On Sat, Sep 25, 2021 at 12:27 PM John Darrington <j...@darrington.wattle.id.au> wrote:
>
> Running test 260 sometimes but not always crashes.
>
> The problematic code seems to be in scan.c (merger_add):
>
> Although the comment says that OUT need not be initialised,
> this code:
>
>     case 3:
>       if (in->type == T_STRING)
>         {
>           out->string = concat (out->string, in->string);
>           return -1;
>         }
>
> can segfault if out->string.string == 0 and out->string.length > 0
>
> This can happen because in lexer.c (lex_source_get_lookahead) passes
> the address of a variable declared on the stack:
>
>     struct token out;
>     int retval = merger_add (&m, &lex_stage_nth (&src->merge, i)->token,
>                              &out);
Thanks for the report. merger_add() ensures that when case 3 is hit, it always has initialized OUT in a previous call. However, lex_source_get_lookahead() declared 'out' in a way that it became indeterminate on each iteration. I fixed the problem by moving the declaration to an enclosing scope.
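The lifetime bug behind this thread, shown as an added, self-contained example rather than pspp's own code: a hypothetical merger_add() whose contract matches the shape described above (state carried in the merger, OUT only read after an earlier call started a merge), and a caller that keeps the accumulator in the scope enclosing the loop, which is the fix the reply describes. The token layout, the return codes, the helper names (token_append, token_copy, merge_tokens, example_ok) and the sample input are all assumptions made for this example, not pspp's definitions. The concat helper also asserts the invariant the report saw broken (string == NULL with length > 0), so an indeterminate OUT aborts with a message instead of segfaulting.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical token, loosely modelled on the lexer tokens discussed above. */
enum token_type { T_STRING, T_NUMBER };
struct token {
    enum token_type type;
    char *string;      /* heap-owned for T_STRING, NULL otherwise */
    size_t length;
    double number;
};

/* Append B onto A.  A must already be initialised: the second assert is the
   invariant that the report's crash violated (NULL string, nonzero length). */
static void token_append(struct token *a, const struct token *b)
{
    assert(a->type == T_STRING && b->type == T_STRING);
    assert(a->string != NULL || a->length == 0);
    char *s = realloc(a->string, a->length + b->length + 1);
    assert(s != NULL);
    memcpy(s + a->length, b->string, b->length);
    a->length += b->length;
    s[a->length] = '\0';
    a->string = s;
}

/* Deep-copy IN into OUT so OUT owns its string payload. */
static void token_copy(struct token *out, const struct token *in)
{
    *out = *in;
    if (in->type == T_STRING) {
        out->string = malloc(in->length + 1);
        assert(out->string != NULL);
        memcpy(out->string, in->string, in->length + 1);
    }
}

static void token_uninit(struct token *t)
{
    if (t->type == T_STRING) free(t->string);
    t->string = NULL;
    t->length = 0;
}

/* Hypothetical merger (not pspp's).  OUT is written in state 0 and only
   read in state 1, i.e. after a previous call has initialised it.  Returns:
     0  IN absorbed, OUT holds a partial merge, feed more input;
     1  OUT is a complete token and IN was consumed;
     2  OUT is a complete token and IN was NOT consumed, re-feed it. */
struct merger { int state; };

static int merger_add(struct merger *m, const struct token *in, struct token *out)
{
    switch (m->state) {
    case 0:
        token_copy(out, in);
        if (in->type == T_STRING) { m->state = 1; return 0; }
        return 1;
    case 1:
        /* Valid only because the same OUT object survived since state 0.  A
           caller that redeclares OUT inside its loop hands us an
           indeterminate object here, exactly the report's scenario. */
        if (in->type == T_STRING) { token_append(out, in); return 0; }
        m->state = 0;
        return 2;
    }
    abort();
}

/* Merge runs of adjacent string tokens in IN[0..N_IN) into OUT[]; returns the
   count.  The accumulator is declared in the scope enclosing the loop, as in
   the fix; moving it into the loop body would recreate the bug. */
size_t merge_tokens(const struct token *in, size_t n_in,
                    struct token *out, size_t max_out)
{
    struct merger m = { 0 };
    struct token acc;                 /* hoisted: must outlive each iteration */
    size_t n_out = 0;
    for (size_t i = 0; i < n_in; ) {
        int r = merger_add(&m, &in[i], &acc);
        if (r == 0) { i++; continue; }
        assert(n_out < max_out);
        out[n_out++] = acc;           /* ownership of acc.string moves out */
        if (r == 1) i++;              /* r == 2: re-feed in[i] in state 0 */
    }
    if (m.state == 1) {               /* flush a string run at end of input */
        assert(n_out < max_out);
        out[n_out++] = acc;
    }
    return n_out;
}

static struct token make_string(const char *s)
{
    struct token t = { T_STRING, NULL, strlen(s), 0 };
    t.string = malloc(t.length + 1);
    assert(t.string != NULL);
    memcpy(t.string, s, t.length + 1);
    return t;
}

/* Constructed sample: "a" "b" 1 "c" should merge to "ab" 1 "c".  Returns 1 if so. */
int example_ok(void)
{
    struct token in[4], out[4];
    in[0] = make_string("a");
    in[1] = make_string("b");
    in[2] = (struct token){ T_NUMBER, NULL, 0, 1 };
    in[3] = make_string("c");
    size_t n = merge_tokens(in, 4, out, 4);
    int ok = n == 3
        && out[0].type == T_STRING && strcmp(out[0].string, "ab") == 0
        && out[1].type == T_NUMBER && out[1].number == 1
        && out[2].type == T_STRING && strcmp(out[2].string, "c") == 0;
    for (size_t i = 0; i < 4; i++) token_uninit(&in[i]);
    for (size_t i = 0; i < n; i++) token_uninit(&out[i]);
    return ok;
}

int main(void) { return example_ok() ? 0 : 1; }
```

Two practical notes. Zero-initialising the per-iteration variable (`struct token out = {0};`) would silence the crash but not fix the bug: state 1 would then append onto an empty string and silently drop the earlier part of the run, so hoisting the declaration is the right fix. To catch this class of defect before a flaky test does, build the buggy variant with `clang -fsanitize=memory` or run it under valgrind; both flag the read of the indeterminate `out` inside merger_add on the first concatenation.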