From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gdb-patches-return-60710-listarch-gdb-patches=sources.redhat.com@sourceware.org>
Received: (qmail 10109 invoked by alias); 20 Dec 2008 00:51:46 -0000
Received: (qmail 10101 invoked by uid 22791); 20 Dec 2008 00:51:45 -0000
X-SWARE-Spam-Status: No, hits=-2.2 required=5.0 	tests=AWL,BAYES_00,KAM_MX,SPF_HELO_PASS,SPF_PASS
X-Spam-Check-By: sourceware.org
Received: from mx2.redhat.com (HELO mx2.redhat.com) (66.187.237.31)     by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Sat, 20 Dec 2008 00:51:10 +0000
Received: from int-mx2.corp.redhat.com (int-mx2.corp.redhat.com [172.16.27.26]) 	by mx2.redhat.com (8.13.8/8.13.8) with ESMTP id mBK0p8hB006095 	for <gdb-patches@sourceware.org>; Fri, 19 Dec 2008 19:51:08 -0500
Received: from ns3.rdu.redhat.com (ns3.rdu.redhat.com [10.11.255.199]) 	by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id mBK0p837016967 	for <gdb-patches@sourceware.org>; Fri, 19 Dec 2008 19:51:08 -0500
Received: from host0.dyn.jankratochvil.net (sebastian-int.corp.redhat.com [172.16.52.221]) 	by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id mBK0p6Lw017697 	for <gdb-patches@sourceware.org>; Fri, 19 Dec 2008 19:51:07 -0500
Received: from host0.dyn.jankratochvil.net (localhost [127.0.0.1]) 	by host0.dyn.jankratochvil.net (8.14.3/8.14.3) with ESMTP id mBK0p462024653 	for <gdb-patches@sourceware.org>; Sat, 20 Dec 2008 01:51:05 +0100
Received: (from jkratoch@localhost) 	by host0.dyn.jankratochvil.net (8.14.3/8.14.2/Submit) id mBK0p4SC024650 	for gdb-patches@sourceware.org; Sat, 20 Dec 2008 01:51:04 +0100
Date: Sat, 20 Dec 2008 00:51:00 -0000
From: Jan Kratochvil <jan.kratochvil@redhat.com>
To: gdb-patches@sourceware.org
Subject: [patch] Fix completion memory double-free
Message-ID: <20081220005103.GA19202@host0.dyn.jankratochvil.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sdtB3X0nJg68CQEu"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
X-IsSubscribed: yes
Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <gdb-patches.sourceware.org>
List-Subscribe: <mailto:gdb-patches-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/gdb-patches/>
List-Post: <mailto:gdb-patches@sourceware.org>
List-Help: <mailto:gdb-patches-help@sourceware.org>, <http://sourceware.org/ml/#faqs>
Sender: gdb-patches-owner@sourceware.org
X-SW-Source: 2008-12/txt/msg00356.txt.bz2


--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-length: 135

Hi,

p values[0].nonex.<tab>
causes a double-free (testcase included) when linked with `-lmcheck'.

Approval requested.


Regards,
Jan

--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename="gdb-completer.patch"
Content-length: 2253

gdb/
2008-12-20  Jan Kratochvil  <jan.kratochvil@redhat.com>

	Fix memory double-free.
	* completer.c (line_completion_function): Clear LIST after called xfree.

gdb/testsuite/
2008-12-20  Jan Kratochvil  <jan.kratochvil@redhat.com>

	* gdb.base/completion.exp (Completing non-existing component): New test.

--- ./gdb/completer.c	24 Nov 2008 17:05:43 -0000	1.28
+++ ./gdb/completer.c	19 Dec 2008 23:59:36 -0000
@@ -752,8 +752,10 @@ line_completion_function (const char *te
       if (list)
 	{
 	  /* Free the storage used by LIST, but not by the strings inside.
-	     This is because rl_complete_internal () frees the strings.  */
+	     This is because rl_complete_internal () frees the strings.
+	     As complete_line may abort by calling `error' clear LIST now.  */
 	  xfree (list);
+	  list = NULL;
 	}
       index = 0;
       list = complete_line (text, line_buffer, point);
--- ./gdb/testsuite/gdb.base/completion.exp	22 Oct 2008 19:46:13 -0000	1.34
+++ ./gdb/testsuite/gdb.base/completion.exp	20 Dec 2008 00:18:50 -0000
@@ -805,6 +805,26 @@ gdb_expect  {
         timeout         { fail "(timeout) complete 'set follow-fork-mode'" }
         }
 
+send_gdb "p values\[0\].nonex.\t"
+sleep 1
+gdb_expect  {
+        -re "Type struct some_struct has no component named nonex.\r\n$gdb_prompt $"\
+            { pass "Completing non-existing component" }
+        -re ".*$gdb_prompt $"       { fail "Completing non-existing component" }
+        timeout         { fail "(timeout) Completing non-existing component" }
+        eof             { fail "(eof) Completing non-existing component #2" }
+        }
+# Double memory freeing gets found only on the second run:
+send_gdb "p values\[0\].nonex.\t"
+sleep 1
+gdb_expect  {
+        -re "Type struct some_struct has no component named nonex.\r\n$gdb_prompt $"\
+            { pass "Completing non-existing component #2" }
+        -re ".*$gdb_prompt $"       { fail "Completing non-existing component #2" }
+        timeout         { fail "(timeout) Completing non-existing component #2" }
+        eof             { fail "(eof) Completing non-existing component #2" }
+        }
+
 # Restore globals modified in this test...
 if [info exists old_inputrc] {
     set env(INPUTRC) $old_inputrc

--sdtB3X0nJg68CQEu--