From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 1838 invoked by alias); 9 Mar 2011 20:29:29 -0000
Received: (qmail 1829 invoked by uid 22791); 9 Mar 2011 20:29:28 -0000
X-SWARE-Spam-Status: No, hits=-5.2 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_HI,T_RP_MATCHES_RCVD
X-Spam-Check-By: sourceware.org
Received: from smtp-outbound-1.vmware.com (HELO smtp-outbound-1.vmware.com) (65.115.85.69) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Wed, 09 Mar 2011 20:29:24 +0000
Received: from mailhost4.vmware.com (mailhost4.vmware.com [10.16.67.124]) by smtp-outbound-1.vmware.com (Postfix) with ESMTP id CCD0E1301F; Wed, 9 Mar 2011 12:29:22 -0800 (PST)
Received: from msnyder-server.eng.vmware.com (promd-2s-dhcp138.eng.vmware.com [10.20.124.138]) by mailhost4.vmware.com (Postfix) with ESMTP id C26BBC9F4A; Wed, 9 Mar 2011 12:29:22 -0800 (PST)
Message-ID: <4D77E322.6010800@vmware.com>
Date: Wed, 09 Mar 2011 23:58:00 -0000
From: Michael Snyder
User-Agent: Thunderbird 2.0.0.24 (X11/20101201)
MIME-Version: 1.0
To: Pedro Alves
CC: "gdb-patches@sourceware.org"
Subject: Re: [RFA] completer.c (expression_completer): Stop memory leak.
References: <4D77CDD6.7010700@vmware.com> <201103092007.33388.pedro@codesourcery.com>
In-Reply-To: <201103092007.33388.pedro@codesourcery.com>
Content-Type: multipart/mixed; boundary="------------050107030504080206040903"
X-IsSubscribed: yes
Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Archive:
List-Post:
List-Help: ,
Sender: gdb-patches-owner@sourceware.org
X-SW-Source: 2011-03/txt/msg00623.txt.bz2

Pedro Alves wrote:
> On Wednesday 09 March 2011 18:58:30, Michael Snyder wrote:
>> In this case, it is possible for fieldname to be allocated before an
>> exception is thrown.
>>
>> OK?
>
> Notice how `fieldname' is uninitialized by expression_completer.
> If an exception is thrown from within parse_field_expression
> before writing to `fieldname', you'll be calling `free'
> (it should be xfree, btw) on an uninitialized pointer.  That's
> bad.
>
> Please fix this within parse_field_expression itself.
> 1) even if what I describe above can't happen as is
> today (it may or not, dunno), your change makes the
> code quite fragile.  2) any other parse_field_expression call
> that isn't wrapped in a TRY_CATCH like this, is a
> potential leak.
>

OK how is this?

I'm a little uncertain about the way "name" is handled there at the end...

[attachment: parse.txt]

2011-03-09  Michael Snyder

	* parse.c (parse_field_expression): Clean up memory gracefully.
Index: parse.c =================================================================== RCS file: /cvs/src/src/gdb/parse.c,v retrieving revision 1.108 diff -u -p -r1.108 parse.c --- parse.c 5 Mar 2011 22:02:47 -0000 1.108 +++ parse.c 9 Mar 2011 20:27:08 -0000 @@ -1211,34 +1211,37 @@ parse_field_expression (char *string, ch struct value *val; int subexp; volatile struct gdb_exception except; + struct cleanup *cleanups = make_cleanup (null_cleanup, NULL); TRY_CATCH (except, RETURN_MASK_ERROR) { in_parse_field = 1; exp = parse_exp_in_context (&string, 0, 0, 0, &subexp); + make_cleanup (xfree, exp); } in_parse_field = 0; if (except.reason < 0 || ! exp) return NULL; if (expout_last_struct == -1) { - xfree (exp); + do_cleanups (cleanups); return NULL; } *name = extract_field_op (exp, &subexp); if (!*name) { - xfree (exp); + do_cleanups (cleanups); return NULL; } + make_cleanup (xfree, name); /* This might throw an exception. If so, we want to let it propagate. */ val = evaluate_subexpression_type (exp, subexp); /* (*NAME) is a part of the EXP memory block freed below. */ *name = xstrdup (*name); - xfree (exp); + do_cleanups (cleanups); return value_type (val); } --------------050107030504080206040903--
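Review bot: `make_cleanup (xfree, name);` registers a free of `name` itself, the `char **` the caller passed in, not of `*name`, so the `do_cleanups (cleanups)` on the success path (or the caller's unwind if `evaluate_subexpression_type` throws) will hand the address of the caller's variable to `xfree`. Freeing `*name` at that point would be wrong as well, since it still points into the `exp` block (the comment two lines later says so); drop the line, because the caller only ever receives the `xstrdup` copy made on the success path. Separately, the unchanged `if (except.reason < 0 || ! exp) return NULL;` now returns without `do_cleanups (cleanups)`, leaving the `null_cleanup` entry registered on the chain for the caller; that exit should unwind too.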
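As an added illustration of the cleanup-chain idiom the patch relies on (example code written for this note, not gdb's implementation): a toy make_cleanup / discard_cleanups / do_cleanups chain, a setjmp-based stand-in for TRY_CATCH, and a model of parse_field_expression in which every exit path unwinds to its cleanup mark, the callee guards its own allocation with a cleanup so a throw after allocating cannot leak, and *name is duplicated before the expression block is freed. The function names are borrowed from gdb; the body of parse_exp_in_context, its `fail` flag, the allocation counters and the `scenario_ok` / `all_released` checks are assumptions made for the demonstration, and the model simplifies gdb by leaving cleanups on the chain until the catching function unwinds them.

```c
/* Example written for this note, not gdb's code: a toy model of gdb's
   cleanup chain and TRY_CATCH, showing why every exit of
   parse_field_expression must unwind and why *name is copied before
   the expression block is freed.  Names are borrowed; bodies are assumed.  */
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

typedef void (*cleanup_fn) (void *);
struct cleanup { cleanup_fn fn; void *arg; struct cleanup *next; };
static struct cleanup *cleanup_chain;

/* Allocation counters (added for the demo) so each scenario can be
   checked for releasing everything it allocated.  */
static int allocs, frees;

static void xfree (void *p) { if (p) { frees++; free (p); } }
static char *xstrdup (const char *s) {
  char *d = malloc (strlen (s) + 1);
  allocs++;
  return strcpy (d, s);
}
static void null_cleanup (void *arg) { (void) arg; }

/* Push a cleanup; return the previous chain head (as gdb does) so the
   caller can later unwind back to exactly this point.  */
static struct cleanup *make_cleanup (cleanup_fn fn, void *arg) {
  struct cleanup *c = malloc (sizeof *c), *old = cleanup_chain;
  c->fn = fn; c->arg = arg; c->next = old;
  cleanup_chain = c;
  return old;
}

/* Pop every cleanup registered after OLD, newest first; RUN says whether
   to execute them (do_cleanups) or just drop them (discard_cleanups).  */
static void unwind (struct cleanup *old, int run) {
  while (cleanup_chain != old) {
    struct cleanup *c = cleanup_chain;
    cleanup_chain = c->next;
    if (run) c->fn (c->arg);
    free (c);
  }
}
static void do_cleanups (struct cleanup *old) { unwind (old, 1); }
static void discard_cleanups (struct cleanup *old) { unwind (old, 0); }

/* Minimal TRY_CATCH stand-in: a stack of jmp_bufs, one per active try
   region.  Unlike gdb, throwing runs no cleanups; the catcher unwinds.  */
struct catcher { jmp_buf env; struct catcher *prev; };
static struct catcher *catchers;
static void throw_error (void) {
  struct catcher *c = catchers;
  catchers = c->prev;
  longjmp (c->env, 1);
}

/* Stand-in for parse_exp_in_context (constructed): the expression is a
   copy of STRING, guarded by a cleanup until ownership passes to the
   caller.  With FAIL set it throws after allocating, the case at issue.  */
static char *parse_exp_in_context (const char *string, int fail) {
  char *exp = xstrdup (string);
  struct cleanup *old = make_cleanup (xfree, exp);
  if (fail)
    throw_error ();          /* EXP is released by the catcher's do_cleanups */
  discard_cleanups (old);    /* success: the caller now owns EXP */
  return exp;
}

/* Model of the patched parse_field_expression.  The field name is the text
   after the last '.' and, like extract_field_op's result, points into EXP.
   Returns 1 with a caller-owned copy in *NAME, else 0.  */
static int parse_field_expression (const char *string, char **name, int fail) {
  char *volatile exp = NULL;   /* volatile: written between setjmp and longjmp */
  struct cleanup *cleanups = make_cleanup (null_cleanup, NULL);
  struct catcher c;
  char *dot;

  c.prev = catchers;
  catchers = &c;
  if (setjmp (c.env) == 0) {
    exp = parse_exp_in_context (string, fail);
    make_cleanup (xfree, exp); /* from here on every exit frees EXP */
    catchers = c.prev;
  }
  if (exp == NULL) {           /* the parse threw: still unwind, never return
                                  with entries left on the chain */
    do_cleanups (cleanups);
    return 0;
  }
  dot = strrchr (exp, '.');
  if (dot == NULL || dot[1] == '\0') {
    do_cleanups (cleanups);
    return 0;
  }
  *name = dot + 1;
  /* *NAME lies inside the EXP block freed just below, so copy it first.  */
  *name = xstrdup (*name);
  do_cleanups (cleanups);
  return 1;
}

/* True when every counted allocation was released and the chain is empty.  */
static int all_released (void) { return allocs == frees && cleanup_chain == NULL; }

/* Run one scenario; EXPECT is the field name on success or NULL for failure.
   Returns 1 when the outcome matched and nothing was leaked.  */
static int scenario_ok (const char *string, int fail, const char *expect) {
  char *name = NULL;
  int ok = parse_field_expression (string, &name, fail);
  int match = expect ? (ok && strcmp (name, expect) == 0) : !ok;
  if (ok) xfree (name);
  return match && all_released ();
}
```

`scenario_ok ("foo.bar", 1, NULL)` is the case Pedro describes: the allocation happens, the throw lands in the caller's try region, and the callee's own cleanup (not a cleanup on the caller's `name`) is what releases the block during `do_cleanups (cleanups)`.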