From: Akim Demaille Date: Wed, 9 Mar 2011 20:10:35 +0000 (+0100) Subject: named references: fix double free. X-Git-Tag: v2.7.90~611 X-Git-Url: https://git.saurik.com/bison.git/commitdiff_plain/a4d1bf6a9cdd337fc113c5a3fc7424e7491d6ea5 named references: fix double free. In `rhs[name]: "a" | "b"', do not free "name" twice. Reported by Tys Lefering. * src/named-ref.h, src/named-ref.c (named_ref_copy): New. * src/parse-gram.y (current_lhs): Rename as... (current_lhs_symbol): this. (current_lhs): New function. Use it to free the current lhs named reference. * src/reader.c: Bind lhs to a copy of the current named reference. * src/symlist.c: Rely on free (0) being valid. * tests/named-refs.at: Test this. (cherry picked from commit 8f462efe923947cc4e72deea5b0fa93a5f88000d) Conflicts: src/parse-gram.y --- diff --git a/ChangeLog b/ChangeLog index 26a34cf9..a3d12021 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,18 @@ +2011-03-09 Akim Demaille + + named references: fix double free. + In `rhs[name]: "a" | "b"', do not free "name" twice. + Reported by Tys Lefering. + + * src/named-ref.h, src/named-ref.c (named_ref_copy): New. + * src/parse-gram.y (current_lhs): Rename as... + (current_lhs_symbol): this. + (current_lhs): New function. Use it to free the current lhs + named reference. + * src/reader.c: Bind lhs to a copy of the current named reference. + * src/symlist.c: Rely on free (0) being valid. + * tests/named-refs.at: Test this. + 2011-03-09 Akim Demaille tests: style changes. diff --git a/THANKS b/THANKS index 02082c1c..f9b1b8a6 100644 --- a/THANKS +++ b/THANKS @@ -104,7 +104,7 @@ Tom Lane tgl@sss.pgh.pa.us Tom Tromey tromey@cygnus.com Tommy Nordgren tommy.nordgren@chello.se Troy A. Johnson troyj@ecn.purdue.edu -Tys Lefering twlevo@xs4all.nl +Tys Lefering twlevo@gmail.com Vin Shelton acs@alumni.princeton.edu Wayne Green wayne@infosavvy.com Wolfram Wagner ww@mpi-sb.mpg.de diff --git a/src/named-ref.c b/src/named-ref.c index 4bf3da12..132c7414 100644 --- a/src/named-ref.c +++ b/src/named-ref.c @@ -33,6 +33,12 @@ named_ref_new (uniqstr id, location loc) return res; } +named_ref * +named_ref_copy (const named_ref *r) +{ + return named_ref_new (r->id, r->loc); +} + void named_ref_free (named_ref *r) { diff --git a/src/named-ref.h b/src/named-ref.h index 0f96e463..46d9d8d4 100644 --- a/src/named-ref.h +++ b/src/named-ref.h @@ -37,6 +37,9 @@ typedef struct named_ref /* Allocate a named reference object. */ named_ref *named_ref_new (uniqstr id, location loc); +/* Allocate and return a copy. */ +named_ref *named_ref_copy (const named_ref *r); + /* Free a named reference object. */ void named_ref_free (named_ref *r); diff --git a/src/parse-gram.y b/src/parse-gram.y index f79b0e92..514b5d79 100644 --- a/src/parse-gram.y +++ b/src/parse-gram.y @@ -56,10 +56,28 @@ static char const *char_name (char); static int current_prec = 0; static location current_lhs_location; static named_ref *current_lhs_named_ref; - static symbol *current_lhs; + static symbol *current_lhs_symbol; static symbol_class current_class = unknown_sym; static uniqstr current_type = NULL; + /** Set the new current left-hand side symbol, possibly common + * to several right-hand side parts of rule. + */ + static + void + current_lhs(symbol *sym, location loc, named_ref *ref) + { + current_lhs_symbol = sym; + current_lhs_location = loc; + /* In order to simplify memory management, named references for lhs + are always assigned by deep copy into the current symbol_list + node. This is because a single named-ref in the grammar may + result in several uses when the user factors lhs between several + rules using "|". Therefore free the parser's original copy. */ + free (current_lhs_named_ref); + current_lhs_named_ref = ref; + } + #define YYTYPE_INT16 int_fast16_t #define YYTYPE_INT8 int_fast8_t #define YYTYPE_UINT16 uint_fast16_t @@ -569,8 +587,11 @@ rules_or_grammar_declaration: ; rules: - id_colon named_ref.opt { current_lhs = $1; current_lhs_location = @1; - current_lhs_named_ref = $2; } rhses.1 + id_colon named_ref.opt { current_lhs ($1, @1, $2); } rhses.1 + { + /* Free the current lhs. */ + current_lhs (0, @1, 0); + } ; rhses.1: @@ -581,7 +602,7 @@ rhses.1: rhs: /* Nothing. */ - { grammar_current_rule_begin (current_lhs, current_lhs_location, + { grammar_current_rule_begin (current_lhs_symbol, current_lhs_location, current_lhs_named_ref); } | rhs symbol named_ref.opt { grammar_current_rule_symbol_append ($2, @2, $3); } diff --git a/src/reader.c b/src/reader.c index 6fc14a3e..2289d26e 100644 --- a/src/reader.c +++ b/src/reader.c @@ -231,7 +231,7 @@ grammar_current_rule_begin (symbol *lhs, location loc, p = grammar_symbol_append (lhs, loc); if (lhs_name) - assign_named_ref(p, lhs_name); + assign_named_ref (p, named_ref_copy (lhs_name)); current_rule = grammar_end; diff --git a/src/symlist.c b/src/symlist.c index e717c3e1..190d0073 100644 --- a/src/symlist.c +++ b/src/symlist.c @@ -151,8 +151,7 @@ symbol_list_free (symbol_list *list) for (node = list; node; node = next) { next = node->next; - if (node->named_ref) - named_ref_free (node->named_ref); + named_ref_free (node->named_ref); free (node); } } diff --git a/tests/named-refs.at b/tests/named-refs.at index 8d035189..5f1daa80 100644 --- a/tests/named-refs.at +++ b/tests/named-refs.at @@ -472,6 +472,19 @@ AT_CLEANUP ####################################################################### +# Bison used to free twice the named ref for "a", since a single copy +# was used in two rules. +AT_SETUP([Factored LHS]) +AT_DATA_GRAMMAR([test.y], +[[ +%% +start[a]: "foo" | "bar"; +]]) +AT_BISON_CHECK([-o test.c test.y]) +AT_CLEANUP + +####################################################################### + AT_SETUP([Unresolved references]) AT_DATA_GRAMMAR([test.y], [[