3724 – bug in Expression::arraySyntaxCopy (null pointer dereference on struct->union->struct

D issues are now tracked on GitHub. This Bugzilla instance remains as a read-only archive.
Status: RESOLVED FIXED
Alias: None
Product: D
Classification: Unclassified
Component: dmd
Version: D2
Hardware: x86 Linux
Importance: P2 normal
Assignee: No Owner
Keywords: ice-on-valid-code, patch
Reported: 2010-01-19 19:14 UTC by Witold Baryluk
Modified: 2015-06-09 01:27 UTC
Description Witold Baryluk 2010-01-19 19:14:35 UTC
In case of code similar to this
struct v {
 union {
 struct { float a, b; }
 struct { float c[2]; }
 }
}
(it is more complicated than just this sample, to trigger this bug.
I can't easily produce a small example)
file expression.c
method Expression *StructLiteralExp::semantic(Scope *sc)
performs a kind of flattening, and adds member c to array "elements",
but in the case of union members it adds them as null:
relevant lines:
line 3373
 if (v->offset < offset)
 { e = NULL;
 sd->hasUnions = 1;
 }
and line 3393
 elements->push(e)
Fix:
In file expression.c line 1477
method Expressions *Expression::arraySyntaxCopy(Expressions *exps)
add condition:
 for (int i = 0; i < a->dim; i++)
 { Expression *e = (Expression *)exps->data[i];
- e = e->syntaxCopy();
+ if (e)
+ e = e->syntaxCopy();
 a->data[i] = e;^M
 }
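Review bot: with the new `if (e)` guard the loop still stores the null into `a->data[i]`, so the copied array keeps the same empty slots that StructLiteralExp::semantic leaves for overlapping union members. A one-line comment above the guard stating that null entries are legitimate here would stop a later reader from treating the check as dead code, and any caller that walks the returned array needs the same check. The `^M` on the `a->data[i] = e;` context line suggests mixed line endings in the file, which is worth normalising before the change is applied. A regression test is also missing: the report says no small reproducer exists yet, so reducing one should be part of closing this.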
Without it, optimize.c lines 86-87 will indirectly call this method, when some (last) elements of exps is/are nulls, and segfault.
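The mechanism described in the report, as an added example that is not dmd source and not the reporter's code: a simplified C++ model in which flattening leaves a null slot for an overlapping union member and the copy routine preserves that slot instead of dereferencing it. Field, Expr, sampleLayout and flatten are hypothetical stand-ins, and the field offsets are constructed for the struct v shown above.

```cpp
// Added illustration: a simplified model, not dmd source. Field, Expr,
// sampleLayout and flatten are hypothetical stand-ins.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct Field { const char *name; std::size_t offset, size; };
struct Expr;
using ExprPtr = std::unique_ptr<Expr>;
struct Expr {
    float value;
    ExprPtr syntaxCopy() const { return ExprPtr(new Expr{value}); }
};

// Constructed layout for the report's struct v: c overlays a and b.
std::vector<Field> sampleLayout() {
    return {{"a", 0, 4}, {"b", 4, 4}, {"c", 0, 8}};
}

// Flattening as described: a field that starts before the running offset
// overlaps an earlier one, so its slot in the element list stays null.
std::vector<ExprPtr> flatten(const std::vector<Field> &fields, bool &hasUnions) {
    std::vector<ExprPtr> elements;
    std::size_t offset = 0;
    for (const Field &f : fields) {
        ExprPtr e;                                // null by default
        if (f.offset < offset) hasUnions = true;  // union member: keep null
        else e = ExprPtr(new Expr{0.0f});         // placeholder initializer
        if (f.offset + f.size > offset) offset = f.offset + f.size;
        elements.push_back(std::move(e));
    }
    return elements;
}

// The guarded loop: copy non-null entries, keep null slots in position.
std::vector<ExprPtr> arraySyntaxCopy(const std::vector<ExprPtr> &exps) {
    std::vector<ExprPtr> a(exps.size());
    for (std::size_t i = 0; i < exps.size(); i++)
        if (exps[i]) a[i] = exps[i]->syntaxCopy();
    return a;
}

int main() {
    bool hasUnions = false;
    std::vector<ExprPtr> copy = arraySyntaxCopy(flatten(sampleLayout(), hasUnions));
    for (std::size_t i = 0; i < copy.size(); i++)
        std::printf("slot %zu: %s\n", i, copy[i] ? "copied" : "null");
    return 0;
}
```

The copy keeps the same length and slot positions as its input, so code that indexes elements by field number sees the null at the same index in both arrays.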
Comment 1 Walter Bright 2010-01-22 21:50:46 UTC
Changeset 348
Comment 2 Walter Bright 2010-01-30 22:42:29 UTC
fixed dmd 1.056 and 2.040

