From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
List-Id: Zsh Workers List
X-Seq: 36564
Date: Sat, 19 Sep 2015 23:35:28 +0100
From: Peter Stephenson
To: Markus Trippelsdorf
Cc: zsh-workers@zsh.org
Subject: Re: Two issues found with -fsanitize=undefined
Message-ID: <20150919233528.41828582@ntlworld.com>
In-Reply-To: <20150919201814.GA409@x4>
References: <20150917075759.GA24365@x4> <20150919205751.5338bddc@ntlworld.com> <20150919201814.GA409@x4>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.28; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Sat, 19 Sep 2015 22:18:14 +0200 Markus Trippelsdorf wrote:
> ./D02glob.ztst: starting.
> exec.c:2240:6: runtime error: index 8 out of bounds for type 'int [8]'
> exec.c:2048:10: runtime error: index 8 out of bounds for type 'int [8]'
> exec.c:2122:7: runtime error: index 8 out of bounds for type 'int [8]'

MULTIOUNIT is 8. struct multio is defined as

    struct multio {
        int ct;               /* # of redirections on this fd */
        int rflag;            /* 0 if open for reading, 1 if open for writing */
        int pipe;             /* fd of pipe if ct > 1 */
        int fds[MULTIOUNIT];  /* list of src/dests redirected to/from this fd */
    };

so something is probably up here when ct is 8 and the structure needs reallocating.
    if (mfds[fd1]->ct == 1) {
        /* split the stream */
        /* ... */
    } else {
        /* add another fd to an already split stream */
        int fdN;
        if(!(mfds[fd1]->ct % MULTIOUNIT)) {
            int new = sizeof(struct multio) + sizeof(int) * mfds[fd1]->ct;
            int old = new - sizeof(int) * MULTIOUNIT;
            mfds[fd1] = hrealloc((char *)mfds[fd1], old, new);
        }
        if ((fdN = movefd(fd2)) < 0) {
            zerr("multio failed for fd %d: %e", fd2, errno);
            closemnodes(mfds);
            return;
        }
        mfds[fd1]->fds[mfds[fd1]->ct++] = fdN;
    }

However, it looks right. You end up with MULTIOUNIT + ct fd's available, which is what you want: ct goes from 8 to 9 with index 8 being used out of 0 to 15 allocated.

The zerr() before the return means it doesn't matter if we don't actually increment ct as the structure is never used (memory is on the heap).

It may be the compiler isn't actually looking at the memory allocated, only the definition of the structure. Certainly valgrind has never complained here and this is something it should pick up.

pws
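The pattern discussed above is a fixed-size trailing array that hrealloc() over-allocates: the bytes at fds[8] are real heap memory, which is why valgrind is silent, but the index exceeds the array's declared bound of 8, which is exactly what the bounds check in -fsanitize=undefined reports. Added example (not zsh code, written for this archive): a stand-in for struct multio that keeps the grow-by-MULTIOUNIT realloc strategy but uses a C99 flexible array member, so the same accesses have no declared bound to exceed; the struct, the function names, the cap field and the fd values 100.. are constructed for illustration.

```c
#include <stdlib.h>
#define MULTIOUNIT 8
/* Hypothetical stand-in for zsh's struct multio (added example, not zsh
 * code).  The trailing int fds[MULTIOUNIT] becomes a C99 flexible array
 * member: same layout and grow-by-MULTIOUNIT realloc, but no declared bound
 * of 8 for index 8 to exceed, so the bounds sanitizer has nothing to flag. */
struct multio {
    int ct;    /* number of fds stored */
    int cap;   /* number of fds allocated, a multiple of MULTIOUNIT */
    int fds[]; /* flexible array member, sized at allocation time */
};

struct multio *multio_new(void)
{
    /* calloc zeroes ct; the block holds MULTIOUNIT fds to start with */
    struct multio *m = calloc(1, sizeof *m + sizeof(int) * MULTIOUNIT);
    if (m) m->cap = MULTIOUNIT;
    return m;
}

/* Append one fd, growing by MULTIOUNIT entries when full.  Returns the
 * (possibly moved) block, or NULL on failure with the old block intact. */
struct multio *multio_add(struct multio *m, int fd)
{
    if (m->ct == m->cap) {
        size_t sz = sizeof *m + sizeof(int) * (size_t)(m->cap + MULTIOUNIT);
        struct multio *n = realloc(m, sz);
        if (!n) return NULL;
        m = n;
        m->cap += MULTIOUNIT;
    }
    m->fds[m->ct++] = fd;
    return m;
}

/* Push 2*MULTIOUNIT+1 constructed fds (100, 101, ...) through the block,
 * crossing two growth boundaries.  Returns the final count (17) when the
 * capacity is 3*MULTIOUNIT and the last entry survived both reallocs. */
int multio_demo(void)
{
    struct multio *m = multio_new();
    if (!m) return -1;
    for (int i = 0; i < 2 * MULTIOUNIT + 1; i++) {
        struct multio *n = multio_add(m, 100 + i);
        if (!n) { free(m); return -1; }
        m = n;
    }
    int ct = m->ct, ok = m->cap == 3 * MULTIOUNIT && m->fds[ct - 1] == 100 + 2 * MULTIOUNIT;
    free(m);
    return ok ? ct : -2;
}
```

Building this with -fsanitize=undefined produces no bounds report, because a flexible array member has no compile-time extent for the instrumentation to compare against; the fixed int fds[MULTIOUNIT] version of the same code trips at the first index past 7.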