Critical gawk -M bug still in Debian 11

[alexandre . ferrieux]

Hello,

Sorry if this report is unusual: it is about an old bug (5.1.0) that was fixed 
in 2020, but the impact of which may have been overlooked.
And, as Debian 11 (bullseye, currently oldstable) *and* unfortnately also its 
"backports" variant  both stick to that version... it means the bug is still 
alive in who knows how many thousands of systems in the world ?

I'm talking about the fix here:

  c31e4636   Arnold D. Robbins   Sun Jul 5 21:36:01 2020 +0300 MPFR bug fixes 
in some corner cases.

In the patch, one can see this was triggered by reports from Hyunho Cho 
<mug896@naver.com>. Many thanks to him by the way.
But, looking for this e-mail address in the archive, I see only things about, 
just as the comment says, corner cases.

Now, it just happens that the same commit is where my bisection led when chasing 
a *nasty* bug in "current" gawk (on a Debian 11 backports), that is 5.1.0.
The bug is the following:

   In -M mode, upon conversion of an input string to a number, the same value 
has unpredictable contents if used as a string again:

As an example,
       ( echo 1 2 ; echo 3 4 ; echo 3 5) | ./gawk -M 
'{x=$1+0;t[$1]+=$2}END{for(a in t)print "t["a"]="t[a]}'
yields:
      t[1]=
      t[3]=
      t[3]=

While the same without "x=$1+0" works:
       ( echo 1 2 ; echo 3 4 ; echo 3 5) | ./gawk -M '{t[$1]+=$2}END{for(a in 
t)print "t["a"]="t[a]}'
yields:
       t[1]=2
       t[3]=9

Needless to say, the "surprise effect" is ... huge. With this under the hood, 
you can imagine the kind of industrial disasters that can happen.
It took me a couple of anxious hours to track that down in one production app 
that, fortunately, does not control any nuclear core nor supersonic aerodynamic 
control. Phew.

Now please do not take this as a misplaced criticism. I *still* believe Gawk is 
a fabulous tool for rapid prototyping in research, and will keep recommending it 
to incredulous (and mis-informed) P*thonian crowds.
Also, I do understand that covering more that 0.01% of the potential problem 
space in automated tests, is an incredibly hard problem.

My only question is this: what is the appropriate channel to promote a 
commit/tag in such a manner that distros feel an urge to pull it into their 
"backports" ?

(here, I would expect to see such critical bugs fixed in all reasonable 
backports. "Upgrade to Debian stable" is not always doable).

Thanks in advance, and by all means keep the awesome work Arnold and others !

-Alex


____________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations 
confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce 
message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages 
electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou 
falsifie. Merci.

This message and its attachments may contain confidential or privileged 
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete 
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been 
modified, changed or falsified.
Thank you.