bug-gnu-utils
Re: Re : bug in gawk-3.1.0


From: Hans-Bernhard Broeker
Subject: Re: Re : bug in gawk-3.1.0
Date: 13 Jun 2002 09:35:43 GMT

Olatunji Oluwabukunmi Ruwase <address@hidden> wrote:
> Hi,
>  I do apologize if this happens to be an old and fixed bug, but I searched
> in vain for a list of reported/fixed bugs for gawk.
>  Anyway, I'm working on improving the performance of Richard Jones' bounds
> checking extension to gcc by reducing the slowdown it imposes on code
> compiled with it.
>  So while testing the effectiveness of my code on known buffer
> overflow bugs, I decided to work on gawk-3.0.1 and
> came up on this bug in random.c

> random.c:178: static long randtbl[DEG_3 + 1] = {

> random.c:230: static long *end_ptr = &randtbl[DEG_3 + 1];

> line 230 is clearly an out of range array expression.

No, it's not.  But it's a bit tricky to see why.  This is perfectly
valid C because of two special exceptions in the language definitions:

1) You're always allowed to create a pointer to the object exactly behind
   the end of a given array.  I.e. in the case above

        randtbl + (DEG_3 + 1)

   is a completely valid pointer expression --- you're just not allowed to
   *dereference* this pointer.  You can do pointer arithmetic with it,
   though, and more importantly, it's valid for comparisons with pointers
   into randtbl[].

2) &(*(some_pointer)) is specially defined to be equivalent to
   some_pointer itself.  In particular it does not have the effect
   of dereferencing some_pointer.

Combine this with the usual expansion of a[i] as *(a+i), and you get:

        &randtbl[DEG_3 + 1] 
        == &(*(randtbl + (DEG_3 + 1)))
        == randtbl + (DEG_3 + 1)

which, by the first special exception, is a legal pointer.

> Interestingly, Richard Jones' extension flagged this at compile time.

It may flag this as a warning.  If it flags this construct as an
error, though, that constitutes a bug in his implementation.

-- 
Hans-Bernhard Broeker (address@hidden)
Even if all the snow were burnt, ashes would remain.
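
The two rules above, worked through as an added C example. This is not gawk's random.c and not Richard Jones' checker: the table size, the DEG_3 value and the two bounds tests at the end are assumptions made here for illustration. The point it shows is that the same address is legal to form and compare but not to dereference, which is why a bounds checker needs one test for "may this pointer exist" and a stricter one for "may this pointer be read".

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed value for the example; gawk's random.c defines its own. */
#define DEG_3 31

/* DEG_3 + 1 elements, so valid indices are 0 .. DEG_3. */
static long randtbl[DEG_3 + 1];

/* One past the last element.  Forming this address is legal C;
 * dereferencing it is not.  Same shape as the random.c line. */
static long *end_ptr = &randtbl[DEG_3 + 1];

/* Fill the table by walking a pointer up to end_ptr and return the
 * number of elements visited.  The comparison p != end_ptr is exactly
 * what the one-past-the-end rule sanctions; every *p here is a real
 * element because the loop stops before reaching end_ptr itself. */
size_t fill_and_count(void)
{
    size_t n = 0;
    for (long *p = randtbl; p != end_ptr; ++p) {
        *p = (long)n * 3;
        ++n;
    }
    return n;                    /* DEG_3 + 1 */
}

/* Pointer arithmetic involving the past-the-end pointer is legal as long
 * as every intermediate result stays within [randtbl, end_ptr]. */
ptrdiff_t table_length(void)
{
    return end_ptr - randtbl;    /* DEG_3 + 1 */
}

long last_element(void)
{
    return *(end_ptr - 1);       /* end_ptr - 1 is the last real element */
}

/* What a bounds checker has to distinguish.  Both work on an element
 * index relative to randtbl so the check itself never forms an illegal
 * pointer; these two predicates are an assumption about how such a
 * checker could be written, not Richard Jones' implementation. */
static bool may_form_address(ptrdiff_t i)   /* is &randtbl[i] legal? */
{
    return i >= 0 && i <= DEG_3 + 1;         /* inclusive: one past the end is fine */
}

static bool may_dereference(ptrdiff_t i)    /* is randtbl[i] (a read) legal? */
{
    return i >= 0 && i <= DEG_3;             /* exclusive of DEG_3 + 1 */
}

bool check_address_of_end(void)
{
    return may_form_address(DEG_3 + 1);      /* true: the random.c construct */
}

bool check_deref_of_end(void)
{
    return may_dereference(DEG_3 + 1);       /* false: *end_ptr would be a real overflow */
}

bool check_two_past_end(void)
{
    return may_form_address(DEG_3 + 2);      /* false: only ONE past the end is sanctioned */
}

int main(void)
{
    printf("elements: %zu, length: %td, last: %ld\n",
           fill_and_count(), table_length(), last_element());
    printf("&tbl[N+1] ok: %d, *(&tbl[N+1]) ok: %d, &tbl[N+2] ok: %d\n",
           check_address_of_end(), check_deref_of_end(), check_two_past_end());
    return 0;
}
```

The loop in fill_and_count is the idiom the exception exists for: without a legal past-the-end address there would be no clean termination test for a pointer walk. A checker that rejects &randtbl[DEG_3 + 1] outright would therefore flag ordinary, correct code; the thing to flag is a load or store through that address.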


