"ensure" may cause unallocated memory to be freed
Submitted by Nor Jaidi Tuah
Link to original bug (#614551)
Description
Created attachment 157673: 2 similar functions with different "ensure" clauses
I discovered this bug after porting my app to Mac, which apparently has a more strict runtime trap than Linux.
In the attached file, 2 similar functions are defined which differ only in their "ensure" conditions. This version:
char buggy_get (int index)
    ensures (result.to_string () != "bug")
{
    if (index >= spec.length)
        return ' ';
    else
        return (char) (spec[index]);
}
produces this:
static gchar mem_bug_buggy_get (MemBug* self, gint index) {
    gchar result = '\0';
    char* _tmp0_;
    gboolean _tmp1_;
    g_return_val_if_fail (self != NULL, '\0');
    if ((_tmp1_ = index >= string_get_length (self->priv->spec), _g_free0 (_tmp0_), _tmp1_)) {
        result = ' ';
        ...
THE BUG: Note the call _g_free0 (_tmp0_)
        ...
I wonder why my app, after running non-stop for days, didn't crash on linux.
Attachment 157673, "2 similar functions with different "ensure" clauses":
memfree-bug.vala
Edited by Rico Tzschichholz
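As an added illustration (not code from the report, the attachment, or Vala's own generated output or fix), here is a hand-written C rendering of buggy_get that keeps the free-on-cleanup shape of the generated code but initialises the temporary to NULL, so a cleanup that runs before the temporary is assigned frees nothing. spec, char_to_string and free0 are constructed stand-ins for the object's field, result.to_string () and _g_free0.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the _g_free0 helper in the generated code: free the pointer
 * and reset it to NULL in one expression, so a repeated free0 is a no-op. */
#define free0(var) (var = (free (var), NULL))

/* Constructed stand-in for the object's `spec` string field. */
static const char *spec = "abc";

/* Stand-in for result.to_string (): heap-allocate a one-character string. */
static char *char_to_string (char c)
{
    char *s = malloc (2);
    assert (s != NULL);
    s[0] = c;
    s[1] = '\0';
    return s;
}

/* Returns spec[index], or ' ' past the end, and checks the postcondition
 * result.to_string () != "bug" on the single exit path. */
char fixed_get (int index)
{
    char result = '\0';
    char *tmp0 = NULL;   /* initialised at declaration: the rule the generated code breaks */

    if (index >= (int) strlen (spec)) {
        free0 (tmp0);    /* mirrors the generated early-exit cleanup; frees NULL, harmless */
        result = ' ';
    } else {
        result = spec[index];
    }

    tmp0 = char_to_string (result);
    int postcondition_ok = strcmp (tmp0, "bug") != 0;
    free0 (tmp0);        /* tmp0 is NULL again afterwards */
    assert (postcondition_ok);
    return result;
}

/* Returns 1 if free0 leaves the pointer NULL, so repeated cleanup stays safe. */
int free0_resets_pointer (void)
{
    char *p = char_to_string ('x');
    free0 (p);
    free0 (p);           /* second call frees NULL, which does nothing */
    return p == NULL;
}
```

Built with -fsanitize=address or run under Valgrind, passing an unassigned pointer to free as the generated code does is normally reported as an invalid free; with the NULL initialisation the report disappears.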