From a4d1bf6a9cdd337fc113c5a3fc7424e7491d6ea5 Mon Sep 17 00:00:00 2001 From: Akim Demaille Date: Wed, 9 Mar 2011 21:10:35 +0100 Subject: named references: fix double free. In `rhs[name]: "a" | "b"', do not free "name" twice. Reported by Tys Lefering. * src/named-ref.h, src/named-ref.c (named_ref_copy): New. * src/parse-gram.y (current_lhs): Rename as... (current_lhs_symbol): this. (current_lhs): New function. Use it to free the current lhs named reference. * src/reader.c: Bind lhs to a copy of the current named reference. * src/symlist.c: Rely on free (0) being valid. * tests/named-refs.at: Test this. (cherry picked from commit 8f462efe923947cc4e72deea5b0fa93a5f88000d) Conflicts: src/parse-gram.y --- src/named-ref.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/named-ref.h') diff --git a/src/named-ref.h b/src/named-ref.h index 0f96e463..46d9d8d4 100644 --- a/src/named-ref.h +++ b/src/named-ref.h @@ -37,6 +37,9 @@ typedef struct named_ref /* Allocate a named reference object. */ named_ref *named_ref_new (uniqstr id, location loc); +/* Allocate and return a copy. */ +named_ref *named_ref_copy (const named_ref *r); + /* Free a named reference object. */ void named_ref_free (named_ref *r); -- cgit v1.2.1
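Review bot: the new comment on `named_ref_copy` in src/named-ref.h, "Allocate and return a copy.", does not state who owns the returned object or whether `r` may be null, and for a change whose purpose is to fix a double free those are the two facts a caller needs. The commit message says reader.c binds the lhs to a copy of the current named reference and that symlist.c relies on `free (0)` being valid, which suggests null named references occur on these paths, yet the header gives no contract for `named_ref_copy (0)`. Suggest extending the comment to say that the result is a separately allocated object the caller must release with `named_ref_free`, and to state explicitly whether a null argument is accepted (and what is returned) or is a precondition violation. Only the header hunk is visible here, so the actual null handling in src/named-ref.c should be checked against whatever the comment ends up promising.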