From 94923161f4aa9c75a27c8f56a68662cef6695713 Mon Sep 17 00:00:00 2001
From: Jan Kratochvil
Date: Mon, 22 Dec 2008 13:19:28 +0000
Subject: [PATCH] gdb/ Fix memory double-free. * completer.c (line_completion_function): Clear LIST after called xfree. gdb/testsuite/ * gdb.base/completion.exp (Completing non-existing component): New test.
---
 gdb/ChangeLog | 7 ++++++-
 gdb/completer.c | 4 +++-
 gdb/testsuite/ChangeLog | 4 ++++
 gdb/testsuite/gdb.base/completion.exp | 18 ++++++++++++++++++
 4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index 6b067ead98..2a0a8c400e 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,4 +1,9 @@
-2008-12-22 Joel Brobecker
+2008-12-22 Jan Kratochvil
+
+ Fix memory double-free.
+ * completer.c (line_completion_function): Clear LIST after called xfree.
+
+2008-12-22 Joel Brobecker
 * breakpoint.c (update_watchpoint): Adjust and extend the description of this function. Fix one error message accordingly.
diff --git a/gdb/completer.c b/gdb/completer.c
index d109140ee3..4747a42980 100644
--- a/gdb/completer.c
+++ b/gdb/completer.c
@@ -752,8 +752,10 @@ line_completion_function (const char *text, int matches,
 if (list)
 {
 /* Free the storage used by LIST, but not by the strings inside.
- This is because rl_complete_internal () frees the strings. */
+ This is because rl_complete_internal () frees the strings.
+ As complete_line may abort by calling `error' clear LIST now. */
 xfree (list);
+ list = NULL;
 }
 index = 0;
 list = complete_line (text, line_buffer, point);
diff --git a/gdb/testsuite/ChangeLog b/gdb/testsuite/ChangeLog
index efa6234ca0..d5ae44852e 100644
--- a/gdb/testsuite/ChangeLog
+++ b/gdb/testsuite/ChangeLog
@@ -1,3 +1,7 @@
+2008-12-22 Jan Kratochvil
+
+ * gdb.base/completion.exp (Completing non-existing component): New test.
+
 2008-12-21 Jan Kratochvil Fix for PR gdb/8648.
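Review bot: The comment line added in line_completion_function (gdb/completer.c) is hard to parse and does not say what goes wrong if LIST stays set; I would reword it as `complete_line may exit through error (), so clear LIST now or the next call would xfree it a second time.` The fix relies on LIST outliving the call, so it is presumably a static declared above the hunk. The code after the hunk that reads LIST on later calls should be checked to tolerate NULL once a completion has been aborted. The function starts and ends outside the hunk, so that part cannot be confirmed from here.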
diff --git a/gdb/testsuite/gdb.base/completion.exp b/gdb/testsuite/gdb.base/completion.exp
index d0d0dd6ba3..2d94fcab47 100644
--- a/gdb/testsuite/gdb.base/completion.exp
+++ b/gdb/testsuite/gdb.base/completion.exp
@@ -805,6 +805,24 @@ gdb_expect { timeout { fail "(timeout) complete 'set follow-fork-mode'" } }
+send_gdb "p values\[0\].nonex.\t"
+gdb_expect {
+ -re "Type struct some_struct has no component named nonex.\r\n$gdb_prompt $"\
+ { pass "Completing non-existing component" }
+ -re ".*$gdb_prompt $" { fail "Completing non-existing component" }
+ timeout { fail "(timeout) Completing non-existing component" }
+ eof { fail "(eof) Completing non-existing component #2" }
+ }
+# Double memory freeing gets found only on the second run:
+send_gdb "p values\[0\].nonex.\t"
+gdb_expect {
+ -re "Type struct some_struct has no component named nonex.\r\n$gdb_prompt $"\
+ { pass "Completing non-existing component #2" }
+ -re ".*$gdb_prompt $" { fail "Completing non-existing component #2" }
+ timeout { fail "(timeout) Completing non-existing component #2" }
+ eof { fail "(eof) Completing non-existing component #2" }
+ }
+
 # Restore globals modified in this test...
 if [info exists old_inputrc] {
 set env(INPUTRC) $old_inputrc
--
2.11.0
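Review bot: The eof branch of the first new gdb_expect block reports under the second test's name, `"(eof) Completing non-existing component #2"`, so a GDB crash on the first completion would be logged against the wrong test and the two results would share one name; it should read `eof { fail "(eof) Completing non-existing component" }`. The second run only catches the regression if the double xfree actually kills GDB or corrupts its output, which probably depends on the allocator's checking. A short comment saying so next to `# Double memory freeing gets found only on the second run:` would help whoever sees this test pass on a host with a lenient malloc.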