
#1192 ESQL: double-free in vcache

unclassified
accepted
3
2026-02-07
2026-02-07
No

This bug report was provided by openSUSE user Jan Engelhardt when trying an updated build of GC32 with the current ESQL from contrib, freshly built from gnucobol-sql-3.0.tar.gz from the files area (not the trunk sources from https://sourceforge.net/p/gnucobol/contrib/HEAD/tree/trunk/esql/ ):

osc co devel:languages:misc/gnucobol
cd devel/languages/misc/gnucobol
osc build --debuginfo
su + rpm -U esql.rpm esql-debuginfo.rpm esql-debugsource.rpm gnucobol-debuginfo.rpm


$ gdb /usr/bin/esqlOC 
(gdb) r
Starting program: /usr/bin/esqlOC 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
/usr/bin/esqlOC: ESQL for GnuCOBOL/OpenCOBOL Version 3 (2022.01.03) Build Feb  7 2026
Usage: /usr/bin/esqlOC [-Q] [-F] [-static] [-I <copybook-directory> [| -I <copybook-directory>]] [-o <output-file>] <filename> ...
       -Q        Use double quotes
       -F        Force unknown SQL statements to be accepted as "execute immediate"
       -static   Use static calls to OCSQL library

Program received signal SIGSEGV, Segmentation fault.
string::~string (this=0x555555574890 <blanks>) at /usr/src/debug/gnucobol-3.2/gnucobol-sql-3.0/esqlOC/vcache.h:161
161                     gc.remove(this);
Missing separate debuginfos, use: zypper install libstdc++6-debuginfo-16.0.1+git7040-2.1.x86_64 libgcc_s1-debuginfo-16.0.1+git7040-2.1.x86_64
(gdb) bt
#0  string::~string (this=0x555555574890 <blanks>) at /usr/src/debug/gnucobol-3.2/gnucobol-sql-3.0/esqlOC/vcache.h:161
#1  0x00007ffff78453d1 in __run_exit_handlers (status=16, listp=0x7ffff79f7680 <__exit_funcs>, 
    run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:118
#2  0x00007ffff78454b0 in __GI_exit (status=<optimized out>) at exit.c:148
#3  0x00007ffff782b302 in __libc_start_call_main (main=main@entry=0x555555556400 <main(int, char**)>, argc=argc@entry=1, 
    argv=argv@entry=0x7fffffffdc58) at ../sysdeps/nptl/libc_start_call_main.h:74
#4  0x00007ffff782b3cb in __libc_start_main_impl (main=0x555555556400 <main(int, char**)>, argc=1, argv=0x7fffffffdc58, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdc48)
    at ../csu/libc-start.c:360
#5  0x0000555555556c25 in _start () at ../sysdeps/x86_64/start.S:115

That looks like a use-after-free, in particular this is the so-called

Static Initialization Order Fiasco
(or in this case, deinitialization fiasco)

vcache.cpp: string::gc already had its destructor run,
and now
esqlOC.cpp: string blanks is going to get destructed, but: too bad gc is already gone, so gc.remove(this) is illegal.

Remember kids, DON'T DO globals without also using unique_ptr/shared_ptr.
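As an added example (not code from the ESQL/GnuCOBOL sources; `Registry` and `Tracked` are hypothetical stand-ins for vcache.h's `gc` registry and the global `string blanks`), this C++ file shows the fiasco-prone layout the backtrace describes and the shared-ownership repair the note above recommends:

```cpp
// Added example, not code from GnuCOBOL ESQL; Registry and Tracked are
// hypothetical stand-ins for vcache.h's gc registry and the global `blanks`.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>

struct Registry {
    std::set<const void*> live;
    void add(const void* p)    { live.insert(p); }
    void remove(const void* p) { live.erase(p); }
};

// Fiasco-prone shape from the backtrace (not compiled here):
//   vcache.cpp:  Registry gc;       // namespace-scope global in one TU
//   esqlOC.cpp:  Tracked  blanks;   // namespace-scope global in another
// C++ fixes no relative destruction order for statics in different TUs,
// so `blanks` may be destroyed after `gc` and call gc.remove(this) on a
// dead object, which is the SIGSEGV in ~string during exit handlers.

// Repair: hand the registry out through a shared_ptr kept in a function-local
// static (construct-on-first-use). Each Tracked holds its own reference, so
// the Registry outlives every Tracked regardless of global teardown order.
std::shared_ptr<Registry> registry() {
    static std::shared_ptr<Registry> r = std::make_shared<Registry>();
    return r;
}

struct Tracked {
    std::shared_ptr<Registry> gc = registry();   // pins the registry for *this
    Tracked()  { gc->add(this); }
    ~Tracked() { gc->remove(this); }             // gc is guaranteed alive here
};

Tracked blanks;   // namespace-scope global like esqlOC.cpp's; safe at exit now

// Observable state for checking the behaviour.
std::size_t live_count() { return registry()->live.size(); }
// Tracked objects currently pinning the registry (use_count minus the
// function-local static and the temporary returned by registry()).
long holders() { return registry().use_count() - 2; }

int main() {
    Tracked a;
    std::printf("live=%zu holders=%ld\n", live_count(), holders()); // live=2 holders=2
    return 0;
}
```

The function-local static alone already orders destruction correctly for objects whose constructor calls `registry()`, since statics are destroyed in reverse order of completed construction; the `shared_ptr` additionally keeps the registry alive for any holder whatever the order, which is the unique_ptr/shared_ptr advice above.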

Note that while the version is outdated (we should definitely bump the version to 3.1 and make a release), the code leading to the segfault does not seem to be part of the changes (judging only from a quick svn diff).
