source: branches/3.2/mindi-busybox/shell/hush.c @ 3232

Last change on this file since 3232 was 3232, checked in by Bruno Cornec, 7 years ago
  • Update mindi-busybox to 1.21.1
1/* vi: set sw=4 ts=4: */
2/*
3 * A prototype Bourne shell grammar parser.
4 * Intended to follow the original Thompson and Ritchie
5 * "small and simple is beautiful" philosophy, which
6 * incidentally is a good match to today's BusyBox.
7 *
8 * Copyright (C) 2000,2001  Larry Doolittle <larry@doolittle.boa.org>
9 * Copyright (C) 2008,2009  Denys Vlasenko <vda.linux@googlemail.com>
10 *
11 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
12 *
13 * Credits:
14 *      The parser routines proper are all original material, first
15 *      written Dec 2000 and Jan 2001 by Larry Doolittle.  The
16 *      execution engine, the builtins, and much of the underlying
17 *      support has been adapted from busybox-0.49pre's lash, which is
18 *      Copyright (C) 1999-2004 by Erik Andersen <andersen@codepoet.org>
19 *      written by Erik Andersen <andersen@codepoet.org>.  That, in turn,
20 *      is based in part on ladsh.c, by Michael K. Johnson and Erik W.
21 *      Troan, which they placed in the public domain.  I don't know
22 *      how much of the Johnson/Troan code has survived the repeated
23 *      rewrites.
24 *
25 * Other credits:
26 *      o_addchr derived from similar w_addchar function in glibc-2.2.
27 *      parse_redirect, redirect_opt_num, and big chunks of main
28 *      and many builtins derived from contributions by Erik Andersen.
29 *      Miscellaneous bugfixes from Matt Kraai.
30 *
31 * There are two big (and related) architecture differences between
32 * this parser and the lash parser.  One is that this version is
33 * actually designed from the ground up to understand nearly all
34 * of the Bourne grammar.  The second, consequential change is that
35 * the parser and input reader have been turned inside out.  Now,
36 * the parser is in control, and asks for input as needed.  The old
37 * way had the input reader in control, and it asked for parsing to
38 * take place as needed.  The new way makes it much easier to properly
39 * handle the recursion implicit in the various substitutions, especially
40 * across continuation lines.
41 *
42 * TODOs:
43 *      grep for "TODO" and fix (some of them are easy)
44 *      special variables (done: PWD, PPID, RANDOM)
45 *      tilde expansion
46 *      aliases
47 *      follow IFS rules more precisely, including update semantics
48 *      builtins mandated by standards we don't support:
49 *          [un]alias, command, fc, getopts, newgrp, readonly, times
50 *      make complex ${var%...} constructs support optional
51 *      make here documents optional
52 *
53 * Bash compat TODO:
54 *      redirection of stdout+stderr: &> and >&
55 *      reserved words: function select
56 *      advanced test: [[ ]]
57 *      process substitution: <(list) and >(list)
58 *      =~: regex operator
59 *      let EXPR [EXPR...]
60 *          Each EXPR is an arithmetic expression (ARITHMETIC EVALUATION)
61 *          If the last arg evaluates to 0, let returns 1; 0 otherwise.
62 *          NB: let `echo 'a=a + 1'` - error (IOW: multi-word expansion is used)
63 *      ((EXPR))
64 *          The EXPR is evaluated according to ARITHMETIC EVALUATION.
65 *          This is exactly equivalent to let "EXPR".
66 *      $[EXPR]: synonym for $((EXPR))
67 *
68 * Won't do:
69 *      In bash, export builtin is special, its arguments are assignments
70 *          and therefore expansion of them should be "one-word" expansion:
71 *              $ export i=`echo 'a  b'` # export has one arg: "i=a  b"
72 *          compare with:
73 *              $ ls i=`echo 'a  b'`     # ls has two args: "i=a" and "b"
74 *              ls: cannot access i=a: No such file or directory
75 *              ls: cannot access b: No such file or directory
76 *          Note1: same applies to local builtin.
77 *          Note2: bash 3.2.33(1) does this only if export word itself
78 *          is not quoted:
79 *              $ export i=`echo 'aaa  bbb'`; echo "$i"
80 *              aaa  bbb
81 *              $ "export" i=`echo 'aaa  bbb'`; echo "$i"
82 *              aaa
83 */
84#if !(defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) \
85    || defined(__APPLE__) \
86    )
87# include <malloc.h>   /* for malloc_trim */
88#endif
89#include <glob.h>
90/* #include <dmalloc.h> */
91#if ENABLE_HUSH_CASE
92# include <fnmatch.h>
93#endif
94
95#include "busybox.h"  /* for APPLET_IS_NOFORK/NOEXEC */
96#include "unicode.h"
97#include "shell_common.h"
98#include "math.h"
99#include "match.h"
100#if ENABLE_HUSH_RANDOM_SUPPORT
101# include "random.h"
102#else
103# define CLEAR_RANDOM_T(rnd) ((void)0)
104#endif
105#ifndef PIPE_BUF
106# define PIPE_BUF 4096  /* amount of buffering in a pipe */
107#endif
108
109//config:config HUSH
110//config:   bool "hush"
111//config:   default y
112//config:   help
113//config:     hush is a small shell (25k). It handles the normal flow control
114//config:     constructs such as if/then/elif/else/fi, for/in/do/done, while loops,
115//config:     case/esac. Redirections, here documents, $((arithmetic))
116//config:     and functions are supported.
117//config:
118//config:     It will compile and work on no-mmu systems.
119//config:
120//config:     It does not handle select, aliases, tilde expansion,
121//config:     &>file and >&file redirection of stdout+stderr.
122//config:
123//config:config HUSH_BASH_COMPAT
124//config:   bool "bash-compatible extensions"
125//config:   default y
126//config:   depends on HUSH
127//config:   help
128//config:     Enable bash-compatible extensions.
129//config:
130//config:config HUSH_BRACE_EXPANSION
131//config:   bool "Brace expansion"
132//config:   default y
133//config:   depends on HUSH_BASH_COMPAT
134//config:   help
135//config:     Enable {abc,def} extension.
136//config:
137//config:config HUSH_HELP
138//config:   bool "help builtin"
139//config:   default y
140//config:   depends on HUSH
141//config:   help
142//config:     Enable help builtin in hush. Code size + ~1 kbyte.
143//config:
144//config:config HUSH_INTERACTIVE
145//config:   bool "Interactive mode"
146//config:   default y
147//config:   depends on HUSH
148//config:   help
149//config:     Enable interactive mode (prompt and command editing).
150//config:     Without this, hush simply reads and executes commands
151//config:     from stdin just like a shell script from a file.
152//config:     No prompt, no PS1/PS2 magic shell variables.
153//config:
154//config:config HUSH_SAVEHISTORY
155//config:   bool "Save command history to .hush_history"
156//config:   default y
157//config:   depends on HUSH_INTERACTIVE && FEATURE_EDITING_SAVEHISTORY
158//config:   help
159//config:     Enable history saving in hush.
160//config:
161//config:config HUSH_JOB
162//config:   bool "Job control"
163//config:   default y
164//config:   depends on HUSH_INTERACTIVE
165//config:   help
166//config:     Enable job control: Ctrl-Z backgrounds, Ctrl-C interrupts current
167//config:     command (not entire shell), fg/bg builtins work. Without this option,
168//config:     "cmd &" still works by simply spawning a process and immediately
169//config:     prompting for next command (or executing next command in a script),
170//config:     but no separate process group is formed.
171//config:
172//config:config HUSH_TICK
173//config:   bool "Command substitution"
174//config:   default y
175//config:   depends on HUSH
176//config:   help
177//config:     Enable command substitution `command` and $(command) in hush.
178//config:
179//config:config HUSH_IF
180//config:   bool "Support if/then/elif/else/fi"
181//config:   default y
182//config:   depends on HUSH
183//config:   help
184//config:     Enable if/then/elif/else/fi in hush.
185//config:
186//config:config HUSH_LOOPS
187//config:   bool "Support for, while and until loops"
188//config:   default y
189//config:   depends on HUSH
190//config:   help
191//config:     Enable for, while and until loops in hush.
192//config:
193//config:config HUSH_CASE
194//config:   bool "Support case ... esac statement"
195//config:   default y
196//config:   depends on HUSH
197//config:   help
198//config:     Enable case ... esac statement in hush. +400 bytes.
199//config:
200//config:config HUSH_FUNCTIONS
201//config:   bool "Support funcname() { commands; } syntax"
202//config:   default y
203//config:   depends on HUSH
204//config:   help
205//config:     Enable support for shell functions in hush. +800 bytes.
206//config:
207//config:config HUSH_LOCAL
208//config:   bool "Support local builtin"
209//config:   default y
210//config:   depends on HUSH_FUNCTIONS
211//config:   help
212//config:     Enable support for local variables in functions.
213//config:
214//config:config HUSH_RANDOM_SUPPORT
215//config:   bool "Pseudorandom generator and $RANDOM variable"
216//config:   default y
217//config:   depends on HUSH
218//config:   help
219//config:     Enable pseudorandom generator and dynamic variable "$RANDOM".
220//config:     Each read of "$RANDOM" will generate a new pseudorandom value.
221//config:
222//config:config HUSH_EXPORT_N
223//config:   bool "Support 'export -n' option"
224//config:   default y
225//config:   depends on HUSH
226//config:   help
227//config:     export -n unexports variables. It is a bash extension.
228//config:
229//config:config HUSH_MODE_X
230//config:   bool "Support 'hush -x' option and 'set -x' command"
231//config:   default y
232//config:   depends on HUSH
233//config:   help
234//config:     This instructs hush to print commands before execution.
235//config:     Adds ~300 bytes.
236//config:
237//config:config MSH
238//config:   bool "msh (deprecated: aliased to hush)"
239//config:   default n
240//config:   select HUSH
241//config:   help
242//config:     msh is deprecated and will be removed, please migrate to hush.
243//config:
244
245//applet:IF_HUSH(APPLET(hush, BB_DIR_BIN, BB_SUID_DROP))
246//applet:IF_MSH(APPLET(msh, BB_DIR_BIN, BB_SUID_DROP))
247//applet:IF_FEATURE_SH_IS_HUSH(APPLET_ODDNAME(sh, hush, BB_DIR_BIN, BB_SUID_DROP, sh))
248//applet:IF_FEATURE_BASH_IS_HUSH(APPLET_ODDNAME(bash, hush, BB_DIR_BIN, BB_SUID_DROP, bash))
249
250//kbuild:lib-$(CONFIG_HUSH) += hush.o match.o shell_common.o
251//kbuild:lib-$(CONFIG_HUSH_RANDOM_SUPPORT) += random.o
252
253/* -i (interactive) and -s (read stdin) are also accepted,
254 * but currently do nothing, therefore aren't shown in help.
255 * NOMMU-specific options are not meant to be used by users,
256 * therefore we don't show them either.
257 */
258//usage:#define hush_trivial_usage
259//usage:    "[-nxl] [-c 'SCRIPT' [ARG0 [ARGS]] / FILE [ARGS]]"
260//usage:#define hush_full_usage "\n\n"
261//usage:    "Unix shell interpreter"
262
263//usage:#define msh_trivial_usage hush_trivial_usage
264//usage:#define msh_full_usage hush_full_usage
265
266//usage:#if ENABLE_FEATURE_SH_IS_HUSH
267//usage:# define sh_trivial_usage hush_trivial_usage
268//usage:# define sh_full_usage    hush_full_usage
269//usage:#endif
270//usage:#if ENABLE_FEATURE_BASH_IS_HUSH
271//usage:# define bash_trivial_usage hush_trivial_usage
272//usage:# define bash_full_usage    hush_full_usage
273//usage:#endif
274
275
276/* Build knobs */
/* NOTE(review): LEAK_HUNTING is only defined in this part of the file;
 * what it enables is not visible here. */
277#define LEAK_HUNTING 0
/* Nonzero forces the NOMMU configuration: the "#if BUILD_AS_NOMMU" block
 * below redefines BB_MMU to 0, makes USE_FOR_NOMMU(...) expand to its
 * arguments and USE_FOR_MMU(...) expand to nothing. */
278#define BUILD_AS_NOMMU 0
279/* Enable/disable sanity checks. Ok to enable in production,
280 * only adds a bit of bloat. Set to >1 to get non-production level verbosity.
281 * Keeping 1 for now even in released versions.
282 */
/* With the value 1 used here, everything guarded by "#if HUSH_DEBUG" in this
 * file is compiled in: the builtin_memleak prototype, the "memleak" row of
 * bltins1[], and the memleak_value/debug_indent members of struct globals. */
283#define HUSH_DEBUG 1
284/* Slightly bigger (+200 bytes), but faster hush.
285 * So far it only enables a trick with counting SIGCHLDs and forks,
286 * which allows us to do fewer waitpid's.
287 * (we can detect a case where neither forks were done nor SIGCHLDs happened
288 * and therefore waitpid will return the same result as last time)
289 */
290#define ENABLE_HUSH_FAST 0
291/* TODO: implement simplified code for users which do not need ${var%...} ops
292 * So far ${var%...} ops are always enabled:
293 */
294#define ENABLE_HUSH_DOLLAR_OPS 1
295
296
/* Applies the BUILD_AS_NOMMU knob: drop whatever the build system defined
 * for the MMU/NOMMU helper macros and replace them with the NOMMU variants. */
297#if BUILD_AS_NOMMU
298# undef BB_MMU
299# undef USE_FOR_NOMMU
300# undef USE_FOR_MMU
301# define BB_MMU 0
302# define USE_FOR_NOMMU(...) __VA_ARGS__
303# define USE_FOR_MMU(...)
304#endif
305
306#include "NUM_APPLETS.h"
/* With a single applet in the build, force the standalone-shell feature off:
 * its ENABLE_ switch becomes 0, IF_FEATURE_SH_STANDALONE(...) expands to
 * nothing and IF_NOT_FEATURE_SH_STANDALONE(...) expands to its arguments. */
307#if NUM_APPLETS == 1
308/* STANDALONE does not make sense, and won't compile */
309# undef CONFIG_FEATURE_SH_STANDALONE
310# undef ENABLE_FEATURE_SH_STANDALONE
311# undef IF_FEATURE_SH_STANDALONE
312# undef IF_NOT_FEATURE_SH_STANDALONE
313# define ENABLE_FEATURE_SH_STANDALONE 0
314# define IF_FEATURE_SH_STANDALONE(...)
315# define IF_NOT_FEATURE_SH_STANDALONE(...) __VA_ARGS__
316#endif
317
/* When interactive mode is compiled out, the three line-editing switches
 * below are forced to 0 for this file, whatever the global configuration
 * set them to. */
318#if !ENABLE_HUSH_INTERACTIVE
319# undef ENABLE_FEATURE_EDITING
320# define ENABLE_FEATURE_EDITING 0
321# undef ENABLE_FEATURE_EDITING_FANCY_PROMPT
322# define ENABLE_FEATURE_EDITING_FANCY_PROMPT 0
323# undef ENABLE_FEATURE_EDITING_SAVE_ON_EXIT
324# define ENABLE_FEATURE_EDITING_SAVE_ON_EXIT 0
325#endif
326
327/* Do we support ANY keywords? */
/* HAS_KEYWORDS is 1 when at least one of if / loops / case is enabled.
 * IF_HAS_KEYWORDS(x) then expands to x and IF_HAS_NO_KEYWORDS(x) to nothing;
 * with no keyword support the two expansions are swapped. */
328#if ENABLE_HUSH_IF || ENABLE_HUSH_LOOPS || ENABLE_HUSH_CASE
329# define HAS_KEYWORDS 1
330# define IF_HAS_KEYWORDS(...) __VA_ARGS__
331# define IF_HAS_NO_KEYWORDS(...)
332#else
333# define HAS_KEYWORDS 0
334# define IF_HAS_KEYWORDS(...)
335# define IF_HAS_NO_KEYWORDS(...) __VA_ARGS__
336#endif
337
338/* If you comment out one of these below, it will be #defined later
339 * to perform debug printfs to stderr: */
/* As defined here, every debug macro discards its arguments and expands to
 * an empty statement, so the arguments are never evaluated: an expression
 * with side effects placed in a debug_printf*() call silently disappears
 * in this configuration. */
340#define debug_printf(...)        do {} while (0)
341/* Finer-grained debug switches */
342#define debug_printf_parse(...)  do {} while (0)
343#define debug_print_tree(a, b)   do {} while (0)
344#define debug_printf_exec(...)   do {} while (0)
345#define debug_printf_env(...)    do {} while (0)
346#define debug_printf_jobs(...)   do {} while (0)
347#define debug_printf_expand(...) do {} while (0)
348#define debug_printf_varexp(...) do {} while (0)
349#define debug_printf_glob(...)   do {} while (0)
350#define debug_printf_list(...)   do {} while (0)
351#define debug_printf_subst(...)  do {} while (0)
352#define debug_printf_clean(...)  do {} while (0)
353
/* Sentinel pointer with the value 1: non-NULL, yet not the address of any
 * object. It is only meaningful in comparisons and must never be
 * dereferenced. NOTE(review): its users are outside this part of the file. */
354#define ERR_PTR ((void*)(long)1)
355
/* printf format with an int and two strings: the first string is padded to
 * at least 22 columns (not truncated), the second is cut at 40 characters. */
356#define JOB_STATUS_FORMAT    "[%d] %-22s %.40s\n"
357
/* Three views of one literal, obtained by skipping leading characters:
 *   _SPECIAL_VARS_STR     the full set, including '_'
 *   SPECIAL_VARS_STR      skips '_'          -> "*@$!?#"
 *   NUMERIC_SPECVARS_STR  skips '_', '*', '@' -> "$!?#"
 * NOTE(review): _SPECIAL_VARS_STR begins with an underscore followed by an
 * uppercase letter, a name form that C reserves for the implementation. */
358#define _SPECIAL_VARS_STR     "_*@$!?#"
359#define SPECIAL_VARS_STR     ("_*@$!?#" + 1)
360#define NUMERIC_SPECVARS_STR ("_*@$!?#" + 3)
361#if ENABLE_HUSH_BASH_COMPAT
362/* Support / and // replace ops */
363/* Note that // is stored as \ in "encoded" string representation */
/* VAR_SUBST_OPS skips the leading backslash of the encoded set;
 * MINUS_PLUS_EQUAL_QUESTION skips five characters and is "-=+?". */
364# define VAR_ENCODED_SUBST_OPS      "\\/%#:-=+?"
365# define VAR_SUBST_OPS             ("\\/%#:-=+?" + 1)
366# define MINUS_PLUS_EQUAL_QUESTION ("\\/%#:-=+?" + 5)
367#else
/* Without bash compatibility the encoded and plain sets are the same string;
 * MINUS_PLUS_EQUAL_QUESTION skips three characters and is again "-=+?". */
368# define VAR_ENCODED_SUBST_OPS      "%#:-=+?"
369# define VAR_SUBST_OPS              "%#:-=+?"
370# define MINUS_PLUS_EQUAL_QUESTION ("%#:-=+?" + 3)
371#endif
372
/* Byte value 3 is the control character ^C. The comment on struct command's
 * argv describes variable references stored as ^Cvar^C, so this is
 * presumably that in-band marker - confirm at the places that emit it.
 * NOTE(review): an in-band marker only works if a raw byte 3 arriving in
 * shell input cannot be mistaken for it; that handling is not visible here. */
373#define SPECIAL_VAR_SYMBOL   3
374
/* Forward declaration: nommu_save_t below holds a struct variable pointer
 * before the full definition appears. */
375struct variable;
376
/* A "HUSH_VERSION=" string followed by the BB_VER build constant, i.e. a
 * ready-made "name=value" string.
 * NOTE(review): where it is installed as a variable is not visible here. */
377static const char hush_version_str[] ALIGN1 = "HUSH_VERSION="BB_VER;
378
379/* This supports saving pointers malloced in vfork child,
380 * to be freed in the parent.
381 */
/* Only compiled when BB_MMU is 0. Every member is a pointer slot;
 * NOTE(review): per the comment above the parent frees what the child
 * stored here, so each slot needs exactly one owner - the code that fills
 * and frees them is outside this part of the file. */
382#if !BB_MMU
383typedef struct nommu_save_t {
384    char **new_env;
385    struct variable *old_vars;
386    char **argv;
387    char **argv_from_re_execing;
388} nommu_save_t;
389#endif
390
/* Reserved-word codes. Only RES_NONE has an explicit value; every later
 * enumerator is numbered by position, and most are conditionally compiled,
 * so their numeric values change with the build configuration. Compare
 * against the names, never against literal numbers.
 * IS_NULL_PIPE() tests a pipe's res_word against RES_NONE.
 * NOTE(review): RES_XXXX and RES_SNTX are not explained in this part of
 * the file (RES_SNTX presumably marks a syntax error). */
391enum {
392    RES_NONE  = 0,
393#if ENABLE_HUSH_IF
394    RES_IF    ,
395    RES_THEN  ,
396    RES_ELIF  ,
397    RES_ELSE  ,
398    RES_FI    ,
399#endif
400#if ENABLE_HUSH_LOOPS
401    RES_FOR   ,
402    RES_WHILE ,
403    RES_UNTIL ,
404    RES_DO    ,
405    RES_DONE  ,
406#endif
407#if ENABLE_HUSH_LOOPS || ENABLE_HUSH_CASE
408    RES_IN    ,
409#endif
410#if ENABLE_HUSH_CASE
411    RES_CASE  ,
412    /* three pseudo-keywords support contrived "case" syntax: */
413    RES_CASE_IN,   /* "case ... IN", turns into RES_MATCH when IN is observed */
414    RES_MATCH ,    /* "word)" */
415    RES_CASE_BODY, /* "this command is inside CASE" */
416    RES_ESAC  ,
417#endif
418    RES_XXXX  ,
419    RES_SNTX
420};
421
/* Output string being built up, plus the flags that steer its expansion.
 * NOTE(review): length and maxlen are plain int; the code that grows data
 * is outside this part of the file and has to keep both from overflowing. */
422typedef struct o_string {
423    char *data;
424    int length; /* position where data is appended */
425    int maxlen; /* NOTE(review): presumably the allocated size of data - confirm */
426    int o_expflags; /* holds EXP_FLAG_xxx bits, judging by the enum below */
427    /* At least some part of the string was inside '' or "",
428     * possibly empty one: word"", wo''rd etc. */
429    smallint has_quoted_part;
430    smallint has_empty_slot;
    /* The trailing comment lists three states, but the enum further down
     * also defines WORD_IS_KEYWORD = 3. */
431    smallint o_assignment; /* 0:maybe, 1:yes, 2:no */
432} o_string;
/* Expansion flags; the values are distinct bits. */
433enum {
434    EXP_FLAG_SINGLEWORD     = 0x80, /* must be 0x80 */
435    EXP_FLAG_GLOB           = 0x2,
436    /* Protect newly added chars against globbing
437     * by prepending \ to *, ?, [, \ */
438    EXP_FLAG_ESC_GLOB_CHARS = 0x1,
439};
/* States for o_string.o_assignment. The numeric values double as indexes
 * into the debug-only assignment_flag[] name table, so the two must stay
 * in the same order. */
440enum {
441    MAYBE_ASSIGNMENT      = 0,
442    DEFINITELY_ASSIGNMENT = 1,
443    NOT_ASSIGNMENT        = 2,
444    /* Not an assignment, but next word may be: "if v=xyz cmd;" */
445    WORD_IS_KEYWORD       = 3,
446};
447/* Used for initialization: o_string foo = NULL_O_STRING; */
/* Only data is named in the initializer; C zero-initializes the remaining
 * members, so length, maxlen and all flags start at 0. */
448#define NULL_O_STRING { NULL }
449
/* Printable names for the MAYBE_ASSIGNMENT..WORD_IS_KEYWORD states, in enum
 * order (index 0..3). The table exists only when debug_printf_parse is not
 * defined as a macro at this point, i.e. when its stub definition earlier
 * in the file has been commented out to enable parse debugging.
 * The table has exactly four entries, so an index outside 0..3 would read
 * past its end. */
450#ifndef debug_printf_parse
451static const char *const assignment_flag[] = {
452    "MAYBE_ASSIGNMENT",
453    "DEFINITELY_ASSIGNMENT",
454    "NOT_ASSIGNMENT",
455    "WORD_IS_KEYWORD",
456};
457#endif
458
/* Input source handed to the parser. Characters are obtained through the
 * get/peek function pointers, which the i_getch()/i_peek() macros below
 * call with the in_str itself as argument.
 * NOTE(review): presumably p serves string input and file serves stream
 * input; the functions installed in get/peek are outside this part of the
 * file. Both pointers must be set before i_getch()/i_peek() are used. */
459typedef struct in_str {
460    const char *p;
461    /* eof_flag=1: last char in ->p is really an EOF */
462    char eof_flag; /* meaningless if ->p == NULL */
463    char peek_buf[2]; /* two bytes only; NOTE(review): how it is filled is not visible here */
464#if ENABLE_HUSH_INTERACTIVE
465    smallint promptmode; /* 0: PS1, 1: PS2 */
466#endif
467    int last_char;
468    FILE *file;
469    int (*get) (struct in_str *) FAST_FUNC;
470    int (*peek) (struct in_str *) FAST_FUNC;
471} in_str;
/* Both macros evaluate their argument twice (once to fetch the function
 * pointer, once as the call argument): pass a plain variable, not an
 * expression with side effects. */
472#define i_getch(input) ((input)->get(input))
473#define i_peek(input) ((input)->peek(input))
474
475/* The descrip member of this structure is only used to make
476 * debugging output pretty */
/* One row per redirection operator: open() flags, the fd used when the
 * operator is written without an explicit fd number, and the operator text.
 * The five rows are in the same order as REDIRECT_INPUT..REDIRECT_HEREDOC
 * (0..4) in enum redir_type.
 * NOTE(review): presumably the table is indexed by rd_type. If so,
 * REDIRECT_HEREDOC2 (5) has no row and must never be used as an index -
 * confirm at the lookup sites.
 * NOTE(review): no row sets O_EXCL or O_NOFOLLOW and the table carries no
 * permission bits; the mode given to files created through O_CREAT is
 * chosen where open() is called, outside this part of the file. */
477static const struct {
478    int mode;
479    signed char default_fd;
480    char descrip[3]; /* ">>" etc. fill 2 bytes, the third is the NUL */
481} redir_table[] = {
482    { O_RDONLY,                  0, "<"  },
483    { O_CREAT|O_TRUNC|O_WRONLY,  1, ">"  },
484    { O_CREAT|O_APPEND|O_WRONLY, 1, ">>" },
485    { O_CREAT|O_RDWR,            1, "<>" },
486    { O_RDONLY,                  0, "<<" },
487/* Should not be needed. Bogus default_fd helps in debugging */
488/*  { O_RDONLY,                 77, "<<" }, */
489};
490
/* One redirection attached to a command; the redirections of a command
 * form a singly linked list through next. */
491struct redir_struct {
492    struct redir_struct *next;
493    char *rd_filename;          /* filename */
494    int rd_fd;                  /* fd to redirect */
495    /* fd to redirect to, or -3 if rd_fd is to be closed (n>&-) */
    /* -3 is REDIRFD_CLOSE in enum redir_type below. rd_dup is overloaded:
     * for heredocs it is a HEREDOC_xxx bitmask instead (see the note at the
     * end of this struct), so its meaning depends on rd_type. */
496    int rd_dup;
497    smallint rd_type;           /* (enum redir_type) */
498    /* note: for heredocs, rd_filename contains heredoc delimiter,
499     * and subsequently heredoc itself; and rd_dup is a bitmask:
500     * bit 0: do we need to trim leading tabs?
501     * bit 1: is heredoc quoted (<<'delim' syntax) ?
502     */
503};
/* Three unrelated value sets share this one enum:
 *   REDIRECT_xxx (0..5)    kinds of redirection, stored in rd_type;
 *   REDIRFD_xxx (negative) special values for rd_dup in place of a real fd;
 *   HEREDOC_xxx (1, 2)     bit flags kept in rd_dup for heredocs.
 * Several of them have equal numeric values (for example REDIRECT_OVERWRITE
 * and HEREDOC_SKIPTABS are both 1), so the enum type gives no protection
 * against using a constant from the wrong set. */
504typedef enum redir_type {
505    REDIRECT_INPUT     = 0,
506    REDIRECT_OVERWRITE = 1,
507    REDIRECT_APPEND    = 2,
508    REDIRECT_IO        = 3,
509    REDIRECT_HEREDOC   = 4,
510    REDIRECT_HEREDOC2  = 5, /* REDIRECT_HEREDOC after heredoc is loaded */
511
512    REDIRFD_CLOSE      = -3,
513    REDIRFD_SYNTAX_ERR = -2,
514    REDIRFD_TO_FILE    = -1,
515    /* otherwise, rd_fd is redirected to rd_dup */
516
517    HEREDOC_SKIPTABS = 1,
518    HEREDOC_QUOTED   = 2,
519} redir_type;
520
521
/* One element of a pipe: either a simple command (argv) or a group of
 * nested pipes (group), with its redirections. struct pipe holds an array
 * of these in its cmds member. */
522struct command {
523    pid_t pid;                  /* 0 if exited */
524    int assignment_cnt;         /* how many argv[i] are assignments? */
525    smallint cmd_type;          /* CMD_xxx */
/* CMD_SINGLEWORD_NOGLOB and CMD_FUNCDEF are defined only when the matching
 * feature is enabled, so code using them needs the same #if guards. */
526#define CMD_NORMAL   0
527#define CMD_SUBSHELL 1
528#if ENABLE_HUSH_BASH_COMPAT
529/* used for "[[ EXPR ]]" */
530# define CMD_SINGLEWORD_NOGLOB 2
531#endif
532#if ENABLE_HUSH_FUNCTIONS
533# define CMD_FUNCDEF 3
534#endif
535
536    smalluint cmd_exitcode;
537    /* if non-NULL, this "command" is { list }, ( list ), or a compound statement */
538    struct pipe *group;
539#if !BB_MMU
540    char *group_as_string;
541#endif
542#if ENABLE_HUSH_FUNCTIONS
543    struct function *child_func;
544/* This field is used to prevent a bug here:
545 * while...do f1() {a;}; f1; f1() {b;}; f1; done
546 * When we execute "f1() {a;}" cmd, we create new function and clear
547 * cmd->group, cmd->group_as_string, cmd->argv[0].
548 * When we execute "f1() {b;}", we notice that f1 exists,
549 * and that its "parent cmd" struct is still "alive",
550 * we put those fields back into cmd->xxx
551 * (struct function has ->parent_cmd ptr to facilitate that).
552 * When we loop back, we can execute "f1() {a;}" again and set f1 correctly.
553 * Without this trick, loop would execute a;b;b;b;...
554 * instead of correct sequence a;b;a;b;...
555 * When command is freed, it severs the link
556 * (sets ->child_func->parent_cmd to NULL).
557 */
/* child_func and function.parent_cmd point at each other. As the comment
 * above says, freeing the command must clear child_func->parent_cmd;
 * otherwise the function would keep a pointer to freed memory. */
558#endif
559    char **argv;                /* command name and arguments */
560/* argv vector may contain variable references (^Cvar^C, ^C0^C etc)
561 * and on execution these are substituted with their values.
562 * Substitution can make _several_ words out of one argv[n]!
563 * Example: argv[0]=='.^C*^C.' here: echo .$*.
564 * References of the form ^C`cmd arg^C are `cmd arg` substitutions.
565 */
566    struct redir_struct *redirects; /* I/O redirections */
567};
568/* Is there anything in this command at all? */
/* True when group, argv and redirects are all NULL. The argument is
 * evaluated three times, so pass a plain pointer expression. */
569#define IS_NULL_CMD(cmd) \
570    (!(cmd)->group && !(cmd)->argv && !(cmd)->redirects)
571
/* A pipeline: an array of commands plus bookkeeping about how many of them
 * are still running or stopped. Pipes are chained through next. */
572struct pipe {
573    struct pipe *next;
574    int num_cmds;               /* total number of commands in pipe */
575    int alive_cmds;             /* number of commands running (not exited) */
576    int stopped_cmds;           /* number of commands alive, but stopped */
577#if ENABLE_HUSH_JOB
578    int jobid;                  /* job number */
579    pid_t pgrp;                 /* process group ID for the job */
580    char *cmdtext;              /* name of job */
581#endif
582    struct command *cmds;       /* array of commands in pipe */
583    smallint followup;          /* PIPE_BG, PIPE_SEQ, PIPE_OR, PIPE_AND */
    /* The next two members exist only when keyword support is compiled in
     * (IF_HAS_KEYWORDS expands to nothing otherwise). */
584    IF_HAS_KEYWORDS(smallint pi_inverted;) /* "! cmd | cmd" */
585    IF_HAS_KEYWORDS(smallint res_word;) /* needed for if, for, while, until... */
586};
/* Values for pipe.followup. Numbering starts at 1, so a zero-filled pipe
 * has a followup that matches none of them. */
587typedef enum pipe_style {
588    PIPE_SEQ = 1,
589    PIPE_AND = 2,
590    PIPE_OR  = 3,
591    PIPE_BG  = 4,
592} pipe_style;
593/* Is there anything in this pipe at all? */
/* True when the pipe has no commands and, if keywords are supported,
 * carries no reserved word either. */
594#define IS_NULL_PIPE(pi) \
595    ((pi)->num_cmds == 0 IF_HAS_KEYWORDS( && (pi)->res_word == RES_NONE))
596
597/* This holds pointers to the various results of parsing */
/* The pipe, command and pending_redirect members point at the element
 * currently under construction, inside the list that starts at list_head. */
598struct parse_context {
599    /* linked list of pipes */
600    struct pipe *list_head;
601    /* last pipe (being constructed right now) */
602    struct pipe *pipe;
603    /* last command in pipe (being constructed right now) */
604    struct command *command;
605    /* last redirect in command->redirects list */
606    struct redir_struct *pending_redirect;
607#if !BB_MMU
    /* NOMMU builds only. NOTE(review): presumably the text of what has
     * been parsed so far - confirm against the code that fills it. */
608    o_string as_string;
609#endif
610#if HAS_KEYWORDS
    /* NOTE(review): ctx_res_w presumably holds a RES_xxx code - confirm. */
611    smallint ctx_res_w;
612    smallint ctx_inverted; /* "! cmd | cmd" */
613#if ENABLE_HUSH_CASE
614    smallint ctx_dsemicolon; /* ";;" seen */
615#endif
616    /* bitmask of FLAG_xxx, for figuring out valid reserved words */
617    int old_flag;
618    /* group we are enclosed in:
619     * example: "if pipe1; pipe2; then pipe3; fi"
620     * when we see "if" or "then", we malloc and copy current context,
621     * and make ->stack point to it. then we parse pipeN.
622     * when closing "then" / fi" / whatever is found,
623     * we move list_head into ->stack->command->group,
624     * copy ->stack into current context, and delete ->stack.
625     * (parsing of { list } and ( list ) doesn't use this method)
626     */
    /* Per the description above one context is malloced for each nested
     * keyword construct. NOTE(review): no nesting limit is visible in this
     * part of the file. */
627    struct parse_context *stack;
628#endif
629};
630
631/* On program start, environ points to initial environment.
632 * putenv adds new pointers into it, unsetenv removes them.
633 * Neither of these (de)allocates the strings.
634 * setenv allocates new strings in malloc space and does putenv,
635 * and thus setenv is unusable (leaky) for shell's purposes */
/* Poison macro: any later setenv(...) in this file turns into a call to
 * setenv_is_leaky_dont_use(). No such function is defined in the visible
 * source, so an accidental use presumably breaks the build instead of
 * leaking at run time. */
636#define setenv(...) setenv_is_leaky_dont_use()
/* One shell variable, linked into a list through next. */
637struct variable {
638    struct variable *next;
639    char *varstr;        /* points to "name=" portion */
640#if ENABLE_HUSH_LOCAL
641    unsigned func_nest_level;
642#endif
    /* max_len also records ownership of varstr: per the comment, only
     * values <= 0 mean the string was malloced, so a string that came from
     * the initial environment must not be passed to free(). */
643    int max_len;         /* if > 0, name is part of initial env; else name is malloced */
644    smallint flg_export; /* putenv should be done on this var */
    /* NOTE(review): the code that enforces the read-only flag is outside
     * this part of the file. */
645    smallint flg_read_only;
646};
647
/* Codes for break/continue. NOTE(review): presumably the values stored in
 * G.flag_break_continue - confirm at the builtins that set it. */
648enum {
649    BC_BREAK = 1,
650    BC_CONTINUE = 2,
651};
652
/* A defined shell function, linked into a list through next. parent_cmd is
 * the back pointer described in the long comment on struct command's
 * child_func: it is cleared when that command is freed. */
653#if ENABLE_HUSH_FUNCTIONS
654struct function {
655    struct function *next;
656    char *name;
657    struct command *parent_cmd;
658    struct pipe *body;
659# if !BB_MMU
660    char *body_as_string;
661# endif
662};
663#endif
664
665
666/* set -/+o OPT support. (TODO: make it optional)
667 * bash supports the following opts:
668 * allexport       off
669 * braceexpand     on
670 * emacs           on
671 * errexit         off
672 * errtrace        off
673 * functrace       off
674 * hashall         on
675 * histexpand      off
676 * history         on
677 * ignoreeof       off
678 * interactive-comments    on
679 * keyword         off
680 * monitor         on
681 * noclobber       off
682 * noexec          off
683 * noglob          off
684 * nolog           off
685 * notify          off
686 * nounset         off
687 * onecmd          off
688 * physical        off
689 * pipefail        off
690 * posix           off
691 * privileged      off
692 * verbose         off
693 * vi              off
694 * xtrace          off
695 */
/* Of the bash options listed above, only the names below are present here.
 * The names are packed back to back, each ending in NUL; the NUL that ends
 * the literal itself leaves an empty string at the end of the list.
 * The order must match the OPT_O_xxx enum that follows, including the
 * ENABLE_HUSH_MODE_X guard around the xtrace entry. */
696static const char o_opt_strings[] ALIGN1 =
697    "pipefail\0"
698    "noexec\0"
699#if ENABLE_HUSH_MODE_X
700    "xtrace\0"
701#endif
702    ;
/* Index of each option; NUM_OPT_O is the count and sizes G.o_opt[] in
 * struct globals. */
703enum {
704    OPT_O_PIPEFAIL,
705    OPT_O_NOEXEC,
706#if ENABLE_HUSH_MODE_X
707    OPT_O_XTRACE,
708#endif
709    NUM_OPT_O
710};
711
712
713/* "Globals" within this file */
714/* Sorted roughly by size (smaller offsets == smaller code) */
/* Member order is deliberate (see the line above), so new members should be
 * placed with that in mind. The struct is reached through the G macro
 * defined after it and is allocated by INIT_G(). */
715struct globals {
716    /* interactive_fd != 0 means we are an interactive shell.
717     * If we are, then saved_tty_pgrp can also be != 0, meaning
718     * that controlling tty is available. With saved_tty_pgrp == 0,
719     * job control still works, but terminal signals
720     * (^C, ^Z, ^Y, ^\) won't work at all, and background
721     * process groups can only be created with "cmd &".
722     * With saved_tty_pgrp != 0, hush will use tcsetpgrp()
723     * to give tty to the foreground process group,
724     * and will take it back when the group is stopped (^Z)
725     * or killed (^C).
726     */
727#if ENABLE_HUSH_INTERACTIVE
728    /* 'interactive_fd' is a fd# open to ctty, if we have one
729     * _AND_ if we decided to act interactively */
730    int interactive_fd;
731    const char *PS1;
732    const char *PS2;
733# define G_interactive_fd (G.interactive_fd)
734#else
    /* Non-interactive builds: the accessor is the constant 0, so tests on
     * it can be folded away by the compiler. */
735# define G_interactive_fd 0
736#endif
737#if ENABLE_FEATURE_EDITING
738    line_input_t *line_input_state;
739#endif
740    pid_t root_pid;
741    pid_t root_ppid;
742    pid_t last_bg_pid;
743#if ENABLE_HUSH_RANDOM_SUPPORT
744    random_t random_gen;
745#endif
746#if ENABLE_HUSH_JOB
747    int run_list_level;
748    int last_jobid;
749    pid_t saved_tty_pgrp;
750    struct pipe *job_list;
751# define G_saved_tty_pgrp (G.saved_tty_pgrp)
752#else
753# define G_saved_tty_pgrp 0
754#endif
    /* One byte per "set -o" option, indexed by OPT_O_xxx. */
755    char o_opt[NUM_OPT_O];
756#if ENABLE_HUSH_MODE_X
757# define G_x_mode (G.o_opt[OPT_O_XTRACE])
758#else
759# define G_x_mode 0
760#endif
761    smallint flag_SIGINT;
762#if ENABLE_HUSH_LOOPS
763    smallint flag_break_continue;
764#endif
765#if ENABLE_HUSH_FUNCTIONS
766    /* 0: outside of a function (or sourced file)
767     * -1: inside of a function, ok to use return builtin
768     * 1: return is invoked, skip all till end of func
769     */
770    smallint flag_return_in_progress;
771#endif
772    smallint exiting; /* used to prevent EXIT trap recursion */
773    /* These four support $?, $#, and $1 */
774    smalluint last_exitcode;
775    /* are global_argv and global_argv[1..n] malloced? (note: not [0]) */
776    smalluint global_args_malloced;
777    /* how many non-NULL argv's we have. NB: $# + 1 */
778    int global_argc;
779    char **global_argv;
780#if !BB_MMU
781    char *argv0_for_re_execing;
782#endif
783#if ENABLE_HUSH_LOOPS
784    unsigned depth_break_continue;
785    unsigned depth_of_loop;
786#endif
787    const char *ifs;
788    const char *cwd;
789    struct variable *top_var;
790    char **expanded_assignments;
791#if ENABLE_HUSH_FUNCTIONS
792    struct function *top_func;
793# if ENABLE_HUSH_LOCAL
794    struct variable **shadowed_vars_pp;
795    unsigned func_nest_level;
796# endif
797#endif
798    /* Signal and trap handling */
799#if ENABLE_HUSH_FAST
800    unsigned count_SIGCHLD;
801    unsigned handled_SIGCHLD;
802    smallint we_have_children;
803#endif
804    /* Which signals have non-DFL handler (even with no traps set)?
805     * Set at the start to:
806     * (SIGQUIT + maybe SPECIAL_INTERACTIVE_SIGS + maybe SPECIAL_JOBSTOP_SIGS)
807     * SPECIAL_INTERACTIVE_SIGS are cleared after fork.
808     * The rest is cleared right before execv syscalls.
809     * Other than these two times, never modified.
810     */
    /* NOTE(review): if this is a one-bit-per-signal mask, an unsigned can
     * only describe signal numbers below its bit width; confirm that only
     * such signals are ever placed in it (same for fatal_sig_mask). */
811    unsigned special_sig_mask;
812#if ENABLE_HUSH_JOB
813    unsigned fatal_sig_mask;
814# define G_fatal_sig_mask G.fatal_sig_mask
815#else
816# define G_fatal_sig_mask 0
817#endif
    /* A pointer, not an array: NOTE(review) it is allocated elsewhere, and
     * per the comment any index must stay below NSIG. */
818    char **traps; /* char *traps[NSIG] */
819    sigset_t pending_set;
820#if HUSH_DEBUG
821    unsigned long memleak_value;
822    int debug_indent;
823#endif
824    struct sigaction sa;
    /* CONFIG_FEATURE_EDITING_MAX_LEN bytes with line editing, otherwise
     * only 2. NOTE(review): the code that fills this buffer is outside this
     * part of the file; it has to bound every write by
     * sizeof(G.user_input_buf), not by a fixed number. */
825    char user_input_buf[ENABLE_FEATURE_EDITING ? CONFIG_FEATURE_EDITING_MAX_LEN : 2];
826};
/* ptr_to_globals is dereferenced without a check: G is valid only after
 * INIT_G() has run. */
827#define G (*ptr_to_globals)
828/* Not #defining name to G.name - this quickly gets unwieldy
829 * (too many defines). Also, I actually prefer to see when a variable
830 * is global, thus "G." prefix is a useful hint */
/* Allocates the globals with xzalloc(), which returns zero-filled memory
 * (hence the commented-out memset of G.sa), then presets G.sa with a full
 * sa_mask and SA_RESTART.
 * NOTE(review): presumably G.sa is the template passed to sigaction() when
 * handlers are installed; with a full sa_mask all other signals stay
 * blocked while such a handler runs - confirm at the call sites. */
831#define INIT_G() do { \
832    SET_PTR_TO_GLOBALS(xzalloc(sizeof(G))); \
833    /* memset(&G.sa, 0, sizeof(G.sa)); */  \
834    sigfillset(&G.sa.sa_mask); \
835    G.sa.sa_flags = SA_RESTART; \
836} while (0)
837
838
839/* Function prototypes for builtins */
/* Every builtin has the same shape, int f(char **argv) FAST_FUNC, which is
 * the type of the b_function pointer in struct built_in_command.
 * Each #if guard here has to match the guard around the corresponding
 * BLTIN() row in the builtin tables. builtin_memleak is compiled in
 * whenever HUSH_DEBUG is nonzero, which the build knobs at the top of this
 * file set even for released versions. */
840static int builtin_cd(char **argv) FAST_FUNC;
841static int builtin_echo(char **argv) FAST_FUNC;
842static int builtin_eval(char **argv) FAST_FUNC;
843static int builtin_exec(char **argv) FAST_FUNC;
844static int builtin_exit(char **argv) FAST_FUNC;
845static int builtin_export(char **argv) FAST_FUNC;
846#if ENABLE_HUSH_JOB
847static int builtin_fg_bg(char **argv) FAST_FUNC;
848static int builtin_jobs(char **argv) FAST_FUNC;
849#endif
850#if ENABLE_HUSH_HELP
851static int builtin_help(char **argv) FAST_FUNC;
852#endif
853#if ENABLE_HUSH_LOCAL
854static int builtin_local(char **argv) FAST_FUNC;
855#endif
856#if HUSH_DEBUG
857static int builtin_memleak(char **argv) FAST_FUNC;
858#endif
859#if ENABLE_PRINTF
860static int builtin_printf(char **argv) FAST_FUNC;
861#endif
862static int builtin_pwd(char **argv) FAST_FUNC;
863static int builtin_read(char **argv) FAST_FUNC;
864static int builtin_set(char **argv) FAST_FUNC;
865static int builtin_shift(char **argv) FAST_FUNC;
866static int builtin_source(char **argv) FAST_FUNC;
867static int builtin_test(char **argv) FAST_FUNC;
868static int builtin_trap(char **argv) FAST_FUNC;
869static int builtin_type(char **argv) FAST_FUNC;
870static int builtin_true(char **argv) FAST_FUNC;
871static int builtin_umask(char **argv) FAST_FUNC;
872static int builtin_unset(char **argv) FAST_FUNC;
873static int builtin_wait(char **argv) FAST_FUNC;
874#if ENABLE_HUSH_LOOPS
875static int builtin_break(char **argv) FAST_FUNC;
876static int builtin_continue(char **argv) FAST_FUNC;
877#endif
878#if ENABLE_HUSH_FUNCTIONS
879static int builtin_return(char **argv) FAST_FUNC;
880#endif
881
/* One entry of the built-in command tables below.
 * A builtin may run forked or unforked, depending on context: inside a
 * pipe it is forked, as a simple command it is not.  Unforked, it can
 * change global variables of the parent shell process; forked, of
 * course, it cannot.  For example, 'unset foo | whatever' will parse
 * and run, but foo will still be set at the end. */
struct built_in_command {
    const char *b_cmd;                        /* command word, e.g. "cd" */
    int (*b_function)(char **argv) FAST_FUNC; /* implementation */
#if ENABLE_HUSH_HELP
    const char *b_descr;                      /* help text; some entries pass NULL */
# define BLTIN(cmd, func, help) { cmd, func, help }
#else
    /* Without help support the third BLTIN() argument is discarded */
# define BLTIN(cmd, func, help) { cmd, func }
#endif
};
898
/* First builtin table.  Optional commands appear only when their
 * configuration switch is enabled.  Note that "." and "source" share
 * builtin_source, and "bg" and "fg" share builtin_fg_bg. */
static const struct built_in_command bltins1[] = {
    BLTIN("."        , builtin_source  , "Run commands in a file"),
    BLTIN(":"        , builtin_true    , NULL),
#if ENABLE_HUSH_JOB
    BLTIN("bg"       , builtin_fg_bg   , "Resume a job in the background"),
#endif
#if ENABLE_HUSH_LOOPS
    BLTIN("break"    , builtin_break   , "Exit from a loop"),
#endif
    BLTIN("cd"       , builtin_cd      , "Change directory"),
#if ENABLE_HUSH_LOOPS
    BLTIN("continue" , builtin_continue, "Start new loop iteration"),
#endif
    BLTIN("eval"     , builtin_eval    , "Construct and run shell command"),
    BLTIN("exec"     , builtin_exec    , "Execute command, don't return to shell"),
    BLTIN("exit"     , builtin_exit    , "Exit"),
    BLTIN("export"   , builtin_export  , "Set environment variables"),
#if ENABLE_HUSH_JOB
    BLTIN("fg"       , builtin_fg_bg   , "Bring job into the foreground"),
#endif
#if ENABLE_HUSH_HELP
    BLTIN("help"     , builtin_help    , NULL),
#endif
#if ENABLE_HUSH_JOB
    BLTIN("jobs"     , builtin_jobs    , "List jobs"),
#endif
#if ENABLE_HUSH_LOCAL
    BLTIN("local"    , builtin_local   , "Set local variables"),
#endif
#if HUSH_DEBUG
    BLTIN("memleak"  , builtin_memleak , NULL),
#endif
    BLTIN("read"     , builtin_read    , "Input into variable"),
#if ENABLE_HUSH_FUNCTIONS
    BLTIN("return"   , builtin_return  , "Return from a function"),
#endif
    BLTIN("set"      , builtin_set     , "Set/unset positional parameters"),
    BLTIN("shift"    , builtin_shift   , "Shift positional parameters"),
#if ENABLE_HUSH_BASH_COMPAT
    BLTIN("source"   , builtin_source  , "Run commands in a file"),
#endif
    BLTIN("trap"     , builtin_trap    , "Trap signals"),
    BLTIN("type"     , builtin_type    , "Show command type"),
    BLTIN("ulimit"   , shell_builtin_ulimit  , "Control resource limits"),
    BLTIN("umask"    , builtin_umask   , "Set file creation mask"),
    BLTIN("unset"    , builtin_unset   , "Unset variables"),
    BLTIN("wait"     , builtin_wait    , "Wait for process"),
};
/* Second builtin table.  For now "echo" and "test" (with its "[" alias)
 * are enabled unconditionally; this might become configurable.
 * Only "printf" depends on a configuration switch here. */
static const struct built_in_command bltins2[] = {
    BLTIN("["        , builtin_test    , NULL),
    BLTIN("echo"     , builtin_echo    , NULL),
#if ENABLE_PRINTF
    BLTIN("printf"   , builtin_printf  , NULL),
#endif
    BLTIN("pwd"      , builtin_pwd     , NULL),
    BLTIN("test"     , builtin_test    , NULL),
};
958
959
/* Debug printouts.
 * Each debug_printf_xxx() family that is not already defined when this
 * point is reached gets a definition that prints the current indentation
 * and then the message to fd 2.  The DEBUG_xxx constants record whether
 * the fallback definition was installed here (1) or not (0).
 * The first macro argument is used as the fdprintf() format string.
 */
#if HUSH_DEBUG
/* "& 0xff" keeps the field width in 0..255, which prevents disasters
 * if G.debug_indent ever goes negative */
# define indent() fdprintf(2, "%*s", (G.debug_indent * 2) & 0xff, "")
# define debug_enter() (G.debug_indent++)
# define debug_leave() (G.debug_indent--)
#else
# define indent()      ((void)0)
# define debug_enter() ((void)0)
# define debug_leave() ((void)0)
#endif

#ifndef debug_printf
# define debug_printf(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_parse
# define debug_printf_parse(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_exec
# define debug_printf_exec(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_env
# define debug_printf_env(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_jobs
# define debug_printf_jobs(...) (indent(), fdprintf(2, __VA_ARGS__))
# define DEBUG_JOBS 1
#else
# define DEBUG_JOBS 0
#endif

#ifndef debug_printf_expand
# define debug_printf_expand(...) (indent(), fdprintf(2, __VA_ARGS__))
# define DEBUG_EXPAND 1
#else
# define DEBUG_EXPAND 0
#endif

#ifndef debug_printf_varexp
# define debug_printf_varexp(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_glob
# define debug_printf_glob(...) (indent(), fdprintf(2, __VA_ARGS__))
# define DEBUG_GLOB 1
#else
# define DEBUG_GLOB 0
#endif

#ifndef debug_printf_list
# define debug_printf_list(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_subst
# define debug_printf_subst(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_clean
# define debug_printf_clean(...) (indent(), fdprintf(2, __VA_ARGS__))
# define DEBUG_CLEAN 1
#else
# define DEBUG_CLEAN 0
#endif
1028
#if DEBUG_EXPAND
/* Dump a NULL-terminated string vector to fd 2: first an indented
 * "prefix:" line, then each element in single quotes on its own line.
 * vv itself must not be NULL. */
static void debug_print_strings(const char *prefix, char **vv)
{
    char **cur;

    indent();
    fdprintf(2, "%s:\n", prefix);
    for (cur = vv; *cur; cur++)
        fdprintf(2, " '%s'\n", *cur);
}
#else
# define debug_print_strings(prefix, vv) ((void)0)
#endif
1040
1041
/* Leak hunting. Use hush_leaktool.sh for post-processing.
 * With LEAK_HUNTING set, xmalloc/xrealloc/xstrdup/free used after this
 * point are routed through wrappers that log the pointer (and, for the
 * allocating calls, the source line of the call site) to fd 2.
 */
#if LEAK_HUNTING
/* Allocation sizes are rounded up to a multiple of 0x100.
 * NOTE(review): "size + 0xff" wraps for sizes within 0xff of the
 * size_t maximum; debug-only code, but worth confirming no caller
 * passes such a size. */
static void *xxmalloc(int lineno, size_t size)
{
    void *blk = xmalloc((size + 0xff) & ~0xff);

    fdprintf(2, "line %d: malloc %p\n", lineno, blk);
    return blk;
}
static void *xxrealloc(int lineno, void *ptr, size_t size)
{
    void *blk = xrealloc(ptr, (size + 0xff) & ~0xff);

    fdprintf(2, "line %d: realloc %p\n", lineno, blk);
    return blk;
}
static char *xxstrdup(int lineno, const char *str)
{
    char *copy = xstrdup(str);

    fdprintf(2, "line %d: strdup %p\n", lineno, copy);
    return copy;
}
static void xxfree(void *ptr)
{
    /* Log first: the pointer value is only printed, not dereferenced */
    fdprintf(2, "free %p\n", ptr);
    free(ptr);
}
/* From here on the plain names expand to the logging wrappers */
# define xmalloc(s)     xxmalloc(__LINE__, s)
# define xrealloc(p, s) xxrealloc(__LINE__, p, s)
# define xstrdup(s)     xxstrdup(__LINE__, s)
# define free(p)        xxfree(p)
#endif
1073
1074
/* Syntax and runtime errors. They always abort scripts.
 * In interactive use they usually discard unparsed and/or unexecuted commands
 * and return to the prompt.
 * HUSH_DEBUG >= 2 prints line number in this file where it was detected.
 *
 * How the macros work: with HUSH_DEBUG < 2 the temporary macros below
 * strip the leading "lineno" parameter from the definitions (and from
 * the calls between them), so the functions are compiled without it.
 * With HUSH_DEBUG >= 2 the functions keep "lineno", and the macros
 * defined after them insert __LINE__ at every call site.
 */
#if HUSH_DEBUG < 2
# define die_if_script(lineno, ...)             die_if_script(__VA_ARGS__)
# define syntax_error(lineno, msg)              syntax_error(msg)
# define syntax_error_at(lineno, msg)           syntax_error_at(msg)
# define syntax_error_unterm_ch(lineno, ch)     syntax_error_unterm_ch(ch)
# define syntax_error_unterm_str(lineno, s)     syntax_error_unterm_str(s)
# define syntax_error_unexpected_ch(lineno, ch) syntax_error_unexpected_ch(ch)
#endif

/* Print a printf-style error message; if the shell is not interactive
 * (G_interactive_fd is zero), terminate via xfunc_die().
 * fmt is handed to bb_verror_msg() as the format string, so callers
 * must pass a fixed format and put variable text into the arguments. */
static void die_if_script(unsigned lineno, const char *fmt, ...)
{
    va_list args;

#if HUSH_DEBUG >= 2
    bb_error_msg("hush.c:%u", lineno);
#endif
    va_start(args, fmt);
    bb_verror_msg(fmt, args, NULL);
    va_end(args);
    if (G_interactive_fd)
        return;
    xfunc_die();
}

/* Report a syntax error; msg may be NULL for the bare message. */
static void syntax_error(unsigned lineno UNUSED_PARAM, const char *msg)
{
    if (!msg) {
        bb_error_msg("syntax error");
        return;
    }
    bb_error_msg("syntax error: %s", msg);
}

/* Report a syntax error located at the text msg. */
static void syntax_error_at(unsigned lineno UNUSED_PARAM, const char *msg)
{
    bb_error_msg("syntax error at '%s'", msg);
}

/* Report an unterminated construct named by the string s. */
static void syntax_error_unterm_str(unsigned lineno UNUSED_PARAM, const char *s)
{
    bb_error_msg("syntax error: unterminated %s", s);
}

/* Same as above for a single character: ch is turned into a
 * one-character string first. */
static void syntax_error_unterm_ch(unsigned lineno, char ch)
{
    char msg[2];

    msg[0] = ch;
    msg[1] = '\0';
    syntax_error_unterm_str(lineno, msg);
}

/* Report an unexpected character; EOF is printed as the word "EOF". */
static void syntax_error_unexpected_ch(unsigned lineno UNUSED_PARAM, int ch)
{
    char msg[2];
    const char *what;

    msg[0] = ch;
    msg[1] = '\0';
    what = (ch == EOF) ? "EOF" : msg;
    bb_error_msg("syntax error: unexpected %s", what);
}

#if HUSH_DEBUG < 2
# undef die_if_script
# undef syntax_error
# undef syntax_error_at
# undef syntax_error_unterm_ch
# undef syntax_error_unterm_str
# undef syntax_error_unexpected_ch
#else
# define die_if_script(...)             die_if_script(__LINE__, __VA_ARGS__)
# define syntax_error(msg)              syntax_error(__LINE__, msg)
# define syntax_error_at(msg)           syntax_error_at(__LINE__, msg)
# define syntax_error_unterm_ch(ch)     syntax_error_unterm_ch(__LINE__, ch)
# define syntax_error_unterm_str(s)     syntax_error_unterm_str(__LINE__, s)
# define syntax_error_unexpected_ch(ch) syntax_error_unexpected_ch(__LINE__, ch)
#endif
1150
1151
/* Prompt refresh hook: declared here for interactive builds (the
 * definition is further down the file), a no-op expression otherwise. */
#if ENABLE_HUSH_INTERACTIVE
static void cmdedit_update_prompt(void);
#else
# define cmdedit_update_prompt() ((void)0)
#endif
1157
1158
1159/* Utility functions
1160 */
/* Remove backslash escapes in place: every "\x" pair becomes "x".
 * A lone backslash at the very end of the string is dropped.
 * The result is never longer than the input, so no extra space is needed.
 * Returns a pointer just past the terminating NUL of the result. */
static char *unbackslash(char *src)
{
    char *out;

    /* Nothing has to move before the first backslash: skip ahead to it
     * (or to the terminating NUL if there is none) */
    while (*src != '\0' && *src != '\\')
        src++;
    out = src;

    for (;;) {
        char c;

        if (*src == '\\')
            src++;
        c = *src++;
        *out++ = c;
        if (c == '\0')
            return out;
    }
}
1173
/* Append the NULL-terminated vector "add" to the NULL-terminated vector
 * "strings" (which may be NULL, meaning empty) and return the grown
 * vector.  "strings" is passed to xrealloc(), so the caller must use the
 * returned pointer from then on.  "add" must not be NULL.
 * need_to_dup != 0: each added element is an xstrdup() copy;
 * need_to_dup == 0: the pointers of "add" are stored as they are. */
static char **add_strings_to_strings(char **strings, char **add, int need_to_dup)
{
    unsigned old_cnt = 0;
    unsigned add_cnt = 0;
    unsigned n;
    char **vec;

    if (strings) {
        while (strings[old_cnt])
            old_cnt++;
    }
    while (add[add_cnt])
        add_cnt++;

    vec = xrealloc(strings, (old_cnt + add_cnt + 1) * sizeof(char*));
    vec[old_cnt + add_cnt] = NULL;
    /* Fill the new slots from the last one down to the first */
    for (n = add_cnt; n-- > 0; )
        vec[old_cnt + n] = (need_to_dup ? xstrdup(add[n]) : add[n]);
    return vec;
}
#if LEAK_HUNTING
/* Leak-hunting wrapper: logs the returned vector with the call site line */
static char **xx_add_strings_to_strings(int lineno, char **strings, char **add, int need_to_dup)
{
    char **vec = add_strings_to_strings(strings, add, need_to_dup);

    fdprintf(2, "line %d: add_strings_to_strings %p\n", lineno, vec);
    return vec;
}
#define add_strings_to_strings(strings, add, need_to_dup) \
    xx_add_strings_to_strings(__LINE__, strings, add, need_to_dup)
#endif
1212
/* Append a single string to the NULL-terminated vector "strings" and
 * return the grown vector.
 * Note: takes ownership of "add" ptr (it is not strdup'ed) */
static char **add_string_to_strings(char **strings, char *add)
{
    char *one[2] = { add, NULL };

    return add_strings_to_strings(strings, one, /*dup:*/ 0);
}
#if LEAK_HUNTING
/* Leak-hunting wrapper: logs the returned vector with the call site line */
static char **xx_add_string_to_strings(int lineno, char **strings, char *add)
{
    char **vec = add_string_to_strings(strings, add);

    fdprintf(2, "line %d: add_string_to_strings %p\n", lineno, vec);
    return vec;
}
#define add_string_to_strings(strings, add) \
    xx_add_string_to_strings(__LINE__, strings, add)
#endif
1231
/* Free a NULL-terminated vector of strings: every element, then the
 * vector itself.  A NULL vector is accepted and ignored.
 * The caller's pointer is left dangling and must not be used again. */
static void free_strings(char **strings)
{
    char **cur;

    if (strings == NULL)
        return;
    for (cur = strings; *cur != NULL; cur++)
        free(*cur);
    free(strings);
}
1245
1246
/* Helpers for setting new $n and restoring them back.
 * save_arg_t holds what save_and_replace_G_args() overwrites so that
 * restore_G_args() can put it back.
 */
typedef struct save_arg_t {
    char *sv_argv0;         /* original argv[0] of the replacement vector */
    char **sv_g_argv;       /* saved G.global_argv */
    int sv_g_argc;          /* saved G.global_argc */
    smallint sv_g_malloced; /* saved G.global_args_malloced */
} save_arg_t;
1255
/* Make argv the shell's positional parameter vector, saving the previous
 * state in *sv.  argv[0] is overwritten with the current $0 (its old
 * value is kept in sv->sv_argv0).  argv must hold at least argv[0] and
 * be NULL-terminated. */
static void save_and_replace_G_args(save_arg_t *sv, char **argv)
{
    int argc;

    /* Remember everything restore_G_args() has to put back */
    sv->sv_argv0 = argv[0];
    sv->sv_g_argv = G.global_argv;
    sv->sv_g_argc = G.global_argc;
    sv->sv_g_malloced = G.global_args_malloced;

    argv[0] = G.global_argv[0]; /* retain $0 */
    G.global_argv = argv;
    /* Flag cleared: restore_G_args() frees the vector only if the flag
     * has been set again in the meantime */
    G.global_args_malloced = 0;

    /* Count $0 plus every following non-NULL entry */
    for (argc = 1; argv[argc] != NULL; argc++)
        continue;
    G.global_argc = argc;
}
1274
/* Undo save_and_replace_G_args(): restore argv[0] and the saved
 * positional parameter state from *sv.  If the current vector was
 * replaced by a malloced one in the meantime, that one is freed first. */
static void restore_G_args(save_arg_t *sv, char **argv)
{
    if (G.global_args_malloced) {
        /* someone ran "set -- arg1 arg2 ...", undo */
        char **arg;

        /* start at element 1: $0 is not freed here */
        for (arg = G.global_argv + 1; *arg; arg++)
            free(*arg);
        free(G.global_argv);
    }
    argv[0] = sv->sv_argv0;
    G.global_argv = sv->sv_g_argv;
    G.global_argc = sv->sv_g_argc;
    G.global_args_malloced = sv->sv_g_malloced;
}
1291
1292
1293/* Basic theory of signal handling in shell
1294 * ========================================
1295 * This does not describe what hush does, rather, it is current understanding
1296 * what it _should_ do. If it doesn't, it's a bug.
1297 * http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#trap
1298 *
1299 * Signals are handled only after each pipe ("cmd | cmd | cmd" thing)
1300 * is finished or backgrounded. It is the same in interactive and
1301 * non-interactive shells, and is the same regardless of whether
1302 * a user trap handler is installed or a shell special one is in effect.
1303 * ^C or ^Z from keyboard seems to execute "at once" because it usually
1304 * backgrounds (i.e. stops) or kills all members of currently running
1305 * pipe.
1306 *
1307 * Wait builtin is interruptible by signals for which user trap is set
1308 * or by SIGINT in interactive shell.
1309 *
1310 * Trap handlers will execute even within trap handlers. (right?)
1311 *
1312 * User trap handlers are forgotten when subshell ("(cmd)") is entered,
1313 * except for handlers set to '' (empty string).
1314 *
1315 * If job control is off, backgrounded commands ("cmd &")
1316 * have SIGINT, SIGQUIT set to SIG_IGN.
1317 *
1318 * Commands which are run in command substitution ("`cmd`")
1319 * have SIGTTIN, SIGTTOU, SIGTSTP set to SIG_IGN.
1320 *
1321 * Ordinary commands have signals set to SIG_IGN/DFL as inherited
1322 * by the shell from its parent.
1323 *
1324 * Signals which differ from SIG_DFL action
1325 * (note: child (i.e., [v]forked) shell is not an interactive shell):
1326 *
1327 * SIGQUIT: ignore
1328 * SIGTERM (interactive): ignore
1329 * SIGHUP (interactive):
1330 *    send SIGCONT to stopped jobs, send SIGHUP to all jobs and exit
1331 * SIGTTIN, SIGTTOU, SIGTSTP (if job control is on): ignore
1332 *    Note that ^Z is handled not by trapping SIGTSTP, but by seeing
1333 *    that all pipe members are stopped. Try this in bash:
1334 *    while :; do :; done - ^Z does not background it
1335 *    (while :; do :; done) - ^Z backgrounds it
1336 * SIGINT (interactive): wait for last pipe, ignore the rest
1337 *    of the command line, show prompt. NB: ^C does not send SIGINT
1338 *    to interactive shell while shell is waiting for a pipe,
1339 *    since shell is bg'ed (is not in foreground process group).
1340 *    Example 1: this waits 5 sec, but does not execute ls:
1341 *    "echo $$; sleep 5; ls -l" + "kill -INT <pid>"
1342 *    Example 2: this does not wait and does not execute ls:
1343 *    "echo $$; sleep 5 & wait; ls -l" + "kill -INT <pid>"
1344 *    Example 3: this does not wait 5 sec, but executes ls:
1345 *    "sleep 5; ls -l" + press ^C
1346 *    Example 4: this does not wait and does not execute ls:
1347 *    "sleep 5 & wait; ls -l" + press ^C
1348 *
1349 * (What happens to signals which are IGN on shell start?)
1350 * (What happens with signal mask on shell start?)
1351 *
1352 * Old implementation
1353 * ==================
1354 * We use in-kernel pending signal mask to determine which signals were sent.
1355 * We block all signals which we don't want to take action immediately,
1356 * i.e. we block all signals which need to have special handling as described
1357 * above, and all signals which have traps set.
1358 * After each pipe execution, we extract any pending signals via sigtimedwait()
1359 * and act on them.
1360 *
1361 * unsigned special_sig_mask: a mask of such "special" signals
1362 * sigset_t blocked_set:  current blocked signal set
1363 *
1364 * "trap - SIGxxx":
1365 *    clear bit in blocked_set unless it is also in special_sig_mask
1366 * "trap 'cmd' SIGxxx":
1367 *    set bit in blocked_set (even if 'cmd' is '')
1368 * after [v]fork, if we plan to be a shell:
1369 *    unblock signals with special interactive handling
1370 *    (child shell is not interactive),
1371 *    unset all traps except '' (note: regardless of child shell's type - {}, (), etc)
1372 * after [v]fork, if we plan to exec:
1373 *    POSIX says fork clears pending signal mask in child - no need to clear it.
1374 *    Restore blocked signal set to one inherited by shell just prior to exec.
1375 *
1376 * Note: as a result, we do not use signal handlers much. The only uses
1377 * are to count SIGCHLDs
1378 * and to restore tty pgrp on signal-induced exit.
1379 *
1380 * Note 2 (compat):
1381 * Standard says "When a subshell is entered, traps that are not being ignored
1382 * are set to the default actions". bash interprets it so that traps which
1383 * are set to '' (ignore) are NOT reset to defaults. We do the same.
1384 *
1385 * Problem: the above approach makes it unwieldy to catch signals while
1386 * we are in read builtin, or while we read commands from stdin:
1387 * masked signals are not visible!
1388 *
1389 * New implementation
1390 * ==================
1391 * We record each signal we are interested in by installing signal handler
1392 * for them - a bit like emulating kernel pending signal mask in userspace.
1393 * We are interested in: signals which need to have special handling
1394 * as described above, and all signals which have traps set.
1395 * Signals are recorded in pending_set.
1396 * After each pipe execution, we extract any pending signals
1397 * and act on them.
1398 *
1399 * unsigned special_sig_mask: a mask of shell-special signals.
1400 * unsigned fatal_sig_mask: a mask of signals on which we restore tty pgrp.
1401 * char *traps[sig] if trap for sig is set (even if it's '').
1402 * sigset_t pending_set: set of sigs we received.
1403 *
1404 * "trap - SIGxxx":
1405 *    if sig is in special_sig_mask, set handler back to:
1406 *        record_pending_signo, or to IGN if it's a tty stop signal
1407 *    if sig is in fatal_sig_mask, set handler back to sigexit.
1408 *    else: set handler back to SIG_DFL
1409 * "trap 'cmd' SIGxxx":
1410 *    set handler to record_pending_signo.
1411 * "trap '' SIGxxx":
1412 *    set handler to SIG_IGN.
1413 * after [v]fork, if we plan to be a shell:
1414 *    set signals with special interactive handling to SIG_DFL
1415 *    (because child shell is not interactive),
1416 *    unset all traps except '' (note: regardless of child shell's type - {}, (), etc)
1417 * after [v]fork, if we plan to exec:
1418 *    POSIX says fork clears pending signal mask in child - no need to clear it.
1419 *
1420 * To make wait builtin interruptible, we handle SIGCHLD as special signal,
1421 * otherwise (if we leave it SIG_DFL) sigsuspend in wait builtin will not wake up on it.
1422 *
1423 * Note (compat):
1424 * Standard says "When a subshell is entered, traps that are not being ignored
1425 * are set to the default actions". bash interprets it so that traps which
1426 * are set to '' (ignore) are NOT reset to defaults. We do the same.
1427 */
/* Bit masks of signals with shell-special handling; bit N stands for
 * signal number N.  The job-stop mask is empty without ENABLE_HUSH_JOB. */
enum {
    SPECIAL_INTERACTIVE_SIGS = 0
        | (1 << SIGTERM)
        | (1 << SIGINT)
        | (1 << SIGHUP)
        ,
    SPECIAL_JOBSTOP_SIGS = 0
#if ENABLE_HUSH_JOB
        | (1 << SIGTTIN)
        | (1 << SIGTTOU)
        | (1 << SIGTSTP)
#endif
        ,
};
1442
/* Signal handler: records that "sig" arrived by adding it to
 * G.pending_set; check_and_run_traps() later takes signals out of that
 * set and acts on them.  With ENABLE_HUSH_FAST, SIGCHLD arrivals are
 * also counted.
 * NOTE(review): the set and the counter are updated from handler
 * context while the main flow reads and modifies them too; handlers
 * installed via install_sighandler() run with all signals masked, but
 * the main flow is not protected the same way - confirm this is
 * acceptable. */
static void record_pending_signo(int sig)
{
    sigaddset(&G.pending_set, sig);
#if ENABLE_HUSH_FAST
    if (sig != SIGCHLD)
        return;
    G.count_SIGCHLD++;
//bb_error_msg("[%d] SIGCHLD_handler: G.count_SIGCHLD:%d G.handled_SIGCHLD:%d", getpid(), G.count_SIGCHLD, G.handled_SIGCHLD);
#endif
}
1453
/* Install "handler" for signal "sig" using the shared template G.sa and
 * return the handler that was in effect before.
 * NOTE(review): the sigaction() result is not checked.  If the call
 * fails (e.g. an invalid signal number), the previous-action struct is
 * never filled in and the returned handler is indeterminate - confirm
 * that callers only pass valid signal numbers. */
static sighandler_t install_sighandler(int sig, sighandler_t handler)
{
    struct sigaction prev;

    /* We could use signal() to install handlers... almost:
     * except that we need to mask ALL signals while handlers run.
     * I saw signal nesting in strace, race window isn't small.
     * SA_RESTART is also needed, but in Linux, signal()
     * sets SA_RESTART too.
     */
    /* G.sa was zeroed and got its full sa_mask and SA_RESTART in
     * INIT_G(); only the handler field changes per call */
    G.sa.sa_handler = handler;
    sigaction(sig, &G.sa, &prev);
    return prev.sa_handler;
}
1471
#if ENABLE_HUSH_JOB

/* After [v]fork, in child: do not restore tty pgrp on xfunc death */
# define disable_restore_tty_pgrp_on_exit() (die_sleep = 0)
/* After [v]fork, in parent: restore tty pgrp on xfunc death */
# define enable_restore_tty_pgrp_on_exit()  (die_sleep = -1)

/* Restores tty foreground process group, and exits.
 * sig > 0: used as a signal handler for a fatal signal; the signal is
 *          re-sent to ourselves so the exit state is the correct one.
 * sig <= 0: called directly with -EXITCODE; the process ends with
 *          _exit(EXITCODE).
 * We also call it if xfunc is exiting. */
static void sigexit(int sig) NORETURN;
static void sigexit(int sig)
{
    /* Careful: we can end up here after [v]fork. Do not restore
     * tty pgrp then, only top-level shell process does that */
    if (G_saved_tty_pgrp) {
        if (getpid() == G.root_pid) {
            /* Disable all signals: job control, SIGPIPE, etc.
             * Mostly paranoid measure, to prevent infinite SIGTTOU.
             */
            sigprocmask_allsigs(SIG_BLOCK);
            tcsetpgrp(G_interactive_fd, G_saved_tty_pgrp);
        }
    }

    if (sig > 0)
        kill_myself_with_sig(sig); /* does not return */

    /* Not a signal, just exit */
    _exit(- sig);
}
#else

# define disable_restore_tty_pgrp_on_exit() ((void)0)
# define enable_restore_tty_pgrp_on_exit()  ((void)0)

#endif
1509
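/* Choose the handler the shell itself wants for signal "sig" when no
 * user trap applies:
 *  - sigexit for signals in G_fatal_sig_mask (job control builds only),
 *  - otherwise, for signals in G.special_sig_mask: SIG_IGN for the tty
 *    stop signals, record_pending_signo for the rest,
 *  - SIG_DFL for everything else, including signal numbers too large
 *    to be represented in the unsigned masks. */
static sighandler_t pick_sighandler(unsigned sig)
{
    sighandler_t handler = SIG_DFL;

    if (sig < sizeof(unsigned)*8) {
        /* The bound above admits sig == 31 with a 32-bit unsigned;
         * shifting a signed 1 that far is undefined behaviour,
         * so the mask is built from an unsigned 1 */
        unsigned sigmask = (1u << sig);

#if ENABLE_HUSH_JOB
        /* is sig fatal? */
        if (G_fatal_sig_mask & sigmask)
            handler = sigexit;
        else
#endif
        /* sig has special handling? */
        if (G.special_sig_mask & sigmask) {
            handler = record_pending_signo;
            /* TTIN/TTOU/TSTP can't be set to record_pending_signo
             * in order to ignore them: they will be raised
             * in an endless loop when we try to do some
             * terminal ioctls! We do have to _ignore_ these.
             */
            if (SPECIAL_JOBSTOP_SIGS & sigmask)
                handler = SIG_IGN;
        }
    }
    return handler;
}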
1536
/* Terminate the shell with "exitcode".
 * Order of events: optionally save line-editing history, flush output,
 * run the EXIT trap (G.traps[0]) once if one is set and non-empty,
 * optionally free shell variables, then exit.  In job control builds the
 * exit goes through sigexit(), which restores the tty foreground
 * process group; only the low 8 bits of exitcode are passed on there.
 * Note that the EXIT trap text is executed as shell code via
 * builtin_eval(). */
static void hush_exit(int exitcode) NORETURN;
static void hush_exit(int exitcode)
{
#if ENABLE_FEATURE_EDITING_SAVE_ON_EXIT
    save_history(G.line_input_state);
#endif

    fflush_all();
    if (G.exiting <= 0 && G.traps && G.traps[0] && G.traps[0][0]) {
        char *trap_argv[3];

        /* trap_argv[0] is unused */
        trap_argv[1] = G.traps[0];
        trap_argv[2] = NULL;
        G.exiting = 1; /* prevent EXIT trap recursion */
        /* Note: G.traps[0] is not cleared!
         * "trap" will still show it, if executed
         * in the handler */
        builtin_eval(trap_argv);
    }

#if ENABLE_FEATURE_CLEAN_UP
    {
        struct variable *var;

        /* bb_msg_unknown is the placeholder get_cwd() stores when the
         * directory is unknown; it must not be passed to free() */
        if (G.cwd != bb_msg_unknown)
            free((char*)G.cwd);
        var = G.top_var;
        while (var) {
            struct variable *next = var->next;

            /* max_len == 0 signifies a malloced varstr */
            if (!var->max_len)
                free(var->varstr);
            free(var);
            var = next;
        }
    }
#endif

#if ENABLE_HUSH_JOB
    fflush_all();
    sigexit(- (exitcode & 0xff));
#else
    exit(exitcode);
#endif
}
1581
1582
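//TODO: return a mask of ALL handled sigs?
/* Drain G.pending_set: take recorded signals out one at a time, lowest
 * number first, and act on each.
 *  - A user trap with non-empty text is run through builtin_eval();
 *    G.last_exitcode is preserved around it.  An empty ('') trap means
 *    the signal is ignored.
 *  - Without a trap, the shell's own action applies (see the switch).
 * Returns the number of the last signal that ran a user trap or was an
 * untrapped SIGINT; 0 if there was none.
 * NOTE(review): the set is modified here while record_pending_signo()
 * may add to it from handler context; nothing in this function blocks
 * signals around the test-and-clear - confirm this is acceptable. */
static int check_and_run_traps(void)
{
    int last_sig = 0;

    for (;;) {
        int sig;

        if (sigisemptyset(&G.pending_set))
            break;
        /* Probe the same range as before (1..NSIG), but accept only a
         * positive answer: sigismember() reports an invalid signal
         * number as -1, and a plain truth test would take that for
         * "pending" and go on to use the number as an index into
         * G.traps[] */
        for (sig = 1; sig <= NSIG; sig++) {
            if (sigismember(&G.pending_set, sig) > 0)
                break;
        }
        if (sig > NSIG)
            break;
        sigdelset(&G.pending_set, sig);

        if (G.traps && G.traps[sig]) {
            if (G.traps[sig][0]) {
                /* We have user-defined handler */
                smalluint save_rcode;
                char *argv[3];
                /* argv[0] is unused */
                argv[1] = G.traps[sig];
                argv[2] = NULL;
                save_rcode = G.last_exitcode;
                builtin_eval(argv);
                G.last_exitcode = save_rcode;
                last_sig = sig;
            } /* else: "" trap, ignoring signal */
            continue;
        }
        /* not a trap: special action */
        switch (sig) {
        case SIGINT:
            /* Builtin was ^C'ed, make it look prettier: */
            bb_putchar('\n');
            G.flag_SIGINT = 1;
            last_sig = sig;
            break;
#if ENABLE_HUSH_JOB
        case SIGHUP: {
            struct pipe *job;
            /* bash is observed to signal whole process groups,
             * not individual processes */
            for (job = G.job_list; job; job = job->next) {
                /* a pgrp <= 0 would make kill() address something
                 * other than one job's process group */
                if (job->pgrp <= 0)
                    continue;
                debug_printf_exec("HUPing pgrp %d\n", job->pgrp);
                if (kill(- job->pgrp, SIGHUP) == 0)
                    kill(- job->pgrp, SIGCONT);
            }
            sigexit(SIGHUP); /* declared NORETURN: no fall-through */
        }
#endif
#if ENABLE_HUSH_FAST
        case SIGCHLD:
            G.count_SIGCHLD++;
//bb_error_msg("[%d] check_and_run_traps: G.count_SIGCHLD:%d G.handled_SIGCHLD:%d", getpid(), G.count_SIGCHLD, G.handled_SIGCHLD);
            /* Note:
             * We dont do 'last_sig = sig' here -> NOT returning this sig.
             * This simplifies wait builtin a bit.
             */
            break;
#endif
        default: /* ignored: */
            /* SIGTERM, SIGQUIT, SIGTTIN, SIGTTOU, SIGTSTP */
            /* Note:
             * We dont do 'last_sig = sig' here -> NOT returning this sig.
             * Example: wait is not interrupted by TERM
             * in interactive shell, because TERM is ignored.
             */
            break;
        }
    }
    return last_sig;
}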
1663
1664
/* Return the cached current directory G.cwd, (re)reading it when
 * "force" is non-zero or nothing is cached yet.  If the directory
 * cannot be determined, the constant bb_msg_unknown is cached and
 * returned instead.  The result belongs to G; callers must not free it. */
static const char *get_cwd(int force)
{
    if (!force && G.cwd != NULL)
        return G.cwd;

    /* xrealloc_getcwd_or_warn(arg) calls free(arg),
     * we must not try to free(bb_msg_unknown) */
    if (G.cwd == bb_msg_unknown)
        G.cwd = NULL;
    G.cwd = xrealloc_getcwd_or_warn((char *)G.cwd);
    if (G.cwd == NULL)
        G.cwd = bb_msg_unknown;
    return G.cwd;
}
1678
1679
1680/*
1681 * Shell and environment variable support
1682 */
/* Find the shell variable whose name is the first "len" bytes of "name".
 * Variables are stored as "NAME=VAL" strings in the list starting at
 * G.top_var; a match needs the same "len" leading bytes followed by '='.
 * Returns the address of the link that points to the matching entry
 * (so the caller can unlink or replace it), or NULL if there is none. */
static struct variable **get_ptr_to_local_var(const char *name, unsigned len)
{
    struct variable **link;

    for (link = &G.top_var; *link != NULL; link = &(*link)->next) {
        const char *entry = (*link)->varstr;

        if (strncmp(entry, name, len) == 0 && entry[len] == '=')
            return link;
    }
    return NULL;
}
1696
/* Look up the value of shell variable "name".
 * Search order: G.expanded_assignments (if set), then the variable
 * list, then the computed variables PPID and (if enabled) RANDOM.
 * Returns a pointer to the text after '=' inside the stored "NAME=VAL"
 * string, or the utoa() result for the computed variables, or NULL if
 * the variable is not set.  The result must not be freed.
 * NOTE(review): utoa() presumably returns a shared static buffer, in
 * which case a PPID/RANDOM result is only valid until the next utoa()
 * call - confirm against libbb. */
static const char* FAST_FUNC get_local_var_value(const char *name)
{
    unsigned name_len = strlen(name);
    struct variable **found;

    if (G.expanded_assignments) {
        char **asg;

        for (asg = G.expanded_assignments; *asg; asg++) {
            char *entry = *asg;

            if (strncmp(entry, name, name_len) == 0 && entry[name_len] == '=')
                return entry + name_len + 1;
        }
    }

    found = get_ptr_to_local_var(name, name_len);
    if (found)
        return (*found)->varstr + name_len + 1;

    if (strcmp(name, "PPID") == 0)
        return utoa(G.root_ppid);
    // bash compat: UID? EUID?
#if ENABLE_HUSH_RANDOM_SUPPORT
    if (strcmp(name, "RANDOM") == 0)
        return utoa(next_random(&G.random_gen));
#endif
    return NULL;
}
1725
1726/* str holds "NAME=VAL" and is expected to be malloced.
1727 * We take ownership of it.
1728 * flg_export:
1729 *  0: do not change export flag
1730 *     (if creating new variable, flag will be 0)
1731 *  1: set export flag and putenv the variable
1732 * -1: clear export flag and unsetenv the variable
1733 * flg_read_only is set only when we handle -R var=val
1734 */
/* Every call site passes four arguments. Depending on the build
 * configuration, the macros below rewrite both the definition and the
 * calls so that parameters the body never reads are dropped:
 * local_lvl is only read with ENABLE_HUSH_LOCAL, flg_read_only only
 * when !BB_MMU.
 */
#if !BB_MMU && ENABLE_HUSH_LOCAL
/* all params are used */
#elif BB_MMU && ENABLE_HUSH_LOCAL
#define set_local_var(str, flg_export, local_lvl, flg_read_only) \
    set_local_var(str, flg_export, local_lvl)
#elif BB_MMU && !ENABLE_HUSH_LOCAL
#define set_local_var(str, flg_export, local_lvl, flg_read_only) \
    set_local_var(str, flg_export)
#elif !BB_MMU && !ENABLE_HUSH_LOCAL
#define set_local_var(str, flg_export, local_lvl, flg_read_only) \
    set_local_var(str, flg_export, flg_read_only)
#endif
/*
 * Create or replace the shell variable described by str ("NAME=value").
 *
 * str            Heap-allocated string. Ownership passes to this function:
 *                it is either stored in the variable list (and, for
 *                exported variables, handed to putenv) or freed.
 *                The caller must not touch it afterwards.
 * flg_export     1: mark the variable exported. -1: clear the export flag
 *                and remove the name from the environment. Any other value
 *                leaves an existing export flag as it is.
 * local_lvl      Function nesting level of a "local" declaration
 *                (read only with ENABLE_HUSH_LOCAL).
 * flg_read_only  Stored into the variable when !BB_MMU; it also suppresses
 *                the error message when the existing variable is readonly.
 *
 * Returns -1 if str has no '=' or the existing variable is readonly,
 * the result of putenv() when the variable ends up exported, 0 otherwise.
 */
static int set_local_var(char *str, int flg_export, int local_lvl, int flg_read_only)
{
    struct variable **var_pp;
    struct variable *cur;
    char *eq_sign;
    int name_len;

    eq_sign = strchr(str, '=');
    if (!eq_sign) { /* not expected to ever happen? */
        free(str);
        return -1;
    }

    /* Comparing "NAME=" (with the '=') keeps a longer name that merely
     * shares this prefix from matching. */
    name_len = eq_sign - str + 1; /* including '=' */
    var_pp = &G.top_var;
    while ((cur = *var_pp) != NULL) {
        if (strncmp(cur->varstr, str, name_len) != 0) {
            var_pp = &cur->next;
            continue;
        }
        /* We found an existing var with this name */
        if (cur->flg_read_only) {
            /* Readonly variables are never modified; the new string
             * is discarded. */
#if !BB_MMU
            if (!flg_read_only)
#endif
                bb_error_msg("%s: readonly variable", str);
            free(str);
            return -1;
        }
        if (flg_export == -1) { // "&& cur->flg_export" ?
            debug_printf_env("%s: unsetenv '%s'\n", __func__, str);
            /* unsetenv wants the bare name: cut str at '=' temporarily */
            *eq_sign = '\0';
            unsetenv(str);
            *eq_sign = '=';
        }
#if ENABLE_HUSH_LOCAL
        if (cur->func_nest_level < local_lvl) {
            /* New variable is declared as local,
             * and existing one is global, or local
             * from enclosing function.
             * Remove and save old one: */
            *var_pp = cur->next;
            cur->next = *G.shadowed_vars_pp;
            *G.shadowed_vars_pp = cur;
            /* bash 3.2.33(1) and exported vars:
             * # export z=z
             * # f() { local z=a; env | grep ^z; }
             * # f
             * z=a
             * # env | grep ^z
             * z=z
             */
            if (cur->flg_export)
                flg_export = 1;
            /* Leave the loop: a fresh struct is allocated below and
             * linked in at *var_pp, where the old one used to be. */
            break;
        }
#endif
        if (strcmp(cur->varstr + name_len, eq_sign + 1) == 0) {
            /* Value is unchanged: keep the stored string, drop the new one.
             * The label is also the exit for the "reuse space" case below. */
 free_and_exp:
            free(str);
            goto exp;
        }
        if (cur->max_len != 0) {
            if (cur->max_len >= strlen(str)) {
                /* This one is from startup env, reuse space */
                /* The strlen() check above is what bounds this strcpy. */
                strcpy(cur->varstr, str);
                goto free_and_exp;
            }
        } else {
            /* max_len == 0 signifies "malloced" var, which we can
             * (and has to) free */
            free(cur->varstr);
        }
        /* From here on varstr is the heap string passed in as str */
        cur->max_len = 0;
        goto set_str_and_exp;
    }

    /* Not found - create new variable struct */
    cur = xzalloc(sizeof(*cur));
#if ENABLE_HUSH_LOCAL
    cur->func_nest_level = local_lvl;
#endif
    cur->next = *var_pp;
    *var_pp = cur;

 set_str_and_exp:
    cur->varstr = str;
#if !BB_MMU
    cur->flg_read_only = flg_read_only;
#endif
 exp:
    if (flg_export == 1)
        cur->flg_export = 1;
    /* Any three-character name starting with "PS" (name_len counts the '=')
     * triggers a prompt refresh. */
    if (name_len == 4 && cur->varstr[0] == 'P' && cur->varstr[1] == 'S')
        cmdedit_update_prompt();
    if (cur->flg_export) {
        if (flg_export == -1) {
            cur->flg_export = 0;
            /* unsetenv was already done */
        } else {
            debug_printf_env("%s: putenv '%s'\n", __func__, cur->varstr);
            /* putenv() is given cur->varstr itself, so that string has to
             * stay allocated for as long as the variable is exported. */
            return putenv(cur->varstr);
        }
    }
    return 0;
}
1853
/* Refresh $PWD from the current working directory.
 * Used at startup and after each cd.
 * exp is passed through as set_local_var()'s export flag.
 */
static void set_pwd_var(int exp)
{
    char *pwd_assignment = xasprintf("PWD=%s", get_cwd(/*force:*/ 1));

    /* set_local_var() takes ownership of the allocated string */
    set_local_var(pwd_assignment, /*exp:*/ exp, /*lvl:*/ 0, /*ro:*/ 0);
}
1860
/*
 * Remove the variable whose name is the first name_len bytes of name.
 *
 * A NULL name and a name that is not set are both treated as success.
 * A readonly variable is left alone: an error is printed and
 * EXIT_FAILURE is returned.
 */
static int unset_local_var_len(const char *name, int name_len)
{
    struct variable **link;
    struct variable *var;

    if (name == NULL)
        return EXIT_SUCCESS;

    for (link = &G.top_var; (var = *link) != NULL; link = &var->next) {
        /* Need an exact name match: same prefix, then '=' */
        if (strncmp(var->varstr, name, name_len) != 0)
            continue;
        if (var->varstr[name_len] != '=')
            continue;

        if (var->flg_read_only) {
            bb_error_msg("%s: readonly variable", name);
            return EXIT_FAILURE;
        }
        /* Unlink first, then drop it from the environment */
        *link = var->next;
        debug_printf_env("%s: unsetenv '%s'\n", __func__, var->varstr);
        bb_unsetenv(var->varstr);
        /* Three-character "PS?" names affect the prompt */
        if (name_len == 3 && var->varstr[0] == 'P' && var->varstr[1] == 'S')
            cmdedit_update_prompt();
        /* max_len == 0 marks a malloced string, which is ours to free */
        if (var->max_len == 0)
            free(var->varstr);
        free(var);
        return EXIT_SUCCESS;
    }
    return EXIT_SUCCESS;
}
1889
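/*
 * Unset the variable called name.
 *
 * Returns what unset_local_var_len() returns. A NULL name is reported as
 * success, the same answer unset_local_var_len() gives for it; checking
 * here keeps strlen() from being called on a NULL pointer first.
 */
static int unset_local_var(const char *name)
{
    if (name == NULL)
        return EXIT_SUCCESS;
    return unset_local_var_len(name, strlen(name));
}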
1894
/*
 * Unset every variable named in a NULL-terminated array of "NAME=value"
 * (or bare "NAME") strings, then free the array.
 * Only the array itself is freed here, not the strings it points to.
 * A NULL array is a no-op.
 */
static void unset_vars(char **strings)
{
    char **entry;

    if (strings == NULL)
        return;
    for (entry = strings; *entry != NULL; entry++) {
        /* The name ends at '=' or, if there is none, at the end of string */
        const char *name_end = strchrnul(*entry, '=');
        unset_local_var_len(*entry, (int)(name_end - *entry));
    }
    free(strings);
}
1909
/* Set variable name to val: builds the "name=val" string on the heap and
 * hands it to set_local_var(), which takes ownership of it.
 * The variable is set at level 0, with no export request and not readonly.
 */
static void FAST_FUNC set_local_var_from_halves(const char *name, const char *val)
{
    set_local_var(xasprintf("%s=%s", name, val), /*flags:*/ 0, /*lvl:*/ 0, /*ro:*/ 0);
}
1915
1916
1917/*
1918 * Helpers for "var1=val1 var2=val2 cmd" feature
1919 */
/* Put a saved list of variables back: each element of var is pushed onto
 * the head of the global variable list, and exported ones are handed to
 * putenv() again.
 */
static void add_vars(struct variable *var)
{
    struct variable *rest;

    for (; var != NULL; var = rest) {
        /* Remember the tail before relinking this element */
        rest = var->next;
        var->next = G.top_var;
        G.top_var = var;
        if (!var->flg_export) {
            debug_printf_env("%s: restoring variable '%s'\n", __func__, var->varstr);
            continue;
        }
        debug_printf_env("%s: restoring exported '%s'\n", __func__, var->varstr);
        putenv(var->varstr);
    }
}
1937
/*
 * Apply the assignments of a "var1=val1 var2=val2 cmd" prefix.
 *
 * Each "NAME=value" string is set as an exported variable. A variable that
 * already exists under that name is first unlinked from the global list and
 * collected; the collected list is returned (NULL if there was nothing to
 * save or strings is NULL). Strings without '=' are skipped.
 * The strings are passed to set_local_var(), which takes ownership of them.
 */
static struct variable *set_vars_and_save_old(char **strings)
{
    struct variable *saved = NULL;
    char **assignment;

    if (strings == NULL)
        return saved;
    for (assignment = strings; *assignment != NULL; assignment++) {
        struct variable **slot;
        char *eq = strchr(*assignment, '=');

        if (eq == NULL)
            continue;
        slot = get_ptr_to_local_var(*assignment, eq - *assignment);
        if (slot != NULL) {
            /* Remove variable from global linked list */
            struct variable *shadowed = *slot;
            debug_printf_env("%s: removing '%s'\n", __func__, shadowed->varstr);
            *slot = shadowed->next;
            /* Add it to returned list */
            shadowed->next = saved;
            saved = shadowed;
        }
        set_local_var(*assignment, /*exp:*/ 1, /*lvl:*/ 0, /*ro:*/ 0);
    }
    return saved;
}
1969
1970
1971/*
1972 * in_str support
1973 */
/* "get" method for string-backed input: returns the next char of i->p and
 * advances past it, or EOF (without advancing) at the terminating NUL.
 * The returned char is also recorded in i->last_char.
 */
static int FAST_FUNC static_get(struct in_str *i)
{
    int ch = *i->p;

    if (ch == '\0')
        return EOF;
    i->p++;
    i->last_char = ch;
    return ch;
}
1984
/* "peek" method for string-backed input: returns the char at i->p without
 * consuming it. At the end of the string this is NUL, not EOF.
 */
static int FAST_FUNC static_peek(struct in_str *i)
{
    return i->p[0];
}
1989
1990#if ENABLE_HUSH_INTERACTIVE
1991
/* Reload G.PS1 and G.PS2 after a prompt variable may have changed.
 * With fancy prompts both come from the shell variables PS1 and PS2,
 * PS1 falling back to "\w \$ ". Without them PS1 is reset to NULL.
 * PS2 falls back to "> " whenever it is NULL.
 */
static void cmdedit_update_prompt(void)
{
    if (!ENABLE_FEATURE_EDITING_FANCY_PROMPT) {
        G.PS1 = NULL;
    } else {
        G.PS1 = get_local_var_value("PS1");
        if (!G.PS1)
            G.PS1 = "\\w \\$ ";
        G.PS2 = get_local_var_value("PS2");
    }
    if (!G.PS2)
        G.PS2 = "> ";
}
2005
/*
 * Return the prompt to print: PS1 when promptmode is 0, PS2 otherwise.
 *
 * With fancy prompts the stored G.PS1/G.PS2 are returned as they are.
 * Without them PS1 is rebuilt on every call as "<cwd> $ " ('#' instead of
 * '$' when the effective uid is 0); the previous G.PS1 is freed first, so
 * the returned pointer is only good until the next PS1 request.
 */
static const char *setup_prompt_string(int promptmode)
{
    const char *prompt_str;
    int want_ps1 = (promptmode == 0);

    debug_printf("setup_prompt_string %d ", promptmode);
    if (ENABLE_FEATURE_EDITING_FANCY_PROMPT) {
        prompt_str = want_ps1 ? G.PS1 : G.PS2;
    } else if (want_ps1) {
        /* Set up the prompt */
        free((char*)G.PS1);
        /* bash uses $PWD value, even if it is set by user.
         * It uses current dir only if PWD is unset.
         * We always use current dir. */
        G.PS1 = xasprintf("%s %c ", get_cwd(0), (geteuid() != 0) ? '$' : '#');
        prompt_str = G.PS1;
    } else {
        prompt_str = G.PS2;
    }
    debug_printf("result '%s'\n", prompt_str);
    return prompt_str;
}
2026
/*
 * Print the prompt and read interactive input into G.user_input_buf.
 *
 * With line editing a whole line is read per call; without it a single
 * char is read from i->file. On return i->p points at G.user_input_buf
 * and i->eof_flag says whether EOF (or, with line editing, an error)
 * was seen.
 */
static void get_user_input(struct in_str *i)
{
    int r;
    const char *prompt_str;

    prompt_str = setup_prompt_string(i->promptmode);
# if ENABLE_FEATURE_EDITING
    /* Enable command line editing only while a command line
     * is actually being read */
    do {
        /* Unicode support should be activated even if LANG is set
         * _during_ shell execution, not only if it was set when
         * shell was started. Therefore, re-check LANG every time:
         */
        reinit_unicode(get_local_var_value("LANG"));

        G.flag_SIGINT = 0;
        /* buglet: SIGINT will not make new prompt to appear _at once_,
         * only after <Enter>. (^C will work) */
        /* The length passed here bounds what read_line_input stores;
         * NOTE(review): G.user_input_buf is presumably sized to
         * CONFIG_FEATURE_EDITING_MAX_LEN - its declaration is not
         * visible here, confirm. */
        r = read_line_input(G.line_input_state, prompt_str, G.user_input_buf, CONFIG_FEATURE_EDITING_MAX_LEN-1, /*timeout*/ -1);
        /* catch *SIGINT* etc (^C is handled by read_line_input) */
        check_and_run_traps();
    } while (r == 0 || G.flag_SIGINT); /* repeat if ^C or SIGINT */
    i->eof_flag = (r < 0);
    if (i->eof_flag) { /* EOF/error detected */
        /* Leave a one-char non-empty string in the buffer; file_get()
         * turns the last cached char into EOF when eof_flag is set. */
        G.user_input_buf[0] = EOF; /* yes, it will be truncated, it's ok */
        G.user_input_buf[1] = '\0';
    }
# else
    do {
        G.flag_SIGINT = 0;
        /* Prompt only at the start of a line */
        if (i->last_char == '\0' || i->last_char == '\n') {
            /* Why check_and_run_traps here? Try this interactively:
             * $ trap 'echo INT' INT; (sleep 2; kill -INT $$) &
             * $ <[enter], repeatedly...>
             * Without check_and_run_traps, handler never runs.
             */
            check_and_run_traps();
            fputs(prompt_str, stdout);
        }
        fflush_all();
        /* One char per call; r keeps the untruncated int for the EOF test */
        G.user_input_buf[0] = r = fgetc(i->file);
        /*G.user_input_buf[1] = '\0'; - already is and never changed */
    } while (G.flag_SIGINT);
    i->eof_flag = (r == EOF);
# endif
    i->p = G.user_input_buf;
}
2075
2076#endif  /* INTERACTIVE */
2077
/* This is the magic location that prints prompts
 * and gets data back from the user.
 *
 * "get" method for file-backed input: returns the next char, or EOF.
 * Cached data at i->p is consumed first. Otherwise, an interactive shell
 * reading stdin asks the user for input (prompting as needed), and any
 * other input is read with fgetc(). NUL bytes read from a file are
 * skipped. The result is also recorded in i->last_char.
 */
static int FAST_FUNC file_get(struct in_str *i)
{
    int ch;

    /* If there is data waiting, eat it up */
    if (i->p && *i->p) {
#if ENABLE_HUSH_INTERACTIVE
 take_cached:
#endif
        ch = *i->p++;
        /* With eof_flag set, the last cached char stands for EOF */
        if (i->eof_flag && !*i->p)
            ch = EOF;
        /* note: ch is never NUL */
    } else {
        /* need to double check i->file because we might be doing something
         * more complicated by now, like sourcing or substituting. */
#if ENABLE_HUSH_INTERACTIVE
        if (G_interactive_fd && i->file == stdin) {
            do {
                get_user_input(i);
            } while (!*i->p); /* need non-empty line */
            /* Further prompts within this command are continuation prompts */
            i->promptmode = 1; /* PS2 */
            goto take_cached;
        }
#endif
        /* NUL bytes in the input are dropped */
        do ch = fgetc(i->file); while (ch == '\0');
    }
    debug_printf("file_get: got '%c' %d\n", ch, ch);
    i->last_char = ch;
    return ch;
}
2111
/* "peek" method for file-backed input: returns the next char without
 * consuming it, or EOF.
 * All callers guarantee this routine will never
 * be used right after a newline, so prompting is not needed.
 * When nothing is cached, one char is read from the file (NUL bytes are
 * skipped) and parked in i->peek_buf for the next get.
 */
static int FAST_FUNC file_peek(struct in_str *i)
{
    int ch;

    if (i->p && *i->p) {
        /* Cached data; with eof_flag set, the last cached char stands for EOF */
        return (i->eof_flag && !i->p[1]) ? EOF : *i->p;
    }
    do {
        ch = fgetc(i->file);
    } while (ch == '\0');
    /* note: ch is never NUL */
    i->peek_buf[0] = ch;
    i->peek_buf[1] = '\0';
    i->eof_flag = (ch == EOF);
    i->p = i->peek_buf;
    debug_printf("file_peek: got '%c' %d\n", ch, ch);
    return ch;
}
2132
/* Initialize *i to read from the stdio stream f.
 * Every other field starts out zeroed: promptmode 0 (PS1), no cached data.
 */
static void setup_file_in_str(struct in_str *i, FILE *f)
{
    memset(i, 0, sizeof(*i));
    /* i->p = NULL; i->promptmode = 0; - memset did it */
    i->file = f;
    i->get = file_get;
    i->peek = file_peek;
}
2142
/* Initialize *i to read from the NUL-terminated string s.
 * The string is not copied; *i only keeps a pointer into it.
 * Every other field starts out zeroed: promptmode 0 (PS1), eof_flag 0.
 */
static void setup_string_in_str(struct in_str *i, const char *s)
{
    memset(i, 0, sizeof(*i));
    /* i->promptmode = 0; i->eof_flag = 0; - memset did it */
    i->p = s;
    i->get = static_get;
    i->peek = static_peek;
}
2152
2153
2154/*
2155 * o_string support
2156 */
2157#define B_CHUNK  (32 * sizeof(char*))
2158
/* Make *o an empty, unquoted string again while keeping its buffer.
 * If no buffer has been allocated yet, none is created.
 */
static void o_reset_to_empty_unquoted(o_string *o)
{
    o->has_quoted_part = 0;
    o->length = 0;
    if (o->data != NULL)
        o->data[0] = '\0';
}
2166
/* Release the buffer of *o and zero the whole struct, so that no stale
 * pointer is left behind and *o can be reused as an empty string.
 */
static void o_free(o_string *o)
{
    free(o->data);
    memset(o, 0, sizeof *o);
}
2172
/* Release the buffer of *o and nothing else.
 * "Unsafe" because o->data is left dangling and length/maxlen keep their
 * old values: *o must not be used again without being re-initialized.
 */
static ALWAYS_INLINE void o_free_unsafe(o_string *o)
{
    free(o->data);
}
2177
/* Make sure *o has room for len more bytes plus the terminating NUL.
 * When it has to grow, capacity goes up by the larger of 2*len and
 * B_CHUNK. The buffer is always allocated one byte larger than maxlen,
 * which is where the NUL goes.
 * NOTE(review): length, len and maxlen are added as given, with no
 * overflow check in this function.
 */
static void o_grow_by(o_string *o, int len)
{
    if (o->length + len <= o->maxlen)
        return; /* already fits */
    o->maxlen += (2*len > B_CHUNK ? 2*len : B_CHUNK);
    o->data = xrealloc(o->data, 1 + o->maxlen);
}
2185
/* Append the single char ch to *o, growing the buffer if needed,
 * and keep the data NUL-terminated.
 */
static void o_addchr(o_string *o, int ch)
{
    debug_printf("o_addchr: '%c' o->length=%d o=%p\n", ch, o->length, o);
    o_grow_by(o, 1);
    o->data[o->length++] = ch;
    o->data[o->length] = '\0';
}
2194
/* Append len bytes starting at str to *o, growing the buffer if needed,
 * and keep the data NUL-terminated. The bytes are copied as they are,
 * embedded NULs included.
 */
static void o_addblock(o_string *o, const char *str, int len)
{
    char *dest;

    o_grow_by(o, len);
    /* Take the address only after growing: o->data may have moved */
    dest = &o->data[o->length];
    memcpy(dest, str, len);
    o->length += len;
    o->data[o->length] = '\0';
}
2202
/* Append the NUL-terminated string str to *o (its terminator is not
 * counted in o->length).
 */
static void o_addstr(o_string *o, const char *str)
{
    int str_len = strlen(str);

    o_addblock(o, str, str_len);
}
2207
#if !BB_MMU
/* Append ch to *o unless o is NULL. On MMU builds this is a no-op macro. */
static void nommu_addchr(o_string *o, int ch)
{
    if (o == NULL)
        return;
    o_addchr(o, ch);
}
#else
# define nommu_addchr(o, str) ((void)0)
#endif
2217
/* Append str to *o together with its terminating NUL, so that the NUL
 * counts as data (o->length moves past it) and the next append starts
 * a separate string.
 */
static void o_addstr_with_NUL(o_string *o, const char *str)
{
    int len_with_nul = strlen(str) + 1;

    o_addblock(o, str, len_with_nul);
}
2222
2223/*
2224 * HUSH_BRACE_EXPANSION code needs corresponding quoting on variable expansion side.
2225 * Currently, "v='{q,w}'; echo $v" erroneously expands braces in $v.
2226 * Apparently, on unquoted $v bash still does globbing
2227 * ("v='*.txt'; echo $v" prints all .txt files),
2228 * but NOT brace expansion! Thus, there should be TWO independent
2229 * quoting mechanisms on $v expansion side: one protects
2230 * $v from brace expansion, and other additionally protects "$v" against globbing.
2231 * We have only second one.
2232 */
2233
2234#if ENABLE_HUSH_BRACE_EXPANSION
2235# define MAYBE_BRACES "{}"
2236#else
2237# define MAYBE_BRACES ""
2238#endif
2239
/* My analysis of quoting semantics tells me that state information
 * is associated with a destination, not a source.
 *
 * Append ch to *o; if ch is one of the glob characters "*?[\" (plus "{}"
 * with brace expansion enabled), a backslash is put in front of it, so
 * that the char stays literal when the word is globbed later.
 * The buffer is grown before anything is stored into it.
 */
static void o_addqchr(o_string *o, int ch)
{
    int needs_escape = (strchr("*?[\\" MAYBE_BRACES, ch) != NULL);

    o_grow_by(o, needs_escape ? 2 : 1);
    if (needs_escape)
        o->data[o->length++] = '\\';
    o->data[o->length++] = ch;
    o->data[o->length] = '\0';
}
2258
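/* Append ch to *o. If EXP_FLAG_ESC_GLOB_CHARS is set in o->o_expflags and
 * ch is one of the glob characters "*?[\" (plus "{}" with brace expansion
 * enabled), a backslash is put in front of it; otherwise ch is appended
 * as it is.
 *
 * Room for everything is reserved before the first store, the same order
 * o_addqchr() uses. Storing the backslash first would write through
 * o->data while no buffer has been allocated yet (o->data == NULL), and
 * would otherwise rely on the spare byte kept for the NUL.
 */
static void o_addQchr(o_string *o, int ch)
{
    int escape = (o->o_expflags & EXP_FLAG_ESC_GLOB_CHARS)
     && strchr("*?[\\" MAYBE_BRACES, ch) != NULL;

    o_grow_by(o, escape ? 2 : 1);
    if (escape) {
        o->data[o->length] = '\\';
        o->length++;
    }
    o->data[o->length] = ch;
    o->length++;
    o->data[o->length] = '\0';
}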
2274
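/* Append len bytes of str to *o, putting a backslash in front of every
 * glob character "*?[\" (plus "{}" with brace expansion enabled).
 *
 * str is scanned with strcspn(), so it has to be NUL-terminated even
 * though a length is given. If the NUL comes before len bytes have been
 * consumed, it is appended as a plain byte and scanning goes on behind it.
 *
 * Room for the escaped char is reserved before it is stored (the order
 * o_addqchr() uses), so the backslash never depends on the spare byte
 * that is kept for the terminating NUL.
 */
static void o_addqblock(o_string *o, const char *str, int len)
{
    while (len) {
        char ch;
        int sz;
        /* Length of the leading run that needs no escaping */
        int ordinary_cnt = strcspn(str, "*?[\\" MAYBE_BRACES);
        if (ordinary_cnt > len) /* paranoia */
            ordinary_cnt = len;
        o_addblock(o, str, ordinary_cnt);
        if (ordinary_cnt == len)
            return; /* NUL is already added by o_addblock */
        str += ordinary_cnt;
        len -= ordinary_cnt + 1; /* we are processing + 1 char below */

        ch = *str++;
        /* A non-NUL ch is necessarily one of "*?[\\" MAYBE_BRACES */
        sz = ch ? 2 : 1;
        o_grow_by(o, sz);
        if (ch) {
            o->data[o->length] = '\\';
            o->length++;
        }
        o->data[o->length] = ch;
        o->length++;
    }
    o->data[o->length] = '\0';
}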
2302
/* Append len bytes of str to *o, backslash-escaping glob characters only
 * if EXP_FLAG_ESC_GLOB_CHARS is set in o->o_expflags.
 */
static void o_addQblock(o_string *o, const char *str, int len)
{
    if (o->o_expflags & EXP_FLAG_ESC_GLOB_CHARS)
        o_addqblock(o, str, len);
    else
        o_addblock(o, str, len);
}
2311
/* Append the NUL-terminated string str to *o; glob characters are escaped
 * under the same condition as in o_addQblock().
 */
static void o_addQstr(o_string *o, const char *str)
{
    int str_len = strlen(str);

    o_addQblock(o, str, str_len);
}
2316
2317/* A special kind of o_string for $VAR and `cmd` expansion.
2318 * It contains char* list[] at the beginning, which is grown in 16 element
2319 * increments. Actual string data starts at the next multiple of 16 * (char*).
2320 * list[i] contains an INDEX (int!) into this string data.
2321 * It means that if list[] needs to grow, data needs to be moved higher up
2322 * but list[i]'s need not be modified.
2323 * NB: remembering how many list[i]'s you have there is crucial.
2324 * o_finalize_list() operation post-processes this structure - calculates
2325 * and stores actual char* ptrs in list[]. Oh, it NULL terminates it as well.
2326 */
#if DEBUG_EXPAND || DEBUG_GLOB
/* Debug aid: dump the first n list[] entries of a list-style o_string to
 * fd 2, followed by the total size in use. A no-op macro unless
 * DEBUG_EXPAND or DEBUG_GLOB is enabled.
 */
static void debug_print_list(const char *prefix, o_string *o, int n)
{
    char **list = (char**)o->data;
    /* String data starts after the slots, rounded up to a multiple of 16 */
    int string_start = ((n + 0xf) & ~0xf) * sizeof(list[0]);
    int i;

    indent();
    fdprintf(2, "%s: list:%p n:%d string_start:%d length:%d maxlen:%d glob:%d quoted:%d escape:%d\n",
            prefix, list, n, string_start, o->length, o->maxlen,
            !!(o->o_expflags & EXP_FLAG_GLOB),
            o->has_quoted_part,
            !!(o->o_expflags & EXP_FLAG_ESC_GLOB_CHARS));
    for (i = 0; i < n; i++) {
        /* list[i] holds an index into the string data, not a pointer */
        char *entry = o->data + (int)(uintptr_t)list[i] + string_start;

        indent();
        fdprintf(2, " list[%d]=%d '%s' %p\n", i, (int)(uintptr_t)list[i],
                entry, entry);
    }
    if (n) {
        const char *p = o->data + (int)(uintptr_t)list[n - 1] + string_start;
        indent();
        fdprintf(2, " total_sz:%ld\n", (long)((p + strlen(p) + 1) - o->data));
    }
}
#else
# define debug_print_list(prefix, o, n) ((void)0)
#endif
2356
/* n = o_save_ptr_helper(str, n) "starts new string" by storing an index value
 * in list[n] so that it points past last stored byte so far.
 * It returns n+1.
 *
 * The stored value is an offset relative to the start of the string data,
 * not a pointer. When n is a multiple of 16 the slot area is full: the
 * buffer is enlarged by 16 slots and the string data is moved up to make
 * room. o->has_quoted_part is reset for the new string.
 */
static int o_save_ptr_helper(o_string *o, int n)
{
    char **list = (char**)o->data;
    int string_start;
    int string_len;

    if (!o->has_empty_slot) {
        /* Byte offset of the string data: n slots, rounded up to 16 */
        string_start = ((n + 0xf) & ~0xf) * sizeof(list[0]);
        string_len = o->length - string_start;
        if (!(n & 0xf)) { /* 0, 0x10, 0x20...? */
            debug_printf_list("list[%d]=%d string_start=%d (growing)\n", n, string_len, string_start);
            /* list[n] points to string_start, make space for 16 more pointers */
            o->maxlen += 0x10 * sizeof(list[0]);
            o->data = xrealloc(o->data, o->maxlen + 1);
            /* The buffer may have moved: reload list before using it */
            list = (char**)o->data;
            /* Shift the string data up by 16 slots; the regions overlap,
             * hence memmove */
            memmove(list + n + 0x10, list + n, string_len);
            o->length += 0x10 * sizeof(list[0]);
        } else {
            debug_printf_list("list[%d]=%d string_start=%d\n",
                    n, string_len, string_start);
        }
    } else {
        /* We have empty slot at list[n], reuse without growth */
        string_start = ((n+1 + 0xf) & ~0xf) * sizeof(list[0]); /* NB: n+1! */
        string_len = o->length - string_start;
        debug_printf_list("list[%d]=%d string_start=%d (empty slot)\n",
                n, string_len, string_start);
        o->has_empty_slot = 0;
    }
    o->has_quoted_part = 0;
    /* Store the offset disguised as a pointer; o_finalize_list()
     * turns it into a real one */
    list[n] = (char*)(uintptr_t)string_len;
    return n + 1;
}
2393
/* "What was our last o_save_ptr'ed position (byte offset relative o->data)?"
 * Reads list[n-1], so n has to be at least 1.
 */
static int o_get_last_ptr(o_string *o, int n)
{
    char **slots = (char**)o->data;
    /* String data starts after the slots, rounded up to a multiple of 16 */
    int string_start = ((n + 0xf) & ~0xf) * sizeof(slots[0]);
    /* The slot holds an offset into the string data, not a pointer */
    int rel_offset = (int)(uintptr_t)slots[n-1];

    return rel_offset + string_start;
}
2402
2403#if ENABLE_HUSH_BRACE_EXPANSION
/* There is a GNU extension, GLOB_BRACE, but it is not usable:
 * first, it processes even {a} (no commas), second,
 * I didn't manage to make it return strings when they don't match
 * existing files. Need to re-implement it.
 */
2409
/* Helper: does s contain an unescaped glob or brace character
 * ('*', '[', '?' or '{')? Returns 1 if so, else 0.
 * A backslash hides the char that follows it; a trailing lone backslash
 * ends the scan with 0.
 */
static int glob_needed(const char *s)
{
    for (; *s != '\0'; s++) {
        switch (*s) {
        case '\\':
            if (s[1] == '\0')
                return 0;
            s++; /* skip the escaped char too */
            break;
        case '*':
        case '[':
        case '?':
        case '{':
            return 1;
        default:
            break;
        }
    }
    return 0;
}
/* Return pointer to next closing brace or to comma.
 * Scanning starts behind the char cp points at. Commas and braces inside
 * nested {...} are stepped over, and a backslash hides the char after it.
 * Returns NULL if the end of the string is reached first.
 */
static const char *next_brace_sub(const char *cp)
{
    unsigned depth = 0;

    for (cp++; *cp != '\0'; cp++) {
        char c = *cp;

        if (c == '\\') {
            cp++;
            if (*cp == '\0')
                break;
            continue; /* the loop increment steps past the escaped char */
        }
        if (c == '}') {
            if (depth == 0)
                break;
            depth--;
        } else if (c == ',') {
            if (depth == 0)
                break;
        } else if (c == '{') {
            depth++;
        }
    }

    return *cp != '\0' ? cp : NULL;
}
/* Recursive brace globber. Note: may garble pattern[].
 *
 * Expands the first well-formed {a,b,...} group in pattern by calling
 * itself once per alternative; a pattern with no such group is handed to
 * glob(). Every resulting name is appended to *o as a new list entry.
 * n is the number of entries so far; the updated count is returned.
 * A pattern that matches nothing is stored literally, with its
 * backslashes removed. Other glob() failures terminate the shell.
 */
static int glob_brace(char *pattern, o_string *o, int n)
{
    char *new_pattern_buf;
    const char *begin;
    const char *next;
    const char *rest;
    const char *p;
    size_t rest_len;

    debug_printf_glob("glob_brace('%s')\n", pattern);

    /* Look for the first '{' that starts a group with at least one comma */
    begin = pattern;
    while (1) {
        if (*begin == '\0')
            goto simple_glob;
        if (*begin == '{') {
            /* Find the first sub-pattern and at the same time
             * find the rest after the closing brace */
            next = next_brace_sub(begin);
            if (next == NULL) {
                /* An illegal expression */
                goto simple_glob;
            }
            if (*next == '}') {
                /* "{abc}" with no commas - illegal
                 * brace expr, disregard and skip it */
                begin = next + 1;
                continue;
            }
            break;
        }
        /* Step over an escaped char so that "\{" does not open a group */
        if (*begin == '\\' && begin[1] != '\0')
            begin++;
        begin++;
    }
    debug_printf_glob("begin:%s\n", begin);
    debug_printf_glob("next:%s\n", next);

    /* Now find the end of the whole brace expression */
    rest = next;
    while (*rest != '}') {
        rest = next_brace_sub(rest);
        if (rest == NULL) {
            /* An illegal expression */
            goto simple_glob;
        }
        debug_printf_glob("rest:%s\n", rest);
    }
    /* rest_len counts the terminating NUL as well */
    rest_len = strlen(++rest) + 1;

    /* We are sure the brace expression is well-formed */

    /* Allocate working buffer large enough for our work */
    /* strlen(pattern) bytes suffice without a +1: each rebuilt pattern
     * drops the two braces, at least one comma and all other alternatives,
     * so even with its NUL it is shorter than the original text. */
    new_pattern_buf = xmalloc(strlen(pattern));

    /* We have a brace expression.  BEGIN points to the opening {,
     * NEXT points past the terminator of the first element, and REST
     * points past the final }.  We will accumulate result names from
     * recursive runs for each brace alternative in o.  */

    p = begin + 1;
    while (1) {
        /* Construct the new glob expression */
        /* prefix + current alternative + rest (with its NUL) */
        memcpy(
            mempcpy(
                mempcpy(new_pattern_buf,
                    /* We know the prefix for all sub-patterns */
                    pattern, begin - pattern),
                p, next - p),
            rest, rest_len);

        /* Note: glob_brace() may garble new_pattern_buf[].
         * That's why we re-copy prefix every time (1st memcpy above).
         */
        n = glob_brace(new_pattern_buf, o, n);
        if (*next == '}') {
            /* We saw the last entry */
            break;
        }
        p = next + 1;
        /* Cannot return NULL here: the scan for REST above already
         * walked these separators */
        next = next_brace_sub(next);
    }
    free(new_pattern_buf);
    return n;

 simple_glob:
    {
        int gr;
        glob_t globdata;

        memset(&globdata, 0, sizeof(globdata));
        gr = glob(pattern, 0, NULL, &globdata);
        debug_printf_glob("glob('%s'):%d\n", pattern, gr);
        if (gr != 0) {
            if (gr == GLOB_NOMATCH) {
                globfree(&globdata);
                /* NB: garbles parameter */
                /* No match: the word is kept, minus its backslashes */
                unbackslash(pattern);
                o_addstr_with_NUL(o, pattern);
                debug_printf_glob("glob pattern '%s' is literal\n", pattern);
                return o_save_ptr_helper(o, n);
            }
            if (gr == GLOB_NOSPACE)
                bb_error_msg_and_die(bb_msg_memory_exhausted);
            /* GLOB_ABORTED? Only happens with GLOB_ERR flag,
             * but we didn't specify it. Paranoia again. */
            bb_error_msg_and_die("glob error %d on '%s'", gr, pattern);
        }
        if (globdata.gl_pathv && globdata.gl_pathv[0]) {
            char **argv = globdata.gl_pathv;
            /* Each match becomes its own NUL-terminated list entry */
            while (1) {
                o_addstr_with_NUL(o, *argv);
                n = o_save_ptr_helper(o, n);
                argv++;
                if (!*argv)
                    break;
            }
        }
        globfree(&globdata);
    }
    return n;
}
/* Performs globbing on last list[],
 * saving each result as a new list[].
 * A word with no unescaped glob or brace chars only has its backslashes
 * removed in place. Returns the updated entry count.
 */
static int perform_glob(o_string *o, int n)
{
    char *pattern, *copy;

    debug_printf_glob("start perform_glob: n:%d o->data:%p\n", n, o->data);
    if (!o->data)
        return o_save_ptr_helper(o, n);
    pattern = o->data + o_get_last_ptr(o, n);
    debug_printf_glob("glob pattern '%s'\n", pattern);
    if (glob_needed(pattern)) {
        /* Work on a copy: glob_brace() appends to o, which may move
         * o->data and leave pattern dangling */
        copy = xstrdup(pattern);
        /* "forget" pattern in o */
        o->length = pattern - o->data;
        n = glob_brace(copy, o, n);
        free(copy);
        if (DEBUG_GLOB)
            debug_print_list("perform_glob returning", o, n);
        return n;
    }

    /* unbackslash last string in o in place, fix length */
    o->length = unbackslash(pattern) - o->data;
    debug_printf_glob("glob pattern '%s' is literal\n", pattern);
    return o_save_ptr_helper(o, n);
}
2598
2599#else /* !HUSH_BRACE_EXPANSION */
2600
/* Helper: does s contain an unescaped glob character ('*', '[' or '?')?
 * Returns 1 if so, else 0.
 * A backslash hides the char that follows it; a trailing lone backslash
 * ends the scan with 0.
 */
static int glob_needed(const char *s)
{
    for (; *s != '\0'; s++) {
        switch (*s) {
        case '\\':
            if (s[1] == '\0')
                return 0;
            s++; /* skip the escaped char too */
            break;
        case '*':
        case '[':
        case '?':
            return 1;
        default:
            break;
        }
    }
    return 0;
}
/* Performs globbing on last list[],
 * saving each result as a new list[].
 *
 * A word with no unescaped glob chars, or one that matches nothing, is
 * kept as a single entry with its backslashes removed. Other glob()
 * failures terminate the shell. Returns the updated entry count.
 */
static int perform_glob(o_string *o, int n)
{
    glob_t globdata;
    int gr;
    char *pattern;

    debug_printf_glob("start perform_glob: n:%d o->data:%p\n", n, o->data);
    if (!o->data)
        return o_save_ptr_helper(o, n);
    /* The word to glob is the last string saved in o */
    pattern = o->data + o_get_last_ptr(o, n);
    debug_printf_glob("glob pattern '%s'\n", pattern);
    if (!glob_needed(pattern)) {
        /* Also the target of the GLOB_NOMATCH fallback below */
 literal:
        /* unbackslash last string in o in place, fix length */
        o->length = unbackslash(pattern) - o->data;
        debug_printf_glob("glob pattern '%s' is literal\n", pattern);
        return o_save_ptr_helper(o, n);
    }

    memset(&globdata, 0, sizeof(globdata));
    /* Can't use GLOB_NOCHECK: it does not unescape the string.
     * If we glob "*.\*" and don't find anything, we need
     * to fall back to using literal "*.*", but GLOB_NOCHECK
     * will return "*.\*"!
     */
    gr = glob(pattern, 0, NULL, &globdata);
    debug_printf_glob("glob('%s'):%d\n", pattern, gr);
    if (gr != 0) {
        if (gr == GLOB_NOMATCH) {
            globfree(&globdata);
            goto literal;
        }
        if (gr == GLOB_NOSPACE)
            bb_error_msg_and_die(bb_msg_memory_exhausted);
        /* GLOB_ABORTED? Only happens with GLOB_ERR flag,
         * but we didn't specify it. Paranoia again. */
        bb_error_msg_and_die("glob error %d on '%s'", gr, pattern);
    }
    if (globdata.gl_pathv && globdata.gl_pathv[0]) {
        char **argv = globdata.gl_pathv;
        /* "forget" pattern in o */
        /* pattern is not used below this point; the appends may move
         * o->data */
        o->length = pattern - o->data;
        /* Each match becomes its own NUL-terminated list entry */
        while (1) {
            o_addstr_with_NUL(o, *argv);
            n = o_save_ptr_helper(o, n);
            argv++;
            if (!*argv)
                break;
        }
    }
    globfree(&globdata);
    if (DEBUG_GLOB)
        debug_print_list("perform_glob returning", o, n);
    return n;
}
2675
2676#endif /* !HUSH_BRACE_EXPANSION */
2677
/* If o->o_expflags & EXP_FLAG_GLOB, glob the string so far remembered.
 * Otherwise, just finish current list[] and start new.
 * Returns the updated entry count.
 */
static int o_save_ptr(o_string *o, int n)
{
    /* If o->has_empty_slot, list[n] was already globbed
     * (if it was requested back then when it was filled)
     * so don't do that again! */
    if ((o->o_expflags & EXP_FLAG_GLOB) && !o->has_empty_slot)
        return perform_glob(o, n); /* o_save_ptr_helper is inside */

    return o_save_ptr_helper(o, n);
}
2691
/* "Please convert list[n] to real char* ptrs, and NULL terminate it."
 * The returned array is o->data itself, so it lives exactly as long as
 * that buffer does.
 */
static char **o_finalize_list(o_string *o, int n)
{
    char **list;
    int string_start;
    int idx;

    n = o_save_ptr(o, n); /* force growth for list[n] if necessary */
    if (DEBUG_EXPAND)
        debug_print_list("finalized", o, n);
    debug_printf_expand("finalized n:%d\n", n);
    list = (char**)o->data;
    string_start = ((n + 0xf) & ~0xf) * sizeof(list[0]);
    /* The slot added by o_save_ptr() above becomes the terminator */
    n--;
    list[n] = NULL;
    /* Every remaining slot holds an offset: turn it into a pointer */
    for (idx = n - 1; idx >= 0; idx--)
        list[idx] = o->data + (int)(uintptr_t)list[idx] + string_start;
    return list;
}
2711
2712static void free_pipe_list(struct pipe *pi);
2713
/* Free one pipe and everything its commands own: argv strings, nested
 * groups, redirections and (where configured) saved command text.
 * Returns pi->next - next pipe in the list.
 *
 * None of the freed pointers is reset (the assignments are commented
 * out), so pi and its commands must not be touched after this call.
 */
static struct pipe *free_pipe(struct pipe *pi)
{
    struct pipe *next;
    int i;

    debug_printf_clean("free_pipe (pid %d)\n", getpid());
    for (i = 0; i < pi->num_cmds; i++) {
        struct command *command;
        struct redir_struct *r, *rnext;

        command = &pi->cmds[i];
        debug_printf_clean("  command %d:\n", i);
        if (command->argv) {
            if (DEBUG_CLEAN) {
                int a;
                char **p;
                for (a = 0, p = command->argv; *p; a++, p++) {
                    debug_printf_clean("   argv[%d] = %s\n", a, *p);
                }
            }
            free_strings(command->argv);
            //command->argv = NULL;
        }
        /* not "else if": on syntax error, we may have both! */
        if (command->group) {
            debug_printf_clean("   begin group (cmd_type:%d)\n",
                    command->cmd_type);
            /* Nested pipes are freed recursively */
            free_pipe_list(command->group);
            debug_printf_clean("   end group\n");
            //command->group = NULL;
        }
        /* else is crucial here.
         * If group != NULL, child_func is meaningless */
#if ENABLE_HUSH_FUNCTIONS
        else if (command->child_func) {
            debug_printf_exec("cmd %p releases child func at %p\n", command, command->child_func);
            /* The function itself is not freed here; only its back
             * pointer to this command is cleared */
            command->child_func->parent_cmd = NULL;
        }
#endif
#if !BB_MMU
        free(command->group_as_string);
        //command->group_as_string = NULL;
#endif
        for (r = command->redirects; r; r = rnext) {
            debug_printf_clean("   redirect %d%s",
                    r->rd_fd, redir_table[r->rd_type].descrip);
            /* guard against the case >$FOO, where foo is unset or blank */
            if (r->rd_filename) {
                debug_printf_clean(" fname:'%s'\n", r->rd_filename);
                free(r->rd_filename);
                //r->rd_filename = NULL;
            }
            debug_printf_clean(" rd_dup:%d\n", r->rd_dup);
            /* Fetch the link before the node goes away */
            rnext = r->next;
            free(r);
        }
        //command->redirects = NULL;
    }
    free(pi->cmds);   /* children are an array, they get freed all at once */
    //pi->cmds = NULL;
#if ENABLE_HUSH_JOB
    free(pi->cmdtext);
    //pi->cmdtext = NULL;
#endif

    /* Fetch the link before pi goes away */
    next = pi->next;
    free(pi);
    return next;
}
2784
/* Free every pipe of the list that starts at pi; a NULL list is a no-op.
 * free_pipe() hands back the successor, which drives the iteration. */
static void free_pipe_list(struct pipe *pi)
{
    struct pipe *cur;

    for (cur = pi; cur != NULL; cur = free_pipe(cur)) {
#if HAS_KEYWORDS
        debug_printf_clean("pipe reserved word %d\n", cur->res_word);
#endif
        debug_printf_clean("pipe followup code %d\n", cur->followup);
    }
}
2795
2796
2797/*** Parsing routines ***/
2798
2799#ifndef debug_print_tree
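/* Bounds-checked lookup for the name tables of debug_print_tree().
 * The tables are filled with designated initializers and config-dependent
 * entries, so a slot may be unset (NULL) and an index may lie past the end;
 * both cases yield "?" instead of handing a bad pointer to "%s".
 */
static const char *debug_tree_name(const char *const *tbl, unsigned cnt, unsigned idx)
{
    if (idx >= cnt || !tbl[idx])
        return "?";
    return tbl[idx];
}

/* Debug aid: dump the parse tree starting at pi to fd 2, indenting nested
 * groups by two columns per level (lvl).
 */
static void debug_print_tree(struct pipe *pi, int lvl)
{
    static const char *const PIPE[] = {
        [PIPE_SEQ] = "SEQ",
        [PIPE_AND] = "AND",
        [PIPE_OR ] = "OR" ,
        [PIPE_BG ] = "BG" ,
    };
    /* const-qualified like the sibling tables: nothing writes to it */
    static const char *const RES[] = {
        [RES_NONE ] = "NONE" ,
# if ENABLE_HUSH_IF
        [RES_IF   ] = "IF"   ,
        [RES_THEN ] = "THEN" ,
        [RES_ELIF ] = "ELIF" ,
        [RES_ELSE ] = "ELSE" ,
        [RES_FI   ] = "FI"   ,
# endif
# if ENABLE_HUSH_LOOPS
        [RES_FOR  ] = "FOR"  ,
        [RES_WHILE] = "WHILE",
        [RES_UNTIL] = "UNTIL",
        [RES_DO   ] = "DO"   ,
        [RES_DONE ] = "DONE" ,
# endif
# if ENABLE_HUSH_LOOPS || ENABLE_HUSH_CASE
        [RES_IN   ] = "IN"   ,
# endif
# if ENABLE_HUSH_CASE
        [RES_CASE ] = "CASE" ,
        [RES_CASE_IN ] = "CASE_IN" ,
        [RES_MATCH] = "MATCH",
        [RES_CASE_BODY] = "CASE_BODY",
        [RES_ESAC ] = "ESAC" ,
# endif
        [RES_XXXX ] = "XXXX" ,
        [RES_SNTX ] = "SNTX" ,
    };
    static const char *const CMDTYPE[] = {
        "{}",
        "()",
        "[noglob]",
# if ENABLE_HUSH_FUNCTIONS
        "func()",
# endif
    };

    int pin, prn;

    pin = 0;
    while (pi) {
        /* A freshly allocated pipe has followup == 0, which new_pipe()
         * describes as a deliberately invalid value; presumably PIPE[]
         * has no entry there, hence the checked lookup. */
        fdprintf(2, "%*spipe %d res_word=%s followup=%d %s\n", lvl*2, "",
                pin,
                debug_tree_name(RES, ARRAY_SIZE(RES), pi->res_word),
                pi->followup,
                debug_tree_name(PIPE, ARRAY_SIZE(PIPE), pi->followup));
        prn = 0;
        while (prn < pi->num_cmds) {
            struct command *command = &pi->cmds[prn];
            char **argv = command->argv;

            fdprintf(2, "%*s cmd %d assignment_cnt:%d",
                    lvl*2, "", prn,
                    command->assignment_cnt);
            if (command->group) {
                fdprintf(2, " group %s: (argv=%p)%s%s\n",
                        debug_tree_name(CMDTYPE, ARRAY_SIZE(CMDTYPE), command->cmd_type),
                        (void *)argv /* %p expects void* */
# if !BB_MMU
                        , " group_as_string:", command->group_as_string
# else
                        , "", ""
# endif
                );
                debug_print_tree(command->group, lvl+1);
                prn++;
                continue;
            }
            if (argv) while (*argv) {
                fdprintf(2, " '%s'", *argv);
                argv++;
            }
            fdprintf(2, "\n");
            prn++;
        }
        pi = pi->next;
        pin++;
    }
}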
2885#endif /* debug_print_tree */
2886
/* Allocate a zero-filled pipe node.
 * The zero fill leaves res_word at RES_NONE (which is 0) and followup at 0,
 * the latter being deliberately not a valid value until done_pipe() sets it.
 */
static struct pipe *new_pipe(void)
{
    return xzalloc(sizeof(struct pipe));
}
2895
/* Close the command being built in ctx->pipe, or create the first command
 * slot when ctx->command is NULL.
 * The command under construction already sits in pi->cmds but is not
 * counted in pi->num_cmds until it is committed here.
 * Returns pi->num_cmds; callers only test it for zero/non-zero.
 * No error is reported from here.
 */
static int done_command(struct parse_context *ctx)
{
    struct pipe *pi = ctx->pipe;
    struct command *command = ctx->command;
    int reuse_slot = 0;

    if (!command) {
        debug_printf_parse("done_command: initializing, num_cmds=%d\n", pi->num_cmds);
    } else if (IS_NULL_CMD(command)) {
        /* nothing was put into the current slot: recycle it as is */
        debug_printf_parse("done_command: skipping null cmd, num_cmds=%d\n", pi->num_cmds);
        reuse_slot = 1;
    } else {
        pi->num_cmds++;
        debug_printf_parse("done_command: ++num_cmds=%d\n", pi->num_cmds);
    }

    if (!reuse_slot) {
        /* Room for the committed commands plus one uncommitted slot.
         * The array may move, so a struct command pointer obtained from
         * this pipe before the call must not be used afterwards. */
        pi->cmds = xrealloc(pi->cmds, sizeof(*pi->cmds) * (pi->num_cmds+1));
        command = &pi->cmds[pi->num_cmds];
        ctx->command = command;
    }
    memset(command, 0, sizeof(*command));
    return pi->num_cmds;
}
2927
/* Close the current pipe: commit its last command, record how it is
 * followed (type) and, unless the pipe turned out empty, append a fresh
 * pipe with one empty command slot and make it the current one.
 */
static void done_pipe(struct parse_context *ctx, pipe_style type)
{
    int not_null;
    int append;

    debug_printf_parse("done_pipe entered, followup %d\n", type);
    /* commit the command that was being built */
    not_null = done_command(ctx);
    ctx->pipe->followup = type;
#if HAS_KEYWORDS
    ctx->pipe->pi_inverted = ctx->ctx_inverted;
    ctx->ctx_inverted = 0;
    ctx->pipe->res_word = ctx->ctx_res_w;
#endif

    /* An empty pipe is normally not followed by a new one; otherwise a
     * bare <enter> would build a tree of three NOPs. That is harmless,
     * so appending unconditionally would be safe too. A few reserved
     * words need the new pipe even when the current one is empty. */
    append = (not_null != 0);
#if ENABLE_HUSH_IF
    if (ctx->ctx_res_w == RES_FI)
        append = 1;
#endif
#if ENABLE_HUSH_LOOPS
    if (ctx->ctx_res_w == RES_DONE
     || ctx->ctx_res_w == RES_FOR
     || ctx->ctx_res_w == RES_IN)
        append = 1;
#endif
#if ENABLE_HUSH_CASE
    if (ctx->ctx_res_w == RES_ESAC)
        append = 1;
#endif

    if (append) {
        struct pipe *fresh;

        debug_printf_parse("done_pipe: adding new pipe: "
                "not_null:%d ctx->ctx_res_w:%d\n",
                not_null, ctx->ctx_res_w);
        fresh = new_pipe();
        ctx->pipe->next = fresh;
        ctx->pipe = fresh;
        /* RES_THEN, RES_DO and the like are "sticky": they stay set for
         * the pipes inside if/while and steer execution. RES_FOR and
         * RES_IN are not, so that a variable or value that happens to
         * spell a keyword still works. */
#if ENABLE_HUSH_LOOPS
        if (ctx->ctx_res_w == RES_FOR
         || ctx->ctx_res_w == RES_IN)
            ctx->ctx_res_w = RES_NONE;
#endif
#if ENABLE_HUSH_CASE
        if (ctx->ctx_res_w == RES_MATCH)
            ctx->ctx_res_w = RES_CASE_BODY;
        else if (ctx->ctx_res_w == RES_CASE)
            ctx->ctx_res_w = RES_CASE_IN;
#endif
        /* With ctx->command cleared, done_command() allocates the first
         * command slot of the new pipe and points ctx->command at it. */
        ctx->command = NULL;
        done_command(ctx);
    }
    debug_printf_parse("done_pipe return\n");
}
2992
/* Reset ctx to an empty parse state: all fields zeroed, one new pipe that
 * is both list head and current pipe, and one empty command slot in it. */
static void initialize_context(struct parse_context *ctx)
{
    struct pipe *first;

    memset(ctx, 0, sizeof(*ctx));
    first = new_pipe();
    ctx->list_head = first;
    ctx->pipe = first;
    /* ctx->command is NULL here, so this allocates cmds[0] of the new
     * pipe and makes ctx->command point at it */
    done_command(ctx);
}
3003
/* Reserved word handling (see reserved_word() below): if a reserved word
 * is found and processed, the parse context is modified and 1 is returned.
 */
3007#if HAS_KEYWORDS
/* One row of the reserved-word table used by match_reserved_word(). */
struct reserved_combo {
    /* keyword text; 6 bytes hold the longest entries ("while", "until") plus NUL */
    char literal[6];
    /* RES_* code that reserved_word() stores in ctx->ctx_res_w */
    unsigned char res;
    /* value that reserved_word() stores in word->o_assignment */
    unsigned char assignment_flag;
    /* mask of FLAG_* bits: which reserved words may follow; 0 marks "!" */
    int flag;
};
/* Bit masks built as (1 << RES_x), one per reserved-word code.
 * They are combined in reserved_combo.flag and compared against
 * ctx->old_flag in reserved_word().
 * NOTE(review): the shifts assume every RES_* value is small enough for
 * an int-sized mask; the RES_* enum is not visible here - confirm.
 */
enum {
    FLAG_END   = (1 << RES_NONE ), /* sequence is complete */
# if ENABLE_HUSH_IF
    FLAG_IF    = (1 << RES_IF   ),
    FLAG_THEN  = (1 << RES_THEN ),
    FLAG_ELIF  = (1 << RES_ELIF ),
    FLAG_ELSE  = (1 << RES_ELSE ),
    FLAG_FI    = (1 << RES_FI   ),
# endif
# if ENABLE_HUSH_LOOPS
    FLAG_FOR   = (1 << RES_FOR  ),
    FLAG_WHILE = (1 << RES_WHILE),
    FLAG_UNTIL = (1 << RES_UNTIL),
    FLAG_DO    = (1 << RES_DO   ),
    FLAG_DONE  = (1 << RES_DONE ),
    FLAG_IN    = (1 << RES_IN   ),
# endif
# if ENABLE_HUSH_CASE
    FLAG_MATCH = (1 << RES_MATCH),
    FLAG_ESAC  = (1 << RES_ESAC ),
# endif
    FLAG_START = (1 << RES_XXXX ), /* word opens a new compound list */
};
3037
/* Look word->data up in the reserved-word table by exact string match.
 * Returns the matching table row, or NULL when the word is not reserved.
 * word->data is handed to strcmp() as is, so it must be a valid
 * NUL-terminated string.
 */
static const struct reserved_combo* match_reserved_word(o_string *word)
{
    /* The flag column mostly lists the reserved words accepted next.
     * FLAG_END: the sequence is finished and the compound list can be
     * turned into a command.
     * FLAG_START: the word has to begin a new compound list.
     */
    static const struct reserved_combo reserved_list[] = {
# if ENABLE_HUSH_IF
        { "!",     RES_NONE,  NOT_ASSIGNMENT  , 0 },
        { "if",    RES_IF,    MAYBE_ASSIGNMENT, FLAG_THEN | FLAG_START },
        { "then",  RES_THEN,  MAYBE_ASSIGNMENT, FLAG_ELIF | FLAG_ELSE | FLAG_FI },
        { "elif",  RES_ELIF,  MAYBE_ASSIGNMENT, FLAG_THEN },
        { "else",  RES_ELSE,  MAYBE_ASSIGNMENT, FLAG_FI   },
        { "fi",    RES_FI,    NOT_ASSIGNMENT  , FLAG_END  },
# endif
# if ENABLE_HUSH_LOOPS
        { "for",   RES_FOR,   NOT_ASSIGNMENT  , FLAG_IN | FLAG_DO | FLAG_START },
        { "while", RES_WHILE, MAYBE_ASSIGNMENT, FLAG_DO | FLAG_START },
        { "until", RES_UNTIL, MAYBE_ASSIGNMENT, FLAG_DO | FLAG_START },
        { "in",    RES_IN,    NOT_ASSIGNMENT  , FLAG_DO   },
        { "do",    RES_DO,    MAYBE_ASSIGNMENT, FLAG_DONE },
        { "done",  RES_DONE,  NOT_ASSIGNMENT  , FLAG_END  },
# endif
# if ENABLE_HUSH_CASE
        { "case",  RES_CASE,  NOT_ASSIGNMENT  , FLAG_MATCH | FLAG_START },
        { "esac",  RES_ESAC,  NOT_ASSIGNMENT  , FLAG_END  },
# endif
    };
    unsigned i;

    for (i = 0; i < ARRAY_SIZE(reserved_list); i++) {
        const struct reserved_combo *row = &reserved_list[i];

        if (strcmp(word->data, row->literal) == 0)
            return row;
    }
    return NULL;
}
/* Check whether word is an unquoted reserved word and, if so, update the
 * parse context for it.
 * Return 0: not a keyword, 1: keyword.
 * A keyword used in the wrong place is still reported as 1; in that case
 * ctx->ctx_res_w is set to RES_SNTX after a syntax error message.
 */
static int reserved_word(o_string *word, struct parse_context *ctx)
{
# if ENABLE_HUSH_CASE
    /* pseudo keyword substituted for the "in" of "case word in" */
    static const struct reserved_combo reserved_match = {
        "",        RES_MATCH, NOT_ASSIGNMENT , FLAG_MATCH | FLAG_ESAC
    };
# endif
    const struct reserved_combo *r;

    /* a word with any quoted part is never treated as a keyword */
    if (word->has_quoted_part)
        return 0;
    r = match_reserved_word(word);
    if (!r)
        return 0;

    debug_printf("found reserved word %s, res %d\n", r->literal, r->res);
# if ENABLE_HUSH_CASE
    if (r->res == RES_IN && ctx->ctx_res_w == RES_CASE_IN) {
        /* "case word IN ..." - IN part starts first MATCH part */
        r = &reserved_match;
    } else
# endif
    if (r->flag == 0) { /* '!' */
        if (ctx->ctx_inverted) { /* bash doesn't accept '! ! true' */
            syntax_error("! ! command");
            ctx->ctx_res_w = RES_SNTX;
        }
        ctx->ctx_inverted = 1;
        return 1;
    }
    if (r->flag & FLAG_START) {
        struct parse_context *old;

        /* Opening keyword: save the whole current context on a heap
         * "stack" node and continue parsing in a fresh context.
         * No nesting depth limit is applied here. */
        old = xmalloc(sizeof(*old));
        debug_printf_parse("push stack %p\n", old);
        *old = *ctx;   /* physical copy */
        initialize_context(ctx);
        ctx->stack = old;
    } else if (/*ctx->ctx_res_w == RES_NONE ||*/ !(ctx->old_flag & (1 << r->res))) {
        /* the previous keyword does not allow this one to follow */
        syntax_error_at(word->data);
        ctx->ctx_res_w = RES_SNTX;
        return 1;
    } else {
        /* "{...} fi" is ok. "{...} if" is not
         * Example:
         * if { echo foo; } then { echo bar; } fi */
        if (ctx->command->group)
            done_pipe(ctx, PIPE_SEQ);
    }

    ctx->ctx_res_w = r->res;
    ctx->old_flag = r->flag;
    word->o_assignment = r->assignment_flag;
    debug_printf_parse("word->o_assignment='%s'\n", assignment_flag[word->o_assignment]);

    if (ctx->old_flag & FLAG_END) {
        struct parse_context *old;

        /* Closing keyword: attach the list parsed so far as the group of
         * the command saved at push time, then restore that context.
         * NOTE(review): ctx->stack is dereferenced without a NULL check;
         * this relies on the old_flag test above rejecting a closing
         * keyword that has no opener - confirm. */
        done_pipe(ctx, PIPE_SEQ);
        debug_printf_parse("pop stack %p\n", ctx->stack);
        old = ctx->stack;
        old->command->group = ctx->list_head;
        old->command->cmd_type = CMD_NORMAL;
# if !BB_MMU
        /* NOMMU: keep the source text of the group as well */
        o_addstr(&old->as_string, ctx->as_string.data);
        o_free_unsafe(&ctx->as_string);
        old->command->group_as_string = xstrdup(old->as_string.data);
        debug_printf_parse("pop, remembering as:'%s'\n",
                old->command->group_as_string);
# endif
        *ctx = *old;   /* physical copy */
        free(old);
    }
    return 1;
}
3152#endif /* HAS_KEYWORDS */
3153
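/* Word is complete, look at it and update parsing context.
 * The word becomes either the target of a pending redirect, a reserved
 * word, or one more element of the current command's argv.
 * Normal return is 0. Syntax errors return 1.
 * Note: on return, word is reset, but not o_free'd!
 */
static int done_word(o_string *word, struct parse_context *ctx)
{
    struct command *command = ctx->command;

    debug_printf_parse("done_word entered: '%s' %p\n", word->data, command);
    if (word->length == 0 && !word->has_quoted_part) {
        debug_printf_parse("done_word return 0: true null, ignored\n");
        return 0;
    }

    if (ctx->pending_redirect) {
        /* We do not glob in e.g. >*.tmp case. bash seems to glob here
         * only if run as "bash", not "sh" */
        /* http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html
         * "2.7 Redirection
         * ...the word that follows the redirection operator
         * shall be subjected to tilde expansion, parameter expansion,
         * command substitution, arithmetic expansion, and quote
         * removal. Pathname expansion shall not be performed
         * on the word by a non-interactive shell; an interactive
         * shell may perform it, but shall do so only when
         * the expansion would result in one word."
         */
        ctx->pending_redirect->rd_filename = xstrdup(word->data);
        /* Cater for >\file case:
         * >\a creates file a; >\\a, >"\a", >"\\a" create file \a
         * Same with heredocs:
         * for <<\H delim is H; <<\\H, <<"\H", <<"\\H" - \H
         */
        if (ctx->pending_redirect->rd_type == REDIRECT_HEREDOC) {
            unbackslash(ctx->pending_redirect->rd_filename);
            /* Is it <<"HEREDOC"? */
            if (word->has_quoted_part) {
                ctx->pending_redirect->rd_dup |= HEREDOC_QUOTED;
            }
        }
        debug_printf_parse("word stored in rd_filename: '%s'\n", word->data);
        ctx->pending_redirect = NULL;
    } else {
#if HAS_KEYWORDS
# if ENABLE_HUSH_CASE
        if (ctx->ctx_dsemicolon
         && strcmp(word->data, "esac") != 0 /* not "... pattern) cmd;; esac" */
        ) {
            /* already done when ctx_dsemicolon was set to 1: */
            /* ctx->ctx_res_w = RES_MATCH; */
            ctx->ctx_dsemicolon = 0;
        } else
# endif
        if (!command->argv /* if it's the first word... */
# if ENABLE_HUSH_LOOPS
         && ctx->ctx_res_w != RES_FOR /* ...not after FOR or IN */
         && ctx->ctx_res_w != RES_IN
# endif
# if ENABLE_HUSH_CASE
         && ctx->ctx_res_w != RES_CASE
# endif
        ) {
            int reserved = reserved_word(word, ctx);
            debug_printf_parse("checking for reserved-ness: %d\n", reserved);
            if (reserved) {
                o_reset_to_empty_unquoted(word);
                debug_printf_parse("done_word return %d\n",
                        (ctx->ctx_res_w == RES_SNTX));
                return (ctx->ctx_res_w == RES_SNTX);
            }
# if ENABLE_HUSH_BASH_COMPAT
            if (strcmp(word->data, "[[") == 0) {
                command->cmd_type = CMD_SINGLEWORD_NOGLOB;
            }
            /* fall through */
# endif
        }
#endif
        if (command->group) {
            /* "{ echo foo; } echo bar" - bad */
            syntax_error_at(word->data);
            debug_printf_parse("done_word return 1: syntax error, "
                    "groups and arglists don't mix\n");
            return 1;
        }

        /* If this word wasn't an assignment, next ones definitely
         * can't be assignments. Even if they look like ones. */
        if (word->o_assignment != DEFINITELY_ASSIGNMENT
         && word->o_assignment != WORD_IS_KEYWORD
        ) {
            word->o_assignment = NOT_ASSIGNMENT;
        } else {
            if (word->o_assignment == DEFINITELY_ASSIGNMENT) {
                command->assignment_cnt++;
                debug_printf_parse("++assignment_cnt=%d\n", command->assignment_cnt);
            }
            debug_printf_parse("word->o_assignment was:'%s'\n", assignment_flag[word->o_assignment]);
            word->o_assignment = MAYBE_ASSIGNMENT;
        }
        debug_printf_parse("word->o_assignment='%s'\n", assignment_flag[word->o_assignment]);

        if (word->has_quoted_part
         /* optimization: and if it's ("" or '') or ($v... or `cmd`...): */
         && (word->data[0] == '\0' || word->data[0] == SPECIAL_VAR_SYMBOL)
         /* (otherwise it's known to be not empty and is already safe) */
        ) {
            /* exclude "$@" - it can expand to no word despite "" */
            /* NOTE(review): p is advanced but never read afterwards, so
             * this scan has no effect on the result as written. */
            char *p = word->data;
            while (p[0] == SPECIAL_VAR_SYMBOL
                && (p[1] & 0x7f) == '@'
                && p[2] == SPECIAL_VAR_SYMBOL
            ) {
                p += 3;
            }
        }
        command->argv = add_string_to_strings(command->argv, xstrdup(word->data));
        debug_print_strings("word appended to argv", command->argv);
    }

#if ENABLE_HUSH_LOOPS
    if (ctx->ctx_res_w == RES_FOR) {
        if (word->has_quoted_part
         /* argv is still NULL when the word was consumed as a redirect
          * target above: there is no variable name to look at, and
          * command->argv[0] would dereference a NULL pointer */
         || !command->argv
         || !is_well_formed_var_name(command->argv[0], '\0')
        ) {
            /* bash says just "not a valid identifier" */
            syntax_error("not a valid identifier in for");
            return 1;
        }
        /* Force FOR to have just one word (variable name) */
        /* NB: basically, this makes hush see "for v in ..."
         * syntax as if it is "for v; in ...". FOR and IN become
         * two pipe structs in parse tree. */
        done_pipe(ctx, PIPE_SEQ);
    }
#endif
#if ENABLE_HUSH_CASE
    /* Force CASE to have just one word */
    if (ctx->ctx_res_w == RES_CASE) {
        done_pipe(ctx, PIPE_SEQ);
    }
#endif

    o_reset_to_empty_unquoted(word);

    debug_printf_parse("done_word return 0\n");
    return 0;
}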
3302
3303
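/* Peek ahead in the input to find out if we have a "&n" construct,
 * as in "2>&1", that represents duplicating a file descriptor.
 * Return:
 * REDIRFD_CLOSE if >&- "close fd" construct is seen,
 * REDIRFD_SYNTAX_ERR if syntax error (this includes a digit run whose
 * value does not fit in an int),
 * REDIRFD_TO_FILE if no & was seen,
 * or the number found.
 *
 * On MMU builds the macro below drops the as_string argument from the
 * definition and from every call, so the body may touch as_string only
 * through nommu_addchr().
 */
#if BB_MMU
#define parse_redir_right_fd(as_string, input) \
    parse_redir_right_fd(input)
#endif
static int parse_redir_right_fd(o_string *as_string, struct in_str *input)
{
    /* largest int value, spelled without relying on <limits.h> */
    const int fd_max = (int)(~0u >> 1);
    int ch, d, seen_digit, overflow;

    ch = i_peek(input);
    if (ch != '&')
        return REDIRFD_TO_FILE;

    ch = i_getch(input);  /* get the & */
    nommu_addchr(as_string, ch);
    ch = i_peek(input);
    if (ch == '-') {
        ch = i_getch(input);
        nommu_addchr(as_string, ch);
        return REDIRFD_CLOSE;
    }
    d = 0;
    seen_digit = 0;
    overflow = 0;
    while (ch != EOF && isdigit(ch)) {
        int digit = ch - '0';

        /* The digits come straight from the script text. Accumulating
         * them unchecked overflows a signed int on a long run, which is
         * undefined behavior and could produce a value that collides
         * with the negative REDIRFD_* codes. Keep consuming the digits,
         * but remember that the number is unusable. */
        if (d > (fd_max - digit) / 10)
            overflow = 1;
        else
            d = d*10 + digit;
        seen_digit = 1;
        ch = i_getch(input);
        nommu_addchr(as_string, ch);
        ch = i_peek(input);
    }
    if (seen_digit && !overflow)
        return d;

//TODO: this is the place to catch ">&file" bashism (redirect both fd 1 and 2)

    bb_error_msg("ambiguous redirect");
    return REDIRFD_SYNTAX_ERR;
}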
3348
/* Parse what follows a redirection operator and append a redir_struct
 * for it to the current command.
 * fd is the descriptor number written before the operator, or -1 to use
 * the default for this redirect style.
 * Return code is 0 normal, 1 if a syntax error is detected.
 */
static int parse_redirect(struct parse_context *ctx,
        int fd,
        redir_type style,
        struct in_str *input)
{
    struct command *command = ctx->command;
    struct redir_struct *redir;
    struct redir_struct **tail;
    int dup_num;
    int ch;

    if (style == REDIRECT_HEREDOC) {
        /* for heredocs dup_num carries flags: bit 0 (HEREDOC_SKIPTABS)
         * is set for the <<- form */
        ch = i_peek(input);
        dup_num = (ch == '-');
        if (dup_num) {
            ch = i_getch(input);
            nommu_addchr(&ctx->as_string, ch);
            ch = i_peek(input);
        }
    } else {
        /* look for a '>&1' type redirect */
        dup_num = parse_redir_right_fd(&ctx->as_string, input);
        if (dup_num == REDIRFD_SYNTAX_ERR)
            return 1;
    }

    if (style == REDIRECT_OVERWRITE && dup_num == REDIRFD_TO_FILE) {
        ch = i_peek(input);
        if (ch == '|') {
            /* >|FILE ("clobbering" >): "set -o noclobber" is not
             * supported yet, so >| means the same as > and the |
             * is simply consumed. */
            ch = i_getch(input);
            nommu_addchr(&ctx->as_string, ch);
        }
    }

    /* find the end of the redirect list and hang a zeroed node there;
     * next and rd_filename start out NULL thanks to xzalloc */
    for (tail = &command->redirects; *tail != NULL; tail = &(*tail)->next)
        continue;
    redir = xzalloc(sizeof(*redir));
    *tail = redir;
    redir->rd_type = style;
    if (fd == -1)
        redir->rd_fd = redir_table[style].default_fd;
    else
        redir->rd_fd = fd;

    debug_printf_parse("redirect type %d %s\n", redir->rd_fd,
                redir_table[style].descrip);

    redir->rd_dup = dup_num;
    if (style == REDIRECT_HEREDOC || dup_num == REDIRFD_TO_FILE) {
        /* the next completed word is this redirect's file name or
         * heredoc delimiter; done_word() picks it up via this field */
        ctx->pending_redirect = redir;
    } else {
        /* fd-to-fd duplication or close (the latter shows up as -3).
         * The descriptor numbers are not validated here; that is
         * left to run time. */
        debug_printf_parse("duplicating redirect '%d>&%d'\n",
                redir->rd_fd, redir->rd_dup);
    }
    return 0;
}
3417
3418/* If a redirect is immediately preceded by a number, that number is
3419 * supposed to tell which file descriptor to redirect.  This routine
3420 * looks for such preceding numbers.  In an ideal world this routine
3421 * needs to handle all the following classes of redirects...
3422 *     echo 2>foo     # redirects fd  2 to file "foo", nothing passed to echo
3423 *     echo 49>foo    # redirects fd 49 to file "foo", nothing passed to echo
3424 *     echo -2>foo    # redirects fd  1 to file "foo",    "-2" passed to echo
3425 *     echo 49x>foo   # redirects fd  1 to file "foo",   "49x" passed to echo
3426 *
3427 * http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html
3428 * "2.7 Redirection
3429 * ... If n is quoted, the number shall not be recognized as part of
3430 * the redirection expression. For example:
3431 * echo \2>a
3432 * writes the character 2 into file a"
3433 * We are getting it right by setting ->has_quoted_part on any \<char>
3434 *
3435 * A -1 return means no valid number was found,
3436 * the caller should use the appropriate default for this redirection.
3437 */
static int redirect_opt_num(o_string *o)
{
    int fd;

    if (!o->data)
        return -1;
    /* The whole word must be a decimal number. The unsigned result is
     * stored in an int, so a value too large for int shows up negative
     * and is rejected together with the conversion failures that are
     * reported through errno. */
    fd = bb_strtou(o->data, NULL, 10);
    if (errno != 0 || fd < 0)
        return -1;
    /* the word was the fd number: consume it so that it is not passed
     * on as an argument */
    o_reset_to_empty_unquoted(o);
    return fd;
}
3450
3451#if BB_MMU
3452#define fetch_till_str(as_string, input, word, skip_tabs) \
3453    fetch_till_str(input, word, skip_tabs)
3454#endif
/* Read a here-document body from input up to a line that equals word.
 * heredoc_flags: HEREDOC_SKIPTABS drops the leading tabs of every line,
 * HEREDOC_QUOTED makes a backslash before the newline not suppress the
 * end-of-line check.
 * Returns the collected text (the buffer of a local o_string, owned by
 * the caller from then on), or NULL if EOF is reached before the
 * terminating line.
 * The loop has no length limit: the buffer grows with the input until
 * the terminator or EOF is seen.
 */
static char *fetch_till_str(o_string *as_string,
        struct in_str *input,
        const char *word,
        int heredoc_flags)
{
    o_string heredoc = NULL_O_STRING;
    unsigned past_EOL; /* offset in heredoc.data where the current line starts */
    int prev = 0; /* not \ */
    int ch;

    /* enter at the "start of a line" handling so that tab skipping also
     * applies to the first line */
    goto jump_in;

    while (1) {
        ch = i_getch(input);
        if (ch != EOF)
            nommu_addchr(as_string, ch);
        if ((ch == '\n' || ch == EOF)
         && ((heredoc_flags & HEREDOC_QUOTED) || prev != '\\')
        ) {
            /* end of a line: is the line just read the terminator? */
            if (strcmp(heredoc.data + past_EOL, word) == 0) {
                /* cut the terminator line off the result */
                heredoc.data[past_EOL] = '\0';
                debug_printf_parse("parsed heredoc '%s'\n", heredoc.data);
                return heredoc.data;
            }
            while (ch == '\n') {
                o_addchr(&heredoc, ch);
                prev = ch;
 jump_in:
                past_EOL = heredoc.length;
                do {
                    ch = i_getch(input);
                    if (ch != EOF)
                        nommu_addchr(as_string, ch);
                } while ((heredoc_flags & HEREDOC_SKIPTABS) && ch == '\t');
            }
        }
        if (ch == EOF) {
            /* input ended without the terminator line */
            o_free_unsafe(&heredoc);
            return NULL;
        }
        o_addchr(&heredoc, ch);
        /* NOTE(review): ch was already appended to as_string right after
         * it was read above; confirm this second append is intended. */
        nommu_addchr(as_string, ch);
        if (prev == '\\' && ch == '\\')
            /* Correctly handle foo\\<eol> (not a line cont.) */
            prev = 0; /* not \ */
        else
            prev = ch;
    }
}
3504
/* Walk the parse tree from ctx->list_head and read the body of every
 * REDIRECT_HEREDOC that has not been loaded yet. There should be exactly
 * heredoc_cnt of them; the walk stops once that many were read.
 * Each loaded redirect becomes REDIRECT_HEREDOC2 and its rd_filename,
 * which held the delimiter, is replaced by the body text.
 * Returns 0 on success, 1 if input ended inside a here document.
 */
static int fetch_heredocs(int heredoc_cnt, struct parse_context *ctx, struct in_str *input)
{
    struct pipe *pi;

    for (pi = ctx->list_head; pi && heredoc_cnt; pi = pi->next) {
        int i;
        struct command *cmd = pi->cmds;

        debug_printf_parse("fetch_heredocs: num_cmds:%d cmd argv0:'%s'\n",
                pi->num_cmds,
                cmd->argv ? cmd->argv[0] : "NONE");
        for (i = 0; i < pi->num_cmds; i++, cmd++) {
            struct redir_struct *redir;

            debug_printf_parse("fetch_heredocs: %d cmd argv0:'%s'\n",
                    i, cmd->argv ? cmd->argv[0] : "NONE");
            for (redir = cmd->redirects; redir; redir = redir->next) {
                char *body;

                if (redir->rd_type != REDIRECT_HEREDOC)
                    continue;
                redir->rd_type = REDIRECT_HEREDOC2;
                /* for heredocs rd_dup holds the flags (<<-, quoted) */
                body = fetch_till_str(&ctx->as_string, input,
                        redir->rd_filename, redir->rd_dup);
                if (!body) {
                    syntax_error("unexpected EOF in here document");
                    return 1;
                }
                /* swap the delimiter for the body that was read */
                free(redir->rd_filename);
                redir->rd_filename = body;
                heredoc_cnt--;
            }
        }
    }
    /* heredoc_cnt should be 0 here; a leftover count is not reported */
    return 0;
}
3553
3554
3555static int run_list(struct pipe *pi);
3556#if BB_MMU
3557#define parse_stream(pstring, input, end_trigger) \
3558    parse_stream(input, end_trigger)
3559#endif
3560static struct pipe *parse_stream(char **pstring,
3561        struct in_str *input,
3562        int end_trigger);
3563
3564
3565#if !ENABLE_HUSH_FUNCTIONS
3566#define parse_group(dest, ctx, input, ch) \
3567    parse_group(ctx, input, ch)
3568#endif
/* Parse a "( list )" or "{ list; }" group, or - with function support -
 * the "name() {" head of a function definition, and store the parsed
 * list in ctx->command->group.
 * ch is the opening character that the caller has already seen.
 * Returns 0 on success, 1 on a syntax error or an empty group.
 */
static int parse_group(o_string *dest, struct parse_context *ctx,
    struct in_str *input, int ch)
{
    /* dest contains characters seen prior to ( or {.
     * Typically it's empty, but for function defs,
     * it contains function name (without '()'). */
    struct pipe *pipe_list;
    int endch;
    struct command *command = ctx->command;

    debug_printf_parse("parse_group entered\n");
#if ENABLE_HUSH_FUNCTIONS
    if (ch == '(' && !dest->has_quoted_part) {
        if (dest->length)
            if (done_word(dest, ctx))
                return 1;
        if (!command->argv)
            goto skip; /* (... */
        if (command->argv[1]) { /* word word ... (... */
            syntax_error_unexpected_ch('(');
            return 1;
        }
        /* it is "word(..." or "word (..." */
        do
            ch = i_getch(input);
        while (ch == ' ' || ch == '\t');
        if (ch != ')') {
            syntax_error_unexpected_ch(ch);
            return 1;
        }
        nommu_addchr(&ctx->as_string, ch);
        do
            ch = i_getch(input);
        while (ch == ' ' || ch == '\t' || ch == '\n');
        if (ch != '{') {
            syntax_error_unexpected_ch(ch);
            return 1;
        }
        nommu_addchr(&ctx->as_string, ch);
        command->cmd_type = CMD_FUNCDEF;
        goto skip;
    }
#endif

#if 0 /* Prevented by caller */
    if (command->argv /* word [word]{... */
     || dest->length /* word{... */
     || dest->has_quoted_part /* ""{... */
    ) {
        syntax_error(NULL);
        debug_printf_parse("parse_group return 1: "
            "syntax error, groups and arglists don't mix\n");
        return 1;
    }
#endif

#if ENABLE_HUSH_FUNCTIONS
 skip:
#endif
    endch = '}';
    if (ch == '(') {
        endch = ')';
        command->cmd_type = CMD_SUBSHELL;
    } else {
        /* bash does not allow "{echo...", requires whitespace */
        ch = i_getch(input);
        if (ch != ' ' && ch != '\t' && ch != '\n') {
            syntax_error_unexpected_ch(ch);
            return 1;
        }
        nommu_addchr(&ctx->as_string, ch);
    }

    {
        /* On MMU builds as_string is a macro for NULL, so the NOMMU-only
         * statements below must stay behind !BB_MMU checks. */
#if BB_MMU
# define as_string NULL
#else
        char *as_string = NULL;
#endif
        /* recursive parse of the group body, up to the closing endch */
        pipe_list = parse_stream(&as_string, input, endch);
#if !BB_MMU
        if (as_string)
            o_addstr(&ctx->as_string, as_string);
#endif
        /* empty ()/{} or parse error? */
        if (!pipe_list || pipe_list == ERR_PTR) {
            /* parse_stream already emitted error msg */
            if (!BB_MMU)
                free(as_string);
            debug_printf_parse("parse_group return 1: "
                "parse_stream returned %p\n", pipe_list);
            return 1;
        }
        command->group = pipe_list;
#if !BB_MMU
        /* NOTE(review): assumes parse_stream returned a non-NULL,
         * non-empty string here; with an empty string the index would
         * be out of bounds - confirm. */
        as_string[strlen(as_string) - 1] = '\0'; /* chop the trailing ')' or '}' */
        /* the command now owns the text; free_pipe() releases it */
        command->group_as_string = as_string;
        debug_printf_parse("end of group, remembering as:'%s'\n",
                command->group_as_string);
#endif
#undef as_string
    }
    debug_printf_parse("parse_group return 0\n");
    return 0;
    /* command remains "open", available for possible redirects */
}
3675
3676#if ENABLE_HUSH_TICK || ENABLE_SH_MATH_SUPPORT || ENABLE_HUSH_DOLLAR_OPS
3677/* Subroutines for copying $(...) and `...` things */
3678static int add_till_backquote(o_string *dest, struct in_str *input, int in_dquote);
/* '...'
 * Copy the inside of a single-quoted run into dest, byte for byte.
 * The caller has already consumed (and stored) the opening quote; the
 * closing quote is consumed here but not stored.
 * Nothing is special between single quotes, so no escape processing is done.
 * Returns 1 when the closing quote was found, 0 if input ended first
 * (syntax_error_unterm_ch('\'') is called in that case).
 */
static int add_till_single_quote(o_string *dest, struct in_str *input)
{
    int ch;

    for (;;) {
        ch = i_getch(input);
        if (ch == EOF) {
            syntax_error_unterm_ch('\'');
            return 0;
        }
        if (ch == '\'') {
            return 1;
        }
        o_addchr(dest, ch);
    }
}
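/* "...\"...`..`...." - do we need to handle "...$(..)..." too?
 * Copy the inside of a double-quoted run into dest.
 * The caller has already consumed the opening quote; the closing quote is
 * consumed here but not stored.
 * A backslash and the character after it are both copied unchanged.
 * An embedded `...` is copied through add_till_backquote() so that a '"'
 * inside the backquotes does not end the quoted run.
 * Returns 1 when the closing quote was found, 0 on unterminated input.
 */
static int add_till_double_quote(o_string *dest, struct in_str *input)
{
    while (1) {
        int ch = i_getch(input);
        if (ch == EOF) {
            syntax_error_unterm_ch('"');
            return 0;
        }
        if (ch == '"')
            return 1;
        if (ch == '\\') {  /* \x. Copy both chars. */
            o_addchr(dest, ch);
            ch = i_getch(input);
            if (ch == EOF) {
                /* Input ended right after the backslash. Fail here, as
                 * add_till_closing_bracket() does for the same case,
                 * instead of storing EOF as if it were a data byte. */
                syntax_error_unterm_ch('"');
                return 0;
            }
        }
        o_addchr(dest, ch);
        /* NOTE(review): a backquote that was just copied as the second half
         * of a \` pair also reaches this test and is treated as the start
         * of `...`. Inside double quotes \` is normally a literal backquote;
         * confirm whether this is intended before relying on where the
         * quoted run is found to end. */
        if (ch == '`') {
            if (!add_till_backquote(dest, input, /*in_dquote:*/ 1))
                return 0;
            o_addchr(dest, ch);
            continue;
        }
        //if (ch == '$') ...
    }
}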
/* Process `cmd` - copy contents until "`" is seen. Complicated by
 * \` quoting.
 * "Within the backquoted style of command substitution, backslash
 * shall retain its literal meaning, except when followed by: '$', '`', or '\'.
 * The search for the matching backquote shall be satisfied by the first
 * backquote found without a preceding backslash; during this search,
 * if a non-escaped backquote is encountered within a shell comment,
 * a here-document, an embedded command substitution of the $(command)
 * form, or a quoted string, undefined results occur. A single-quoted
 * or double-quoted string that begins, but does not end, within the
 * "`...`" sequence produces undefined results."
 * Example                               Output
 * echo `echo '\'TEST\`echo ZZ\`BEST`    \TESTZZBEST
 *
 * The closing backquote is consumed but not stored in dest.
 * in_dquote: nonzero when the `...` sits inside "...", in which case \" also
 * loses its backslash.
 * Returns 1 when the closing backquote was found, 0 if input ended first.
 */
static int add_till_backquote(o_string *dest, struct in_str *input, int in_dquote)
{
    for (;;) {
        int ch = i_getch(input);

        if (ch == '`') {
            return 1;
        }
        if (ch == '\\') {
            int backslash_is_dropped;

            /* \x. Copy both unless it is \`, \$, \\ and maybe \" */
            ch = i_getch(input);
            backslash_is_dropped = (ch == '`'
                    || ch == '$'
                    || ch == '\\'
                    || (in_dquote && ch == '"'));
            if (!backslash_is_dropped) {
                o_addchr(dest, '\\');
            }
        }
        /* Checked after the backslash handling on purpose: this also
         * catches input that ends right after a backslash. */
        if (ch == EOF) {
            syntax_error_unterm_ch('`');
            return 0;
        }
        o_addchr(dest, ch);
    }
}
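/* Process $(cmd) - copy contents until ")" is seen. Complicated by
 * quoting and nested ()s.
 * "With the $(command) style of command substitution, all characters
 * following the open parenthesis to the matching closing parenthesis
 * constitute the command. Any valid shell script can be used for command,
 * except a script consisting solely of redirections which produces
 * unspecified results."
 * Example                              Output
 * echo $(echo '(TEST)' BEST)           (TEST) BEST
 * echo $(echo 'TEST)' BEST)            TEST) BEST
 * echo $(echo \(\(TEST\) BEST)         ((TEST) BEST
 *
 * Also adapted to eat ${var%...} and $((...)) constructs, since ... part
 * can contain arbitrary constructs, just like $(cmd).
 * In bash compat mode, it needs to also be able to stop on ':' or '/'
 * for ${var:N[:M]} and ${var/P[/R]} parsing.
 *
 * end_ch packs three things:
 *   bits 0..6  the closing character to stop on
 *   bit 7      DOUBLE_CLOSE_CHAR_FLAG: stop only on two closing characters
 *              in a row (the "))" of $((EXPR)))
 *   bits 8..   bash compat only: a second character that also stops the scan
 *
 * Returns the character that ended the scan (it is consumed but not stored
 * in dest), or 0 if input ended first. Callers treat 0 as the error value.
 *
 * Each nested '(' or '{' is handled by a recursive call, so recursion depth
 * follows the nesting depth of the input; no limit is applied here.
 *
 * NOTE(review): when the caller passes no second stop character, end_char2
 * is 0, so in bash compat mode a NUL character read from input would end
 * the scan and be returned as 0, which callers read as an error that was
 * never reported. Confirm whether i_getch() can deliver NUL.
 */
#define DOUBLE_CLOSE_CHAR_FLAG 0x80
static int add_till_closing_bracket(o_string *dest, struct in_str *input, unsigned end_ch)
{
    int ch;
    char dbl = end_ch & DOUBLE_CLOSE_CHAR_FLAG;
# if ENABLE_HUSH_BASH_COMPAT
    char end_char2 = end_ch >> 8;
# endif
    /* keep only the closing character itself */
    end_ch &= (DOUBLE_CLOSE_CHAR_FLAG - 1);

    while (1) {
        ch = i_getch(input);
        if (ch == EOF) {
            syntax_error_unterm_ch(end_ch);
            return 0;
        }
        if (ch == end_ch  IF_HUSH_BASH_COMPAT( || ch == end_char2)) {
            if (!dbl)
                break;
            /* we look for closing )) of $((EXPR)) */
            if (i_peek(input) == end_ch) {
                i_getch(input); /* eat second ')' */
                break;
            }
            /* a lone ')' inside $((...)): falls through and is copied */
        }
        o_addchr(dest, ch);
        if (ch == '(' || ch == '{') {
            /* copy the nested group, then store its closing character */
            ch = (ch == '(' ? ')' : '}');
            if (!add_till_closing_bracket(dest, input, ch))
                return 0;
            o_addchr(dest, ch);
            continue;
        }
        if (ch == '\'') {
            if (!add_till_single_quote(dest, input))
                return 0;
            o_addchr(dest, ch);
            continue;
        }
        if (ch == '"') {
            if (!add_till_double_quote(dest, input))
                return 0;
            o_addchr(dest, ch);
            continue;
        }
        if (ch == '`') {
            if (!add_till_backquote(dest, input, /*in_dquote:*/ 0))
                return 0;
            o_addchr(dest, ch);
            continue;
        }
        if (ch == '\\') {
            /* \x. Copy verbatim. Important for  \(, \) */
            ch = i_getch(input);
            if (ch == EOF) {
                /* Name the construct actually being closed; this used
                 * to report ')' even while scanning for '}'. */
                syntax_error_unterm_ch(end_ch);
                return 0;
            }
            o_addchr(dest, ch);
            continue;
        }
    }
    return ch;
}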
3837#endif /* ENABLE_HUSH_TICK || ENABLE_SH_MATH_SUPPORT || ENABLE_HUSH_DOLLAR_OPS */
3838
/* Parse what follows a '$'; the '$' itself has already been consumed.
 *
 * Return code: 1 for OK, 0 for syntax error. Every caller in this file
 * tests it as "!parse_dollar(...)"; note this is the opposite sense of
 * the 0-is-OK convention used by parse_group() and done_word().
 *
 * Each expansion is stored in dest as a record delimited by
 * SPECIAL_VAR_SYMBOL:
 *   $name, $N, $?, ...   SYM name SYM
 *   ${name<op>word}      SYM name <op> word SYM
 *   $(cmd)               SYM '`' cmd SYM
 *   $((expr))            SYM '+' expr SYM
 * quote_mask is OR-ed into the first character of the record (for $((expr))
 * that is commented out in the code).
 * A '$' that starts none of these is stored as a literal '$'.
 *
 * as_string is NULL when BB_MMU is set; otherwise it receives a copy of the
 * source text consumed here.
 */
#if BB_MMU
#define parse_dollar(as_string, dest, input, quote_mask) \
    parse_dollar(dest, input, quote_mask)
#define as_string NULL
#endif
static int parse_dollar(o_string *as_string,
        o_string *dest,
        struct in_str *input, unsigned char quote_mask)
{
    int ch = i_peek(input);  /* character right after the $, not yet consumed */

    debug_printf_parse("parse_dollar entered: ch='%c'\n", ch);
    if (isalpha(ch)) {
        ch = i_getch(input);
        nommu_addchr(as_string, ch);
 make_var:
        /* also entered from case '_' below, with ch already set to '_' */
        o_addchr(dest, SPECIAL_VAR_SYMBOL);
        for (;;) {
            debug_printf_parse(": '%c'\n", ch);
            o_addchr(dest, ch | quote_mask);
            quote_mask = 0; /* only the first character carries the mask */
            ch = i_peek(input);
            if (!(isalnum(ch) || ch == '_')) {
                break;
            }
            ch = i_getch(input);
            nommu_addchr(as_string, ch);
        }
        o_addchr(dest, SPECIAL_VAR_SYMBOL);
    } else if (isdigit(ch)) {
 make_one_char_var:
        /* also entered from the special-parameter cases below */
        ch = i_getch(input);
        nommu_addchr(as_string, ch);
        o_addchr(dest, SPECIAL_VAR_SYMBOL);
        debug_printf_parse(": '%c'\n", ch);
        o_addchr(dest, ch | quote_mask);
        o_addchr(dest, SPECIAL_VAR_SYMBOL);
    } else switch (ch) {
    case '$': /* pid */
    case '!': /* last bg pid */
    case '?': /* last exit code */
    case '#': /* number of args */
    case '*': /* args */
    case '@': /* args */
        goto make_one_char_var;
    case '{': {
        o_addchr(dest, SPECIAL_VAR_SYMBOL);

        ch = i_getch(input); /* eat '{' */
        nommu_addchr(as_string, ch);

        ch = i_getch(input); /* first char after '{' */
        /* It should be ${?}, or ${#var},
         * or even ${?+subst} - operator acting on a special variable,
         * or the beginning of variable name.
         */
        /* NOTE(review): strchr() also matches the terminating NUL, so a
         * NUL character read here would pass this test - confirm whether
         * i_getch() can deliver one. */
        if (ch == EOF
         || (!strchr(_SPECIAL_VARS_STR, ch) && !isalnum(ch)) /* not one of those */
        ) {
 bad_dollar_syntax:
            syntax_error_unterm_str("${name}");
            debug_printf_parse("parse_dollar return 0: unterminated ${name}\n");
            return 0;
        }
        nommu_addchr(as_string, ch);
        ch |= quote_mask;

        /* It's possible to just call add_till_closing_bracket() at this point.
         * However, this regresses some of our testsuite cases
         * which check invalid constructs like ${%}.
         * Oh well... let's check that the var name part is fine... */

        for (;;) {
            unsigned start; /* offset in dest where the copied operand begins */

            o_addchr(dest, ch);
            debug_printf_parse(": '%c'\n", ch);

            ch = i_getch(input);
            nommu_addchr(as_string, ch);
            if (ch == '}') {
                break;
            }

            if (!isalnum(ch) && ch != '_') {
                unsigned end_ch;
                unsigned char last_ch;
                /* handle parameter expansions
                 * http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_06_02
                 */
                if (!strchr(VAR_SUBST_OPS, ch)) { /* ${var<bad_char>... */
                    goto bad_dollar_syntax;
                }

                /* Eat everything until closing '}' (or ':') */
                end_ch = '}';
                if (ENABLE_HUSH_BASH_COMPAT
                 && ch == ':'
                 && !strchr(MINUS_PLUS_EQUAL_QUESTION, i_peek(input))
                ) {
                    /* It's ${var:N[:M]} thing */
                    end_ch = '}' * 0x100 + ':';
                }
                if (ENABLE_HUSH_BASH_COMPAT
                 && ch == '/'
                ) {
                    /* It's ${var/[/]pattern[/repl]} thing */
                    if (i_peek(input) == '/') { /* ${var//pattern[/repl]}? */
                        i_getch(input);
                        nommu_addchr(as_string, '/');
                        ch = '\\'; /* "//" is stored in dest as a single '\\' */
                    }
                    end_ch = '}' * 0x100 + '/';
                }
                o_addchr(dest, ch);
 again:
                if (!BB_MMU) {
                    start = dest->length;
                }
#if ENABLE_HUSH_DOLLAR_OPS
                last_ch = add_till_closing_bracket(dest, input, end_ch);
                if (last_ch == 0) { /* error? */
                    return 0;
                }
#else
#error Simple code to only allow ${var} is not implemented
#endif
                if (as_string) {
                    o_addstr(as_string, dest->data + start);
                    o_addchr(as_string, last_ch);
                }

                if (ENABLE_HUSH_BASH_COMPAT && (end_ch & 0xff00)) {
                    /* close the first block: */
                    o_addchr(dest, SPECIAL_VAR_SYMBOL);
                    /* while parsing N from ${var:N[:M]}
                     * or pattern from ${var/[/]pattern[/repl]} */
                    if ((end_ch & 0xff) == last_ch) {
                        /* got ':' or '/'- parse the rest */
                        end_ch = '}';
                        goto again;
                    }
                    /* got '}' */
                    if (end_ch == '}' * 0x100 + ':') {
                        /* it's ${var:N} - emulate :999999999 */
                        o_addstr(dest, "999999999");
                    } /* else: it's ${var/[/]pattern} */
                }
                break;
            }
        }
        o_addchr(dest, SPECIAL_VAR_SYMBOL);
        break;
    }
#if ENABLE_SH_MATH_SUPPORT || ENABLE_HUSH_TICK
    case '(': {
        unsigned start; /* offset in dest where the copied text begins */

        ch = i_getch(input);
        nommu_addchr(as_string, ch);
# if ENABLE_SH_MATH_SUPPORT
        if (i_peek(input) == '(') {
            /* $((expr)) */
            ch = i_getch(input);
            nommu_addchr(as_string, ch);
            o_addchr(dest, SPECIAL_VAR_SYMBOL);
            o_addchr(dest, /*quote_mask |*/ '+');
            if (!BB_MMU) {
                start = dest->length;
            }
            if (!add_till_closing_bracket(dest, input, ')' | DOUBLE_CLOSE_CHAR_FLAG)) {
                return 0; /* error */
            }
            if (as_string) {
                o_addstr(as_string, dest->data + start);
                o_addchr(as_string, ')');
                o_addchr(as_string, ')');
            }
            o_addchr(dest, SPECIAL_VAR_SYMBOL);
            break;
        }
# endif
# if ENABLE_HUSH_TICK
        /* $(cmd): stored the same way as `cmd` */
        o_addchr(dest, SPECIAL_VAR_SYMBOL);
        o_addchr(dest, quote_mask | '`');
        if (!BB_MMU) {
            start = dest->length;
        }
        if (!add_till_closing_bracket(dest, input, ')')) {
            return 0; /* error */
        }
        if (as_string) {
            o_addstr(as_string, dest->data + start);
            o_addchr(as_string, ')');
        }
        o_addchr(dest, SPECIAL_VAR_SYMBOL);
# endif
        break;
    }
#endif
    case '_':
        ch = i_getch(input);
        nommu_addchr(as_string, ch);
        ch = i_peek(input);
        if (isalnum(ch)) { /* it's $_name or $_123 */
            ch = '_';
            goto make_var;
        }
        /* else: it's $_ */
    /* TODO: $_ and $-: */
    /* $_ Shell or shell script name; or last argument of last command
     * (if last command wasn't a pipe; if it was, bash sets $_ to "");
     * but in command's env, set to full pathname used to invoke it */
    /* $- Option flags set by set builtin or shell options (-i etc) */
    default:
        /* not an expansion: store a literal '$' */
        o_addQchr(dest, '$');
    }
    debug_printf_parse("parse_dollar return 1 (ok)\n");
    return 1;
#undef as_string
}
4051
4052#if BB_MMU
4053# if ENABLE_HUSH_BASH_COMPAT
4054#define encode_string(as_string, dest, input, dquote_end, process_bkslash) \
4055    encode_string(dest, input, dquote_end, process_bkslash)
4056# else
4057/* only ${var/pattern/repl} (its pattern part) needs additional mode */
4058#define encode_string(as_string, dest, input, dquote_end, process_bkslash) \
4059    encode_string(dest, input, dquote_end)
4060# endif
4061#define as_string NULL
4062
4063#else /* !MMU */
4064
4065# if ENABLE_HUSH_BASH_COMPAT
4066/* all parameters are needed, no macro tricks */
4067# else
4068#define encode_string(as_string, dest, input, dquote_end, process_bkslash) \
4069    encode_string(as_string, dest, input, dquote_end)
4070# endif
4071#endif
/* Copy a double-quoted string into dest, up to dquote_end.
 * dquote_end is '"' or EOF (see the check below); the inline bash note
 * says the EOF form is used for unquoted heredocs.
 * $-expansions go through parse_dollar() with quote_mask 0x80, `cmd` is
 * stored as SPECIAL_VAR_SYMBOL, 0x80|'`', text, SPECIAL_VAR_SYMBOL, and
 * everything else is added with o_addQchr().
 * process_bkslash: when zero, backslash is copied like any other character.
 * Without ENABLE_HUSH_BASH_COMPAT the parameter is removed by the
 * encode_string() macro and fixed to 1 here.
 * Returns 1 when dquote_end was reached, 0 on syntax error.
 */
static int encode_string(o_string *as_string,
        o_string *dest,
        struct in_str *input,
        int dquote_end,
        int process_bkslash)
{
#if !ENABLE_HUSH_BASH_COMPAT
    const int process_bkslash = 1;
#endif
    int ch;
    int next;

    for (;;) {
        ch = i_getch(input);
        if (ch != EOF) {
            nommu_addchr(as_string, ch);
        }
        if (ch == dquote_end) { /* may be only '"' or EOF */
            debug_printf_parse("encode_string return 1 (ok)\n");
            return 1;
        }
        /* note: can't move it above ch == dquote_end check!
         * (with dquote_end == EOF, reaching EOF is the normal end) */
        if (ch == EOF) {
            syntax_error_unterm_ch('"');
            return 0; /* error */
        }
        next = (ch != '\n') ? i_peek(input) : '\0';
        debug_printf_parse("\" ch=%c (%d) escape=%d\n",
                ch, ch, !!(dest->o_expflags & EXP_FLAG_ESC_GLOB_CHARS));
        if (process_bkslash && ch == '\\') {
            if (next == EOF) {
                syntax_error("\\<eof>");
                xfunc_die();
            }
            /* bash:
             * "The backslash retains its special meaning [in "..."]
             * only when followed by one of the following characters:
             * $, `, ", \, or <newline>.  A double quote may be quoted
             * within double quotes by preceding it with a backslash."
             * NB: in (unquoted) heredoc, above does not apply to ",
             * therefore we check for it by "next == dquote_end" cond.
             */
            /* NOTE(review): strchr() also matches the terminating NUL,
             * so a NUL character peeked here would count as escapable -
             * confirm whether i_peek() can deliver one. */
            if (next == dquote_end || strchr("$`\\\n", next)) {
                ch = i_getch(input); /* eat next */
                if (ch == '\n') {
                    continue; /* skip \<newline> */
                }
            } /* else: ch remains == '\\', and we double it below: */
            o_addqchr(dest, ch); /* \c if c is a glob char, else just c */
            nommu_addchr(as_string, ch);
            continue;
        }
        if (ch == '$') {
            if (!parse_dollar(as_string, dest, input, /*quote_mask:*/ 0x80)) {
                debug_printf_parse("encode_string return 0: "
                        "parse_dollar returned 0 (error)\n");
                return 0;
            }
            continue;
        }
#if ENABLE_HUSH_TICK
        if (ch == '`') {
            //unsigned pos = dest->length;
            o_addchr(dest, SPECIAL_VAR_SYMBOL);
            o_addchr(dest, 0x80 | '`');
            if (!add_till_backquote(dest, input, /*in_dquote:*/ dquote_end == '"')) {
                return 0; /* error */
            }
            o_addchr(dest, SPECIAL_VAR_SYMBOL);
            //debug_printf_subst("SUBST RES3 '%s'\n", dest->data + pos);
            continue;
        }
#endif
        o_addQchr(dest, ch);
    }
#undef as_string
}
4149
4150/*
4151 * Scan input until EOF or end_trigger char.
4152 * Return a list of pipes to execute, or NULL on EOF
4153 * or if end_trigger character is met.
4154 * On syntax error, exit if shell is not interactive,
4155 * reset parsing machinery and start parsing anew,
4156 * or return ERR_PTR.
4157 */
4158static struct pipe *parse_stream(char **pstring,
4159        struct in_str *input,
4160        int end_trigger)
4161{
4162    struct parse_context ctx;
4163    o_string dest = NULL_O_STRING;
4164    int heredoc_cnt;
4165
4166    /* Single-quote triggers a bypass of the main loop until its mate is
4167     * found.  When recursing, quote state is passed in via dest->o_expflags.
4168     */
4169    debug_printf_parse("parse_stream entered, end_trigger='%c'\n",
4170            end_trigger ? end_trigger : 'X');
4171    debug_enter();
4172
4173    /* If very first arg is "" or '', dest.data may end up NULL.
4174     * Preventing this: */
4175    o_addchr(&dest, '\0');
4176    dest.length = 0;
4177
4178    /* We used to separate words on $IFS here. This was wrong.
4179     * $IFS is used only for word splitting when $var is expanded,
4180     * here we should use blank chars as separators, not $IFS
4181     */
4182
4183    if (MAYBE_ASSIGNMENT != 0)
4184        dest.o_assignment = MAYBE_ASSIGNMENT;
4185    initialize_context(&ctx);
4186    heredoc_cnt = 0;
4187    while (1) {
4188        const char *is_blank;
4189        const char *is_special;
4190        int ch;
4191        int next;
4192        int redir_fd;
4193        redir_type redir_style;
4194
4195        ch = i_getch(input);
4196        debug_printf_parse(": ch=%c (%d) escape=%d\n",
4197                ch, ch, !!(dest.o_expflags & EXP_FLAG_ESC_GLOB_CHARS));
4198        if (ch == EOF) {
4199            struct pipe *pi;
4200
4201            if (heredoc_cnt) {
4202                syntax_error_unterm_str("here document");
4203                goto parse_error;
4204            }
4205            /* end_trigger == '}' case errors out earlier,
4206             * checking only ')' */
4207            if (end_trigger == ')') {
4208                syntax_error_unterm_ch('(');
4209                goto parse_error;
4210            }
4211
4212            if (done_word(&dest, &ctx)) {
4213                goto parse_error;
4214            }
4215            o_free(&dest);
4216            done_pipe(&ctx, PIPE_SEQ);
4217            pi = ctx.list_head;
4218            /* If we got nothing... */
4219            /* (this makes bare "&" cmd a no-op.
4220             * bash says: "syntax error near unexpected token '&'") */
4221            if (pi->num_cmds == 0
4222            IF_HAS_KEYWORDS(&& pi->res_word == RES_NONE)
4223            ) {
4224                free_pipe_list(pi);
4225                pi = NULL;
4226            }
4227#if !BB_MMU
4228            debug_printf_parse("as_string '%s'\n", ctx.as_string.data);
4229            if (pstring)
4230                *pstring = ctx.as_string.data;
4231            else
4232                o_free_unsafe(&ctx.as_string);
4233#endif
4234            debug_leave();
4235            debug_printf_parse("parse_stream return %p\n", pi);
4236            return pi;
4237        }
4238        nommu_addchr(&ctx.as_string, ch);
4239
4240        next = '\0';
4241        if (ch != '\n')
4242            next = i_peek(input);
4243
4244        is_special = "{}<>;&|()#'" /* special outside of "str" */
4245                "\\$\"" IF_HUSH_TICK("`"); /* always special */
4246        /* Are { and } special here? */
4247        if (ctx.command->argv /* word [word]{... - non-special */
4248         || dest.length       /* word{... - non-special */
4249         || dest.has_quoted_part     /* ""{... - non-special */
4250         || (next != ';'             /* }; - special */
4251            && next != ')'           /* }) - special */
4252            && next != '&'           /* }& and }&& ... - special */
4253            && next != '|'           /* }|| ... - special */
4254            && !strchr(defifs, next) /* {word - non-special */
4255            )
4256        ) {
4257            /* They are not special, skip "{}" */
4258            is_special += 2;
4259        }
4260        is_special = strchr(is_special, ch);
4261        is_blank = strchr(defifs, ch);
4262
4263        if (!is_special && !is_blank) { /* ordinary char */
4264 ordinary_char:
4265            o_addQchr(&dest, ch);
4266            if ((dest.o_assignment == MAYBE_ASSIGNMENT
4267                || dest.o_assignment == WORD_IS_KEYWORD)
4268             && ch == '='
4269             && is_well_formed_var_name(dest.data, '=')
4270            ) {
4271                dest.o_assignment = DEFINITELY_ASSIGNMENT;
4272                debug_printf_parse("dest.o_assignment='%s'\n", assignment_flag[dest.o_assignment]);
4273            }
4274            continue;
4275        }
4276
4277        if (is_blank) {
4278            if (done_word(&dest, &ctx)) {
4279                goto parse_error;
4280            }
4281            if (ch == '\n') {
4282                /* Is this a case when newline is simply ignored?
4283                 * Some examples:
4284                 * "cmd | <newline> cmd ..."
4285                 * "case ... in <newline> word) ..."
4286                 */
4287                if (IS_NULL_CMD(ctx.command)
4288                 && dest.length == 0 && !dest.has_quoted_part
4289                ) {
4290                    /* This newline can be ignored. But...
4291                     * Without check #1, interactive shell
4292                     * ignores even bare <newline>,
4293                     * and shows the continuation prompt:
4294                     * ps1_prompt$ <enter>
4295                     * ps2> _   <=== wrong, should be ps1
4296                     * Without check #2, "cmd & <newline>"
4297                     * is similarly mistreated.
4298                     * (BTW, this makes "cmd & cmd"
4299                     * and "cmd && cmd" non-orthogonal.
4300                     * Really, ask yourself, why
4301                     * "cmd && <newline>" doesn't start
4302                     * cmd but waits for more input?
4303                     * No reason...)
4304                     */
4305                    struct pipe *pi = ctx.list_head;
4306                    if (pi->num_cmds != 0       /* check #1 */
4307                     && pi->followup != PIPE_BG /* check #2 */
4308                    ) {
4309                        continue;
4310                    }
4311                }
4312                /* Treat newline as a command separator. */
4313                done_pipe(&ctx, PIPE_SEQ);
4314                debug_printf_parse("heredoc_cnt:%d\n", heredoc_cnt);
4315                if (heredoc_cnt) {
4316                    if (fetch_heredocs(heredoc_cnt, &ctx, input)) {
4317                        goto parse_error;
4318                    }
4319                    heredoc_cnt = 0;
4320                }
4321                dest.o_assignment = MAYBE_ASSIGNMENT;
4322                debug_printf_parse("dest.o_assignment='%s'\n", assignment_flag[dest.o_assignment]);
4323                ch = ';';
4324                /* note: if (is_blank) continue;
4325                 * will still trigger for us */
4326            }
4327        }
4328
4329        /* "cmd}" or "cmd }..." without semicolon or &:
4330         * } is an ordinary char in this case, even inside { cmd; }
4331         * Pathological example: { ""}; } should exec "}" cmd
4332         */
4333        if (ch == '}') {
4334            if (!IS_NULL_CMD(ctx.command) /* cmd } */
4335             || dest.length != 0 /* word} */
4336             || dest.has_quoted_part    /* ""} */
4337            ) {
4338                goto ordinary_char;
4339            }
4340            if (!IS_NULL_PIPE(ctx.pipe)) /* cmd | } */
4341                goto skip_end_trigger;
4342            /* else: } does terminate a group */
4343        }
4344
4345        if (end_trigger && end_trigger == ch
4346         && (ch != ';' || heredoc_cnt == 0)
4347#if ENABLE_HUSH_CASE
4348         && (ch != ')'
4349            || ctx.ctx_res_w != RES_MATCH
4350            || (!dest.has_quoted_part && strcmp(dest.data, "esac") == 0)
4351            )
4352#endif
4353        ) {
4354            if (heredoc_cnt) {
4355                /* This is technically valid:
4356                 * { cat <<HERE; }; echo Ok
4357                 * heredoc
4358                 * heredoc
4359                 * HERE
4360                 * but we don't support this.
4361                 * We require heredoc to be in enclosing {}/(),
4362                 * if any.
4363                 */
4364                syntax_error_unterm_str("here document");
4365                goto parse_error;
4366            }
4367            if (done_word(&dest, &ctx)) {
4368                goto parse_error;
4369            }
4370            done_pipe(&ctx, PIPE_SEQ);
4371            dest.o_assignment = MAYBE_ASSIGNMENT;
4372            debug_printf_parse("dest.o_assignment='%s'\n", assignment_flag[dest.o_assignment]);
4373            /* Do we sit outside of any if's, loops or case's? */
4374            if (!HAS_KEYWORDS
4375            IF_HAS_KEYWORDS(|| (ctx.ctx_res_w == RES_NONE && ctx.old_flag == 0))
4376            ) {
4377                o_free(&dest);
4378#if !BB_MMU
4379                debug_printf_parse("as_string '%s'\n", ctx.as_string.data);
4380                if (pstring)
4381                    *pstring = ctx.as_string.data;
4382                else
4383                    o_free_unsafe(&ctx.as_string);
4384#endif
4385                debug_leave();
4386                debug_printf_parse("parse_stream return %p: "
4387                        "end_trigger char found\n",
4388                        ctx.list_head);
4389                return ctx.list_head;
4390            }
4391        }
4392 skip_end_trigger:
4393        if (is_blank)
4394            continue;
4395
4396        /* Catch <, > before deciding whether this word is
4397         * an assignment. a=1 2>z b=2: b=2 is still assignment */
4398        switch (ch) {
4399        case '>':
4400            redir_fd = redirect_opt_num(&dest);
4401            if (done_word(&dest, &ctx)) {
4402                goto parse_error;
4403            }
4404            redir_style = REDIRECT_OVERWRITE;
4405            if (next == '>') {
4406                redir_style = REDIRECT_APPEND;
4407                ch = i_getch(input);
4408                nommu_addchr(&ctx.as_string, ch);
4409            }
4410#if 0
4411            else if (next == '(') {
4412                syntax_error(">(process) not supported");
4413                goto parse_error;
4414            }
4415#endif
4416            if (parse_redirect(&ctx, redir_fd, redir_style, input))
4417                goto parse_error;
4418            continue; /* back to top of while (1) */
4419        case '<':
4420            redir_fd = redirect_opt_num(&dest);
4421            if (done_word(&dest, &ctx)) {
4422                goto parse_error;
4423            }
4424            redir_style = REDIRECT_INPUT;
4425            if (next == '<') {
4426                redir_style = REDIRECT_HEREDOC;
4427                heredoc_cnt++;
4428                debug_printf_parse("++heredoc_cnt=%d\n", heredoc_cnt);
4429                ch = i_getch(input);
4430                nommu_addchr(&ctx.as_string, ch);
4431            } else if (next == '>') {
4432                redir_style = REDIRECT_IO;
4433                ch = i_getch(input);
4434                nommu_addchr(&ctx.as_string, ch);
4435            }
4436#if 0
4437            else if (next == '(') {
4438                syntax_error("<(process) not supported");
4439                goto parse_error;
4440            }
4441#endif
4442            if (parse_redirect(&ctx, redir_fd, redir_style, input))
4443                goto parse_error;
4444            continue; /* back to top of while (1) */
4445        case '#':
4446            if (dest.length == 0 && !dest.has_quoted_part) {
4447                /* skip "#comment" */
4448                while (1) {
4449                    ch = i_peek(input);
4450                    if (ch == EOF || ch == '\n')
4451                        break;
4452                    i_getch(input);
4453                    /* note: we do not add it to &ctx.as_string */
4454                }
4455                nommu_addchr(&ctx.as_string, '\n');
4456                continue; /* back to top of while (1) */
4457            }
4458            break;
4459        case '\\':
4460            if (next == '\n') {
4461                /* It's "\<newline>" */
4462#if !BB_MMU
4463                /* Remove trailing '\' from ctx.as_string */
4464                ctx.as_string.data[--ctx.as_string.length] = '\0';
4465#endif
4466                ch = i_getch(input); /* eat it */
4467                continue; /* back to top of while (1) */
4468            }
4469            break;
4470        }
4471
4472        if (dest.o_assignment == MAYBE_ASSIGNMENT
4473         /* check that we are not in word in "a=1 2>word b=1": */
4474         && !ctx.pending_redirect
4475        ) {
4476            /* ch is a special char and thus this word
4477             * cannot be an assignment */
4478            dest.o_assignment = NOT_ASSIGNMENT;
4479            debug_printf_parse("dest.o_assignment='%s'\n", assignment_flag[dest.o_assignment]);
4480        }
4481
4482        /* Note: nommu_addchr(&ctx.as_string, ch) is already done */
4483
4484        switch (ch) {
4485        case '#': /* non-comment #: "echo a#b" etc */
4486            o_addQchr(&dest, ch);
4487            break;
4488        case '\\':
4489            if (next == EOF) {
4490                syntax_error("\\<eof>");
4491                xfunc_die();
4492            }
4493            ch = i_getch(input);
4494            /* note: ch != '\n' (that case does not reach this place) */
4495            o_addchr(&dest, '\\');
4496            /*nommu_addchr(&ctx.as_string, '\\'); - already done */
4497            o_addchr(&dest, ch);
4498            nommu_addchr(&ctx.as_string, ch);
4499            /* Example: echo Hello \2>file
4500             * we need to know that word 2 is quoted */
4501            dest.has_quoted_part = 1;
4502            break;
4503        case '$':
4504            if (!parse_dollar(&ctx.as_string, &dest, input, /*quote_mask:*/ 0)) {
4505                debug_printf_parse("parse_stream parse error: "
4506                    "parse_dollar returned 0 (error)\n");
4507                goto parse_error;
4508            }
4509            break;
4510        case '\'':
4511            dest.has_quoted_part = 1;
4512            if (next == '\'' && !ctx.pending_redirect) {
4513 insert_empty_quoted_str_marker:
4514                nommu_addchr(&ctx.as_string, next);
4515                i_getch(input); /* eat second ' */
4516                o_addchr(&dest, SPECIAL_VAR_SYMBOL);
4517                o_addchr(&dest, SPECIAL_VAR_SYMBOL);
4518            } else {
4519                while (1) {
4520                    ch = i_getch(input);
4521                    if (ch == EOF) {
4522                        syntax_error_unterm_ch('\'');
4523                        goto parse_error;
4524                    }
4525                    nommu_addchr(&ctx.as_string, ch);
4526                    if (ch == '\'')
4527                        break;
4528                    o_addqchr(&dest, ch);
4529                }
4530            }
4531            break;
4532        case '"':
4533            dest.has_quoted_part = 1;
4534            if (next == '"' && !ctx.pending_redirect)
4535                goto insert_empty_quoted_str_marker;
4536            if (dest.o_assignment == NOT_ASSIGNMENT)
4537                dest.o_expflags |= EXP_FLAG_ESC_GLOB_CHARS;
4538            if (!encode_string(&ctx.as_string, &dest, input, '"', /*process_bkslash:*/ 1))
4539                goto parse_error;
4540            dest.o_expflags &= ~EXP_FLAG_ESC_GLOB_CHARS;
4541            break;
4542#if ENABLE_HUSH_TICK
4543        case '`': {
4544            USE_FOR_NOMMU(unsigned pos;)
4545
4546            o_addchr(&dest, SPECIAL_VAR_SYMBOL);
4547            o_addchr(&dest, '`');
4548            USE_FOR_NOMMU(pos = dest.length;)
4549            if (!add_till_backquote(&dest, input, /*in_dquote:*/ 0))
4550                goto parse_error;
4551# if !BB_MMU
4552            o_addstr(&ctx.as_string, dest.data + pos);
4553            o_addchr(&ctx.as_string, '`');
4554# endif
4555            o_addchr(&dest, SPECIAL_VAR_SYMBOL);
4556            //debug_printf_subst("SUBST RES3 '%s'\n", dest.data + pos);
4557            break;
4558        }
4559#endif
4560        case ';':
4561#if ENABLE_HUSH_CASE
4562 case_semi:
4563#endif
4564            if (done_word(&dest, &ctx)) {
4565                goto parse_error;
4566            }
4567            done_pipe(&ctx, PIPE_SEQ);
4568#if ENABLE_HUSH_CASE
4569            /* Eat multiple semicolons, detect
4570             * whether it means something special */
4571            while (1) {
4572                ch = i_peek(input);
4573                if (ch != ';')
4574                    break;
4575                ch = i_getch(input);
4576                nommu_addchr(&ctx.as_string, ch);
4577                if (ctx.ctx_res_w == RES_CASE_BODY) {
4578                    ctx.ctx_dsemicolon = 1;
4579                    ctx.ctx_res_w = RES_MATCH;
4580                    break;
4581                }
4582            }
4583#endif
4584 new_cmd:
4585            /* We just finished a cmd. New one may start
4586             * with an assignment */
4587            dest.o_assignment = MAYBE_ASSIGNMENT;
4588            debug_printf_parse("dest.o_assignment='%s'\n", assignment_flag[dest.o_assignment]);
4589            break;
4590        case '&':
4591            if (done_word(&dest, &ctx)) {
4592                goto parse_error;
4593            }
4594            if (next == '&') {
4595                ch = i_getch(input);
4596                nommu_addchr(&ctx.as_string, ch);
4597                done_pipe(&ctx, PIPE_AND);
4598            } else {
4599                done_pipe(&ctx, PIPE_BG);
4600            }
4601            goto new_cmd;
4602        case '|':
4603            if (done_word(&dest, &ctx)) {
4604                goto parse_error;
4605            }
4606#if ENABLE_HUSH_CASE
4607            if (ctx.ctx_res_w == RES_MATCH)
4608                break; /* we are in case's "word | word)" */
4609#endif
4610            if (next == '|') { /* || */
4611                ch = i_getch(input);
4612                nommu_addchr(&ctx.as_string, ch);
4613                done_pipe(&ctx, PIPE_OR);
4614            } else {
4615                /* we could pick up a file descriptor choice here
4616                 * with redirect_opt_num(), but bash doesn't do it.
4617                 * "echo foo 2| cat" yields "foo 2". */
4618                done_command(&ctx);
4619#if !BB_MMU
4620                o_reset_to_empty_unquoted(&ctx.as_string);
4621#endif
4622            }
4623            goto new_cmd;
4624        case '(':
4625#if ENABLE_HUSH_CASE
4626            /* "case... in [(]word)..." - skip '(' */
4627            if (ctx.ctx_res_w == RES_MATCH
4628             && ctx.command->argv == NULL /* not (word|(... */
4629             && dest.length == 0 /* not word(... */
4630             && dest.has_quoted_part == 0 /* not ""(... */
4631            ) {
4632                continue;
4633            }
4634#endif
4635        case '{':
4636            if (parse_group(&dest, &ctx, input, ch) != 0) {
4637                goto parse_error;
4638            }
4639            goto new_cmd;
4640        case ')':
4641#if ENABLE_HUSH_CASE
4642            if (ctx.ctx_res_w == RES_MATCH)
4643                goto case_semi;
4644#endif
4645        case '}':
4646            /* proper use of this character is caught by end_trigger:
4647             * if we see {, we call parse_group(..., end_trigger='}')
4648             * and it will match } earlier (not here). */
4649            syntax_error_unexpected_ch(ch);
4650            goto parse_error;
4651        default:
4652            if (HUSH_DEBUG)
4653                bb_error_msg_and_die("BUG: unexpected %c\n", ch);
4654        }
4655    } /* while (1) */
4656
4657 parse_error:
4658    {
4659        struct parse_context *pctx;
4660        IF_HAS_KEYWORDS(struct parse_context *p2;)
4661
4662        /* Clean up allocated tree.
4663         * Sample for finding leaks on syntax error recovery path.
4664         * Run it from interactive shell, watch pmap `pidof hush`.
4665         * while if false; then false; fi; do break; fi
4666         * Samples to catch leaks at execution:
4667         * while if (true | {true;}); then echo ok; fi; do break; done
4668         * while if (true | {true;}); then echo ok; fi; do (if echo ok; break; then :; fi) | cat; break; done
4669         */
4670        pctx = &ctx;
4671        do {
4672            /* Update pipe/command counts,
4673             * otherwise freeing may miss some */
4674            done_pipe(pctx, PIPE_SEQ);
4675            debug_printf_clean("freeing list %p from ctx %p\n",
4676                    pctx->list_head, pctx);
4677            debug_print_tree(pctx->list_head, 0);
4678            free_pipe_list(pctx->list_head);
4679            debug_printf_clean("freed list %p\n", pctx->list_head);
4680#if !BB_MMU
4681            o_free_unsafe(&pctx->as_string);
4682#endif
4683            IF_HAS_KEYWORDS(p2 = pctx->stack;)
4684            if (pctx != &ctx) {
4685                free(pctx);
4686            }
4687            IF_HAS_KEYWORDS(pctx = p2;)
4688        } while (HAS_KEYWORDS && pctx);
4689
4690        o_free(&dest);
4691        G.last_exitcode = 1;
4692#if !BB_MMU
4693        if (pstring)
4694            *pstring = NULL;
4695#endif
4696        debug_leave();
4697        return ERR_PTR;
4698    }
4699}
4700
4701
4702/*** Execution routines ***/
4703
4704/* Expansion can recurse, need forward decls: */
/* When bash compatibility is disabled, this function-like macro rewrites
 * every later two-argument use of the name into the one-argument form.
 * Because it is defined before the prototype below, the prototype's
 * parameter list is rewritten by the same macro, so the declaration and
 * the call sites stay in agreement in both configurations. */
#if !ENABLE_HUSH_BASH_COMPAT
/* only ${var/pattern/repl} (its pattern part) needs additional mode */
#define expand_string_to_string(str, do_unbackslash) \
    expand_string_to_string(str)
#endif
static char *expand_string_to_string(const char *str, int do_unbackslash);
#if ENABLE_HUSH_TICK
/* Forward declaration, compiled only when backquote substitution is enabled. */
static int process_command_subs(o_string *dest, const char *s);
#endif
4714
4715/* expand_strvec_to_strvec() takes a list of strings, expands
4716 * all variable references within and returns a pointer to
4717 * a list of expanded strings, possibly with larger number
4718 * of strings. (Think VAR="a b"; echo $VAR).
4719 * This new list is allocated as a single malloc block.
4720 * NULL-terminated list of char* pointers is at the beginning of it,
4721 * followed by strings themselves.
4722 * Caller can deallocate entire list by single free(list). */
4723
4724/* A horde of its helpers come first: */
4725
/* Append LEN bytes of STR to O, escaping as it goes:
 *  - every backslash is emitted twice, and the byte that follows it
 *    (if one is still inside the LEN budget) gets a backslash of its own;
 *  - with brace expansion enabled, '{' and '}' get a leading backslash.
 * A non-positive LEN appends nothing.
 */
static void o_addblock_duplicate_backslash(o_string *o, const char *str, int len)
{
    const char *src = str;
    int remaining;

    /* 'remaining' counts the bytes still unread AFTER the current one */
    for (remaining = len - 1; remaining >= 0; remaining--) {
        char c = *src++;

#if ENABLE_HUSH_BRACE_EXPANSION
        /* { -> \{, } -> \} : emit the escape, the brace itself follows below */
        if (c == '{' || c == '}')
            o_addchr(o, '\\');
#endif
        o_addchr(o, c);
        if (c != '\\')
            continue;

        /* \z -> \\\z; \<eol> -> \\<eol> */
        o_addchr(o, '\\');
        if (remaining == 0)
            continue; /* backslash was the last byte of the block */
        remaining--;
        o_addchr(o, '\\');
        o_addchr(o, *src++);
    }
}
4754
4755/* Store given string, finalizing the word and starting new one whenever
4756 * we encounter IFS char(s). This is used for expanding variable values.
4757 * End-of-string does NOT finalize word: think about 'echo -$VAR-'.
4758 * Return in *ended_with_ifs:
4759 * 1 - ended with IFS char, else 0 (this includes case of empty str).
4760 */
/* Split STR on the characters of G.ifs while appending it to OUTPUT.
 *
 * ended_with_ifs  optional out-parameter: receives 1 if the last thing
 *                 seen in STR was an IFS run, else 0 (also 0 for "").
 * output          destination string/list being built.
 * n               current word index in OUTPUT; the updated index is returned.
 * str             NUL-terminated text to store.
 *
 * Reaching the end of STR never finalizes the current word.
 */
static int expand_on_ifs(int *ended_with_ifs, o_string *output, int n, const char *str)
{
    int trailing_ifs = 0;

    while (*str != '\0') {
        int plain_len = strcspn(str, G.ifs);

        if (plain_len != 0) {
            /* PLAIN_LEN leading non-IFS chars: copy them into the word */
            if (output->o_expflags & EXP_FLAG_GLOB) {
                /* Protect backslashes against globbing up :)
                 * Example: "v='\*'; echo b$v" prints "b\*"
                 * (and does not try to glob on "*").
                 * Neither simpler alternative is correct here:
                 *  o_addblock():  "v='\*'; echo Z$v" prints "Z*" instead of "Z\*"
                 *  o_addqblock(): "v='*'; echo Z$v" prints "Z*" instead of Z* files
                 */
                o_addblock_duplicate_backslash(output, str, plain_len);
            } else {
                o_addblock(output, str, plain_len);
            }
            trailing_ifs = 0;
            str += plain_len;
            if (*str == '\0')
                break; /* end of input: leave the word open */
        }

        /* str now points at one or more IFS chars: skip the whole run */
        trailing_ifs = 1;
        str += strspn(str, G.ifs);
        if (*str == '\0')
            break; /* end of input: leave the word open */

        /* Close the current word only if there is something to close:
         *  - "v=' a'; echo ''$v": the quoted empty part must become a word;
         *  - "v=' a'; echo $v": nothing precedes the space, so do not
         *    emit an empty word.
         */
        if (!output->has_quoted_part
         && !(n > 0 && output->data[output->length - 1])
        ) {
            continue;
        }
        o_addchr(output, '\0');
        debug_print_list("expand_on_ifs", output, n);
        n = o_save_ptr(output, n);
    }

    if (ended_with_ifs != NULL)
        *ended_with_ifs = trailing_ifs;
    debug_print_list("expand_on_ifs[1]", output, n);
    return n;
}
4818
4819/* Helper to expand $((...)) and heredoc body. These act as if
4820 * they are in double quotes, with the exception that they are not :).
4821 * Just the rules are similar: "expand only $var and `cmd`"
4822 *
4823 * Returns malloced string.
4824 * As an optimization, we return NULL if expansion is not needed.
4825 */
#if !ENABLE_HUSH_BASH_COMPAT
/* only ${var/pattern/repl} (its pattern part) needs additional mode */
#define encode_then_expand_string(str, process_bkslash, do_unbackslash) \
    encode_then_expand_string(str)
#endif
/* Encode STR with encode_string() and then expand the encoded form.
 *
 * str              NUL-terminated text to process.
 * process_bkslash  forwarded unchanged to encode_string().
 * do_unbackslash   forwarded unchanged to expand_string_to_string().
 *
 * Returns the string produced by expand_string_to_string(), or NULL
 * when STR contains none of '$', '\\' (and '`' if backquote support
 * is enabled), i.e. when there is nothing to expand.
 *
 * Without bash compatibility the macro above reduces the definition and
 * all calls to the one-argument form.
 */
static char *encode_then_expand_string(const char *str, int process_bkslash, int do_unbackslash)
{
#if ENABLE_HUSH_TICK
    static const char expansion_triggers[] = "$\\`";
#else
    static const char expansion_triggers[] = "$\\";
#endif
    struct in_str src;
    o_string encoded = NULL_O_STRING;
    char *expanded;

    /* Fast path: no character that could start an expansion */
    if (strpbrk(str, expansion_triggers) == NULL)
        return NULL;

    /* We need to expand. Example:
     * echo $(($a + `echo 1`)) $((1 + $((2)) ))
     */
    setup_string_in_str(&src, str);
    /* NOTE(review): the result of encode_string() is ignored here, while
     * other callers in this file treat 0 as a parse error. On failure the
     * partially encoded buffer is still expanded below - TODO: decide
     * what this helper should return in that case and check for it. */
    encode_string(NULL, &encoded, &src, EOF, process_bkslash);
    expanded = expand_string_to_string(encoded.data, /*unbackslash:*/ do_unbackslash);
    o_free_unsafe(&encoded);
    return expanded;
}
4858
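#if ENABLE_SH_MATH_SUPPORT
/* Expand ARG with encode_then_expand_string() and evaluate the result
 * as an arithmetic expression.
 *
 * arg       NUL-terminated expression text; used as-is when no expansion
 *           was needed (the helper returned NULL).
 * errmsg_p  optional out-parameter: receives math_state.errmsg after the
 *           evaluation (NULL-ness is what callers in this file test).
 *
 * Returns the value produced by arith(). If an error message was set,
 * it is also reported through die_if_script().
 */
static arith_t expand_and_evaluate_arith(const char *arg, const char **errmsg_p)
{
    arith_state_t math_state;
    arith_t res;
    char *exp_str;

    /* NOTE(review): only the two callbacks are initialized here, and errmsg
     * is read after the call - presumably arith() sets it on every path;
     * confirm against the math library. */
    math_state.lookupvar = get_local_var_value;
    math_state.setvar = set_local_var_from_halves;
    //math_state.endofname = endofname;
    exp_str = encode_then_expand_string(arg, /*process_bkslash:*/ 1, /*unbackslash:*/ 1);
    res = arith(&math_state, exp_str ? exp_str : arg);
    free(exp_str);
    if (errmsg_p)
        *errmsg_p = math_state.errmsg;
    if (math_state.errmsg) {
        /* die_if_script() takes a printf-style format (see its other uses
         * in this file), so the message is passed as data, never as the
         * format itself: a '%' in the text must not be interpreted. */
        die_if_script("%s", math_state.errmsg);
    }
    return res;
}
#endif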
4879
4880#if ENABLE_HUSH_BASH_COMPAT
4881/* ${var/[/]pattern[/repl]} helpers */
/* Find the first position in VAL at which PATTERN matches.
 *
 * On success returns that position and stores the matched length
 * (end - start, as reported by scan_and_match()) in *SIZE.
 * Returns NULL when no position matches; *SIZE is then left untouched.
 */
static char *strstr_pattern(char *val, const char *pattern, int *size)
{
    char *start;

    for (start = val; ; start++) {
        char *end = scan_and_match(start, pattern, SCAN_MOVE_FROM_RIGHT + SCAN_MATCH_LEFT_HALF);
        debug_printf_varexp("val:'%s' pattern:'%s' end:'%s'\n", start, pattern, end);
        if (end != NULL) {
            *size = end - start;
            return start;
        }
        /* Give up at end of string. Also an optimization: if "*pat" did
         * not match the start of "string", we know that "tring", "ring"
         * etc will not match either.
         */
        if (*start == '\0' || pattern[0] == '*')
            return NULL;
    }
}
/* Build a copy of VAL in which matches of PATTERN are replaced by REPL.
 *
 * exp_op  '/' stops after the first replacement; any other value keeps
 *         replacing until strstr_pattern() finds no further match.
 *
 * Returns a buffer obtained from xrealloc() (the caller owns it), or NULL
 * if nothing matched - VAL is then to be used unchanged.
 */
static char *replace_pattern(char *val, const char *pattern, const char *repl, char exp_op)
{
    const unsigned repl_len = strlen(repl);
    unsigned out_len = 0;
    char *out = NULL;
    char *match;
    int match_len;

    /* NOTE(review): progress depends on "val = match + match_len" moving
     * forward. If strstr_pattern() can report a zero-length match at the
     * current position while exp_op is not '/', this loop would keep
     * growing the buffer without consuming input - confirm that
     * scan_and_match() rules this out, or guard against it. */
    while ((match = strstr_pattern(val, pattern, &match_len)) != NULL) {
        /* room for: text before the match + replacement + NUL */
        out = xrealloc(out, out_len + (match - val) + repl_len + 1);
        memcpy(out + out_len, val, match - val);
        out_len += match - val;
        strcpy(out + out_len, repl);
        out_len += repl_len;
        debug_printf_varexp("val:'%s' s:'%s' result:'%s'\n", val, match, out);

        val = match + match_len; /* continue after the matched text */
        if (exp_op == '/')
            break;
    }

    /* Append the unmatched tail, but only if a replacement happened */
    if (out != NULL && val[0] != '\0') {
        out = xrealloc(out, out_len + strlen(val) + 1);
        strcpy(out + out_len, val);
        debug_printf_varexp("val:'%s' result:'%s'\n", val, out);
    }
    debug_printf_varexp("result:'%s'\n", out);
    return out;
}
4932#endif
4933
4934/* Helper:
4935 * Handles <SPECIAL_VAR_SYMBOL>varname...<SPECIAL_VAR_SYMBOL> construct.
4936 */
/* Expand one encoded variable reference and return its value.
 *
 * to_be_freed_pp  out: set to the heap block allocated by this call
 *                 (xstrndup / replace_pattern / encode_then_expand_string
 *                 result) or to NULL; the returned value may point into it,
 *                 so the caller presumably frees it after using the value.
 * arg             start of the encoded reference. It is edited in place:
 *                 the high bit of arg[0] is masked off and NULs are written
 *                 at the operator and at the terminator. arg[0] and the
 *                 operator byte are restored before returning.
 * pp              in: *pp points at the trailing SPECIAL_VAR_SYMBOL;
 *                 out: position reached by this call (advanced to the
 *                 second terminator for the two-part forms). The NUL
 *                 written at that position is left in place.
 *
 * Returns the expanded value, or NULL (unset variable, $N with too big N,
 * or an error reported through die_if_script()).
 */
static NOINLINE const char *expand_one_var(char **to_be_freed_pp, char *arg, char **pp)
{
    const char *val = NULL;
    char *to_be_freed = NULL;
    char *p = *pp;
    char *var;
    char first_char;
    char exp_op;
    char exp_save = exp_save; /* for compiler */
    char *exp_saveptr; /* points to expansion operator */
    char *exp_word = exp_word; /* for compiler */
    char arg0;

    *p = '\0'; /* replace trailing SPECIAL_VAR_SYMBOL */
    var = arg;
    exp_saveptr = arg[1] ? strchr(VAR_ENCODED_SUBST_OPS, arg[1]) : NULL;
    /* Remember the original first byte (including its high bit, which the
     * caller uses as the "double-quoted" marker) and work on the 7-bit
     * character; arg[0] is put back just before returning. */
    arg0 = arg[0];
    first_char = arg[0] = arg0 & 0x7f;
    exp_op = 0;

    if (first_char == '#'      /* ${#... */
     && arg[1] && !exp_saveptr /* not ${#} and not ${#<op_char>...} */
    ) {
        /* It must be length operator: ${#var} */
        var++;
        exp_op = 'L';
    } else {
        /* Maybe handle parameter expansion */
        if (exp_saveptr /* if 2nd char is one of expansion operators */
         && strchr(NUMERIC_SPECVARS_STR, first_char) /* 1st char is special variable */
        ) {
            /* ${?:0}, ${#[:]%0} etc */
            exp_saveptr = var + 1;
        } else {
            /* ${?}, ${var}, ${var:0}, ${var[:]%0} etc */
            exp_saveptr = var+1 + strcspn(var+1, VAR_ENCODED_SUBST_OPS);
        }
        /* exp_save keeps the operator byte so it can be restored later;
         * it is '\0' for a bare ${var}. */
        exp_op = exp_save = *exp_saveptr;
        if (exp_op) {
            exp_word = exp_saveptr + 1;
            if (exp_op == ':') {
                exp_op = *exp_word++;
//TODO: try ${var:} and ${var:bogus} in non-bash config
                if (ENABLE_HUSH_BASH_COMPAT
                 && (!exp_op || !strchr(MINUS_PLUS_EQUAL_QUESTION, exp_op))
                ) {
                    /* oops... it's ${var:N[:M]}, not ${var:?xxx} or some such */
                    exp_op = ':';
                    exp_word--;
                }
            }
            /* Terminate the variable name at the operator */
            *exp_saveptr = '\0';
        } /* else: it's not an expansion op, but bare ${var} */
    }

    /* Look up the variable in question */
    if (isdigit(var[0])) {
        /* parse_dollar should have vetted var for us */
        int n = xatoi_positive(var);
        /* Bounds check against argc before indexing argv */
        if (n < G.global_argc)
            val = G.global_argv[n];
        /* else val remains NULL: $N with too big N */
    } else {
        switch (var[0]) {
        case '$': /* pid */
            val = utoa(G.root_pid);
            break;
        case '!': /* bg pid */
            val = G.last_bg_pid ? utoa(G.last_bg_pid) : "";
            break;
        case '?': /* exitcode */
            val = utoa(G.last_exitcode);
            break;
        case '#': /* argc */
            val = utoa(G.global_argc ? G.global_argc-1 : 0);
            break;
        default:
            val = get_local_var_value(var);
        }
    }

    /* Handle any expansions */
    if (exp_op == 'L') {
        debug_printf_expand("expand: length(%s)=", val);
        val = utoa(val ? strlen(val) : 0);
        debug_printf_expand("%s\n", val);
    } else if (exp_op) {
        if (exp_op == '%' || exp_op == '#') {
            /* Standard-mandated substring removal ops:
             * ${parameter%word} - remove smallest suffix pattern
             * ${parameter%%word} - remove largest suffix pattern
             * ${parameter#word} - remove smallest prefix pattern
             * ${parameter##word} - remove largest prefix pattern
             *
             * Word is expanded to produce a glob pattern.
             * Then var's value is matched to it and matching part removed.
             */
            if (val && val[0]) {
                char *t;
                char *exp_exp_word;
                char *loc;
                unsigned scan_flags = pick_scan(exp_op, *exp_word);
                if (exp_op == *exp_word)  /* ## or %% */
                    exp_word++;
                exp_exp_word = encode_then_expand_string(exp_word, /*process_bkslash:*/ 1, /*unbackslash:*/ 1);
                if (exp_exp_word)
                    exp_word = exp_exp_word;
                /* HACK ALERT. We depend here on the fact that
                 * G.global_argv and results of utoa and get_local_var_value
                 * are actually in writable memory:
                 * scan_and_match momentarily stores NULs there. */
                /* NOTE(review): the cast discards const. The "" literal
                 * assigned for $! above is not writable, but an empty
                 * value never reaches this branch (val[0] check). */
                t = (char*)val;
                loc = scan_and_match(t, exp_word, scan_flags);
                //bb_error_msg("op:%c str:'%s' pat:'%s' res:'%s'",
                //      exp_op, t, exp_word, loc);
                free(exp_exp_word);
                if (loc) { /* match was found */
                    if (scan_flags & SCAN_MATCH_LEFT_HALF) /* #[#] */
                        val = loc; /* take right part */
                    else /* %[%] */
                        val = to_be_freed = xstrndup(val, loc - val); /* left */
                }
            }
        }
#if ENABLE_HUSH_BASH_COMPAT
        else if (exp_op == '/' || exp_op == '\\') {
            /* It's ${var/[/]pattern[/repl]} thing.
             * Note that in encoded form it has TWO parts:
             * var/pattern<SPECIAL_VAR_SYMBOL>repl<SPECIAL_VAR_SYMBOL>
             * and if // is used, it is encoded as \:
             * var\pattern<SPECIAL_VAR_SYMBOL>repl<SPECIAL_VAR_SYMBOL>
             */
            /* Empty variable always gives nothing: */
            // "v=''; echo ${v/*/w}" prints "", not "w"
            if (val && val[0]) {
                /* pattern uses non-standard expansion.
                 * repl should be unbackslashed and globbed
                 * by the usual expansion rules:
                 * >az; >bz;
                 * v='a bz'; echo "${v/a*z/a*z}" prints "a*z"
                 * v='a bz'; echo "${v/a*z/\z}"  prints "\z"
                 * v='a bz'; echo ${v/a*z/a*z}   prints "az"
                 * v='a bz'; echo ${v/a*z/\z}    prints "z"
                 * (note that a*z _pattern_ is never globbed!)
                 */
                char *pattern, *repl, *t;
                pattern = encode_then_expand_string(exp_word, /*process_bkslash:*/ 0, /*unbackslash:*/ 0);
                if (!pattern)
                    pattern = xstrdup(exp_word);
                debug_printf_varexp("pattern:'%s'->'%s'\n", exp_word, pattern);
                /* Restore the first terminator and step to the second part */
                *p++ = SPECIAL_VAR_SYMBOL;
                exp_word = p;
                /* NOTE(review): the strchr() result is dereferenced without
                 * a NULL check; this relies on the encoder always emitting
                 * the second SPECIAL_VAR_SYMBOL for this form - confirm. */
                p = strchr(p, SPECIAL_VAR_SYMBOL);
                *p = '\0';
                repl = encode_then_expand_string(exp_word, /*process_bkslash:*/ arg0 & 0x80, /*unbackslash:*/ 1);
                debug_printf_varexp("repl:'%s'->'%s'\n", exp_word, repl);
                /* HACK ALERT. We depend here on the fact that
                 * G.global_argv and results of utoa and get_local_var_value
                 * are actually in writable memory:
                 * replace_pattern momentarily stores NULs there. */
                t = (char*)val;
                to_be_freed = replace_pattern(t,
                        pattern,
                        (repl ? repl : exp_word),
                        exp_op);
                if (to_be_freed) /* at least one replace happened */
                    val = to_be_freed;
                free(pattern);
                free(repl);
            }
        }
#endif
        else if (exp_op == ':') {
#if ENABLE_HUSH_BASH_COMPAT && ENABLE_SH_MATH_SUPPORT
            /* It's ${var:N[:M]} bashism.
             * Note that in encoded form it has TWO parts:
             * var:N<SPECIAL_VAR_SYMBOL>M<SPECIAL_VAR_SYMBOL>
             */
            arith_t beg, len;
            const char *errmsg;

            beg = expand_and_evaluate_arith(exp_word, &errmsg);
            /* NOTE(review): on this first error exit p has not been advanced
             * to the second part yet, so *pp ends up at the first terminator -
             * presumably the caller copes with the leftover "M" part; verify. */
            if (errmsg)
                goto arith_err;
            debug_printf_varexp("beg:'%s'=%lld\n", exp_word, (long long)beg);
            *p++ = SPECIAL_VAR_SYMBOL;
            exp_word = p;
            /* NOTE(review): as in the ${var/...} branch, the strchr() result
             * is used unchecked - relies on a well-formed encoding. */
            p = strchr(p, SPECIAL_VAR_SYMBOL);
            *p = '\0';
            len = expand_and_evaluate_arith(exp_word, &errmsg);
            if (errmsg)
                goto arith_err;
            debug_printf_varexp("len:'%s'=%lld\n", exp_word, (long long)len);
            if (len >= 0) { /* bash compat: len < 0 is illegal */
                if (beg < 0) /* bash compat */
                    beg = 0;
                debug_printf_varexp("from val:'%s'\n", val);
                /* beg is non-negative here, so comparing it with the
                 * unsigned strlen() result cannot be fooled by a negative
                 * offset; beg past the end yields an empty result instead
                 * of reading beyond the string. */
                if (len == 0 || !val || beg >= strlen(val)) {
 arith_err:
                    val = NULL;
                } else {
                    /* Paranoia. What if user entered 9999999999999
                     * which fits in arith_t but not int? */
                    if (len >= INT_MAX)
                        len = INT_MAX;
                    val = to_be_freed = xstrndup(val + beg, len);
                }
                debug_printf_varexp("val:'%s'\n", val);
            } else
#endif
            {
                die_if_script("malformed ${%s:...}", var);
                val = NULL;
            }
        } else { /* one of "-=+?" */
            /* Standard-mandated substitution ops:
             * ${var?word} - indicate error if unset
             *      If var is unset, word (or a message indicating it is unset
             *      if word is null) is written to standard error
             *      and the shell exits with a non-zero exit status.
             *      Otherwise, the value of var is substituted.
             * ${var-word} - use default value
             *      If var is unset, word is substituted.
             * ${var=word} - assign and use default value
             *      If var is unset, word is assigned to var.
             *      In all cases, final value of var is substituted.
             * ${var+word} - use alternative value
             *      If var is unset, null is substituted.
             *      Otherwise, word is substituted.
             *
             * Word is subjected to tilde expansion, parameter expansion,
             * command substitution, and arithmetic expansion.
             * If word is not needed, it is not expanded.
             *
             * Colon forms (${var:-word}, ${var:=word} etc) do the same,
             * but also treat null var as if it is unset.
             */
            int use_word = (!val || ((exp_save == ':') && !val[0]));
            if (exp_op == '+')
                use_word = !use_word;
            debug_printf_expand("expand: op:%c (null:%s) test:%i\n", exp_op,
                    (exp_save == ':') ? "true" : "false", use_word);
            if (use_word) {
                to_be_freed = encode_then_expand_string(exp_word, /*process_bkslash:*/ 1, /*unbackslash:*/ 1);
                if (to_be_freed)
                    exp_word = to_be_freed;
                if (exp_op == '?') {
                    /* mimic bash message */
                    /* The expanded word is passed as a "%s" argument,
                     * never as the format string itself. */
                    die_if_script("%s: %s",
                        var,
                        exp_word[0] ? exp_word : "parameter null or not set"
                    );
//TODO: how interactive bash aborts expansion mid-command?
                } else {
                    val = exp_word;
                }

                if (exp_op == '=') {
                    /* ${var=[word]} or ${var:=[word]} */
                    if (isdigit(var[0]) || var[0] == '#') {
                        /* mimic bash message */
                        die_if_script("$%s: cannot assign in this way", var);
                        val = NULL;
                    } else {
                        /* new_var is not freed here - presumably
                         * set_local_var() takes ownership; verify. */
                        char *new_var = xasprintf("%s=%s", var, val);
                        set_local_var(new_var, /*exp:*/ 0, /*lvl:*/ 0, /*ro:*/ 0);
                    }
                }
            }
        } /* one of "-=+?" */

        /* Put the operator byte back where the name was terminated */
        *exp_saveptr = exp_save;
    } /* if (exp_op) */

    /* Restore the first byte, including its high (quote) bit */
    arg[0] = arg0;

    *pp = p;
    *to_be_freed_pp = to_be_freed;
    return val;
}
5217
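/* Expand all variable references in given string, adding words to list[]
 * at n, n+1,... positions. Return updated n (so that list[n] is next one
 * to be filled). This routine is extremely tricky: has to deal with
 * variables/parameters with whitespace, $* and $@, and constructs like
 * 'echo -$*-'. If you play here, you must run testsuite afterwards!
 *
 * Each reference inside arg is bracketed by two SPECIAL_VAR_SYMBOL bytes.
 * The byte after the opening marker selects the kind of expansion and
 * carries the "double-quoted" flag in bit 0x80.
 *
 * The closing marker is looked up with strchr() and then dereferenced
 * without a NULL check, so arg must be a well-formed (paired) encoding.
 * arg is written to temporarily (closing marker replaced by NUL for `cmd`
 * and arithmetic) and restored before the next iteration.
 */
static NOINLINE int expand_vars_to_list(o_string *output, int n, char *arg)
{
    /* output->o_expflags & EXP_FLAG_SINGLEWORD (0x80) if we are in
     * expansion of right-hand side of assignment == 1-element expand.
     */
    char cant_be_null = 0; /* only bit 0x80 matters */
    int ended_in_ifs = 0;  /* did last unquoted expansion end with IFS chars? */
    char *p;

    debug_printf_expand("expand_vars_to_list: arg:'%s' singleword:%x\n", arg,
            !!(output->o_expflags & EXP_FLAG_SINGLEWORD));
    debug_print_list("expand_vars_to_list", output, n);
    n = o_save_ptr(output, n);
    debug_print_list("expand_vars_to_list[0]", output, n);

    while ((p = strchr(arg, SPECIAL_VAR_SYMBOL)) != NULL) {
        char first_ch;
        char *to_be_freed = NULL;
        const char *val = NULL;
#if ENABLE_HUSH_TICK
        o_string subst_result = NULL_O_STRING;
#endif
#if ENABLE_SH_MATH_SUPPORT
        /* 3 chars per byte of arith_t, plus 2 */
        char arith_buf[sizeof(arith_t)*3 + 2];
#endif

        /* Previous unquoted expansion ended in IFS: the literal text
         * (or next expansion) that follows starts a new word */
        if (ended_in_ifs) {
            o_addchr(output, '\0');
            n = o_save_ptr(output, n);
            ended_in_ifs = 0;
        }

        /* Copy the literal text preceding the marker */
        o_addblock(output, arg, p - arg);
        debug_print_list("expand_vars_to_list[1]", output, n);
        arg = ++p;
        /* p now points at the closing marker (assumed to exist) */
        p = strchr(p, SPECIAL_VAR_SYMBOL);

        /* Fetch special var name (if it is indeed one of them)
         * and quote bit, force the bit on if singleword expansion -
         * important for not getting v=$@ expand to many words. */
        first_ch = arg[0] | (output->o_expflags & EXP_FLAG_SINGLEWORD);

        /* Is this variable quoted and thus expansion can't be null?
         * "$@" is special. Even if quoted, it can still
         * expand to nothing (not even an empty string),
         * thus it is excluded. */
        if ((first_ch & 0x7f) != '@')
            cant_be_null |= first_ch;

        switch (first_ch & 0x7f) {
        /* Highest bit in first_ch indicates that var is double-quoted */
        case '*':
        case '@': {
            int i;
            if (!G.global_argv[1])
                break;
            i = 1;
            cant_be_null |= first_ch; /* do it for "$@" _now_, when we know it's not empty */
            if (!(first_ch & 0x80)) { /* unquoted $* or $@ */
                while (G.global_argv[i]) {
                    n = expand_on_ifs(NULL, output, n, G.global_argv[i]);
                    debug_printf_expand("expand_vars_to_list: argv %d (last %d)\n", i, G.global_argc - 1);
                    if (G.global_argv[i++][0] && G.global_argv[i]) {
                        /* this argv[] is not empty and not last:
                         * put terminating NUL, start new word */
                        o_addchr(output, '\0');
                        debug_print_list("expand_vars_to_list[2]", output, n);
                        n = o_save_ptr(output, n);
                        debug_print_list("expand_vars_to_list[3]", output, n);
                    }
                }
            } else
            /* If EXP_FLAG_SINGLEWORD, we handle assignment 'a=....$@.....'
             * and in this case should treat it like '$*' - see 'else...' below */
            if (first_ch == ('@'|0x80)  /* quoted $@ */
             && !(output->o_expflags & EXP_FLAG_SINGLEWORD) /* not v="$@" case */
            ) {
                /* every positional parameter becomes its own word */
                while (1) {
                    o_addQstr(output, G.global_argv[i]);
                    if (++i >= G.global_argc)
                        break;
                    o_addchr(output, '\0');
                    debug_print_list("expand_vars_to_list[4]", output, n);
                    n = o_save_ptr(output, n);
                }
            } else { /* quoted $* (or v="$@" case): add as one word */
                while (1) {
                    o_addQstr(output, G.global_argv[i]);
                    if (!G.global_argv[++i])
                        break;
                    /* parameters are joined with the first IFS char, if any */
                    if (G.ifs[0])
                        o_addchr(output, G.ifs[0]);
                }
                output->has_quoted_part = 1;
            }
            break;
        }
        case SPECIAL_VAR_SYMBOL: /* <SPECIAL_VAR_SYMBOL><SPECIAL_VAR_SYMBOL> */
            /* "Empty variable", used to make "" etc to not disappear */
            output->has_quoted_part = 1;
            arg++;
            cant_be_null = 0x80;
            break;
#if ENABLE_HUSH_TICK
        case '`': /* <SPECIAL_VAR_SYMBOL>`cmd<SPECIAL_VAR_SYMBOL> */
            *p = '\0'; /* replace trailing <SPECIAL_VAR_SYMBOL> */
            arg++;
            /* Can't just stuff it into output o_string,
             * expanded result may need to be globbed
             * and $IFS-splitted */
            debug_printf_subst("SUBST '%s' first_ch %x\n", arg, first_ch);
            G.last_exitcode = process_command_subs(&subst_result, arg);
            debug_printf_subst("SUBST RES:%d '%s'\n", G.last_exitcode, subst_result.data);
            val = subst_result.data;
            goto store_val;
#endif
#if ENABLE_SH_MATH_SUPPORT
        case '+': { /* <SPECIAL_VAR_SYMBOL>+cmd<SPECIAL_VAR_SYMBOL> */
            arith_t res;

            arg++; /* skip '+' */
            *p = '\0'; /* replace trailing <SPECIAL_VAR_SYMBOL> */
            debug_printf_subst("ARITH '%s' first_ch %x\n", arg, first_ch);
            res = expand_and_evaluate_arith(arg, NULL);
            debug_printf_subst("ARITH RES '"ARITH_FMT"'\n", res);
            /* Bounded write: the buffer size above is an estimate tied to
             * sizeof(arith_t); passing the size makes it an enforced limit
             * instead of an assumption about what ARITH_FMT prints. */
            snprintf(arith_buf, sizeof(arith_buf), ARITH_FMT, res);
            val = arith_buf;
            break;
        }
#endif
        default:
            val = expand_one_var(&to_be_freed, arg, &p);
 IF_HUSH_TICK(store_val:)
            if (!(first_ch & 0x80)) { /* unquoted $VAR */
                debug_printf_expand("unquoted '%s', output->o_escape:%d\n", val,
                        !!(output->o_expflags & EXP_FLAG_ESC_GLOB_CHARS));
                if (val && val[0]) {
                    n = expand_on_ifs(&ended_in_ifs, output, n, val);
                    /* already stored; skip the o_addQstr() below */
                    val = NULL;
                }
            } else { /* quoted $VAR, val will be appended below */
                output->has_quoted_part = 1;
                debug_printf_expand("quoted '%s', output->o_escape:%d\n", val,
                        !!(output->o_expflags & EXP_FLAG_ESC_GLOB_CHARS));
            }
            break;

        } /* switch (char after <SPECIAL_VAR_SYMBOL>) */

        if (val && val[0]) {
            o_addQstr(output, val);
        }
        free(to_be_freed);

        /* Restore NULL'ed SPECIAL_VAR_SYMBOL.
         * Do the check to avoid writing to a const string. */
        if (*p != SPECIAL_VAR_SYMBOL)
            *p = SPECIAL_VAR_SYMBOL;

#if ENABLE_HUSH_TICK
        o_free(&subst_result);
#endif
        arg = ++p;
    } /* end of "while (SPECIAL_VAR_SYMBOL is found) ..." */

    if (arg[0]) {
        if (ended_in_ifs) {
            o_addchr(output, '\0');
            n = o_save_ptr(output, n);
        }
        debug_print_list("expand_vars_to_list[a]", output, n);
        /* this part is literal, and it was already pre-quoted
         * if needed (much earlier), do not use o_addQstr here! */
        o_addstr_with_NUL(output, arg);
        debug_print_list("expand_vars_to_list[b]", output, n);
    } else if (output->length == o_get_last_ptr(output, n) /* expansion is empty */
     && !(cant_be_null & 0x80) /* and all vars were not quoted. */
    ) {
        n--;
        /* allow to reuse list[n] later without re-growth */
        output->has_empty_slot = 1;
    } else {
        o_addchr(output, '\0');
    }

    return n;
}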
5410
/* Expand every string of the NULL-terminated vector argv using the given
 * expansion flags and return the resulting word list.
 * The list is produced by o_finalize_list(); per the comment below, the
 * data lives in one malloced block that is handed back to the caller. */
static char **expand_variables(char **argv, unsigned expflags)
{
    o_string output = NULL_O_STRING;
    char **list;
    int n = 0;

    output.o_expflags = expflags;

    /* Each input word may add zero, one or several words to the list */
    for (; *argv; argv++)
        n = expand_vars_to_list(&output, n, *argv);
    debug_print_list("expand_variables", &output, n);

    /* output.data (malloced in one block) gets returned in "list" */
    list = o_finalize_list(&output, n);
    debug_print_strings("expand_variables[1]", list);
    return list;
}
5431
/* Expand argv with EXP_FLAG_GLOB and EXP_FLAG_ESC_GLOB_CHARS set;
 * returns the list built by expand_variables(). */
static char **expand_strvec_to_strvec(char **argv)
{
    const unsigned flags = EXP_FLAG_GLOB | EXP_FLAG_ESC_GLOB_CHARS;

    return expand_variables(argv, flags);
}
5436
#if ENABLE_HUSH_BASH_COMPAT
/* Expand argv with only EXP_FLAG_SINGLEWORD set (no EXP_FLAG_GLOB);
 * returns the list built by expand_variables(). */
static char **expand_strvec_to_strvec_singleword_noglob(char **argv)
{
    const unsigned flags = EXP_FLAG_SINGLEWORD;

    return expand_variables(argv, flags);
}
#endif
5443
/* Used for expansion of right hand of assignments,
 * $((...)), heredocs, variable expansion parts.
 *
 * NB: should NOT do globbing!
 * "export v=/bin/c*; env | grep ^v=" outputs "v=/bin/c*"
 *
 * Returns a malloced string: a plain copy on the fast path, otherwise
 * the block returned by expand_variables() with the single expanded word
 * moved to its start. The caller frees it.
 */
static char *expand_string_to_string(const char *str, int do_unbackslash)
{
#if !ENABLE_HUSH_BASH_COMPAT
    /* NOTE(review): this shadows the parameter of the same name, so in
     * this configuration the function is presumably reached through a
     * macro that drops the second argument - not visible here. */
    const int do_unbackslash = 1;
#endif
    char *argv[2], **list;
    char *result;
    unsigned flags;

    debug_printf_expand("string_to_string<='%s'\n", str);
    /* Fast path: nothing to expand and nothing to unbackslash.
     * It also handles "", which otherwise trips over the !list[0]
     * check below. */
    if (strchr(str, SPECIAL_VAR_SYMBOL) == NULL && strchr(str, '\\') == NULL) {
        //TODO: Can use on strings with \ too, just unbackslash() them?
        debug_printf_expand("string_to_string(fast)=>'%s'\n", str);
        return xstrdup(str);
    }

    flags = EXP_FLAG_SINGLEWORD;
    if (do_unbackslash)
        flags |= EXP_FLAG_ESC_GLOB_CHARS;

    /* One-element vector around str */
    argv[0] = (char*)str;
    argv[1] = NULL;
    list = expand_variables(argv, flags);
    if (HUSH_DEBUG)
        if (!list[0] || list[1])
            bb_error_msg_and_die("BUG in varexp2");

    /* actually, just move string 2*sizeof(char*) bytes back */
    result = (char*)list;
    overlapping_strcpy(result, list[0]);
    if (do_unbackslash)
        unbackslash(result);
    debug_printf_expand("string_to_string=>'%s'\n", result);
    return result;
}
5484
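/* Used for "eval" builtin.
 *
 * Expands argv (EXP_FLAG_SINGLEWORD) and joins the resulting words with
 * single spaces into one string. The string is built in place at the
 * start of the block returned by expand_variables(), and that block is
 * returned for the caller to free.
 *
 * If the expansion yields no words at all, an empty string is returned.
 * The original passed list[0] == NULL on to overlapping_strcpy() in that
 * case; whether that helper tolerates a NULL source is not visible here,
 * so the case is handled explicitly.
 */
static char* expand_strvec_to_string(char **argv)
{
    char **list;
    int n;

    list = expand_variables(argv, EXP_FLAG_SINGLEWORD);
    if (!list[0]) {
        /* The block holds at least the terminating NULL pointer,
         * so there is room for one NUL byte. */
        *(char*)list = '\0';
        debug_printf_expand("strvec_to_string='%s'\n", (char*)list);
        return (char*)list;
    }

    /* Convert all NULs to spaces: the words are stored back to back,
     * so the byte before list[n] is the NUL ending list[n-1] */
    for (n = 1; list[n]; n++) {
        if (HUSH_DEBUG)
            if (list[n-1] + strlen(list[n-1]) + 1 != list[n])
                bb_error_msg_and_die("BUG in varexp3");
        /* bash uses ' ' regardless of $IFS contents */
        list[n][-1] = ' ';
    }
    overlapping_strcpy((char*)list, list[0]);
    debug_printf_expand("strvec_to_string='%s'\n", (char*)list);
    return (char*)list;
}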
5507
/* Expand the first count entries of argv, one result string per entry,
 * and return them as a string vector built with add_string_to_strings().
 *
 * While the loop runs, G.expanded_assignments tracks the partial vector;
 * it is reset to NULL before returning. (Presumably this lets code that
 * runs during expansion find the partial list - confirm at its users.) */
static char **expand_assignments(char **argv, int count)
{
    char **expanded = NULL;
    int i;

    G.expanded_assignments = NULL;
    /* Expand assignments into one string each */
    for (i = 0; i < count; i++) {
        expanded = add_string_to_strings(expanded,
                expand_string_to_string(argv[i], /*unbackslash:*/ 1));
        G.expanded_assignments = expanded;
    }
    G.expanded_assignments = NULL;
    return expanded;
}
5521
5522
/* For every signal whose bit is set in mask, drop its trap string (if
 * any) and install SIG_DFL - except signals trapped with '', which are
 * left alone. Bit 0 of mask is never examined: the first bit tested
 * is bit 1, for signal 1. */
static void switch_off_special_sigs(unsigned mask)
{
    unsigned sig;

    for (sig = 1, mask >>= 1; mask != 0; sig++, mask >>= 1) {
        if ((mask & 1) == 0)
            continue;
        if (G.traps) {
            /* trap is '', has to remain SIG_IGN */
            if (G.traps[sig] && G.traps[sig][0] == '\0')
                continue;
            free(G.traps[sig]);
            G.traps[sig] = NULL;
        }
        /* We are here only if no trap or trap was not '' */
        install_sighandler(sig, SIG_DFL);
    }
}
5541
5542#if BB_MMU
/* never called in BB_MMU builds: only this prototype is provided in this
 * branch of the #if (the definition lives in the !BB_MMU branch).
 * Presumably it exists so that call sites in compiled-out code paths
 * still have a declaration - confirm at the callers. */
void re_execute_shell(char ***to_free, const char *s,
        char *g_argv0, char **g_argv,
        char **builtin_argv) NORETURN;
5547
/* Undo the parent shell's signal setup in a forked child: switch off the
 * interactive and fatal special signals, and forget every non-empty
 * trap. Signals trapped with '' are left untouched. */
static void reset_traps_to_defaults(void)
{
    /* This function is always called in a child shell
     * after fork (not vfork, NOMMU doesn't use this function).
     */
    unsigned special;
    unsigned sig;

    /* Child shells are not interactive.
     * SIGTTIN/SIGTTOU/SIGTSTP should not have special handling.
     * Testcase: (while :; do :; done) + ^Z should background.
     * Same goes for SIGTERM, SIGHUP, SIGINT.
     */
    special = (G.special_sig_mask & SPECIAL_INTERACTIVE_SIGS) | G_fatal_sig_mask;
    if (!G.traps && special == 0)
        return; /* already no traps and no special sigs */

    switch_off_special_sigs(special);
#if ENABLE_HUSH_JOB
    G_fatal_sig_mask = 0;
#endif
    /* SIGQUIT,SIGCHLD and maybe SPECIAL_JOBSTOP_SIGS
     * remain set in G.special_sig_mask */
    G.special_sig_mask &= ~SPECIAL_INTERACTIVE_SIGS;

    if (!G.traps)
        return;

    /* Reset all sigs to default except ones with empty traps */
    for (sig = 0; sig < NSIG; sig++) {
        /* no trap: nothing to do; empty trap: has to remain SIG_IGN */
        if (!G.traps[sig] || !G.traps[sig][0])
            continue;
        free(G.traps[sig]);
        G.traps[sig] = NULL;
        /* There is no signal for trap 0 (EXIT) */
        if (sig != 0)
            install_sighandler(sig, pick_sighandler(sig));
    }
}
5592
5593#else /* !BB_MMU */
5594
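static void re_execute_shell(char ***to_free, const char *s,
        char *g_argv0, char **g_argv,
        char **builtin_argv) NORETURN;
/* NOMMU only: re-exec the shell and hand it the state it needs through
 * the argument vector.
 *
 * to_free       receives the malloced argv array (left untouched in the
 *               heredoc case, where a local array is used)
 * s             command string for "-c", or the heredoc body
 * g_argv0       $0 for the new shell; NULL selects heredoc ("-<") mode
 * g_argv        NULL-terminated positional parameters
 * builtin_argv  optional; entries after [0] are passed on, followed by ""
 *
 * Does not return: if both execve() attempts fail, xfunc_error_retval is
 * set to 127 and bb_error_msg_and_die() is called.
 *
 * NOTE(review): non-exported and read-only variables and function bodies
 * travel in argv, so they can be read by anything able to see this
 * process's command line. Worth remembering when the shell holds secrets
 * in unexported variables.
 */
static void re_execute_shell(char ***to_free, const char *s,
        char *g_argv0, char **g_argv,
        char **builtin_argv)
{
# define NOMMU_HACK_FMT ("-$%x:%x:%x:%x:%x:%llx" IF_HUSH_LOOPS(":%x"))
    /* delims + 2 * (number of bytes in printed hex numbers) */
    char param_buf[sizeof(NOMMU_HACK_FMT) + 2 * (sizeof(int)*6 + sizeof(long long)*1)];
    char *heredoc_argv[4];
    struct variable *cur;
# if ENABLE_HUSH_FUNCTIONS
    struct function *funcp;
# endif
    char **argv, **pp;
    unsigned cnt;
    unsigned long long empty_trap_mask;

    if (!g_argv0) { /* heredoc */
        argv = heredoc_argv;
        argv[0] = (char *) G.argv0_for_re_execing;
        argv[1] = (char *) "-<";
        argv[2] = (char *) s;
        argv[3] = NULL;
        pp = &argv[3]; /* used as pointer to empty environment */
        goto do_exec;
    }

    /* Number of entries in builtin_argv (including [0]) */
    cnt = 0;
    pp = builtin_argv;
    if (pp) while (*pp++)
        cnt++;

    /* One bit per signal whose trap is the empty string */
    empty_trap_mask = 0;
    if (G.traps) {
        int sig;
        for (sig = 1; sig < NSIG; sig++) {
            if (!G.traps[sig] || G.traps[sig][0])
                continue;
            /* Shifting by the width of the type (or into the sign bit
             * of a signed 1LL) is undefined; a signal number that does
             * not fit in the mask cannot be represented, so skip it. */
            if ((unsigned)sig < sizeof(empty_trap_mask) * 8)
                empty_trap_mask |= 1ULL << sig;
        }
    }

    /* Bounded write: param_buf's size is derived from the format above;
     * passing it keeps a future format change from overrunning it. */
    snprintf(param_buf, sizeof(param_buf), NOMMU_HACK_FMT
            , (unsigned) G.root_pid
            , (unsigned) G.root_ppid
            , (unsigned) G.last_bg_pid
            , (unsigned) G.last_exitcode
            , cnt
            , empty_trap_mask
            IF_HUSH_LOOPS(, G.depth_of_loop)
            );
# undef NOMMU_HACK_FMT
    /* 1:hush 2:-$<pid>:<pid>:<exitcode>:<etc...> <vars...> <funcs...>
     * 3:-c 4:<cmd> 5:<arg0> <argN...> 6:NULL
     */
    cnt += 6;
    /* Two slots per variable passed below. This count does not skip
     * hush_version_str, so it may reserve two slots more than are used;
     * the array is zeroed, so the spare slots stay NULL. */
    for (cur = G.top_var; cur; cur = cur->next) {
        if (!cur->flg_export || cur->flg_read_only)
            cnt += 2;
    }
# if ENABLE_HUSH_FUNCTIONS
    for (funcp = G.top_func; funcp; funcp = funcp->next)
        cnt += 3;
# endif
    pp = g_argv;
    while (*pp++)
        cnt++;
    *to_free = argv = pp = xzalloc(sizeof(argv[0]) * cnt);
    *pp++ = (char *) G.argv0_for_re_execing;
    *pp++ = param_buf;
    for (cur = G.top_var; cur; cur = cur->next) {
        if (strcmp(cur->varstr, hush_version_str) == 0)
            continue;
        if (cur->flg_read_only) {
            *pp++ = (char *) "-R";
            *pp++ = cur->varstr;
        } else if (!cur->flg_export) {
            *pp++ = (char *) "-V";
            *pp++ = cur->varstr;
        }
    }
# if ENABLE_HUSH_FUNCTIONS
    for (funcp = G.top_func; funcp; funcp = funcp->next) {
        *pp++ = (char *) "-F";
        *pp++ = funcp->name;
        *pp++ = funcp->body_as_string;
    }
# endif
    /* We can pass activated traps here. Say, -Tnn:trap_string
     *
     * However, POSIX says that subshells reset signals with traps
     * to SIG_DFL.
     * I tested bash-3.2 and it not only does that with true subshells
     * of the form ( list ), but with any forked children shells.
     * I set trap "echo W" WINCH; and then tried:
     *
     * { echo 1; sleep 20; echo 2; } &
     * while true; do echo 1; sleep 20; echo 2; break; done &
     * true | { echo 1; sleep 20; echo 2; } | cat
     *
     * In all these cases sending SIGWINCH to the child shell
     * did not run the trap. If I add trap "echo V" WINCH;
     * _inside_ group (just before echo 1), it works.
     *
     * I conclude it means we don't need to pass active traps here.
     */
    *pp++ = (char *) "-c";
    *pp++ = (char *) s;
    if (builtin_argv) {
        while (*++builtin_argv)
            *pp++ = *builtin_argv;
        *pp++ = (char *) "";
    }
    *pp++ = g_argv0;
    while (*g_argv)
        *pp++ = *g_argv++;
    /* *pp = NULL; - is already there */
    pp = environ;

 do_exec:
    debug_printf_exec("re_execute_shell pid:%d cmd:'%s'\n", getpid(), s);
    /* Don't propagate SIG_IGN to the child */
    if (SPECIAL_JOBSTOP_SIGS != 0)
        switch_off_special_sigs(G.special_sig_mask & SPECIAL_JOBSTOP_SIGS);
    execve(bb_busybox_exec_path, argv, pp);
    /* Fallback. Useful for init=/bin/hush usage etc */
    if (argv[0][0] == '/')
        execve(argv[0], argv, pp);
    xfunc_error_retval = 127;
    bb_error_msg_and_die("can't re-execute the shell");
}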
5727#endif  /* !BB_MMU */
5728
5729
/* Forward declaration: used by parse_and_run_stream() below; the
 * definition is not in this part of the file. */
static int run_and_free_list(struct pipe *pi);
5731
/* Executing from string: eval, sh -c '...'
 *          or from file: /etc/profile, . file, sh <script>, sh (interactive)
 * end_trigger controls how often we stop parsing
 * NUL: parse all, execute, return
 * ';': parse till ';' or newline, execute, repeat till EOF
 */
static void parse_and_run_stream(struct in_str *inp, int end_trigger)
{
    /* Tracks whether anything has been parsed so far.
     * An obscure corner case "false; ``; echo $?":
     * empty command in `` should still set $? to 0.
     * But we can't just set $? to 0 at the start,
     * this breaks "false; echo `echo $?`" case.
     */
    bool nothing_seen = 1;

    for (;;) {
        struct pipe *pipe_list;

#if ENABLE_HUSH_INTERACTIVE
        if (end_trigger == ';')
            inp->promptmode = 0; /* PS1 */
#endif
        pipe_list = parse_stream(NULL, inp, end_trigger);
        if (!pipe_list || pipe_list == ERR_PTR) { /* EOF/error */
            /* Parse error in a "big" script (not in `cmd` or
             * something similar): skip the rest of the line
             * and keep going. */
            if (pipe_list == ERR_PTR && end_trigger == ';') {
                int ch;

                /* Discard cached input (rest of line) */
                for (ch = inp->last_char; ch != EOF && ch != '\n'; )
                    ch = i_getch(inp);
                /* Force prompt */
                inp->p = NULL;
                /* This stream isn't empty */
                nothing_seen = 0;
                continue;
            }
            /* Clean EOF with nothing parsed at all: $? becomes 0 */
            if (!pipe_list && nothing_seen)
                G.last_exitcode = 0;
            break;
        }
        debug_print_tree(pipe_list, 0);
        debug_printf_exec("parse_and_run_stream: run_and_free_list\n");
        run_and_free_list(pipe_list);
        nothing_seen = 0;
#if ENABLE_HUSH_FUNCTIONS
        /* "return" was executed: stop processing this stream */
        if (G.flag_return_in_progress == 1)
            break;
#endif
    }
}
5786
/* Parse all of string s, then execute it (end_trigger NUL). */
static void parse_and_run_string(const char *s)
{
    struct in_str str_input;

    setup_string_in_str(&str_input, s);
    parse_and_run_stream(&str_input, '\0');
}
5793
/* Parse and execute stream f piecewise: up to each ';' or newline,
 * repeating till EOF (end_trigger ';'). */
static void parse_and_run_file(FILE *f)
{
    struct in_str file_input;

    setup_file_in_str(&file_input, f);
    parse_and_run_stream(&file_input, ';');
}
5800
5801#if ENABLE_HUSH_TICK
/* Start a child that runs command string s with its stdout connected to
 * a pipe. Stores the child's pid in *pid_p and returns a FILE for the
 * read end of the pipe (marked close-on-exec). The caller reads the
 * output, closes the stream and waits for the pid.
 *
 * MMU: the child is forked and runs s itself.
 * NOMMU: the child is vforked and re-executes the shell to run s. */
static FILE *generate_stream_from_string(const char *s, pid_t *pid_p)
{
    pid_t child;
    int pipefd[2];
# if !BB_MMU
    char **to_free = NULL;
# endif

    xpipe(pipefd);
    child = BB_MMU ? xfork() : xvfork();
    if (child == 0) { /* child */
        disable_restore_tty_pgrp_on_exit();
        /* Process substitution is not considered to be usual
         * 'command execution'.
         * SUSv3 says ctrl-Z should be ignored, ctrl-C should not.
         */
        bb_signals((1 << SIGTSTP) | (1 << SIGTTIN) | (1 << SIGTTOU), SIG_IGN);
        CLEAR_RANDOM_T(&G.random_gen); /* or else $RANDOM repeats in child */
        close(pipefd[0]); /* NB: close _first_, then move fd! */
        xmove_fd(pipefd[1], 1);
        /* Prevent it from trying to handle ctrl-z etc */
        IF_HUSH_JOB(G.run_list_level = 1;)
        /* Awful hack for `trap` or $(trap).
         *
         * http://www.opengroup.org/onlinepubs/009695399/utilities/trap.html
         * contains an example where "trap" is executed in a subshell:
         *
         * save_traps=$(trap)
         * ...
         * eval "$save_traps"
         *
         * The standard does not require "trap" in a subshell to print
         * the parent shell's traps, but that (non-normative) example
         * implies it. bash implements it (traps are reset to defaults,
         * but "trap" still shows them), and as a result its rules for
         * when traps are forgotten get complex and inconsistent:
         *
         * # trap
         * trap -- 'echo Ho' SIGWINCH  <--- we have a handler
         * # (trap)        <--- trap is in subshell - no output (correct, traps are reset)
         * # true | trap   <--- trap is in subshell - no output (ditto)
         * # echo `true | trap`    <--- in subshell - output (but traps are reset!)
         * trap -- 'echo Ho' SIGWINCH
         * # echo `(trap)`         <--- in subshell in subshell - output
         * trap -- 'echo Ho' SIGWINCH
         * # echo `true | (trap)`  <--- in subshell in subshell in subshell - output!
         * trap -- 'echo Ho' SIGWINCH
         *
         * Our solution: ONLY bare $(trap) or `trap` is special.
         */
        s = skip_whitespace(s);
        if (strncmp(s, "trap", 4) == 0 && skip_whitespace(s + 4)[0] == '\0') {
            static const char *const no_args[] = { NULL, NULL };
            builtin_trap((char**)no_args);
            exit(0); /* not _exit() - we need to fflush */
        }
# if BB_MMU
        reset_traps_to_defaults();
        parse_and_run_string(s);
        _exit(G.last_exitcode);
# else
    /* We re-execute after vfork on NOMMU. This makes this script safe:
     * yes "0123456789012345678901234567890" | dd bs=32 count=64k >BIG
     * huge=`cat BIG` # was blocking here forever
     * echo OK
     */
        re_execute_shell(&to_free,
                s,
                G.global_argv[0],
                G.global_argv + 1,
                NULL);
# endif
    }

    /* parent */
    *pid_p = child;
# if ENABLE_HUSH_FAST
    G.count_SIGCHLD++;
# endif
    enable_restore_tty_pgrp_on_exit();
# if !BB_MMU
    free(to_free);
# endif
    close(pipefd[1]);
    close_on_exec_on(pipefd[0]);
    return xfdopen_for_read(pipefd[0]);
}
5904
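/* Run s as a command substitution and append its output to dest.
 * Newlines are only emitted once a later non-newline byte arrives, so
 * trailing newlines of the output are dropped; other bytes are added
 * with o_addQchr().
 *
 * Return code is exit status of the process that is run.
 * If the process was killed by a signal, 128 + signal number is returned
 * (WEXITSTATUS alone would report such a death as 0). If the wait itself
 * fails, status is never written, so 1 is returned instead of a value
 * derived from an uninitialized variable. */
static int process_command_subs(o_string *dest, const char *s)
{
    FILE *fp;
    struct in_str pipe_str;
    pid_t pid;
    int status, ch, eol_cnt;
    int exitcode;

    fp = generate_stream_from_string(s, &pid);

    /* Now send results of command back into original context */
    setup_file_in_str(&pipe_str, fp);
    eol_cnt = 0;
    while ((ch = i_getch(&pipe_str)) != EOF) {
        if (ch == '\n') {
            /* hold newlines back until we know they are not trailing */
            eol_cnt++;
            continue;
        }
        while (eol_cnt) {
            o_addchr(dest, '\n');
            eol_cnt--;
        }
        o_addQchr(dest, ch);
    }

    debug_printf("done reading from `cmd` pipe, closing it\n");
    fclose(fp);
    /* We need to extract exitcode. Test case
     * "true; echo `sleep 1; false` $?"
     * should print 1 */
    if (safe_waitpid(pid, &status, 0) < 0) {
        /* NOTE(review): 1 is a generic failure code chosen here;
         * adjust if the shell has a convention for "could not wait" */
        exitcode = 1;
    } else if (WIFSIGNALED(status)) {
        exitcode = 128 + WTERMSIG(status);
    } else {
        exitcode = WEXITSTATUS(status);
    }
    debug_printf("child exited. returning its exitcode:%d\n", exitcode);
    return exitcode;
}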
5939#endif /* ENABLE_HUSH_TICK */
5940
5941
/* Make redir->rd_fd the read end of a pipe that delivers the heredoc body.
 *
 * The body is expanded first unless HEREDOC_QUOTED is set in rd_dup.
 * The function then tries to push the whole body into the pipe with
 * non-blocking writes; if the pipe takes all of it, no process is
 * created. Otherwise a child/grandchild pair is created and the
 * grandchild does the (possibly blocking) writing. */
static void setup_heredoc(struct redir_struct *redir)
{
    struct fd_pair pair;
    pid_t pid;
    int len, written;
    /* the _body_ of heredoc (misleading field name) */
    const char *heredoc = redir->rd_filename;
    char *expanded;
#if !BB_MMU
    char **to_free;
#endif

    expanded = NULL;
    if (!(redir->rd_dup & HEREDOC_QUOTED)) {
        expanded = encode_then_expand_string(heredoc, /*process_bkslash:*/ 1, /*unbackslash:*/ 1);
        if (expanded)
            heredoc = expanded;
    }
    /* NOTE(review): strlen() result is stored in an int */
    len = strlen(heredoc);

    close(redir->rd_fd); /* often saves dup2+close in xmove_fd */
    xpiped_pair(pair);
    xmove_fd(pair.rd, redir->rd_fd);

    /* Try writing without forking. Newer kernels have
     * dynamically growing pipes. Must use non-blocking write! */
    ndelay_on(pair.wr);
    while (1) {
        written = write(pair.wr, heredoc, len);
        /* error, or the pipe is full: fall back to the forking path */
        if (written <= 0)
            break;
        len -= written;
        if (len == 0) {
            /* everything fit into the pipe buffer */
            close(pair.wr);
            free(expanded);
            return;
        }
        heredoc += written;
    }
    ndelay_off(pair.wr);

    /* Okay, pipe buffer was not big enough */
    /* Note: we must not create a stray child
     * for the unsuspecting parent process. Child creates a grandchild
     * and exits before parent execs the process which consumes heredoc
     * (that exec happens after we return from this function) */
#if !BB_MMU
    to_free = NULL;
#endif
    pid = xvfork();
    if (pid == 0) {
        /* child */
        disable_restore_tty_pgrp_on_exit();
        pid = BB_MMU ? xfork() : xvfork();
        if (pid != 0)
            _exit(0);
        /* grandchild */
        close(redir->rd_fd); /* read side of the pipe */
#if BB_MMU
        /* heredoc/len were advanced above: only the unwritten rest is sent */
        full_write(pair.wr, heredoc, len); /* may loop or block */
        _exit(0);
#else
        /* Delegate blocking writes to another process */
        xmove_fd(pair.wr, STDOUT_FILENO);
        re_execute_shell(&to_free, heredoc, NULL, NULL, NULL);
#endif
    }
    /* parent */
#if ENABLE_HUSH_FAST
    G.count_SIGCHLD++;
//bb_error_msg("[%d] fork in setup_heredoc: G.count_SIGCHLD:%d G.handled_SIGCHLD:%d", getpid(), G.count_SIGCHLD, G.handled_SIGCHLD);
#endif
    enable_restore_tty_pgrp_on_exit();
#if !BB_MMU
    free(to_free);
#endif
    close(pair.wr);
    free(expanded);
    /* NOTE(review): wait() returns for whichever child terminates first,
     * not necessarily the intermediate child created above; waiting on
     * that pid specifically would avoid consuming another child's
     * status - confirm against the job handling code. */
    wait(NULL); /* wait till child has died */
}
6022
/* Apply all redirections of prog, in list order.
 *
 * squirrel != NULL means we squirrel away copies of stdin, stdout,
 * and stderr if they are redirected (one dup() per fd, taken the first
 * time that fd is touched, while squirrel[fd] is still negative).
 *
 * Returns 0 on success, 1 as soon as a redirect target cannot be opened;
 * redirections applied before the failure stay in effect.
 *
 * NOTE(review): the dup() result is stored unchecked; if it fails,
 * squirrel[fd] stays negative and restore_redirects() will not put that
 * descriptor back. */
static int setup_redirects(struct command *prog, int squirrel[])
{
    struct redir_struct *rd;
    int newfd, open_mode;

    for (rd = prog->redirects; rd; rd = rd->next) {
        if (rd->rd_type == REDIRECT_HEREDOC2) {
            /* rd_fd<<HERE case */
            if (squirrel && rd->rd_fd < 3 && squirrel[rd->rd_fd] < 0)
                squirrel[rd->rd_fd] = dup(rd->rd_fd);
            /* for REDIRECT_HEREDOC2, rd_filename holds _contents_
             * of the heredoc */
            debug_printf_parse("set heredoc '%s'\n",
                    rd->rd_filename);
            setup_heredoc(rd);
            continue;
        }

        if (rd->rd_dup != REDIRFD_TO_FILE) {
            /* rd_fd<*>rd_dup or rd_fd<*>- cases */
            newfd = rd->rd_dup;
        } else {
            /* rd_fd<*>file case (<*> is <,>,>>,<>) */
            char *fname;

            if (rd->rd_filename == NULL) {
                /* Something went wrong in the parse.
                 * Pretend it didn't happen */
                bb_error_msg("bug in redirect parse");
                continue;
            }
            open_mode = redir_table[rd->rd_type].mode;
            /* the target name is subject to expansion before open */
            fname = expand_string_to_string(rd->rd_filename, /*unbackslash:*/ 1);
            newfd = open_or_warn(fname, open_mode);
            free(fname);
            /* open_or_warn's message could get lost if stderr has
             * been redirected, but bash and ash both lose it as well
             * (though zsh doesn't!) */
            if (newfd < 0)
                return 1;
        }

        if (newfd == rd->rd_fd)
            continue; /* already in place */

        if (squirrel && rd->rd_fd < 3 && squirrel[rd->rd_fd] < 0)
            squirrel[rd->rd_fd] = dup(rd->rd_fd);

        if (newfd == REDIRFD_CLOSE) {
            /* "n>-" means "close me" */
            close(rd->rd_fd);
            continue;
        }
        xdup2(newfd, rd->rd_fd);
        /* only descriptors we opened ourselves are closed again */
        if (rd->rd_dup == REDIRFD_TO_FILE)
            close(newfd);
    }
    return 0;
}
6088
/* Move every saved descriptor in squirrel[0..2] back onto fd 0..2.
 * Entries equal to -1 are skipped. (setup_redirects() treats any
 * negative entry as "not saved"; here only -1 is.) */
static void restore_redirects(int squirrel[])
{
    int fd;

    for (fd = 0; fd < 3; fd++) {
        int saved = squirrel[fd];

        if (saved == -1)
            continue;
        /* We simply die on error */
        xmove_fd(saved, fd);
    }
}
6100
/* Look arg up in each directory of the shell variable PATH and return a
 * malloced "dir/arg" string for the first one that exists, or NULL if
 * PATH is unset or nothing was found. The caller frees the result.
 *
 * The test is access(F_OK): existence only, at lookup time. It says
 * nothing about the entry being executable or a regular file, and the
 * file can change between this check and its later use.
 * An empty PATH component makes arg resolve relative to the current
 * directory. */
static char *find_in_path(const char *arg)
{
    const char *dir = get_local_var_value("PATH");
    char *candidate;

    if (dir == NULL)
        return NULL;

    for (;;) {
        const char *sep = strchrnul(dir, ':');
        int dir_len = sep - dir; /* must be int! (it feeds "%.*s") */

        if (dir_len == 0) {
            /* We have xxx::yyyy in $PATH,
             * it means "use current dir" */
            candidate = xstrdup(arg);
        } else {
            candidate = xasprintf("%.*s/%s", dir_len, dir, arg);
        }
        if (access(candidate, F_OK) == 0)
            return candidate;

        free(candidate);
        if (*sep == '\0')
            return NULL; /* that was the last component */
        dir = sep + 1;
    }
}
6133
/*
 * Linear search of the half-open table range [x, end) for an entry whose
 * b_cmd is exactly "name" (strcmp, case-sensitive).
 * Returns the matching entry, or NULL when there is none.
 */
static const struct built_in_command *find_builtin_helper(const char *name,
        const struct built_in_command *x,
        const struct built_in_command *end)
{
    const struct built_in_command *entry;

    for (entry = x; entry != end; entry++) {
        if (strcmp(name, entry->b_cmd) == 0) {
            debug_printf_exec("found builtin '%s'\n", name);
            return entry;
        }
    }
    return NULL;
}
/* Look "name" up in the bltins1 table only; NULL when it is not there. */
static const struct built_in_command *find_builtin1(const char *name)
{
    const struct built_in_command *const table_end = bltins1 + ARRAY_SIZE(bltins1);

    return find_builtin_helper(name, bltins1, table_end);
}
/*
 * Look "name" up in bltins1 first and, failing that, in bltins2.
 * Returns the table entry, or NULL when neither table has it.
 */
static const struct built_in_command *find_builtin(const char *name)
{
    const struct built_in_command *hit = find_builtin1(name);

    if (hit == NULL)
        hit = find_builtin_helper(name, bltins2, bltins2 + ARRAY_SIZE(bltins2));
    return hit;
}
6159
6160#if ENABLE_HUSH_FUNCTIONS
/*
 * Walk the G.top_func list and return the address of the link that points
 * at the function called "name". When no such function exists, the
 * returned link is the list's terminating NULL pointer, so a caller can
 * append a new entry by storing through it. The return value itself is
 * never NULL.
 */
static struct function **find_function_slot(const char *name)
{
    struct function **link;

    for (link = &G.top_func; *link != NULL; link = &(*link)->next) {
        if (strcmp(name, (*link)->name) == 0)
            break;
    }
    return link;
}
6172
/*
 * Read-only lookup of the shell function "name".
 * Returns the entry, or NULL when no function of that name is defined.
 */
static const struct function *find_function(const char *name)
{
    const struct function *found = *find_function_slot(name);

    if (found == NULL)
        return NULL;

    debug_printf_exec("found function '%s'\n", name);
    return found;
}
6180
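/*
 * Create the function "name", or recycle the existing entry of that name,
 * and return it with ->name set. The body is left for the caller to fill in.
 *
 * Ownership: takes ownership of the "name" pointer.
 *
 * When an entry of that name already exists:
 * - parent_cmd == NULL: the old definition is discarded here.
 * - parent_cmd != NULL: the old name and body are handed back to that
 *   command (argv[0], group, and group_as_string on !BB_MMU), not freed.
 */
static struct function *new_function(char *name)
{
    struct function **funcpp = find_function_slot(name);
    struct function *funcp = *funcpp;

    if (funcp == NULL) {
        debug_printf_exec("remembering new function '%s'\n", name);
        /* funcpp is the list's terminating link: store appends the entry */
        funcp = *funcpp = xzalloc(sizeof(*funcp));
        /*funcp->next = NULL;*/
    } else {
        struct command *cmd = funcp->parent_cmd;
        debug_printf_exec("func %p parent_cmd %p\n", funcp, cmd);
        if (!cmd) {
            debug_printf_exec("freeing & replacing function '%s'\n", funcp->name);
            /* A NULL body marks a "-F name body" function. unset_func()
             * documents that neither ->name nor ->body_as_string of such
             * a function was malloced, so nothing is freed for it.
             * free(funcp->name) used to run unconditionally here, which
             * for a "-F" function hands a non-heap pointer to free().
             * On MMU the body is always non-NULL, so nothing changes. */
            if (funcp->body) {
                free_pipe_list(funcp->body);
                free(funcp->name);
# if !BB_MMU
                free(funcp->body_as_string);
# endif
            }
        } else {
            debug_printf_exec("reinserting in tree & replacing function '%s'\n", funcp->name);
            cmd->argv[0] = funcp->name;
            cmd->group = funcp->body;
# if !BB_MMU
            cmd->group_as_string = funcp->body_as_string;
# endif
        }
    }

    funcp->name = name;
    return funcp;
}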
6219
/*
 * Unlink the function "name" from the G.top_func list and release it.
 * Does nothing when no function of that name exists.
 */
static void unset_func(const char *name)
{
    struct function **link = find_function_slot(name);
    struct function *fn = *link;

    if (fn == NULL)
        return;

    debug_printf_exec("freeing function '%s'\n", fn->name);
    *link = fn->next;
    /* fn is off the list now and can be destroyed.
     * A NULL ->body means the function was created by "-F name body":
     * its ->body_as_string and ->name were not malloced and must not
     * be passed to free(). */
    if (fn->body) {
        free_pipe_list(fn->body);
        free(fn->name);
# if !BB_MMU
        free(fn->body_as_string);
# endif
    }
    free(fn);
}
6242
# if BB_MMU
/* The MMU branch below never uses to_free, so this macro drops the first
 * argument from the prototype, the definition and the calls that follow. */
#define exec_function(to_free, funcp, argv) \
    exec_function(funcp, argv)
# endif
static void exec_function(char ***to_free,
        const struct function *funcp,
        char **argv) NORETURN;
/*
 * Run the shell function "funcp" as the rest of this process's life;
 * declared NORETURN.
 *
 * MMU:  argv[0] is overwritten with the current G.global_argv[0], argv
 *       becomes G.global_argv, the body is run and the process _exit()s
 *       with run_list()'s result.
 * !MMU: the body text, G.global_argv[0] and argv + 1 are handed to
 *       re_execute_shell() (presumably it does not return -- confirm).
 */
static void exec_function(char ***to_free,
        const struct function *funcp,
        char **argv)
{
# if BB_MMU
    int argc;
    int status;

    argv[0] = G.global_argv[0];
    G.global_argv = argv;
    /* Count entries up to the NULL terminator; argv[0] always counts */
    for (argc = 1; argv[argc] != NULL; argc++)
        continue;
    G.global_argc = argc;
    /* On MMU, funcp->body is always non-NULL */
    status = run_list(funcp->body);
    /* Flush before _exit(); the flush is explicit in the original too */
    fflush_all();
    _exit(status);
# else
    re_execute_shell(to_free,
            funcp->body_as_string,
            G.global_argv[0],
            argv + 1,
            NULL);
# endif
}
6274
6275static int run_function(const struct function *funcp, char **argv)
6276{
6277    int rc;
6278    save_arg_t sv;
6279    smallint sv_flg;
6280
6281    save_and_replace_G_args(&sv, argv);
6282
6283    /* "we are in function, ok to use return" */
6284    sv_flg = G.flag_return_in_progress;
6285    G.flag_return_in_progress = -1;
6286# if ENABLE_HUSH_LOCAL
6287    G.func_nest_level++;
6288# endif
6289
6290    /* On MMU, funcp->body is always non-NULL */
6291# if !BB_MMU
6292    if (!funcp->body) {
6293        /* Function defined by -F */
6294        parse_and_run_string(funcp->body_as_string);
6295        rc = G.last_exitcode;
6296    } else
6297# endif
6298    {
6299        rc = run_list(funcp->body);
6300    }
6301
6302# if ENABLE_HUSH_LOCAL
6303    {
6304        struct variable *var;
6305        struct variable **var_pp;
6306
6307        var_pp = &G.top_var;
6308        while ((var = *var_pp) != NULL) {
6309            if (var->func_nest_level < G.func_nest_level) {
6310                var_pp = &var->next;
6311                continue;
6312            }
6313            /* Unexport */
6314            if (var->flg_export)
6315                bb_unsetenv(var->varstr);
6316            /* Remove from global list */
6317            *var_pp = var->next;
6318            /* Free */
6319            if (!var->max_len)
6320                free(var->varstr);
6321            free(var);
6322        }
6323        G.func_nest_level--;