On Wed, Aug 13, 2025 at 04:11:33PM +0200, Pablo Neira Ayuso wrote: > Uncovered by the compound_expr_remove() replacement by type safe function > coming after this patch. > > Add expression to the concatenation which is reachable via expr_value(). > > This bug is subtle, I could not spot any reproducible buggy behaviour > when using the wrong type when running the existing tests. So assuming start->etype is EXPR_SET_ELEM and start->key->etype is EXPR_CONCAT, then the wrong call will change start->expiration instead of start->key->expr_concat.size. Since this is immediately followed by a call to 'expr_free(start)', the bogus value in start->expiration has no effect and since compound_expr_destroy() does not care about the value in 'size', its wrong value has no effect either. Correct? :) Cheers, Phil
