hush: fix mishandling of a'b'c=fff as assignments. They are not.

function                                             old     new   delta
parse_stream                                        1920    2004     +84
done_word                                            715     752     +37
parse_and_run_stream                                 328     333      +5
builtin_exec                                          25      29      +4
pseudo_exec_argv                                     138     139      +1
run_list                                            2006    1999      -7
is_assignment                                        215     134     -81
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 5/2 up/down: 131/-88)            Total: 43 bytes

diff --git a/shell/hush.c b/shell/hush.c
index ce25e12..78622d1 100644
--- a/shell/hush.c
+++ b/shell/hush.c
@@ -318,10 +318,12 @@
 
 struct child_prog {
 	pid_t pid;                  /* 0 if exited */
+	int assignment_cnt;         /* how many argv[i] are assignments? */
 	smallint is_stopped;        /* is the program currently running? */
 	smallint subshell;          /* flag, non-zero if group must be forked */
+	struct pipe *group;         /* if non-NULL, this "prog" is {} group,
+	                             * subshell, or a compound statement */
 	char **argv;                /* program name and arguments */
-	struct pipe *group;         /* if non-NULL, first in group or subshell */
 	struct redir_struct *redirects; /* I/O redirections */
 };
 /* argv vector may contain variable references (^Cvar^C, ^C0^C etc)
@@ -377,6 +379,7 @@
 	MAYBE_ASSIGNMENT = 0,
 	DEFINITELY_ASSIGNMENT = 1,
 	NOT_ASSIGNMENT = 2,
+	WORD_IS_KEYWORD = 3, /* not assigment, but next word may be: "if v=xyz cmd;" */
 };
 /* Used for initialization: o_string foo = NULL_O_STRING; */
 #define NULL_O_STRING { NULL }
@@ -430,7 +433,6 @@
 	pid_t last_bg_pid;
 #if ENABLE_HUSH_JOB
 	int run_list_level;
-//	pid_t saved_task_pgrp;
 	pid_t saved_tty_pgrp;
 	int last_jobid;
 	struct pipe *job_list;
@@ -524,10 +526,12 @@
 static int setup_redirects(struct child_prog *prog, int squirrel[]);
 static int run_list(struct pipe *pi);
 #if BB_MMU
-#define pseudo_exec_argv(ptrs2free, argv, argv_expanded) pseudo_exec_argv(argv, argv_expanded)
-#define      pseudo_exec(ptrs2free, child, argv_expanded)     pseudo_exec(child, argv_expanded)
+#define pseudo_exec_argv(ptrs2free, argv, assignment_cnt, argv_expanded) \
+	pseudo_exec_argv(argv, assignment_cnt, argv_expanded)
+#define pseudo_exec(ptrs2free, child, argv_expanded) \
+	pseudo_exec(child, argv_expanded)
 #endif
-static void pseudo_exec_argv(char **ptrs2free, char **argv, char **argv_expanded) NORETURN;
+static void pseudo_exec_argv(char **ptrs2free, char **argv, int assignment_cnt, char **argv_expanded) NORETURN;
 static void pseudo_exec(char **ptrs2free, struct child_prog *child, char **argv_expanded) NORETURN;
 static int run_pipe(struct pipe *pi);
 /*   data structure manipulation: */
@@ -1390,13 +1394,13 @@
  * XXX no exit() here.  If you don't exec, use _exit instead.
  * The at_exit handlers apparently confuse the calling process,
  * in particular stdin handling.  Not sure why? -- because of vfork! (vda) */
-static void pseudo_exec_argv(char **ptrs2free, char **argv, char **argv_expanded)
+static void pseudo_exec_argv(char **ptrs2free, char **argv, int assignment_cnt, char **argv_expanded)
 {
 	int i, rcode;
 	char *p;
 	const struct built_in_command *x;
 
-	for (i = 0; is_assignment(argv[i]); i++) {
+	for (i = 0; i < assignment_cnt; i++) {
 		debug_printf_exec("pid %d environment modification: %s\n",
 				getpid(), argv[i]);
 		p = expand_string_to_string(argv[i]);
@@ -1466,7 +1470,7 @@
 static void pseudo_exec(char **ptrs2free, struct child_prog *child, char **argv_expanded)
 {
 	if (child->argv)
-		pseudo_exec_argv(ptrs2free, child->argv, argv_expanded);
+		pseudo_exec_argv(ptrs2free, child->argv, child->assignment_cnt, argv_expanded);
 
 	if (child->group) {
 #if !BB_MMU
@@ -1713,8 +1717,6 @@
 	p = getpgid(0); /* pgid of our process */
 	debug_printf_jobs("fg'ing ourself: getpgid(0)=%d\n", (int)p);
 	tcsetpgrp(G.interactive_fd, p);
-//	if (tcsetpgrp(G.interactive_fd, p) && errno != ENOTTY)
-//		bb_perror_msg("tcsetpgrp-4a");
 	return rcode;
 }
 #endif
@@ -1780,8 +1782,7 @@
 	argv = child->argv;
 
 	if (single_and_fg && argv != NULL) {
-		for (i = 0; is_assignment(argv[i]); i++)
-			continue;
+		i = child->assignment_cnt;
 		if (i != 0 && argv[i] == NULL) {
 			/* assignments, but no command: set local environment */
 			for (i = 0; argv[i] != NULL; i++) {
@@ -1793,7 +1794,7 @@
 		}
 
 		/* Expand assignments into one string each */
-		for (i = 0; is_assignment(argv[i]); i++) {
+		for (i = 0; i < child->assignment_cnt; i++) {
 			p = expand_string_to_string(argv[i]);
 			putenv(p);
 //FIXME: do we leak p?!
@@ -1991,7 +1992,7 @@
 			struct child_prog *child = &pi->progs[prn];
 			char **argv = child->argv;
 
-			fprintf(stderr, "%*s prog %d", lvl*2, "", prn);
+			fprintf(stderr, "%*s prog %d assignment_cnt:%d", lvl*2, "", prn, child->assignment_cnt);
 			if (child->group) {
 				fprintf(stderr, " group %s: (argv=%p)\n",
 						(child->subshell ? "()" : "{}"),
@@ -2165,30 +2166,31 @@
 				vals = (char**)encoded_dollar_at_argv;
 				if (pi->next->res_word == RES_IN) {
 					/* if no variable values after "in" we skip "for" */
-					if (!pi->next->progs->argv)
+					if (!pi->next->progs[0].argv)
 						break;
-					vals = pi->next->progs->argv;
+					vals = pi->next->progs[0].argv;
 				} /* else: "for var; do..." -> assume "$@" list */
 				/* create list of variable values */
 				debug_print_strings("for_list made from", vals);
 				for_list = expand_strvec_to_strvec(vals);
 				for_lcur = for_list;
 				debug_print_strings("for_list", for_list);
-				for_varname = pi->progs->argv[0];
-				pi->progs->argv[0] = NULL;
+				for_varname = pi->progs[0].argv[0];
+				pi->progs[0].argv[0] = NULL;
 			}
-			free(pi->progs->argv[0]);
+			free(pi->progs[0].argv[0]);
 			if (!*for_lcur) {
 				/* "for" loop is over, clean up */
 				free(for_list);
 				for_list = NULL;
 				for_lcur = NULL;
-				pi->progs->argv[0] = for_varname;
+				pi->progs[0].argv[0] = for_varname;
 				break;
 			}
 			/* insert next value from for_lcur */
 //TODO: does it need escaping?
-			pi->progs->argv[0] = xasprintf("%s=%s", for_varname, *for_lcur++);
+			pi->progs[0].argv[0] = xasprintf("%s=%s", for_varname, *for_lcur++);
+			pi->progs[0].assignment_cnt = 1;
 		}
 		if (rword == RES_IN) /* "for v IN list;..." - "in" has no cmds anyway */
 			continue;
@@ -2902,11 +2904,12 @@
  * case, function, and select are obnoxious, save those for later.
  */
 #if HAS_KEYWORDS
-static int reserved_word(const o_string *word, struct p_context *ctx)
+static int reserved_word(o_string *word, struct p_context *ctx)
 {
 	struct reserved_combo {
-		char literal[7];
+		char literal[6];
 		unsigned char res;
+		unsigned char assignment_flag;
 		int flag;
 	};
 	enum {
@@ -2939,29 +2942,29 @@
 	 */
 	static const struct reserved_combo reserved_list[] = {
 #if ENABLE_HUSH_IF
-		{ "!",     RES_NONE,  0 },
-		{ "if",    RES_IF,    FLAG_THEN | FLAG_START },
-		{ "then",  RES_THEN,  FLAG_ELIF | FLAG_ELSE | FLAG_FI },
-		{ "elif",  RES_ELIF,  FLAG_THEN },
-		{ "else",  RES_ELSE,  FLAG_FI   },
-		{ "fi",    RES_FI,    FLAG_END  },
+		{ "!",     RES_NONE,  NOT_ASSIGNMENT , 0 },
+		{ "if",    RES_IF,    WORD_IS_KEYWORD, FLAG_THEN | FLAG_START },
+		{ "then",  RES_THEN,  WORD_IS_KEYWORD, FLAG_ELIF | FLAG_ELSE | FLAG_FI },
+		{ "elif",  RES_ELIF,  WORD_IS_KEYWORD, FLAG_THEN },
+		{ "else",  RES_ELSE,  WORD_IS_KEYWORD, FLAG_FI   },
+		{ "fi",    RES_FI,    NOT_ASSIGNMENT , FLAG_END  },
 #endif
 #if ENABLE_HUSH_LOOPS
-		{ "for",   RES_FOR,   FLAG_IN | FLAG_DO | FLAG_START },
-		{ "while", RES_WHILE, FLAG_DO | FLAG_START },
-		{ "until", RES_UNTIL, FLAG_DO | FLAG_START },
-		{ "in",    RES_IN,    FLAG_DO   },
-		{ "do",    RES_DO,    FLAG_DONE },
-		{ "done",  RES_DONE,  FLAG_END  },
+		{ "for",   RES_FOR,   NOT_ASSIGNMENT , FLAG_IN | FLAG_DO | FLAG_START },
+		{ "while", RES_WHILE, WORD_IS_KEYWORD, FLAG_DO | FLAG_START },
+		{ "until", RES_UNTIL, WORD_IS_KEYWORD, FLAG_DO | FLAG_START },
+		{ "in",    RES_IN,    NOT_ASSIGNMENT , FLAG_DO   },
+		{ "do",    RES_DO,    WORD_IS_KEYWORD, FLAG_DONE },
+		{ "done",  RES_DONE,  NOT_ASSIGNMENT , FLAG_END  },
 #endif
 #if ENABLE_HUSH_CASE
-		{ "case",  RES_CASE,  FLAG_MATCH | FLAG_START },
-		{ "esac",  RES_ESAC,  FLAG_END  },
+		{ "case",  RES_CASE,  NOT_ASSIGNMENT , FLAG_MATCH | FLAG_START },
+		{ "esac",  RES_ESAC,  NOT_ASSIGNMENT , FLAG_END  },
 #endif
 	};
 #if ENABLE_HUSH_CASE
 	static const struct reserved_combo reserved_match = {
-		"" /* "match" */, RES_MATCH, FLAG_MATCH | FLAG_ESAC
+		"",        RES_MATCH, NOT_ASSIGNMENT , FLAG_MATCH | FLAG_ESAC
 	};
 #endif
 	const struct reserved_combo *r;
@@ -3008,6 +3011,7 @@
 			*ctx = *old;   /* physical copy */
 			free(old);
 		}
+		word->o_assignment = r->assignment_flag;
 		return 1;
 	}
 	return 0;
@@ -3021,17 +3025,22 @@
 	struct child_prog *child = ctx->child;
 
 	debug_printf_parse("done_word entered: '%s' %p\n", word->data, child);
-	/* If this word wasn't an assignment, next ones definitely
-	 * can't be assignments. Even if they look like ones. */
-	if (word->o_assignment != DEFINITELY_ASSIGNMENT) {
-		word->o_assignment = NOT_ASSIGNMENT;
-	} else {
-		word->o_assignment = MAYBE_ASSIGNMENT;
-	}
 	if (word->length == 0 && word->nonnull == 0) {
 		debug_printf_parse("done_word return 0: true null, ignored\n");
 		return 0;
 	}
+	/* If this word wasn't an assignment, next ones definitely
+	 * can't be assignments. Even if they look like ones. */
+	if (word->o_assignment != DEFINITELY_ASSIGNMENT
+	 && word->o_assignment != WORD_IS_KEYWORD
+	) {
+		word->o_assignment = NOT_ASSIGNMENT;
+	} else {
+		if (word->o_assignment == DEFINITELY_ASSIGNMENT)
+			child->assignment_cnt++;
+		word->o_assignment = MAYBE_ASSIGNMENT;
+	}
+
 	if (ctx->pending_redirect) {
 		/* We do not glob in e.g. >*.tmp case. bash seems to glob here
 		 * only if run as "bash", not "sh" */
@@ -3066,7 +3075,6 @@
 			debug_printf_parse(": checking '%s' for reserved-ness\n", word->data);
 			if (reserved_word(word, ctx)) {
 				o_reset(word);
-				word->o_assignment = NOT_ASSIGNMENT;
 				debug_printf_parse("done_word return %d\n", (ctx->ctx_res_w == RES_SNTX));
 				return (ctx->ctx_res_w == RES_SNTX);
 			}
@@ -3343,11 +3351,6 @@
 			o_addchr(dest, '\n');
 			eol_cnt--;
 		}
-//		/* Even unquoted `echo '\'` results in two backslashes
-//		 * (which are converted into one by globbing later) */
-//		if (!dest->o_quote && ch == '\\') {
-//			o_addchr(dest, ch);
-//		}
 		o_addQchr(dest, ch);
 	}
 
@@ -3367,6 +3370,9 @@
 static int parse_group(o_string *dest, struct p_context *ctx,
 	struct in_str *input, int ch)
 {
+	/* NB: parse_group may create and use its own o_string,
+	 * without any code changes. It just so happens that code is smaller
+	 * if we (ab)use caller's one. */
 	int rcode;
 	const char *endch = NULL;
 	struct p_context sub;
@@ -3624,7 +3630,7 @@
 	 * A single-quote triggers a bypass of the main loop until its mate is
 	 * found.  When recursing, quote state is passed in via dest->o_quote. */
 
-	debug_printf_parse("parse_stream entered, end_trigger='%s'\n", end_trigger);
+	debug_printf_parse("parse_stream entered, end_trigger='%s' dest->o_assignment:%d\n", end_trigger, dest->o_assignment);
 
 	while (1) {
 		m = CHAR_IFS;
@@ -3647,7 +3653,8 @@
 				return 1;
 			}
 			o_addQchr(dest, ch);
-			if (dest->o_assignment == MAYBE_ASSIGNMENT
+			if ((dest->o_assignment == MAYBE_ASSIGNMENT
+			    || dest->o_assignment == WORD_IS_KEYWORD)
 			 && ch == '='
 			 && is_assignment(dest->data)
 			) {
@@ -3676,6 +3683,7 @@
 				}
 #endif
 				done_pipe(ctx, PIPE_SEQ);
+				dest->o_assignment = MAYBE_ASSIGNMENT;
 			}
 		}
 		if (end_trigger) {
@@ -3686,6 +3694,7 @@
 					done_word(dest, ctx);
 //err chk?
 					done_pipe(ctx, PIPE_SEQ);
+					dest->o_assignment = MAYBE_ASSIGNMENT;
 				}
 				if (!HAS_KEYWORDS
 				 IF_HAS_KEYWORDS(|| (ctx->ctx_res_w == RES_NONE && ctx->old_flag == 0))
@@ -3841,6 +3850,10 @@
 				}
 			}
 #endif
+ new_cmd:
+			/* We just finished a cmd. New one may start
+			 * with an assignment */
+			dest->o_assignment = MAYBE_ASSIGNMENT;
 			break;
 		case '&':
 			done_word(dest, ctx);
@@ -3850,14 +3863,14 @@
 			} else {
 				done_pipe(ctx, PIPE_BG);
 			}
-			break;
+			goto new_cmd;
 		case '|':
 			done_word(dest, ctx);
 #if ENABLE_HUSH_CASE
 			if (ctx->ctx_res_w == RES_MATCH)
 				break; /* we are in case's "word | word)" */
 #endif
-			if (next == '|') {
+			if (next == '|') { /* || */
 				i_getch(input);
 				done_pipe(ctx, PIPE_OR);
 			} else {
@@ -3866,7 +3879,7 @@
 				 * "echo foo 2| cat" yields "foo 2". */
 				done_command(ctx);
 			}
-			break;
+			goto new_cmd;
 		case '(':
 #if ENABLE_HUSH_CASE
 			/* "case... in [(]word)..." - skip '(' */
@@ -3881,7 +3894,7 @@
 				debug_printf_parse("parse_stream return 1: parse_group returned non-0\n");
 				return 1;
 			}
-			break;
+			goto new_cmd;
 		case ')':
 #if ENABLE_HUSH_CASE
 			if (ctx->ctx_res_w == RES_MATCH)
@@ -3947,6 +3960,7 @@
 		/* We will stop & execute after each ';' or '\n'.
 		 * Example: "sleep 9999; echo TEST" + ctrl-C:
 		 * TEST should be printed */
+		temp.o_assignment = MAYBE_ASSIGNMENT;
 		rcode = parse_stream(&temp, &ctx, inp, ";\n");
 #if HAS_KEYWORDS
 		if (rcode != 1 && ctx.old_flag != 0) {
@@ -4006,9 +4020,7 @@
 {
 	pid_t shell_pgrp;
 
-//	G.saved_task_pgrp =
 	shell_pgrp = getpgrp();
-//	debug_printf_jobs("saved_task_pgrp=%d\n", G.saved_task_pgrp);
 	close_on_exec_on(G.interactive_fd);
 
 	/* If we were ran as 'hush &',
@@ -4302,7 +4314,7 @@
 		char **ptrs2free = alloc_ptrs(argv);
 #endif
 // FIXME: if exec fails, bash does NOT exit! We do...
-		pseudo_exec_argv(ptrs2free, argv + 1, NULL);
+		pseudo_exec_argv(ptrs2free, argv + 1, 0, NULL);
 		/* never returns */
 	}
 }
diff --git a/shell/hush_test/hush-misc/assignment1.right b/shell/hush_test/hush-misc/assignment1.right
new file mode 100644
index 0000000..d0a13d3
--- /dev/null
+++ b/shell/hush_test/hush-misc/assignment1.right
@@ -0,0 +1,9 @@
+if1:0
+while1:0
+until1:0
+if2:0
+while2:0
+until2:0
+if3:0
+while3:0
+until3:0
diff --git a/shell/hush_test/hush-misc/assignment1.tests b/shell/hush_test/hush-misc/assignment1.tests
new file mode 100755
index 0000000..033b352
--- /dev/null
+++ b/shell/hush_test/hush-misc/assignment1.tests
@@ -0,0 +1,42 @@
+# Assignments after some keywords should still work
+
+if a=1 true; then a=1 true; elif a=1 true; then a=1 true; else a=1 true; fi
+echo if1:$?
+while a=1 true; do a=1 true; break; done
+echo while1:$?
+until a=1 false; do a=1 true; break; done
+echo until1:$?
+
+if a=1 true
+ then a=1 true
+ elif a=1 true
+ then a=1 true
+ else a=1 true
+ fi
+echo if2:$?
+while a=1 true
+ do a=1 true
+ break
+ done
+echo while2:$?
+until a=1 false
+ do a=1 true
+ break
+ done
+echo until2:$?
+
+if
+ a=1 true; then
+ a=1 true; elif
+ a=1 true; then
+ a=1 true; else
+ a=1 true; fi
+echo if3:$?
+while
+ a=1 true; do
+ a=1 true; break; done
+echo while3:$?
+until
+ a=1 false; do
+ a=1 true; break; done
+echo until3:$?
diff --git a/shell/hush_test/hush-misc/assignment2.rigth b/shell/hush_test/hush-misc/assignment2.rigth
new file mode 100644
index 0000000..591552c
--- /dev/null
+++ b/shell/hush_test/hush-misc/assignment2.rigth
@@ -0,0 +1,2 @@
+hush: can't exec 'a=b': No such file or directory
+1
diff --git a/shell/hush_test/hush-misc/assignment2.tests b/shell/hush_test/hush-misc/assignment2.tests
new file mode 100755
index 0000000..540e01e
--- /dev/null
+++ b/shell/hush_test/hush-misc/assignment2.tests
@@ -0,0 +1,4 @@
+# This must not be interpreted as an assignment
+a''=b true
+echo $?
+# (buglet: $? should be 127. it is currently 1)