/* vi: set sw=4 ts=4: */
/*
 * A prototype Bourne shell grammar parser.
 * Intended to follow the original Thompson and Ritchie
 * "small and simple is beautiful" philosophy, which
 * incidentally is a good match to today's BusyBox.
 *
 * Copyright (C) 2000,2001  Larry Doolittle <larry@doolittle.boa.org>
 * Copyright (C) 2008,2009  Denys Vlasenko <vda.linux@googlemail.com>
 *
 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
 *
 * Credits:
 *      The parser routines proper are all original material, first
 *      written Dec 2000 and Jan 2001 by Larry Doolittle.  The
 *      execution engine, the builtins, and much of the underlying
 *      support has been adapted from busybox-0.49pre's lash, which is
 *      Copyright (C) 1999-2004 by Erik Andersen <andersen@codepoet.org>
 *      written by Erik Andersen <andersen@codepoet.org>.  That, in turn,
 *      is based in part on ladsh.c, by Michael K. Johnson and Erik W.
 *      Troan, which they placed in the public domain.  I don't know
 *      how much of the Johnson/Troan code has survived the repeated
 *      rewrites.
 *
 * Other credits:
 *      o_addchr derived from similar w_addchar function in glibc-2.2.
 *      parse_redirect, redirect_opt_num, and big chunks of main
 *      and many builtins derived from contributions by Erik Andersen.
 *      Miscellaneous bugfixes from Matt Kraai.
 *
 * There are two big (and related) architecture differences between
 * this parser and the lash parser.  One is that this version is
 * actually designed from the ground up to understand nearly all
 * of the Bourne grammar.  The second, consequential change is that
 * the parser and input reader have been turned inside out.  Now,
 * the parser is in control, and asks for input as needed.  The old
 * way had the input reader in control, and it asked for parsing to
 * take place as needed.  The new way makes it much easier to properly
 * handle the recursion implicit in the various substitutions, especially
 * across continuation lines.
 *
 * TODOs:
 *      grep for "TODO" and fix (some of them are easy)
 *      special variables (done: PWD, PPID, RANDOM)
 *      tilde expansion
 *      aliases
 *      kill %jobspec
 *      follow IFS rules more precisely, including update semantics
 *      builtins mandated by standards we don't support:
 *          [un]alias, command, fc, getopts, newgrp, readonly, times
 *      make complex ${var%...} constructs support optional
 *      make here documents optional
 *
 * Bash compat TODO:
 *      redirection of stdout+stderr: &> and >&
 *      reserved words: function select
 *      advanced test: [[ ]]
 *      process substitution: <(list) and >(list)
 *      =~: regex operator
 *      let EXPR [EXPR...]
 *          Each EXPR is an arithmetic expression (ARITHMETIC EVALUATION)
 *          If the last arg evaluates to 0, let returns 1; 0 otherwise.
 *          NB: let `echo 'a=a + 1'` - error (IOW: multi-word expansion is used)
 *      ((EXPR))
 *          The EXPR is evaluated according to ARITHMETIC EVALUATION.
 *          This is exactly equivalent to let "EXPR".
 *      $[EXPR]: synonym for $((EXPR))
 *
 * Won't do:
 *      In bash, export builtin is special, its arguments are assignments
 *          and therefore expansion of them should be "one-word" expansion:
 *              $ export i=`echo 'a  b'` # export has one arg: "i=a  b"
 *          compare with:
 *              $ ls i=`echo 'a  b'`     # ls has two args: "i=a" and "b"
 *              ls: cannot access i=a: No such file or directory
 *              ls: cannot access b: No such file or directory
 *          Note1: same applies to local builtin.
 *          Note2: bash 3.2.33(1) does this only if export word itself
 *          is not quoted:
 *              $ export i=`echo 'aaa  bbb'`; echo "$i"
 *              aaa  bbb
 *              $ "export" i=`echo 'aaa  bbb'`; echo "$i"
 *              aaa
 */
//config:config HUSH
//config:       bool "hush"
//config:       default y
//config:       help
//config:         hush is a small shell (25k). It handles the normal flow control
//config:         constructs such as if/then/elif/else/fi, for/in/do/done, while loops,
//config:         case/esac. Redirections, here documents, $((arithmetic))
//config:         and functions are supported.
//config:
//config:         It will compile and work on no-mmu systems.
//config:
//config:         It does not handle select, aliases, tilde expansion,
//config:         &>file and >&file redirection of stdout+stderr.
//config:
//config:config HUSH_BASH_COMPAT
//config:       bool "bash-compatible extensions"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         Enable bash-compatible extensions.
//config:
//config:config HUSH_BRACE_EXPANSION
//config:       bool "Brace expansion"
//config:       default y
//config:       depends on HUSH_BASH_COMPAT
//config:       help
//config:         Enable {abc,def} extension.
//config:
//config:config HUSH_HELP
//config:       bool "help builtin"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         Enable help builtin in hush. Code size + ~1 kbyte.
//config:
//config:config HUSH_INTERACTIVE
//config:       bool "Interactive mode"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         Enable interactive mode (prompt and command editing).
//config:         Without this, hush simply reads and executes commands
//config:         from stdin just like a shell script from a file.
//config:         No prompt, no PS1/PS2 magic shell variables.
//config:
//config:config HUSH_SAVEHISTORY
//config:       bool "Save command history to .hush_history"
//config:       default y
//config:       depends on HUSH_INTERACTIVE && FEATURE_EDITING_SAVEHISTORY
//config:       help
//config:         Enable history saving in hush.
//config:
//config:config HUSH_JOB
//config:       bool "Job control"
//config:       default y
//config:       depends on HUSH_INTERACTIVE
//config:       help
//config:         Enable job control: Ctrl-Z backgrounds, Ctrl-C interrupts current
//config:         command (not entire shell), fg/bg builtins work. Without this option,
//config:         "cmd &" still works by simply spawning a process and immediately
//config:         prompting for next command (or executing next command in a script),
//config:         but no separate process group is formed.
//config:
//config:config HUSH_TICK
//config:       bool "Process substitution"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         Enable process substitution `command` and $(command) in hush.
//config:
//config:config HUSH_IF
//config:       bool "Support if/then/elif/else/fi"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         Enable if/then/elif/else/fi in hush.
//config:
//config:config HUSH_LOOPS
//config:       bool "Support for, while and until loops"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         Enable for, while and until loops in hush.
//config:
//config:config HUSH_CASE
//config:       bool "Support case ... esac statement"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         Enable case ... esac statement in hush. +400 bytes.
//config:
//config:config HUSH_FUNCTIONS
//config:       bool "Support funcname() { commands; } syntax"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         Enable support for shell functions in hush. +800 bytes.
//config:
//config:config HUSH_LOCAL
//config:       bool "Support local builtin"
//config:       default y
//config:       depends on HUSH_FUNCTIONS
//config:       help
//config:         Enable support for local variables in functions.
//config:
//config:config HUSH_RANDOM_SUPPORT
//config:       bool "Pseudorandom generator and $RANDOM variable"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         Enable pseudorandom generator and dynamic variable "$RANDOM".
//config:         Each read of "$RANDOM" will generate a new pseudorandom value.
//config:
//config:config HUSH_EXPORT_N
//config:       bool "Support 'export -n' option"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         export -n unexports variables. It is a bash extension.
//config:
//config:config HUSH_MODE_X
//config:       bool "Support 'hush -x' option and 'set -x' command"
//config:       default y
//config:       depends on HUSH || SH_IS_HUSH || BASH_IS_HUSH
//config:       help
//config:         This instructs hush to print commands before execution.
//config:         Adds ~300 bytes.
//config:
//config:config MSH
//config:       bool "msh (deprecated: aliased to hush)"
//config:       default n
//config:       select HUSH
//config:       help
//config:         msh is deprecated and will be removed, please migrate to hush.

//applet:IF_HUSH(APPLET(hush, BB_DIR_BIN, BB_SUID_DROP))
//applet:IF_MSH(APPLET_ODDNAME(msh, hush, BB_DIR_BIN, BB_SUID_DROP, hush))
//applet:IF_SH_IS_HUSH(APPLET_ODDNAME(sh, hush, BB_DIR_BIN, BB_SUID_DROP, hush))
//applet:IF_BASH_IS_HUSH(APPLET_ODDNAME(bash, hush, BB_DIR_BIN, BB_SUID_DROP, hush))

//kbuild:lib-$(CONFIG_HUSH) += hush.o match.o shell_common.o
//kbuild:lib-$(CONFIG_SH_IS_HUSH) += hush.o match.o shell_common.o
//kbuild:lib-$(CONFIG_BASH_IS_HUSH) += hush.o match.o shell_common.o
//kbuild:lib-$(CONFIG_HUSH_RANDOM_SUPPORT) += random.o

/* -i (interactive) and -s (read stdin) are also accepted,
 * but currently do nothing, therefore aren't shown in help.
 * NOMMU-specific options are not meant to be used by users,
 * therefore we don't show them either.
 */
//usage:#define hush_trivial_usage
//usage:        "[-nxl] [-c 'SCRIPT' [ARG0 [ARGS]] / FILE [ARGS]]"
//usage:#define hush_full_usage "\n\n"
//usage:        "Unix shell interpreter"

#if !(defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) \
        || defined(__APPLE__) \
    )
# include <malloc.h>   /* for malloc_trim */
#endif
#include <glob.h>
/* #include <dmalloc.h> */
#if ENABLE_HUSH_CASE
# include <fnmatch.h>
#endif
#include <sys/utsname.h> /* for setting $HOSTNAME */

#include "busybox.h"  /* for APPLET_IS_NOFORK/NOEXEC */
#include "unicode.h"
#include "shell_common.h"
#include "math.h"
#include "match.h"
#if ENABLE_HUSH_RANDOM_SUPPORT
# include "random.h"
#else
# define CLEAR_RANDOM_T(rnd) ((void)0)
#endif
#ifndef F_DUPFD_CLOEXEC
# define F_DUPFD_CLOEXEC F_DUPFD
#endif
#ifndef PIPE_BUF
# define PIPE_BUF 4096  /* amount of buffering in a pipe */
#endif


/* Build knobs */
#define LEAK_HUNTING 0
#define BUILD_AS_NOMMU 0
/* Enable/disable sanity checks. Ok to enable in production,
 * only adds a bit of bloat. Set to >1 to get non-production level verbosity.
 * Keeping 1 for now even in released versions.
 */
#define HUSH_DEBUG 1
/* Slightly bigger (+200 bytes), but faster hush.
 * So far it only enables a trick with counting SIGCHLDs and forks,
 * which allows us to do fewer waitpid's.
 * (we can detect a case where neither forks were done nor SIGCHLDs happened
 * and therefore waitpid will return the same result as last time)
 */
#define ENABLE_HUSH_FAST 0
/* TODO: implement simplified code for users which do not need ${var%...} ops
 * So far ${var%...} ops are always enabled:
 */
#define ENABLE_HUSH_DOLLAR_OPS 1


#if BUILD_AS_NOMMU
# undef BB_MMU
# undef USE_FOR_NOMMU
# undef USE_FOR_MMU
# define BB_MMU 0
# define USE_FOR_NOMMU(...) __VA_ARGS__
# define USE_FOR_MMU(...)
#endif

#include "NUM_APPLETS.h"
#if NUM_APPLETS == 1
/* STANDALONE does not make sense, and won't compile */
# undef CONFIG_FEATURE_SH_STANDALONE
# undef ENABLE_FEATURE_SH_STANDALONE
# undef IF_FEATURE_SH_STANDALONE
# undef IF_NOT_FEATURE_SH_STANDALONE
# define ENABLE_FEATURE_SH_STANDALONE 0
# define IF_FEATURE_SH_STANDALONE(...)
# define IF_NOT_FEATURE_SH_STANDALONE(...) __VA_ARGS__
#endif

#if !ENABLE_HUSH_INTERACTIVE
# undef ENABLE_FEATURE_EDITING
# define ENABLE_FEATURE_EDITING 0
# undef ENABLE_FEATURE_EDITING_FANCY_PROMPT
# define ENABLE_FEATURE_EDITING_FANCY_PROMPT 0
# undef ENABLE_FEATURE_EDITING_SAVE_ON_EXIT
# define ENABLE_FEATURE_EDITING_SAVE_ON_EXIT 0
#endif

/* Do we support ANY keywords? */
#if ENABLE_HUSH_IF || ENABLE_HUSH_LOOPS || ENABLE_HUSH_CASE
# define HAS_KEYWORDS 1
# define IF_HAS_KEYWORDS(...) __VA_ARGS__
# define IF_HAS_NO_KEYWORDS(...)
#else
# define HAS_KEYWORDS 0
# define IF_HAS_KEYWORDS(...)
# define IF_HAS_NO_KEYWORDS(...) __VA_ARGS__
#endif

/* If you comment out one of these below, it will be #defined later
 * to perform debug printfs to stderr: */
#define debug_printf(...)        do {} while (0)
/* Finer-grained debug switches */
#define debug_printf_parse(...)  do {} while (0)
#define debug_print_tree(a, b)   do {} while (0)
#define debug_printf_exec(...)   do {} while (0)
#define debug_printf_env(...)    do {} while (0)
#define debug_printf_jobs(...)   do {} while (0)
#define debug_printf_expand(...) do {} while (0)
#define debug_printf_varexp(...) do {} while (0)
#define debug_printf_glob(...)   do {} while (0)
#define debug_printf_list(...)   do {} while (0)
#define debug_printf_subst(...)  do {} while (0)
#define debug_printf_clean(...)  do {} while (0)

#define ERR_PTR ((void*)(long)1)

#define JOB_STATUS_FORMAT    "[%d] %-22s %.40s\n"

#define _SPECIAL_VARS_STR     "_*@$!?#"
#define SPECIAL_VARS_STR     ("_*@$!?#" + 1)
#define NUMERIC_SPECVARS_STR ("_*@$!?#" + 3)
#if ENABLE_HUSH_BASH_COMPAT
/* Support / and // replace ops */
/* Note that // is stored as \ in "encoded" string representation */
# define VAR_ENCODED_SUBST_OPS      "\\/%#:-=+?"
# define VAR_SUBST_OPS             ("\\/%#:-=+?" + 1)
# define MINUS_PLUS_EQUAL_QUESTION ("\\/%#:-=+?" + 5)
#else
# define VAR_ENCODED_SUBST_OPS      "%#:-=+?"
# define VAR_SUBST_OPS              "%#:-=+?"
# define MINUS_PLUS_EQUAL_QUESTION ("%#:-=+?" + 3)
#endif

#define SPECIAL_VAR_SYMBOL   3

struct variable;

static const char hush_version_str[] ALIGN1 = "HUSH_VERSION="BB_VER;

/* This supports saving pointers malloced in vfork child,
 * to be freed in the parent.
 */
#if !BB_MMU
typedef struct nommu_save_t {
        char **new_env;
        struct variable *old_vars;
        char **argv;
        char **argv_from_re_execing;
} nommu_save_t;
#endif

enum {
        RES_NONE  = 0,
#if ENABLE_HUSH_IF
        RES_IF    ,
        RES_THEN  ,
        RES_ELIF  ,
        RES_ELSE  ,
        RES_FI    ,
#endif
#if ENABLE_HUSH_LOOPS
        RES_FOR   ,
        RES_WHILE ,
        RES_UNTIL ,
        RES_DO    ,
        RES_DONE  ,
#endif
#if ENABLE_HUSH_LOOPS || ENABLE_HUSH_CASE
        RES_IN    ,
#endif
#if ENABLE_HUSH_CASE
        RES_CASE  ,
        /* three pseudo-keywords support contrived "case" syntax: */
        RES_CASE_IN,   /* "case ... IN", turns into RES_MATCH when IN is observed */
        RES_MATCH ,    /* "word)" */
        RES_CASE_BODY, /* "this command is inside CASE" */
        RES_ESAC  ,
#endif
        RES_XXXX  ,
        RES_SNTX
};

typedef struct o_string {
        char *data;
        int length; /* position where data is appended */
        int maxlen;
        int o_expflags;
        /* At least some part of the string was inside '' or "",
         * possibly empty one: word"", wo''rd etc. */
        smallint has_quoted_part;
        smallint has_empty_slot;
        smallint o_assignment; /* 0:maybe, 1:yes, 2:no */
} o_string;
enum {
        EXP_FLAG_SINGLEWORD     = 0x80, /* must be 0x80 */
        EXP_FLAG_GLOB           = 0x2,
        /* Protect newly added chars against globbing
         * by prepending \ to *, ?, [, \ */
        EXP_FLAG_ESC_GLOB_CHARS = 0x1,
};
enum {
        MAYBE_ASSIGNMENT      = 0,
        DEFINITELY_ASSIGNMENT = 1,
        NOT_ASSIGNMENT        = 2,
        /* Not an assignment, but next word may be: "if v=xyz cmd;" */
        WORD_IS_KEYWORD       = 3,
};
/* Used for initialization: o_string foo = NULL_O_STRING; */
#define NULL_O_STRING { NULL }

#ifndef debug_printf_parse
static const char *const assignment_flag[] = {
        "MAYBE_ASSIGNMENT",
        "DEFINITELY_ASSIGNMENT",
        "NOT_ASSIGNMENT",
        "WORD_IS_KEYWORD",
};
#endif

typedef struct in_str {
        const char *p;
#if ENABLE_HUSH_INTERACTIVE
        smallint promptmode; /* 0: PS1, 1: PS2 */
#endif
        int peek_buf[2];
        int last_char;
        FILE *file;
} in_str;

/* The descrip member of this structure is only used to make
 * debugging output pretty */
static const struct {
        int mode;
        signed char default_fd;
        char descrip[3];
} redir_table[] = {
        { O_RDONLY,                  0, "<"  },
        { O_CREAT|O_TRUNC|O_WRONLY,  1, ">"  },
        { O_CREAT|O_APPEND|O_WRONLY, 1, ">>" },
        { O_CREAT|O_RDWR,            1, "<>" },
        { O_RDONLY,                  0, "<<" },
/* Should not be needed. Bogus default_fd helps in debugging */
/*      { O_RDONLY,                 77, "<<" }, */
};

struct redir_struct {
        struct redir_struct *next;
        char *rd_filename;          /* filename */
        int rd_fd;                  /* fd to redirect */
        /* fd to redirect to, or -3 if rd_fd is to be closed (n>&-) */
        int rd_dup;
        smallint rd_type;           /* (enum redir_type) */
        /* note: for heredocs, rd_filename contains heredoc delimiter,
         * and subsequently heredoc itself; and rd_dup is a bitmask:
         * bit 0: do we need to trim leading tabs?
         * bit 1: is heredoc quoted (<<'delim' syntax) ?
         */
};
typedef enum redir_type {
        REDIRECT_INPUT     = 0,
        REDIRECT_OVERWRITE = 1,
        REDIRECT_APPEND    = 2,
        REDIRECT_IO        = 3,
        REDIRECT_HEREDOC   = 4,
        REDIRECT_HEREDOC2  = 5, /* REDIRECT_HEREDOC after heredoc is loaded */

        REDIRFD_CLOSE      = -3,
        REDIRFD_SYNTAX_ERR = -2,
        REDIRFD_TO_FILE    = -1,
        /* otherwise, rd_fd is redirected to rd_dup */

        HEREDOC_SKIPTABS = 1,
        HEREDOC_QUOTED   = 2,
} redir_type;


struct command {
        pid_t pid;                  /* 0 if exited */
        int assignment_cnt;         /* how many argv[i] are assignments? */
        smallint cmd_type;          /* CMD_xxx */
#define CMD_NORMAL   0
#define CMD_SUBSHELL 1
#if ENABLE_HUSH_BASH_COMPAT
/* used for "[[ EXPR ]]" */
# define CMD_SINGLEWORD_NOGLOB 2
#endif
#if ENABLE_HUSH_FUNCTIONS
# define CMD_FUNCDEF 3
#endif

        smalluint cmd_exitcode;
        /* if non-NULL, this "command" is { list }, ( list ), or a compound statement */
        struct pipe *group;
#if !BB_MMU
        char *group_as_string;
#endif
#if ENABLE_HUSH_FUNCTIONS
        struct function *child_func;
/* This field is used to prevent a bug here:
 * while...do f1() {a;}; f1; f1() {b;}; f1; done
 * When we execute "f1() {a;}" cmd, we create new function and clear
 * cmd->group, cmd->group_as_string, cmd->argv[0].
 * When we execute "f1() {b;}", we notice that f1 exists,
 * and that its "parent cmd" struct is still "alive",
 * we put those fields back into cmd->xxx
 * (struct function has ->parent_cmd ptr to facilitate that).
 * When we loop back, we can execute "f1() {a;}" again and set f1 correctly.
 * Without this trick, loop would execute a;b;b;b;...
 * instead of correct sequence a;b;a;b;...
 * When command is freed, it severs the link
 * (sets ->child_func->parent_cmd to NULL).
 */
#endif
        char **argv;                /* command name and arguments */
/* argv vector may contain variable references (^Cvar^C, ^C0^C etc)
 * and on execution these are substituted with their values.
 * Substitution can make _several_ words out of one argv[n]!
 * Example: argv[0]=='.^C*^C.' here: echo .$*.
 * References of the form ^C`cmd arg^C are `cmd arg` substitutions.
 */
        struct redir_struct *redirects; /* I/O redirections */
};
/* Is there anything in this command at all? */
#define IS_NULL_CMD(cmd) \
        (!(cmd)->group && !(cmd)->argv && !(cmd)->redirects)

struct pipe {
        struct pipe *next;
        int num_cmds;               /* total number of commands in pipe */
        int alive_cmds;             /* number of commands running (not exited) */
        int stopped_cmds;           /* number of commands alive, but stopped */
#if ENABLE_HUSH_JOB
        int jobid;                  /* job number */
        pid_t pgrp;                 /* process group ID for the job */
        char *cmdtext;              /* name of job */
#endif
        struct command *cmds;       /* array of commands in pipe */
        smallint followup;          /* PIPE_BG, PIPE_SEQ, PIPE_OR, PIPE_AND */
        IF_HAS_KEYWORDS(smallint pi_inverted;) /* "! cmd | cmd" */
        IF_HAS_KEYWORDS(smallint res_word;) /* needed for if, for, while, until... */
};
typedef enum pipe_style {
        PIPE_SEQ = 0,
        PIPE_AND = 1,
        PIPE_OR  = 2,
        PIPE_BG  = 3,
} pipe_style;
/* Is there anything in this pipe at all? */
#define IS_NULL_PIPE(pi) \
        ((pi)->num_cmds == 0 IF_HAS_KEYWORDS( && (pi)->res_word == RES_NONE))

/* This holds pointers to the various results of parsing */
struct parse_context {
        /* linked list of pipes */
        struct pipe *list_head;
        /* last pipe (being constructed right now) */
        struct pipe *pipe;
        /* last command in pipe (being constructed right now) */
        struct command *command;
        /* last redirect in command->redirects list */
        struct redir_struct *pending_redirect;
#if !BB_MMU
        o_string as_string;
#endif
#if HAS_KEYWORDS
        smallint ctx_res_w;
        smallint ctx_inverted; /* "! cmd | cmd" */
#if ENABLE_HUSH_CASE
        smallint ctx_dsemicolon; /* ";;" seen */
#endif
        /* bitmask of FLAG_xxx, for figuring out valid reserved words */
        int old_flag;
        /* group we are enclosed in:
         * example: "if pipe1; pipe2; then pipe3; fi"
         * when we see "if" or "then", we malloc and copy current context,
         * and make ->stack point to it. then we parse pipeN.
         * when closing "then" / fi" / whatever is found,
         * we move list_head into ->stack->command->group,
         * copy ->stack into current context, and delete ->stack.
         * (parsing of { list } and ( list ) doesn't use this method)
         */
        struct parse_context *stack;
#endif
};

/* On program start, environ points to initial environment.
 * putenv adds new pointers into it, unsetenv removes them.
 * Neither of these (de)allocates the strings.
 * setenv allocates new strings in malloc space and does putenv,
 * and thus setenv is unusable (leaky) for shell's purposes */
#define setenv(...) setenv_is_leaky_dont_use()
struct variable {
        struct variable *next;
        char *varstr;        /* points to "name=" portion */
#if ENABLE_HUSH_LOCAL
        unsigned func_nest_level;
#endif
        int max_len;         /* if > 0, name is part of initial env; else name is malloced */
        smallint flg_export; /* putenv should be done on this var */
        smallint flg_read_only;
};

enum {
        BC_BREAK = 1,
        BC_CONTINUE = 2,
};

#if ENABLE_HUSH_FUNCTIONS
struct function {
        struct function *next;
        char *name;
        struct command *parent_cmd;
        struct pipe *body;
# if !BB_MMU
        char *body_as_string;
# endif
};
#endif


/* set -/+o OPT support. (TODO: make it optional)
 * bash supports the following opts:
 * allexport       off
 * braceexpand     on
 * emacs           on
 * errexit         off
 * errtrace        off
 * functrace       off
 * hashall         on
 * histexpand      off
 * history         on
 * ignoreeof       off
 * interactive-comments    on
 * keyword         off
 * monitor         on
 * noclobber       off
 * noexec          off
 * noglob          off
 * nolog           off
 * notify          off
 * nounset         off
 * onecmd          off
 * physical        off
 * pipefail        off
 * posix           off
 * privileged      off
 * verbose         off
 * vi              off
 * xtrace          off
 */
static const char o_opt_strings[] ALIGN1 =
        "pipefail\0"
        "noexec\0"
#if ENABLE_HUSH_MODE_X
        "xtrace\0"
#endif
        ;
enum {
        OPT_O_PIPEFAIL,
        OPT_O_NOEXEC,
#if ENABLE_HUSH_MODE_X
        OPT_O_XTRACE,
#endif
        NUM_OPT_O
};


struct FILE_list {
        struct FILE_list *next;
        FILE *fp;
        int fd;
};


/* "Globals" within this file */
/* Sorted roughly by size (smaller offsets == smaller code) */
struct globals {
        /* interactive_fd != 0 means we are an interactive shell.
         * If we are, then saved_tty_pgrp can also be != 0, meaning
         * that controlling tty is available. With saved_tty_pgrp == 0,
         * job control still works, but terminal signals
         * (^C, ^Z, ^Y, ^\) won't work at all, and background
         * process groups can only be created with "cmd &".
         * With saved_tty_pgrp != 0, hush will use tcsetpgrp()
         * to give tty to the foreground process group,
         * and will take it back when the group is stopped (^Z)
         * or killed (^C).
         */
#if ENABLE_HUSH_INTERACTIVE
        /* 'interactive_fd' is a fd# open to ctty, if we have one
         * _AND_ if we decided to act interactively */
        int interactive_fd;
        const char *PS1;
        const char *PS2;
# define G_interactive_fd (G.interactive_fd)
#else
# define G_interactive_fd 0
#endif
#if ENABLE_FEATURE_EDITING
        line_input_t *line_input_state;
#endif
        pid_t root_pid;
        pid_t root_ppid;
        pid_t last_bg_pid;
#if ENABLE_HUSH_RANDOM_SUPPORT
        random_t random_gen;
#endif
#if ENABLE_HUSH_JOB
        int run_list_level;
        int last_jobid;
        pid_t saved_tty_pgrp;
        struct pipe *job_list;
# define G_saved_tty_pgrp (G.saved_tty_pgrp)
#else
# define G_saved_tty_pgrp 0
#endif
        char o_opt[NUM_OPT_O];
#if ENABLE_HUSH_MODE_X
# define G_x_mode (G.o_opt[OPT_O_XTRACE])
#else
# define G_x_mode 0
#endif
        smallint flag_SIGINT;
#if ENABLE_HUSH_LOOPS
        smallint flag_break_continue;
#endif
#if ENABLE_HUSH_FUNCTIONS
        /* 0: outside of a function (or sourced file)
         * -1: inside of a function, ok to use return builtin
         * 1: return is invoked, skip all till end of func
         */
        smallint flag_return_in_progress;
# define G_flag_return_in_progress (G.flag_return_in_progress)
#else
# define G_flag_return_in_progress 0
#endif
        smallint exiting; /* used to prevent EXIT trap recursion */
        /* These four support $?, $#, and $1 */
        smalluint last_exitcode;
        /* are global_argv and global_argv[1..n] malloced? (note: not [0]) */
        smalluint global_args_malloced;
        /* how many non-NULL argv's we have. NB: $# + 1 */
        int global_argc;
        char **global_argv;
#if !BB_MMU
        char *argv0_for_re_execing;
#endif
#if ENABLE_HUSH_LOOPS
        unsigned depth_break_continue;
        unsigned depth_of_loop;
#endif
        const char *ifs;
        const char *cwd;
        struct variable *top_var;
        char **expanded_assignments;
#if ENABLE_HUSH_FUNCTIONS
        struct function *top_func;
# if ENABLE_HUSH_LOCAL
        struct variable **shadowed_vars_pp;
        unsigned func_nest_level;
# endif
#endif
        /* Signal and trap handling */
#if ENABLE_HUSH_FAST
        unsigned count_SIGCHLD;
        unsigned handled_SIGCHLD;
        smallint we_have_children;
#endif
        struct FILE_list *FILE_list;
        /* Which signals have non-DFL handler (even with no traps set)?
         * Set at the start to:
         * (SIGQUIT + maybe SPECIAL_INTERACTIVE_SIGS + maybe SPECIAL_JOBSTOP_SIGS)
         * SPECIAL_INTERACTIVE_SIGS are cleared after fork.
         * The rest is cleared right before execv syscalls.
         * Other than these two times, never modified.
         */
        unsigned special_sig_mask;
#if ENABLE_HUSH_JOB
        unsigned fatal_sig_mask;
# define G_fatal_sig_mask G.fatal_sig_mask
#else
# define G_fatal_sig_mask 0
#endif
        char **traps; /* char *traps[NSIG] */
        sigset_t pending_set;
#if HUSH_DEBUG
        unsigned long memleak_value;
        int debug_indent;
#endif
        struct sigaction sa;
#if ENABLE_FEATURE_EDITING
        char user_input_buf[CONFIG_FEATURE_EDITING_MAX_LEN];
#endif
};
#define G (*ptr_to_globals)
/* Not #defining name to G.name - this quickly gets unwieldy
 * (too many defines). Also, I actually prefer to see when a variable
 * is global, thus "G." prefix is a useful hint */
#define INIT_G() do { \
        SET_PTR_TO_GLOBALS(xzalloc(sizeof(G))); \
        /* memset(&G.sa, 0, sizeof(G.sa)); */  \
        sigfillset(&G.sa.sa_mask); \
        G.sa.sa_flags = SA_RESTART; \
} while (0)


/* Function prototypes for builtins */
static int builtin_cd(char **argv) FAST_FUNC;
static int builtin_echo(char **argv) FAST_FUNC;
static int builtin_eval(char **argv) FAST_FUNC;
static int builtin_exec(char **argv) FAST_FUNC;
static int builtin_exit(char **argv) FAST_FUNC;
static int builtin_export(char **argv) FAST_FUNC;
#if ENABLE_HUSH_JOB
static int builtin_fg_bg(char **argv) FAST_FUNC;
static int builtin_jobs(char **argv) FAST_FUNC;
#endif
#if ENABLE_HUSH_HELP
static int builtin_help(char **argv) FAST_FUNC;
#endif
#if MAX_HISTORY && ENABLE_FEATURE_EDITING
static int builtin_history(char **argv) FAST_FUNC;
#endif
#if ENABLE_HUSH_LOCAL
static int builtin_local(char **argv) FAST_FUNC;
#endif
#if HUSH_DEBUG
static int builtin_memleak(char **argv) FAST_FUNC;
#endif
#if ENABLE_PRINTF
static int builtin_printf(char **argv) FAST_FUNC;
#endif
static int builtin_pwd(char **argv) FAST_FUNC;
static int builtin_read(char **argv) FAST_FUNC;
static int builtin_set(char **argv) FAST_FUNC;
static int builtin_shift(char **argv) FAST_FUNC;
static int builtin_source(char **argv) FAST_FUNC;
static int builtin_test(char **argv) FAST_FUNC;
static int builtin_trap(char **argv) FAST_FUNC;
static int builtin_type(char **argv) FAST_FUNC;
static int builtin_true(char **argv) FAST_FUNC;
static int builtin_umask(char **argv) FAST_FUNC;
static int builtin_unset(char **argv) FAST_FUNC;
static int builtin_wait(char **argv) FAST_FUNC;
#if ENABLE_HUSH_LOOPS
static int builtin_break(char **argv) FAST_FUNC;
static int builtin_continue(char **argv) FAST_FUNC;
#endif
#if ENABLE_HUSH_FUNCTIONS
static int builtin_return(char **argv) FAST_FUNC;
#endif

/* Table of built-in functions.  They can be forked or not, depending on
 * context: within pipes, they fork.  As simple commands, they do not.
 * When used in non-forking context, they can change global variables
 * in the parent shell process.  If forked, of course they cannot.
 * For example, 'unset foo | whatever' will parse and run, but foo will
 * still be set at the end. */
struct built_in_command {
        const char *b_cmd;
        int (*b_function)(char **argv) FAST_FUNC;
#if ENABLE_HUSH_HELP
        const char *b_descr;
# define BLTIN(cmd, func, help) { cmd, func, help }
#else
# define BLTIN(cmd, func, help) { cmd, func }
#endif
};

static const struct built_in_command bltins1[] = {
        BLTIN("."        , builtin_source  , "Run commands in a file"),
        BLTIN(":"        , builtin_true    , NULL),
#if ENABLE_HUSH_JOB
        BLTIN("bg"       , builtin_fg_bg   , "Resume a job in the background"),
#endif
#if ENABLE_HUSH_LOOPS
        BLTIN("break"    , builtin_break   , "Exit from a loop"),
#endif
        BLTIN("cd"       , builtin_cd      , "Change directory"),
#if ENABLE_HUSH_LOOPS
        BLTIN("continue" , builtin_continue, "Start new loop iteration"),
#endif
        BLTIN("eval"     , builtin_eval    , "Construct and run shell command"),
        BLTIN("exec"     , builtin_exec    , "Execute command, don't return to shell"),
        BLTIN("exit"     , builtin_exit    , "Exit"),
        BLTIN("export"   , builtin_export  , "Set environment variables"),
#if ENABLE_HUSH_JOB
        BLTIN("fg"       , builtin_fg_bg   , "Bring job into the foreground"),
#endif
#if ENABLE_HUSH_HELP
        BLTIN("help"     , builtin_help    , NULL),
#endif
#if MAX_HISTORY && ENABLE_FEATURE_EDITING
        BLTIN("history"  , builtin_history , "Show command history"),
#endif
#if ENABLE_HUSH_JOB
        BLTIN("jobs"     , builtin_jobs    , "List jobs"),
#endif
#if ENABLE_HUSH_LOCAL
        BLTIN("local"    , builtin_local   , "Set local variables"),
#endif
#if HUSH_DEBUG
        BLTIN("memleak"  , builtin_memleak , NULL),
#endif
        BLTIN("read"     , builtin_read    , "Input into variable"),
#if ENABLE_HUSH_FUNCTIONS
        BLTIN("return"   , builtin_return  , "Return from a function"),
#endif
        BLTIN("set"      , builtin_set     , "Set/unset positional parameters"),
        BLTIN("shift"    , builtin_shift   , "Shift positional parameters"),
#if ENABLE_HUSH_BASH_COMPAT
        BLTIN("source"   , builtin_source  , "Run commands in a file"),
#endif
        BLTIN("trap"     , builtin_trap    , "Trap signals"),
        BLTIN("true"     , builtin_true    , NULL),
        BLTIN("type"     , builtin_type    , "Show command type"),
        BLTIN("ulimit"   , shell_builtin_ulimit  , "Control resource limits"),
        BLTIN("umask"    , builtin_umask   , "Set file creation mask"),
        BLTIN("unset"    , builtin_unset   , "Unset variables"),
        BLTIN("wait"     , builtin_wait    , "Wait for process"),
};
/* For now, echo and test are unconditionally enabled.
 * Maybe make it configurable? */
static const struct built_in_command bltins2[] = {
        BLTIN("["        , builtin_test    , NULL),
        BLTIN("echo"     , builtin_echo    , NULL),
#if ENABLE_PRINTF
        BLTIN("printf"   , builtin_printf  , NULL),
#endif
        BLTIN("pwd"      , builtin_pwd     , NULL),
        BLTIN("test"     , builtin_test    , NULL),
};


/* Debug printouts.
 */
#if HUSH_DEBUG
/* prevent disasters with G.debug_indent < 0 */
# define indent() fdprintf(2, "%*s", (G.debug_indent * 2) & 0xff, "")
# define debug_enter() (G.debug_indent++)
# define debug_leave() (G.debug_indent--)
#else
# define indent()      ((void)0)
# define debug_enter() ((void)0)
# define debug_leave() ((void)0)
#endif

#ifndef debug_printf
# define debug_printf(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_parse
# define debug_printf_parse(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_exec
#define debug_printf_exec(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_env
# define debug_printf_env(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_jobs
# define debug_printf_jobs(...) (indent(), fdprintf(2, __VA_ARGS__))
# define DEBUG_JOBS 1
#else

# define DEBUG_JOBS 0
#endif

#ifndef debug_printf_expand
# define debug_printf_expand(...) (indent(), fdprintf(2, __VA_ARGS__))
# define DEBUG_EXPAND 1
#else
# define DEBUG_EXPAND 0
#endif

#ifndef debug_printf_varexp
# define debug_printf_varexp(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_glob
# define debug_printf_glob(...) (indent(), fdprintf(2, __VA_ARGS__))
# define DEBUG_GLOB 1
#else
# define DEBUG_GLOB 0
#endif

#ifndef debug_printf_list
# define debug_printf_list(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_subst
# define debug_printf_subst(...) (indent(), fdprintf(2, __VA_ARGS__))
#endif

#ifndef debug_printf_clean
# define debug_printf_clean(...) (indent(), fdprintf(2, __VA_ARGS__))
# define DEBUG_CLEAN 1
#else
# define DEBUG_CLEAN 0
#endif

#if DEBUG_EXPAND
static void debug_print_strings(const char *prefix, char **vv)
{
        indent();
        fdprintf(2, "%s:\n", prefix);
        while (*vv)
                fdprintf(2, " '%s'\n", *vv++);
}
#else
# define debug_print_strings(prefix, vv) ((void)0)
#endif


/* Leak hunting. Use hush_leaktool.sh for post-processing.
 */
#if LEAK_HUNTING
static void *xxmalloc(int lineno, size_t size)
{
        void *ptr = xmalloc((size + 0xff) & ~0xff);
        fdprintf(2, "line %d: malloc %p\n", lineno, ptr);
        return ptr;
}
static void *xxrealloc(int lineno, void *ptr, size_t size)
{
        ptr = xrealloc(ptr, (size + 0xff) & ~0xff);
        fdprintf(2, "line %d: realloc %p\n", lineno, ptr);
        return ptr;
}
static char *xxstrdup(int lineno, const char *str)
{
        char *ptr = xstrdup(str);
        fdprintf(2, "line %d: strdup %p\n", lineno, ptr);
        return ptr;
}
static void xxfree(void *ptr)
{
        fdprintf(2, "free %p\n", ptr);
        free(ptr);
}
# define xmalloc(s)     xxmalloc(__LINE__, s)
# define xrealloc(p, s) xxrealloc(__LINE__, p, s)
# define xstrdup(s)     xxstrdup(__LINE__, s)
# define free(p)        xxfree(p)
#endif


/* Syntax and runtime errors. They always abort scripts.
 * In interactive use they usually discard unparsed and/or unexecuted commands
 * and return to the prompt.
 * HUSH_DEBUG >= 2 prints line number in this file where it was detected.
 */
#if HUSH_DEBUG < 2
# define die_if_script(lineno, ...)             die_if_script(__VA_ARGS__)
# define syntax_error(lineno, msg)              syntax_error(msg)
# define syntax_error_at(lineno, msg)           syntax_error_at(msg)
# define syntax_error_unterm_ch(lineno, ch)     syntax_error_unterm_ch(ch)
# define syntax_error_unterm_str(lineno, s)     syntax_error_unterm_str(s)
# define syntax_error_unexpected_ch(lineno, ch) syntax_error_unexpected_ch(ch)
#endif

static void die_if_script(unsigned lineno, const char *fmt, ...)
{
        va_list p;

#if HUSH_DEBUG >= 2
        bb_error_msg("hush.c:%u", lineno);
#endif
        va_start(p, fmt);
        bb_verror_msg(fmt, p, NULL);
        va_end(p);
        if (!G_interactive_fd)
                xfunc_die();
}

static void syntax_error(unsigned lineno UNUSED_PARAM, const char *msg)
{
        if (msg)
                bb_error_msg("syntax error: %s", msg);
        else
                bb_error_msg("syntax error");
}

static void syntax_error_at(unsigned lineno UNUSED_PARAM, const char *msg)
{
        bb_error_msg("syntax error at '%s'", msg);
}

static void syntax_error_unterm_str(unsigned lineno UNUSED_PARAM, const char *s)
{
        bb_error_msg("syntax error: unterminated %s", s);
}

static void syntax_error_unterm_ch(unsigned lineno, char ch)
{
        char msg[2] = { ch, '\0' };
        syntax_error_unterm_str(lineno, msg);
}

static void syntax_error_unexpected_ch(unsigned lineno UNUSED_PARAM, int ch)
{
        char msg[2];
        msg[0] = ch;
        msg[1] = '\0';
#if HUSH_DEBUG >= 2
        bb_error_msg("hush.c:%u", lineno);
#endif
        bb_error_msg("syntax error: unexpected %s", ch == EOF ? "EOF" : msg);
}

#if HUSH_DEBUG < 2
# undef die_if_script
# undef syntax_error
# undef syntax_error_at
# undef syntax_error_unterm_ch
# undef syntax_error_unterm_str
# undef syntax_error_unexpected_ch
#else
# define die_if_script(...)             die_if_script(__LINE__, __VA_ARGS__)
# define syntax_error(msg)              syntax_error(__LINE__, msg)
# define syntax_error_at(msg)           syntax_error_at(__LINE__, msg)
# define syntax_error_unterm_ch(ch)     syntax_error_unterm_ch(__LINE__, ch)
# define syntax_error_unterm_str(s)     syntax_error_unterm_str(__LINE__, s)
# define syntax_error_unexpected_ch(ch) syntax_error_unexpected_ch(__LINE__, ch)
#endif


#if ENABLE_HUSH_INTERACTIVE
static void cmdedit_update_prompt(void);
#else
# define cmdedit_update_prompt() ((void)0)
#endif


/* Utility functions
 */
/* Replace each \x with x in place, return ptr past NUL. */
static char *unbackslash(char *src)
{
        char *dst = src = strchrnul(src, '\\');
        while (1) {
                if (*src == '\\')
                        src++;
                if ((*dst++ = *src++) == '\0')
                        break;
        }
        return dst;
}

static char **add_strings_to_strings(char **strings, char **add, int need_to_dup)
{
        int i;
        unsigned count1;
        unsigned count2;
        char **v;

        v = strings;
        count1 = 0;
        if (v) {
                while (*v) {
                        count1++;
                        v++;
                }
        }
        count2 = 0;
        v = add;
        while (*v) {
                count2++;
                v++;
        }
        v = xrealloc(strings, (count1 + count2 + 1) * sizeof(char*));
        v[count1 + count2] = NULL;
        i = count2;
        while (--i >= 0)
                v[count1 + i] = (need_to_dup ? xstrdup(add[i]) : add[i]);
        return v;
}
#if LEAK_HUNTING
static char **xx_add_strings_to_strings(int lineno, char **strings, char **add, int need_to_dup)
{
        char **ptr = add_strings_to_strings(strings, add, need_to_dup);
        fdprintf(2, "line %d: add_strings_to_strings %p\n", lineno, ptr);
        return ptr;
}
#define add_strings_to_strings(strings, add, need_to_dup) \
        xx_add_strings_to_strings(__LINE__, strings, add, need_to_dup)
#endif

/* Note: takes ownership of "add" ptr (it is not strdup'ed) */
static char **add_string_to_strings(char **strings, char *add)
{
        char *v[2];
        v[0] = add;
        v[1] = NULL;
        return add_strings_to_strings(strings, v, /*dup:*/ 0);
}
#if LEAK_HUNTING
static char **xx_add_string_to_strings(int lineno, char **strings, char *add)
{
        char **ptr = add_string_to_strings(strings, add);
        fdprintf(2, "line %d: add_string_to_strings %p\n", lineno, ptr);
        return ptr;
}
#define add_string_to_strings(strings, add) \
        xx_add_string_to_strings(__LINE__, strings, add)
#endif

static void free_strings(char **strings)
{
        char **v;

        if (!strings)
                return;
        v = strings;
        while (*v) {
                free(*v);
                v++;
        }
        free(strings);
}


static int xdup_and_close(int fd, int F_DUPFD_maybe_CLOEXEC)
{
        /* We avoid taking stdio fds. Mimicking ash: use fds above 9 */
        int newfd = fcntl(fd, F_DUPFD_maybe_CLOEXEC, 10);
        if (newfd < 0) {
                /* fd was not open? */
                if (errno == EBADF)
                        return fd;
                xfunc_die();
        }
        close(fd);
        return newfd;
}


/* Manipulating the list of open FILEs */
static FILE *remember_FILE(FILE *fp)
{
        if (fp) {
                struct FILE_list *n = xmalloc(sizeof(*n));
                n->next = G.FILE_list;
                G.FILE_list = n;
                n->fp = fp;
                n->fd = fileno(fp);
                close_on_exec_on(n->fd);
        }
        return fp;
}
static void fclose_and_forget(FILE *fp)
{
        struct FILE_list **pp = &G.FILE_list;
        while (*pp) {
                struct FILE_list *cur = *pp;
                if (cur->fp == fp) {
                        *pp = cur->next;
                        free(cur);
                        break;
                }
                pp = &cur->next;
        }
        fclose(fp);
}
static int save_FILEs_on_redirect(int fd)
{
        struct FILE_list *fl = G.FILE_list;
        while (fl) {
                if (fd == fl->fd) {
                        /* We use it only on script files, they are all CLOEXEC */
                        fl->fd = xdup_and_close(fd, F_DUPFD_CLOEXEC);
                        return 1;
                }
                fl = fl->next;
        }
        return 0;
}
static void restore_redirected_FILEs(void)
{
        struct FILE_list *fl = G.FILE_list;
        while (fl) {
                int should_be = fileno(fl->fp);
                if (fl->fd != should_be) {
                        xmove_fd(fl->fd, should_be);
                        fl->fd = should_be;
                }
                fl = fl->next;
        }
}
#if ENABLE_FEATURE_SH_STANDALONE
static void close_all_FILE_list(void)
{
        struct FILE_list *fl = G.FILE_list;
        while (fl) {
                /* fclose would also free FILE object.
                 * It is disastrous if we share memory with a vforked parent.
                 * I'm not sure we never come here after vfork.
                 * Therefore just close fd, nothing more.
                 */
                /*fclose(fl->fp); - unsafe */
                close(fl->fd);
                fl = fl->next;
        }
}
#endif


/* Helpers for setting new $n and restoring them back
 */
typedef struct save_arg_t {
        char *sv_argv0;
        char **sv_g_argv;
        int sv_g_argc;
        smallint sv_g_malloced;
} save_arg_t;

static void save_and_replace_G_args(save_arg_t *sv, char **argv)
{
        int n;

        sv->sv_argv0 = argv[0];
        sv->sv_g_argv = G.global_argv;
        sv->sv_g_argc = G.global_argc;
        sv->sv_g_malloced = G.global_args_malloced;

        argv[0] = G.global_argv[0]; /* retain $0 */
        G.global_argv = argv;
        G.global_args_malloced = 0;

        n = 1;
        while (*++argv)
                n++;
        G.global_argc = n;
}

static void restore_G_args(save_arg_t *sv, char **argv)
{
        char **pp;

        if (G.global_args_malloced) {
                /* someone ran "set -- arg1 arg2 ...", undo */
                pp = G.global_argv;
                while (*++pp) /* note: does not free $0 */
                        free(*pp);
                free(G.global_argv);
        }
        argv[0] = sv->sv_argv0;
        G.global_argv = sv->sv_g_argv;
        G.global_argc = sv->sv_g_argc;
        G.global_args_malloced = sv->sv_g_malloced;
}


/* Basic theory of signal handling in shell
 * ========================================
 * This does not describe what hush does, rather, it is current understanding
 * what it _should_ do. If it doesn't, it's a bug.
 * http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#trap
 *
 * Signals are handled only after each pipe ("cmd | cmd | cmd" thing)
 * is finished or backgrounded. It is the same in interactive and
 * non-interactive shells, and is the same regardless of whether
 * a user trap handler is installed or a shell special one is in effect.
 * ^C or ^Z from keyboard seems to execute "at once" because it usually
 * backgrounds (i.e. stops) or kills all members of currently running
 * pipe.
 *
 * Wait builtin is interruptible by signals for which user trap is set
 * or by SIGINT in interactive shell.
 *
 * Trap handlers will execute even within trap handlers. (right?)
 *
 * User trap handlers are forgotten when subshell ("(cmd)") is entered,
 * except for handlers set to '' (empty string).
 *
 * If job control is off, backgrounded commands ("cmd &")
 * have SIGINT, SIGQUIT set to SIG_IGN.
 *
 * Commands which are run in command substitution ("`cmd`")
 * have SIGTTIN, SIGTTOU, SIGTSTP set to SIG_IGN.
 *
 * Ordinary commands have signals set to SIG_IGN/DFL as inherited
 * by the shell from its parent.
 *
 * Signals which differ from SIG_DFL action
 * (note: child (i.e., [v]forked) shell is not an interactive shell):
 *
 * SIGQUIT: ignore
 * SIGTERM (interactive): ignore
 * SIGHUP (interactive):
 *    send SIGCONT to stopped jobs, send SIGHUP to all jobs and exit
 * SIGTTIN, SIGTTOU, SIGTSTP (if job control is on): ignore
 *    Note that ^Z is handled not by trapping SIGTSTP, but by seeing
 *    that all pipe members are stopped. Try this in bash:
 *    while :; do :; done - ^Z does not background it
 *    (while :; do :; done) - ^Z backgrounds it
 * SIGINT (interactive): wait for last pipe, ignore the rest
 *    of the command line, show prompt. NB: ^C does not send SIGINT
 *    to interactive shell while shell is waiting for a pipe,
 *    since shell is bg'ed (is not in foreground process group).
 *    Example 1: this waits 5 sec, but does not execute ls:
 *    "echo $$; sleep 5; ls -l" + "kill -INT <pid>"
 *    Example 2: this does not wait and does not execute ls:
 *    "echo $$; sleep 5 & wait; ls -l" + "kill -INT <pid>"
 *    Example 3: this does not wait 5 sec, but executes ls:
 *    "sleep 5; ls -l" + press ^C
 *    Example 4: this does not wait and does not execute ls:
 *    "sleep 5 & wait; ls -l" + press ^C
 *
 * (What happens to signals which are IGN on shell start?)
 * (What happens with signal mask on shell start?)
 *
 * Old implementation
 * ==================
 * We use in-kernel pending signal mask to determine which signals were sent.
 * We block all signals which we don't want to take action immediately,
 * i.e. we block all signals which need to have special handling as described
 * above, and all signals which have traps set.
 * After each pipe execution, we extract any pending signals via sigtimedwait()
 * and act on them.
 *
 * unsigned special_sig_mask: a mask of such "special" signals
 * sigset_t blocked_set:  current blocked signal set
 *
 * "trap - SIGxxx":
 *    clear bit in blocked_set unless it is also in special_sig_mask
 * "trap 'cmd' SIGxxx":
 *    set bit in blocked_set (even if 'cmd' is '')
 * after [v]fork, if we plan to be a shell:
 *    unblock signals with special interactive handling
 *    (child shell is not interactive),
 *    unset all traps except '' (note: regardless of child shell's type - {}, (), etc)
 * after [v]fork, if we plan to exec:
 *    POSIX says fork clears pending signal mask in child - no need to clear it.
 *    Restore blocked signal set to one inherited by shell just prior to exec.
 *
 * Note: as a result, we do not use signal handlers much. The only uses
 * are to count SIGCHLDs
 * and to restore tty pgrp on signal-induced exit.
 *
 * Note 2 (compat):
 * Standard says "When a subshell is entered, traps that are not being ignored
 * are set to the default actions". bash interprets it so that traps which
 * are set to '' (ignore) are NOT reset to defaults. We do the same.
 *
 * Problem: the above approach makes it unwieldy to catch signals while
 * we are in read builtin, or while we read commands from stdin:
 * masked signals are not visible!
 *
 * New implementation
 * ==================
 * We record each signal we are interested in by installing signal handler
 * for them - a bit like emulating kernel pending signal mask in userspace.
 * We are interested in: signals which need to have special handling
 * as described above, and all signals which have traps set.
 * Signals are recorded in pending_set.
 * After each pipe execution, we extract any pending signals
 * and act on them.
 *
 * unsigned special_sig_mask: a mask of shell-special signals.
 * unsigned fatal_sig_mask: a mask of signals on which we restore tty pgrp.
 * char *traps[sig] if trap for sig is set (even if it's '').
 * sigset_t pending_set: set of sigs we received.
 *
 * "trap - SIGxxx":
 *    if sig is in special_sig_mask, set handler back to:
 *        record_pending_signo, or to IGN if it's a tty stop signal
 *    if sig is in fatal_sig_mask, set handler back to sigexit.
 *    else: set handler back to SIG_DFL
 * "trap 'cmd' SIGxxx":
 *    set handler to record_pending_signo.
 * "trap '' SIGxxx":
 *    set handler to SIG_IGN.
 * after [v]fork, if we plan to be a shell:
 *    set signals with special interactive handling to SIG_DFL
 *    (because child shell is not interactive),
 *    unset all traps except '' (note: regardless of child shell's type - {}, (), etc)
 * after [v]fork, if we plan to exec:
 *    POSIX says fork clears pending signal mask in child - no need to clear it.
 *
 * To make wait builtin interruptible, we handle SIGCHLD as special signal,
 * otherwise (if we leave it SIG_DFL) sigsuspend in wait builtin will not wake up on it.
 *
 * Note (compat):
 * Standard says "When a subshell is entered, traps that are not being ignored
 * are set to the default actions". bash interprets it so that traps which
 * are set to '' (ignore) are NOT reset to defaults. We do the same.
 */
enum {
        SPECIAL_INTERACTIVE_SIGS = 0
                | (1 << SIGTERM)
                | (1 << SIGINT)
                | (1 << SIGHUP)
                ,
        SPECIAL_JOBSTOP_SIGS = 0
#if ENABLE_HUSH_JOB
                | (1 << SIGTTIN)
                | (1 << SIGTTOU)
                | (1 << SIGTSTP)
#endif
                ,
};

static void record_pending_signo(int sig)
{
        sigaddset(&G.pending_set, sig);
#if ENABLE_HUSH_FAST
        if (sig == SIGCHLD) {
                G.count_SIGCHLD++;
//bb_error_msg("[%d] SIGCHLD_handler: G.count_SIGCHLD:%d G.handled_SIGCHLD:%d", getpid(), G.count_SIGCHLD, G.handled_SIGCHLD);
        }
#endif
}

static sighandler_t install_sighandler(int sig, sighandler_t handler)
{
        struct sigaction old_sa;

        /* We could use signal() to install handlers... almost:
         * except that we need to mask ALL signals while handlers run.
         * I saw signal nesting in strace, race window isn't small.
         * SA_RESTART is also needed, but in Linux, signal()
         * sets SA_RESTART too.
         */
        /* memset(&G.sa, 0, sizeof(G.sa)); - already done */
        /* sigfillset(&G.sa.sa_mask);      - already done */
        /* G.sa.sa_flags = SA_RESTART;     - already done */
        G.sa.sa_handler = handler;
        sigaction(sig, &G.sa, &old_sa);
        return old_sa.sa_handler;
}

static void hush_exit(int exitcode) NORETURN;

static void restore_ttypgrp_and__exit(void) NORETURN;
static void restore_ttypgrp_and__exit(void)
{
        /* xfunc has failed! die die die */
        /* no EXIT traps, this is an escape hatch! */
        G.exiting = 1;
        hush_exit(xfunc_error_retval);
}

#if ENABLE_HUSH_JOB

/* Needed only on some libc:
 * It was observed that on exit(), fgetc'ed buffered data
 * gets "unwound" via lseek(fd, -NUM, SEEK_CUR).
 * With the net effect that even after fork(), not vfork(),
 * exit() in NOEXECed applet in "sh SCRIPT":
 *      noexec_applet_here
 *      echo END_OF_SCRIPT
 * lseeks fd in input FILE object from EOF to "e" in "echo END_OF_SCRIPT".
 * This makes "echo END_OF_SCRIPT" executed twice.
 * Similar problems can be seen with die_if_script() -> xfunc_die()
 * and in `cmd` handling.
 * If set as die_func(), this makes xfunc_die() exit via _exit(), not exit():
 */
static void fflush_and__exit(void) NORETURN;
static void fflush_and__exit(void)
{
        fflush_all();
        _exit(xfunc_error_retval);
}

/* After [v]fork, in child: do not restore tty pgrp on xfunc death */
# define disable_restore_tty_pgrp_on_exit() (die_func = fflush_and__exit)
/* After [v]fork, in parent: restore tty pgrp on xfunc death */
# define enable_restore_tty_pgrp_on_exit()  (die_func = restore_ttypgrp_and__exit)

/* Restores tty foreground process group, and exits.
 * May be called as signal handler for fatal signal
 * (will resend signal to itself, producing correct exit state)
 * or called directly with -EXITCODE.
 * We also call it if xfunc is exiting.
 */
static void sigexit(int sig) NORETURN;
static void sigexit(int sig)
{
        /* Careful: we can end up here after [v]fork. Do not restore
         * tty pgrp then, only top-level shell process does that */
        if (G_saved_tty_pgrp && getpid() == G.root_pid) {
                /* Disable all signals: job control, SIGPIPE, etc.
                 * Mostly paranoid measure, to prevent infinite SIGTTOU.
                 */
                sigprocmask_allsigs(SIG_BLOCK);
                tcsetpgrp(G_interactive_fd, G_saved_tty_pgrp);
        }

        /* Not a signal, just exit */
        if (sig <= 0)
                _exit(- sig);

        kill_myself_with_sig(sig); /* does not return */
}
#else

# define disable_restore_tty_pgrp_on_exit() ((void)0)
# define enable_restore_tty_pgrp_on_exit()  ((void)0)

#endif

static sighandler_t pick_sighandler(unsigned sig)
{
        sighandler_t handler = SIG_DFL;
        if (sig < sizeof(unsigned)*8) {
                unsigned sigmask = (1 << sig);

#if ENABLE_HUSH_JOB
                /* is sig fatal? */
                if (G_fatal_sig_mask & sigmask)
                        handler = sigexit;
                else
#endif
                /* sig has special handling? */
                if (G.special_sig_mask & sigmask) {
                        handler = record_pending_signo;
                        /* TTIN/TTOU/TSTP can't be set to record_pending_signo
                         * in order to ignore them: they will be raised
                         * in an endless loop when we try to do some
                         * terminal ioctls! We do have to _ignore_ these.
                         */
                        if (SPECIAL_JOBSTOP_SIGS & sigmask)
                                handler = SIG_IGN;
                }
        }
        return handler;
}

/* Restores tty foreground process group, and exits. */
static void hush_exit(int exitcode)
{
#if ENABLE_FEATURE_EDITING_SAVE_ON_EXIT
        save_history(G.line_input_state);
#endif

        fflush_all();
        if (G.exiting <= 0 && G.traps && G.traps[0] && G.traps[0][0]) {
                char *argv[3];
                /* argv[0] is unused */
                argv[1] = G.traps[0];
                argv[2] = NULL;
                G.exiting = 1; /* prevent EXIT trap recursion */
                /* Note: G.traps[0] is not cleared!
                 * "trap" will still show it, if executed
                 * in the handler */
                builtin_eval(argv);
        }

#if ENABLE_FEATURE_CLEAN_UP
        {
                struct variable *cur_var;
                if (G.cwd != bb_msg_unknown)
                        free((char*)G.cwd);
                cur_var = G.top_var;
                while (cur_var) {
                        struct variable *tmp = cur_var;
                        if (!cur_var->max_len)
                                free(cur_var->varstr);
                        cur_var = cur_var->next;
                        free(tmp);
                }
        }
#endif

        fflush_all();
#if ENABLE_HUSH_JOB
        sigexit(- (exitcode & 0xff));
#else
        _exit(exitcode);
#endif
}


//TODO: return a mask of ALL handled sigs?
static int check_and_run_traps(void)
{
        int last_sig = 0;

        while (1) {
                int sig;

                if (sigisemptyset(&G.pending_set))
                        break;
                sig = 0;
                do {
                        sig++;
                        if (sigismember(&G.pending_set, sig)) {
                                sigdelset(&G.pending_set, sig);
                                goto got_sig;
                        }
                } while (sig < NSIG);
                break;
 got_sig:
                if (G.traps && G.traps[sig]) {
                        debug_printf_exec("%s: sig:%d handler:'%s'\n", __func__, sig, G.traps[sig]);
                        if (G.traps[sig][0]) {
                                /* We have user-defined handler */
                                smalluint save_rcode;
                                char *argv[3];
                                /* argv[0] is unused */
                                argv[1] = G.traps[sig];
                                argv[2] = NULL;
                                save_rcode = G.last_exitcode;
                                builtin_eval(argv);
//FIXME: shouldn't it be set to 128 + sig instead?
                                G.last_exitcode = save_rcode;
                                last_sig = sig;
                        } /* else: "" trap, ignoring signal */
                        continue;
                }
                /* not a trap: special action */
                switch (sig) {
                case SIGINT:
                        debug_printf_exec("%s: sig:%d default SIGINT handler\n", __func__, sig);
                        G.flag_SIGINT = 1;
                        last_sig = sig;
                        break;
#if ENABLE_HUSH_JOB
                case SIGHUP: {
                        struct pipe *job;
                        debug_printf_exec("%s: sig:%d default SIGHUP handler\n", __func__, sig);
                        /* bash is observed to signal whole process groups,
                         * not individual processes */
                        for (job = G.job_list; job; job = job->next) {
                                if (job->pgrp <= 0)
                                        continue;
                                debug_printf_exec("HUPing pgrp %d\n", job->pgrp);
                                if (kill(- job->pgrp, SIGHUP) == 0)
                                        kill(- job->pgrp, SIGCONT);
                        }
                        sigexit(SIGHUP);
                }
#endif
#if ENABLE_HUSH_FAST
                case SIGCHLD:
                        debug_printf_exec("%s: sig:%d default SIGCHLD handler\n", __func__, sig);
                        G.count_SIGCHLD++;
//bb_error_msg("[%d] check_and_run_traps: G.count_SIGCHLD:%d G.handled_SIGCHLD:%d", getpid(), G.count_SIGCHLD, G.handled_SIGCHLD);
                        /* Note:
                         * We dont do 'last_sig = sig' here -> NOT returning this sig.
                         * This simplifies wait builtin a bit.
                         */
                        break;
#endif
                default: /* ignored: */
                        debug_printf_exec("%s: sig:%d default handling is to ignore\n", __func__, sig);
                        /* SIGTERM, SIGQUIT, SIGTTIN, SIGTTOU, SIGTSTP */
                        /* Note:
                         * We dont do 'last_sig = sig' here -> NOT returning this sig.
                         * Example: wait is not interrupted by TERM
                         * in interactive shell, because TERM is ignored.
                         */
                        break;
                }
        }
        return last_sig;
}


static const char *get_cwd(int force)
{
        if (force || G.cwd == NULL) {
                /* xrealloc_getcwd_or_warn(arg) calls free(arg),
                 * we must not try to free(bb_msg_unknown) */
                if (G.cwd == bb_msg_unknown)
                        G.cwd = NULL;
                G.cwd = xrealloc_getcwd_or_warn((char *)G.cwd);
                if (!G.cwd)
                        G.cwd = bb_msg_unknown;
        }
        return G.cwd;
}


/*
 * Shell and environment variable support
 */
static struct variable **get_ptr_to_local_var(const char *name, unsigned len)
{
        struct variable **pp;
        struct variable *cur;

        pp = &G.top_var;
        while ((cur = *pp) != NULL) {
                if (strncmp(cur->varstr, name, len) == 0 && cur->varstr[len] == '=')
                        return pp;
                pp = &cur->next;
        }
        return NULL;
}

static const char* FAST_FUNC get_local_var_value(const char *name)
{
        struct variable **vpp;
        unsigned len = strlen(name);

        if (G.expanded_assignments) {
                char **cpp = G.expanded_assignments;
                while (*cpp) {
                        char *cp = *cpp;
                        if (strncmp(cp, name, len) == 0 && cp[len] == '=')
                                return cp + len + 1;
                        cpp++;
                }
        }

        vpp = get_ptr_to_local_var(name, len);
        if (vpp)
                return (*vpp)->varstr + len + 1;

        if (strcmp(name, "PPID") == 0)
                return utoa(G.root_ppid);
        // bash compat: UID? EUID?
#if ENABLE_HUSH_RANDOM_SUPPORT
        if (strcmp(name, "RANDOM") == 0)
                return utoa(next_random(&G.random_gen));
#endif
        return NULL;
}

/* str holds "NAME=VAL" and is expected to be malloced.
 * We take ownership of it.
 * flg_export:
 *  0: do not change export flag
 *     (if creating new variable, flag will be 0)
 *  1: set export flag and putenv the variable
 * -1: clear export flag and unsetenv the variable
 * flg_read_only is set only when we handle -R var=val
 */
#if !BB_MMU && ENABLE_HUSH_LOCAL
/* all params are used */
#elif BB_MMU && ENABLE_HUSH_LOCAL
#define set_local_var(str, flg_export, local_lvl, flg_read_only) \
        set_local_var(str, flg_export, local_lvl)
#elif BB_MMU && !ENABLE_HUSH_LOCAL
#define set_local_var(str, flg_export, local_lvl, flg_read_only) \
        set_local_var(str, flg_export)
#elif !BB_MMU && !ENABLE_HUSH_LOCAL
#define set_local_var(str, flg_export, local_lvl, flg_read_only) \
        set_local_var(str, flg_export, flg_read_only)
#endif
static int set_local_var(char *str, int flg_export, int local_lvl, int flg_read_only)
{
        struct variable **var_pp;
        struct variable *cur;
        char *free_me = NULL;
        char *eq_sign;
        int name_len;

        eq_sign = strchr(str, '=');
        if (!eq_sign) { /* not expected to ever happen? */
                free(str);
                return -1;
        }

        name_len = eq_sign - str + 1; /* including '=' */
        var_pp = &G.top_var;
        while ((cur = *var_pp) != NULL) {
                if (strncmp(cur->varstr, str, name_len) != 0) {
                        var_pp = &cur->next;
                        continue;
                }

                /* We found an existing var with this name */
                if (cur->flg_read_only) {
#if !BB_MMU
                        if (!flg_read_only)
#endif
                                bb_error_msg("%s: readonly variable", str);
                        free(str);
                        return -1;
                }
                if (flg_export == -1) { // "&& cur->flg_export" ?
                        debug_printf_env("%s: unsetenv '%s'\n", __func__, str);
                        *eq_sign = '\0';
                        unsetenv(str);
                        *eq_sign = '=';
                }
#if ENABLE_HUSH_LOCAL
                if (cur->func_nest_level < local_lvl) {
                        /* New variable is declared as local,
                         * and existing one is global, or local
                         * from enclosing function.
                         * Remove and save old one: */
                        *var_pp = cur->next;
                        cur->next = *G.shadowed_vars_pp;
                        *G.shadowed_vars_pp = cur;
                        /* bash 3.2.33(1) and exported vars:
                         * # export z=z
                         * # f() { local z=a; env | grep ^z; }
                         * # f
                         * z=a
                         * # env | grep ^z
                         * z=z
                         */
                        if (cur->flg_export)
                                flg_export = 1;
                        break;
                }
#endif
                if (strcmp(cur->varstr + name_len, eq_sign + 1) == 0) {
 free_and_exp:
                        free(str);
                        goto exp;
                }
                if (cur->max_len != 0) {
                        if (cur->max_len >= strlen(str)) {
                                /* This one is from startup env, reuse space */
                                strcpy(cur->varstr, str);
                                goto free_and_exp;
                        }
                        /* Can't reuse */
                        cur->max_len = 0;
                        goto set_str_and_exp;
                }
                /* max_len == 0 signifies "malloced" var, which we can
                 * (and have to) free. But we can't free(cur->varstr) here:
                 * if cur->flg_export is 1, it is in the environment.
                 * We should either unsetenv+free, or wait until putenv,
                 * then putenv(new)+free(old).
                 */
                free_me = cur->varstr;
                goto set_str_and_exp;
        }

        /* Not found - create new variable struct */
        cur = xzalloc(sizeof(*cur));
#if ENABLE_HUSH_LOCAL
        cur->func_nest_level = local_lvl;
#endif
        cur->next = *var_pp;
        *var_pp = cur;

 set_str_and_exp:
        cur->varstr = str;
#if !BB_MMU
        cur->flg_read_only = flg_read_only;
#endif
 exp:
        if (flg_export == 1)
                cur->flg_export = 1;
        if (name_len == 4 && cur->varstr[0] == 'P' && cur->varstr[1] == 'S')
                cmdedit_update_prompt();
        if (cur->flg_export) {
                if (flg_export == -1) {
                        cur->flg_export = 0;
                        /* unsetenv was already done */
                } else {
                        int i;
                        debug_printf_env("%s: putenv '%s'\n", __func__, cur->varstr);
                        i = putenv(cur->varstr);
                        /* only now we can free old exported malloced string */
                        free(free_me);
                        return i;
                }
        }
        free(free_me);
        return 0;
}

/* Used at startup and after each cd */
static void set_pwd_var(int exp)
{
        set_local_var(xasprintf("PWD=%s", get_cwd(/*force:*/ 1)),

                /*exp:*/ exp, /*lvl:*/ 0, /*ro:*/ 0);
}

static int unset_local_var_len(const char *name, int name_len)
{
        struct variable *cur;
        struct variable **var_pp;

        if (!name)
                return EXIT_SUCCESS;
        var_pp = &G.top_var;
        while ((cur = *var_pp) != NULL) {
                if (strncmp(cur->varstr, name, name_len) == 0 && cur->varstr[name_len] == '=') {
                        if (cur->flg_read_only) {
                                bb_error_msg("%s: readonly variable", name);
                                return EXIT_FAILURE;
                        }
                        *var_pp = cur->next;
                        debug_printf_env("%s: unsetenv '%s'\n", __func__, cur->varstr);
                        bb_unsetenv(cur->varstr);
                        if (name_len == 3 && cur->varstr[0] == 'P' && cur->varstr[1] == 'S')
                                cmdedit_update_prompt();
                        if (!cur->max_len)
                                free(cur->varstr);
                        free(cur);
                        return EXIT_SUCCESS;
                }
                var_pp = &cur->next;
        }
        return EXIT_SUCCESS;
}

static int unset_local_var(const char *name)
{
        return unset_local_var_len(name, strlen(name));
}

static void unset_vars(char **strings)
{
        char **v;

        if (!strings)
                return;
        v = strings;
        while (*v) {
                const char *eq = strchrnul(*v, '=');
                unset_local_var_len(*v, (int)(eq - *v));
                v++;
        }
        free(strings);
}

static void FAST_FUNC set_local_var_from_halves(const char *name, const char *val)
{
        char *var = xasprintf("%s=%s", name, val);
        set_local_var(var, /*flags:*/ 0, /*lvl:*/ 0, /*ro:*/ 0);
}


/*
 * Helpers for "var1=val1 var2=val2 cmd" feature
 */
static void add_vars(struct variable *var)
{
        struct variable *next;

        while (var) {
                next = var->next;
                var->next = G.top_var;
                G.top_var = var;
                if (var->flg_export) {
                        debug_printf_env("%s: restoring exported '%s'\n", __func__, var->varstr);
                        putenv(var->varstr);
                } else {
                        debug_printf_env("%s: restoring variable '%s'\n", __func__, var->varstr);
                }
                var = next;
        }
}

static struct variable *set_vars_and_save_old(char **strings)
{
        char **s;
        struct variable *old = NULL;

        if (!strings)
                return old;
        s = strings;
        while (*s) {
                struct variable *var_p;
                struct variable **var_pp;
                char *eq;

                eq = strchr(*s, '=');
                if (eq) {
                        var_pp = get_ptr_to_local_var(*s, eq - *s);
                        if (var_pp) {
                                /* Remove variable from global linked list */
                                var_p = *var_pp;
                                debug_printf_env("%s: removing '%s'\n", __func__, var_p->varstr);
                                *var_pp = var_p->next;
                                /* Add it to returned list */
                                var_p->next = old;
                                old = var_p;
                        }
                        set_local_var(*s, /*exp:*/ 1, /*lvl:*/ 0, /*ro:*/ 0);
                }
                s++;
        }
        return old;
}


/*
 * Unicode helper
 */
static void reinit_unicode_for_hush(void)
{
        /* Unicode support should be activated even if LANG is set
         * _during_ shell execution, not only if it was set when
         * shell was started. Therefore, re-check LANG every time:
         */
        if (ENABLE_FEATURE_CHECK_UNICODE_IN_ENV
         || ENABLE_UNICODE_USING_LOCALE
        ) {
                const char *s = get_local_var_value("LC_ALL");
                if (!s) s = get_local_var_value("LC_CTYPE");
                if (!s) s = get_local_var_value("LANG");
                reinit_unicode(s);
        }
}

/*
 * in_str support (strings, and "strings" read from files).
 */

#if ENABLE_HUSH_INTERACTIVE
/* To test correct lineedit/interactive behavior, type from command line:
 *      echo $P\
 *      \
 *      AT\
 *      H\
 *      \
 * It excercises a lot of corner cases.
 */
static void cmdedit_update_prompt(void)
{
        if (ENABLE_FEATURE_EDITING_FANCY_PROMPT) {
                G.PS1 = get_local_var_value("PS1");
                if (G.PS1 == NULL)
                        G.PS1 = "\\w \\$ ";
                G.PS2 = get_local_var_value("PS2");
        } else {
                G.PS1 = NULL;
        }
        if (G.PS2 == NULL)
                G.PS2 = "> ";
}
static const char *setup_prompt_string(int promptmode)
{
        const char *prompt_str;
        debug_printf("setup_prompt_string %d ", promptmode);
        if (!ENABLE_FEATURE_EDITING_FANCY_PROMPT) {
                /* Set up the prompt */
                if (promptmode == 0) { /* PS1 */
                        free((char*)G.PS1);
                        /* bash uses $PWD value, even if it is set by user.
                         * It uses current dir only if PWD is unset.
                         * We always use current dir. */
                        G.PS1 = xasprintf("%s %c ", get_cwd(0), (geteuid() != 0) ? '$' : '#');
                        prompt_str = G.PS1;
                } else
                        prompt_str = G.PS2;
        } else
                prompt_str = (promptmode == 0) ? G.PS1 : G.PS2;
        debug_printf("prompt_str '%s'\n", prompt_str);
        return prompt_str;
}
static int get_user_input(struct in_str *i)
{
        int r;
        const char *prompt_str;

        prompt_str = setup_prompt_string(i->promptmode);
# if ENABLE_FEATURE_EDITING
        for (;;) {
                reinit_unicode_for_hush();
                if (G.flag_SIGINT) {
                        /* There was ^C'ed, make it look prettier: */
                        bb_putchar('\n');
                        G.flag_SIGINT = 0;
                }
                /* buglet: SIGINT will not make new prompt to appear _at once_,
                 * only after <Enter>. (^C works immediately) */
                r = read_line_input(G.line_input_state, prompt_str,
                                G.user_input_buf, CONFIG_FEATURE_EDITING_MAX_LEN-1,
                                /*timeout*/ -1
                );
                /* read_line_input intercepts ^C, "convert" it to SIGINT */
                if (r == 0) {
                        write(STDOUT_FILENO, "^C", 2);
                        raise(SIGINT);
                }
                check_and_run_traps();
                if (r != 0 && !G.flag_SIGINT)
                        break;
                /* ^C or SIGINT: repeat */
                G.last_exitcode = 128 + SIGINT;
        }
        if (r < 0) {
                /* EOF/error detected */
                i->p = NULL;
                i->peek_buf[0] = r = EOF;
                return r;
        }
        i->p = G.user_input_buf;
        return (unsigned char)*i->p++;
# else
        for (;;) {
                G.flag_SIGINT = 0;
                if (i->last_char == '\0' || i->last_char == '\n') {
                        /* Why check_and_run_traps here? Try this interactively:
                         * $ trap 'echo INT' INT; (sleep 2; kill -INT $$) &
                         * $ <[enter], repeatedly...>
                         * Without check_and_run_traps, handler never runs.
                         */
                        check_and_run_traps();
                        fputs(prompt_str, stdout);
                }
                fflush_all();
//FIXME: here ^C or SIGINT will have effect only after <Enter>
                r = fgetc(i->file);
                /* In !ENABLE_FEATURE_EDITING we don't use read_line_input,
                 * no ^C masking happens during fgetc, no special code for ^C:
                 * it generates SIGINT as usual.
                 */
                check_and_run_traps();
                if (G.flag_SIGINT)
                        G.last_exitcode = 128 + SIGINT;
                if (r != '\0')
                        break;
        }
        return r;
# endif
}
/* This is the magic location that prints prompts
 * and gets data back from the user */
static int fgetc_interactive(struct in_str *i)
{
        int ch;
        /* If it's interactive stdin, get new line. */
        if (G_interactive_fd && i->file == stdin) {
                /* Returns first char (or EOF), the rest is in i->p[] */
                ch = get_user_input(i);
                i->promptmode = 1; /* PS2 */
        } else {
                /* Not stdin: script file, sourced file, etc */
                do ch = fgetc(i->file); while (ch == '\0');
        }
        return ch;
}
#else
static inline int fgetc_interactive(struct in_str *i)
{
        int ch;
        do ch = fgetc(i->file); while (ch == '\0');
        return ch;
}
#endif  /* INTERACTIVE */

static int i_getch(struct in_str *i)
{
        int ch;

        if (!i->file) {
                /* string-based in_str */
                ch = (unsigned char)*i->p;
                if (ch != '\0') {
                        i->p++;
                        i->last_char = ch;
                        return ch;
                }
                return EOF;
        }

        /* FILE-based in_str */

#if ENABLE_FEATURE_EDITING
        /* This can be stdin, check line editing char[] buffer */
        if (i->p && *i->p != '\0') {
                ch = (unsigned char)*i->p++;
                goto out;
        }
#endif
        /* peek_buf[] is an int array, not char. Can contain EOF. */
        ch = i->peek_buf[0];
        if (ch != 0) {
                int ch2 = i->peek_buf[1];
                i->peek_buf[0] = ch2;
                if (ch2 == 0) /* very likely, avoid redundant write */
                        goto out;
                i->peek_buf[1] = 0;
                goto out;
        }

        ch = fgetc_interactive(i);
 out:
        debug_printf("file_get: got '%c' %d\n", ch, ch);
        i->last_char = ch;
        return ch;
}

static int i_peek(struct in_str *i)
{
        int ch;

        if (!i->file) {
                /* string-based in_str */
                /* Doesn't report EOF on NUL. None of the callers care. */
                return (unsigned char)*i->p;
        }

        /* FILE-based in_str */

#if ENABLE_FEATURE_EDITING && ENABLE_HUSH_INTERACTIVE
        /* This can be stdin, check line editing char[] buffer */
        if (i->p && *i->p != '\0')
                return (unsigned char)*i->p;
#endif
        /* peek_buf[] is an int array, not char. Can contain EOF. */
        ch = i->peek_buf[0];
        if (ch != 0)
                return ch;

        /* Need to get a new char */
        ch = fgetc_interactive(i);
        debug_printf("file_peek: got '%c' %d\n", ch, ch);

        /* Save it by either rolling back line editing buffer, or in i->peek_buf[0] */
#if ENABLE_FEATURE_EDITING && ENABLE_HUSH_INTERACTIVE
        if (i->p) {
                i->p -= 1;
                return ch;
        }
#endif
        i->peek_buf[0] = ch;
        /*i->peek_buf[1] = 0; - already is */
        return ch;
}

/* Only ever called if i_peek() was called, and did not return EOF.
 * IOW: we know the previous peek saw an ordinary char, not EOF, not NUL,
 * not end-of-line. Therefore we never need to read a new editing line here.
 */
static int i_peek2(struct in_str *i)
{
        int ch;

        /* There are two cases when i->p[] buffer exists.
         * (1) it's a string in_str.
         * (2) It's a file, and we have a saved line editing buffer.
         * In both cases, we know that i->p[0] exists and not NUL, and
         * the peek2 result is in i->p[1].
         */
        if (i->p)
                return (unsigned char)i->p[1];

        /* Now we know it is a file-based in_str. */

        /* peek_buf[] is an int array, not char. Can contain EOF. */
        /* Is there 2nd char? */
        ch = i->peek_buf[1];
        if (ch == 0) {
                /* We did not read it yet, get it now */
                do ch = fgetc(i->file); while (ch == '\0');
                i->peek_buf[1] = ch;
        }

        debug_printf("file_peek2: got '%c' %d\n", ch, ch);
        return ch;
}

static void setup_file_in_str(struct in_str *i, FILE *f)
{
        memset(i, 0, sizeof(*i));
        /* i->promptmode = 0; - PS1 (memset did it) */
        i->file = f;
        /* i->p = NULL; */
}

static void setup_string_in_str(struct in_str *i, const char *s)
{
        memset(i, 0, sizeof(*i));
        /* i->promptmode = 0; - PS1 (memset did it) */
        /*i->file = NULL */;
        i->p = s;
}


/*
 * o_string support
 */
#define B_CHUNK  (32 * sizeof(char*))

static void o_reset_to_empty_unquoted(o_string *o)
{
        o->length = 0;
        o->has_quoted_part = 0;
        if (o->data)
                o->data[0] = '\0';
}

static void o_free(o_string *o)
{
        free(o->data);
        memset(o, 0, sizeof(*o));
}

static ALWAYS_INLINE void o_free_unsafe(o_string *o)
{
        free(o->data);
}

static void o_grow_by(o_string *o, int len)
{
        if (o->length + len > o->maxlen) {
                o->maxlen += (2 * len) | (B_CHUNK-1);
                o->data = xrealloc(o->data, 1 + o->maxlen);
        }
}

static void o_addchr(o_string *o, int ch)
{
        debug_printf("o_addchr: '%c' o->length=%d o=%p\n", ch, o->length, o);
        if (o->length < o->maxlen) {
                /* likely. avoid o_grow_by() call */
 add:
                o->data[o->length] = ch;
                o->length++;
                o->data[o->length] = '\0';
                return;
        }
        o_grow_by(o, 1);
        goto add;
}

#if 0
/* Valid only if we know o_string is not empty */
static void o_delchr(o_string *o)
{
        o->length--;
        o->data[o->length] = '\0';
}
#endif

static void o_addblock(o_string *o, const char *str, int len)
{
        o_grow_by(o, len);
        memcpy(&o->data[o->length], str, len);
        o->length += len;
        o->data[o->length] = '\0';
}

static void o_addstr(o_string *o, const char *str)
{
        o_addblock(o, str, strlen(str));
}

#if !BB_MMU
static void nommu_addchr(o_string *o, int ch)
{
        if (o)
                o_addchr(o, ch);
}
#else
# define nommu_addchr(o, str) ((void)0)
#endif

static void o_addstr_with_NUL(o_string *o, const char *str)
{
        o_addblock(o, str, strlen(str) + 1);
}

/*
 * HUSH_BRACE_EXPANSION code needs corresponding quoting on variable expansion side.
 * Currently, "v='{q,w}'; echo $v" erroneously expands braces in $v.
 * Apparently, on unquoted $v bash still does globbing
 * ("v='*.txt'; echo $v" prints all .txt files),
 * but NOT brace expansion! Thus, there should be TWO independent
 * quoting mechanisms on $v expansion side: one protects
 * $v from brace expansion, and other additionally protects "$v" against globbing.
 * We have only second one.
 */

#if ENABLE_HUSH_BRACE_EXPANSION
# define MAYBE_BRACES "{}"
#else
# define MAYBE_BRACES ""
#endif

/* My analysis of quoting semantics tells me that state information
 * is associated with a destination, not a source.
 */
static void o_addqchr(o_string *o, int ch)
{
        int sz = 1;
        char *found = strchr("*?[\\" MAYBE_BRACES, ch);
        if (found)
                sz++;
        o_grow_by(o, sz);
        if (found) {
                o->data[o->length] = '\\';
                o->length++;
        }
        o->data[o->length] = ch;
        o->length++;
        o->data[o->length] = '\0';
}

static void o_addQchr(o_string *o, int ch)
{
        int sz = 1;
        if ((o->o_expflags & EXP_FLAG_ESC_GLOB_CHARS)
         && strchr("*?[\\" MAYBE_BRACES, ch)
        ) {
                sz++;
                o->data[o->length] = '\\';
                o->length++;
        }
        o_grow_by(o, sz);
        o->data[o->length] = ch;
        o->length++;
        o->data[o->length] = '\0';
}

static void o_addqblock(o_string *o, const char *str, int len)
{
        while (len) {
                char ch;
                int sz;
                int ordinary_cnt = strcspn(str, "*?[\\" MAYBE_BRACES);
                if (ordinary_cnt > len) /* paranoia */
                        ordinary_cnt = len;
                o_addblock(o, str, ordinary_cnt);
                if (ordinary_cnt == len)
                        return; /* NUL is already added by o_addblock */
                str += ordinary_cnt;
                len -= ordinary_cnt + 1; /* we are processing + 1 char below */

                ch = *str++;
                sz = 1;
                if (ch) { /* it is necessarily one of "*?[\\" MAYBE_BRACES */
                        sz++;
                        o->data[o->length] = '\\';
                        o->length++;
                }
                o_grow_by(o, sz);
                o->data[o->length] = ch;
                o->length++;
        }
        o->data[o->length] = '\0';
}

static void o_addQblock(o_string *o, const char *str, int len)
{
        if (!(o->o_expflags & EXP_FLAG_ESC_GLOB_CHARS)) {
                o_addblock(o, str, len);
                return;
        }
        o_addqblock(o, str, len);
}

static void o_addQstr(o_string *o, const char *str)
{
        o_addQblock(o, str, strlen(str));
}

/* A special kind of o_string for $VAR and `cmd` expansion.
 * It contains char* list[] at the beginning, which is grown in 16 element
 * increments. Actual string data starts at the next multiple of 16 * (char*).
 * list[i] contains an INDEX (int!) into this string data.
 * It means that if list[] needs to grow, data needs to be moved higher up
 * but list[i]'s need not be modified.
 * NB: remembering how many list[i]'s you have there is crucial.
 * o_finalize_list() operation post-processes this structure - calculates
 * and stores actual char* ptrs in list[]. Oh, it NULL terminates it as well.
 */
#if DEBUG_EXPAND || DEBUG_GLOB
static void debug_print_list(const char *prefix, o_string *o, int n)
{
        char **list = (char**)o->data;
        int string_start = ((n + 0xf) & ~0xf) * sizeof(list[0]);
        int i = 0;

        indent();
        fdprintf(2, "%s: list:%p n:%d string_start:%d length:%d maxlen:%d glob:%d quoted:%d escape:%d\n",
                        prefix, list, n, string_start, o->length, o->maxlen,
                        !!(o->o_expflags & EXP_FLAG_GLOB),
                        o->has_quoted_part,
                        !!(o->o_expflags & EXP_FLAG_ESC_GLOB_CHARS));
        while (i < n) {
                indent();
                fdprintf(2, " list[%d]=%d '%s' %p\n", i, (int)(uintptr_t)list[i],
                                o->data + (int)(uintptr_t)list[i] + string_start,
                                o->data + (int)(uintptr_t)list[i] + string_start);
                i++;
        }
        if (n) {
                const char *p = o->data + (int)(uintptr_t)list[n - 1] + string_start;
                indent();
                fdprintf(2, " total_sz:%ld\n", (long)((p + strlen(p) + 1) - o->data));
        }
}
#else
# define debug_print_list(prefix, o, n) ((void)0)
#endif

/* n = o_save_ptr_helper(str, n) "starts new string" by storing an index value
 * in list[n] so that it points past last stored byte so far.
 * It returns n+1. */
static int o_save_ptr_helper(o_string *o, int n)
{
        char **list = (char**)o->data;
        int string_start;
        int string_len;

        if (!o->has_empty_slot) {
                string_start = ((n + 0xf) & ~0xf) * sizeof(list[0]);
                string_len = o->length - string_start;
                if (!(n & 0xf)) { /* 0, 0x10, 0x20...? */
                        debug_printf_list("list[%d]=%d string_start=%d (growing)\n", n, string_len, string_start);
                        /* list[n] points to string_start, make space for 16 more pointers */
                        o->maxlen += 0x10 * sizeof(list[0]);
                        o->data = xrealloc(o->data, o->maxlen + 1);
                        list = (char**)o->data;
                        memmove(list + n + 0x10, list + n, string_len);
                        o->length += 0x10 * sizeof(list[0]);
                } else {
                        debug_printf_list("list[%d]=%d string_start=%d\n",
                                        n, string_len, string_start);
                }
        } else {
                /* We have empty slot at list[n], reuse without growth */
                string_start = ((n+1 + 0xf) & ~0xf) * sizeof(list[0]); /* NB: n+1! */
                string_len = o->length - string_start;
                debug_printf_list("list[%d]=%d string_start=%d (empty slot)\n",
                                n, string_len, string_start);
                o->has_empty_slot = 0;
        }
        o->has_quoted_part = 0;
        list[n] = (char*)(uintptr_t)string_len;
        return n + 1;
}

/* "What was our last o_save_ptr'ed position (byte offset relative o->data)?" */
static int o_get_last_ptr(o_string *o, int n)
{
        char **list = (char**)o->data;
        int string_start = ((n + 0xf) & ~0xf) * sizeof(list[0]);

        return ((int)(uintptr_t)list[n-1]) + string_start;
}

#if ENABLE_HUSH_BRACE_EXPANSION
/* There in a GNU extension, GLOB_BRACE, but it is not usable:
 * first, it processes even {a} (no commas), second,
 * I didn't manage to make it return strings when they don't match
 * existing files. Need to re-implement it.
 */

/* Helper */
static int glob_needed(const char *s)
{
        while (*s) {
                if (*s == '\\') {
                        if (!s[1])
                                return 0;
                        s += 2;
                        continue;
                }
                if (*s == '*' || *s == '[' || *s == '?' || *s == '{')
                        return 1;
                s++;
        }
        return 0;
}
/* Return pointer to next closing brace or to comma */
static const char *next_brace_sub(const char *cp)
{
        unsigned depth = 0;
        cp++;
        while (*cp != '\0') {
                if (*cp == '\\') {
                        if (*++cp == '\0')
                                break;
                        cp++;
                        continue;
                }
                if ((*cp == '}' && depth-- == 0) || (*cp == ',' && depth == 0))
                        break;
                if (*cp++ == '{')
                        depth++;
        }

        return *cp != '\0' ? cp : NULL;
}
/* Recursive brace globber. Note: may garble pattern[]. */
static int glob_brace(char *pattern, o_string *o, int n)
{
        char *new_pattern_buf;
        const char *begin;
        const char *next;
        const char *rest;
        const char *p;
        size_t rest_len;

        debug_printf_glob("glob_brace('%s')\n", pattern);

        begin = pattern;
        while (1) {
                if (*begin == '\0')
                        goto simple_glob;
                if (*begin == '{') {
                        /* Find the first sub-pattern and at the same time
                         * find the rest after the closing brace */
                        next = next_brace_sub(begin);
                        if (next == NULL) {
                                /* An illegal expression */
                                goto simple_glob;
                        }
                        if (*next == '}') {
                                /* "{abc}" with no commas - illegal
                                 * brace expr, disregard and skip it */
                                begin = next + 1;
                                continue;
                        }
                        break;
                }
                if (*begin == '\\' && begin[1] != '\0')
                        begin++;
                begin++;
        }
        debug_printf_glob("begin:%s\n", begin);
        debug_printf_glob("next:%s\n", next);

        /* Now find the end of the whole brace expression */
        rest = next;
        while (*rest != '}') {
                rest = next_brace_sub(rest);
                if (rest == NULL) {
                        /* An illegal expression */
                        goto simple_glob;
                }
                debug_printf_glob("rest:%s\n", rest);
        }
        rest_len = strlen(++rest) + 1;

        /* We are sure the brace expression is well-formed */

        /* Allocate working buffer large enough for our work */
        new_pattern_buf = xmalloc(strlen(pattern));

        /* We have a brace expression.  BEGIN points to the opening {,
         * NEXT points past the terminator of the first element, and REST
         * points past the final }.  We will accumulate result names from
         * recursive runs for each brace alternative in the buffer using
         * GLOB_APPEND.  */

        p = begin + 1;
        while (1) {
                /* Construct the new glob expression */
                memcpy(
                        mempcpy(
                                mempcpy(new_pattern_buf,
                                        /* We know the prefix for all sub-patterns */
                                        pattern, begin - pattern),
                                p, next - p),
                        rest, rest_len);

                /* Note: glob_brace() may garble new_pattern_buf[].
                 * That's why we re-copy prefix every time (1st memcpy above).
                 */
                n = glob_brace(new_pattern_buf, o, n);
                if (*next == '}') {
                        /* We saw the last entry */
                        break;
                }
                p = next + 1;
                next = next_brace_sub(next);
        }
        free(new_pattern_buf);
        return n;

 simple_glob:
        {
                int gr;
                glob_t globdata;

                memset(&globdata, 0, sizeof(globdata));
                gr = glob(pattern, 0, NULL, &globdata);
                debug_printf_glob("glob('%s'):%d\n", pattern, gr);
                if (gr != 0) {
                        if (gr == GLOB_NOMATCH) {
                                globfree(&globdata);
                                /* NB: garbles parameter */
                                unbackslash(pattern);
                                o_addstr_with_NUL(o, pattern);
                                debug_printf_glob("glob pattern '%s' is literal\n", pattern);
                                return o_save_ptr_helper(o, n);
                        }
                        if (gr == GLOB_NOSPACE)
                                bb_error_msg_and_die(bb_msg_memory_exhausted);
                        /* GLOB_ABORTED? Only happens with GLOB_ERR flag,
                         * but we didn't specify it. Paranoia again. */
                        bb_error_msg_and_die("glob error %d on '%s'", gr, pattern);
                }
                if (globdata.gl_pathv && globdata.gl_pathv[0]) {
                        char **argv = globdata.gl_pathv;
                        while (1) {
                                o_addstr_with_NUL(o, *argv);
                                n = o_save_ptr_helper(o, n);
                                argv++;
                                if (!*argv)
                                        break;
                        }
                }
                globfree(&globdata);
        }
        return n;
}
/* Performs globbing on last list[],
 * saving each result as a new list[].
 */
static int perform_glob(o_string *o, int n)
{
        char *pattern, *copy;

        debug_printf_glob("start perform_glob: n:%d o->data:%p\n", n, o->data);
        if (!o->data)
                return o_save_ptr_helper(o, n);
        pattern = o->data + o_get_last_ptr(o, n);
        debug_printf_glob("glob pattern '%s'\n", pattern);
        if (!glob_needed(pattern)) {
                /* unbackslash last string in o in place, fix length */
                o->length = unbackslash(pattern) - o->data;
                debug_printf_glob("glob pattern '%s' is literal\n", pattern);
                return o_save_ptr_helper(o, n);
        }

        copy = xstrdup(pattern);
        /* "forget" pattern in o */
        o->length = pattern - o->data;
        n = glob_brace(copy, o, n);
        free(copy);
        if (DEBUG_GLOB)
                debug_print_list("perform_glob returning", o, n);
        return n;
}

#else /* !HUSH_BRACE_EXPANSION */

/* Helper */
static int glob_needed(const char *s)
{
        while (*s) {
                if (*s == '\\') {
                        if (!s[1])
                                return 0;
                        s += 2;
                        continue;
                }
                if (*s == '*' || *s == '[' || *s == '?')
                        return 1;
                s++;
        }
        return 0;
}
/* Performs globbing on last list[],
 * saving each result as a new list[].
 */
static int perform_glob(o_string *o, int n)
{
        glob_t globdata;
        int gr;
        char *pattern;

        debug_printf_glob("start perform_glob: n:%d o->data:%p\n", n, o->data);
        if (!o->data)
                return o_save_ptr_helper(o, n);
        pattern = o->data + o_get_last_ptr(o, n);
        debug_printf_glob("glob pattern '%s'\n", pattern);
        if (!glob_needed(pattern)) {
 literal:
                /* unbackslash last string in o in place, fix length */
                o->length = unbackslash(pattern) - o->data;
                debug_printf_glob("glob pattern '%s' is literal\n", pattern);
                return o_save_ptr_helper(o, n);
        }

        memset(&globdata, 0, sizeof(globdata));
        /* Can't use GLOB_NOCHECK: it does not unescape the string.
         * If we glob "*.\*" and don't find anything, we need
         * to fall back to using literal "*.*", but GLOB_NOCHECK
         * will return "*.\*"!
         */
        gr = glob(pattern, 0, NULL, &globdata);
        debug_printf_glob("glob('%s'):%d\n", pattern, gr);
        if (gr != 0) {
                if (gr == GLOB_NOMATCH) {
                        globfree(&globdata);
                        goto literal;
                }
                if (gr == GLOB_NOSPACE)
                        bb_error_msg_and_die(bb_msg_memory_exhausted);
                /* GLOB_ABORTED? Only happens with GLOB_ERR flag,
                 * but we didn't specify it. Paranoia again. */
                bb_error_msg_and_die("glob error %d on '%s'", gr, pattern);
        }
        if (globdata.gl_pathv && globdata.gl_pathv[0]) {
                char **argv = globdata.gl_pathv;
                /* "forget" pattern in o */
                o->length = pattern - o->data;
                while (1) {
                        o_addstr_with_NUL(o, *argv);
                        n = o_save_ptr_helper(o, n);
                        argv++;
                        if (!*argv)
                                break;
                }
        }
        globfree(&globdata);
        if (DEBUG_GLOB)
                debug_print_list("perform_glob returning", o, n);
        return n;
}

#endif /* !HUSH_BRACE_EXPANSION */

/* If o->o_expflags & EXP_FLAG_GLOB, glob the string so far remembered.
 * Otherwise, just finish current list[] and start new */
static int o_save_ptr(o_string *o, int n)
{
        if (o->o_expflags & EXP_FLAG_GLOB) {
                /* If o->has_empty_slot, list[n] was already globbed
                 * (if it was requested back then when it was filled)
                 * so don't do that again! */
                if (!o->has_empty_slot)
                        return perform_glob(o, n); /* o_save_ptr_helper is inside */
        }
        return o_save_ptr_helper(o, n);
}

/* "Please convert list[n] to real char* ptrs, and NULL terminate it." */
static char **o_finalize_list(o_string *o, int n)
{
        char **list;
        int string_start;

        n = o_save_ptr(o, n); /* force growth for list[n] if necessary */
        if (DEBUG_EXPAND)
                debug_print_list("finalized", o, n);
        debug_printf_expand("finalized n:%d\n", n);
        list = (char**)o->data;
        string_start = ((n + 0xf) & ~0xf) * sizeof(list[0]);
        list[--n] = NULL;
        while (n) {
                n--;
                list[n] = o->data + (int)(uintptr_t)list[n] + string_start;
        }
        return list;
}

static void free_pipe_list(struct pipe *pi);

/* Returns pi->next - next pipe in the list */
static struct pipe *free_pipe(struct pipe *pi)
{
        struct pipe *next;
        int i;

        debug_printf_clean("free_pipe (pid %d)\n", getpid());
        for (i = 0; i < pi->num_cmds; i++) {
                struct command *command;
                struct redir_struct *r, *rnext;

                command = &pi->cmds[i];
                debug_printf_clean("  command %d:\n", i);
                if (command->argv) {
                        if (DEBUG_CLEAN) {
                                int a;
                                char **p;
                                for (a = 0, p = command->argv; *p; a++, p++) {
                                        debug_printf_clean("   argv[%d] = %s\n", a, *p);
                                }
                        }
                        free_strings(command->argv);
                        //command->argv = NULL;
                }
                /* not "else if": on syntax error, we may have both! */
                if (command->group) {

                        debug_printf_clean("   begin group (cmd_type:%d)\n",
                                        command->cmd_type);
                        free_pipe_list(command->group);
                        debug_printf_clean("   end group\n");
                        //command->group = NULL;
                }
                /* else is crucial here.
                 * If group != NULL, child_func is meaningless */
#if ENABLE_HUSH_FUNCTIONS
                else if (command->child_func) {
                        debug_printf_exec("cmd %p releases child func at %p\n", command, command->child_func);
                        command->child_func->parent_cmd = NULL;
                }
#endif
#if !BB_MMU
                free(command->group_as_string);
                //command->group_as_string = NULL;
#endif
                for (r = command->redirects; r; r = rnext) {
                        debug_printf_clean("   redirect %d%s",
                                        r->rd_fd, redir_table[r->rd_type].descrip);
                        /* guard against the case >$FOO, where foo is unset or blank */
                        if (r->rd_filename) {
                                debug_printf_clean(" fname:'%s'\n", r->rd_filename);
                                free(r->rd_filename);
                                //r->rd_filename = NULL;
                        }
                        debug_printf_clean(" rd_dup:%d\n", r->rd_dup);
                        rnext = r->next;
                        free(r);
                }
                //command->redirects = NULL;
        }
        free(pi->cmds);   /* children are an array, they get freed all at once */
        //pi->cmds = NULL;
#if ENABLE_HUSH_JOB
        free(pi->cmdtext);
        //pi->cmdtext = NULL;
#endif

        next = pi->next;
        free(pi);
        return next;
}

static void free_pipe_list(struct pipe *pi)
{
        while (pi) {
#if HAS_KEYWORDS
                debug_printf_clean("pipe reserved word %d\n", pi->res_word);
#endif
                debug_printf_clean("pipe followup code %d\n", pi->followup);
                pi = free_pipe(pi);
        }
}


/*** Parsing routines ***/

#ifndef debug_print_tree
static void debug_print_tree(struct pipe *pi, int lvl)
{
        static const char *const PIPE[] = {
                [PIPE_SEQ] = "SEQ",
                [PIPE_AND] = "AND",
                [PIPE_OR ] = "OR" ,
                [PIPE_BG ] = "BG" ,
        };
        static const char *RES[] = {
                [RES_NONE ] = "NONE" ,
# if ENABLE_HUSH_IF
                [RES_IF   ] = "IF"   ,
                [RES_THEN ] = "THEN" ,
                [RES_ELIF ] = "ELIF" ,
                [RES_ELSE ] = "ELSE" ,
                [RES_FI   ] = "FI"   ,
# endif
# if ENABLE_HUSH_LOOPS
                [RES_FOR  ] = "FOR"  ,
                [RES_WHILE] = "WHILE",
                [RES_UNTIL] = "UNTIL",
                [RES_DO   ] = "DO"   ,
                [RES_DONE ] = "DONE" ,
# endif
# if ENABLE_HUSH_LOOPS || ENABLE_HUSH_CASE
                [RES_IN   ] = "IN"   ,
# endif
# if ENABLE_HUSH_CASE
                [RES_CASE ] = "CASE" ,
                [RES_CASE_IN ] = "CASE_IN" ,
                [RES_MATCH] = "MATCH",
                [RES_CASE_BODY] = "CASE_BODY",
                [RES_ESAC ] = "ESAC" ,
# endif
                [RES_XXXX ] = "XXXX" ,
                [RES_SNTX ] = "SNTX" ,
        };
        static const char *const CMDTYPE[] = {
                "{}",
                "()",
                "[noglob]",
# if ENABLE_HUSH_FUNCTIONS
                "func()",
# endif
        };

        int pin, prn;

        pin = 0;
        while (pi) {
                fdprintf(2, "%*spipe %d res_word=%s followup=%d %s\n", lvl*2, "",
                                pin, RES[pi->res_word], pi->followup, PIPE[pi->followup]);
                prn = 0;
                while (prn < pi->num_cmds) {
                        struct command *command = &pi->cmds[prn];
                        char **argv = command->argv;

                        fdprintf(2, "%*s cmd %d assignment_cnt:%d",
                                        lvl*2, "", prn,
                                        command->assignment_cnt);
                        if (command->group) {
                                fdprintf(2, " group %s: (argv=%p)%s%s\n",
                                                CMDTYPE[command->cmd_type],
                                                argv
# if !BB_MMU
                                                , " group_as_string:", command->group_as_string
# else
                                                , "", ""
# endif
                                );
                                debug_print_tree(command->group, lvl+1);
                                prn++;
                                continue;
                        }
                        if (argv) while (*argv) {
                                fdprintf(2, " '%s'", *argv);
                                argv++;
                        }
                        fdprintf(2, "\n");
                        prn++;
                }
                pi = pi->next;
                pin++;
        }
}
#endif /* debug_print_tree */

static struct pipe *new_pipe(void)
{
        struct pipe *pi;
        pi = xzalloc(sizeof(struct pipe));
        /*pi->res_word = RES_NONE; - RES_NONE is 0 anyway */
        return pi;
}

/* Command (member of a pipe) is complete, or we start a new pipe
 * if ctx->command is NULL.
 * No errors possible here.
 */
static int done_command(struct parse_context *ctx)
{
        /* The command is really already in the pipe structure, so
         * advance the pipe counter and make a new, null command. */
        struct pipe *pi = ctx->pipe;
        struct command *command = ctx->command;

#if 0   /* Instead we emit error message at run time */
        if (ctx->pending_redirect) {
                /* For example, "cmd >" (no filename to redirect to) */
                die_if_script("syntax error: %s", "invalid redirect");
                ctx->pending_redirect = NULL;
        }
#endif

        if (command) {
                if (IS_NULL_CMD(command)) {
                        debug_printf_parse("done_command: skipping null cmd, num_cmds=%d\n", pi->num_cmds);
                        goto clear_and_ret;
                }
                pi->num_cmds++;
                debug_printf_parse("done_command: ++num_cmds=%d\n", pi->num_cmds);
                //debug_print_tree(ctx->list_head, 20);
        } else {
                debug_printf_parse("done_command: initializing, num_cmds=%d\n", pi->num_cmds);
        }

        /* Only real trickiness here is that the uncommitted
         * command structure is not counted in pi->num_cmds. */
        pi->cmds = xrealloc(pi->cmds, sizeof(*pi->cmds) * (pi->num_cmds+1));
        ctx->command = command = &pi->cmds[pi->num_cmds];
 clear_and_ret:
        memset(command, 0, sizeof(*command));
        return pi->num_cmds; /* used only for 0/nonzero check */
}

static void done_pipe(struct parse_context *ctx, pipe_style type)
{
        int not_null;

        debug_printf_parse("done_pipe entered, followup %d\n", type);
        /* Close previous command */
        not_null = done_command(ctx);
        ctx->pipe->followup = type;
#if HAS_KEYWORDS
        ctx->pipe->pi_inverted = ctx->ctx_inverted;
        ctx->ctx_inverted = 0;
        ctx->pipe->res_word = ctx->ctx_res_w;
#endif

        /* Without this check, even just <enter> on command line generates
         * tree of three NOPs (!). Which is harmless but annoying.
         * IOW: it is safe to do it unconditionally. */
        if (not_null
#if ENABLE_HUSH_IF
         || ctx->ctx_res_w == RES_FI
#endif
#if ENABLE_HUSH_LOOPS
         || ctx->ctx_res_w == RES_DONE
         || ctx->ctx_res_w == RES_FOR
         || ctx->ctx_res_w == RES_IN
#endif
#if ENABLE_HUSH_CASE
         || ctx->ctx_res_w == RES_ESAC
#endif
        ) {
                struct pipe *new_p;
                debug_printf_parse("done_pipe: adding new pipe: "
                                "not_null:%d ctx->ctx_res_w:%d\n",
                                not_null, ctx->ctx_res_w);
                new_p = new_pipe();
                ctx->pipe->next = new_p;
                ctx->pipe = new_p;
                /* RES_THEN, RES_DO etc are "sticky" -
                 * they remain set for pipes inside if/while.
                 * This is used to control execution.
                 * RES_FOR and RES_IN are NOT sticky (needed to support
                 * cases where variable or value happens to match a keyword):
                 */
#if ENABLE_HUSH_LOOPS
                if (ctx->ctx_res_w == RES_FOR
                 || ctx->ctx_res_w == RES_IN)
                        ctx->ctx_res_w = RES_NONE;
#endif
#if ENABLE_HUSH_CASE
                if (ctx->ctx_res_w == RES_MATCH)
                        ctx->ctx_res_w = RES_CASE_BODY;
                if (ctx->ctx_res_w == RES_CASE)
                        ctx->ctx_res_w = RES_CASE_IN;
#endif
                ctx->command = NULL; /* trick done_command below */
                /* Create the memory for command, roughly:
                 * ctx->pipe->cmds = new struct command;
                 * ctx->command = &ctx->pipe->cmds[0];
                 */
                done_command(ctx);
                //debug_print_tree(ctx->list_head, 10);
        }
        debug_printf_parse("done_pipe return\n");
}

static void initialize_context(struct parse_context *ctx)
{
        memset(ctx, 0, sizeof(*ctx));
        ctx->pipe = ctx->list_head = new_pipe();
        /* Create the memory for command, roughly:
         * ctx->pipe->cmds = new struct command;
         * ctx->command = &ctx->pipe->cmds[0];
         */
        done_command(ctx);
}

/* If a reserved word is found and processed, parse context is modified
 * and 1 is returned.
 */
#if HAS_KEYWORDS
struct reserved_combo {
        char literal[6];
        unsigned char res;
        unsigned char assignment_flag;
        int flag;
};
enum {
        FLAG_END   = (1 << RES_NONE ),
# if ENABLE_HUSH_IF
        FLAG_IF    = (1 << RES_IF   ),
        FLAG_THEN  = (1 << RES_THEN ),
        FLAG_ELIF  = (1 << RES_ELIF ),
        FLAG_ELSE  = (1 << RES_ELSE ),
        FLAG_FI    = (1 << RES_FI   ),
# endif
# if ENABLE_HUSH_LOOPS
        FLAG_FOR   = (1 << RES_FOR  ),
        FLAG_WHILE = (1 << RES_WHILE),
        FLAG_UNTIL = (1 << RES_UNTIL),
        FLAG_DO    = (1 << RES_DO   ),
        FLAG_DONE  = (1 << RES_DONE ),
        FLAG_IN    = (1 << RES_IN   ),
# endif
# if ENABLE_HUSH_CASE
        FLAG_MATCH = (1 << RES_MATCH),
        FLAG_ESAC  = (1 << RES_ESAC ),
# endif
        FLAG_START = (1 << RES_XXXX ),
};

static const struct reserved_combo* match_reserved_word(o_string *word)
{
        /* Mostly a list of accepted follow-up reserved words.
         * FLAG_END means we are done with the sequence, and are ready
         * to turn the compound list into a command.
         * FLAG_START means the word must start a new compound list.
         */
        static const struct reserved_combo reserved_list[] = {
# if ENABLE_HUSH_IF
                { "!",     RES_NONE,  NOT_ASSIGNMENT  , 0 },
                { "if",    RES_IF,    MAYBE_ASSIGNMENT, FLAG_THEN | FLAG_START },
                { "then",  RES_THEN,  MAYBE_ASSIGNMENT, FLAG_ELIF | FLAG_ELSE | FLAG_FI },
                { "elif",  RES_ELIF,  MAYBE_ASSIGNMENT, FLAG_THEN },
                { "else",  RES_ELSE,  MAYBE_ASSIGNMENT, FLAG_FI   },
                { "fi",    RES_FI,    NOT_ASSIGNMENT  , FLAG_END  },
# endif
# if ENABLE_HUSH_LOOPS
                { "for",   RES_FOR,   NOT_ASSIGNMENT  , FLAG_IN | FLAG_DO | FLAG_START },
                { "while", RES_WHILE, MAYBE_ASSIGNMENT, FLAG_DO | FLAG_START },
                { "until", RES_UNTIL, MAYBE_ASSIGNMENT, FLAG_DO | FLAG_START },
                { "in",    RES_IN,    NOT_ASSIGNMENT  , FLAG_DO   },
                { "do",    RES_DO,    MAYBE_ASSIGNMENT, FLAG_DONE },
                { "done",  RES_DONE,  NOT_ASSIGNMENT  , FLAG_END  },
# endif
# if ENABLE_HUSH_CASE
                { "case",  RES_CASE,  NOT_ASSIGNMENT  , FLAG_MATCH | FLAG_START },
                { "esac",  RES_ESAC,  NOT_ASSIGNMENT  , FLAG_END  },
# endif
        };
        const struct reserved_combo *r;

        for (r = reserved_list; r < reserved_list + ARRAY_SIZE(reserved_list); r++) {
                if (strcmp(word->data, r->literal) == 0)
                        return r;
        }
        return NULL;
}
/* Return 0: not a keyword, 1: keyword
 */
static int reserved_word(o_string *word, struct parse_context *ctx)
{
# if ENABLE_HUSH_CASE
        static const struct reserved_combo reserved_match = {
                "",        RES_MATCH, NOT_ASSIGNMENT , FLAG_MATCH | FLAG_ESAC
        };
# endif
        const struct reserved_combo *r;

        if (word->has_quoted_part)
                return 0;
        r = match_reserved_word(word);
        if (!r)
                return 0;

        debug_printf("found reserved word %s, res %d\n", r->literal, r->res);
# if ENABLE_HUSH_CASE
        if (r->res == RES_IN && ctx->ctx_res_w == RES_CASE_IN) {
                /* "case word IN ..." - IN part starts first MATCH part */
                r = &reserved_match;
        } else
# endif
        if (r->flag == 0) { /* '!' */
                if (ctx->ctx_inverted) { /* bash doesn't accept '! ! true' */
                        syntax_error("! ! command");
                        ctx->ctx_res_w = RES_SNTX;
                }
                ctx->ctx_inverted = 1;
                return 1;
        }
        if (r->flag & FLAG_START) {
                struct parse_context *old;

                old = xmalloc(sizeof(*old));
                debug_printf_parse("push stack %p\n", old);
                *old = *ctx;   /* physical copy */
                initialize_context(ctx);
                ctx->stack = old;
        } else if (/*ctx->ctx_res_w == RES_NONE ||*/ !(ctx->old_flag & (1 << r->res))) {
                syntax_error_at(word->data);
                ctx->ctx_res_w = RES_SNTX;
                return 1;
        } else {
                /* "{...} fi" is ok. "{...} if" is not
                 * Example:
                 * if { echo foo; } then { echo bar; } fi */
                if (ctx->command->group)
                        done_pipe(ctx, PIPE_SEQ);
        }

        ctx->ctx_res_w = r->res;
        ctx->old_flag = r->flag;
        word->o_assignment = r->assignment_flag;
        debug_printf_parse("word->o_assignment='%s'\n", assignment_flag[word->o_assignment]);

        if (ctx->old_flag & FLAG_END) {
                struct parse_context *old;

                done_pipe(ctx, PIPE_SEQ);
                debug_printf_parse("pop stack %p\n", ctx->stack);
                old = ctx->stack;
                old->command->group = ctx->list_head;
                old->command->cmd_type = CMD_NORMAL;
# if !BB_MMU
                /* At this point, the compound command's string is in
                 * ctx->as_string... except for the leading keyword!
                 * Consider this example: "echo a | if true; then echo a; fi"
                 * ctx->as_string will contain "true; then echo a; fi",
                 * with "if " remaining in old->as_string!
                 */
                {
                        char *str;
                        int len = old->as_string.length;
                        /* Concatenate halves */
                        o_addstr(&old->as_string, ctx->as_string.data);
                        o_free_unsafe(&ctx->as_string);
                        /* Find where leading keyword starts in first half */
                        str = old->as_string.data + len;
                        if (str > old->as_string.data)
                                str--; /* skip whitespace after keyword */
                        while (str > old->as_string.data && isalpha(str[-1]))
                                str--;
                        /* Ugh, we're done with this horrid hack */
                        old->command->group_as_string = xstrdup(str);
                        debug_printf_parse("pop, remembering as:'%s'\n",
                                        old->command->group_as_string);
                }
# endif
                *ctx = *old;   /* physical copy */
                free(old);
        }
        return 1;
}
#endif /* HAS_KEYWORDS */

/* Word is complete, look at it and update parsing context.
 * Normal return is 0. Syntax errors return 1.
 * Note: on return, word is reset, but not o_free'd!
 */
static int done_word(o_string *word, struct parse_context *ctx)
{
        struct command *command = ctx->command;

        debug_printf_parse("done_word entered: '%s' %p\n", word->data, command);
        if (word->length == 0 && !word->has_quoted_part) {
                debug_printf_parse("done_word return 0: true null, ignored\n");
                return 0;
        }

        if (ctx->pending_redirect) {
                /* We do not glob in e.g. >*.tmp case. bash seems to glob here
                 * only if run as "bash", not "sh" */
                /* http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html
                 * "2.7 Redirection
                 * ...the word that follows the redirection operator
                 * shall be subjected to tilde expansion, parameter expansion,
                 * command substitution, arithmetic expansion, and quote
                 * removal. Pathname expansion shall not be performed
                 * on the word by a non-interactive shell; an interactive
                 * shell may perform it, but shall do so only when
                 * the expansion would result in one word."
                 */
                ctx->pending_redirect->rd_filename = xstrdup(word->data);
                /* Cater for >\file case:
                 * >\a creates file a; >\\a, >"\a", >"\\a" create file \a
                 * Same with heredocs:
                 * for <<\H delim is H; <<\\H, <<"\H", <<"\\H" - \H
                 */
                if (ctx->pending_redirect->rd_type == REDIRECT_HEREDOC) {
                        unbackslash(ctx->pending_redirect->rd_filename);
                        /* Is it <<"HEREDOC"? */
                        if (word->has_quoted_part) {
                                ctx->pending_redirect->rd_dup |= HEREDOC_QUOTED;
                        }
                }
                debug_printf_parse("word stored in rd_filename: '%s'\n", word->data);
                ctx->pending_redirect = NULL;
        } else {
#if HAS_KEYWORDS
# if ENABLE_HUSH_CASE
                if (ctx->ctx_dsemicolon
                 && strcmp(word->data, "esac") != 0 /* not "... pattern) cmd;; esac" */
                ) {
                        /* already done when ctx_dsemicolon was set to 1: */
                        /* ctx->ctx_res_w = RES_MATCH; */
                        ctx->ctx_dsemicolon = 0;
                } else
# endif
                if (!command->argv /* if it's the first word... */
# if ENABLE_HUSH_LOOPS
                 && ctx->ctx_res_w != RES_FOR /* ...not after FOR or IN */
                 && ctx->ctx_res_w != RES_IN
# endif
# if ENABLE_HUSH_CASE
                 && ctx->ctx_res_w != RES_CASE
# endif
                ) {
                        int reserved = reserved_word(word, ctx);
                        debug_printf_parse("checking for reserved-ness: %d\n", reserved);
                        if (reserved) {
                                o_reset_to_empty_unquoted(word);
                                debug_printf_parse("done_word return %d\n",
                                                (ctx->ctx_res_w == RES_SNTX));
                                return (ctx->ctx_res_w == RES_SNTX);
                        }
# if ENABLE_HUSH_BASH_COMPAT
                        if (strcmp(word->data, "[[") == 0) {
                                command->cmd_type = CMD_SINGLEWORD_NOGLOB;
                        }
                        /* fall through */
# endif
                }
#endif
                if (command->group) {
                        /* "{ echo foo; } echo bar" - bad */
                        syntax_error_at(word->data);
                        debug_printf_parse("done_word return 1: syntax error, "
                                        "groups and arglists don't mix\n");
                        return 1;
                }

                /* If this word wasn't an assignment, next ones definitely
                 * can't be assignments. Even if they look like ones. */
                if (word->o_assignment != DEFINITELY_ASSIGNMENT
                 && word->o_assignment != WORD_IS_KEYWORD
                ) {
                        word->o_assignment = NOT_ASSIGNMENT;
                } else {
                        if (word->o_assignment == DEFINITELY_ASSIGNMENT) {
                                command->assignment_cnt++;
                                debug_printf_parse("++assignment_cnt=%d\n", command->assignment_cnt);
                        }
                        debug_printf_parse("word->o_assignment was:'%s'\n", assignment_flag[word->o_assignment]);
                        word->o_assignment = MAYBE_ASSIGNMENT;
                }
                debug_printf_parse("word->o_assignment='%s'\n", assignment_flag[word->o_assignment]);

                if (word->has_quoted_part
                 /* optimization: and if it's ("" or '') or ($v... or `cmd`...): */
                 && (word->data[0] == '\0' || word->data[0] == SPECIAL_VAR_SYMBOL)
                 /* (otherwise it's known to be not empty and is already safe) */
                ) {
                        /* exclude "$@" - it can expand to no word despite "" */
                        char *p = word->data;
                        while (p[0] == SPECIAL_VAR_SYMBOL
                            && (p[1] & 0x7f) == '@'
                            && p[2] == SPECIAL_VAR_SYMBOL
                        ) {
                                p += 3;
                        }
                }
                command->argv = add_string_to_strings(command->argv, xstrdup(word->data));
                debug_print_strings("word appended to argv", command->argv);
        }

#if ENABLE_HUSH_LOOPS
        if (ctx->ctx_res_w == RES_FOR) {
                if (word->has_quoted_part
                 || !is_well_formed_var_name(command->argv[0], '\0')
                ) {
                        /* bash says just "not a valid identifier" */
                        syntax_error("not a valid identifier in for");
                        return 1;
                }
                /* Force FOR to have just one word (variable name) */
                /* NB: basically, this makes hush see "for v in ..."
                 * syntax as if it is "for v; in ...". FOR and IN become
                 * two pipe structs in parse tree. */
                done_pipe(ctx, PIPE_SEQ);
        }
#endif
#if ENABLE_HUSH_CASE
        /* Force CASE to have just one word */
        if (ctx->ctx_res_w == RES_CASE) {
                done_pipe(ctx, PIPE_SEQ);
        }
#endif

        o_reset_to_empty_unquoted(word);

        debug_printf_parse("done_word return 0\n");
        return 0;
}


/* Peek ahead in the input to find out if we have a "&n" construct,
 * as in "2>&1", that represents duplicating a file descriptor.
 * Return:
 * REDIRFD_CLOSE if >&- "close fd" construct is seen,
 * REDIRFD_SYNTAX_ERR if syntax error,
 * REDIRFD_TO_FILE if no & was seen,
 * or the number found.
 */
#if BB_MMU
#define parse_redir_right_fd(as_string, input) \
        parse_redir_right_fd(input)
#endif
static int parse_redir_right_fd(o_string *as_string, struct in_str *input)
{
        int ch, d, ok;

        ch = i_peek(input);
        if (ch != '&')
                return REDIRFD_TO_FILE;

        ch = i_getch(input);  /* get the & */
        nommu_addchr(as_string, ch);
        ch = i_peek(input);
        if (ch == '-') {
                ch = i_getch(input);
                nommu_addchr(as_string, ch);
                return REDIRFD_CLOSE;
        }
        d = 0;
        ok = 0;
        while (ch != EOF && isdigit(ch)) {
                d = d*10 + (ch-'0');
                ok = 1;
                ch = i_getch(input);
                nommu_addchr(as_string, ch);
                ch = i_peek(input);
        }
        if (ok) return d;

//TODO: this is the place to catch ">&file" bashism (redirect both fd 1 and 2)

        bb_error_msg("ambiguous redirect");
        return REDIRFD_SYNTAX_ERR;
}

/* Return code is 0 normal, 1 if a syntax error is detected
 */
static int parse_redirect(struct parse_context *ctx,
                int fd,
                redir_type style,
                struct in_str *input)
{
        struct command *command = ctx->command;
        struct redir_struct *redir;
        struct redir_struct **redirp;
        int dup_num;

        dup_num = REDIRFD_TO_FILE;
        if (style != REDIRECT_HEREDOC) {
                /* Check for a '>&1' type redirect */
                dup_num = parse_redir_right_fd(&ctx->as_string, input);
                if (dup_num == REDIRFD_SYNTAX_ERR)
                        return 1;
        } else {
                int ch = i_peek(input);
                dup_num = (ch == '-'); /* HEREDOC_SKIPTABS bit is 1 */
                if (dup_num) { /* <<-... */
                        ch = i_getch(input);
                        nommu_addchr(&ctx->as_string, ch);
                        ch = i_peek(input);
                }
        }

        if (style == REDIRECT_OVERWRITE && dup_num == REDIRFD_TO_FILE) {
                int ch = i_peek(input);
                if (ch == '|') {
                        /* >|FILE redirect ("clobbering" >).
                         * Since we do not support "set -o noclobber" yet,
                         * >| and > are the same for now. Just eat |.
                         */
                        ch = i_getch(input);
                        nommu_addchr(&ctx->as_string, ch);
                }
        }

        /* Create a new redir_struct and append it to the linked list */
        redirp = &command->redirects;
        while ((redir = *redirp) != NULL) {
                redirp = &(redir->next);
        }
        *redirp = redir = xzalloc(sizeof(*redir));
        /* redir->next = NULL; */
        /* redir->rd_filename = NULL; */
        redir->rd_type = style;
        redir->rd_fd = (fd == -1) ? redir_table[style].default_fd : fd;

        debug_printf_parse("redirect type %d %s\n", redir->rd_fd,
                                redir_table[style].descrip);

        redir->rd_dup = dup_num;
        if (style != REDIRECT_HEREDOC && dup_num != REDIRFD_TO_FILE) {
                /* Erik had a check here that the file descriptor in question
                 * is legit; I postpone that to "run time"
                 * A "-" representation of "close me" shows up as a -3 here */
                debug_printf_parse("duplicating redirect '%d>&%d'\n",
                                redir->rd_fd, redir->rd_dup);
        } else {
#if 0           /* Instead we emit error message at run time */
                if (ctx->pending_redirect) {
                        /* For example, "cmd > <file" */
                        die_if_script("syntax error: %s", "invalid redirect");
                }
#endif
                /* Set ctx->pending_redirect, so we know what to do at the
                 * end of the next parsed word. */
                ctx->pending_redirect = redir;
        }
        return 0;
}

/* If a redirect is immediately preceded by a number, that number is
 * supposed to tell which file descriptor to redirect.  This routine
 * looks for such preceding numbers.  In an ideal world this routine
 * needs to handle all the following classes of redirects...
 *     echo 2>foo     # redirects fd  2 to file "foo", nothing passed to echo
 *     echo 49>foo    # redirects fd 49 to file "foo", nothing passed to echo
 *     echo -2>foo    # redirects fd  1 to file "foo",    "-2" passed to echo
 *     echo 49x>foo   # redirects fd  1 to file "foo",   "49x" passed to echo
 *
 * http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html
 * "2.7 Redirection
 * ... If n is quoted, the number shall not be recognized as part of
 * the redirection expression. For example:
 * echo \2>a
 * writes the character 2 into file a"
 * We are getting it right by setting ->has_quoted_part on any \<char>
 *
 * A -1 return means no valid number was found,
 * the caller should use the appropriate default for this redirection.
 */
static int redirect_opt_num(o_string *o)
{
        int num;

        if (o->data == NULL)
                return -1;
        num = bb_strtou(o->data, NULL, 10);
        if (errno || num < 0)
                return -1;
        o_reset_to_empty_unquoted(o);
        return num;
}

#if BB_MMU
#define fetch_till_str(as_string, input, word, skip_tabs) \
        fetch_till_str(input, word, skip_tabs)
#endif
static char *fetch_till_str(o_string *as_string,
                struct in_str *input,
                const char *word,
                int heredoc_flags)
{
        o_string heredoc = NULL_O_STRING;
        unsigned past_EOL;
        int prev = 0; /* not \ */
        int ch;

        goto jump_in;

        while (1) {
                ch = i_getch(input);
                if (ch != EOF)
                        nommu_addchr(as_string, ch);
                if ((ch == '\n' || ch == EOF)
                 && ((heredoc_flags & HEREDOC_QUOTED) || prev != '\\')
                ) {
                        if (strcmp(heredoc.data + past_EOL, word) == 0) {
                                heredoc.data[past_EOL] = '\0';
                                debug_printf_parse("parsed heredoc '%s'\n", heredoc.data);
                                return heredoc.data;
                        }
                        while (ch == '\n') {
                                o_addchr(&heredoc, ch);
                                prev = ch;
 jump_in:
                                past_EOL = heredoc.length;
                                do {
                                        ch = i_getch(input);
                                        if (ch != EOF)
                                                nommu_addchr(as_string, ch);
                                } while ((heredoc_flags & HEREDOC_SKIPTABS) && ch == '\t');
                        }
                }
                if (ch == EOF) {
                        o_free_unsafe(&heredoc);
                        return NULL;
                }
                o_addchr(&heredoc, ch);
                nommu_addchr(as_string, ch);
                if (prev == '\\' && ch == '\\')
                        /* Correctly handle foo\\<eol> (not a line cont.) */
                        prev = 0; /* not \ */
                else
                        prev = ch;
        }
}

/* Look at entire parse tree for not-yet-loaded REDIRECT_HEREDOCs
 * and load them all. There should be exactly heredoc_cnt of them.
 */
static int fetch_heredocs(int heredoc_cnt, struct parse_context *ctx, struct in_str *input)
{
        struct pipe *pi = ctx->list_head;

        while (pi && heredoc_cnt) {
                int i;
                struct command *cmd = pi->cmds;

                debug_printf_parse("fetch_heredocs: num_cmds:%d cmd argv0:'%s'\n",
                                pi->num_cmds,
                                cmd->argv ? cmd->argv[0] : "NONE");
                for (i = 0; i < pi->num_cmds; i++) {
                        struct redir_struct *redir = cmd->redirects;

                        debug_printf_parse("fetch_heredocs: %d cmd argv0:'%s'\n",
                                        i, cmd->argv ? cmd->argv[0] : "NONE");
                        while (redir) {
                                if (redir->rd_type == REDIRECT_HEREDOC) {
                                        char *p;

                                        redir->rd_type = REDIRECT_HEREDOC2;
                                        /* redir->rd_dup is (ab)used to indicate <<- */
                                        p = fetch_till_str(&ctx->as_string, input,
                                                        redir->rd_filename, redir->rd_dup);
                                        if (!p) {
                                                syntax_error("unexpected EOF in here document");
                                                return 1;
                                        }
                                        free(redir->rd_filename);
                                        redir->rd_filename = p;
                                        heredoc_cnt--;
                                }
                                redir = redir->next;
                        }
                        cmd++;
                }
                pi = pi->next;
        }
#if 0
        /* Should be 0. If it isn't, it's a parse error */
        if (heredoc_cnt)
                bb_error_msg_and_die("heredoc BUG 2");
#endif
        return 0;
}


static int run_list(struct pipe *pi);
#if BB_MMU
#define parse_stream(pstring, input, end_trigger) \
        parse_stream(input, end_trigger)
#endif
static struct pipe *parse_stream(char **pstring,
                struct in_str *input,
                int end_trigger);


#if !ENABLE_HUSH_FUNCTIONS
#define parse_group(dest, ctx, input, ch) \
        parse_group(ctx, input, ch)
#endif
static int parse_group(o_string *dest, struct parse_context *ctx,
        struct in_str *input, int ch)
{
        /* dest contains characters seen prior to ( or {.
         * Typically it's empty, but for function defs,
         * it contains function name (without '()'). */
        struct pipe *pipe_list;
        int endch;
        struct command *command = ctx->command;

        debug_printf_parse("parse_group entered\n");
#if ENABLE_HUSH_FUNCTIONS
        if (ch == '(' && !dest->has_quoted_part) {
                if (dest->length)
                        if (done_word(dest, ctx))
                                return 1;
                if (!command->argv)
                        goto skip; /* (... */
                if (command->argv[1]) { /* word word ... (... */
                        syntax_error_unexpected_ch('(');
                        return 1;
                }
                /* it is "word(..." or "word (..." */
                do
                        ch = i_getch(input);
                while (ch == ' ' || ch == '\t');
                if (ch != ')') {
                        syntax_error_unexpected_ch(ch);
                        return 1;
                }
                nommu_addchr(&ctx->as_string, ch);
                do
                        ch = i_getch(input);
                while (ch == ' ' || ch == '\t' || ch == '\n');
                if (ch != '{') {
                        syntax_error_unexpected_ch(ch);
                        return 1;
                }
                nommu_addchr(&ctx->as_string, ch);
                command->cmd_type = CMD_FUNCDEF;
                goto skip;
        }
#endif

#if 0 /* Prevented by caller */
        if (command->argv /* word [word]{... */
         || dest->length /* word{... */
         || dest->has_quoted_part /* ""{... */
        ) {
                syntax_error(NULL);
                debug_printf_parse("parse_group return 1: "
                        "syntax error, groups and arglists don't mix\n");
                return 1;
        }
#endif

#if ENABLE_HUSH_FUNCTIONS
 skip:
#endif
        endch = '}';
        if (ch == '(') {
                endch = ')';
                command->cmd_type = CMD_SUBSHELL;
        } else {
                /* bash does not allow "{echo...", requires whitespace */
                ch = i_peek(input);
                if (ch != ' ' && ch != '\t' && ch != '\n'
                 && ch != '('   /* but "{(..." is allowed (without whitespace) */
                ) {
                        syntax_error_unexpected_ch(ch);
                        return 1;
                }
                if (ch != '(') {
                        ch = i_getch(input);
                        nommu_addchr(&ctx->as_string, ch);
                }
        }

        {
#if BB_MMU
# define as_string NULL
#else
                char *as_string = NULL;
#endif
                pipe_list = parse_stream(&as_string, input, endch);
#if !BB_MMU
                if (as_string)
                        o_addstr(&ctx->as_string, as_string);
#endif
                /* empty ()/{} or parse error? */
                if (!pipe_list || pipe_list == ERR_PTR) {
                        /* parse_stream already emitted error msg */
                        if (!BB_MMU)
                                free(as_string);
                        debug_printf_parse("parse_group return 1: "
                                "parse_stream returned %p\n", pipe_list);
                        return 1;
                }
                command->group = pipe_list;
#if !BB_MMU
                as_string[strlen(as_string) - 1] = '\0'; /* plink ')' or '}' */
                command->group_as_string = as_string;
                debug_printf_parse("end of group, remembering as:'%s'\n",
                                command->group_as_string);
#endif
#undef as_string
        }
        debug_printf_parse("parse_group return 0\n");
        return 0;
        /* command remains "open", available for possible redirects */
}

static int i_getch_and_eat_bkslash_nl(struct in_str *input)
{
        for (;;) {
                int ch, ch2;

                ch = i_getch(input);
                if (ch != '\\')
                        return ch;
                ch2 = i_peek(input);
                if (ch2 != '\n')
                        return ch;
                /* backslash+newline, skip it */
                i_getch(input);
        }
}

static int i_peek_and_eat_bkslash_nl(struct in_str *input)
{
        for (;;) {
                int ch, ch2;

                ch = i_peek(input);
                if (ch != '\\')
                        return ch;
                ch2 = i_peek2(input);
                if (ch2 != '\n')
                        return ch;
                /* backslash+newline, skip it */