Zsh Mailing List Archive

Re: Segfault with zsh 5.2



Peter Stephenson <p.stephenson@xxxxxxxxxxx> writes:

> On Mon, 7 Dec 2015 14:01:57 +0100
> Christian Neukirchen <chneukirchen@xxxxxxxxx> wrote:
>>   zle-line-init() {
>>     BUFFER="$ICMD"
>>     zle accept-line
>>     zle -D zle-line-init
>>   }
>
> I couldn't get your crash to happen easily, and the crash
> actually happened in a normal alloc high up in the execution tree so
> doesn't give us much direct help apart from pointing at memory
> management.  (The call was protected by signal queueing, by the way.)
>
> However, there's definitely something very dodgy in memory management
> for the code above.  It's always been this way, so I think the fact it's
> just shown up is an accident.  I couldn't get valgrind to show it up,
> for some reason, but the evidence from gdb is incontrovertible.

I have one valgrind run; I shall test your patch soon:

juno ~% valgrind zsh -is eval sleep 0 0 0 0        
==1389== Memcheck, a memory error detector
==1389== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1389== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==1389== Command: zsh -is eval sleep 0 0 0 0
==1389== 
==1397== 
==1397== HEAP SUMMARY:
==1397==     in use at exit: 527,943 bytes in 10,860 blocks
==1397==   total heap usage: 16,675 allocs, 5,815 frees, 3,817,997 bytes allocated
==1397== 
==1397== LEAK SUMMARY:
==1397==    definitely lost: 0 bytes in 0 blocks
==1397==    indirectly lost: 0 bytes in 0 blocks
==1397==      possibly lost: 0 bytes in 0 blocks
==1397==    still reachable: 527,943 bytes in 10,860 blocks
==1397==         suppressed: 0 bytes in 0 blocks
==1397== Rerun with --leak-check=full to see details of leaked memory
==1397== 
==1397== For counts of detected and suppressed errors, rerun with: -v
==1397== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==1407==                                                                        
==1407== HEAP SUMMARY:
==1407==     in use at exit: 1,891,117 bytes in 47,441 blocks
==1407==   total heap usage: 56,449 allocs, 9,008 frees, 6,313,464 bytes allocated
==1407== 
==1407== LEAK SUMMARY:
==1407==    definitely lost: 0 bytes in 0 blocks
==1407==    indirectly lost: 0 bytes in 0 blocks
==1407==      possibly lost: 0 bytes in 0 blocks
==1407==    still reachable: 1,891,117 bytes in 47,441 blocks
==1407==         suppressed: 0 bytes in 0 blocks
==1407== Rerun with --leak-check=full to see details of leaked memory
==1407== 
==1407== For counts of detected and suppressed errors, rerun with: -v
==1407== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==1389== Invalid read of size 4
==1389==    at 0x6187FD9: execzlefunc (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x61A0C20: zlecallhook (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x6189097: zleread (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x1550A9: zleentry (in /usr/bin/zsh)
==1389==    by 0x156648: ingetc.part.1 (in /usr/bin/zsh)
==1389==    by 0x14E22C: ihgetc (in /usr/bin/zsh)
==1389==    by 0x16039E: zshlex.part.1 (in /usr/bin/zsh)
==1389==    by 0x17EB6E: parse_event (in /usr/bin/zsh)
==1389==    by 0x151C18: loop (in /usr/bin/zsh)
==1389==    by 0x155753: zsh_main (in /usr/bin/zsh)
==1389==    by 0x57D167F: (below main) (libc-start.c:289)
==1389==  Address 0x6edca70 is 0 bytes inside a block of size 40 free'd
==1389==    at 0x4C2AE10: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1389==    by 0x6196D67: unbindwidget (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x6196DB4: bin_zle_del (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x12CB14: execbuiltin (in /usr/bin/zsh)
==1389==    by 0x13ADEC: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==    by 0x13D5F8: execlist (in /usr/bin/zsh)
==1389==    by 0x13D97C: execode (in /usr/bin/zsh)
==1389==    by 0x13E45A: runshfunc (in /usr/bin/zsh)
==1389==    by 0x13EDCF: doshfunc (in /usr/bin/zsh)
==1389==    by 0x6187FB1: execzlefunc (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==  Block was alloc'd at
==1389==    at 0x4C29BA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1389==    by 0x167C7B: zalloc (in /usr/bin/zsh)
==1389==    by 0x6197413: bin_zle_new (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x12CB14: execbuiltin (in /usr/bin/zsh)
==1389==    by 0x13ADEC: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==    by 0x13D5F8: execlist (in /usr/bin/zsh)
==1389==    by 0x162AB1: execif (in /usr/bin/zsh)
==1389==    by 0x139E5C: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389== 
==1389== Invalid write of size 4
==1389==    at 0x6187FEA: execzlefunc (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x61A0C20: zlecallhook (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x6189097: zleread (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x1550A9: zleentry (in /usr/bin/zsh)
==1389==    by 0x156648: ingetc.part.1 (in /usr/bin/zsh)
==1389==    by 0x14E22C: ihgetc (in /usr/bin/zsh)
==1389==    by 0x16039E: zshlex.part.1 (in /usr/bin/zsh)
==1389==    by 0x17EB6E: parse_event (in /usr/bin/zsh)
==1389==    by 0x151C18: loop (in /usr/bin/zsh)
==1389==    by 0x155753: zsh_main (in /usr/bin/zsh)
==1389==    by 0x57D167F: (below main) (libc-start.c:289)
==1389==  Address 0x6edca70 is 0 bytes inside a block of size 40 free'd
==1389==    at 0x4C2AE10: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1389==    by 0x6196D67: unbindwidget (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x6196DB4: bin_zle_del (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x12CB14: execbuiltin (in /usr/bin/zsh)
==1389==    by 0x13ADEC: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==    by 0x13D5F8: execlist (in /usr/bin/zsh)
==1389==    by 0x13D97C: execode (in /usr/bin/zsh)
==1389==    by 0x13E45A: runshfunc (in /usr/bin/zsh)
==1389==    by 0x13EDCF: doshfunc (in /usr/bin/zsh)
==1389==    by 0x6187FB1: execzlefunc (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==  Block was alloc'd at
==1389==    at 0x4C29BA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1389==    by 0x167C7B: zalloc (in /usr/bin/zsh)
==1389==    by 0x6197413: bin_zle_new (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x12CB14: execbuiltin (in /usr/bin/zsh)
==1389==    by 0x13ADEC: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==    by 0x13D5F8: execlist (in /usr/bin/zsh)
==1389==    by 0x162AB1: execif (in /usr/bin/zsh)
==1389==    by 0x139E5C: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389== 
sleep 0 0 0 0
==1410==                                                                        
==1410== HEAP SUMMARY:
==1410==     in use at exit: 1,895,679 bytes in 47,458 blocks
==1410==   total heap usage: 56,713 allocs, 9,255 frees, 6,340,861 bytes allocated
==1410== 
==1410== LEAK SUMMARY:
==1410==    definitely lost: 0 bytes in 0 blocks
==1410==    indirectly lost: 0 bytes in 0 blocks
==1410==      possibly lost: 0 bytes in 0 blocks
==1410==    still reachable: 1,895,679 bytes in 47,458 blocks
==1410==         suppressed: 0 bytes in 0 blocks
==1410== Rerun with --leak-check=full to see details of leaked memory
==1410== 
==1410== For counts of detected and suppressed errors, rerun with: -v
==1410== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)


-- 
Christian Neukirchen  <chneukirchen@xxxxxxxxx>  http://chneukirchen.org
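The valgrind trace above describes a widget block allocated in bin_zle_new, freed in unbindwidget while the widget's own function is still running under execzlefunc, and then read and written by execzlefunc. The following is an added illustration, not zsh's code: a hypothetical single-file model of that self-deleting-hook pattern, with the unsafe shape next to a hardened one that defers the free until the last executing caller has returned. All names and fields are invented for the demonstration.

```c
#include <stdlib.h>

/* Hypothetical widget record (not zsh's struct): a hook may delete its
 * own widget while it is still executing, as zle-line-init does above. */
typedef struct widget {
    int refs;     /* callers currently executing this widget */
    int deleted;  /* delete was requested while refs > 0 */
    int flags;    /* a field the caller touches after the hook returns */
    void (*fn)(struct widget *);
} Widget;

static int frees_done;  /* counts free() calls so the outcome is checkable */

Widget *widget_new(void (*fn)(Widget *)) {
    Widget *w = calloc(1, sizeof *w);
    if (w) w->fn = fn;
    return w;
}

/* Unsafe shape: free immediately, even when a caller is still inside w->fn.
 * A hook calling this on itself yields the invalid read/write shown above. */
void unbind_widget_unsafe(Widget *w) { free(w); frees_done++; }

void exec_widget_unsafe(Widget *w) {
    w->fn(w);        /* hook may free w here ...                         */
    w->flags |= 1;   /* ... so this touches a block that is already freed */
}

/* Hardened shape: if the widget is executing, only mark it; the last
 * caller to return performs the actual free. */
void unbind_widget_safe(Widget *w) {
    if (w->refs > 0) { w->deleted = 1; return; }
    free(w); frees_done++;
}

/* Returns 1 if the hook deleted its own widget during the call, else 0. */
int exec_widget_safe(Widget *w) {
    int deleted;
    w->refs++;
    w->fn(w);                        /* may call unbind_widget_safe(w) */
    if (!w->deleted) w->flags |= 1;  /* block is guaranteed alive here */
    deleted = w->deleted;
    if (--w->refs == 0 && deleted) { free(w); frees_done++; }
    return deleted;
}

/* Hook modelled on zle-line-init above: does its work, then unbinds itself. */
void self_deleting_hook(Widget *w) { unbind_widget_safe(w); }
void ordinary_hook(Widget *w) { (void)w; }

int frees_so_far(void) { return frees_done; }
```

Running the unsafe pair under valgrind reproduces the same class of report as the trace above (a write into a block freed from inside the callback); the safe pair frees exactly once, after the hook has returned.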


