Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Zsh 5.9 segfault, likely due to unsafe signal handler



Hello,

I am using zsh 5.9 (ARM64) via Homebrew on macOS 13.1 and I ran into a segfault as I was exiting a manpage. Unfortunately I can't seem to reproduce it, but I'm attaching the crash log to this email.

I'm not very familiar with zsh's source but after a quick look, I noticed that `zhandler` calls `wait_for_processes`, which really doesn't seem to be async-signal-safe. For example it reads from the global variable `cmdoutpid` which is just a `pid_t` rather than a `volatile sig_atomic_t` or a lock-free atomic; since it's a regular, static, non-volatile, non-atomic variable, reading it from a signal handler could lead to a data race and other UB. It makes sense that this issue would be difficult to reproduce, and that it would appear more easily on Apple Silicon which has extremely out-of-order execution that tends to trigger latent memory bugs like this.

Happy New Year! Hope this helps.

Best,
Jacob Greenfield

Attachment: zsh-2023-01-02-074639.ips
Description: Binary data



Messages sorted by: Reverse Date, Date, Thread, Author