Zsh Mailing List Archive

Segmentation fault at exit with set -u and pipe
I have discovered a case where zsh will segfault at exit. Here is an
example that reproduces it more often than not:

set -u
trap 'sleep 1' EXIT
: | test $x

The trap line is not actually required but makes the issue easier to
reproduce. I have been able to reproduce this on both zsh 5.9 and latest
master (bffdbccda69683ce857dfad457e3209c0f00aa0c "51354: Fix markup in
man page version" at the time of this writing).

According to git bisect, this appears to be a regression caused by
commit e127ceaae87414588d4c839fc4cc04f02c2ed8c5 ("50149: Remove all
remaining =(...) files at shell exit"). Below is the report that ASAN
gives me on zsh 5.9. It appears that cleanfilelists frees memory that is
sometimes referenced later in the exit process.

$ zsh repr.zsh
repr.zsh:3: x: parameter not set
=================================================================
==4032127==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000dde0 at pc 0x558958e3cbf9 bp 0x7fff485bc8e0 sp 0x7fff485bc8d0
READ of size 8 at 0x60300000dde0 thread T0
    #0 0x558958e3cbf8 in getlinknode /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215
    #1 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1354
    #2 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
    #3 0x558958e25e97 in deletejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1440
    #4 0x558958e26e67 in printjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1284
    #5 0x558958e290bd in update_job /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:624
    #6 0x558958ed01bd in wait_for_processes /usr/src/debug/zsh/zsh-5.9/Src/signals.c:562
    #7 0x558958ecf3a4 in zhandler /usr/src/debug/zsh/zsh-5.9/Src/signals.c:649
    #8 0x7fcb150049ff  (/usr/lib/libc.so.6+0x389ff)
    #9 0x7fcb15004cb8 in sigsuspend (/usr/lib/libc.so.6+0x38cb8)
    #10 0x558958ecd5e7 in signal_suspend /usr/src/debug/zsh/zsh-5.9/Src/signals.c:393
    #11 0x558958e2a8e3 in zwaitjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1628
    #12 0x558958e2bc2f in waitonejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1678
    #13 0x558958e2bc2f in waitjobs /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1698
    #14 0x558958dd1ba5 in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1785
    #15 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
    #16 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
    #17 0x558958ed4b10 in dotrapargs /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1383
    #18 0x558958ece9ad in dotrap /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1489
    #19 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5887
    #20 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
    #21 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
    #22 0x558958d7023c in main main.c:93
    #23 0x7fcb14fef28f  (/usr/lib/libc.so.6+0x2328f)
    #24 0x7fcb14fef349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
    #25 0x558958d70824 in _start ../sysdeps/x86_64/start.S:115

0x60300000dde0 is located 0 bytes inside of 24-byte region [0x60300000dde0,0x60300000ddf8)
freed by thread T0 here:
    #0 0x7fcb153d9672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x558958e4fbdc in zfree /usr/src/debug/zsh/zsh-5.9/Src/mem.c:1871
    #2 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1365
    #3 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
    #4 0x558958e25dfc in cleanfilelists /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1378
    #5 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5863
    #6 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
    #7 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
    #8 0x558958d7023c in main main.c:93
    #9 0x7fcb14fef28f  (/usr/lib/libc.so.6+0x2328f)

previously allocated by thread T0 here:
    #0 0x7fcb153daa89 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x558958e4e9c0 in zalloc /usr/src/debug/zsh/zsh-5.9/Src/mem.c:966
    #2 0x558958e3c6a1 in znewlinklist /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:120
    #3 0x558958e2588c in addfilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1307
    #4 0x558958dcf83f in execpline2 /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1973
    #5 0x558958dd034e in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1689
    #6 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
    #7 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
    #8 0x558958e130cc in loop /usr/src/debug/zsh/zsh-5.9/Src/init.c:212
    #9 0x558958e1eea8 in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1794
    #10 0x558958d7023c in main main.c:93
    #11 0x7fcb14fef28f  (/usr/lib/libc.so.6+0x2328f)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215 in getlinknode
Shadow bytes around the buggy address:
  0x0c067fff9b60: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff9b70: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fff9b80: 00 00 01 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c067fff9b90: fa fa 00 00 01 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff9ba0: 01 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x0c067fff9bb0: 00 00 00 fa fa fa fd fd fd fa fa fa[fd]fd fd fa
  0x0c067fff9bc0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff9bd0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4032127==ABORTING


Thanks,
Cebtenzzre
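
An added illustration, written for this archive page and not zsh's own code nor the fix the project applied: a small C model of the ownership hazard the ASAN trace shows, in which an exit-time cleanfilelists frees each job's list of =(...) files and a later deletejob (here, from the EXIT trap) walks the same pointer. The function names mirror the trace; the Job and FileNode structures and the demo scenario are simplified assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Model of the hazard in the report (not zsh's code): an exit-time sweep
 * frees each job's list of =(...) temp files, then a job reaped later from
 * the EXIT trap walks the same pointer. Clearing it when freeing fixes that. */
typedef struct FileNode { struct FileNode *next; char *name; } FileNode;
typedef struct Job { FileNode *filelist; } Job;

static void addfilelist(Job *j, const char *name) {
    FileNode *n = malloc(sizeof *n);
    n->name = malloc(strlen(name) + 1);
    strcpy(n->name, name);
    n->next = j->filelist;
    j->filelist = n;
}

/* Removes every entry and returns how many. Takes the owner's pointer by
 * address so it can be cleared; an already swept (NULL) list is a no-op. */
static int deletefilelist(FileNode **list) {
    int count = 0;
    for (FileNode *n = *list; n; count++) {
        FileNode *next = n->next;
        free(n->name);  /* the real code would unlink(n->name) first */
        free(n);
        n = next;
    }
    *list = NULL;
    return count;
}

/* Exit-time sweep over the whole job table. */
static int cleanfilelists(Job *jobs, int njobs) {
    int total = 0;
    for (int i = 0; i < njobs; i++)
        total += deletefilelist(&jobs[i].filelist);
    return total;
}

/* Job deletion after the sweep: a no-op instead of a use-after-free. */
static int deletejob(Job *j) { return deletefilelist(&j->filelist); }

/* Constructed scenario: sweep everything, then a late deletejob on job 0. */
static int demo(void) {
    Job jobs[2] = {{NULL}, {NULL}};
    addfilelist(&jobs[0], "/tmp/zsh-a");
    addfilelist(&jobs[0], "/tmp/zsh-b");
    addfilelist(&jobs[1], "/tmp/zsh-c");
    int swept = cleanfilelists(jobs, 2); /* 3 */
    int late = deletejob(&jobs[0]);      /* 0 */
    return swept * 10 + late;            /* 30 */
}
```

Without the `*list = NULL` line the second deletefilelist call would read the freed nodes, which is exactly the heap-use-after-free the trace reports in getlinknode.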