Zsh Mailing List Archive
Re: Probabilistic crash on zsh 5.9 on x86_64
- X-seq: zsh-workers 51642
- From: "Jun. T" <takimoto-j@xxxxxxxxxxxxxxxxx>
- To: zsh-workers@xxxxxxx
- Subject: Re: Probabilistic crash on zsh 5.9 on x86_64
- Date: Wed, 12 Apr 2023 01:14:15 +0900
- Archived-at: <https://zsh.org/workers/51642>
- In-reply-to: <CAHYJk3QaY_ejw2gCw5d1BzyvB4W3EyU7cb1TWtZpRhx=QSpw+w@mail.gmail.com>
- List-id: <zsh-workers.zsh.org>
- References: <tBWb5KtvEqjlaLFHtCcVrAmwPrj7aqaF50nYi_P69Xa6TiBh0ybu3JumnENwN5dGJJHi-unfO4E8igE27tXgSefdlNpUmOoAZ5fyBKSv2SU=@proton.me> <CAHYJk3QaY_ejw2gCw5d1BzyvB4W3EyU7cb1TWtZpRhx=QSpw+w@mail.gmail.com>
> 2023/04/09 6:36, Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
> It seems to happen reliably for me every time, with these messages,
> % MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
> 1: parse.c:2817: Heap EPROG has nref > 0
> free(): invalid pointer
> zsh: abort MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
It seems memory pointed to by 'Eprog p' (in function freeeprog(),
parse.c:2817) is already freed.

If TRAPEXIT() is called directly, execshfunc(shf, ..) is called
with shf pointing to the node "TRAPEXIT" in shfunctab.
Then it calls

    doshfunc(shf, ..)
    starttrapscope()            // exec.c:5821
    unsettrap()                 // signals.c:1079
    shfunctab->freenode(shf)    // signals.c:982

this means shf is freed by freeshfuncnode(shf). But doshfunc()
continues to use shf (=shfunc in this function), and calls

    runshfunc(prog=shf->funcdef, ..)    // exec.c:5963

This leads to a crash, of course.

The simplest thing we can do would be just to prohibit
users/scripts from calling TRAPEXIT() directly. I guess this
can be done by, for example, rejecting (with error message)
shf->node.nam=="TRAPEXIT" at the top of execshfunc(shf,..).
But then users can't test TRAPEXIT manually.
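
The lifetime problem described in the message above, reduced to a small C model. This is an added example, not zsh source and not code from the thread: every type and function name in it is hypothetical. call_guarded() follows the guard suggested in the message; call_pinned() is an alternative that the thread does not propose, included as an assumption to show how the body can outlive its table node.

```c
/* Simplified model of the bug in the thread; not zsh source, all names hypothetical. */
#include <stdlib.h>
#include <string.h>

struct prog { int nref; int body; };                 /* stands in for Eprog */
struct func { const char *name; struct prog *def; }; /* a function-table node */
static struct func *table;   /* one-slot "function table" */
static int progs_freed;      /* counts released bodies, for checking */

static void prog_unref(struct prog *p) { if (--p->nref == 0) { free(p); progs_freed++; } }

static struct func *define_func(const char *name, int body) {
    struct prog *p = malloc(sizeof *p);
    struct func *f = malloc(sizeof *f);
    if (!p || !f) abort();
    p->nref = 1; p->body = body;
    f->name = name; f->def = p;
    return table = f;
}

/* Entering a trap scope drops the EXIT trap and frees its node. */
static void start_trap_scope(void) {
    if (table && strcmp(table->name, "TRAPEXIT") == 0) {
        prog_unref(table->def);
        free(table);
        table = NULL;
    }
}

/* Guard from the message: refuse a direct call before anything is freed. */
static int call_guarded(struct func *f) {
    if (strcmp(f->name, "TRAPEXIT") == 0) return -1;
    start_trap_scope();
    return f->def->body;
}

/* Alternative (assumption, not from the thread): pin the body, never touch f afterwards. */
static int call_pinned(struct func *f) {
    struct prog *p = f->def; p->nref++;
    start_trap_scope();          /* f may be dangling from here on */
    int result = p->body;
    prog_unref(p);
    return result;
}

int main(void) {
    int refused = call_guarded(define_func("TRAPEXIT", 7)); /* node kept */
    int ran = call_pinned(table);            /* node freed, body survives */
    return !(refused == -1 && ran == 7 && progs_freed == 1);
}
```

Building it with -fsanitize=address confirms that neither path reads the node after start_trap_scope() has freed it.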