On 11 April 2023 17:14:15 BST, "Jun. T" <takimoto-j@xxxxxxxxxxxxxxxxx> wrote:
2023/04/09 6:36, Mikael Magnusson <mikachu@xxxxxxxxx> wrlte:
It seems to happen reliably for me every time, with these messages,
% MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
1: parse.c:2817: Heap EPROG has nref > 0
free(): invalid pointer
zsh: abort MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
It seems memory pointed to by 'Eprog p' (in function freeeprog(),
parse.c:2817) is already freed.
If TRAPEXIT() is called directly, execshfunc(shf, ..) is called
with shf pointing to the node "TRAPEXIT" in shfunctab.
Then it calls
doshfunc(shf, ..)
starttrapscope() // exec.c:5821
unsettrap() // signals.c:1079
shfunctab->freenode(shf) // signals.c:982
this means shf is freed by freeshfuncnode(shf). But doshfunc()
continues to use shf (=shfunc in this function), and calls
runshfunc(prog=shf->funcdef, ..) // exec.c:5963
This leads to crash, of course.
The simplest thing we can do would be just to prohibit
users/scripts from calling TRAPEXIT() directly. I guess this
can be done by, for example, rejecting (with error message)
shf->node.nam=="TRAPEXIT" at the top of execshfunc(shf,..).
But then users can't test TRAPEXIT manually.