Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Probabilistic crash on zsh 5.9 on x86_64



(Please excuse illiterate response, I'm away but should be
back with a real computer in a day or so.)

This indicates something is wrong with the reference counting:
it shouldn't be possible for a shell code chunk to be visible
to the user without it being marked as having at least one reference.

pws


On 11 April 2023 17:14:15 BST, "Jun. T" <takimoto-j@xxxxxxxxxxxxxxxxx> wrote:

2023/04/09 6:36, Mikael Magnusson <mikachu@xxxxxxxxx> wrlte:

It seems to happen reliably for me every time, with these messages,
% MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
1: parse.c:2817: Heap EPROG has nref > 0
free(): invalid pointer
zsh: abort MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'

It seems memory pointed to by 'Eprog p' (in function freeeprog(),
parse.c:2817) is already freed.

If TRAPEXIT() is called directly, execshfunc(shf, ..) is called
with shf pointing to the node "TRAPEXIT" in shfunctab.
Then it calls

doshfunc(shf, ..)
starttrapscope() // exec.c:5821
unsettrap() // signals.c:1079
shfunctab->freenode(shf) // signals.c:982

this means shf is freed by freeshfuncnode(shf). But doshfunc()
continues to use shf (=shfunc in this function), and calls
runshfunc(prog=shf->funcdef, ..) // exec.c:5963
This leads to crash, of course.

The simplest thing we can do would be just to prohibit
users/scripts from calling TRAPEXIT() directly. I guess this
can be done by, for example, rejecting (with error message)
shf->node.nam=="TRAPEXIT" at the top of execshfunc(shf,..).

But then users can't test TRAPEXIT manually.



Messages sorted by: Reverse Date, Date, Thread, Author