Attached is a mechanically-reduced test case which I hope still reflects the bug I'm encountering, some kind of malloc/heap corruption. I'm pretty unclear what the root cause might be, it seems timing and memory dependent so I can't find a way to reduce the example much further, but the attached version crashes pretty reliably for me for a few of the default 100 subshells, and shows the usual variety of malloc errors, exiting usually with SIGABRT but sometimes SIGSEGV. Running on Linux 6.12.38+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.38-1 (2025-07-16) x86_64 GNU/Linux, using both Debian's installed zsh:amd64 5.9-8+b14, but also current git master in both release and debug build. % crash.zsh Fatal glibc error: malloc.c:2601 (sysmalloc): assertion failed: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0) exit code: 134 malloc(): unsorted double linked list corrupted exit code: 134 Fatal glibc error: malloc.c:2601 (sysmalloc): assertion failed: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0) exit code: 134 Fatal glibc error: malloc.c:2601 (sysmalloc): assertion failed: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0) exit code: 134
Attachment:
crash.zsh
Description: Binary data