From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-users-return-3358-mason-zsh=primenet.com.au@sunsite.auc.dk>
Received: (qmail 26165 invoked from network); 7 Aug 2000 16:20:01 -0000
Received: from sunsite.auc.dk (130.225.51.30)
  by ns1.primenet.com.au with SMTP; 7 Aug 2000 16:20:01 -0000
Received: (qmail 9697 invoked by alias); 7 Aug 2000 16:19:40 -0000
Mailing-List: contact zsh-users-help@sunsite.auc.dk; run by ezmlm
Precedence: bulk
X-No-Archive: yes
X-Seq: 3358
Received: (qmail 9688 invoked from network); 7 Aug 2000 16:19:37 -0000
From: "Bart Schaefer" <schaefer@candle.brasslantern.com>
Message-Id: <1000807161925.ZM26215@candle.brasslantern.com>
Date: Mon, 7 Aug 2000 16:19:25 +0000
In-Reply-To: <20000807162300.A3277@eggink4.rrz.uni-hamburg.de>
Comments: In reply to Bernd Eggink <eggink@uni-hamburg.de>
        "vared bug" (Aug  7,  4:23pm)
References: <20000807162300.A3277@eggink4.rrz.uni-hamburg.de>
X-Mailer: Z-Mail (5.0.0 30July97)
To: Bernd Eggink <eggink@uni-hamburg.de>, Zsh Users <zsh-users@sunsite.auc.dk>
Subject: Re: vared bug
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

On Aug 7,  4:23pm, Bernd Eggink wrote:
} Subject: vared bug
}
}     function f
}     {
}        read "dat?What: "
}        print -u2 "dat=$dat"
}     }
} 
}     print $ZSH_VERSION
}     P=aha
}     vared P
}     print "P=$P"
}     W=$(f)

This bug affects 3.0.8 as well.

What's happening is that vared invokes zleread(), which initializes shout
from SHTTY (shout was previously NULL).  The same thing happens if you use
just plain "read" -- e.g., replace "vared P" with "f" above -- so this is
not a problem with vared specifically.

Then $(f) goes through entersubsh(), which closes SHTTY, leaving shout
pointing at an invalid file descriptor.

You can see the same effect if you comment out "vared P" and then run that
script in an interactive shell with "source scriptname".

The question:  Is it intentional that entersubsh() leaves shout pointing
at an invalid file descriptor?  There are a number of places in the code
that blindly write to shout without testing whether it is NULL, so the
effect of close(SHTTY) is that those bits of code silently fail.  If we
assign shout = NULL in entersubsh(), those bits would dump core instead.

I suspect that it's OK to zero shout in entersubsh(), because if we'd
never passed through vared or read it would have been NULL anyway, at
least in a non-interactive shell.  The case I'm worried about is whether
entersubsh() from an interactive shell leaves other state unchanged (the
same way it left shout unchanged) that might permit some of those writes
to shout to occur.  Probably not, though.

Index: Src/exec.c
===================================================================
@@ -2503,6 +2503,7 @@
     if (!fake)
 	subsh = 1;
     if (SHTTY != -1) {
+	shout = NULL;
 	zclose(SHTTY);
 	SHTTY = -1;
     }

-- 
Bart Schaefer                                 Brass Lantern Enterprises
http://www.well.com/user/barts              http://www.brasslantern.com

Zsh: http://www.zsh.org | PHPerl Project: http://phperl.sourceforge.net