segfault on 4.3.10 when sourcing file in precmd()

segfault on 4.3.10 when sourcing file in precmd()

[Stephen Talley]

When I source a file in precmd(), zsh often segfaults.

I am able to reproduce this with a simple .zshrc, with no other
configuration:

    precmd () {
        . /tmp/foo
    }

The contents of /tmp/foo don't matter; zsh segfault even if /tmp/foo
is empty.  If /tmp/foo doesn't exist, no segfault occurs.

The core file stack traces show different points of failure:

core 'core.9246.zsh.22863' of 22863:    -zsh
 fedf8287 t_splay  (80ed740, 80e79cc, 80e93e0, fedf8121) + 31
 fedf8144 t_delete (80ed740, 0, 0, fedf7df2) + 34
 fedf7e3f realfree (80ed338, 0, 8047d58, fedf84b1) + 5e
 fedf84f7 cleanfree (0, a, 8047d68, fedf77f1) + 57
 fedf7876 _malloc_unlocked (400) + 96
 fedf77b0 malloc   (400, 70, 8047dc8, 0) + 38
 08098027 zalloc   (400, 0, 8047e08, 808fa85) + 27
 080a62f3 init_parse (80ccc90, 0, 8047e48, 808725f, 80ccc90, 0) + 3b
 080a64ee parse_event (80ccc90, 0, 8047e58, a, 80ccc90, 80ccca8) + 2e
 0808725f loop     (1, 0, 8047e88, 8089d27) + b7
 08089d3a zsh_main (1, 8047ebc, 8047ec4, feffb92c) + 1f2
 0805f61d _start   (1, 8047f54, 0, 8047f59, 8047f6c, 8047f7b) + 7d

core 'core.26147.zsh.17367' of 17367:   -zsh
 00000000 ???????? (80f42c0, fecf0770, 8047b68, fecd2383)
 fecd239c openkeymap (fecf0770, 80f4ec8, 100, fecd2531) + 28
 fecd2544 selectkeymap (fecf0770) + 24
 fecd5d96 zleread  (80e8634, 0, 3, 0) + 2f6
 fecd7a53 zle_main_entry (1, 8047c64, 8047cc8, fee4cd94) + 93
 08089a96 zleentry (1, 80e8634, 0, 3, 0, 0) + 86
 0808a0cc inputline (4d41e62e, 4d41e62b, 1f7f137f, a, 1, 0) + a0
 08089fbc ingetc   (1, 0, 8047d08, 8090199, 0, 80b4cec) + 90
 080814f9 ihgetc   (0, 80b4cec, 0, ffffffff, 0, 0) + d
 08090199 gettok   (1, 0, 8047d28, 80a64e9, 1, 0) + 21
 0808fa76 zshlex   (1, 0, 8047d58, 808725f, 80ccc90, 0) + 1a
 080a64e9 parse_event (80ccc90, 0, 8047d68, a, 80ccc90, 80ccca8) + 29
 0808725f loop     (1, 0, 8047d98, 8089d27) + b7
 08089d3a zsh_main (1, 8047dc8, 8047dd0, 8047dbc) + 1f2
 0805f61d _start   (1, 8047e78, 0, 8047e7d, 8047e89, 8047e98) + 7d

core 'core.26147.zsh.26844' of 26844:   /usr/sfw/bin/zsh
 fedf7e25 realfree (814a0d0, 0, 80458d8, fedf841b) + 44
 fedf8474 _free_unlocked (8144fa0) + 66
 fedf83e2 free     (8144fa0, 0, 18, 81502f4) + 3a
 080c4f03 freearray (8144d90, 80, 0, 0) + 1f
 080a3e66 arrsetfn (8145ae0, 81500f0, 1, 40) + 22
 080a329e assignaparam (811d042, 81500f0, 0, 8045a2c) + 3a6
 08073a75 addvars  (8045df0, 811cdf4, 0, 0) + 2cd
 08071596 execsimple (8045df0, 1802, 2, 0) + 92
 08071aed execlist (8045df0, 1, 0, 8093d61) + 4d9
 08093dfe execif   (8045df0, 0, 25b, 9) + 132
 08075ea5 execcmd  (8045df0, 0, 0, 2, 2, 0) + 20e1
 08071ea5 execpline (8045df0, 2e002, 2, 0) + 1b1
 08071a55 execlist (8045df0) + 441
 080714f6 execode  (811c8e8, 1, 0, 8078974) + 36
 08078983 runshfunc (811c8e8, fec9ca38, fed20258, 807843d) + c7
 0807869c doshfunc (811c040, 0, 1, 3c) + 30c
 080c15e2 callhookfunc (80d0cc4, 0, 1, 0) + 4a
 080c1844 preprompt (80ccc90, 0, 8046088, a, 80ccc90, 80ccca8) + 1a0
 0808721e loop     (1, 0, 80460b8, 8089d27) + 76
 08089d3a zsh_main (1, 80460f0, 80460f8, 80460ac) + 1f2
 0805f61d _start   (1, 80463d0, 0, 80f16ec, 804640a, 8120d5c) + 7d

Removing the sourcing line from precmd makes zsh behave as expected.

I have reproduced this on:

    zsh 4.3.2 (i386-pc-solaris2.9)
    zsh 4.3.10 (i386-pc-solaris2.11)

Pointers/workarounds appreciated.

Thanks,

Steve

Re: segfault on 4.3.10 when sourcing file in precmd()

[Bart Schaefer]

On Jan 27,  5:33pm, Stephen Talley wrote:
} Subject: segfault on 4.3.10 when sourcing file in precmd()
}
} When I source a file in precmd(), zsh often segfaults.

Fixed about a year ago:

2010-01-04  Peter Stephenson  <pws@csr.com>

        * 27556: Src/lex.c: lexsave() should sanitize more variables else
        inner loops can get confused by outer state.  Symptom was
        source within precmd.