[Bug] ZSH segmentation fault

[Bug] ZSH segmentation fault

[matthieu kermagoret]

Hello !

I just found a bug in ZSH with double left redirection.
First I generate a file like this :
> echo "cat << EOF" > segfault_file
> for i in `seq 10000`; do echo `printf "%010000d" 0` >> segfault_file; done

Then I try to make it execute to ZSH like this :
> zsh < segfault_file

After a little while ZSH segfaults !
This was successfully reproduced over Linux and NetBSD.

I hope you'll find it useful.


--
Matthieu KERMAGORET
matthieu.kermagoret@epitech.net

Re: [Bug] ZSH segmentation fault

[Peter Stephenson]

matthieu kermagoret wrote:
> Hello !
> 
> I just found a bug in ZSH with double left redirection.
> First I generate a file like this :
> > echo "cat << EOF" > segfault_file
> > for i in `seq 10000`; do echo `printf "%010000d" 0` >> segfault_file; done
> 
> Then I try to make it execute to ZSH like this :
> > zsh < segfault_file
> 
> After a little while ZSH segfaults !

Hmm... you've made the shell use massive amounts of memory and it's
crashed when it didn't have enough.  (On my laptop with 2 gigabytes of
main memory and the same amount of swap this doesn't crash, at least
with the latest version of the shell.)

The problem is that the shell actually keeps the here document in
memory.  This seems a bit lazy because it needs to write it to a
temporary file later anyway.  However, there are case where this is very
difficult to handle any other way.  Consider a shell function:

fn() {
   cat <<EOF
     ... very long text ...
   EOF
}

Obviously this has to be in the shell's memory, since that's the whole
point of a shell function, so in this case the problem isn't fixable.  A
partial kludge for here documents in scripts or on the command line is
very messy and doesn't fix the fundamental problem that you're using a
syntax which potentially asks for unavailable memory.

The only general fix, or at least graceful get out, for crashes like
this is for every memory access in zsh to be error checked and abort if
it fails.  There are very, very many of these and it still doesn't help
you run programmes requiring large amounts of memory.

-- 
Peter Stephenson <p.w.stephenson@ntlworld.com>
Web page now at http://homepage.ntlworld.com/p.w.stephenson/

Re: [Bug] ZSH segmentation fault

[DervishD]

    Hi Peter :)

 * Peter Stephenson <p.w.stephenson@ntlworld.com> dixit:
> Hmm... you've made the shell use massive amounts of memory and it's
> crashed when it didn't have enough.
[...]
> The only general fix, or at least graceful get out, for crashes like
> this is for every memory access in zsh to be error checked and abort if
> it fails.  There are very, very many of these and it still doesn't help
> you run programmes requiring large amounts of memory.

    While I understand that running such scripts is very unusual, I
think that just segfaulting is not a correct way of dealing with errors.
For example, in my zsh 4.2.6 I get a segfault when trying to complete
very long file names (I reported that, but it's just an example). If I
try to run a script that eats all the memory, the shell will segfault
too. In the second case I'm the culprit, because really the shell is not
intended to do that job; in the first case I'm not guilty, but the shell
behaved the same. Moreover, even in the first case I think that it's
better to abort, that way you can try to reproduce the error in a
non-login shell and get a sensible error message when the shell crashes
instead of just a crash.

    Just my 0.02 euros, and of course I'm not critizising anything since
I'm not the one who has to fix every memory allocation O:)

    Raúl Núñez de Arenas Coronado

-- 
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!

Re: [Bug] ZSH segmentation fault

[Peter Stephenson]

DervishD wrote:
>     While I understand that running such scripts is very unusual, I
> think that just segfaulting is not a correct way of dealing with errors.

I didn't claim it was, indeed I think I implied the opposite.

I can easily work around this one, though even this isn't completely
trivial.

Index: Src/exec.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/exec.c,v
retrieving revision 1.115
diff -u -r1.115 exec.c
--- Src/exec.c	29 May 2007 14:16:03 -0000	1.115
+++ Src/exec.c	3 Jun 2007 17:32:50 -0000
@@ -3111,7 +3111,13 @@
 	    ;
 	for (;;) {
 	    if (bptr == buf + bsiz) {
-		buf = realloc(buf, 2 * bsiz);
+		char *newbuf = realloc(buf, 2 * bsiz);
+		if (!newbuf) {
+		    /* out of memory */
+		    zfree(buf, bsiz);
+		    return NULL;
+		}
+		buf = newbuf;
 		t = buf + bsiz - (bptr - t);
 		bptr = buf + bsiz;
 		bsiz *= 2;
Index: Src/lex.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/lex.c,v
retrieving revision 1.38
diff -u -r1.38 lex.c
--- Src/lex.c	23 Jan 2007 16:07:47 -0000	1.38
+++ Src/lex.c	3 Jun 2007 17:32:51 -0000
@@ -356,6 +356,16 @@
 	    ALLOWHIST
 	    cmdpop();
 	    hwend();
+	    if (!name) {
+		zerr("here document too large");
+		while (hdocs) {
+		    next = hdocs->next;
+		    zfree(hdocs, sizeof(struct heredocs));
+		    hdocs = next;
+		}
+		tok = LEXERR;
+		break;
+	    }
 	    setheredoc(hdocs->pc, REDIR_HERESTR, name);
 	    zfree(hdocs, sizeof(struct heredocs));
 	    hdocs = next;

-- 
Peter Stephenson <p.w.stephenson@ntlworld.com>
Web page now at http://homepage.ntlworld.com/p.w.stephenson/

Re: [Bug] ZSH segmentation fault

[DervishD]

    Hi Peter :)

 * Peter Stephenson <p.w.stephenson@ntlworld.com> dixit:
> DervishD wrote:
> >     While I understand that running such scripts is very unusual, I
> > think that just segfaulting is not a correct way of dealing with errors.
> 
> I didn't claim it was, indeed I think I implied the opposite.

    As I said, I wasn't critizising O:) and I didn't want to sound rude,
but my english is a bit on the poor side ;) I understood, from your
message, that you were implying that fixing that behaviour wasn't really
worth the effort. Sorry for that ;)
 
> I can easily work around this one, though even this isn't completely
> trivial.

    I suppose. Zsh sources are not exactly easy to follow. I don't
really know how can you fix the bugs SO FAST!. It's amazing.

    Thanks for the fix :)

    Raúl Núñez de Arenas Coronado

-- 
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!

Re: [Bug] ZSH segmentation fault

[Bart Schaefer]

On Jun 3,  6:36pm, Peter Stephenson wrote:
} Subject: Re: [Bug] ZSH segmentation fault
}
} DervishD wrote:
} >     While I understand that running such scripts is very unusual, I
} > think that just segfaulting is not a correct way of dealing with errors.
} 
} I didn't claim it was, indeed I think I implied the opposite.

It might suffice to have a segfault handler (possibly turned off when the
shell is compiled for debugging) which generically prints a message and
aborts cleanly rather than producing a core dump.  It's the same as far
as the end result of the script is concerned, which is why we've never
bothered with it so far, but it gives the appearance that the shell knows
what it's doing when a less-sophisticated user accidentally induces a
fault.