Crash with 'print -s' with no further arguments

Crash with 'print -s' with no further arguments

[Miciah Dashiel Butler Masters]

When I execute 'print -s' with no further arguments twice -- not
necessarily successively -- then ZSH segfaults.

I run Debian's zsh 4.0.6-28 package (libc6 2.3.1-14 and libncurses5
5.3.20021109-2).

This bug seems similar to, but apparently not the same as, a bug
reported in zsh-workers/15085 which Bart Schaefer reports fixed in a
follow-up.  The difference is that that bug triggers when the next
command after 'print -s' is executed, whereas this bug I'm reporting
triggers when 'print -s' is executed a second time.  Another slightly
similar bug is zsh-workers/4073.  I found no others.

Backtrace, FWIW:

#0  0x400fa299 in free () from /lib/libc.so.6
#1  0x08069d08 in freehistdata ()
#2  0x08069cd6 in freehistnode ()
#3  0x080589a3 in bin_print ()
#4  0x08051a34 in execbuiltin ()
#5  0x0805ffe7 in execsubst ()
#6  0x0805eb3b in execlist ()
#7  0x0805e121 in execlist ()
#8  0x0805dea7 in execlist ()
#9  0x0805da1f in execode ()
#10 0x0806e2a6 in loop ()
#11 0x08070770 in zsh_main ()
#12 0x08051477 in main ()
#13 0x400a6a51 in __libc_start_main () from /lib/libc.so.6

Thanks,

 -- Miciah <miciah@myrealbox.com>

Re: Crash with 'print -s' with no further arguments

[Bart Schaefer]

On Mar 19,  6:17am, Miciah Dashiel Butler Masters wrote:
}
} When I execute 'print -s' with no further arguments twice -- not
} necessarily successively -- then ZSH segfaults.

I can't reproduce this on RedHat 6.2.  What are your setopts?

Re: Crash with 'print -s' with no further arguments

[Miciah Dashiel Butler Masters]

In article <1030320041539.ZM2167@candle.brasslantern.com>, Bart Schaefer wrote:
> On Mar 19,  6:17am, Miciah Dashiel Butler Masters wrote:
> }
> } When I execute 'print -s' with no further arguments twice -- not
> } necessarily successively -- then ZSH segfaults.
> 
> I can't reproduce this on RedHat 6.2.  What are your setopts?

I'm sorry I didn't put this in my first message, but I did send a
follow-up to my original post with the information -- flaky Gmane,
flaky ML, flaky SLRN, or flaky user? Oh, well.

I can reproduce the problem with:

$ zsh -f
AwesomeComp% setopt hist_ignore_all_dups
AwesomeComp% print -s
AwesomeComp% print -s
Segmentation fault

 -- Miciah <miciah@myrealbox.com>

Re: Crash with 'print -s' with no further arguments

[Clint Adams]

> $ zsh -f
> AwesomeComp% setopt hist_ignore_all_dups
> AwesomeComp% print -s
> AwesomeComp% print -s
> Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0x40106299 in free () from /lib/libc.so.6
(gdb) bt
#0  0x40106299 in free () from /lib/libc.so.6
#1  0x0806b75c in freehistdata ()
#2  0x0806b72a in freehistnode ()
#3  0x08059ba4 in bin_print ()
#4  0x08051cda in execbuiltin ()
#5  0x0806199b in execsubst ()
#6  0x0806041f in execlist ()
#7  0x0805fa05 in execlist ()
#8  0x0805f78b in execlist ()
#9  0x0805f29d in execode ()
#10 0x0806fda6 in loop ()
#11 0x080722f8 in zsh_main ()
#12 0x0805178b in main ()
#13 0x400b2a51 in __libc_start_main () from /lib/libc.so.6

Re: Crash with 'print -s' with no further arguments

[Oliver Kiddle]

On 20 Mar, Miciah Dashiel Butler Masters wrote:
> 
> $ zsh -f
> AwesomeComp% setopt hist_ignore_all_dups
> AwesomeComp% print -s
> AwesomeComp% print -s
> Segmentation fault

I can't reproduce the seg fault but valgrind says:

==12379== Invalid free() / delete / delete[]
==12379==    at 0x40047262: free (vg_clientfuncs.c:180)
==12379==    by 0x808ED08: zsfree (mem.c:1399)
==12379==    by 0x8075A15: freehistdata (hashtable.c:1517)
==12379==    by 0x80759B4: freehistnode (hashtable.c:1503)
==12379==    Address 0x80C995A is not stack'd, malloc'd or free'd

It gives line numbers if that is any use beyond what Clint has already
sent.

PATCH: Crash with 'print -s' with no further arguments

[Wayne Davison]

On Thu, Mar 20, 2003 at 04:40:07AM +0000, Miciah Dashiel Butler Masters wrote:
> $ zsh -f
> AwesomeComp% setopt hist_ignore_all_dups
> AwesomeComp% print -s
> AwesomeComp% print -s
> Segmentation fault

This turns out to be a bug in the zjoin() function when it generates
an empty string and the heap flag is not set.  This patch fixes the
problem:

--- Src/utils.c	24 Mar 2003 12:57:25 -0000	1.47
+++ Src/utils.c	25 Mar 2003 17:57:07 -0000
@@ -1793,7 +1793,7 @@
     for (s = arr; *s; s++)
 	len += strlen(*s) + 1;
     if (!len)
-	return "";
+	return heap? "" : ztrdup("");
     ptr = ret = (heap ? (char *) hcalloc(len) : (char *) zcalloc(len));
     for (s = arr; *s; s++) {
 	strucpy(&ptr, *s);

This should also fix any other crash bug that was caused by typing
"print -s" (without any args) -- the only difference is when the code
will try to free the literal "" string.

..wayne..

Re: PATCH: Crash with 'print -s' with no further arguments

[Bart Schaefer]

On Mar 25, 10:03am, Wayne Davison wrote:
}
} This turns out to be a bug in the zjoin() function when it generates
} an empty string and the heap flag is not set.

Does this need applying to the 4.0 branch?

Re: PATCH: Crash with 'print -s' with no further arguments

[Wayne Davison]

On Tue, Mar 25, 2003 at 06:15:23PM +0000, Bart Schaefer wrote:
> Does this need applying to the 4.0 branch?

Yes, it did.  I just committed it there as well.

..wayne..