r in completion function causes zsh abort

r in completion function causes zsh abort

[Oliver Kiddle]

After accidentally leaving a spurious `r' in a completion function, zsh
crashes with:

*** glibc detected *** zsh: double free or corruption (fasttop): 0x00000000022bc640 ***

It doesn't seem to occur directly from zsh -f but attempting to bisect
my options makes me suspect that there isn't a specific set that are
needed. Anyway, the following appears to reliably reproduce the problem:

zsh -f
autoload -U compinit;compinit
compdef r ty
setopt -09hwE
ty <tab>

Oliver

Re: r in completion function causes zsh abort

[Bart Schaefer]

On Nov 8, 11:25am, Oliver Kiddle wrote:
}
} After accidentally leaving a spurious `r' in a completion function, zsh
} crashes

"r" will of course attempt to invoke command history; it's not surprising
that doing so down in the guts of a completion function dives into some
code that's not prepared to be called at that juncture.

Sure enough, the stack trace is

abort
free
hend
loop
bin_fc
execbuiltin

(Don't have debugging compiled on the machine where I'm able to test this
right now.)  There's no way bin_fc should be calling the main loop during
completion, and probably not at any time while zle is active (which is a
lot easier to test).

Feel free to suggest a better error message ...

Index: Src/builtin.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/builtin.c,v
retrieving revision 1.267
diff -u -r1.267 builtin.c
--- Src/builtin.c       11 Oct 2012 20:14:03 -0000      1.267
+++ Src/builtin.c       8 Nov 2012 15:14:41 -0000
@@ -1414,6 +1414,12 @@
        unqueue_signals();
        return 0;
     }
+
+    if (zleactive) {
+       zwarnnam(nam, "no interactive history within ZLE");
+       return 1;
+    }
+
     /* put foo=bar type arguments into the substitution list */
     while (*argv && equalsplit(*argv, &s)) {
        Asgment a = (Asgment) zhalloc(sizeof *a);