From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 22822 invoked by alias); 31 Dec 2013 07:23:19 -0000 Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm Precedence: bulk X-No-Archive: yes List-Id: Zsh Workers List List-Post: List-Help: X-Seq: 32208 Received: (qmail 22973 invoked from network); 31 Dec 2013 07:23:04 -0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 From: Bart Schaefer Message-id: <131230232255.ZM27137@torch.brasslantern.com> Date: Mon, 30 Dec 2013 23:22:55 -0800 In-reply-to: Comments: In reply to Sam Roberts "zsh segfaul in 5.0.2, known bug?" (Dec 30, 4:07pm) References: X-Mailer: OpenZMail Classic (0.9.2 24April2005) To: zsh-workers@zsh.org Subject: Re: zsh segfaul in 5.0.2, known bug? MIME-version: 1.0 Content-type: text/plain; charset=us-ascii On Dec 30, 4:07pm, Sam Roberts wrote: } } % (export path=$PATH; unset PATH; date) } export: can't assign new value for array path } zsh: segmentation fault (core dumped) ( export path=$PATH; unset PATH; date; ) Hmm, this is a sneaky one. The "export" is entirely irrelevant. If the command is "unset path", then we first unset the path array, and then unset the PATH scalar, which repairs the environment and thereby resets an internal pointer that tracks how much of the path array has been searched. However, when the command is "unset PATH", we first unset the scalar, which resets the internal pointer, but then unset the array, which leaves that other pointer aimed at the freed memory that formerly held the path. *Except* that unsetting the path array immediately re-allocates it as an array with no elements. In most cases this re-uses the same block that was just freed, so by accident the other pointer becomes valid again. If the malloc() library routine happens to have the property that it might not return that same most-recently-freed block, then the other pointer remains invalid and a crash results when the next path search tries to pick up where the previous one left off. (There was no previous search, but it can't tell that because the pointer is bad.) The ZSH_MEM_DEBUG library happens *to* re-use the most-recently-freed block, so a typical debugger session does not reveal the problem. I found it with valgrind and then puzzled out the order of operations. The following fixes the crash, but it's exposing in arrvarsetfn() some knowledge that was previously confined to arrfixenv(), so there may be a cleaner way to handle it. diff --git a/Src/params.c b/Src/params.c index 26ad6b2..ad9e347 100644 --- a/Src/params.c +++ b/Src/params.c @@ -3380,8 +3380,12 @@ arrvarsetfn(Param pm, char **x) *dptr = mkarray(NULL); else *dptr = x; - if (pm->ename && x) - arrfixenv(pm->ename, x); + if (pm->ename) { + if (x) + arrfixenv(pm->ename, x); + else if (*dptr == path) + pathchecked = path; + } } /**/