From: Bart Schaefer <schaefer@brasslantern.com>
To: zsh-workers@zsh.org
Subject: Re: aliases+=(foo 'echo bar') crash
Date: Wed, 23 Jul 2014 18:37:40 -0700
Message-ID: <140723183740.ZM5114@torch.brasslantern.com>
In-Reply-To: <20140723175218.1350b9cd@pwslap01u.europe.root.pri>
On Jul 23, 5:52pm, Peter Stephenson wrote:
}
} I haven't got very far with this, but I'm suspicious of this blithe
} assumption in arrhashsetfn()...
}
}     /* ...but we can use the value without copying. */
}     setstrvalue(v, *aptr++);
That does appear to be related; valgrind complains about it:
==5082== Invalid free() / delete / delete[]
==5082==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==5082==    by 0x8091F38: zsfree (mem.c:1727)
==5082==    by 0x80A0572: strsetfn (params.c:3148)
==5082==    by 0x809DA30: setstrvalue (params.c:2297)
==5082==    by 0x80A07FE: arrhashsetfn (params.c:3247)
==5082==    by 0x809E234: setarrvalue (params.c:2472)
==5082==    by 0x809F724: assignaparam (params.c:2829)
==5082==    by 0x80650B7: addvars (exec.c:2304)
==5082==    by 0x8066030: execcmd (exec.c:2677)
==5082==    by 0x8063A59: execpline2 (exec.c:1691)
==5082==    by 0x8062DFE: execpline (exec.c:1478)
==5082==    by 0x80626D6: execlist (exec.c:1261)
==5082==  Address 0x43C16A8 is not stack'd, malloc'd or (recently) free'd
However, if we look at addvars (exec.c:2304):
2286         if (vl) {
2287             ptr = arr = (char **) zalloc(sizeof(char **) *
2288                                          (countlinknodes(vl) + 1));
2289
2290             while (nonempty(vl))
2291                 *ptr++ = ztrdup((char *) ugetnode(vl));
2292         } else
2293             ptr = arr = (char **) zalloc(sizeof(char **));
2294
2295         *ptr = NULL;
2296         if (xtr) {
2297             fprintf(xtrerr, "( ");
2298             for (ptr = arr; *ptr; ptr++) {
2299                 quotedzputs(*ptr, xtrerr);
2300                 fputc(' ', xtrerr);
2301             }
2302             fprintf(xtrerr, ") ");
2303         }
2304         assignaparam(name, arr, myflags);
The "arr" pointer is zalloc'd and every value in it is ztrdup'd, so the
basic assumption seems to be good.
The real problem seems to be here:
3224     /* Best not to shortcut this by using the existing hash table, *
3225      * since that could cause trouble for special hashes. This way, *
3226      * it's up to pm->gsu.h->setfn() what to do. */
3227     int alen = arrlen(val);
3228     HashTable opmtab = paramtab, ht = 0;
3229     char **aptr = val;
3230     Value v = (Value) hcalloc(sizeof *v);
3231     v->end = -1;
...
3242     /* The parameter name is ztrdup'd... */
3243     v->pm = createparam(*aptr, PM_SCALAR|PM_UNSET);
The bad free that's being complained about is v->pm->u.str, which either
came from hcalloc() for v or from somewhere in createparam(). The crash
is actually here at ->setfn():
2298     switch (PM_TYPE(v->pm->node.flags)) {
2299     case PM_SCALAR:
2300         if (v->start == 0 && v->end == -1) {
2301             v->pm->gsu.s->setfn(v->pm, val);
The bad values in *pm come from here:
 857     oldpm = (Param) (paramtab == realparamtab ?
 858                      gethashnode2(paramtab, name) :
 859                      paramtab->getnode(paramtab, name));
(where paramtab != realparamtab). That's as far as I've gotten.