zsh-workers
From: Bart Schaefer <schaefer@brasslantern.com>
To: zsh-workers@zsh.org
Subject: Re: aliases+=(foo 'echo bar') crash
Date: Wed, 23 Jul 2014 18:37:40 -0700
Message-ID: <140723183740.ZM5114@torch.brasslantern.com>
In-Reply-To: <20140723175218.1350b9cd@pwslap01u.europe.root.pri>

On Jul 23,  5:52pm, Peter Stephenson wrote:
}
} I haven't got very far with this, but I'm suspicious of this blithe
} assumption in arrhashsetfn()...
} 
} 	/* ...but we can use the value without copying. */
} 	setstrvalue(v, *aptr++);

That does appear to be related; valgrind complains about it:

==5082== Invalid free() / delete / delete[]
==5082==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==5082==    by 0x8091F38: zsfree (mem.c:1727)
==5082==    by 0x80A0572: strsetfn (params.c:3148)
==5082==    by 0x809DA30: setstrvalue (params.c:2297)
==5082==    by 0x80A07FE: arrhashsetfn (params.c:3247)
==5082==    by 0x809E234: setarrvalue (params.c:2472)
==5082==    by 0x809F724: assignaparam (params.c:2829)
==5082==    by 0x80650B7: addvars (exec.c:2304)
==5082==    by 0x8066030: execcmd (exec.c:2677)
==5082==    by 0x8063A59: execpline2 (exec.c:1691)
==5082==    by 0x8062DFE: execpline (exec.c:1478)
==5082==    by 0x80626D6: execlist (exec.c:1261)
==5082==  Address 0x43C16A8 is not stack'd, malloc'd or (recently) free'd

However, if we look at addvars (exec.c:2304):

   2286         if (vl) {
   2287             ptr = arr = (char **) zalloc(sizeof(char **) *
   2288                                          (countlinknodes(vl) + 1));
   2289 
   2290             while (nonempty(vl))
   2291                 *ptr++ = ztrdup((char *) ugetnode(vl));
   2292         } else
   2293             ptr = arr = (char **) zalloc(sizeof(char **));
   2294 
   2295         *ptr = NULL;
   2296         if (xtr) {
   2297             fprintf(xtrerr, "( ");
   2298             for (ptr = arr; *ptr; ptr++) {
   2299                 quotedzputs(*ptr, xtrerr);
   2300                 fputc(' ', xtrerr);
   2301             }
   2302             fprintf(xtrerr, ") ");
   2303         }
   2304         assignaparam(name, arr, myflags);

The "arr" pointer is zalloc'd and every value in it is ztrdup'd, so the
basic assumption seems to be good.

The real problem seems to be here:

   3224     /* Best not to shortcut this by using the existing hash table,   *
   3225      * since that could cause trouble for special hashes.  This way, *
   3226      * it's up to pm->gsu.h->setfn() what to do.                     */
   3227     int alen = arrlen(val);
   3228     HashTable opmtab = paramtab, ht = 0;
   3229     char **aptr = val;
   3230     Value v = (Value) hcalloc(sizeof *v);
   3231     v->end = -1;
...
   3242         /* The parameter name is ztrdup'd... */
   3243         v->pm = createparam(*aptr, PM_SCALAR|PM_UNSET);

The bad free that's being complained about is v->pm->u.str, which either
came from hcalloc() for v or from somewhere in createparam().  The crash
is actually here at ->setfn():

   2298     switch (PM_TYPE(v->pm->node.flags)) {
   2299     case PM_SCALAR:
   2300         if (v->start == 0 && v->end == -1) {
   2301             v->pm->gsu.s->setfn(v->pm, val);

The bad values in *pm come from here:

    857         oldpm = (Param) (paramtab == realparamtab ?
    858                          gethashnode2(paramtab, name) :
    859                          paramtab->getnode(paramtab, name));

(where paramtab != realparamtab).  That's as far as I've gotten.
