From: Bart Schaefer
Message-id: <140723183740.ZM5114@torch.brasslantern.com>
Date: Wed, 23 Jul 2014 18:37:40 -0700
In-reply-to: <20140723175218.1350b9cd@pwslap01u.europe.root.pri>
Comments: In reply to Peter Stephenson "Re: aliases+=(foo 'echo bar') crash" (Jul 23, 5:52pm)
References: <20140723160935.GC7798@chaz.gmail.com> <20140723175218.1350b9cd@pwslap01u.europe.root.pri>
To: zsh-workers@zsh.org
Subject: Re: aliases+=(foo 'echo bar') crash
X-Seq: 32901

On Jul 23, 5:52pm, Peter Stephenson wrote:
}
} I haven't got very far with this, but I'm suspicious of this blithe
} assumption in arrhashsetfn()...
}
}     /* ...but we can use the value without copying. */
}     setstrvalue(v, *aptr++);

That does appear to be related; valgrind complains about it:

==5082== Invalid free() / delete / delete[]
==5082==    at 0x4004EFA: free (vg_replace_malloc.c:235)
==5082==    by 0x8091F38: zsfree (mem.c:1727)
==5082==    by 0x80A0572: strsetfn (params.c:3148)
==5082==    by 0x809DA30: setstrvalue (params.c:2297)
==5082==    by 0x80A07FE: arrhashsetfn (params.c:3247)
==5082==    by 0x809E234: setarrvalue (params.c:2472)
==5082==    by 0x809F724: assignaparam (params.c:2829)
==5082==    by 0x80650B7: addvars (exec.c:2304)
==5082==    by 0x8066030: execcmd (exec.c:2677)
==5082==    by 0x8063A59: execpline2 (exec.c:1691)
==5082==    by 0x8062DFE: execpline (exec.c:1478)
==5082==    by 0x80626D6: execlist (exec.c:1261)
==5082==  Address 0x43C16A8 is not stack'd, malloc'd or (recently) free'd

However, if we look at addvars (exec.c:2304):

  2286          if (vl) {
  2287              ptr = arr = (char **) zalloc(sizeof(char **) *
  2288                                           (countlinknodes(vl) + 1));
  2289
  2290              while (nonempty(vl))
  2291                  *ptr++ = ztrdup((char *) ugetnode(vl));
  2292          } else
  2293              ptr = arr = (char **) zalloc(sizeof(char **));
  2294
  2295          *ptr = NULL;
  2296          if (xtr) {
  2297              fprintf(xtrerr, "( ");
  2298              for (ptr = arr; *ptr; ptr++) {
  2299                  quotedzputs(*ptr, xtrerr);
  2300                  fputc(' ', xtrerr);
  2301              }
  2302              fprintf(xtrerr, ") ");
  2303          }
  2304          assignaparam(name, arr, myflags);

The "arr" pointer is zalloc'd and every value in it is ztrdup'd, so the
basic assumption seems to be good.  The real problem seems to be here:

  3224      /* Best not to shortcut this by using the existing hash table,  *
  3225       * since that could cause trouble for special hashes.  This way, *
  3226       * it's up to pm->gsu.h->setfn() what to do. */
  3227      int alen = arrlen(val);
  3228      HashTable opmtab = paramtab, ht = 0;
  3229      char **aptr = val;
  3230      Value v = (Value) hcalloc(sizeof *v);
  3231      v->end = -1;
  ...
  3242          /* The parameter name is ztrdup'd... */
  3243          v->pm = createparam(*aptr, PM_SCALAR|PM_UNSET);

The bad free that's being complained about is v->pm->u.str, which either
came from hcalloc() for v or from somewhere in createparam().  The crash
is actually here at ->setfn():

  2298      switch (PM_TYPE(v->pm->node.flags)) {
  2299      case PM_SCALAR:
  2300          if (v->start == 0 && v->end == -1) {
  2301              v->pm->gsu.s->setfn(v->pm, val);

The bad values in *pm come from here:

   857      oldpm = (Param) (paramtab == realparamtab ?
   858                       gethashnode2(paramtab, name) :
   859                       paramtab->getnode(paramtab, name));

(where paramtab != realparamtab).  That's as far as I've gotten.