From: Bart Schaefer <schaefer@brasslantern.com>
To: zsh-workers@zsh.org
Cc: Jonathan H <pythonnut@gmail.com>
Subject: Re: Complex config triggering Segfault in pattern matching code.
Date: Wed, 17 Dec 2014 22:14:00 -0800
Message-ID: <141217221400.ZM13648@torch.brasslantern.com>
In-Reply-To: <CAAW2-Zdr7MP_eHDzTjyHarjZCL_iu6AuRJiQL3eH0phSb=1UiA@mail.gmail.com>
On Dec 17, 9:18am, Jonathan H wrote:
} Subject: Re: Complex config triggering Segfault in pattern matching code.
}
} So, I ran ZSH for over 48 hours, and it finally crashed. I don't know
} if it was the normal crashes I'm seeing because valgrind seems to have
} rendered all of my tests useless. (Also, it gobbled up all of my RAM,
} so I can't tell if that's why it crashed).
}
} Attached is the STDERR from "valgrind -q --trace-children=yes
} --track-origins=yes"
Thanks. If you do this again I think you can avoid --trace-children.
} A lot of errors seem to have cropped up.
Yeah, but the vast majority of them are the same error repeating.
Already fixed this one:
==1705== Source and destination overlap in strcpy(0x402bd24, 0x402bd51)
==1705== at 0x4C2D766: __GI_strcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1705== by 0x488CD0: stringsubst (subst.c:301)
This one seems obvious:
==1705== Uninitialised value was created by a heap allocation
==1705== at 0x4C29F90: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1705== by 0x45C446: zalloc (mem.c:896)
==1705== by 0x65A4781: init_keymaps (zle_keymap.c:1194)
diff --git a/Src/Zle/zle_keymap.c b/Src/Zle/zle_keymap.c
index be02f3a..cfef882 100644
--- a/Src/Zle/zle_keymap.c
+++ b/Src/Zle/zle_keymap.c
@@ -1201,7 +1201,7 @@ init_keymaps(void)
{
createkeymapnamtab();
default_bindings();
- keybuf = (char *)zalloc(keybufsz);
+ keybuf = (char *)zshcalloc(keybufsz);
lastnamed = refthingy(t_undefinedkey);
}
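Review bot: swapping zalloc() for zshcalloc() makes the report go away by zero-filling keybuf, but the valgrind trace quoted above only identifies the allocation site (init_keymaps), not the read that consumed the uninitialised bytes, so the patch should state which reader relied on keybuf's initial contents (most likely a NUL terminator or an empty-string check) so the change can be judged as the correct fix rather than as silencing the warning. If keybuf is ever regrown with zrealloc elsewhere, the new tail would be uninitialised again; either confirm that no such path exists or clear the tail there as well.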
This is the one that repeats a lot:
==1705== Uninitialised value was created by a heap allocation
==1705== at 0x4C2C29E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1705== by 0x45C798: zrealloc (mem.c:938)
==1705== by 0x65B0D18: set_region_highlight (zle_refresh.c:454)
It would appear that the loop at zle_refresh.c:461 needs to assign
values to rhp->start_meta and rhp->end_meta at the same time that it
calculates rhp->start and rhp->end. However, I'm not familiar enough
with the region_highlight algorithm to be sure how to initialize those.
It's possible that fixing this will fix the next one as a side-effect.
Finally this one repeats a few times:
==1705== Conditional jump or move depends on uninitialised value(s)
==1705== at 0x5A04253: vfprintf (in /usr/lib/libc-2.20.so)
==1705== by 0x5A278FA: vsprintf (in /usr/lib/libc-2.20.so)
==1705== by 0x5A0ACD6: sprintf (in /usr/lib/libc-2.20.so)
==1705== by 0x65B0B66: get_region_highlight (zle_refresh.c:410)
That's this:
sprintf(digbuf1, "%d", rhp->start);
sprintf(digbuf2, "%d", rhp->end);
I'm confused about that one because I can't see where rhp->start might
be coming from without getting initialized. It LOOKS like the loop in
set_region_highlight() always either initializes those, or truncates
the array to be no more than N_SPECIAL_HIGHLIGHTS elements long. In
the latter case the loop containing those sprintf's should never make
a circuit. There is a potential problem in that the loop test is just
(arrsize--) which could go on infinitely if arrsize is negative when
the loop begins, but there isn't enough log output for this to be an
infinite loop.
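The two defect classes the mail points at, a heap buffer whose new entries are read before every field is assigned, and a `while (arrsize--)` loop that never terminates on a negative count, shown side by side with their fixes. This is an added example and not zsh's code: `struct region`, `grow_regions`, `fill_regions`, `format_regions` and `run_example` are hypothetical names, the field layout is an assumption, and the "start end" pairs are constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an entry of zsh's region_highlight table.
 * The field names follow the mail; the layout is an assumption. */
struct region {
    int start, end;            /* offsets into the plain line */
    int start_meta, end_meta;  /* offsets into the metafied line */
};

/* Grow a heap array and zero-fill the new tail.  This is the realloc
 * counterpart of the zalloc() -> zshcalloc() change in the patch: a field the
 * fill loop forgets to assign then reads as 0 rather than as stale heap
 * bytes, which valgrind would report as an uninitialised value. */
static struct region *grow_regions(struct region *old, size_t oldn, size_t newn)
{
    struct region *p = realloc(old, newn * sizeof *p);
    if (p == NULL)
        return NULL;
    if (newn > oldn)
        memset(p + oldn, 0, (newn - oldn) * sizeof *p);
    return p;
}

/* Fill n entries from constructed "start end" pairs.  Every field, including
 * start_meta/end_meta, is assigned in the same pass that computes start/end,
 * which is the fix the mail suggests for the loop at zle_refresh.c:461.
 * (For this example the metafied offsets are assumed to equal the plain
 * ones; real code would have to convert them.) */
static void fill_regions(struct region *rh, size_t n, const int (*pairs)[2])
{
    for (size_t i = 0; i < n; i++) {
        rh[i].start = pairs[i][0];
        rh[i].end = pairs[i][1];
        rh[i].start_meta = rh[i].start;
        rh[i].end_meta = rh[i].end;
    }
}

/* Analogue of the get_region_highlight() loop that formats "start end" per
 * entry.  The mail notes that a bare "while (arrsize--)" with a negative
 * count never terminates; rejecting negative counts up front closes that.
 * Returns bytes written, or -1 on a bad count or an undersized buffer. */
static int format_regions(const struct region *rh, int arrsize,
                          char *out, size_t outsz)
{
    size_t used = 0;
    if (arrsize < 0)
        return -1;
    while (arrsize--) {
        char digbuf1[16], digbuf2[16];
        snprintf(digbuf1, sizeof digbuf1, "%d", rh->start);
        snprintf(digbuf2, sizeof digbuf2, "%d", rh->end);
        int n = snprintf(out + used, outsz - used, "%s %s\n", digbuf1, digbuf2);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
        rh++;
    }
    return (int)used;
}

/* Drive the three pieces on constructed data.  Returns 0 when every check
 * passes, otherwise the number of the first failing check. */
static int run_example(void)
{
    static const int pairs[2][2] = { {0, 5}, {7, 9} };  /* constructed input */
    char out[64];
    int rc = 0;
    struct region *rh = grow_regions(NULL, 0, 4);       /* 4 slots, all zero */
    if (rh == NULL)
        return 1;
    if (rh[3].start_meta != 0 || rh[3].end_meta != 0) { /* tail is zeroed */
        rc = 2;
        goto out;
    }
    fill_regions(rh, 2, pairs);
    if (rh[1].end_meta != 9) {                          /* meta fields set */
        rc = 3;
        goto out;
    }
    if (format_regions(rh, 2, out, sizeof out) != 8 ||  /* "0 5\n7 9\n" */
        strcmp(out, "0 5\n7 9\n") != 0) {
        rc = 4;
        goto out;
    }
    if (format_regions(rh, -1, out, sizeof out) != -1)  /* negative count */
        rc = 5;
out:
    free(rh);
    return rc;
}

int main(void)
{
    int rc = run_example();
    printf("run_example: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

Running the block under `valgrind --track-origins=yes` is the useful exercise: drop the `memset` in `grow_regions` and the `start_meta`/`end_meta` assignments in `fill_regions`, then read those fields, and valgrind reports the same "Uninitialised value was created by a heap allocation" at the realloc site that the mail quotes for set_region_highlight.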
Thread overview: 14+ messages
2014-12-13 19:49 Jonathan H
2014-12-13 23:28 ` Bart Schaefer
2014-12-13 23:36 ` Jonathan H
2014-12-14 4:40 ` Bart Schaefer
2014-12-14 18:20 ` Peter Stephenson
2014-12-14 18:43 ` Bart Schaefer
2014-12-15 21:20 ` Jonathan H
2014-12-15 23:39 ` Bart Schaefer
2014-12-16 20:58 ` Peter Stephenson
2014-12-17 17:18 ` Jonathan H
2014-12-18 6:14 ` Bart Schaefer [this message]
2014-12-18 19:09 ` Peter Stephenson
2014-12-18 19:34 ` Peter Stephenson
2014-12-29 0:57 ` Daniel Shahaf