* Re: Completion problem on right hand side of assignment.
@ 1999-05-03 9:18 Sven Wischnowsky
0 siblings, 0 replies; 4+ messages in thread
From: Sven Wischnowsky @ 1999-05-03 9:18 UTC (permalink / raw)
To: zsh-workers
Tanaka Akira wrote:
> ...
> rascal% A=Doc/Zsh/zsh: segmentation fault (core dumped) ./Src/zsh -f
> Z:akr@rascal%
> ...
> BUG: attempt to free already free storage
> BUG: attempt to free storage at invalid address
Seems like clwnum is off-by-one after parsing an assignment. This
caused compwords to be allocated one field too short in callcompfunc
and then the NULL pointer terminating it could be overwritten.
This should fix it.
Bye
Sven
diff -u os/Zle/zle_tricky.c Src/Zle/zle_tricky.c
--- os/Zle/zle_tricky.c Mon May 3 11:07:15 1999
+++ Src/Zle/zle_tricky.c Mon May 3 11:07:50 1999
@@ -4360,7 +4360,7 @@
PERMALLOC {
q = compwords = (char **)
- zalloc((clwnum - aadd + 1) * sizeof(char *));
+ zalloc((clwnum + 1) * sizeof(char *));
for (p = clwords + aadd; *p; p++, q++) {
tmp = dupstring(*p);
untokenize(tmp);
--
Sven Wischnowsky wischnow@informatik.hu-berlin.de
^ permalink raw reply [flat|nested] 4+ messages in thread* Completion problem on right hand side of assignment. @ 1999-05-02 16:46 Tanaka Akira 1999-05-02 19:35 ` Bart Schaefer 0 siblings, 1 reply; 4+ messages in thread From: Tanaka Akira @ 1999-05-02 16:46 UTC (permalink / raw) To: zsh-workers zsh-3.1.5-pws-17 dumps core with following operation on BSD/OS 3.0. Z:akr@rascal% ./Src/zsh -f rascal% fpath=($PWD/Completion/*(/)) rascal% . Completion/Core/compinit rascal% A=D Push <TAB> after "A=D". rascal% A=Doc/ Push <TAB>. rascal% A=Doc/ META-FAQ.yo zsh.info-3 zshcompctl.1 zshoptions.1 Makefile zsh.info-4 zshcompctl.yo zshoptions.yo Makefile.in zsh.info-5 zshcompsys.1 zshparam.1 Zsh/ zsh.info-6 zshcompsys.yo zshparam.yo intro.ms zsh.info-7 zshcompwid.1 zshzftpsys.1 version.yo zsh.info-8 zshcompwid.yo zshzftpsys.yo zmacros.yo zsh.info-9 zshexpn.1 zshzle.1 zman.yo zsh.texi zshexpn.yo zshzle.yo zsh.1 zsh.yo zshmisc.1 ztexi.yo zsh.info zshall.1 zshmisc.yo zsh.info-1 zshbuiltins.1 zshmodules.1 zsh.info-2 zshbuiltins.yo zshmodules.yo Push "Z" and <TAB>. rascal% A=Doc/Zsh/ META-FAQ.yo zsh.info-3 zshcompctl.1 zshoptions.1 Makefile zsh.info-4 zshcompctl.yo zshoptions.yo Makefile.in zsh.info-5 zshcompsys.1 zshparam.1 Zsh/ zsh.info-6 zshcompsys.yo zshparam.yo intro.ms zsh.info-7 zshcompwid.1 zshzftpsys.1 version.yo zsh.info-8 zshcompwid.yo zshzftpsys.yo zmacros.yo zsh.info-9 zshexpn.1 zshzle.1 zman.yo zsh.texi zshexpn.yo zshzle.yo zsh.1 zsh.yo zshmisc.1 ztexi.yo zsh.info zshall.1 zshmisc.yo zsh.info-1 zshbuiltins.1 zshmodules.1 zsh.info-2 zshbuiltins.yo zshmodules.yo Push <TAB>. rascal% A=Doc/Zsh/ arith.yo files.yo mod_clone.yo modules.yo builtins.yo func.yo mod_comp1.yo options.yo compat.yo grammar.yo mod_compctl.yo params.yo compctl.yo guide.yo mod_deltochar.yo prompt.yo compsys.yo index.yo mod_example.yo redirect.yo compwid.yo intro.yo mod_files.yo restricted.yo cond.yo invoke.yo mod_sched.yo seealso.yo exec.yo jobs.yo mod_stat.yo zftpsys.yo expn.yo metafaq.yo mod_zftp.yo zle.yo filelist.yo mod_cap.yo mod_zle.yo Push <TAB>. rascal% A=Doc/Zsh/zsh: segmentation fault (core dumped) ./Src/zsh -f Z:akr@rascal% Backtrace produced by re-linked zsh binary without -s option and zsh.core is follows. (gdb) where #0 0x211aa in dupstring () #1 0x331e6 in arrdup () #2 0x3baf9 in comp_wrapper () #3 0xd823 in runshfunc () #4 0xd678 in doshfunc () #5 0x4e8e5 in callcompfunc () #6 0x4ee48 in makecomplist () #7 0x4de62 in docompletion () #8 0x48700 in docomplete () #9 0x47897 in expandorcomplete () #10 0x47652 in completecall () #11 0x41a26 in execzlefunc () #12 0x41778 in zleread () #13 0x19257 in inputline () #14 0x1918d in ingetc () #15 0x14fb1 in hgetc () #16 0x1c349 in gettok () #17 0x1bd75 in yylex () #18 0x26314 in parse_event () #19 0x17757 in loop () #20 0x1211 in main () (gdb) # Hmm, zsh binary with configure --enable-debug produce very short # backtrace. Also, I made zsh with following configuration. ./configure --enable-zsh-debug --enable-zsh-mem --enable-zsh-mem-debug --enable-zsh-mem-warning --enable-zsh-secure-free This zsh binary does not dumps core immediately after above operation. But it dumps core after input Ctrl-U "A=D" <TAB> <TAB> "Z" <TAB>. Also, sometimes the binary print following message though I cannot explain accurate operation to reproduce. BUG: attempt to free already free storage BUG: attempt to free storage at invalid address -- Tanaka Akira ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Completion problem on right hand side of assignment. 1999-05-02 16:46 Tanaka Akira @ 1999-05-02 19:35 ` Bart Schaefer 1999-05-03 3:46 ` Tanaka Akira 0 siblings, 1 reply; 4+ messages in thread From: Bart Schaefer @ 1999-05-02 19:35 UTC (permalink / raw) To: zsh-workers On May 3, 1:46am, Tanaka Akira wrote: } Subject: Completion problem on right hand side of assignment. } } zsh-3.1.5-pws-17 dumps core with following operation on BSD/OS 3.0. I'm not able to reproduce this on my Linux box. I tried both a dynamic and a non-dynamic build. -- Bart Schaefer Brass Lantern Enterprises http://www.well.com/user/barts http://www.brasslantern.com ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Completion problem on right hand side of assignment. 1999-05-02 19:35 ` Bart Schaefer @ 1999-05-03 3:46 ` Tanaka Akira 0 siblings, 0 replies; 4+ messages in thread From: Tanaka Akira @ 1999-05-03 3:46 UTC (permalink / raw) To: zsh-workers In article <990502123501.ZM10136@candle.brasslantern.com>, "Bart Schaefer" <schaefer@brasslantern.com> writes: > I'm not able to reproduce this on my Linux box. I tried both a dynamic > and a non-dynamic build. OK. I try to find more portable way to reproduce the problem... ... I found. Make zsh as follows. ./configure --enable-zsh-debug --enable-zsh-mem --enable-zsh-mem-debug --enable-zsh-mem-warning --enable-zsh-secure-free make Start zsh as follows. Src/zsh -f Input as follows. "fpath=($PWD/Completion/*(/))" <RET> ". Completion/Core/compinit" <RET> "A=D" <TAB> <TAB> "Z" <TAB> <TAB> <C-U> "A=D" <TAB> (*1) <TAB> "Z" <TAB> (*2) (*1) zsh outputs "BUG: attempt to free storage at invalid address" on Solaris7. (*2) zsh with --enable-zsh-mem dumps core on BSD/OS 3.0, Solaris7 and Debian GNU/Linux. I think that --enable-zsh-mem is key to reproduce this problem. But it reproduce on BSD/OS without --enable-zsh-mem. Backtrace on Debian GNU/Linux is follows. (gdb) where #0 0x400cef6f in strlen () #1 0x8076551 in dupstring (s=0x902d72 <Address 0x902d72 out of bounds>) at mem.c:480 #2 0x80b3937 in makecomplistctl (flags=3) at zle_tricky.c:4795 #3 0x809aee8 in bin_compcall (name=0x81165cc "compcall", argv=0x8116714, ops=0xbfffde24 "", func=0) at compctl.c:2130 #4 0x804af85 in execbuiltin (args=0x81165c4, bn=0x80cd994) at builtin.c:357 #5 0x8059087 in execcmd (cmd=0x81165a4, input=0, output=0, how=2, last1=2) at exec.c:1840 #6 0x805680a in execpline2 (pline=0x81166e4, how=2, input=0, output=0, last1=0) at exec.c:926 #7 0x8056011 in execpline (l=0x8116590, how=2, last1=0) at exec.c:771 #8 0x8055cd9 in execlist (list=0x8116580, dont_change_job=1, exiting=0) at exec.c:672 #9 0x805b57e in runshfunc (list=0x81069a0, wrap=0x0, name=0x8106fb4 "_default") at exec.c:2834 #10 0x809b5b9 in comp_wrapper (list=0x81069a0, w=0x0, name=0x8106fb4 "_default") at compctl.c:2367 #11 0x805b51f in runshfunc (list=0x81069a0, wrap=0x80cda38, name=0x8106fb4 "_default") at exec.c:2820 #12 0x805b33c in doshfunc (name=0x8106fb4 "_default", list=0x81069a0, doshargs=0x811586c, flags=0, noreturnval=0) at exec.c:2752 #13 0x805af35 in execshfunc (cmd=0x811584c, shf=0x8106980) at exec.c:2650 #14 0x8059002 in execcmd (cmd=0x811584c, input=0, output=0, how=2, last1=2) at exec.c:1829 #15 0x805680a in execpline2 (pline=0x811583c, how=2, input=0, output=0, last1=0) at exec.c:926 #16 0x8056011 in execpline (l=0x8115828, how=2, last1=0) at exec.c:771 #17 0x8055c6b in execlist (list=0x81157a4, dont_change_job=1, exiting=0) at exec.c:650 #18 0x80732bb in execif (cmd=0x8113e28) at loop.c:380 #19 0x8058e80 in execcmd (cmd=0x8113e28, input=0, output=0, how=2, last1=2) at exec.c:1793 #20 0x805680a in execpline2 (pline=0x8113e18, how=2, input=0, output=0, last1=0) at exec.c:926 #21 0x8056011 in execpline (l=0x8113e04, how=2, last1=0) at exec.c:771 ---Type <return> to continue, or q <return> to quit--- #22 0x8055c6b in execlist (list=0x8113df4, dont_change_job=1, exiting=0) at exec.c:650 #23 0x805b57e in runshfunc (list=0x810e6dc, wrap=0x0, name=0x810a7f4 "_complete") at exec.c:2834 #24 0x809b5b9 in comp_wrapper (list=0x810e6dc, w=0x0, name=0x810a7f4 "_complete") at compctl.c:2367 #25 0x805b51f in runshfunc (list=0x810e6dc, wrap=0x80cda38, name=0x810a7f4 "_complete") at exec.c:2820 #26 0x805b33c in doshfunc (name=0x810a7f4 "_complete", list=0x810e6dc, doshargs=0x81130a4, flags=0, noreturnval=0) at exec.c:2752 #27 0x805af35 in execshfunc (cmd=0x8113084, shf=0x810e6bc) at exec.c:2650 #28 0x8059002 in execcmd (cmd=0x8113084, input=0, output=0, how=2, last1=2) at exec.c:1829 #29 0x805680a in execpline2 (pline=0x8113074, how=2, input=0, output=0, last1=0) at exec.c:926 #30 0x8056011 in execpline (l=0x8113060, how=2, last1=0) at exec.c:771 #31 0x8055c85 in execlist (list=0x8113050, dont_change_job=1, exiting=0) at exec.c:656 #32 0x807283c in execfor (cmd=0x8112c6c) at loop.c:104 #33 0x8058e80 in execcmd (cmd=0x8112c6c, input=0, output=0, how=2, last1=2) at exec.c:1793 #34 0x805680a in execpline2 (pline=0x8112c5c, how=2, input=0, output=0, last1=0) at exec.c:926 #35 0x8056011 in execpline (l=0x8112c48, how=2, last1=0) at exec.c:771 #36 0x8055c6b in execlist (list=0x8112c38, dont_change_job=1, exiting=0) at exec.c:650 #37 0x805b57e in runshfunc (list=0x810e7ec, wrap=0x0, name=0x8114df4 "_main_complete") at exec.c:2834 #38 0x809b5b9 in comp_wrapper (list=0x810e7ec, w=0x0, name=0x8114df4 "_main_complete") at compctl.c:2367 #39 0x805b51f in runshfunc (list=0x810e7ec, wrap=0x80cda38, name=0x8114df4 "_main_complete") at exec.c:2820 #40 0x805b33c in doshfunc (name=0x8114df4 "_main_complete", list=0x810e7ec, doshargs=0x0, flags=0, noreturnval=1) at exec.c:2752 #41 0x80b2cf7 in callcompfunc (s=0x80fc774 "Doc/Z", fn=0x8114df4 "_main_complete") at zle_tricky.c:4480 ---Type <return> to continue, or q <return> to quit--- #42 0x80b3369 in makecomplist (s=0x80fc774 "Doc/Z", incmd=0, lst=0) at zle_tricky.c:4632 #43 0x80b2135 in docompletion (s=0x8105fa8 "Doc/Z", lst=0, incmd=0) at zle_tricky.c:4196 #44 0x80aa85f in docomplete (lst=0) at zle_tricky.c:1000 #45 0x80a951f in expandorcomplete () at zle_tricky.c:469 #46 0x80a92a8 in completecall () at zle_tricky.c:376 #47 0x80a18cd in execzlefunc (func=0x80f719c) at zle_main.c:592 #48 0x80a1468 in zleread (lp=0x80f47b0 "%m%# ", rp=0x0, flags=3) at zle_main.c:510 #49 0x806b0da in inputline () at input.c:263 #50 0x806afcd in ingetc () at input.c:208 #51 0x8065a3f in hgetc () at hist.c:206 #52 0x806f8c9 in gettok () at lex.c:526 #53 0x806f225 in yylex () at lex.c:289 #54 0x807f8b8 in parse_event () at parse.c:99 #55 0x806912f in loop (toplevel=1, justonce=0) at init.c:100 #56 0x804a635 in main (argc=2, argv=0xbffffaf4) at ./main.c:77 (gdb) -- Tanaka Akira ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~1999-05-03 9:48 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 1999-05-03 9:18 Completion problem on right hand side of assignment Sven Wischnowsky -- strict thread matches above, loose matches on Subject: below -- 1999-05-02 16:46 Tanaka Akira 1999-05-02 19:35 ` Bart Schaefer 1999-05-03 3:46 ` Tanaka Akira
Code repositories for project(s) associated with this public inbox https://git.vuxu.org/mirror/zsh/ This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).