zsh 4.2.5 segfaults when substituting on $match

zsh 4.2.5 segfaults when substituting on $match

[DervishD]

    Hi all :)

    zsh segfaults with this:

    $ zsh -f
    $ emulate -L zsh
    $ setopt extendedglob
    $ file="a"
    $ print ${file//(#b)(*)/${match//a/}}

    But not with this:

    $ zsh -f
    $ emulate -L zsh
    $ setopt extendedglob
    $ file="a"
    $ print ${file//(#b)(*)/${match/a/}}

    Both gdb and valgrind says it crashes in a memcpy call, maybe due
to an initialized pointer :? Happens on my 4.2.5 (self compiled), AND
in an old 4.0.9 I have around here (self compiled too).

    If anyone wants me to carry any additional tests, just tell ;)

    Raúl Núñez de Arenas Coronado

-- 
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to...

PATCH: Re: zsh 4.2.5 segfaults when substituting on $match

[Peter Stephenson]

DervishD wrote:
>     Hi all :)
> 
>     zsh segfaults with this:
> 
>     $ zsh -f
>     $ emulate -L zsh
>     $ setopt extendedglob
>     $ file="a"
>     $ print ${file//(#b)(*)/${match//a/}}

[I've been away for a couple of days.  For future reference, I am away
again the second half of next week.]

Yes, this looks like being a result of one of the zillions of places
where the code, instead of passing an argument like real programmes do,
declares a global or static variable and vaguely hopes it will come out
right in the end.  This one's been around for a long time; it may even
be my fault.

To other zsh programmers: *Please* don't.

Index: Src/glob.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/glob.c,v
retrieving revision 1.44
diff -u -r1.44 glob.c
--- Src/glob.c	15 Aug 2005 16:04:32 -0000	1.44
+++ Src/glob.c	17 Aug 2005 23:32:56 -0000
@@ -2000,15 +2000,6 @@
 };
 typedef struct repldata *Repldata;
 
-/*
- * List of bits of matches to concatenate with replacement string.
- * The data is a struct repldata.  It is not used in cases like
- * ${...//#foo/bar} even though SUB_GLOBAL is set, since the match
- * is anchored.  It goes on the heap.
- */
-
-static LinkList repllist;
-
 /* Having found a match in getmatch, decide what part of string
  * to return.  The matched part starts b characters into string s
  * and finishes e characters in: 0 <= b <= e <= strlen(s)
@@ -2020,7 +2011,8 @@
 
 /**/
 static char *
-get_match_ret(char *s, int b, int e, int fl, char *replstr)
+get_match_ret(char *s, int b, int e, int fl, char *replstr,
+	      LinkList repllist)
 {
     char buf[80], *r, *p, *rr;
     int ll = 0, l = strlen(s), bl = 0, t = 0, i;
@@ -2230,8 +2222,13 @@
      * lengths.
      */
     int ioff, l = strlen(*sp), uml = ztrlen(*sp), matched = 1, umlen;
-
-    repllist = NULL;
+    /*
+     * List of bits of matches to concatenate with replacement string.
+     * The data is a struct repldata.  It is not used in cases like
+     * ${...//#foo/bar} even though SUB_GLOBAL is set, since the match
+     * is anchored.  It goes on the heap.
+     */
+    static LinkList repllist = NULL;
 
     /* perform must-match test for complex closures */
     if (p->mustoff)
@@ -2254,7 +2251,7 @@
 
     if (fl & SUB_ALL) {
 	int i = matched && pattry(p, s);
-	*sp = get_match_ret(*sp, 0, i ? l : 0, fl, i ? replstr : 0);
+	*sp = get_match_ret(*sp, 0, i ? l : 0, fl, i ? replstr : 0, repllist);
 	if (! **sp && (((fl & SUB_MATCH) && !i) || ((fl & SUB_REST) && i)))
 	    return 0;
 	return 1;
@@ -2283,7 +2280,7 @@
 			}
 		    }
 		}
-		*sp = get_match_ret(*sp, 0, mlen, fl, replstr);
+		*sp = get_match_ret(*sp, 0, mlen, fl, replstr, repllist);
 		return 1;
 	    }
 	    break;
@@ -2298,7 +2295,7 @@
 		    t--;
 		set_pat_start(p, t-s);
 		if (pattrylen(p, t, s + l - t, umlen, ioff)) {
-		    *sp = get_match_ret(*sp, t - s, l, fl, replstr);
+		    *sp = get_match_ret(*sp, t - s, l, fl, replstr, repllist);
 		    return 1;
 		}
 		if (t > s+1 && t[-2] == Meta)
@@ -2314,7 +2311,7 @@
 		 ioff++, METAINC(t), umlen--) {
 		set_pat_start(p, t-s);
 		if (pattrylen(p, t, s + l - t, umlen, ioff)) {
-		    *sp = get_match_ret(*sp, t-s, l, fl, replstr);
+		    *sp = get_match_ret(*sp, t-s, l, fl, replstr, repllist);
 		    return 1;
 		}
 		if (*t == Meta)
@@ -2326,7 +2323,7 @@
 	    /* Smallest at start, but matching substrings. */
 	    set_pat_start(p, l);
 	    if (!(fl & SUB_GLOBAL) && pattry(p, s + l) && !--n) {
-		*sp = get_match_ret(*sp, 0, 0, fl, replstr);
+		*sp = get_match_ret(*sp, 0, 0, fl, replstr, repllist);
 		return 1;
 	    } /* fall through */
 	case (SUB_SUBSTR|SUB_LONG):
@@ -2357,7 +2354,8 @@
 			    }
 			}
 			if (!--n || (n <= 0 && (fl & SUB_GLOBAL))) {
-			    *sp = get_match_ret(*sp, t-s, mpos-s, fl, replstr);
+			    *sp = get_match_ret(*sp, t-s, mpos-s, fl,
+						replstr, repllist);
 			    if (mpos == t)
 				METAINC(mpos);
 			}
@@ -2396,7 +2394,7 @@
 	    set_pat_start(p, l);
 	    if ((fl & (SUB_LONG|SUB_GLOBAL)) == SUB_LONG &&
 		pattry(p, s + l) && !--n) {
-		*sp = get_match_ret(*sp, 0, 0, fl, replstr);
+		*sp = get_match_ret(*sp, 0, 0, fl, replstr, repllist);
 		return 1;
 	    }
 	    break;
@@ -2407,7 +2405,7 @@
 	    if (!(fl & SUB_LONG)) {
 		set_pat_start(p, l);
 		if (pattrylen(p, s + l, 0, 0, uml) && !--n) {
-		    *sp = get_match_ret(*sp, l, l, fl, replstr);
+		    *sp = get_match_ret(*sp, l, l, fl, replstr, repllist);
 		    return 1;
 		}
 	    }
@@ -2431,13 +2429,14 @@
 			    }
 			}
 		    }
-		    *sp = get_match_ret(*sp, t-s, mpos-s, fl, replstr);
+		    *sp = get_match_ret(*sp, t-s, mpos-s, fl,
+					replstr, repllist);
 		    return 1;
 		}
 	    }
 	    set_pat_start(p, l);
 	    if ((fl & SUB_LONG) && pattrylen(p, s + l, 0, 0, uml) && !--n) {
-		*sp = get_match_ret(*sp, l, l, fl, replstr);
+		*sp = get_match_ret(*sp, l, l, fl, replstr, repllist);
 		return 1;
 	    }
 	    break;
@@ -2478,7 +2477,7 @@
     }
 
     /* munge the whole string: no match, so no replstr */
-    *sp = get_match_ret(*sp, 0, 0, fl, 0);
+    *sp = get_match_ret(*sp, 0, 0, fl, 0, 0);
     return 1;
 }
 
Index: Test/D04parameter.ztst
===================================================================
RCS file: /cvsroot/zsh/zsh/Test/D04parameter.ztst,v
retrieving revision 1.10
diff -u -r1.10 D04parameter.ztst
--- Test/D04parameter.ztst	26 Apr 2005 09:51:30 -0000	1.10
+++ Test/D04parameter.ztst	17 Aug 2005 23:33:03 -0000
@@ -604,3 +604,11 @@
   print "${${foo}/?*/replacement}"
 0:Quoted zero-length strings are handled properly
 >
+
+  file=aleftkept
+  print ${file//(#b)(*)left/${match/a/andsome}}
+  print ${file//(#b)(*)left/${match//a/andsome}}
+0:Substitutions where $match is itself substituted in the replacement
+>andsomekept
+>andsomekept
+
-- 
Peter Stephenson <pws@pwstephenson.fsnet.co.uk>
Work: pws@csr.com
Web: http://www.pwstephenson.fsnet.co.uk

Re: PATCH: Re: zsh 4.2.5 segfaults when substituting on $match

[Mikael Magnusson]

On 8/18/05, Peter Stephenson <pws@pwstephenson.fsnet.co.uk> wrote:
> [I've been away for a couple of days.  For future reference, I am away
> again the second half of next week.]
> 
> Yes, this looks like being a result of one of the zillions of places
> where the code, instead of passing an argument like real programmes do,
> declares a global or static variable and vaguely hopes it will come out
> right in the end.  This one's been around for a long time; it may even
> be my fault.
> 
> To other zsh programmers: *Please* don't.
> 
> Index: Src/glob.c

This commit introduces a crash for me when i do 'export <tab>',
reverting to 1.44 fixes the crash.
backtrace:

% export <tab>
Program received signal SIGSEGV, Segmentation fault.
0x4758edbc in memcpy () from /lib/tls/libc.so.6
(gdb) bt
#0  0x4758edbc in memcpy () from /lib/tls/libc.so.6
#1  0x0807b593 in igetmatch (sp=0xaff8e2fc, p=0xa7cc2fe8, fl=19, n=1,
replstr=0x0) at glob.c:2473
	nd = 0xa7cc2ffd
	rd = 0xa7cc2fe8
	lleft = -1479880084
	i = 23
	ptr = 0xa7cad26c ""
	start = 0xa7cad258 "vars"
	s = 0xa7cad240 "vars"
	t = 0x0
	ioff = -1479790595
	uml = 4
	matched = 0
	umlen = -1479790595
	repllist = 0xa7cb13b8
#2  0x0807be5a in getmatch (sp=0xaff8e2fc, pat=0x1 <Address 0x1 out of
bounds>, fl=19, n=23,
    replstr=0x0) at glob.c:2161
#3  0x080d26b9 in paramsubst (l=0xaff8e5c0, n=0xaff8e5d0,
str=0xaff8e3b0, qt=1, ssub=4)
    at subst.c:2173
	one = -1342643460
	oef = 0
	haserr = 23
	aptr = 0xa7cad1f9 ""
	c = -105 '\227'
	cc = 0 '\0'
	s = 0xa7cad20f "\217\217:blank:\220\220\204"
	fstr = 0xa7cad21c "\231"
	idbeg = 0xa7cad1fb ""
	idend = 0xa7cad20d "%%\217\217:blank:\220\220\204"
	ostr = 0xa7cad1f8 "\231"
	colf = 19
	isarr = 0
	plan9 = 1
	globsubst = 0
	getlen = 0
	whichlen = 0
	chkset = 0
	vunset = 0
	wantt = 0
	spbreak = 0
	val = 0xa7cad240 "vars"
	aval = (char **) 0x0
	fwidth = 19
	vbuf = {isarr = 137205040, pm = 0x82c12a5, inv = 32, start =
137106085, end = 137106085,
  arr = 0x0}
	v = 0x0
	flags = 0
	flnum = 0
	sortit = 0
	casind = 0
	numord = 0
---Type <return> to continue, or q <return> to quit---
	indord = 0
	unique = 0
	casmod = 0
	quotemod = 0
	quotetype = 0
	quoteerr = 0
	visiblemod = 0
	shsplit = 0
	sep = 0x0
	spsep = 0x0
	premul = 0x80e74a3 " "
	postmul = 0x0
	preone = 0x0
	postone = 0x0
	replstr = 0x0
	prenum = 0
	postnum = 0
	copied = 0
	arrasg = 0
	eval = 0
	aspar = 0
	presc = 0
	nojoin = 0
	inbrace = 1 '\001'
	hkeys = 0 '\0'
	hvals = 0 '\0'
	subexp = -1342643460
#4  0x080d3863 in stringsubst (list=0xaff8e5c0, node=0xaff8e5d0,
ssub=4, asssub=0) at subst.c:137
#5  0x080d3b6b in prefork (list=0xaff8e5c0, flags=6) at subst.c:74
#6  0x0806bb4e in addvars (state=0xaff8e680, pc=0xaff8e5c0, export=0)
at exec.c:1683
#7  0x08072c57 in execlist (state=0xaff8e680, dont_change_job=1,
exiting=0) at exec.c:808
#8  0x0807308a in runshfunc (prog=0x816ecf8, wrap=0x816ecf8,
name=0xa7cb4ec0 "ak:]]#")
    at exec.c:781
#9  0xa7d12dba in comp_wrapper (prog=0x17, w=0x17, name=0x17 <Address
0x17 out of bounds>)
    at complete.c:1326
#10 0x08073482 in doshfunc (name=0x8167780 "_description",
prog=0x816ecf8, doshargs=0xa7cb4ec0,
    flags=270336, noreturnval=0) at exec.c:3823
#11 0x080703e9 in execcmd (state=0xaffb35e0, input=0, output=0, how=2,
last1=2) at exec.c:3534
#12 0x08070e65 in execpline2 (state=0xaffb35e0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#13 0x08071433 in execpline (state=0xaffb35e0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#14 0x08072da3 in execlist (state=0xaffb35e0, dont_change_job=1,
exiting=0) at exec.c:881
#15 0x08099545 in execif (state=0xaffb35e0, do_exec=23) at loop.c:520
#16 0x0806f070 in execcmd (state=0xaffb35e0, input=0, output=0,
how=18, last1=2) at exec.c:2505
#17 0x08070e65 in execpline2 (state=0xaffb35e0, pcode=0, how=18,
input=0, output=0, last1=0)
    at exec.c:1289
#18 0x08071433 in execpline (state=0xaffb35e0, slcode=2815087212,
how=18, last1=0) at exec.c:1075
#19 0x08072da3 in execlist (state=0xaffb35e0, dont_change_job=1,
exiting=0) at exec.c:881
#20 0x0809916f in execwhile (state=0xaffb35e0, do_exec=0) at loop.c:415
#21 0x0806f070 in execcmd (state=0xaffb35e0, input=0, output=0,
how=18, last1=2) at exec.c:2505
#22 0x08070e65 in execpline2 (state=0xaffb35e0, pcode=0, how=18,
input=0, output=0, last1=0)
    at exec.c:1289
#23 0x08071433 in execpline (state=0xaffb35e0, slcode=2815087212,
how=18, last1=0) at exec.c:1075
#24 0x08072da3 in execlist (state=0xaffb35e0, dont_change_job=1,
exiting=0) at exec.c:881
#25 0x08099545 in execif (state=0xaffb35e0, do_exec=23) at loop.c:520
#26 0x0806f070 in execcmd (state=0xaffb35e0, input=0, output=0, how=2,
last1=2) at exec.c:2505
#27 0x08070e65 in execpline2 (state=0xaffb35e0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#28 0x08071433 in execpline (state=0xaffb35e0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#29 0x08072da3 in execlist (state=0xaffb35e0, dont_change_job=1,
exiting=0) at exec.c:881
#30 0x0809916f in execwhile (state=0xaffb35e0, do_exec=0) at loop.c:415
#31 0x0806f070 in execcmd (state=0xaffb35e0, input=0, output=0, how=2,
last1=2) at exec.c:2505
#32 0x08070e65 in execpline2 (state=0xaffb35e0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#33 0x08071433 in execpline (state=0xaffb35e0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#34 0x08072da3 in execlist (state=0xaffb35e0, dont_change_job=1,
exiting=0) at exec.c:881
#35 0x0809916f in execwhile (state=0xaffb35e0, do_exec=0) at loop.c:415
#36 0x0806f070 in execcmd (state=0xaffb35e0, input=0, output=0, how=2,
last1=2) at exec.c:2505
#37 0x08070e65 in execpline2 (state=0xaffb35e0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#38 0x08071433 in execpline (state=0xaffb35e0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#39 0x08072da3 in execlist (state=0xaffb35e0, dont_change_job=1,
exiting=0) at exec.c:881
#40 0x08099545 in execif (state=0xaffb35e0, do_exec=23) at loop.c:520
#41 0x0806f070 in execcmd (state=0xaffb35e0, input=0, output=0,
how=18, last1=2) at exec.c:2505
---Type <return> to continue, or q <return> to quit---
#42 0x08070e65 in execpline2 (state=0xaffb35e0, pcode=0, how=18,
input=0, output=0, last1=0)
    at exec.c:1289
#43 0x08071433 in execpline (state=0xaffb35e0, slcode=2815087212,
how=18, last1=0) at exec.c:1075
#44 0x08072da3 in execlist (state=0xaffb35e0, dont_change_job=1,
exiting=0) at exec.c:881
#45 0x08074e6e in execautofn (state=0x17, do_exec=0) at exec.c:781
#46 0x0806f070 in execcmd (state=0xaffb8a50, input=0, output=0,
how=18, last1=2) at exec.c:2505
#47 0x08070e65 in execpline2 (state=0xaffb8a50, pcode=0, how=18,
input=0, output=0, last1=0)
    at exec.c:1289
#48 0x08071433 in execpline (state=0xaffb8a50, slcode=2815087212,
how=18, last1=0) at exec.c:1075
#49 0x08072da3 in execlist (state=0xaffb8a50, dont_change_job=1,
exiting=0) at exec.c:881
#50 0x0807308a in runshfunc (prog=0x8165b28, wrap=0x8165b28,
name=0xa7cb1d90 "") at exec.c:781
#51 0xa7d12dba in comp_wrapper (prog=0x17, w=0x17, name=0x17 <Address
0x17 out of bounds>)
    at complete.c:1326
#52 0x08073482 in doshfunc (name=0x8165b68 "_arguments",
prog=0x8165b28, doshargs=0xa7cb1d90,
    flags=270848, noreturnval=0) at exec.c:3823
#53 0x080703e9 in execcmd (state=0xaffbe0a0, input=0, output=0, how=2,
last1=2) at exec.c:3534
#54 0x08070e65 in execpline2 (state=0xaffbe0a0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#55 0x08071433 in execpline (state=0xaffbe0a0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#56 0x08072da3 in execlist (state=0xaffbe0a0, dont_change_job=1,
exiting=0) at exec.c:881
#57 0x08074e6e in execautofn (state=0x17, do_exec=0) at exec.c:781
#58 0x0806f070 in execcmd (state=0xaffc3500, input=0, output=0,
how=18, last1=2) at exec.c:2505
#59 0x08070e65 in execpline2 (state=0xaffc3500, pcode=0, how=18,
input=0, output=0, last1=0)
    at exec.c:1289
#60 0x08071433 in execpline (state=0xaffc3500, slcode=2815087212,
how=18, last1=0) at exec.c:1075
#61 0x08072da3 in execlist (state=0xaffc3500, dont_change_job=1,
exiting=0) at exec.c:881
#62 0x0807308a in runshfunc (prog=0x816f440, wrap=0x816f440,
name=0xa7cb7f78 ":lak:]]#")
    at exec.c:781
#63 0xa7d12dba in comp_wrapper (prog=0x17, w=0x17, name=0x17 <Address
0x17 out of bounds>)
    at complete.c:1326
#64 0x08073482 in doshfunc (name=0x816f480 "_typeset", prog=0x816f440,
doshargs=0xa7cb7f78,
    flags=270848, noreturnval=0) at exec.c:3823
#65 0x080703e9 in execcmd (state=0xaffc8b40, input=0, output=0,
how=18, last1=2) at exec.c:3534
#66 0x08070e65 in execpline2 (state=0xaffc8b40, pcode=0, how=18,
input=0, output=0, last1=0)
    at exec.c:1289
#67 0x08071433 in execpline (state=0xaffc8b40, slcode=2815087212,
how=18, last1=0) at exec.c:1075
#68 0x08072da3 in execlist (state=0xaffc8b40, dont_change_job=1,
exiting=0) at exec.c:881
#69 0x08072f9a in execode (p=0xa7cb7ef0, dont_change_job=23,
exiting=23) at exec.c:781
#70 0x080616a9 in bin_eval (nam=0xa7cb7e88 "ars", argv=0x17,
ops=0xaffc8be0, func=14)
    at builtin.c:4343
#71 0x08052fb4 in execbuiltin (args=0xaffc8be0, bn=0x80ed2bc) at builtin.c:439
#72 0x0807054e in execcmd (state=0xaffd34d0, input=0, output=0, how=2,
last1=2) at exec.c:2558
#73 0x08070e65 in execpline2 (state=0xaffd34d0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#74 0x08071433 in execpline (state=0xaffd34d0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#75 0x08072a49 in execlist (state=0xaffd34d0, dont_change_job=1,
exiting=0) at exec.c:793
#76 0x08099545 in execif (state=0xaffd34d0, do_exec=23) at loop.c:520
#77 0x0806f070 in execcmd (state=0xaffd34d0, input=0, output=0, how=2,
last1=2) at exec.c:2505
#78 0x08070e65 in execpline2 (state=0xaffd34d0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#79 0x08071433 in execpline (state=0xaffd34d0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#80 0x08072da3 in execlist (state=0xaffd34d0, dont_change_job=1,
exiting=0) at exec.c:881
#81 0x08074e6e in execautofn (state=0x17, do_exec=0) at exec.c:781
---Type <return> to continue, or q <return> to quit---
#82 0x0806f070 in execcmd (state=0xaffd8930, input=0, output=0,
how=18, last1=2) at exec.c:2505
#83 0x08070e65 in execpline2 (state=0xaffd8930, pcode=0, how=18,
input=0, output=0, last1=0)
    at exec.c:1289
#84 0x08071433 in execpline (state=0xaffd8930, slcode=2815087212,
how=18, last1=0) at exec.c:1075
#85 0x08072da3 in execlist (state=0xaffd8930, dont_change_job=1,
exiting=0) at exec.c:881
#86 0x0807308a in runshfunc (prog=0x8167bd8, wrap=0x8167bd8,
name=0xa7cb7a30 "rs") at exec.c:781
#87 0xa7d12dba in comp_wrapper (prog=0x17, w=0x17, name=0x17 <Address
0x17 out of bounds>)
    at complete.c:1326
#88 0x08073482 in doshfunc (name=0x8167c18 "_dispatch",
prog=0x8167bd8, doshargs=0xa7cb7a30,
    flags=270848, noreturnval=0) at exec.c:3823
#89 0x080703e9 in execcmd (state=0xaffddfa0, input=0, output=0,
how=18, last1=2) at exec.c:3534
#90 0x08070e65 in execpline2 (state=0xaffddfa0, pcode=0, how=18,
input=0, output=0, last1=0)
    at exec.c:1289
#91 0x08071433 in execpline (state=0xaffddfa0, slcode=2815087212,
how=18, last1=0) at exec.c:1075
#92 0x08072da3 in execlist (state=0xaffddfa0, dont_change_job=1,
exiting=0) at exec.c:881
#93 0x0807308a in runshfunc (prog=0x82bc6a8, wrap=0x82bc6a8,
name=0xa7cb7810 "") at exec.c:781
#94 0xa7d12dba in comp_wrapper (prog=0x17, w=0x17, name=0x17 <Address
0x17 out of bounds>)
    at complete.c:1326
#95 0x08073482 in doshfunc (name=0x816c2c0 "_normal", prog=0x82bc6a8,
doshargs=0xa7cb7810,
    flags=270336, noreturnval=0) at exec.c:3823
#96 0x080703e9 in execcmd (state=0xaffe8a40, input=0, output=0, how=2,
last1=2) at exec.c:3534
#97 0x08070e65 in execpline2 (state=0xaffe8a40, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#98 0x08071433 in execpline (state=0xaffe8a40, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#99 0x08072a49 in execlist (state=0xaffe8a40, dont_change_job=1,
exiting=0) at exec.c:793
#100 0x08099545 in execif (state=0xaffe8a40, do_exec=23) at loop.c:520
#101 0x0806f070 in execcmd (state=0xaffe8a40, input=0, output=0,
how=2, last1=2) at exec.c:2505
#102 0x08070e65 in execpline2 (state=0xaffe8a40, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#103 0x08071433 in execpline (state=0xaffe8a40, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#104 0x08072da3 in execlist (state=0xaffe8a40, dont_change_job=1,
exiting=0) at exec.c:881
#105 0x0807308a in runshfunc (prog=0x82bc9c0, wrap=0x82bc9c0,
name=0xa7cb73a0 "rs") at exec.c:781
#106 0xa7d12dba in comp_wrapper (prog=0x17, w=0x17, name=0x17 <Address
0x17 out of bounds>)
    at complete.c:1326
#107 0x08073482 in doshfunc (name=0x8166b88 "_complete",
prog=0x82bc9c0, doshargs=0xa7cb73a0,
    flags=270336, noreturnval=0) at exec.c:3823
#108 0x080703e9 in execcmd (state=0xafffdde0, input=0, output=0,
how=18, last1=2) at exec.c:3534
#109 0x08070e65 in execpline2 (state=0xafffdde0, pcode=0, how=18,
input=0, output=0, last1=0)
    at exec.c:1289
#110 0x08071433 in execpline (state=0xafffdde0, slcode=2815087212,
how=18, last1=0) at exec.c:1075
#111 0x08072da3 in execlist (state=0xafffdde0, dont_change_job=1,
exiting=0) at exec.c:881
#112 0x080994a0 in execif (state=0xafffdde0, do_exec=23) at loop.c:505
#113 0x0806f070 in execcmd (state=0xafffdde0, input=0, output=0,
how=2, last1=2) at exec.c:2505
#114 0x08070e65 in execpline2 (state=0xafffdde0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#115 0x08071433 in execpline (state=0xafffdde0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#116 0x08072da3 in execlist (state=0xafffdde0, dont_change_job=1,
exiting=0) at exec.c:881
#117 0x080985d5 in execfor (state=0xafffdde0, do_exec=0) at loop.c:159
#118 0x0806f070 in execcmd (state=0xafffdde0, input=0, output=0,
how=2, last1=2) at exec.c:2505
#119 0x08070e65 in execpline2 (state=0xafffdde0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#120 0x08071433 in execpline (state=0xafffdde0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#121 0x08072da3 in execlist (state=0xafffdde0, dont_change_job=1,
exiting=0) at exec.c:881
---Type <return> to continue, or q <return> to quit---
#122 0x080985d5 in execfor (state=0xafffdde0, do_exec=0) at loop.c:159
#123 0x0806f070 in execcmd (state=0xafffdde0, input=0, output=0,
how=2, last1=2) at exec.c:2505
#124 0x08070e65 in execpline2 (state=0xafffdde0, pcode=0, how=2,
input=0, output=0, last1=0)
    at exec.c:1289
#125 0x08071433 in execpline (state=0xafffdde0, slcode=2815087212,
how=2, last1=0) at exec.c:1075
#126 0x08072da3 in execlist (state=0xafffdde0, dont_change_job=1,
exiting=0) at exec.c:881
#127 0x0807308a in runshfunc (prog=0x82b4ad8, wrap=0x82b4ad8,
name=0xa7cb5030 "rs") at exec.c:781
#128 0xa7d12dba in comp_wrapper (prog=0x17, w=0x17, name=0x17 <Address
0x17 out of bounds>)
    at complete.c:1326
#129 0x08073482 in doshfunc (name=0x81474b0 "_main_complete",
prog=0x82b4ad8, doshargs=0xa7cb5030,
    flags=0, noreturnval=0) at exec.c:3823
#130 0xa7d1a8f6 in makecomplist (s=0x82b4940 "", incmd=0, lst=23) at
compcore.c:806
#131 0xa7d1b9a8 in do_completion (dummy=0xa7d66e74, dat=0xa7cad26c) at
compcore.c:347
#132 0xa7d58604 in docomplete (lst=0) at zle_tricky.c:1899
#133 0xa7d59bbf in completeword (args=0x17) at zle_tricky.c:232
#134 0xa7d540b9 in completecall (args=0xa7cad26c) at zle_tricky.c:208
#135 0xa7d475c5 in execzlefunc (func=0xa7d64330, args=0xa7d6715c) at
zle_main.c:1063
#136 0xa7d47938 in zlecore () at zle_main.c:838
#137 0xa7d483bd in zleread (lp=0x8101b70, rp=0x0, flags=23,
context=23) at zle_main.c:992
#138 0x0808a0b4 in inputline () at input.c:278
#139 0x0808a6fa in ingetc () at input.c:214
#140 0x08080c27 in ihgetc () at hist.c:240
#141 0x080960d6 in gettok () at lex.c:628
#142 0x08097d96 in yylex () at lex.c:344
#143 0x080b9e5a in parse_event () at parse.c:451
#144 0x08086f4a in loop (toplevel=1, justonce=0) at init.c:128
#145 0x08089c64 in zsh_main (argc=1, argv=0xafffebb4) at init.c:1315
#146 0x0805292e in main (argc=23, argv=0x17) at main.c:93


-- 
Mikael Magnusson

Re: PATCH: Re: zsh 4.2.5 segfaults when substituting on $match

[Peter Stephenson]

Mikael Magnusson <mikachu@gmail.com> wrote:
> > Index: Src/glob.c
> 
> This commit introduces a crash for me when i do 'export <tab>',
> reverting to 1.44 fixes the crash.

Sorry, that was plain stupidity.  The intention was to replace the file
static variable with an automatic, not a function static.

Index: Src/glob.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/glob.c,v
retrieving revision 1.45
diff -u -r1.45 glob.c
--- Src/glob.c	17 Aug 2005 23:45:32 -0000	1.45
+++ Src/glob.c	18 Aug 2005 10:04:15 -0000
@@ -2228,7 +2228,7 @@
      * ${...//#foo/bar} even though SUB_GLOBAL is set, since the match
      * is anchored.  It goes on the heap.
      */
-    static LinkList repllist = NULL;
+    LinkList repllist = NULL;
 
     /* perform must-match test for complex closures */
     if (p->mustoff)


-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

**********************************************************************