zsh-workers
* Segmentation fault while searching backward
@ 2007-12-19  0:59 Jörg Sommer
  2007-12-19  9:55 ` Peter Stephenson
  2008-01-08 15:02 ` Peter Stephenson
  0 siblings, 2 replies; 5+ messages in thread
From: Jörg Sommer @ 2007-12-19  0:59 UTC (permalink / raw)
  To: zsh-workers

Hi,

when I search backward through the history with ^R I get a segmentation
fault:

% zsh --version
zsh 4.3.4-dev-4 (powerpc-unknown-linux-gnu)
% gdb =zsh core
(gdb) bt
#0  zwcwrite (s=0x101c2784, i=4294967293) at ../../../Src/Zle/zle_refresh.c:204
#1  0x0fbd0d68 in refreshline (ln=0) at ../../../Src/Zle/zle_refresh.c:1124
#2  0x0fbd1c38 in zrefresh () at ../../../Src/Zle/zle_refresh.c:847
#3  0x0fbbfd64 in doisearch (args=<value optimized out>, dir=-1)
    at ../../../Src/Zle/zle_hist.c:1000
#4  0x0fbc04a4 in historyincrementalsearchbackward (args=<value optimized out>)
    at ../../../Src/Zle/zle_hist.c:809
#5  0x0fbc640c in execzlefunc (func=0xfbfae6c, args=0xfbfd9cc, 
    set_bindk=<value optimized out>) at ../../../Src/Zle/zle_main.c:1261
#6  0x0fbc694c in zlecore () at ../../../Src/Zle/zle_main.c:1019
#7  0x0fbc7050 in zleread (lp=<value optimized out>, rp=<value optimized out>, 
    flags=<value optimized out>, context=<value optimized out>)
    at ../../../Src/Zle/zle_main.c:1174
#8  0x1003c150 in ingetc ()
#9  0x10036d50 in ?? ()
#10 0x100447dc in yylex ()
#11 0x10065318 in parse_event ()
#12 0x1003a590 in loop ()
#13 0x1003b314 in zsh_main ()
#14 0x1000dc10 in main ()

And I can reproduce it with
% zsh-beta --version
zsh 4.3.4-dev-4 (powerpc-unknown-linux-gnu)

Bye, Jörg.
-- 
I consider him a scoundrel and what he says wrong,
but I am prepared to stake my life so that
he may voice his opinion.		(Voltaire)



* Re: Segmentation fault while searching backward
  2007-12-19  0:59 Segmentation fault while searching backward Jörg Sommer
@ 2007-12-19  9:55 ` Peter Stephenson
  2007-12-19 22:32   ` Jörg Sommer
  2008-01-08 15:02 ` Peter Stephenson
  1 sibling, 1 reply; 5+ messages in thread
From: Peter Stephenson @ 2007-12-19  9:55 UTC (permalink / raw)
  To: zsh-workers

On Wed, 19 Dec 2007 00:59:34 +0000 (UTC)
Jörg Sommer <joerg@alea.gnuu.de> wrote:
> when I search backward through the history with ^R I get a segmentation
> fault:

Unfortunately we're going to need more detail than that to reproduce it.
The crash is because of a large value passed down to zwcwrite().  We're
likely to need to know what line was on screen before (the contents of
the array pointed to by ol in stack level 1 and its length ollen) and
what it's trying to put on screen (the contents of the array nl and its
length nllen).  Note the arrays will be wide character strings.  If it's
reproducible with these two lines we have a chance of fixing it.

-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070



* Re: Segmentation fault while searching backward
  2007-12-19  9:55 ` Peter Stephenson
@ 2007-12-19 22:32   ` Jörg Sommer
  2007-12-20 10:04     ` Peter Stephenson
  0 siblings, 1 reply; 5+ messages in thread
From: Jörg Sommer @ 2007-12-19 22:32 UTC (permalink / raw)
  To: zsh-workers

Hello Peter,

Peter Stephenson <pws@csr.com> wrote:
> On Wed, 19 Dec 2007 00:59:34 +0000 (UTC)
> Jörg Sommer <joerg@alea.gnuu.de> wrote:
>> when I search backward through the history with ^R I get a segmentation
>> fault:
>
> Unfortunately we're going to need more detail than that to reproduce it.
> The crash is because of a large value passed down to zwcwrite().  We're
> likely to need to know what line was on screen before (the contents of
> the array pointed to by ol in stack level 1 and its length ollen)

(gdb) up
#1  0x0fbd0d68 in refreshline (ln=0) at ../../../Src/Zle/zle_refresh.c:1124
1124    in ../../../Src/Zle/zle_refresh.c
(gdb) print ol
$1 = (REFRESH_STRING) 0x101c31a0
(gdb) print *ol
$2 = 0
(gdb) print ollen
$3 = 6

(gdb) x/16cb ol
0x101c31a0:     0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  108 'l'
0x101c31a8:     0 '\0'  0 '\0'  0 '\0'  101 'e' 0 '\0'  0 '\0'  0 '\0'  110 'n'

> and what it's trying to put on screen (the contents of the array nl and
> its length nllen).

(gdb) print nl
$6 = (REFRESH_STRING) 0x101c2784
(gdb) print *nl
$7 = 62
(gdb) print nllen
$8 = 16

(gdb) x/24cb nl
0x101c2784:     0 '\0'  0 '\0'  0 '\0'  62 '>'  0 '\0'  0 '\0'  0 '\0'  46 '.'
0x101c278c:     0 '\0'  0 '\0'  0 '\0'  46 '.'  0 '\0'  0 '\0'  0 '\0'  46 '.'
0x101c2794:     0 '\0'  0 '\0'  0 '\0'  46 '.'  0 '\0'  0 '\0'  0 '\0'  32 ' '

> Note the arrays will be wide character strings.  If it's reproducible
> with these two lines we have a chance of fixing it.

I can send you the core file (the executables and debugging symbols are
from Debian) and the broken history file. It's reproducible.

Bye, Jörg.
-- 
Stasi 2.0 – http://www.dataloo.de/stasi-20-525.html



* Re: Segmentation fault while searching backward
  2007-12-19 22:32   ` Jörg Sommer
@ 2007-12-20 10:04     ` Peter Stephenson
  0 siblings, 0 replies; 5+ messages in thread
From: Peter Stephenson @ 2007-12-20 10:04 UTC (permalink / raw)
  To: Jörg Sommer, zsh-workers

Jörg Sommer wrote:
> (gdb) print ollen
> $3 = 6
> 
> (gdb) x/16cb ol
> 0x101c31a0:     0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  0 '\0'  108 'l'
> 0x101c31a8:     0 '\0'  0 '\0'  0 '\0'  101 'e' 0 '\0'  0 '\0'  0 '\0'  110 'n'

Thanks for the extra info... I think there is an extra line here (to
make six characters of four bytes each) but I'm already a bit worried
because the first character appears to be a NULL which should make the
length zero.

> > and what it's trying to put on screen (the contents of the array nl and
> > its length nllen).
> 
> (gdb) print nl
> $6 = (REFRESH_STRING) 0x101c2784
> (gdb) print *nl
> $7 = 62
> (gdb) print nllen
> $8 = 16
> 
> (gdb) x/24cb nl
> 0x101c2784:     0 '\0'  0 '\0'  0 '\0'  62 '>'  0 '\0'  0 '\0'  0 '\0'  46 '.'
> 0x101c278c:     0 '\0'  0 '\0'  0 '\0'  46 '.'  0 '\0'  0 '\0'  0 '\0'  46 '.'
> 0x101c2794:     0 '\0'  0 '\0'  0 '\0'  46 '.'  0 '\0'  0 '\0'  0 '\0'  32 ' '

... and also an extra five lines here (making 64 bytes)

> > Note the arrays will be wide character strings.  If it's reproducible
> > with these two lines we have a chance of fixing it.
> 
> I can send you the core file (the executables and debugging symbols are
> from Debian) and the broken history file. It's reproducible.

With a bit of luck the history file will tell me enough: it will need
to be synced with the internal history; if you use incappendhistory or
sharehistory it automatically will be.  If it's OK it would be good to get
that (you can send it to me directly).  What are you typing after ^R to
get this to happen?

It would be preferable to sort this out before making a release, if
possible, and I'm on holiday for two weeks from tomorrow, so it might be
best if I make another dev release (incorporating the Solaris fixes)
today.

pws



* Re: Segmentation fault while searching backward
  2007-12-19  0:59 Segmentation fault while searching backward Jörg Sommer
  2007-12-19  9:55 ` Peter Stephenson
@ 2008-01-08 15:02 ` Peter Stephenson
  1 sibling, 0 replies; 5+ messages in thread
From: Peter Stephenson @ 2008-01-08 15:02 UTC (permalink / raw)
  To: Zsh Hackers' List

On Wed, 19 Dec 2007 00:59:34 +0000 (UTC)
Jörg Sommer <joerg@alea.gnuu.de> wrote:
> when I search backward through the history with ^R I get a segmentation
> fault:

Jörg sent me his history and I can get it to crash, although not quite as
straightforwardly (it needed some scrolling).  The crash I was getting was
in a large chunk of history that needed scrolling to handle.  I think the
fix for that crash is the following depressingly simple change.  (The
second hunk is to be safer in future while still reporting problems when
debugging.)  It's not absolutely certain it's the same problem, but I think
there's a pretty good chance.

I'll make another test build at some point.

Index: Src/Zle/zle_refresh.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/Zle/zle_refresh.c,v
retrieving revision 1.51
diff -u -r1.51 zle_refresh.c
--- Src/Zle/zle_refresh.c	5 Jan 2008 13:12:56 -0000	1.51
+++ Src/Zle/zle_refresh.c	8 Jan 2008 14:56:53 -0000
@@ -797,7 +797,7 @@
 		(int)ZR_strlen(nbuf[0]) + rpromptw < winw - 1;
     } else {
 /* insert >.... on first line if there is more text before start of screen */
-	memset(nbuf[0], ZWC(' '), lpromptw);
+	ZR_memset(nbuf[0], ZWC(' '), lpromptw);
 	t0 = winw - lpromptw;
 	t0 = t0 > 5 ? 5 : t0;
 	ZR_memcpy(nbuf[0] + lpromptw, ZWS(">...."), t0);
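Review bot: the replaced call `memset(nbuf[0], ZWC(' '), lpromptw)` counted bytes and stored (unsigned char)ZWC(' ') into each byte, while nbuf[0] is a wide-character buffer and the `ZR_memcpy(nbuf[0] + lpromptw, ZWS(">...."), t0)` directly below already counts wide characters, so the padding was both too short and filled with the wrong cell values; switching to ZR_memset is the right fix. It would be worth grepping zle_refresh.c for any other raw memset/memcpy/strlen on REFRESH_STRING buffers, since mixing byte-oriented and wide-character helpers on the same buffer is exactly what went wrong here.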
@@ -1133,6 +1133,15 @@
 	    if (!*ol) {
 		i = (col_cleareol >= 0) ? col_cleareol : nllen;
 		i -= vcs;
+		if (i < 0) {
+		    /*
+		     * This shouldn't be necessary, but it's better
+		     * than a crash if there's a bug somewhere else,
+		     * so report in debug mode.
+		     */
+		    DPUTS(1, "BUG: badly calculated old line width in refresh");
+		    i = 0;
+		}
 		zwrite(nl, i);
 		vcs += i;
 		if (col_cleareol >= 0)
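Review bot: the guard before `zwrite(nl, i)` correctly stops a negative `i` from being handed on (the backtrace shows it arriving in zwcwrite() as i=4294967293, i.e. -3 reinterpreted as unsigned) and, because `vcs += i;` follows, clamping to 0 also keeps the cursor column bookkeeping consistent. Two small points: `DPUTS(1, ...)` only reports in debug builds, so in release builds the miscalculation is silently masked and the fix should be confirmed against Jörg's history file rather than relied on as the fix; and the message says "old line width" while the value checked is `nllen` (or `col_cleareol`) minus `vcs`, i.e. the new line's remaining width, so the wording could be made to match.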


-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070
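As an added illustration (not code from the thread or from zsh itself), a small C program that contrasts the byte-counting memset of the first hunk with a wide-character fill, and applies the second hunk's clamp to the negative width seen in the backtrace; libc's wmemset stands in for zsh's ZR_memset, and the numbers are the ones quoted in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* How many of the first n cells of buf hold the wide character c. */
static size_t count_filled(const wchar_t *buf, size_t n, wchar_t c) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == c) k++;
    return k;
}

/* The pre-fix pattern: memset() takes a BYTE count and stores
 * (unsigned char)c into each byte, so only the first n bytes of the
 * wide buffer are touched and no cell reads back as L' '.  Returns the
 * number of cells that are correct (expected 0 for n = 6, the ollen
 * quoted in the thread). */
size_t cells_ok_after_memset(size_t n, wchar_t c) {
    wchar_t buf[64] = {0};
    if (n > 64) n = 64;
    memset(buf, (int)c, n);
    return count_filled(buf, n, c);
}

/* The fixed pattern: wmemset() (the libc analogue of ZR_memset) counts
 * wide characters, so all n cells hold c. */
size_t cells_ok_after_wmemset(size_t n, wchar_t c) {
    wchar_t buf[64] = {0};
    if (n > 64) n = 64;
    wmemset(buf, c, n);
    return count_filled(buf, n, c);
}

/* Mirrors the second hunk: characters of the new line still to emit
 * from cursor column vcs.  A negative result means an upstream
 * bookkeeping error; clamp it to 0 instead of passing it to a writer
 * that takes an unsigned count (the backtrace's i=4294967293 is -3
 * reinterpreted that way). */
size_t remaining_width(int col_cleareol, int nllen, int vcs) {
    int i = (col_cleareol >= 0) ? col_cleareol : nllen;
    i -= vcs;
    if (i < 0) {
        fputs("BUG: badly calculated old line width in refresh\n", stderr);
        i = 0;
    }
    return (size_t)i;
}

int main(void) {
    printf("memset:  %zu/6 cells correct\n", cells_ok_after_memset(6, L' '));
    printf("wmemset: %zu/6 cells correct\n", cells_ok_after_wmemset(6, L' '));
    printf("width:   %zu (clamped from -3)\n", remaining_width(-1, 16, 19));
    return 0;
}
```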


