Re: Bug#535232: zsh: segfaults while trying to free in hend

[Clint Adams <schizo@debian.org>]

On Tue, Jun 30, 2009 at 06:21:33PM -0400, Alec Berryman wrote:
> Recently (one or two weeks, probably when I upgraded to the current version of
> zsh), I've been seeing intermittent segfaults - I'll run a command like less or
> cd and my terminal will die on me.  I've never seen it happen in a long-running
> shell; if it makes it through the first few commands, everything works.
> 
> I got the attached backtrace.

Thanks.

> (run as 'MALLOC_CHECK_=2 gdb /bin/zsh4' with zsh 4.3.10-2)
> 
> 
> Script started on Tue 30 Jun 2009 05:41:18 PM EDT
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu"...
> (gdb) run
> Starting program: /bin/zsh4 
> /home/aberryman/dotfiles/bash/interactive-shell:bindkey:281: warning: `bindkey -m' disables multibyte support
> ^[]2;deng-aberr:  /home/aberryman\a^[]1;deng-aberr\a/etc/zsh/zshrc:unalias:42: no such hash table element: run-help
> ^[]2;deng-aberr:  /home/aberryman\a^[]1;deng-aberr\a^[[1m^[[7m%^[[27m^[[1m^[[0m                                                                                                                                   
> 
> ^[[0m^[[27m^[[24m^[[J^[[1m[~] deng-aberr|^[[0m ^[[Kq\bqpx gt0
> [... some stuff censored, command just sets up some environment variables ...]
> /home/aberryman/dotfiles/bash/interactive-shell:bindkey:281: warning: `bindkey -m' disables multibyte support
> ^[]2;[QPX:gt0]  deng-aberr:  /home/aberryman\a^[]1;deng-aberr\a^[[1m^[[7m%^[[27m^[[1m^[[0m                                                                                                                                   
> 
> ^[[0m^[[27m^[[24m^[[J^[[1m[~] deng-aberr|^[[0m ^[[Kc\bcd $Q
> 
> Program received signal SIGABRT, Aborted.
> 0x00002ad0ef999065 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> 64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> 	in ../nptl/sysdeps/unix/sysv/linux/raise.c
> (gdb) backtrace full
> #0  0x00002ad0ef999065 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> 	pid = <value optimized out>
> 	selftid = <value optimized out>
> #1  0x00002ad0ef99c153 in *__GI_abort () at abort.c:88
> 	act = {__sigaction_handler = {sa_handler = 0x48f682, sa_sigaction = 0x48f682}, sa_mask = {__val = {7022288, 
>       140736343534660, 4781697, 140736343534576, 4732811, 0, 4594111, 4971973988617027653, 4781697, 76, 1, 128, 4585798, 
>       140736343534660, 4736491, 4781791}}, sa_flags = 4415891, sa_restorer = 0x7fffbbc36ce0}
> 	sigs = {__val = {32, 0 <repeats 15 times>}}
> #2  0x00002ad0ef9d9140 in malloc_printerr (action=2, str=0x2ad0efa814cd "free(): invalid pointer", ptr=0x806) at malloc.c:5999
> No locals.
> #3  0x000000000043b90c in hend (prog=0x0) at ../../Src/hist.c:1271
> 	hookargs = <value optimized out>
> 	flag = 8
> 	save = 0
> 	hookret = 0
> 	stack_pos = 0
> 	hf = 0xd17440 "/home/aberryman/.history"
> #4  0x0000000000440e8e in loop (toplevel=1, justonce=0) at ../../Src/init.c:150
> 	prog = (Eprog) 0x2ad0eefdb700
> #5  0x0000000000441d56 in zsh_main (argc=<value optimized out>, argv=<value optimized out>) at ../../Src/init.c:1409
> 	t = <value optimized out>
> #6  0x00002ad0ef9855a6 in __libc_start_main (main=0x40fbc0 <main>, argc=1, ubp_av=0x7fffbbc37028, init=0x48d250 <__libc_csu_init>, 
>     fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fffbbc37018) at libc-start.c:222
> 	result = <value optimized out>
> 	unwind_buf = {cancel_jmp_buf = {{jmp_buf = {4772432, -8474123038685510702, 4258512, 140736343535648, 0, 0, 
>         8474273082816742354, -2322728423309425710}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x1, 0x40fbc0}, data = {
>       prev = 0x0, cleanup = 0x0, canceltype = 1}}}
> 	not_first_call = <value optimized out>
> #7  0x000000000040faf9 in _start () at ../sysdeps/x86_64/elf/start.S:113
> No locals.
> (gdb) frame 3
> #3  0x000000000043b90c in hend (prog=0x0) at ../../Src/hist.c:1271
> 1271	../../Src/hist.c: No such file or directory.
> 	in ../../Src/hist.c
> (gdb) info locals
> hookargs = <value optimized out>
> flag = 8
> save = 0
> hookret = 0
> stack_pos = 0
> hf = 0xd17440 "/home/aberryman/.history"
> (gdb) print chwords
> $1 = (short int *) 0xd20b50
> (gdb) print chwords
> $2 = 0
> (gdb) print chline
> $3 = 0xd49c50 ""
> (gdb) print chwordlen
> $4 = 64
> (gdb) print chwords[64]
> $5 = 144
> (gdb) print *chwords[65]
> $6 = 0
> (gdb) print chline
> $7 = 0xd49c50 ""
> (gdb) print hlinesz
> $8 = 64
> (gdb) print chline[hlinesz]
> $9 = 10 '\n'
> (gdb) print chline[hlinesz+1]
> $10 = 0 '\0'
> (gdb) quit
> The program is running.  Exit anyway? (y or n) y
> 
> 
> hist.c:1271 is a zfree on chwords, but that array still exists, as does the one freed in the previous line, chline