From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-workers-return-27213-mason-zsh=primenet.com.au@sunsite.dk>
Received: (qmail 9320 invoked from network); 9 Aug 2009 18:47:43 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on f.primenet.com.au
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham
	version=3.2.5
Received: from new-brage.dotsrc.org (HELO a.mx.sunsite.dk) (130.225.254.104)
  by ns1.primenet.com.au with SMTP; 9 Aug 2009 18:47:43 -0000
Received-SPF: none (ns1.primenet.com.au: domain at sunsite.dk does not designate permitted sender hosts)
Received: (qmail 84135 invoked from network); 9 Aug 2009 18:47:36 -0000
Received: from sunsite.dk (130.225.247.90)
  by a.mx.sunsite.dk with SMTP; 9 Aug 2009 18:47:36 -0000
Received: (qmail 3741 invoked by alias); 9 Aug 2009 18:47:30 -0000
Mailing-List: contact zsh-workers-help@sunsite.dk; run by ezmlm
Precedence: bulk
X-No-Archive: yes
X-Seq: 27213
Received: (qmail 3715 invoked from network); 9 Aug 2009 18:47:29 -0000
Received: from bifrost.dotsrc.org (130.225.254.106)
  by sunsite.dk with SMTP; 9 Aug 2009 18:47:29 -0000
Received: from cork.scru.org (cork.scru.org [209.20.67.2])
	by bifrost.dotsrc.org (Postfix) with ESMTPS id EDB81805D0A1
	for <zsh-workers@sunsite.dk>; Sun,  9 Aug 2009 20:47:24 +0200 (CEST)
Received: by cork.scru.org (Postfix, from userid 1000)
	id 29D51104154; Sun,  9 Aug 2009 18:47:22 +0000 (UTC)
Date: Sun, 9 Aug 2009 18:47:21 +0000
From: Clint Adams <schizo@debian.org>
To: Alec Berryman <aberryman@itasoftware.com>, 535232@bugs.debian.org
Cc: zsh-workers@sunsite.dk
Subject: Re: Bug#535232: zsh: segfaults while trying to free in hend
Message-ID: <20090809184721.GA10870@scru.org>
Mail-Followup-To: Alec Berryman <aberryman@itasoftware.com>,
	535232@bugs.debian.org, zsh-workers@sunsite.dk
References: <20090630222133.8940.9856.reportbug@deng-aberr.internal.itasoftware.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <20090630222133.8940.9856.reportbug@deng-aberr.internal.itasoftware.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
X-Virus-Scanned: ClamAV 0.94.2/9668/Fri Aug  7 23:36:10 2009 on bifrost
X-Virus-Status: Clean

On Tue, Jun 30, 2009 at 06:21:33PM -0400, Alec Berryman wrote:
> Recently (one or two weeks, probably when I upgraded to the current versi=
on of
> zsh), I've been seeing intermittent segfaults - I'll run a command like l=
ess or
> cd and my terminal will die on me.  I've never seen it happen in a long-r=
unning
> shell; if it makes it through the first few commands, everything works.
>=20
> I got the attached backtrace.

Thanks.

> (run as 'MALLOC_CHECK_=3D2 gdb /bin/zsh4' with zsh 4.3.10-2)
>=20
>=20
> Script started on Tue 30 Jun 2009 05:41:18 PM EDT
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.h=
tml>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu"...
> (gdb) run
> Starting program: /bin/zsh4=20
> /home/aberryman/dotfiles/bash/interactive-shell:bindkey:281: warning: `bi=
ndkey -m' disables multibyte support
> =1B]2;deng-aberr:  /home/aberryman=07=1B]1;deng-aberr=07/etc/zsh/zshrc:un=
alias:42: no such hash table element: run-help
> =1B]2;deng-aberr:  /home/aberryman=07=1B]1;deng-aberr=07=1B[1m=1B[7m%=1B[=
27m=1B[1m=1B[0m                                                            =
                                                                      =20
>=20
> =1B[0m=1B[27m=1B[24m=1B[J=1B[1m[~] deng-aberr|=1B[0m =1B[Kq=08qpx gt0
> [... some stuff censored, command just sets up some environment variables=
 ...]
> /home/aberryman/dotfiles/bash/interactive-shell:bindkey:281: warning: `bi=
ndkey -m' disables multibyte support
> =1B]2;[QPX:gt0]  deng-aberr:  /home/aberryman=07=1B]1;deng-aberr=07=1B[1m=
=1B[7m%=1B[27m=1B[1m=1B[0m                                                 =
                                                                           =
      =20
>=20
> =1B[0m=1B[27m=1B[24m=1B[J=1B[1m[~] deng-aberr|=1B[0m =1B[Kc=08cd $Q
>=20
> Program received signal SIGABRT, Aborted.
> 0x00002ad0ef999065 in *__GI_raise (sig=3D<value optimized out>) at ../npt=
l/sysdeps/unix/sysv/linux/raise.c:64
> 64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> 	in ../nptl/sysdeps/unix/sysv/linux/raise.c
> (gdb) backtrace full
> #0  0x00002ad0ef999065 in *__GI_raise (sig=3D<value optimized out>) at ..=
/nptl/sysdeps/unix/sysv/linux/raise.c:64
> 	pid =3D <value optimized out>
> 	selftid =3D <value optimized out>
> #1  0x00002ad0ef99c153 in *__GI_abort () at abort.c:88
> 	act =3D {__sigaction_handler =3D {sa_handler =3D 0x48f682, sa_sigaction =
=3D 0x48f682}, sa_mask =3D {__val =3D {7022288,=20
>       140736343534660, 4781697, 140736343534576, 4732811, 0, 4594111, 497=
1973988617027653, 4781697, 76, 1, 128, 4585798,=20
>       140736343534660, 4736491, 4781791}}, sa_flags =3D 4415891, sa_resto=
rer =3D 0x7fffbbc36ce0}
> 	sigs =3D {__val =3D {32, 0 <repeats 15 times>}}
> #2  0x00002ad0ef9d9140 in malloc_printerr (action=3D2, str=3D0x2ad0efa814=
cd "free(): invalid pointer", ptr=3D0x806) at malloc.c:5999
> No locals.
> #3  0x000000000043b90c in hend (prog=3D0x0) at ../../Src/hist.c:1271
> 	hookargs =3D <value optimized out>
> 	flag =3D 8
> 	save =3D 0
> 	hookret =3D 0
> 	stack_pos =3D 0
> 	hf =3D 0xd17440 "/home/aberryman/.history"
> #4  0x0000000000440e8e in loop (toplevel=3D1, justonce=3D0) at ../../Src/=
init.c:150
> 	prog =3D (Eprog) 0x2ad0eefdb700
> #5  0x0000000000441d56 in zsh_main (argc=3D<value optimized out>, argv=3D=
<value optimized out>) at ../../Src/init.c:1409
> 	t =3D <value optimized out>
> #6  0x00002ad0ef9855a6 in __libc_start_main (main=3D0x40fbc0 <main>, argc=
=3D1, ubp_av=3D0x7fffbbc37028, init=3D0x48d250 <__libc_csu_init>,=20
>     fini=3D<value optimized out>, rtld_fini=3D<value optimized out>, stac=
k_end=3D0x7fffbbc37018) at libc-start.c:222
> 	result =3D <value optimized out>
> 	unwind_buf =3D {cancel_jmp_buf =3D {{jmp_buf =3D {4772432, -847412303868=
5510702, 4258512, 140736343535648, 0, 0,=20
>         8474273082816742354, -2322728423309425710}, mask_was_saved =3D 0}=
}, priv =3D {pad =3D {0x0, 0x0, 0x1, 0x40fbc0}, data =3D {
>       prev =3D 0x0, cleanup =3D 0x0, canceltype =3D 1}}}
> 	not_first_call =3D <value optimized out>
> #7  0x000000000040faf9 in _start () at ../sysdeps/x86_64/elf/start.S:113
> No locals.
> (gdb) frame 3
> #3  0x000000000043b90c in hend (prog=3D0x0) at ../../Src/hist.c:1271
> 1271	../../Src/hist.c: No such file or directory.
> 	in ../../Src/hist.c
> (gdb) info locals
> hookargs =3D <value optimized out>
> flag =3D 8
> save =3D 0
> hookret =3D 0
> stack_pos =3D 0
> hf =3D 0xd17440 "/home/aberryman/.history"
> (gdb) print chwords
> $1 =3D (short int *) 0xd20b50
> (gdb) print chwords
> $2 =3D 0
> (gdb) print chline
> $3 =3D 0xd49c50 ""
> (gdb) print chwordlen
> $4 =3D 64
> (gdb) print chwords[64]
> $5 =3D 144
> (gdb) print *chwords[65]
> $6 =3D 0
> (gdb) print chline
> $7 =3D 0xd49c50 ""
> (gdb) print hlinesz
> $8 =3D 64
> (gdb) print chline[hlinesz]
> $9 =3D 10 '\n'
> (gdb) print chline[hlinesz+1]
> $10 =3D 0 '\0'
> (gdb) quit
> The program is running.  Exit anyway? (y or n) y
>=20
>=20
> hist.c:1271 is a zfree on chwords, but that array still exists, as does t=
he one freed in the previous line, chline