* Zsh parser segmentation fault in strcatsub
@ 2017-05-15 21:30 Eduardo Bustamante
2017-05-16 0:48 ` Bart Schaefer
0 siblings, 1 reply; 8+ messages in thread
From: Eduardo Bustamante @ 2017-05-15 21:30 UTC (permalink / raw)
To: zsh-workers; +Cc: Eduardo A. Bustamante López
[-- Attachment #1: Type: text/plain, Size: 5044 bytes --]
dualbus@debian:~/bash-fuzzing/zsh-parser$ base64 strcatsub
JCQwMDAwJHsoZTB6KV5ZLTAwMCR7KHopXlktMDA+AAoKCgp7MDAwMDAwfTB9MAowMH0keyUwMDAw
MDAwMDAwADAwMDAwMDAwMDAwMDAwADAwMDAwMDAwMDAwMDAwMDCKMDAwMDAwljAwlTAwMDCWlo0w
MDAwMDAwJHsoZnpmTGwwMjAwb05OgD8+JjmioqKioqIvL6KAPzBCMG1wcjAyMDAloo6iopeiT40p
M29OMGlPMCljMDAwJTAwMDAwMDAwMDAwMH2hMACHMDAwMDAwljAwh4cwMDAwMDAAMDAwMDAwMJYw
MId9MDA=
Core was generated by `/home/dualbus/src/zsh/zsh/Src/zsh -nv strcatsub'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strcpy_sse2_unaligned () at
../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:235
235 ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such
file or directory.
(gdb) bt
#0 __strcpy_sse2_unaligned () at
../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:235
#1 0x00000000004c12ab in strcatsub (d=0x7fff6a5f47b8,
pb=0x7fa742ad6bed
"0\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl0200000"...,
pe=0x7fa742ad6c38
"0\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060"...,
src=0x7fa742ac7128 "69000000\205\217%0000000000\203 ", '0'
<repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
000000"..., l=224,
s=0x7fa742ad6c93
"\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl02"...,
glbsub=0, copied=1) at subst.c:738
#2 0x00000000004bf1ad in paramsubst (l=0x7fff6a5f53b0,
n=0x7fff6a5f5398, str=0x7fff6a5f4d70, qt=0, pf_flags=4,
ret_flags=0x7fff6a5f534c) at subst.c:4031
#3 0x00000000004b5083 in stringsubst (list=0x7fff6a5f53b0,
node=0x7fff6a5f5398, pf_flags=4, ret_flags=0x7fff6a5f534c, asssub=0)
at subst.c:247
#4 0x00000000004b4435 in prefork (list=0x7fff6a5f53b0, flags=4,
ret_flags=0x7fff6a5f534c) at subst.c:85
#5 0x00000000004b5abc in singsub (s=0x7fff6a5f5c08) at subst.c:430
#6 0x00000000004bb85b in paramsubst (l=0x7fff6a5f6390,
n=0x7fa742ad6cc8, str=0x7fff6a5f5d40, qt=0, pf_flags=0,
ret_flags=0x7fff6a5f631c) at subst.c:3011
#7 0x00000000004b5083 in stringsubst (list=0x7fff6a5f6390,
node=0x7fa742ad6cc8, pf_flags=0, ret_flags=0x7fff6a5f631c, asssub=0)
at subst.c:247
#8 0x00000000004b4435 in prefork (list=0x7fff6a5f6390, flags=0,
ret_flags=0x7fff6a5f631c) at subst.c:85
#9 0x0000000000440df5 in execcmd_getargs (preargs=0x7fa742ad37c8,
args=0x7fa742ad3688, expand=1) at exec.c:2659
#10 0x000000000043c1eb in execcmd_exec (state=0x7fff6a5f8230,
eparams=0x7fff6a5f70f0, input=0, output=0, how=18, last1=2)
at exec.c:2765
#11 0x000000000043b804 in execpline2 (state=0x7fff6a5f8230, pcode=131,
how=18, input=0, output=0, last1=0) at exec.c:1873
#12 0x0000000000433f6e in execpline (state=0x7fff6a5f8230,
slcode=3074, how=18, last1=0) at exec.c:1602
#13 0x0000000000432dfe in execlist (state=0x7fff6a5f8230,
dont_change_job=0, exiting=0) at exec.c:1360
---Type <return> to continue, or q <return> to quit---
#14 0x000000000043277e in execode (p=0x7fa742ad3528,
dont_change_job=0, exiting=0, context=0x4d9274 "toplevel") at
exec.c:1141
#15 0x000000000045e366 in loop (toplevel=1, justonce=0) at init.c:208
#16 0x0000000000462846 in zsh_main (argc=3, argv=0x7fff6a5f8858) at init.c:1692
#17 0x0000000000411a32 in main (argc=3, argv=0x7fff6a5f8858) at ./main.c:93
[-- Attachment #2: strcatsub --]
[-- Type: application/octet-stream, Size: 233 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: Zsh parser segmentation fault in strcatsub
2017-05-15 21:30 Zsh parser segmentation fault in strcatsub Eduardo Bustamante
@ 2017-05-16 0:48 ` Bart Schaefer
2017-05-16 1:36 ` Eduardo Bustamante
2017-05-16 8:47 ` Peter Stephenson
0 siblings, 2 replies; 8+ messages in thread
From: Bart Schaefer @ 2017-05-16 0:48 UTC (permalink / raw)
To: zsh-workers; +Cc: Eduardo Bustamante
On Mon, May 15, 2017 at 2:30 PM, Eduardo Bustamante <dualbus@gmail.com> wrote:
>
> Core was generated by `/home/dualbus/src/zsh/zsh/Src/zsh -nv strcatsub'.
I can't reproduce this with any of "zsh -f", "zsh -nf", or "zsh -nvf"
when using the latest checkout from git and the file you attached.
Valgrind reports no problems.
You are not using "-f". Is it possible that a setting in a startup
file is affecting this?
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Zsh parser segmentation fault in strcatsub
2017-05-16 0:48 ` Bart Schaefer
@ 2017-05-16 1:36 ` Eduardo Bustamante
2017-05-16 3:38 ` Bart Schaefer
2017-05-17 18:37 ` Bart Schaefer
2017-05-16 8:47 ` Peter Stephenson
1 sibling, 2 replies; 8+ messages in thread
From: Eduardo Bustamante @ 2017-05-16 1:36 UTC (permalink / raw)
To: Bart Schaefer; +Cc: zsh-workers
On Mon, May 15, 2017 at 7:48 PM, Bart Schaefer
<schaefer@brasslantern.com> wrote:
[...]
> You are not using "-f". Is it possible that a setting in a startup
> file is affecting this?
How do you build Zsh?
Here's how I build it (with Clang, or GCC+ASAN).
dualbus@debian:~/src/zsh/zsh$ git rev-parse HEAD
171e7fa4c1d9cbf0d8ff35ee795e1599913aa329
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang CFLAGS='-O0
-ggdb' LDFLAGS='' ./configure && make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum strcatsub
45a3a29522b0bd62d073d791b722ce02 strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
Segmentation fault
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CFLAGS='-O0 -ggdb
-fsanitize=address -fno-omit-frame-pointer' LDFLAGS=-lasan ./configure
&& make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
=================================================================
==2860==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6290000041f8 at pc 0x56236c85fac3 bp 0x7ffe5ddad580 sp
0x7ffe5ddad578
READ of size 1 at 0x6290000041f8 thread T0
#0 0x56236c85fac2 in mb_metacharlenconv
/home/dualbus/src/zsh/zsh/Src/utils.c:5370
#1 0x56236c82ee04 in dopadding /home/dualbus/src/zsh/zsh/Src/subst.c:922
#2 0x56236c83cdba in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:4022
#3 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
#4 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
#5 0x56236c82bc22 in singsub /home/dualbus/src/zsh/zsh/Src/subst.c:430
#6 0x56236c8375b9 in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:3011
#7 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
#8 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
#9 0x56236c73114a in execcmd_getargs
/home/dualbus/src/zsh/zsh/Src/exec.c:2659
#10 0x56236c731b24 in execcmd_exec /home/dualbus/src/zsh/zsh/Src/exec.c:2765
#11 0x56236c72b753 in execpline2 /home/dualbus/src/zsh/zsh/Src/exec.c:1873
#12 0x56236c7286bc in execpline /home/dualbus/src/zsh/zsh/Src/exec.c:1602
#13 0x56236c72699e in execlist /home/dualbus/src/zsh/zsh/Src/exec.c:1360
#14 0x56236c725117 in execode /home/dualbus/src/zsh/zsh/Src/exec.c:1141
#15 0x56236c77a9a5 in loop /home/dualbus/src/zsh/zsh/Src/init.c:208
#16 0x56236c784757 in zsh_main /home/dualbus/src/zsh/zsh/Src/init.c:1692
#17 0x56236c6dd31f in main main.c:93
#18 0x7f8561b282b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#19 0x56236c6dd1f9 in _start (/home/dualbus/src/zsh/zsh/Src/zsh+0x421f9)
0x6290000041f8 is located 0 bytes to the right of 16376-byte region
[0x629000000200,0x6290000041f8)
allocated by thread T0 here:
#0 0x7f85628a1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x56236c7b4df3 in zalloc /home/dualbus/src/zsh/zsh/Src/mem.c:966
#2 0x56236c7b2ff9 in zhalloc /home/dualbus/src/zsh/zsh/Src/mem.c:639
#3 0x56236c82874e in dupstring /home/dualbus/src/zsh/zsh/Src/string.c:39
#4 0x56236c7a003f in parse_subst_string
/home/dualbus/src/zsh/zsh/Src/lex.c:1710
#5 0x56236c837436 in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:2975
#6 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
#7 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
#8 0x56236c73114a in execcmd_getargs
/home/dualbus/src/zsh/zsh/Src/exec.c:2659
#9 0x56236c731b24 in execcmd_exec /home/dualbus/src/zsh/zsh/Src/exec.c:2765
#10 0x56236c72b753 in execpline2 /home/dualbus/src/zsh/zsh/Src/exec.c:1873
#11 0x56236c7286bc in execpline /home/dualbus/src/zsh/zsh/Src/exec.c:1602
#12 0x56236c72699e in execlist /home/dualbus/src/zsh/zsh/Src/exec.c:1360
#13 0x56236c725117 in execode /home/dualbus/src/zsh/zsh/Src/exec.c:1141
#14 0x56236c77a9a5 in loop /home/dualbus/src/zsh/zsh/Src/init.c:208
#15 0x56236c784757 in zsh_main /home/dualbus/src/zsh/zsh/Src/init.c:1692
#16 0x56236c6dd31f in main main.c:93
#17 0x7f8561b282b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dualbus/src/zsh/zsh/Src/utils.c:5370 in mb_metacharlenconv
Shadow bytes around the buggy address:
0x0c527fff87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff8830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
0x0c527fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2860==ABORTING
It doesn't segfault if I run it under Valgrind.
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: Zsh parser segmentation fault in strcatsub
2017-05-16 1:36 ` Eduardo Bustamante
@ 2017-05-16 3:38 ` Bart Schaefer
2017-05-17 18:37 ` Bart Schaefer
1 sibling, 0 replies; 8+ messages in thread
From: Bart Schaefer @ 2017-05-16 3:38 UTC (permalink / raw)
To: Eduardo Bustamante; +Cc: Zsh hackers list
[-- Attachment #1: Type: text/plain, Size: 764 bytes --]
On Mon, May 15, 2017 at 6:36 PM, Eduardo Bustamante <dualbus@gmail.com>
wrote:
> On Mon, May 15, 2017 at 7:48 PM, Bart Schaefer
> <schaefer@brasslantern.com> wrote:
> [...]
>> You are not using "-f". Is it possible that a setting in a startup
>> file is affecting this?
>
> How do you build Zsh?
However "configure" does by default; I'm not attempting anything special
with CFLAGS.
For the .o files the command is e.g.:
gcc -c -I. -I../Src -I../Src -I../Src/Zle -I. -DHAVE_CONFIG_H -Wall
-Wmissing-prototypes -ggdb -o mem.o mem.c
For the final link:
gcc -g -rdynamic -o zsh main.o `cat stamp-modobjs`
-L/usr/lib/x86_64-linux-gnu -lpcre -ldl -lncursesw -lrt -lm -lc
If I run it without -n, I get something like
strcatsub:1: command not found: 14507000000000000
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Zsh parser segmentation fault in strcatsub
2017-05-16 1:36 ` Eduardo Bustamante
2017-05-16 3:38 ` Bart Schaefer
@ 2017-05-17 18:37 ` Bart Schaefer
2017-05-18 2:21 ` Eduardo Bustamante
1 sibling, 1 reply; 8+ messages in thread
From: Bart Schaefer @ 2017-05-17 18:37 UTC (permalink / raw)
To: zsh-workers; +Cc: Eduardo Bustamante
On May 15, 8:36pm, Eduardo Bustamante wrote:
}
} dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
} =================================================================
} ==2860==ERROR: AddressSanitizer: heap-buffer-overflow on address
} 0x6290000041f8 at pc 0x56236c85fac3 bp 0x7ffe5ddad580 sp
} 0x7ffe5ddad578
} READ of size 1 at 0x6290000041f8 thread T0
} #0 0x56236c85fac2 in mb_metacharlenconv
} /home/dualbus/src/zsh/zsh/Src/utils.c:5370
} #1 0x56236c82ee04 in dopadding /home/dualbus/src/zsh/zsh/Src/subst.c:922
So this is
cl = MB_METACHARLENCONV(t, &cchar);
and at least from my sources the reported error is on
STOUC(*s)
that is, on the dereference of the pointer "t" from dopadding.
Could this be an architecture endian-ness issue while trying to interpret
bytes as belonging to a multibyte character?
Can you repeat the crash with multibyte support disabled in the compile?
I don't have clang readily available to try that compiler.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Zsh parser segmentation fault in strcatsub
2017-05-17 18:37 ` Bart Schaefer
@ 2017-05-18 2:21 ` Eduardo Bustamante
0 siblings, 0 replies; 8+ messages in thread
From: Eduardo Bustamante @ 2017-05-18 2:21 UTC (permalink / raw)
To: Bart Schaefer; +Cc: zsh-workers
On Wed, May 17, 2017 at 1:37 PM, Bart Schaefer
<schaefer@brasslantern.com> wrote:
[...]
>
> Can you repeat the crash with multibyte support disabled in the compile?
I can't get it to crash with multibyte support disabled. Also, it
seems that the --enable-zsh-debug makes the crash go away (although I
suspect that just may be because the payload doesn't overflow the
heap).
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=gcc-6 CFLAGS='-O0
-ggdb' ./configure --enable-zsh-debug --disable-multibyte && make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02 /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=gcc-6 CFLAGS='-O0
-ggdb' ./configure --enable-zsh-debug --enable-multibyte && make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02 /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang-3.9
CFLAGS='-O0 -ggdb' ./configure --enable-zsh-debug --disable-multibyte
&& make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02 /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang-3.9
CFLAGS='-O0 -ggdb' ./configure --enable-zsh-debug --enable-multibyte
&& make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02 /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang-3.9
CFLAGS='-O0 -ggdb' LDFLAGS='' ./configure --enable-multibyte && make
-j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02 /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub
Segmentation fault
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang-3.9
CFLAGS='-O0 -ggdb' LDFLAGS='' ./configure --disable-multibyte && make
-j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02 /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=gcc-6 CFLAGS='-O0
-ggdb' LDFLAGS='' ./configure --enable-multibyte && make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02 /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub
Segmentation fault
The reason I build it with CFLAGS='-O0 -ggdb' LDFLAGS='' is that the
Makefile kept stripping symbols from the binary, so I hacked around it
by passing an empty LDFLAGS, but now I realize that --enable-zsh-debug
is what I was looking for.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Zsh parser segmentation fault in strcatsub
2017-05-16 0:48 ` Bart Schaefer
2017-05-16 1:36 ` Eduardo Bustamante
@ 2017-05-16 8:47 ` Peter Stephenson
2017-05-16 13:30 ` Daniel Shahaf
1 sibling, 1 reply; 8+ messages in thread
From: Peter Stephenson @ 2017-05-16 8:47 UTC (permalink / raw)
To: zsh-workers; +Cc: Eduardo Bustamante
On Mon, 15 May 2017 17:48:07 -0700
Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Mon, May 15, 2017 at 2:30 PM, Eduardo Bustamante <dualbus@gmail.com> wrote:
> >
> > Core was generated by `/home/dualbus/src/zsh/zsh/Src/zsh -nv strcatsub'.
>
> I can't reproduce this with any of "zsh -f", "zsh -nf", or "zsh -nvf"
> when using the latest checkout from git and the file you attached.
> Valgrind reports no problems.
It's possible it's a variant of the previous string handling problem in
patterns, (41096 / 4bb81eef) which had murky effects.
pws
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Zsh parser segmentation fault in strcatsub
2017-05-16 8:47 ` Peter Stephenson
@ 2017-05-16 13:30 ` Daniel Shahaf
0 siblings, 0 replies; 8+ messages in thread
From: Daniel Shahaf @ 2017-05-16 13:30 UTC (permalink / raw)
To: Peter Stephenson; +Cc: zsh-workers, Eduardo Bustamante
Peter Stephenson wrote on Tue, May 16, 2017 at 09:47:23 +0100:
> On Mon, 15 May 2017 17:48:07 -0700
> Bart Schaefer <schaefer@brasslantern.com> wrote:
> > On Mon, May 15, 2017 at 2:30 PM, Eduardo Bustamante <dualbus@gmail.com> wrote:
> > >
> > > Core was generated by `/home/dualbus/src/zsh/zsh/Src/zsh -nv strcatsub'.
> >
> > I can't reproduce this with any of "zsh -f", "zsh -nf", or "zsh -nvf"
> > when using the latest checkout from git and the file you attached.
> > Valgrind reports no problems.
>
> It's possible it's a variant of the previous string handling problem in
> patterns, (41096 / 4bb81eef) which had murky effects.
Building a tree newer than that revision (171e7fa4c1d9 + some local
patches that don't go anywhere near the parser), I get:
[[[
% /path/to/installed/zsh -fnv strcatsub
$$0000${(e0z)^Y-000${(z)^Y-00>
{000000}0}0
00}${%0000000000000000000000000000000000000000�000000�00�0000���0000000${(fzfLl0200oNN�?>&9������//��?0B0mpr0200%����O�)3oN0iO0)c000%000000000000}�0�000000�00��0000000000000�00�}00%
]]]
where the final % is in reverse video, but stays there even with -o nopromptsp.
If I remove the -f, it outputs the same junk, but preceded by the
entirety of my .zshenv. All that goes to stderr.
My configure line:
./configure --enable-zsh-debug --with-term-lib=ncursesw --prefix=$HOME/prefix/zsh
perl -pi -e 's/link=dynamic/link=static/g; if (/link=static/) { s/auto=yes/auto=no/ }' config.modules
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2017-05-18 2:22 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-15 21:30 Zsh parser segmentation fault in strcatsub Eduardo Bustamante
2017-05-16 0:48 ` Bart Schaefer
2017-05-16 1:36 ` Eduardo Bustamante
2017-05-16 3:38 ` Bart Schaefer
2017-05-17 18:37 ` Bart Schaefer
2017-05-18 2:21 ` Eduardo Bustamante
2017-05-16 8:47 ` Peter Stephenson
2017-05-16 13:30 ` Daniel Shahaf
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).