From: Peter Stephenson <p.stephenson@samsung.com>
To: Zsh hackers list <zsh-workers@zsh.org>
Subject: Re: A repeating core, just sharing backtrace
Date: Tue, 10 Jul 2018 14:33:19 +0100
Message-ID: <20180710133321eucas1p1d4efb07a819c93de4c3f75544b2ac701~ABTWjwquX1369613696eucas1p18@eucas1p1.samsung.com>
In-Reply-To: <CAKc7PVBQn-ZjZ1T0TLqofETRiRw3xTExJ3aN10FWPqEQSi180w@mail.gmail.com>

On Thu, 5 Jul 2018 15:40:30 +0200
Sebastian Gniazdowski <sgniazdowski@gmail.com> wrote:
> I bisected from 5.4.2 to HEAD. The core is fully repeatable. It's a
> larger script (zplugin) operation that causes the core, so currently
> this is kind of a black box.
> 
> f7519811e1bbe990ff1c3d499ffb70cfc2d034f8 is the first bad commit
> commit f7519811e1bbe990ff1c3d499ffb70cfc2d034f8
> Author: Ricardo Giorni <ricardo@giorni.co>
> Date:   Sun Apr 29 12:05:39 2018 -0700
> 
>     47201: fix 42355 for multiple backslashes
> 
> 
> I think this is a well pointed commit, because any backtrace I
> encountered was going through zshlex:
> 
>     ...
>     frame #5: 0x00007fff5766b256 libsystem_malloc.dylib`free_tiny + 628
>     frame #6: 0x0000000100e076e8 zsh`zfree + 24
>     frame #7: 0x0000000100dc4c3c zsh`gethere + 780
>     frame #8: 0x0000000100dfafc1 zsh`zshlex + 369
>     frame #9: 0x0000000100e26c6f zsh`par_redir + 655
>     frame #10: 0x0000000100e29b5f zsh`par_simple + 2063
>     ...

The zfree() in that backtrace is on a locally allocated buffer, so this
looks like earlier memory corruption, which would fit.

The change in question is quite small but does cause bptr in that for
loop to be incremented possibly twice per loop.  So this change is
probably needed whether or not it fixes the bug.

I hope the pointer arithmetic here is also a bit more transparent[ly
correct].

pws

diff --git a/Src/exec.c b/Src/exec.c
index 5864020..47a4567 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -4418,7 +4418,9 @@ gethere(char **strp, int typ)
 	while ((c = hgetc()) == '\t' && strip)
 	    ;
 	for (;;) {
-	    if (bptr == buf + bsiz) {
+	    if (bptr >= buf + bsiz - 1) {
+		ptrdiff_t toff = t - buf;
+		ptrdiff_t bptroff = bptr - buf;
 		char *newbuf = realloc(buf, 2 * bsiz);
 		if (!newbuf) {
 		    /* out of memory */
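Review bot: the `- 1` in the new bound `if (bptr >= buf + bsiz - 1)` reserves exactly one spare byte, which is enough only while a single pass through the loop stores at most two bytes, and nothing in the hunk records that. A one-line comment above the test saying the body may advance bptr twice would stop a later edit that adds a third store from bringing the overrun back. Two smaller points on the same lines: `ptrdiff_t` needs <stddef.h> to be visible in exec.c, and `realloc(buf, 2 * bsiz)` still doubles without checking that the product fits the type of bsiz.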
@@ -4426,8 +4428,8 @@ gethere(char **strp, int typ)
 		    return NULL;
 		}
 		buf = newbuf;
-		t = buf + bsiz - (bptr - t);
-		bptr = buf + bsiz;
+		t = buf + toff;
+		bptr = buf + bptroff;
 		bsiz *= 2;
 	    }
 	    if (lexstop || c == '\n')
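Review bot: `t = buf + toff;` is valid only if t already pointed into the old buffer when `toff = t - buf` was taken in the previous hunk; if t can be unset or point elsewhere on an early pass through the loop, that subtraction is undefined. The removed `t = buf + bsiz - (bptr - t);` relied on the same assumption, so this is not a regression, but it is worth confirming that t is initialised into buf before the for loop. Restoring bptr from its saved offset rather than forcing it to `buf + bsiz` is what the relaxed `>=` test depends on, so the two hunks have to land together.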

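The growth pattern the patch arrives at, as an added stand-alone C example (not zsh code and not part of the original message): a cursor that may advance twice per iteration, a headroom test instead of an equality test, and both pointers rebased from offsets taken before realloc(). The function name copy_escaped, the last_line_off parameter, the rule of escaping '$' and the sample input in the test are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not zsh code: copy src into a growable heap buffer,
 * storing a backslash before each '$', so one iteration may store two bytes.
 * *last_line_off receives the offset where the last line starts. */
char *copy_escaped(const char *src, size_t *last_line_off)
{
    size_t bsiz = 4;              /* tiny on purpose, to force regrowth */
    char *buf = malloc(bsiz);
    char *bptr = buf, *t = buf;   /* write cursor; start of current line */

    if (!buf)
        return NULL;
    for (; *src; src++) {
        /* Need room for two stores. An equality test against buf + bsiz
         * is stepped over when the cursor advances by two. */
        if (bptr >= buf + bsiz - 1) {
            ptrdiff_t toff = t - buf;        /* take offsets first: the */
            ptrdiff_t bptroff = bptr - buf;  /* old block may be freed  */
            char *newbuf = realloc(buf, 2 * bsiz);
            if (!newbuf) {
                free(buf);
                return NULL;
            }
            buf = newbuf;
            t = buf + toff;
            bptr = buf + bptroff;
            bsiz *= 2;
        }
        if (*src == '$')
            *bptr++ = '\\';       /* first store of this iteration */
        *bptr++ = *src;           /* second (or only) store */
        if (*src == '\n')
            t = bptr;             /* next line starts at the cursor */
    }
    size_t len = (size_t)(bptr - buf);
    *last_line_off = (size_t)(t - buf);
    char *out = realloc(buf, len + 1);   /* exact fit plus terminator */
    if (!out) {
        free(buf);
        return NULL;
    }
    out[len] = '\0';
    return out;
}
```

With the constructed input "a$b\n$$c" the buffer grows twice, both times with the cursor one or zero bytes short of the end, which is the case an `==` test against `buf + bsiz` can miss.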
