zsh-workers
* completion crash
@ 2008-08-22  1:55 Mikael Magnusson
  2011-03-30 16:26 ` Mikael Magnusson
  0 siblings, 1 reply; 5+ messages in thread
From: Mikael Magnusson @ 2008-08-22  1:55 UTC (permalink / raw)
  To: zsh-workers

I got this when playing with _git, I had
_wanted files expl 'tree file' compadd $multi_parts_opts -f -a tree_trees
and added -p $Path to get
_wanted files expl 'tree file' compadd $multi_parts_opts -p $Path -f -a tree_trees
which in turn gave me this backtrace (hold on to your hat):

0x41b66273 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x41b66273 in strlen () from /lib/libc.so.6
#1  0x080bf8c1 in ztrdup (s=0xa77fe7c8 <Address 0xa77fe7c8 out of
bounds>) at string.c:52
#2  0xa7a749e0 in dupmatch (m=0xa7bbb990, nbeg=0, nend=0) at compcore.c:3225
#3  0xa7a74f35 in permmatches (last=0) at compcore.c:3339
#4  0xa7a6a3bc in get_nmatches (pm=0x82ddbb0) at complete.c:1261
#5  0x080a54ae in getstrvalue (v=0xafeaa7ec) at params.c:1885
#6  0x080a362c in getarg (str=0xafeaa624, inv=0xafeaa628,
v=0xafeaa7ec, a2=0, w=0xafeaa618,
    prevcharlen=0xafeaa60c, nextcharlen=0xafeaa608) at params.c:1227
#7  0x080a4ab1 in getindex (pptr=0xafeaa68c, v=0xafeaa7ec, flags=256)
at params.c:1601
#8  0x080a5138 in fetchvalue (v=0xafeaa7ec, pptr=0xafeaa810, bracks=1,
flags=256)
    at params.c:1818
#9  0x080c3c21 in paramsubst (l=0xafeaaccc, n=0xafeaacc0,
str=0xafeaaa28, qt=1, ssub=4)
    at subst.c:1912
#10 0x080c05c7 in stringsubst (list=0xafeaaccc, node=0xafeaacc0,
ssub=4, asssub=0) at subst.c:193
#11 0x080bfe84 in prefork (list=0xafeaaccc, flags=4) at subst.c:91
#12 0x080c0ac0 in singsub (s=0xafeaaddc) at subst.c:348
#13 0x0806863d in evalcond (state=0xafeab5ac, fromtest=0x0) at cond.c:179
#14 0x08072cb8 in execcond (state=0xafeab5ac, do_exec=0) at exec.c:3826
#15 0x0806b7f9 in execsimple (state=0xafeab5ac) at exec.c:999
#16 0x0806ba14 in execlist (state=0xafeab5ac, dont_change_job=1,
exiting=0) at exec.c:1092
#17 0x08093b56 in execif (state=0xafeab5ac, do_exec=0) at loop.c:515
#18 0x08070fb5 in execcmd (state=0xafeab5ac, input=0, output=0,
how=18, last1=2) at exec.c:2978
#19 0x0806cf78 in execpline2 (state=0xafeab5ac, pcode=19459, how=18,
input=0, output=0, last1=0)
    at exec.c:1540
#20 0x0806c30e in execpline (state=0xafeab5ac, slcode=1296386, how=18,
last1=0) at exec.c:1326
#21 0x0806bb51 in execlist (state=0xafeab5ac, dont_change_job=1,
exiting=0) at exec.c:1124
#22 0x0806b6c0 in execode (p=0x830dbf0, dont_change_job=1, exiting=0)
at exec.c:965
#23 0x08073ea7 in runshfunc (prog=0x830dbf0, wrap=0x0, name=0xa7803910
"_arguments")
    at exec.c:4355
---Type <return> to continue, or q <return> to quit---
#24 0xa7a6a9fc in comp_wrapper (prog=0x830dbf0, w=0x0, name=0xa7803910
"_arguments")
    at complete.c:1449
#25 0x08073e36 in runshfunc (prog=0x830dbf0, wrap=0xa7a85720,
name=0xa7803910 "_arguments")
    at exec.c:4343
#26 0x08073c1a in doshfunc (name=0x82c3240 "_arguments",
prog=0x830dbf0, doshargs=0xa78035e0,
    flags=270336, noreturnval=0) at exec.c:4264
#27 0x0807350d in execshfunc (shf=0x82c31e8, args=0xa78035e0) at exec.c:4041
#28 0x080711ac in execcmd (state=0xafeabe7c, input=0, output=0, how=2,
last1=2) at exec.c:3026
#29 0x0806cf78 in execpline2 (state=0xafeabe7c, pcode=323, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#30 0x0806c30e in execpline (state=0xafeabe7c, slcode=13346, how=2,
last1=0) at exec.c:1326
#31 0x0806bb9d in execlist (state=0xafeabe7c, dont_change_job=1,
exiting=0) at exec.c:1131
#32 0x0806b6c0 in execode (p=0x82ecc78, dont_change_job=1, exiting=0)
at exec.c:965
#33 0x08073ea7 in runshfunc (prog=0x82ecc78, wrap=0x0, name=0xa78034d8
"_git-ls-tree")
    at exec.c:4355
#34 0xa7a6a9fc in comp_wrapper (prog=0x82ecc78, w=0x0, name=0xa78034d8
"_git-ls-tree")
    at complete.c:1449
#35 0x08073e36 in runshfunc (prog=0x82ecc78, wrap=0xa7a85720,
name=0xa78034d8 "_git-ls-tree")
    at exec.c:4343
#36 0x08073c1a in doshfunc (name=0x82ecf58 "_git-ls-tree",
prog=0x82ecc78, doshargs=0xa7803488,
    flags=0, noreturnval=0) at exec.c:4264
#37 0x0807350d in execshfunc (shf=0x82ecf40, args=0xa7803488) at exec.c:4041
#38 0x080711ac in execcmd (state=0xafeacd6c, input=0, output=0, how=2,
last1=2) at exec.c:3026
#39 0x0806cf78 in execpline2 (state=0xafeacd6c, pcode=1475, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#40 0x0806c30e in execpline (state=0xafeacd6c, slcode=3074, how=2,
last1=0) at exec.c:1326
#41 0x0806bb51 in execlist (state=0xafeacd6c, dont_change_job=1,
exiting=0) at exec.c:1124
#42 0x08093b56 in execif (state=0xafeacd6c, do_exec=0) at loop.c:515
#43 0x08070fb5 in execcmd (state=0xafeacd6c, input=0, output=0, how=2,
last1=2) at exec.c:2978
---Type <return> to continue, or q <return> to quit---
#44 0x0806cf78 in execpline2 (state=0xafeacd6c, pcode=1411, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#45 0x0806c30e in execpline (state=0xafeacd6c, slcode=40962, how=2,
last1=0) at exec.c:1326
#46 0x0806bb51 in execlist (state=0xafeacd6c, dont_change_job=1,
exiting=0) at exec.c:1124
#47 0x0806b6c0 in execode (p=0x831bbc0, dont_change_job=1, exiting=0)
at exec.c:965
#48 0x08073ea7 in runshfunc (prog=0x831bbc0, wrap=0x0, name=0xa7803118
"_call_function")
    at exec.c:4355
#49 0xa7a6a9fc in comp_wrapper (prog=0x831bbc0, w=0x0, name=0xa7803118
"_call_function")
    at complete.c:1449
#50 0x08073e36 in runshfunc (prog=0x831bbc0, wrap=0xa7a85720,
name=0xa7803118 "_call_function")
    at exec.c:4343
#51 0x08073c1a in doshfunc (name=0x82c3f10 "_call_function", prog=0x831bbc0,
    doshargs=0xa7809fc8, flags=270336, noreturnval=0) at exec.c:4264
#52 0x0807350d in execshfunc (shf=0x82c3eb8, args=0xa7809fc8) at exec.c:4041
#53 0x080711ac in execcmd (state=0xafeae2bc, input=0, output=0,
how=18, last1=2) at exec.c:3026
#54 0x0806cf78 in execpline2 (state=0xafeae2bc, pcode=278019, how=18,
input=0, output=0, last1=0)
    at exec.c:1540
#55 0x0806c30e in execpline (state=0xafeae2bc, slcode=5122, how=18,
last1=0) at exec.c:1326
#56 0x0806bb51 in execlist (state=0xafeae2bc, dont_change_job=1,
exiting=0) at exec.c:1124
#57 0x08093efb in execcase (state=0xafeae2bc, do_exec=0) at loop.c:593
#58 0x08070fb5 in execcmd (state=0xafeae2bc, input=0, output=0,
how=18, last1=2) at exec.c:2978
#59 0x0806cf78 in execpline2 (state=0xafeae2bc, pcode=277635, how=18,
input=0, output=0, last1=0)
    at exec.c:1540
#60 0x0806c30e in execpline (state=0xafeae2bc, slcode=27650, how=18,
last1=0) at exec.c:1326
#61 0x0806bb51 in execlist (state=0xafeae2bc, dont_change_job=1,
exiting=0) at exec.c:1124
#62 0x08093b56 in execif (state=0xafeae2bc, do_exec=0) at loop.c:515
#63 0x08070fb5 in execcmd (state=0xafeae2bc, input=0, output=0,
how=18, last1=2) at exec.c:2978
#64 0x0806cf78 in execpline2 (state=0xafeae2bc, pcode=276867, how=18,
input=0, output=0, last1=0)
    at exec.c:1540
---Type <return> to continue, or q <return> to quit---
#65 0x0806c30e in execpline (state=0xafeae2bc, slcode=81922, how=18,
last1=0) at exec.c:1326
#66 0x0806bb51 in execlist (state=0xafeae2bc, dont_change_job=1,
exiting=0) at exec.c:1124
#67 0x0806b6c0 in execode (p=0x82e15a8, dont_change_job=1, exiting=0)
at exec.c:965
#68 0x08073ea7 in runshfunc (prog=0x82e15a8, wrap=0x0, name=0xa784bae0
"_git") at exec.c:4355
#69 0xa7a6a9fc in comp_wrapper (prog=0x82e15a8, w=0x0, name=0xa784bae0
"_git") at complete.c:1449
#70 0x08073e36 in runshfunc (prog=0x82e15a8, wrap=0xa7a85720,
name=0xa784bae0 "_git")
    at exec.c:4343
#71 0x08073c1a in doshfunc (name=0x82e1570 "_git", prog=0x82e15a8,
doshargs=0xa784bab0, flags=0,
    noreturnval=0) at exec.c:4264
#72 0x0807350d in execshfunc (shf=0x82e15d0, args=0xa784bab0) at exec.c:4041
#73 0x080711ac in execcmd (state=0xafeaeb6c, input=0, output=0,
how=18, last1=2) at exec.c:3026
#74 0x0806cf78 in execpline2 (state=0xafeaeb6c, pcode=131, how=18,
input=0, output=0, last1=0)
    at exec.c:1540
#75 0x0806c30e in execpline (state=0xafeaeb6c, slcode=3074, how=18,
last1=0) at exec.c:1326
#76 0x0806bb51 in execlist (state=0xafeaeb6c, dont_change_job=1,
exiting=0) at exec.c:1124
#77 0x0806b6c0 in execode (p=0xa784ba58, dont_change_job=1, exiting=0)
at exec.c:965
#78 0x08064cb0 in bin_eval (nam=0xa784ba00 "eval", argv=0xafeaebc0,
ops=0xafeaec00, func=14)
    at builtin.c:4726
#79 0x08055abb in execbuiltin (args=0xa784b9d8, bn=0x80de63c) at builtin.c:438
#80 0x0807122b in execcmd (state=0xafeaf92c, input=0, output=0, how=2,
last1=2) at exec.c:3037
#81 0x0806cf78 in execpline2 (state=0xafeaf92c, pcode=3779, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#82 0x0806c30e in execpline (state=0xafeaf92c, slcode=4130, how=2,
last1=0) at exec.c:1326
#83 0x0806bb9d in execlist (state=0xafeaf92c, dont_change_job=1,
exiting=0) at exec.c:1131
#84 0x08093b56 in execif (state=0xafeaf92c, do_exec=0) at loop.c:515
#85 0x08070fb5 in execcmd (state=0xafeaf92c, input=0, output=0, how=2,
last1=2) at exec.c:2978
#86 0x0806cf78 in execpline2 (state=0xafeaf92c, pcode=3651, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#87 0x0806c30e in execpline (state=0xafeaf92c, slcode=43010, how=2,
last1=0) at exec.c:1326
---Type <return> to continue, or q <return> to quit---
#88 0x0806bb51 in execlist (state=0xafeaf92c, dont_change_job=1,
exiting=0) at exec.c:1124
#89 0x0806b6c0 in execode (p=0x82e0e28, dont_change_job=1, exiting=0)
at exec.c:965
#90 0x08073ea7 in runshfunc (prog=0x82e0e28, wrap=0x0, name=0xa784b5a0
"_dispatch")
    at exec.c:4355
#91 0xa7a6a9fc in comp_wrapper (prog=0x82e0e28, w=0x0, name=0xa784b5a0
"_dispatch")
    at complete.c:1449
#92 0x08073e36 in runshfunc (prog=0x82e0e28, wrap=0xa7a85720,
name=0xa784b5a0 "_dispatch")
    at exec.c:4343
#93 0x08073c1a in doshfunc (name=0x82c5c58 "_dispatch",
prog=0x82e0e28, doshargs=0xa784b470,
    flags=270336, noreturnval=0) at exec.c:4264
#94 0x0807350d in execshfunc (shf=0x82c5c00, args=0xa784b470) at exec.c:4041
#95 0x080711ac in execcmd (state=0xafeb01dc, input=0, output=0,
how=18, last1=2) at exec.c:3026
#96 0x0806cf78 in execpline2 (state=0xafeb01dc, pcode=1667, how=18,
input=0, output=0, last1=0)
    at exec.c:1540
#97 0x0806c30e in execpline (state=0xafeb01dc, slcode=8194, how=18,
last1=0) at exec.c:1326
#98 0x0806bb51 in execlist (state=0xafeb01dc, dont_change_job=1,
exiting=0) at exec.c:1124
#99 0x0806b6c0 in execode (p=0x82e0838, dont_change_job=1, exiting=0)
at exec.c:965
#100 0x08073ea7 in runshfunc (prog=0x82e0838, wrap=0x0,
name=0xa784b358 "_normal") at exec.c:4355
#101 0xa7a6a9fc in comp_wrapper (prog=0x82e0838, w=0x0,
name=0xa784b358 "_normal")
    at complete.c:1449
#102 0x08073e36 in runshfunc (prog=0x82e0838, wrap=0xa7a85720,
name=0xa784b358 "_normal")
    at exec.c:4343
#103 0x08073c1a in doshfunc (name=0x82cb980 "_normal", prog=0x82e0838,
doshargs=0xa784b310,
    flags=270336, noreturnval=0) at exec.c:4264
#104 0x0807350d in execshfunc (shf=0x82cb928, args=0xa784b310) at exec.c:4041
#105 0x080711ac in execcmd (state=0xafeb10cc, input=0, output=0,
how=2, last1=2) at exec.c:3026
#106 0x0806cf78 in execpline2 (state=0xafeb10cc, pcode=7555, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#107 0x0806c30e in execpline (state=0xafeb10cc, slcode=4130, how=2,
last1=0) at exec.c:1326
---Type <return> to continue, or q <return> to quit---
#108 0x0806bb9d in execlist (state=0xafeb10cc, dont_change_job=1,
exiting=0) at exec.c:1131
#109 0x08093b56 in execif (state=0xafeb10cc, do_exec=0) at loop.c:515
#110 0x08070fb5 in execcmd (state=0xafeb10cc, input=0, output=0,
how=2, last1=2) at exec.c:2978
#111 0x0806cf78 in execpline2 (state=0xafeb10cc, pcode=7427, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#112 0x0806c30e in execpline (state=0xafeb10cc, slcode=114690, how=2,
last1=0) at exec.c:1326
#113 0x0806bb51 in execlist (state=0xafeb10cc, dont_change_job=1,
exiting=0) at exec.c:1124
#114 0x0806b6c0 in execode (p=0x82cbae8, dont_change_job=1, exiting=0)
at exec.c:965
#115 0x08073ea7 in runshfunc (prog=0x82cbae8, wrap=0x0,
name=0xa784ae50 "_complete")
    at exec.c:4355
#116 0xa7a6a9fc in comp_wrapper (prog=0x82cbae8, w=0x0,
name=0xa784ae50 "_complete")
    at complete.c:1449
#117 0x08073e36 in runshfunc (prog=0x82cbae8, wrap=0xa7a85720,
name=0xa784ae50 "_complete")
    at exec.c:4343
#118 0x08073c1a in doshfunc (name=0x82c4620 "_complete",
prog=0x82cbae8, doshargs=0xa784ae00,
    flags=270336, noreturnval=0) at exec.c:4264
#119 0x0807350d in execshfunc (shf=0x82c45c8, args=0xa784ae00) at exec.c:4041
#120 0x080711ac in execcmd (state=0xafeb2cdc, input=0, output=0,
how=18, last1=2) at exec.c:3026
#121 0x0806cf78 in execpline2 (state=0xafeb2cdc, pcode=10371, how=18,
input=0, output=0, last1=0)
    at exec.c:1540
#122 0x0806c30e in execpline (state=0xafeb2cdc, slcode=3074, how=18,
last1=0) at exec.c:1326
#123 0x0806bb51 in execlist (state=0xafeb2cdc, dont_change_job=1,
exiting=0) at exec.c:1124
#124 0x08093ab1 in execif (state=0xafeb2cdc, do_exec=0) at loop.c:500
#125 0x08070fb5 in execcmd (state=0xafeb2cdc, input=0, output=0,
how=2, last1=2) at exec.c:2978
#126 0x0806cf78 in execpline2 (state=0xafeb2cdc, pcode=10051, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#127 0x0806c30e in execpline (state=0xafeb2cdc, slcode=48130, how=2,
last1=0) at exec.c:1326
#128 0x0806bb51 in execlist (state=0xafeb2cdc, dont_change_job=1,
exiting=0) at exec.c:1124
#129 0x08092d78 in execfor (state=0xafeb2cdc, do_exec=0) at loop.c:159
---Type <return> to continue, or q <return> to quit---
#130 0x08070fb5 in execcmd (state=0xafeb2cdc, input=0, output=0,
how=2, last1=2) at exec.c:2978
#131 0x0806cf78 in execpline2 (state=0xafeb2cdc, pcode=9539, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#132 0x0806c30e in execpline (state=0xafeb2cdc, slcode=90114, how=2,
last1=0) at exec.c:1326
#133 0x0806bb51 in execlist (state=0xafeb2cdc, dont_change_job=1,
exiting=0) at exec.c:1124
#134 0x08092d78 in execfor (state=0xafeb2cdc, do_exec=0) at loop.c:159
#135 0x08070fb5 in execcmd (state=0xafeb2cdc, input=0, output=0,
how=2, last1=2) at exec.c:2978
#136 0x0806cf78 in execpline2 (state=0xafeb2cdc, pcode=8067, how=2,
input=0, output=0, last1=0)
    at exec.c:1540
#137 0x0806c30e in execpline (state=0xafeb2cdc, slcode=220162, how=2,
last1=0) at exec.c:1326
#138 0x0806bb51 in execlist (state=0xafeb2cdc, dont_change_job=1,
exiting=0) at exec.c:1124
#139 0x0806b6c0 in execode (p=0x82dcb00, dont_change_job=1, exiting=0)
at exec.c:965
#140 0x08073ea7 in runshfunc (prog=0x82dcb00, wrap=0x0,
name=0xa7849030 "_main_complete")
    at exec.c:4355
#141 0xa7a6a9fc in comp_wrapper (prog=0x82dcb00, w=0x0,
name=0xa7849030 "_main_complete")
    at complete.c:1449
#142 0x08073e36 in runshfunc (prog=0x82dcb00, wrap=0xa7a85720,
name=0xa7849030 "_main_complete")
    at exec.c:4343
#143 0x08073c1a in doshfunc (name=0x829d390 "_main_complete",
prog=0x82dcb00, doshargs=0x0,
    flags=0, noreturnval=0) at exec.c:4264
#144 0xa7a6d2e1 in callcompfunc (s=0xa7bbb738 "HEAD:", fn=0x829d390
"_main_complete")
    at compcore.c:817
#145 0xa7a6dbb3 in makecomplist (s=0xa7bbb738 "HEAD:", incmd=0, lst=0)
at compcore.c:968
#146 0xa7a6b942 in do_completion (dummy=0xa7ac39d4, dat=0xafeb3138) at
compcore.c:349
#147 0x0809abcc in runhookdef (h=0xa7ac39d4, d=0xafeb3138) at module.c:996
#148 0xa7ab3993 in docompletion (s=0x831a570 "HEAD:", lst=0, incmd=0)
at zle_tricky.c:2135
#149 0xa7aafa13 in docomplete (lst=0) at zle_tricky.c:859
#150 0xa7aae493 in expandorcomplete (args=0xa7ac3cbc) at zle_tricky.c:315
#151 0xa7aae036 in completecall (args=0xa7ac3cbc) at zle_tricky.c:208
---Type <return> to continue, or q <return> to quit---
#152 0xa7a9dbf2 in execzlefunc (func=0xa7ac1cd0, args=0xa7ac3cbc,
set_bindk=0) at zle_main.c:1291
#153 0xa7a9d122 in zlecore () at zle_main.c:1043
#154 0xa7a9d833 in zleread (lp=0x80f3adc, rp=0x80f3a64, flags=7,
context=0) at zle_main.c:1205
#155 0xa7a9f9c1 in zle_main_entry (cmd=1, ap=0xafeb35a4 "") at zle_main.c:1834
#156 0x08086ef8 in zleentry (cmd=1) at init.c:1237
#157 0x080877d6 in inputline () at input.c:278
#158 0x08087645 in ingetc () at input.c:214
#159 0x0807dc26 in ihgetc () at hist.c:263
#160 0x0808f96f in gettok () at lex.c:663
#161 0x0808f1fa in yylex () at lex.c:350
#162 0x080abb8d in parse_event () at parse.c:451
#163 0x0808463f in loop (toplevel=1, justonce=0) at init.c:129
#164 0x08087279 in zsh_main (argc=1, argv=0xafeb3804) at init.c:1388
#165 0x080551c6 in main (argc=Cannot access memory at address 0x0
) at ./main.c:93

-- 
Mikael Magnusson



* Re: completion crash
  2008-08-22  1:55 completion crash Mikael Magnusson
@ 2011-03-30 16:26 ` Mikael Magnusson
  2011-03-30 16:57   ` Bart Schaefer
  0 siblings, 1 reply; 5+ messages in thread
From: Mikael Magnusson @ 2011-03-30 16:26 UTC (permalink / raw)
  To: zsh workers

I've tracked this down to something calling popheap() when it
shouldn't, because putting "return;" at the top of popheap() makes the
crash go away. Also, at one point during all this, in
parse.c:ecgetstr(), char *r gets a string assigned to it that has the
same address as amatches->matches, which is subsequently overwritten
by a strcpy. I'm not exactly sure if it's this corruption that causes
the crash; what eventually crashes is an access to
amatches->matches->prpre, which is broken.
(gdb) print amatches->matches
$5 = (Cmatch *) 0x7ffff7fe3fa0
#1  0x000000000048008c in dupstring (s=0x6bd8fc "-s") at string.c:40
40	    strcpy(t, s);
(gdb) print t
$7 = 0x7ffff7fe3fa0 "-"

This is presumably not good. Any ideas?

On 22 August 2008 03:55, Mikael Magnusson <mikachu@gmail.com> wrote:
> I got this when playing with _git, I had
> _wanted files expl 'tree file' compadd $multi_parts_opts -f -a tree_trees
> and added -p $Path to get
> _wanted files expl 'tree file' compadd $multi_parts_opts -p $Path -f
> -a tree_trees
> which in turn gave me this backtrace (hold on to your hat):
> #161 0x0808f1fa in yylex () at lex.c:350
> #162 0x080abb8d in parse_event () at parse.c:451
> #163 0x0808463f in loop (toplevel=1, justonce=0) at init.c:129
> #164 0x08087279 in zsh_main (argc=1, argv=0xafeb3804) at init.c:1388
> #165 0x080551c6 in main (argc=Cannot access memory at address 0x0
> ) at ./main.c:93
>
> --
> Mikael Magnusson
>



-- 
Mikael Magnusson



* Re: completion crash
  2011-03-30 16:26 ` Mikael Magnusson
@ 2011-03-30 16:57   ` Bart Schaefer
  2011-03-30 18:34     ` Mikael Magnusson
  0 siblings, 1 reply; 5+ messages in thread
From: Bart Schaefer @ 2011-03-30 16:57 UTC (permalink / raw)
  To: zsh workers

On Mar 30,  6:26pm, Mikael Magnusson wrote:
} Subject: Re: completion crash
}
} I've tracked this down to something calling popheap() when it
} shouldn't, because putting "return;" at the top of popheap() makes the
} crash go away, also, at one point during all this, in
} parse.c:ecgetstr(), char *r gets a string assigned to it that has the
} same address as amatches->matches, which is subsequently overwritten
} by an strcpy. I'm not exactly sure if it's this corruption that causes
} the crash, what eventually crashes is an access to
} amatches->matches->prpre which is broken.
} (gdb) print amatches->matches
} $5 = (Cmatch *) 0x7ffff7fe3fa0
} #1  0x000000000048008c in dupstring (s=0x6bd8fc "-s") at string.c:40
} 40	    strcpy(t, s);
} (gdb) print t
} $7 = 0x7ffff7fe3fa0 "-"
} 
} This is presumably not good. Any ideas?

If you're in dupstring() when that strcpy() happens, then I strongly
suspect that what's happening is that amatches->matches points to
freed memory which is being re-allocated in dupstring().

This could be because popheap() is being called improperly, or it may
instead be that amatches or amatches->matches is not being reset to
zero at some point where the memory it points to is correctly freed.
I believe we've had that latter come up before.

Or it could be amatches should never point into heap memory and there
is a dupstring() or zhalloc() in a spot that should be a ztrdup() or
zalloc() instead.  Most likely you're going to need to find the place
where amatches->matches is being set, rather than the spot where it is
already pointing at garbage.


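As an added illustration of the hypotheses in the reply above (this is constructed example code, not zsh's source and not from the thread): a toy push/pop heap with a global that keeps pointing into a popped scope, showing how the next dupstring() lands on the same bytes, the liveness check a debugger can apply in the narrow window before reuse, and the two remedies named above (clearing the global, or giving it permanent ztrdup()/zalloc() storage). The arena, pushheap/popheap, zhalloc, dupstring and ztrdup here are simplified stand-ins that share zsh's names only.

```c
/* Constructed model, not zsh's code: arena, pushheap/popheap, zhalloc, dupstring
 * and ztrdup are simplified stand-ins that share zsh's names, not its source. */
#include <stdlib.h>
#include <string.h>
static char arena[256];          /* one fixed heap region (model) */
static size_t heap_top = 0;      /* bump pointer: bytes below it are live */
static size_t saved_top[8]; static int saved_n = 0;   /* pushheap() stack */
/* Heap-lifetime allocation: valid only until the enclosing popheap(). */
static void *zhalloc(size_t n) {
    void *p = arena + heap_top;
    heap_top += (n + 7) & ~(size_t)7;   /* 8-byte align; no overflow check in this model */
    return p;
}
static char *dupstring(const char *s) { return strcpy(zhalloc(strlen(s) + 1), s); }
static char *ztrdup(const char *s) { return strcpy(malloc(strlen(s) + 1), s); } /* permanent */
static void pushheap(void) { saved_top[saved_n++] = heap_top; }
static void popheap(void)  { heap_top = saved_top[--saved_n]; }
/* The kind of global the thread chases (amatches->matches there): it outlives its scope. */
static char *matches = NULL;
/* Debugger-style check: at or above heap_top means popped; the next zhalloc() reuses it. */
static int points_into_live_heap(const void *p) {
    const char *c = p;
    return c >= arena && c < arena + heap_top;
}
/* Symptom: set the global in a heap scope, pop it, let dupstring("-s") reuse the bytes. */
int reproduce_dangling_global(void) {
    pushheap();
    matches = dupstring("autostart");            /* fine while the scope lives */
    popheap();                                   /* scope gone, pointer not cleared */
    int stale = !points_into_live_heap(matches); /* detectable only in this window */
    (void)dupstring("-s");                       /* same address, now "live" again */
    return stale && strcmp(matches, "-s") == 0;  /* 1: the global was silently overwritten */
}
/* Fix (a): clear the global before its scope is popped, so a later read fails loudly. */
int fixed_reset_on_pop(void) {
    pushheap();
    matches = dupstring("autostart");
    matches = NULL;
    popheap();
    (void)dupstring("-s");
    return matches == NULL;
}
/* Fix (b): permanent storage (ztrdup/zalloc), which popheap() cannot release. */
int fixed_permanent_copy(void) {
    pushheap();
    matches = ztrdup("autostart");
    popheap();
    (void)dupstring("-s");
    int ok = strcmp(matches, "autostart") == 0;
    free(matches); matches = NULL;
    return ok;
}
```

Note that once the popped bytes are handed out again the liveness check passes, which is why the corruption in the thread only shows up later, as garbage in prpre.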

* Re: completion crash
  2011-03-30 16:57   ` Bart Schaefer
@ 2011-03-30 18:34     ` Mikael Magnusson
  2011-03-31 19:56       ` Peter Stephenson
  0 siblings, 1 reply; 5+ messages in thread
From: Mikael Magnusson @ 2011-03-30 18:34 UTC (permalink / raw)
  To: zsh workers

On 30 March 2011 18:57, Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Mar 30,  6:26pm, Mikael Magnusson wrote:
> } Subject: Re: completion crash
> }
> } I've tracked this down to something calling popheap() when it
> } shouldn't, because putting "return;" at the top of popheap() makes the
> } crash go away, also, at one point during all this, in
> } parse.c:ecgetstr(), char *r gets a string assigned to it that has the
> } same address as amatches->matches, which is subsequently overwritten
> } by an strcpy. I'm not exactly sure if it's this corruption that causes
> } the crash, what eventually crashes is an access to
> } amatches->matches->prpre which is broken.
> } (gdb) print amatches->matches
> } $5 = (Cmatch *) 0x7ffff7fe3fa0
> } #1  0x000000000048008c in dupstring (s=0x6bd8fc "-s") at string.c:40
> } 40        strcpy(t, s);
> } (gdb) print t
> } $7 = 0x7ffff7fe3fa0 "-"
> }
> } This is presumably not good. Any ideas?
>
> If you're in dupstring() when that strcpy() happens, then I strongly
> suspect that what's happening is that amatches->matches points to
> freed memory which is being re-allocated in dupstring().
>
> This could be because popheap() is being called improperly, or it may
> instead be that amatches or amatches->matches is not being reset to
> zero at some point where the memory it points to is correctly freed.
> I believe we've had that latter come up before.
>
> Or it could be amatches should never point into heap memory and there
> is a dupstring() or zhalloc() in a spot that should be a ztrdup() or
> zalloc() instead.  Most likely you're going to need to find the place
> where amatches->matches is being set, rather than the spot where it is
> already pointing at garbage.

So I'm in permmatches, [1], and after this makearray call, the prpre
pointer is off. I have never looked at this code before though, so I
don't really know where this mlist array is coming from. At this
point, this is the second time the breakpoint gets hit though; only
one element in mlist (== amatches->lmatches) seems to be set:
(gdb) print **(Cmatch*)amatches->lmatches->node->next->dat
$3 = {str = 0x726174736f747561 <Address 0x726174736f747561 out of bounds>,
  orig = 0x99000074 <Address 0x99000074 out of bounds>,
  ipre = 0x726f772f616e6164 <Address 0x726f772f616e6164 out of bounds>,
  ripre = 0x99003a6b <Address 0x99003a6b out of bounds>,
  isuf = 0x7f2f69be4138 "\350A\276i/\177",
  ppre = 0xffffffff00000000 <Address 0xffffffff00000000 out of bounds>, psuf = 0x0,
  prpre = 0x7f2f00000001 <Address 0x7f2f00000001 out of bounds>,
  pre = 0x7f2f69be407c "/work:", suf = 0x1 <Address 0x1 out of bounds>, disp = 0x0,
  autoq = 0x0, flags = 1774076128, brpl = 0x0, brsl = 0x500000005, rems = 0x0,
  remf = 0x645f746900000000 <Address 0x645f746900000000 out of bounds>, qipl = 0, qisl = 0,
  rnum = 4, gnum = 0, mode = 1774076024, modec = 47 '/', fmode = 4, fmodec = 47 '/'}

If I do this
if (g->matches && *g->matches) (*g->matches)->prpre = NULL;
the crash goes away and I get the correct completion, but if I try to
zero out the prpre in the mlist entry, it still crashes, so I'm
obviously a bit confused about what's going on. This is g->matches
right after the makearray() call,
(gdb) print **g->matches
$5 = {str = 0x7f2f69be4068 "autostart", orig = 0x7f2f69be4340 "autostart",
  ipre = 0x7f2f69be4010 "dana/work:", ripre = 0x0, isuf = 0x0,
  ppre = 0x7f2f69be4038 "data/", psuf = 0x0,
  prpre = 0x7f2f6ad6c8c8 <Address 0x7f2f6ad6c8c8 out of bounds>, pre = 0x0, suf = 0x0,
  disp = 0x0, autoq = 0x0, flags = 1, brpl = 0x0, brsl = 0x0, rems = 0x0, remf = 0x0,
  qipl = 0, qisl = 0, rnum = 0, gnum = 0, mode = 16877, modec = 47 '/', fmode = 16877,
  fmodec = 47 '/'}

So I feel like I'm somehow not looking at the right mlist entry since
this has more correct stuff than the element I looked at above. (The
commandline I'm completing is "git show dana/work:data/au").

-- 
Mikael Magnusson

[1]
Breakpoint 1, permmatches (last=0) at compcore.c:3305
3305		    g->matches = makearray(mlist, 1, g->flags, &nn, &nl, &ll);
(gdb) bt
#0  permmatches (last=0) at compcore.c:3305
#1  0x00007f2f68b2d8e2 in get_nmatches (pm=0x16d30e0) at complete.c:1267
#2  0x000000000046413d in getstrvalue (v=0x7fffeed14670) at params.c:1938
#3  0x000000000046226c in getarg (str=0x7fffeed144c0,
inv=0x7fffeed144cc, v=0x7fffeed14670,
    a2=0, w=0x7fffeed144b8, prevcharlen=0x7fffeed144ac,
nextcharlen=0x7fffeed144a8)
    at params.c:1282
#4  0x0000000000463750 in getindex (pptr=0x7fffeed14550,
v=0x7fffeed14670, flags=256)
    at params.c:1670
#5  0x0000000000463e95 in fetchvalue (v=0x7fffeed14670,
pptr=0x7fffeed146b0, bracks=1,
    flags=256) at params.c:1886
#6  0x0000000000484bff in paramsubst (l=0x7fffeed14cc0, n=0x7fffeed14ca0,
    str=0x7fffeed14a20, qt=1, ssub=4) at subst.c:2188
#7  0x0000000000480df0 in stringsubst (list=0x7fffeed14cc0,
node=0x7fffeed14ca0, ssub=4,
    asssub=0) at subst.c:214
#8  0x0000000000480580 in prefork (list=0x7fffeed14cc0, flags=4) at subst.c:77
#9  0x00000000004813da in singsub (s=0x7fffeed14d88) at subst.c:369
#10 0x0000000000423ce4 in evalcond (state=0x7fffeed156b0,
fromtest=0x0) at cond.c:186
#11 0x000000000042ea24 in execcond (state=0x7fffeed156b0, do_exec=0)
at exec.c:4046
#12 0x0000000000426ec3 in execsimple (state=0x7fffeed156b0) at exec.c:1068
#13 0x00000000004271d6 in execlist (state=0x7fffeed156b0,
dont_change_job=1, exiting=0)
    at exec.c:1175
#14 0x0000000000452656 in execif (state=0x7fffeed156b0, do_exec=0) at loop.c:515
#15 0x000000000042cbc8 in execcmd (state=0x7fffeed156b0, input=0,
output=0, how=18, last1=2)
    at exec.c:3129
#16 0x00000000004286f3 in execpline2 (state=0x7fffeed156b0,
pcode=20035, how=18, input=0,
    output=0, last1=0) at exec.c:1640
#17 0x0000000000427ba9 in execpline (state=0x7fffeed156b0,
slcode=1296386, how=18, last1=0)
    at exec.c:1424
#18 0x000000000042733d in execlist (state=0x7fffeed156b0,
dont_change_job=1, exiting=0)
    at exec.c:1207
#19 0x0000000000426d5f in execode (p=0x1757e30, dont_change_job=1, exiting=0,
    context=0x49a156 "shfunc") at exec.c:1028
#20 0x000000000042fffe in runshfunc (prog=0x1757e30, wrap=0x0,
    name=0x7f2f6ad82af0 "_arguments") at exec.c:4646
#21 0x00007f2f68b2df65 in comp_wrapper (prog=0x1757e30, w=0x0,
    name=0x7f2f6ad82af0 "_arguments") at complete.c:1455
#22 0x000000000042ff64 in runshfunc (prog=0x1757e30, wrap=0x7f2f68d4bda0,
    name=0x7f2f6ad82af0 "_arguments") at exec.c:4631



* Re: completion crash
  2011-03-30 18:34     ` Mikael Magnusson
@ 2011-03-31 19:56       ` Peter Stephenson
  0 siblings, 0 replies; 5+ messages in thread
From: Peter Stephenson @ 2011-03-31 19:56 UTC (permalink / raw)
  To: zsh workers

On Wed, 30 Mar 2011 20:34:46 +0200
Mikael Magnusson <mikachu@gmail.com> wrote:
> So I'm in permmatches, [1], and after this makearray call, the prpre
> pointer is off, I have never looked at this code before though, so I
> don't really know where this mlist array is coming from.

The nearest fix I can see to code of this kind is zsh-workers/22565,
http://www.zsh.org/mla/workers/2006/msg00452.html

though there may be others in that neighbourhood; I'm certainly vaguely
aware of one that smelled similar over the last few years and the commit
log for compcore.c suggests it's probably that (though I don't know that the
one I'm thinking of was fixed in compcore.c).  It's all down to the
fact that the place is full of global variables that are tied to a
particular memory allocation state without any guide to the programmer
or debugger of how.  So you end up having to guess where it is or isn't
appropriate to use, ignore or clear those variables.

zsh-workers/23478,
http://www.zsh.org/mla/workers/2007/msg00399.html
is also similar; that was in compresult.c, also 20150,
http://www.zsh.org/mla/workers/2004/msg00803.html

-- 
Peter Stephenson <p.w.stephenson@ntlworld.com>
Web page now at http://homepage.ntlworld.com/p.w.stephenson/

