zsh-workers
* Zsh 5.9 segfault, likely due to unsafe signal handler
@ 2023-01-02 15:13 Jacob Greenfield
  2023-01-16 22:48 ` Bart Schaefer
From: Jacob Greenfield @ 2023-01-02 15:13 UTC (permalink / raw)
  To: zsh-workers

[-- Attachment #1: Type: text/plain, Size: 993 bytes --]

Hello,

I am using zsh 5.9 (ARM64) via Homebrew on macOS 13.1 and I ran into a segfault as I was exiting a manpage. Unfortunately I can't seem to reproduce it, but I'm attaching the crash log to this email.

I'm not very familiar with zsh's source but after a quick look, I noticed that `zhandler` calls `wait_for_processes`, which really doesn't seem to be async-signal-safe <https://en.cppreference.com/w/c/program/signal>. For example it reads from the global variable `cmdoutpid` which is just a `pid_t` rather than a `volatile sig_atomic_t` or a lock-free atomic; since it's a regular, static, non-volatile, non-atomic variable, reading it from a signal handler could lead to a data race and other UB. It makes sense that this issue would be difficult to reproduce, and that it would appear more easily on Apple Silicon which has extremely out-of-order execution that tends to trigger latent memory bugs like this.

Happy New Year! Hope this helps.

Best,
Jacob Greenfield




[-- Attachment #2.2: zsh-2023-01-02-074639.ips --]
[-- Type: application/octet-stream, Size: 8895 bytes --]

{"app_name":"zsh","timestamp":"2023-01-02 07:46:39.00 -0500","app_version":"","slice_uuid":"c873f823-0840-33b3-9ea2-98e48facb213","build_version":"","platform":1,"share_with_app_devs":1,"is_first_party":1,"bug_type":"309","os_version":"macOS 13.1 (22C65)","roots_installed":0,"incident_id":"C2745B29-3850-4E84-BE89-5ACBCB5635E3","name":"zsh"}
{
  "uptime" : 470000,
  "procRole" : "Unspecified",
  "version" : 2,
  "userID" : 501,
  "deployVersion" : 210,
  "modelCode" : "MacBookPro18,3",
  "coalitionID" : 74941,
  "osVersion" : {
    "train" : "macOS 13.1",
    "build" : "22C65",
    "releaseType" : "User"
  },
  "captureTime" : "2023-01-02 07:46:38.2449 -0500",
  "incident" : "C2745B29-3850-4E84-BE89-5ACBCB5635E3",
  "pid" : 80902,
  "translated" : false,
  "cpuType" : "ARM-64",
  "roots_installed" : 0,
  "bug_type" : "309",
  "procLaunch" : "2023-01-01 21:58:42.6027 -0500",
  "procStartAbsTime" : 10830003788819,
  "procExitAbsTime" : 11448225207697,
  "procName" : "zsh",
  "procPath" : "\/opt\/homebrew\/*\/zsh",
  "parentProc" : "Exited process",
  "parentPid" : 80901,
  "coalitionName" : "com.apple.Terminal",
  "crashReporterKey" : "45C0C43B-3D6A-F32E-1560-C0F47673421C",
  "responsiblePid" : 77689,
  "responsibleProc" : "Terminal",
  "wakeTime" : 6959,
  "sleepWakeUUID" : "0A04DC3A-3799-4809-B767-6C8E81F39884",
  "sip" : "enabled",
  "vmRegionInfo" : "0xf12df25ea70 is not in any region.  Bytes after previous region: 16092691294833  Bytes before following region: 88979388634512\n      REGION TYPE                    START - END         [ VSIZE] PRT\/MAX SHRMOD  REGION DETAIL\n      commpage (reserved)        1000000000-7000000000   [384.0G] ---\/--- SM=NUL  ...(unallocated)\n--->  GAP OF 0x5f9000000000 BYTES\n      MALLOC_NANO              600000000000-600008000000 [128.0M] rw-\/rwx SM=COW  ",
  "exception" : {"codes":"0x0000000000000001, 0x00000f12df25ea70","rawCodes":[1,16573727631984],"type":"EXC_BAD_ACCESS","signal":"SIGSEGV","subtype":"KERN_INVALID_ADDRESS at 0x00000f12df25ea70"},
  "termination" : {"flags":0,"code":11,"namespace":"SIGNAL","indicator":"Segmentation fault: 11","byProc":"exc handler","byPid":80902},
  "extMods" : {"caller":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"system":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"targeted":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"warnings":0},
  "faultingThread" : 0,
  "threads" : [{
    "triggered" : true,
    "id" : 5408853,
    "threadState" : {
      "x" : [{"value":16573727631968},{"value":0},{"value":0},{"value":18446744073709551600},{"value":84},{"value":82},{"value":554050781184},{"value":3344},{"value":105553176357472},{"value":4907503616},{"value":2105574300},{"value":1},{"value":129},{"value":1},{"value":128},{"value":0},{"value":6778449616,"symbolLocation":0,"symbol":"_platform_memmove"},{"value":8390611448},{"value":0},{"value":105553176357472},{"value":0},{"value":8308589088,"symbolLocation":0,"symbol":"usual"},{"value":0},{"value":0},{"value":4338810931},{"value":0},{"value":1},{"value":0},{"value":1}],
      "flavor" : "ARM_THREAD_STATE64",
      "lr" : {"value":4338500616},
      "cpsr" : {"value":536875008},
      "fp" : {"value":6128592016},
      "sp" : {"value":6128592000},
      "esr" : {"value":2449473541,"description":"(Data Abort) byte read Translation fault"},
      "pc" : {"value":4338529844,"matchesCrashFrame":1},
      "far" : {"value":16573727631984}
    },
    "queue" : "com.apple.main-thread",
    "frames" : [
      {"imageOffset":243252,"symbol":"getlinknode","symbolLocation":24,"imageIndex":0},
      {"imageOffset":214024,"symbol":"deletefilelist","symbolLocation":32,"imageIndex":0},
      {"imageOffset":214024,"symbol":"deletefilelist","symbolLocation":32,"imageIndex":0},
      {"imageOffset":213348,"symbol":"deletejob","symbolLocation":24,"imageIndex":0},
      {"imageOffset":211876,"symbol":"printjob","symbolLocation":2408,"imageIndex":0},
      {"imageOffset":209112,"symbol":"update_job","symbolLocation":1656,"imageIndex":0},
      {"imageOffset":394804,"symbol":"wait_for_processes","symbolLocation":768,"imageIndex":0},
      {"imageOffset":393176,"symbol":"zhandler","symbolLocation":328,"imageIndex":0},
      {"imageOffset":17060,"symbol":"_sigtramp","symbolLocation":56,"imageIndex":1},
      {"imageOffset":177184,"symbol":"lockhistfile","symbolLocation":320,"imageIndex":0},
      {"imageOffset":173208,"symbol":"savehistfile","symbolLocation":168,"imageIndex":0},
      {"imageOffset":60072,"symbol":"zexit","symbolLocation":492,"imageIndex":0},
      {"imageOffset":393560,"symbol":"zhandler","symbolLocation":712,"imageIndex":0},
      {"imageOffset":17060,"symbol":"_sigtramp","symbolLocation":56,"imageIndex":1},
      {"imageOffset":394024,"symbol":"signal_suspend","symbolLocation":72,"imageIndex":0},
      {"imageOffset":224692,"imageIndex":0},
      {"imageOffset":215444,"symbol":"waitjobs","symbolLocation":68,"imageIndex":0},
      {"imageOffset":87820,"imageIndex":0},
      {"imageOffset":84616,"symbol":"execlist","symbolLocation":1948,"imageIndex":0},
      {"imageOffset":82624,"symbol":"execode","symbolLocation":200,"imageIndex":0},
      {"imageOffset":189672,"symbol":"loop","symbolLocation":804,"imageIndex":0},
      {"imageOffset":201520,"symbol":"zsh_main","symbolLocation":1216,"imageIndex":0},
      {"imageOffset":24144,"symbol":"start","symbolLocation":2544,"imageIndex":2}
    ]
  }],
  "usedImages" : [
  {
    "source" : "P",
    "arch" : "arm64",
    "base" : 4338286592,
    "size" : 540672,
    "uuid" : "c873f823-0840-33b3-9ea2-98e48facb213",
    "path" : "\/opt\/homebrew\/*\/zsh",
    "name" : "zsh"
  },
  {
    "source" : "P",
    "arch" : "arm64e",
    "base" : 6778433536,
    "size" : 32764,
    "uuid" : "b215ae90-4ed2-3fcd-8ccc-6c0d93cc4f41",
    "path" : "\/usr\/lib\/system\/libsystem_platform.dylib",
    "name" : "libsystem_platform.dylib"
  },
  {
    "source" : "P",
    "arch" : "arm64e",
    "base" : 6774923264,
    "size" : 568164,
    "uuid" : "487cfdeb-9b07-39bf-bfb9-970b61aea2d1",
    "path" : "\/usr\/lib\/dyld",
    "name" : "dyld"
  },
  {
    "size" : 0,
    "source" : "A",
    "base" : 0,
    "uuid" : "00000000-0000-0000-0000-000000000000"
  }
],
  "sharedCache" : {
  "base" : 6774276096,
  "size" : 3434283008,
  "uuid" : "00a1fbb6-43e1-3c11-8483-faf0db659249"
}
}
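The defensive pattern the message points toward (the handler touches only a `volatile sig_atomic_t`, and all `waitpid()` and job-list work runs in the main loop, which also avoids the lost-wakeup race by pairing the flag with `sigsuspend()`), written out in C as an added illustration; it is not zsh's code and is not offered as the fix for this report. `child_changed`, `on_sigchld`, `reap_children` and `run_demo` are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* The only state the handler touches: sig_atomic_t is the one integer type
 * C guarantees is written atomically with respect to signal delivery, and
 * volatile stops the compiler caching it across the wait loop below. */
static volatile sig_atomic_t child_changed = 0;

static void on_sigchld(int signo) {
    (void)signo;
    child_changed = 1;   /* record the event and return; nothing else */
}

/* Main-context bookkeeping: reap every child that has changed state and
 * return the exit status of the last one reaped (-1 if none). */
static int reap_children(void) {
    int status, last = -1;
    while (waitpid(-1, &status, WNOHANG) > 0)
        if (WIFEXITED(status))
            last = WEXITSTATUS(status);
    return last;
}

/* Fork a child that exits with `code`, then wait for SIGCHLD without a
 * lost-wakeup race: block it, test the flag, and let sigsuspend() unblock
 * it atomically while sleeping. Returns the child's exit status. */
int run_demo(int code) {
    struct sigaction sa = {0};
    sigset_t block, orig;
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGCHLD, &sa, NULL) != 0)
        return -1;
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &orig);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(code);          /* child: exit immediately with the given status */
    while (!child_changed)
        sigsuspend(&orig);    /* returns after the handler has set the flag */
    child_changed = 0;
    sigprocmask(SIG_SETMASK, &orig, NULL);
    return reap_children();   /* waitpid() and job-list work stay outside the handler */
}
```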



Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/
