* Zsh 5.9 segfault, likely due to unsafe signal handler
@ 2023-01-02 15:13 Jacob Greenfield
2023-01-16 22:48 ` Bart Schaefer
0 siblings, 1 reply; 2+ messages in thread
From: Jacob Greenfield @ 2023-01-02 15:13 UTC (permalink / raw)
To: zsh-workers
Hello,
I am using zsh 5.9 (ARM64) via Homebrew on macOS 13.1 and I ran into a segfault as I was exiting a manpage. Unfortunately I can't seem to reproduce it, but I'm attaching the crash log to this email.
I'm not very familiar with zsh's source but after a quick look, I noticed that `zhandler` calls `wait_for_processes`, which really doesn't seem to be async-signal-safe <https://en.cppreference.com/w/c/program/signal>. For example it reads from the global variable `cmdoutpid` which is just a `pid_t` rather than a `volatile sig_atomic_t` or a lock-free atomic; since it's a regular, static, non-volatile, non-atomic variable, reading it from a signal handler could lead to a data race and other UB. It makes sense that this issue would be difficult to reproduce, and that it would appear more easily on Apple Silicon which has extremely out-of-order execution that tends to trigger latent memory bugs like this.
Happy New Year! Hope this helps.
Best,
Jacob Greenfield

[-- Attachment #2.2: zsh-2023-01-02-074639.ips --]
[-- Type: application/octet-stream, Size: 8895 bytes --]
{"app_name":"zsh","timestamp":"2023-01-02 07:46:39.00 -0500","app_version":"","slice_uuid":"c873f823-0840-33b3-9ea2-98e48facb213","build_version":"","platform":1,"share_with_app_devs":1,"is_first_party":1,"bug_type":"309","os_version":"macOS 13.1 (22C65)","roots_installed":0,"incident_id":"C2745B29-3850-4E84-BE89-5ACBCB5635E3","name":"zsh"}
{
"uptime" : 470000,
"procRole" : "Unspecified",
"version" : 2,
"userID" : 501,
"deployVersion" : 210,
"modelCode" : "MacBookPro18,3",
"coalitionID" : 74941,
"osVersion" : {
"train" : "macOS 13.1",
"build" : "22C65",
"releaseType" : "User"
},
"captureTime" : "2023-01-02 07:46:38.2449 -0500",
"incident" : "C2745B29-3850-4E84-BE89-5ACBCB5635E3",
"pid" : 80902,
"translated" : false,
"cpuType" : "ARM-64",
"roots_installed" : 0,
"bug_type" : "309",
"procLaunch" : "2023-01-01 21:58:42.6027 -0500",
"procStartAbsTime" : 10830003788819,
"procExitAbsTime" : 11448225207697,
"procName" : "zsh",
"procPath" : "\/opt\/homebrew\/*\/zsh",
"parentProc" : "Exited process",
"parentPid" : 80901,
"coalitionName" : "com.apple.Terminal",
"crashReporterKey" : "45C0C43B-3D6A-F32E-1560-C0F47673421C",
"responsiblePid" : 77689,
"responsibleProc" : "Terminal",
"wakeTime" : 6959,
"sleepWakeUUID" : "0A04DC3A-3799-4809-B767-6C8E81F39884",
"sip" : "enabled",
"vmRegionInfo" : "0xf12df25ea70 is not in any region. Bytes after previous region: 16092691294833 Bytes before following region: 88979388634512\n REGION TYPE START - END [ VSIZE] PRT\/MAX SHRMOD REGION DETAIL\n commpage (reserved) 1000000000-7000000000 [384.0G] ---\/--- SM=NUL ...(unallocated)\n---> GAP OF 0x5f9000000000 BYTES\n MALLOC_NANO 600000000000-600008000000 [128.0M] rw-\/rwx SM=COW ",
"exception" : {"codes":"0x0000000000000001, 0x00000f12df25ea70","rawCodes":[1,16573727631984],"type":"EXC_BAD_ACCESS","signal":"SIGSEGV","subtype":"KERN_INVALID_ADDRESS at 0x00000f12df25ea70"},
"termination" : {"flags":0,"code":11,"namespace":"SIGNAL","indicator":"Segmentation fault: 11","byProc":"exc handler","byPid":80902},
"vmregioninfo" : "0xf12df25ea70 is not in any region. Bytes after previous region: 16092691294833 Bytes before following region: 88979388634512\n REGION TYPE START - END [ VSIZE] PRT\/MAX SHRMOD REGION DETAIL\n commpage (reserved) 1000000000-7000000000 [384.0G] ---\/--- SM=NUL ...(unallocated)\n---> GAP OF 0x5f9000000000 BYTES\n MALLOC_NANO 600000000000-600008000000 [128.0M] rw-\/rwx SM=COW ",
"extMods" : {"caller":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"system":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"targeted":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"warnings":0},
"faultingThread" : 0,
"threads" : [{"triggered":true,"id":5408853,"threadState":{"x":[{"value":16573727631968},{"value":0},{"value":0},{"value":18446744073709551600},{"value":84},{"value":82},{"value":554050781184},{"value":3344},{"value":105553176357472},{"value":4907503616},{"value":2105574300},{"value":1},{"value":129},{"value":1},{"value":128},{"value":0},{"value":6778449616,"symbolLocation":0,"symbol":"_platform_memmove"},{"value":8390611448},{"value":0},{"value":105553176357472},{"value":0},{"value":8308589088,"symbolLocation":0,"symbol":"usual"},{"value":0},{"value":0},{"value":4338810931},{"value":0},{"value":1},{"value":0},{"value":1}],"flavor":"ARM_THREAD_STATE64","lr":{"value":4338500616},"cpsr":{"value":536875008},"fp":{"value":6128592016},"sp":{"value":6128592000},"esr":{"value":2449473541,"description":"(Data Abort) byte read Translation fault"},"pc":{"value":4338529844,"matchesCrashFrame":1},"far":{"value":16573727631984}},"queue":"com.apple.main-thread","frames":[{"imageOffset":243252,"symbol":"getlinknode","symbolLocation":24,"imageIndex":0},{"imageOffset":214024,"symbol":"deletefilelist","symbolLocation":32,"imageIndex":0},{"imageOffset":214024,"symbol":"deletefilelist","symbolLocation":32,"imageIndex":0},{"imageOffset":213348,"symbol":"deletejob","symbolLocation":24,"imageIndex":0},{"imageOffset":211876,"symbol":"printjob","symbolLocation":2408,"imageIndex":0},{"imageOffset":209112,"symbol":"update_job","symbolLocation":1656,"imageIndex":0},{"imageOffset":394804,"symbol":"wait_for_processes","symbolLocation":768,"imageIndex":0},{"imageOffset":393176,"symbol":"zhandler","symbolLocation":328,"imageIndex":0},{"imageOffset":17060,"symbol":"_sigtramp","symbolLocation":56,"imageIndex":1},{"imageOffset":177184,"symbol":"lockhistfile","symbolLocation":320,"imageIndex":0},{"imageOffset":173208,"symbol":"savehistfile","symbolLocation":168,"imageIndex":0},{"imageOffset":60072,"symbol":"zexit","symbolLocation":492,"imageIndex":0},{"imageOffset":393560,"symbol":"zhandler","symbolLocation":712,"imageIndex":0},{"imageOffset":17060,"symbol":"_sigtramp","symbolLocation":56,"imageIndex":1},{"imageOffset":394024,"symbol":"signal_suspend","symbolLocation":72,"imageIndex":0},{"imageOffset":224692,"imageIndex":0},{"imageOffset":215444,"symbol":"waitjobs","symbolLocation":68,"imageIndex":0},{"imageOffset":87820,"imageIndex":0},{"imageOffset":84616,"symbol":"execlist","symbolLocation":1948,"imageIndex":0},{"imageOffset":82624,"symbol":"execode","symbolLocation":200,"imageIndex":0},{"imageOffset":189672,"symbol":"loop","symbolLocation":804,"imageIndex":0},{"imageOffset":201520,"symbol":"zsh_main","symbolLocation":1216,"imageIndex":0},{"imageOffset":24144,"symbol":"start","symbolLocation":2544,"imageIndex":2}]}],
"usedImages" : [
{
"source" : "P",
"arch" : "arm64",
"base" : 4338286592,
"size" : 540672,
"uuid" : "c873f823-0840-33b3-9ea2-98e48facb213",
"path" : "\/opt\/homebrew\/*\/zsh",
"name" : "zsh"
},
{
"source" : "P",
"arch" : "arm64e",
"base" : 6778433536,
"size" : 32764,
"uuid" : "b215ae90-4ed2-3fcd-8ccc-6c0d93cc4f41",
"path" : "\/usr\/lib\/system\/libsystem_platform.dylib",
"name" : "libsystem_platform.dylib"
},
{
"source" : "P",
"arch" : "arm64e",
"base" : 6774923264,
"size" : 568164,
"uuid" : "487cfdeb-9b07-39bf-bfb9-970b61aea2d1",
"path" : "\/usr\/lib\/dyld",
"name" : "dyld"
},
{
"size" : 0,
"source" : "A",
"base" : 0,
"uuid" : "00000000-0000-0000-0000-000000000000"
}
],
"sharedCache" : {
"base" : 6774276096,
"size" : 3434283008,
"uuid" : "00a1fbb6-43e1-3c11-8483-faf0db659249"
},
"vmSummary" : "ReadOnly portion of Libraries: Total=775.0M resident=0K(0%) swapped_out_or_unallocated=775.0M(100%)\nWritable regions: Total=839.9M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=839.9M(100%)\n\n VIRTUAL REGION \nREGION TYPE SIZE COUNT (non-coalesced) \n=========== ======= ======= \nActivity Tracing 256K 1 \nKernel Alloc Once 32K 1 \nMALLOC 207.2M 25 \nMALLOC guard page 96K 5 \nMALLOC_MEDIUM (reserved) 240.0M 2 reserved VM address space (unallocated)\nMALLOC_NANO (reserved) 384.0M 1 reserved VM address space (unallocated)\nSTACK GUARD 56.0M 1 \nStack 8176K 1 \nVM_ALLOCATE 480K 9 \n__AUTH 46K 11 \n__AUTH_CONST 76K 40 \n__DATA 527K 59 \n__DATA_CONST 476K 60 \n__DATA_DIRTY 78K 22 \n__LINKEDIT 767.6M 20 \n__OBJC_CONST 11K 5 \n__OBJC_RO 65.4M 1 \n__OBJC_RW 1986K 1 \n__TEXT 7628K 62 \ndyld private memory 256K 1 \nshared memory 32K 2 \n=========== ======= ======= \nTOTAL 1.7G 330 \nTOTAL, minus reserved VM space 1.1G 330 \n",
"legacyInfo" : {
"threadTriggered" : {
"queue" : "com.apple.main-thread"
}
},
"trialInfo" : {
"rollouts" : [
{
"rolloutId" : "62868a738e8ae2385955687e",
"factorPackIds" : {
"SIRI_DICTATION_ASSETS" : "62868adbcec4674079196394"
},
"deploymentId" : 250000003
},
{
"rolloutId" : "6112e3d2fc54bc3389840661",
"factorPackIds" : {
"SIRI_TEXT_TO_SPEECH" : "638fdbc51d92412bfb488027"
},
"deploymentId" : 240000291
}
],
"experiments" : [
]
}
}
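The backtrace in the attached report shows the shape of the problem Jacob describes: zhandler is entered once from signal_suspend, runs zexit -> savehistfile -> lockhistfile, and while that is in progress a second signal re-enters zhandler, which calls wait_for_processes -> update_job -> printjob -> deletejob -> deletefilelist and faults inside getlinknode while walking a linked list. The pattern that avoids this class of bug is to let the handler touch nothing but a `volatile sig_atomic_t` flag and to do all reaping, list manipulation and allocation from the main loop. The program below is an added illustration of that pattern, written for this thread; it is not zsh code and the names (`on_sigchld`, `reap_children`, `run_demo`) are made up here. It forks a few children and reaps them with the handler confined to setting the flag, using sigprocmask/sigsuspend to close the window between checking the flag and sleeping.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The only object the handler writes. sig_atomic_t is guaranteed to be
   readable and writable atomically with respect to signal delivery, and
   volatile stops the compiler caching it across the main loop. A plain
   pid_t or a linked list gives neither guarantee. */
static volatile sig_atomic_t child_pending = 0;

/* Anti-pattern, kept here only as a comment: a handler that calls waitpid(),
   walks job lists, frees memory or writes non-atomic globals is not
   async-signal-safe and can corrupt whatever the interrupted code was
   touching, exactly the situation the attached backtrace shows. */

static void on_sigchld(int signo)
{
    (void)signo;
    child_pending = 1;      /* record the event, do the work elsewhere */
}

static int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Runs in the main loop, never in the handler: reap every child that has
   already exited without blocking, and report how many were collected. */
static int reap_children(void)
{
    int reaped = 0;
    int status;
    pid_t pid;
    while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
        reaped++;
    return reaped;
}

/* Spawn n children that exit immediately and reap all of them through the
   flag-plus-main-loop pattern. Returns the number reaped, or -1 on error. */
int run_demo(int n)
{
    sigset_t block, old;
    int total = 0;

    if (install_handler() != 0)
        return -1;

    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0)
            _exit(0);       /* child: nothing to do */
    }

    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    while (total < n) {
        /* Block SIGCHLD while testing the flag, then atomically unblock and
           sleep in sigsuspend(); otherwise a signal arriving between the
           test and the sleep would be lost and the loop would hang. */
        sigprocmask(SIG_BLOCK, &block, &old);
        while (!child_pending)
            sigsuspend(&old);
        child_pending = 0;
        sigprocmask(SIG_SETMASK, &old, NULL);

        total += reap_children();   /* all the real work happens here */
    }
    return total;
}

int main(void)
{
    int got = run_demo(3);
    printf("reaped %d children\n", got);
    return got == 3 ? 0 : 1;
}
```

Clearing the flag before calling reap_children() is deliberate: if a child exits after the clear but before waitpid() sees it, the handler sets the flag again and the next pass around the loop simply finds nothing left to reap, rather than missing an event.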