From: "Jun. T"
Subject: Re: Probabilistic crash on zsh 5.9 on x86_64
Date: Wed, 12 Apr 2023 01:14:15 +0900
To: zsh-workers@zsh.org
Message-Id: <48A7DCE2-AEC1-4777-949C-50917EDCECB1@kba.biglobe.ne.jp>

> 2023/04/09 6:36, Mikael Magnusson wrote:
>
> It seems to happen reliably for me every time, with these messages,
> % MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
> 1: parse.c:2817: Heap EPROG has nref > 0
> free(): invalid pointer
> zsh: abort MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'

It seems memory pointed to by 'Eprog p' (in function freeeprog(),
parse.c:2817) is already freed.

If TRAPEXIT() is called directly, execshfunc(shf, ..) is called
with shf pointing to the node "TRAPEXIT" in shfunctab.
Then it calls

doshfunc(shf, ..)
  starttrapscope()                 // exec.c:5821
    unsettrap()                    // signals.c:1079
      shfunctab->freenode(shf)     // signals.c:982

this means shf is freed by freeshfuncnode(shf).

But doshfunc() continues to use shf (=shfunc in this function),
and calls
  runshfunc(prog=shf->funcdef, ..) // exec.c:5963
This leads to crash, of course.

The simplest thing we can do would be just to prohibit users/scripts
from calling TRAPEXIT() directly. I guess this can be done by,
for example, rejecting (with error message) shf->node.nam=="TRAPEXIT"
at the top of execshfunc(shf,..).
But then users can't test TRAPEXIT manually.
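
The call chain in the message above, as an added example that is not zsh source and not part of the original mail: a small C model of a caller holding a function-table node across a scope change that frees it, with the name check the mail proposes as the guard. All identifiers (exec_shfunc, do_shfunc, start_trap_scope, the "greet" function) are hypothetical stand-ins, and nodes live in a static pool with a `live` flag so the stale access is detected rather than undefined.

```c
/* Simplified model of the node lifetime problem; hypothetical names, not zsh code. */
#include <stdio.h>
#include <string.h>

enum result { RAN_OK, STALE_NODE, REJECTED };

struct shfunc { const char *nam; const char *funcdef; int live; };

static struct shfunc table[2];   /* stands in for shfunctab */

static void table_init(void) {
    table[0] = (struct shfunc){ "TRAPEXIT", "ls", 1 };       /* constructed sample */
    table[1] = (struct shfunc){ "greet", "echo hi", 1 };     /* constructed sample */
}

static struct shfunc *lookup(const char *nam) {
    for (size_t i = 0; i < 2; i++)
        if (table[i].live && strcmp(table[i].nam, nam) == 0)
            return &table[i];
    return NULL;
}

/* Stands in for freenode(): after this the node must not be used. */
static void free_node(struct shfunc *shf) { shf->live = 0; }

/* Stands in for starttrapscope() -> unsettrap(): removes the TRAPEXIT node,
 * following the chain given in the mail. */
static void start_trap_scope(void) {
    struct shfunc *t = lookup("TRAPEXIT");
    if (t) free_node(t);
}

/* Stands in for doshfunc(): keeps using shf after the scope change. */
static enum result do_shfunc(struct shfunc *shf) {
    start_trap_scope();
    if (!shf->live)
        return STALE_NODE;   /* the real code would read shf->funcdef from freed memory */
    return RAN_OK;           /* here the function body (shf->funcdef) would run */
}

/* Stands in for execshfunc(); guard != 0 enables the proposed name check. */
static enum result exec_shfunc(struct shfunc *shf, int guard) {
    if (guard && strcmp(shf->nam, "TRAPEXIT") == 0) {
        fprintf(stderr, "%s: cannot be called directly\n", shf->nam);
        return REJECTED;
    }
    return do_shfunc(shf);
}
```

With the guard off, calling the TRAPEXIT node directly reports the stale node; with it on, the call is rejected before the scope change and the node stays in the table, while other functions run as before.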