(Please excuse illiterate response, I'm away but should be
back with a real computer in a day or so.)

This indicates something is wrong with the reference counting:
it shouldn't be possible for a shell code chunk to be visible
to the user without it being marked as having at least one reference.

pws


On 11 April 2023 17:14:15 BST, "Jun. T" <takimoto-j@kba.biglobe.ne.jp> wrote:
>
>> 2023/04/09 6:36, Mikael Magnusson <mikachu@gmail.com> wrlte:
>
>> It seems to happen reliably for me every time, with these messages,
>> % MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
>> 1: parse.c:2817: Heap EPROG has nref > 0
>> free(): invalid pointer
>> zsh: abort      MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
>
>It seems memory pointed to by 'Eprog p' (in function freeeprog(),
>parse.c:2817) is already freed.
>
>If TRAPEXIT() is called directly, execshfunc(shf, ..) is called
>with shf pointing to the node "TRAPEXIT" in shfunctab.
>Then it calls
>
>doshfunc(shf, ..)
>  starttrapscope()			// exec.c:5821
>    unsettrap()				// signals.c:1079
>      shfunctab->freenode(shf)		// signals.c:982
>
>this means shf is freed by freeshfuncnode(shf). But doshfunc()
>continues to use shf (=shfunc in this function), and calls
>  runshfunc(prog=shf->funcdef, ..)	// exec.c:5963
>This leads to crash, of course.
>
>The simplest thing we can do would be just to prohibit
>users/scripts from calling TRAPEXIT() directly. I guess this
>can be done by, for example, rejecting (with error message)
>shf->node.nam=="TRAPEXIT" at the top of execshfunc(shf,..).
>
>But then users can't test TRAPEXIT manually.
>