(Please excuse illiterate response, I'm away but should be
back with a real computer in a day or so.)

This indicates something is wrong with the reference counting:
it shouldn't be possible for a shell code chunk to be visible
to the user without it being marked as having at least one reference.

pws


On 11 April 2023 17:14:15 BST, "Jun. T" <takimoto-j@kba.biglobe.ne.jp> wrote:

2023/04/09 6:36, Mikael Magnusson <mikachu@gmail.com> wrlte:

It seems to happen reliably for me every time, with these messages,
% MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
1: parse.c:2817: Heap EPROG has nref > 0
free(): invalid pointer
zsh: abort      MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'

It seems memory pointed to by 'Eprog p' (in function freeeprog(),
parse.c:2817) is already freed.

If TRAPEXIT() is called directly, execshfunc(shf, ..) is called
with shf pointing to the node "TRAPEXIT" in shfunctab.
Then it calls

doshfunc(shf, ..)
  starttrapscope()			// exec.c:5821
    unsettrap()				// signals.c:1079
      shfunctab->freenode(shf)		// signals.c:982

this means shf is freed by freeshfuncnode(shf). But doshfunc()
continues to use shf (=shfunc in this function), and calls
  runshfunc(prog=shf->funcdef, ..)	// exec.c:5963
This leads to crash, of course.

The simplest thing we can do would be just to prohibit
users/scripts from calling TRAPEXIT() directly. I guess this
can be done by, for example, rejecting (with error message)
shf->node.nam=="TRAPEXIT" at the top of execshfunc(shf,..).

But then users can't test TRAPEXIT manually.