2023/04/09 6:36, Mikael Magnusson <mikachu@gmail.com> wrote:

> It seems to happen reliably for me every time, with these messages,
> % MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
> 1: parse.c:2817: Heap EPROG has nref > 0
> free(): invalid pointer
> zsh: abort      MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'

It seems memory pointed to by 'Eprog p' (in function freeeprog(),
parse.c:2817) is already freed.

If TRAPEXIT() is called directly, execshfunc(shf, ..) is called
with shf pointing to the node "TRAPEXIT" in shfunctab.
Then it calls
    doshfunc(shf, ..)
      starttrapscope()    // exec.c:5821
        unsettrap()    // signals.c:1079
          shfunctab->freenode(shf)    // signals.c:982
this means shf is freed by freeshfuncnode(shf). But doshfunc()
continues to use shf (=shfunc in this function), and calls
    runshfunc(prog=shf->funcdef, ..)    // exec.c:5963
This leads to crash, of course.

The simplest thing we can do would be just to prohibit
users/scripts from calling TRAPEXIT() directly. I guess this
can be done by, for example, rejecting (with error message)
shf->node.nam=="TRAPEXIT" at the top of execshfunc(shf,..).
But then users can't test TRAPEXIT manually.
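
The call chain and the suggested guard from the message above, as a toy C model added here for illustration; it is not zsh source and not part of the original message. The `_model` and `_guarded` functions, the one-slot table, the return codes and the error text are assumptions, and the stale node is reported rather than dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy model, not zsh source: a one-slot stand-in for shfunctab. */
typedef struct shfunc { char nam[16]; const char *funcdef; } shfunc;
enum { RAN_OK, REJECTED, STALE_NODE };
static shfunc *slot;
static shfunc *define_func(const char *nam, const char *body) {
    free(slot);
    slot = calloc(1, sizeof *slot);
    if (!slot) abort();
    snprintf(slot->nam, sizeof slot->nam, "%s", nam);
    slot->funcdef = body;
    return slot;
}

/* Models starttrapscope() -> unsettrap() -> freenode(): drops the
 * TRAPEXIT node; returns 1 if that is the node the caller still holds. */
static int starttrapscope_model(const shfunc *held) {
    if (!slot || strcmp(slot->nam, "TRAPEXIT") != 0) return 0;
    int same = (slot == held);
    free(slot);
    slot = NULL;
    return same;
}

/* Models doshfunc(): the stale case is reported here, where the real
 * code goes on to read shf->funcdef. */
static int doshfunc_model(shfunc *shf) {
    if (starttrapscope_model(shf)) return STALE_NODE;
    printf("running: %s\n", shf->funcdef);
    return RAN_OK;
}

/* The guard suggested in the message; the error text is hypothetical. */
static int execshfunc_guarded(shfunc *shf) {
    if (strcmp(shf->nam, "TRAPEXIT") == 0) {
        fprintf(stderr, "TRAPEXIT: cannot be called directly\n");
        return REJECTED;
    }
    return doshfunc_model(shf);
}

int main(void) {
    printf("unguarded: %d\n", doshfunc_model(define_func("TRAPEXIT", "ls")));
    printf("guarded:   %d\n", execshfunc_guarded(define_func("TRAPEXIT", "ls")));
    printf("other:     %d\n", execshfunc_guarded(define_func("greet", "echo hi")));
    return 0;
}
```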