Date: Tue, 11 Apr 2023 17:29:20 +0100
From: Peter Stephenson <p.w.stephenson@ntlworld.com>
To: zsh-workers@zsh.org, "Jun. T" <takimoto-j@kba.biglobe.ne.jp>
Subject: Re: Probabilistic crash on zsh 5.9 on x86_64
In-Reply-To: <48A7DCE2-AEC1-4777-949C-50917EDCECB1@kba.biglobe.ne.jp>
References: <48A7DCE2-AEC1-4777-949C-50917EDCECB1@kba.biglobe.ne.jp>
Message-ID: <5C4788C8-4E40-4565-AFE8-84D57949BC8C@ntlworld.com>

(Please excuse illiterate response, I'm away but should be back with a
real computer in a day or so.)

This indicates something is wrong with the reference counting:
it shouldn't be possible for a shell code chunk to be visible
to the user without it being marked as having at least one reference.

pws

On 11 April 2023 17:14:15 BST, "Jun. T" <takimoto-j@kba.biglobe.ne.jp> wrote:
>
>> 2023/04/09 6:36, Mikael Magnusson <mikachu@gmail.com> wrote:
>>
>> It seems to happen reliably for me every time, with these messages,
>> % MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
>> 1: parse.c:2817: Heap EPROG has nref > 0
>> free(): invalid pointer
>> zsh: abort MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
>
>It seems memory pointed to by 'Eprog p' (in function freeeprog(),
>parse.c:2817) is already freed.
>
>If TRAPEXIT() is called directly, execshfunc(shf, ..) is called
>with shf pointing to the node "TRAPEXIT" in shfunctab.
>Then it calls
>
>doshfunc(shf, ..)
>  starttrapscope()            // exec.c:5821
>    unsettrap()               // signals.c:1079
>      shfunctab->freenode(shf) // signals.c:982
>
>this means shf is freed by freeshfuncnode(shf). But doshfunc()
>continues to use shf (=shfunc in this function), and calls
>  runshfunc(prog=shf->funcdef, ..)  // exec.c:5963
>This leads to crash, of course.
>
>The simplest thing we can do would be just to prohibit
>users/scripts from calling TRAPEXIT() directly. I guess this
>can be done by, for example, rejecting (with error message)
>shf->node.nam=="TRAPEXIT" at the top of execshfunc(shf,..).
>
>But then users can't test TRAPEXIT manually.
>
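A constructed C model of the sequence Jun T traces above, added here as an illustration and not taken from zsh: a function-table node owns one reference to its code chunk, unsetting the trap frees that node, and the caller keeps using the chunk. The guarded variant shows the refcount-holding pattern Peter's remark points at. `Eprog`, `Shfunc`, `freeeprog` and `unsettrap` are simplified stand-ins for the zsh names in the thread; `doshfunc_unguarded`, `doshfunc_guarded` and `freed_progs` are invented for this example.

```c
/* Toy model of the trap-function lifetime problem (not zsh's code). */
#include <stdlib.h>
#include <string.h>

typedef struct { int nref; const char *code; } Eprog;        /* code chunk */
typedef struct { char name[16]; Eprog *funcdef; } Shfunc;    /* table node */

static int freed_progs;   /* counts Eprogs actually released by freeeprog() */

static Eprog *new_eprog(const char *code) {
    Eprog *p = malloc(sizeof *p);
    p->nref = 1;                  /* the creator holds the first reference */
    p->code = code;
    return p;
}
static void freeeprog(Eprog *p) {
    if (--p->nref == 0) { free(p); freed_progs++; }
}
static Shfunc *new_shfunc(const char *name, Eprog *prog) {
    Shfunc *s = malloc(sizeof *s);
    strncpy(s->name, name, sizeof s->name - 1);
    s->name[sizeof s->name - 1] = '\0';
    s->funcdef = prog;            /* the table node takes over that reference */
    return s;
}
/* Unsetting the trap drops the table node and the reference it owned. */
static void unsettrap(Shfunc *shf) { freeeprog(shf->funcdef); free(shf); }

/* Bug pattern: unset the trap, then expect shf->funcdef to still be live.
 * Instead of dereferencing freed memory, we report whether the chunk
 * survived via the freed_progs counter. Returns 1 if it is still alive. */
static int doshfunc_unguarded(Shfunc *shf) {
    int before = freed_progs;
    unsettrap(shf);               /* frees shf and, with it, the only reference */
    return freed_progs == before; /* 0 here: any later use would be a UAF */
}

/* Guarded form: take our own reference before anything can free the node,
 * so the chunk outlives the trap scope, and release it when we are done. */
static int doshfunc_guarded(Shfunc *shf) {
    Eprog *prog = shf->funcdef;
    prog->nref++;                 /* caller's reference, held across unsettrap */
    unsettrap(shf);
    int alive = prog->nref > 0 && prog->code != NULL;  /* safe: we hold a ref */
    freeeprog(prog);              /* last reference gone: freed only now */
    return alive;
}
```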