From: Christian Neukirchen
To: zsh-workers@zsh.org
Subject: Re: Segfault with zsh 5.2
Date: Mon, 07 Dec 2015 15:31:32 +0100
Message-ID: <878u56jpob.fsf@gmail.com>
References: <87h9jujttm.fsf@gmail.com> <20151207135532.1a285c15@pwslap01u.europe.root.pri>
In-Reply-To: <20151207135532.1a285c15@pwslap01u.europe.root.pri> (Peter Stephenson's message of "Mon, 07 Dec 2015 13:55:32 +0000")
List-Id: Zsh Workers List
X-Seq: 37338

Peter Stephenson writes:

> On Mon, 7 Dec 2015 14:01:57 +0100
> Christian Neukirchen wrote:
>> zle-line-init() {
>>   BUFFER="$ICMD"
>>   zle accept-line
>>   zle -D zle-line-init
>> }
>
> I couldn't get your crash to happen easily, and the crash
> actually happened in a normal alloc high up in the execution tree so
> doesn't give us much direct help apart from pointing at memory
> management. (The call was protected by signal queueing, by the way.)
>
> However, there's definitely something very dodgy in memory management
> for the code above. It's always been this way, so I think the fact it's
> just shown up is an accident. I couldn't get valgrind to show it up,
> for some reason, but the evidence from gdb is incontrovertible.
I have one valgrind run; I shall test your patch soon:

juno ~% valgrind zsh -is eval sleep 0 0 0 0
==1389== Memcheck, a memory error detector
==1389== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1389== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==1389== Command: zsh -is eval sleep 0 0 0 0
==1389==
==1397==
==1397== HEAP SUMMARY:
==1397==     in use at exit: 527,943 bytes in 10,860 blocks
==1397==   total heap usage: 16,675 allocs, 5,815 frees, 3,817,997 bytes allocated
==1397==
==1397== LEAK SUMMARY:
==1397==    definitely lost: 0 bytes in 0 blocks
==1397==    indirectly lost: 0 bytes in 0 blocks
==1397==      possibly lost: 0 bytes in 0 blocks
==1397==    still reachable: 527,943 bytes in 10,860 blocks
==1397==         suppressed: 0 bytes in 0 blocks
==1397== Rerun with --leak-check=full to see details of leaked memory
==1397==
==1397== For counts of detected and suppressed errors, rerun with: -v
==1397== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==1407==
==1407== HEAP SUMMARY:
==1407==     in use at exit: 1,891,117 bytes in 47,441 blocks
==1407==   total heap usage: 56,449 allocs, 9,008 frees, 6,313,464 bytes allocated
==1407==
==1407== LEAK SUMMARY:
==1407==    definitely lost: 0 bytes in 0 blocks
==1407==    indirectly lost: 0 bytes in 0 blocks
==1407==      possibly lost: 0 bytes in 0 blocks
==1407==    still reachable: 1,891,117 bytes in 47,441 blocks
==1407==         suppressed: 0 bytes in 0 blocks
==1407== Rerun with --leak-check=full to see details of leaked memory
==1407==
==1407== For counts of detected and suppressed errors, rerun with: -v
==1407== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==1389== Invalid read of size 4
==1389==    at 0x6187FD9: execzlefunc (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x61A0C20: zlecallhook (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x6189097: zleread (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x1550A9: zleentry (in /usr/bin/zsh)
==1389==    by 0x156648: ingetc.part.1 (in /usr/bin/zsh)
==1389==    by 0x14E22C: ihgetc (in /usr/bin/zsh)
==1389==    by 0x16039E: zshlex.part.1 (in /usr/bin/zsh)
==1389==    by 0x17EB6E: parse_event (in /usr/bin/zsh)
==1389==    by 0x151C18: loop (in /usr/bin/zsh)
==1389==    by 0x155753: zsh_main (in /usr/bin/zsh)
==1389==    by 0x57D167F: (below main) (libc-start.c:289)
==1389==  Address 0x6edca70 is 0 bytes inside a block of size 40 free'd
==1389==    at 0x4C2AE10: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1389==    by 0x6196D67: unbindwidget (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x6196DB4: bin_zle_del (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x12CB14: execbuiltin (in /usr/bin/zsh)
==1389==    by 0x13ADEC: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==    by 0x13D5F8: execlist (in /usr/bin/zsh)
==1389==    by 0x13D97C: execode (in /usr/bin/zsh)
==1389==    by 0x13E45A: runshfunc (in /usr/bin/zsh)
==1389==    by 0x13EDCF: doshfunc (in /usr/bin/zsh)
==1389==    by 0x6187FB1: execzlefunc (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==  Block was alloc'd at
==1389==    at 0x4C29BA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1389==    by 0x167C7B: zalloc (in /usr/bin/zsh)
==1389==    by 0x6197413: bin_zle_new (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x12CB14: execbuiltin (in /usr/bin/zsh)
==1389==    by 0x13ADEC: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==    by 0x13D5F8: execlist (in /usr/bin/zsh)
==1389==    by 0x162AB1: execif (in /usr/bin/zsh)
==1389==    by 0x139E5C: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==
==1389== Invalid write of size 4
==1389==    at 0x6187FEA: execzlefunc (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x61A0C20: zlecallhook (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x6189097: zleread (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x1550A9: zleentry (in /usr/bin/zsh)
==1389==    by 0x156648: ingetc.part.1 (in /usr/bin/zsh)
==1389==    by 0x14E22C: ihgetc (in /usr/bin/zsh)
==1389==    by 0x16039E: zshlex.part.1 (in /usr/bin/zsh)
==1389==    by 0x17EB6E: parse_event (in /usr/bin/zsh)
==1389==    by 0x151C18: loop (in /usr/bin/zsh)
==1389==    by 0x155753: zsh_main (in /usr/bin/zsh)
==1389==    by 0x57D167F: (below main) (libc-start.c:289)
==1389==  Address 0x6edca70 is 0 bytes inside a block of size 40 free'd
==1389==    at 0x4C2AE10: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1389==    by 0x6196D67: unbindwidget (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x6196DB4: bin_zle_del (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x12CB14: execbuiltin (in /usr/bin/zsh)
==1389==    by 0x13ADEC: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==    by 0x13D5F8: execlist (in /usr/bin/zsh)
==1389==    by 0x13D97C: execode (in /usr/bin/zsh)
==1389==    by 0x13E45A: runshfunc (in /usr/bin/zsh)
==1389==    by 0x13EDCF: doshfunc (in /usr/bin/zsh)
==1389==    by 0x6187FB1: execzlefunc (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==  Block was alloc'd at
==1389==    at 0x4C29BA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1389==    by 0x167C7B: zalloc (in /usr/bin/zsh)
==1389==    by 0x6197413: bin_zle_new (in /usr/lib/zsh/5.2/zsh/zle.so)
==1389==    by 0x12CB14: execbuiltin (in /usr/bin/zsh)
==1389==    by 0x13ADEC: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==    by 0x13D5F8: execlist (in /usr/bin/zsh)
==1389==    by 0x162AB1: execif (in /usr/bin/zsh)
==1389==    by 0x139E5C: execcmd (in /usr/bin/zsh)
==1389==    by 0x13B94D: execpline2 (in /usr/bin/zsh)
==1389==    by 0x13BD3A: execpline (in /usr/bin/zsh)
==1389==
sleep 0 0 0 0
==1410==
==1410== HEAP SUMMARY:
==1410==     in use at exit: 1,895,679 bytes in 47,458 blocks
==1410==   total heap usage: 56,713 allocs, 9,255 frees, 6,340,861 bytes allocated
==1410==
==1410== LEAK SUMMARY:
==1410==    definitely lost: 0 bytes in 0 blocks
==1410==    indirectly lost: 0 bytes in 0 blocks
==1410==      possibly lost: 0 bytes in 0 blocks
==1410==    still reachable: 1,895,679 bytes in 47,458 blocks
==1410==         suppressed: 0 bytes in 0 blocks
==1410== Rerun with --leak-check=full to see details of leaked memory
==1410==
==1410== For counts of detected and suppressed errors, rerun with: -v
==1410== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

-- 
Christian Neukirchen  http://chneukirchen.org
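The valgrind report above describes a classic use-after-free shape: execzlefunc holds a pointer to the widget while it runs the shell function, the function calls `zle -D` on itself, unbindwidget frees the 40-byte widget block, and execzlefunc then reads and writes that block once the function returns. The following is an added example written for this thread, not zsh's code and not the fix Peter posted; every name in it (Widget, exec_widget, unbind_widget, the in-use counter and free_pending flag) is hypothetical. It models a self-deleting callback and one standard remedy: whoever is executing the object holds it "in use", an unbind while in use only unlinks it and marks it for deletion, and the executor frees it after its last access. An in-use counter rather than a boolean is used so the same rule also covers a widget that re-enters itself.

```c
/* Added example (hypothetical names; not zsh's widget code). Demonstrates
 * safe handling of a callback that deletes itself while it is executing. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*widget_fn)(void);

typedef struct widget {
    const char *name;
    widget_fn fn;
    int inuse;            /* > 0 while exec_widget() is running it (nesting-safe) */
    int free_pending;     /* unbind requested while inuse > 0: free later */
    struct widget *next;
} Widget;

static Widget *widgets;   /* hypothetical widget table, singly linked */
static int frees_done;    /* instrumentation only: how many widgets were freed */
static char trace[128];   /* instrumentation only: order of events */

static void trace_add(const char *ev) {
    strncat(trace, ev, sizeof trace - strlen(trace) - 1);
}

static void reset(void) { widgets = NULL; frees_done = 0; trace[0] = '\0'; }

Widget *new_widget(const char *name, widget_fn fn) {
    Widget *w = calloc(1, sizeof *w);
    if (!w) abort();
    w->name = name;
    w->fn = fn;
    w->next = widgets;
    widgets = w;
    return w;
}

Widget *find_widget(const char *name) {
    for (Widget *w = widgets; w; w = w->next)
        if (strcmp(w->name, name) == 0)
            return w;
    return NULL;
}

static void free_widget(Widget *w) {
    free(w);
    frees_done++;
}

/* Unlink the widget so no new lookup finds it. If an executor still holds
 * it, defer the free to that executor instead of freeing under its feet. */
int unbind_widget(const char *name) {
    for (Widget **pp = &widgets; *pp; pp = &(*pp)->next) {
        Widget *w = *pp;
        if (strcmp(w->name, name) != 0)
            continue;
        *pp = w->next;
        if (w->inuse > 0) {
            w->free_pending = 1;
            trace_add("defer;");
        } else {
            free_widget(w);
            trace_add("free;");
        }
        return 0;
    }
    return -1;
}

/* Run a widget. w is read and written again after fn() returns, the same
 * shape of access the report flags, so w must outlive any unbind inside fn().
 * Returns 1 if this call performed the deferred free, else 0. */
int exec_widget(Widget *w) {
    w->inuse++;
    trace_add("run;");
    w->fn();                        /* may call unbind_widget(w->name) */
    if (--w->inuse == 0 && w->free_pending) {
        free_widget(w);             /* last holder gone: now it is safe */
        trace_add("late-free;");
        return 1;
    }
    return 0;
}

static void self_deleting_hook(void) {
    trace_add("hook;");
    unbind_widget("zle-line-init"); /* the `zle -D zle-line-init` of the thread */
}

static void idle_hook(void) { trace_add("hook;"); }

/* Scenario from the thread: the hook deletes itself mid-execution.
 * Returns 1 if it was freed exactly once and is gone from the table. */
int demo_self_delete(void) {
    reset();
    Widget *w = new_widget("zle-line-init", self_deleting_hook);
    exec_widget(w);                 /* w is freed inside; never touch it again */
    return frees_done == 1 && find_widget("zle-line-init") == NULL;
}

/* Control: deleting a widget that is not executing frees it at once. */
int demo_idle_delete(void) {
    reset();
    Widget *w = new_widget("zle-line-init", idle_hook);
    exec_widget(w);
    unbind_widget("zle-line-init");
    return frees_done == 1 && find_widget("zle-line-init") == NULL;
}

const char *last_trace(void) { return trace; }

int main(void) {
    printf("self-delete ok=%d trace=%s\n", demo_self_delete(), last_trace());
    printf("idle-delete ok=%d trace=%s\n", demo_idle_delete(), last_trace());
    return 0;
}
```

Compiling with `-fsanitize=address` (or running under valgrind as in the thread) is the quick check that the post-call accesses in exec_widget no longer touch freed memory; without the in-use counter the first scenario reproduces the invalid read and write reported above.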