ZSH completion crash with "typeset compstate"

ZSH completion crash with "typeset compstate"

[Mickaël THOMAS]

Found this by accident (I intended to use "typeset -p" for debugging).

% _f() { typeset compstate } ; compdef _f f
% f
Program received signal SIGSEGV, Segmentation fault.
0x00000000004d8324 in set_compstate (pm=0x7b6c90, ht=0x83b3c0) at
complete.c:1270
1270                            zsfree(*((char **) cp->var));
(gdb) p cp->var
$1 = (void *) 0x0
(gdb) bt 10
#0  0x00000000004d8324 in set_compstate (pm=0x7b6c90, ht=0x83b3c0) at
complete.c:1270
#1  0x000000000046f9b0 in scanendscope (hn=0x7b6c90, flags=0) at params.c:5091
#2  0x0000000000439240 in scanmatchtable (ht=0x7a1be0, pprog=0x0,
sorted=0, flags1=0, flags2=0, scanfunc=0x46f76c <scanendscope>,
scanflags=0) at hashtable.c:428
#3  0x00000000004392b6 in scanhashtable (ht=0x7a1be0, sorted=0,
flags1=0, flags2=0, scanfunc=0x46f76c <scanendscope>, scanflags=0) at
hashtable.c:444
#4  0x000000000046f651 in endparamscope () at params.c:5033
#5  0x000000000042dfb0 in runshfunc (prog=0x7aefa0, wrap=0x0,
name=0x7ffff7fc4028 "_f") at exec.c:5390
#6  0x00000000004d89ed in comp_wrapper (prog=0x7aefa0, w=0x0,
name=0x7ffff7fc4028 "_f") at complete.c:1472
#7  0x000000000042decc in runshfunc (prog=0x7aefa0, wrap=0x777f60
<wrapper>, name=0x7ffff7fc4028 "_f") at exec.c:5370
#8  0x000000000042d9a6 in doshfunc (shfunc=0x7b6810,
doshargs=0x7ffff7fc88e8, noreturnval=0) at exec.c:5251
#9  0x000000000042cc9a in execshfunc (shf=0x7b6810,
args=0x7ffff7fc88e8) at exec.c:4877

Re: ZSH completion crash with "typeset compstate"

[Peter Stephenson]

On Sun, 04 Sep 2016 22:04:45 +0200
Mickaël THOMAS <mickael9@gmail.com> wrote:
> Found this by accident (I intended to use "typeset -p" for debugging).
> 
> % _f() { typeset compstate } ; compdef _f f
> % f
      ^<TAB>
> Program received signal SIGSEGV, Segmentation fault.

No great surprise this does something funny, the question is how to make
it a bit safer.

Here's one possible easy way: mark the parameter as being allowed to
have only a single instance, so you can't make a local copy with a
typeset.  The case above now produces an error message:

_f:typeset: compstate: can only have a single instance

I think trying to make compstate safe about multiple instances is both
difficult and pointless.

There's no undocumented overloading that prevents me from using 1<<20
for the new flag, is there?

pws

diff --git a/Src/Zle/complete.c b/Src/Zle/complete.c
index b28b95e..4bf238f 100644
--- a/Src/Zle/complete.c
+++ b/Src/Zle/complete.c
@@ -1238,8 +1238,9 @@ makecompparams(void)
 
     addcompparams(comprparams, comprpms);
 
-    if (!(cpm = createparam(COMPSTATENAME,
-			    PM_SPECIAL|PM_REMOVABLE|PM_LOCAL|PM_HASHED)))
+    if (!(cpm = createparam(
+	      COMPSTATENAME,
+	      PM_SPECIAL|PM_REMOVABLE|PM_SINGLE|PM_LOCAL|PM_HASHED)))
 	cpm = (Param) paramtab->getnode(paramtab, COMPSTATENAME);
     DPUTS(!cpm, "param not set in makecompparams");
 
diff --git a/Src/builtin.c b/Src/builtin.c
index da45300..3b82c9e 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -2266,6 +2266,10 @@ typeset_single(char *cname, char *pname, Param pm, UNUSED(int func),
 	    zerrnam(cname, "%s: restricted", pname);
 	    return pm;
 	}
+	if (pm->node.flags & PM_SINGLE) {
+	    zerrnam(cname, "%s: can only have a single instance", pname);
+	    return pm;
+	}
 	/*
 	 * For specials, we keep the same struct but zero everything.
 	 * Maybe it would be easier to create a new struct but copy
diff --git a/Src/zsh.h b/Src/zsh.h
index 36fddd0..87e6a98 100644
--- a/Src/zsh.h
+++ b/Src/zsh.h
@@ -1792,6 +1792,7 @@ struct tieddata {
 #define PM_ZSHSTORED	(1<<18) /* function stored in zsh form              */
 
 /* Remaining flags do not correspond directly to command line arguments */
+#define PM_SINGLE       (1<<20) /* special can only have a single instance  */
 #define PM_LOCAL	(1<<21) /* this parameter will be made local        */
 #define PM_SPECIAL	(1<<22) /* special builtin parameter                */
 #define PM_DONTIMPORT	(1<<23)	/* do not import this variable              */