* memory leak (2): named reference
@ 2024-06-28 10:19 Jun T
2024-08-05 22:53 ` Bart Schaefer
0 siblings, 1 reply; 4+ messages in thread
From: Jun T @ 2024-06-28 10:19 UTC (permalink / raw)
To: zsh-workers
This is the second problem (related with the named reference).
In the following all the tests are run as
% valgrind --leak-check=full zsh -f test_n
% cat test1
typeset -n ptr
ptr=ptr
Invalid read of size 8
at 0x1A498C: assignstrvalue (params.c:2814)
Address 0x4bd6120 is 48 bytes inside a block of size 80 free'd
by 0x193DB1: zfree (mem.c:1871)
by 0x1AE241: freeparamnode (params.c:5913)
by 0x1AA4A1: unsetparam_pm (params.c:3871)
by 0x1AF873: setscope (params.c:6374)
by 0x1A4983: assignstrvalue (params.c:2813)
assignstrvalue() calls setscope(pm), and when it finds the self reference
(params.c:6374) it calls (indirectly) zfree(pm). But just after returning
from setscope() (params.c:2814) the freed pm is used.
% cat test2
typeset -n ptr
for ptr in foo
do; done
4 bytes in 1 blocks are definitely lost in loss record 20 of 384
by 0x1935B9: zalloc (mem.c:966)
by 0x1CEB5E: ztrdup (string.c:83)
by 0x188FBE: execfor (loop.c:168)
This is simple. In execfor()
loop.c:168 setloopvar(name, ztrdup(str))
but in setloopvar(name, value)
params.c:6329 SETREFNAME(pm, ztrdup(value))
I think we don't need two ztrdup()'s here, and the problem can be fixed
by removing the second ztrdup().
% cat test3
typeset -n ref
for ref in one ref
do; done
Invalid read of size 4
at 0x1AF3D9: setloopvar (params.c:6333)
Address 0x4bd5af0 is 16 bytes inside a block of size 80 free'd
by 0x193DB1: zfree (mem.c:1871)
by 0x1AE241: freeparamnode (params.c:5913)
by 0x1AA4A1: unsetparam_pm (params.c:3871)
by 0x1AFB27: setscope (params.c:6409)
by 0x1AF3D4: setloopvar (params.c:6332)
This similar to test1. setscope(pm) (params.c:6332) calls zfree(pm),
but the pm used just after it.
test3 also causes two memory leaks.
One is the same as test2; 7 bytes ("aa" and "ref", allocated by
ztrdup() at loop.c:168) are lost.
In the other, 4 bytes ("ref", allocated by ztrdup() at params.c:6329)
are lost. This is caused by aborting the loop by the self reference
and can't be fixed by removing the ztrdup() from params.c:6329.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: memory leak (2): named reference
2024-06-28 10:19 memory leak (2): named reference Jun T
@ 2024-08-05 22:53 ` Bart Schaefer
2024-08-06 16:03 ` Jun. T
0 siblings, 1 reply; 4+ messages in thread
From: Bart Schaefer @ 2024-08-05 22:53 UTC (permalink / raw)
To: Jun T; +Cc: zsh-workers
[-- Attachment #1: Type: text/plain, Size: 1825 bytes --]
On Fri, Jun 28, 2024 at 3:19 AM Jun T <takimoto-j@kba.biglobe.ne.jp> wrote:
>
> % cat test1
> typeset -n ptr
> ptr=ptr
>
> Invalid read of size 8
> at 0x1A498C: assignstrvalue (params.c:2814)
Can fix this one by testing errflag.
> % cat test2
> typeset -n ptr
> for ptr in foo
> do; done
>
> 4 bytes in 1 blocks are definitely lost in loss record 20 of 384
>
> This is simple. In execfor()
> loop.c:168 setloopvar(name, ztrdup(str))
> but in setloopvar(name, value)
> params.c:6329 SETREFNAME(pm, ztrdup(value))
> I think we don't need two ztrdup()'s here, and the problem can be fixed
> by removing the second ztrdup().
Actually it seems to be best to remove the first ztrdup() (loop.c:168)
and just allow setloopvar() to always do the allocation. This means
adding a ztrdup() to the "else" case in setloopvar().
> % cat test3
> typeset -n ref
> for ref in one ref
> do; done
>
> Invalid read of size 4
> at 0x1AF3D9: setloopvar (params.c:6333)
Another that can be avoided by testing errflag.
> test3 also causes two memory leaks.
> One is the same as test2
Fixed by the suggested ztrdup() removal.
> In the other, 4 bytes ("ref", allocated by ztrdup() at params.c:6329)
> are lost. This is caused by aborting the loop by the self reference
This is more difficult. What's actually leaking is the value of "one"
in the multiple-var "for" construct, when we bail out on the "ref"
error.
The fix for this would require memoizing each parameter in the "for"
list and freeing (unsetting) them all when a later one encounters an
error.
I'm inclined to ignore this because it's not a wild pointer and won't
occur in an otherwise correct script, but if someone has a clever
suggestion for handling this without a lot of overhead, please speak
up.
[-- Attachment #2: loopvar-leak.txt --]
[-- Type: text/plain, Size: 1299 bytes --]
diff --git a/Src/loop.c b/Src/loop.c
index 0f3847541..84dc66476 100644
--- a/Src/loop.c
+++ b/Src/loop.c
@@ -165,7 +165,7 @@ execfor(Estate state, int do_exec)
fprintf(xtrerr, "%s=%s\n", name, str);
fflush(xtrerr);
}
- setloopvar(name, ztrdup(str));
+ setloopvar(name, str);
count++;
}
if (!count)
diff --git a/Src/params.c b/Src/params.c
index f65aa1e80..f143a790f 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -2811,9 +2811,10 @@ assignstrvalue(Value v, char *val, int flags)
break;
}
setscope(v->pm);
- if ((!v->pm->env && !(v->pm->node.flags & PM_EXPORTED) &&
- !(isset(ALLEXPORT) && !(v->pm->node.flags & PM_HASHELEM))) ||
- (v->pm->node.flags & PM_ARRAY) || v->pm->ename)
+ if (errflag ||
+ ((!v->pm->env && !(v->pm->node.flags & PM_EXPORTED) &&
+ !(isset(ALLEXPORT) && !(v->pm->node.flags & PM_HASHELEM))) ||
+ (v->pm->node.flags & PM_ARRAY) || v->pm->ename))
return;
export_param(v->pm);
}
@@ -6330,9 +6331,10 @@ setloopvar(char *name, char *value)
pm->node.flags &= ~PM_UNSET;
pm->node.flags |= PM_NEWREF;
setscope(pm);
- pm->node.flags &= ~PM_NEWREF;
+ if (!errflag)
+ pm->node.flags &= ~PM_NEWREF;
} else
- setsparam(name, value);
+ setsparam(name, ztrdup(value));
}
/**/
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: memory leak (2): named reference
2024-08-05 22:53 ` Bart Schaefer
@ 2024-08-06 16:03 ` Jun. T
2024-08-06 18:53 ` Bart Schaefer
0 siblings, 1 reply; 4+ messages in thread
From: Jun. T @ 2024-08-06 16:03 UTC (permalink / raw)
To: zsh-workers
> 2024/08/06 7:53, Bart Schaefer <schaefer@brasslantern.com> wrote:
>
> On Fri, Jun 28, 2024 at 3:19 AM Jun T <takimoto-j@kba.biglobe.ne.jp> wrote:
>
>> % cat test3
>> typeset -n ref
>> for ref in one ref
>> do; done
>
>> test3 also causes two memory leaks.
>> One is the same as test2
>> In the other, 4 bytes ("ref", allocated by ztrdup() at params.c:6329)
(yes, what was leaking was 4 bytes for "one")
>> are lost. This is caused by aborting the loop by the self reference
Sorry I was wrong. The leak was not due to the "self-reference" error.
The following gives no error but still causes the leak:
% cat test4
typeset -n ref
for ref in a b2 c2345
do; done
valgrind says 5 bytes ("a" and "b2") are lost. It seems the problem is in
the macro SETREFNAME() used in setloopvar(). It overwrites pm->u.str
without freeing the old value. How about the following?
diff --git a/Src/params.c b/Src/params.c
index f143a790f..b710ddbf6 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -482,7 +482,8 @@ static initparam argvparam_pm = IPDEF9("", &pparams, NULL, \
#define GETREFNAME(PM) (((PM)->node.flags & PM_SPECIAL) ? \
(PM)->gsu.s->getfn(PM) : (PM)->u.str)
#define SETREFNAME(PM,S) (((PM)->node.flags & PM_SPECIAL) ? \
- (PM)->gsu.s->setfn(PM,(S)) : ((PM)->u.str = (S)))
+ (PM)->gsu.s->setfn(PM,(S)) : \
+ (zsfree((PM)->u.str), (PM)->u.str = (S)))
static Param argvparam;
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: memory leak (2): named reference
2024-08-06 16:03 ` Jun. T
@ 2024-08-06 18:53 ` Bart Schaefer
0 siblings, 0 replies; 4+ messages in thread
From: Bart Schaefer @ 2024-08-06 18:53 UTC (permalink / raw)
To: Zsh hackers list
On Tue, Aug 6, 2024 at 9:03 AM Jun. T <takimoto-j@kba.biglobe.ne.jp> wrote:
>
> valgrind says 5 bytes ("a" and "b2") are lost. It seems the problem is in
> the macro SETREFNAME() used in setloopvar(). It overwrites pm->u.str
> without freeing the old value. How about the following?
This looks fine. I'll commit it later.
> diff --git a/Src/params.c b/Src/params.c
> index f143a790f..b710ddbf6 100644
> --- a/Src/params.c
> +++ b/Src/params.c
> @@ -482,7 +482,8 @@ static initparam argvparam_pm = IPDEF9("", &pparams, NULL, \
> #define GETREFNAME(PM) (((PM)->node.flags & PM_SPECIAL) ? \
> (PM)->gsu.s->getfn(PM) : (PM)->u.str)
> #define SETREFNAME(PM,S) (((PM)->node.flags & PM_SPECIAL) ? \
> - (PM)->gsu.s->setfn(PM,(S)) : ((PM)->u.str = (S)))
> + (PM)->gsu.s->setfn(PM,(S)) : \
> + (zsfree((PM)->u.str), (PM)->u.str = (S)))
>
> static Param argvparam;
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-08-06 18:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-28 10:19 memory leak (2): named reference Jun T
2024-08-05 22:53 ` Bart Schaefer
2024-08-06 16:03 ` Jun. T
2024-08-06 18:53 ` Bart Schaefer
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).