zsh-workers
* Bug - invalid pointer
@ 2018-04-13 21:56 John Ramsden
  2018-04-14  1:29 ` Bart Schaefer
  0 siblings, 1 reply; 11+ messages in thread
From: John Ramsden @ 2018-04-13 21:56 UTC (permalink / raw)
  To: zsh-workers

I would like to report a bug that causes zsh to crash with an invalid pointer.

So far I've only been able to reproduce the bug in dolphin's embedded terminal; an associated bug report can be found on KDE bug reports [1].

The message I get upon the crash is:

---

free(): invalid pointer
Warning: Program '/usr/bin/zsh' crashed.

---

This only happens in dolphin, and only upon opening a new dolphin window. If I close and re-open the terminal panel, there is no crash.

Downgrade of zsh (5.5-1 => 5.4.2-2) fixes the issue.

1 - https://bugs.kde.org/show_bug.cgi?id=393058

-- 
  John Ramsden


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Bug - invalid pointer
  2018-04-13 21:56 Bug - invalid pointer John Ramsden
@ 2018-04-14  1:29 ` Bart Schaefer
  2018-04-14  1:43   ` John Ramsden
  0 siblings, 1 reply; 11+ messages in thread
From: Bart Schaefer @ 2018-04-14  1:29 UTC (permalink / raw)
  To: John Ramsden; +Cc: zsh-workers

On Fri, Apr 13, 2018 at 2:56 PM, John Ramsden <ramsdenj@riseup.net> wrote:
>
> This only happens in dolphin, and only upon opening a new dolphin window. If I close and re-open the terminal panel, there is no crash.
>
> Downgrade of zsh (5.5-1 => 5.4.2-2) fixes the issue.
>
> 1 - https://bugs.kde.org/show_bug.cgi?id=393058

Took a quick look at that -- the stack traces aren't very useful
because zsh was not compiled with debugging symbols, so no line
numbers or source file names.  However, there have been literally no
changes to the code where you're encountering the error (zrefresh et
al) since 5.4.1, so there must be a bad allocation somewhere else that
is only manifesting when you reach that point.

In fact it's pretty likely to be some kind of signal-management thing
causing malloc re-entrance.



* Re: Bug - invalid pointer
  2018-04-14  1:29 ` Bart Schaefer
@ 2018-04-14  1:43   ` John Ramsden
  2018-04-14  1:57     ` Bart Schaefer
  0 siblings, 1 reply; 11+ messages in thread
From: John Ramsden @ 2018-04-14  1:43 UTC (permalink / raw)
  To: Bart Schaefer; +Cc: zsh-workers

Should I recompile with debugging symbols and let you know what shows up? How would you like me to proceed to help debug the issue?

-- 
  John Ramsden

On Fri, Apr 13, 2018, at 6:29 PM, Bart Schaefer wrote:
> On Fri, Apr 13, 2018 at 2:56 PM, John Ramsden <ramsdenj@riseup.net> wrote:
> >
> > This only happens in dolphin, and only upon opening a new dolphin window. If I close and re-open the terminal panel, there is no crash.
> >
> > Downgrade of zsh (5.5-1 => 5.4.2-2) fixes the issue.
> >
> > 1 - https://bugs.kde.org/show_bug.cgi?id=393058
> 
> Took a quick look at that -- the stack traces aren't very useful
> because zsh was not compiled with debugging symbols, so no line
> numbers or source file names.  However, there have been literally no
> changes to the code where you're encountering the error (zrefresh et
> al) since 5.4.1, so there must be a bad allocation somewhere else that
> is only manifesting when you reach that point.
> 
> In fact it's pretty likely to be some kind of signal-management thing
> causing malloc re-entrance.



* Re: Bug - invalid pointer
  2018-04-14  1:43   ` John Ramsden
@ 2018-04-14  1:57     ` Bart Schaefer
  0 siblings, 0 replies; 11+ messages in thread
From: Bart Schaefer @ 2018-04-14  1:57 UTC (permalink / raw)
  To: John Ramsden; +Cc: zsh-workers

On Fri, Apr 13, 2018 at 6:43 PM, John Ramsden <ramsdenj@riseup.net> wrote:
> Should I recompile with debugging symbols and let you know what shows up? How would you like me to proceed to help debug the issue?

First thing you should try is put a "sleep 2" somewhere in your
startup files, and see if that makes the problem go away.

If it does, it has something to do with how dolphin is doing terminal
startup, possibly in combination with the desktop manager doing window
sizing.  At that point it gets a lot more difficult because we need to
see how signals are being sent/handled.

If the sleep does not resolve the issue, then we can get into
recompiling ... most likely: configure --enable-zsh-debug
--enable-zsh-mem-debug



* Re: Bug - invalid pointer
  2018-04-14 10:20         ` Julien Nicoulaud
@ 2018-04-14 19:34           ` Bart Schaefer
  0 siblings, 0 replies; 11+ messages in thread
From: Bart Schaefer @ 2018-04-14 19:34 UTC (permalink / raw)
  To: Julien Nicoulaud; +Cc: John Ramsden, Mailing-list zsh-workers


On Sat, Apr 14, 2018 at 3:20 AM, Julien Nicoulaud <julien.nicoulaud@gmail.com> wrote:
>
> I bisected it and I think it was introduced by commit 5f6a52c06:
> https://github.com/zsh-users/zsh/commit/5f6a52c06
>
> Hope this helps!

Yes, indeed.  From that commit:

> diff --git a/Src/utils.c b/Src/utils.c
>> index 4c0ebe6..74fdac3 100644
>> --- a/Src/utils.c
>> +++ b/Src/utils.c
>> @@ -1832,7 +1832,7 @@ adjustlines(int signalled)
>>      else
>>         shttyinfo.winsize.ws_row = zterm_lines;
>>  #endif /* TIOCGWINSZ */
>> -    if (zterm_lines <= 0) {
>> +    if (zterm_lines < 0) {
>>         DPUTS(signalled, "BUG: Impossible TIOCGWINSZ rows");
>>         zterm_lines = tclines > 0 ? tclines : 24;
>>      }
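Review bot: the `-    if (zterm_lines <= 0) {` / `+    if (zterm_lines < 0) {` change in adjustlines() does more than quiet the DPUTS(): it also skips the fallback `zterm_lines = tclines > 0 ? tclines : 24;` whenever TIOCGWINSZ reports exactly 0 rows, so a zero row count now flows on into the refresh code. If the intention is only to stop the BUG message on a legitimate 0, keep `<= 0` on the if and narrow the DPUTS() condition to `signalled && zterm_lines < 0` instead.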
>> @@ -1856,7 +1856,7 @@ adjustcolumns(int signalled)
>>      else
>>         shttyinfo.winsize.ws_col = zterm_columns;
>>  #endif /* TIOCGWINSZ */
>> -    if (zterm_columns <= 0) {
>> +    if (zterm_columns < 0) {
>>         DPUTS(signalled, "BUG: Impossible TIOCGWINSZ cols");
>>         zterm_columns = tccolumns > 0 ? tccolumns : 80;
>>      }
>>
>
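Review bot: the same problem applies to the adjustcolumns() hunk: with `if (zterm_columns < 0)` a 0 reported by TIOCGWINSZ no longer triggers `zterm_columns = tccolumns > 0 ? tccolumns : 80;`, and a zero-width terminal is exactly what an emulator can hand back while its window is still being created or animated, which is the situation the free(): invalid pointer abort in singlerefresh() in this thread points at. Narrow the DPUTS() test rather than the guard here too.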
That's obviously doing more (or rather less) than it was meant to; the only
intention was to silence the DPUTS().

diff --git a/Src/utils.c b/Src/utils.c
index 180693d..b418517 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1834,8 +1834,9 @@ adjustlines(int signalled)
     else
     shttyinfo.winsize.ws_row = zterm_lines;
 #endif /* TIOCGWINSZ */
-    if (zterm_lines < 0) {
-    DPUTS(signalled, "BUG: Impossible TIOCGWINSZ rows");
+    if (zterm_lines <= 0) {
+    DPUTS(signalled && zterm_lines < 0,
+          "BUG: Impossible TIOCGWINSZ rows");
     zterm_lines = tclines > 0 ? tclines : 24;
     }
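Review bot: restoring `<= 0` on the guard and moving the `< 0` test into `DPUTS(signalled && zterm_lines < 0, ...)` is the right split; a one-line comment above the if stating that 0 is a value TIOCGWINSZ legitimately returns during window setup (so it gets the fallback but is not a BUG) would keep the next reader from collapsing the two conditions again. Also, the context lines in this hunk (for example `shttyinfo.winsize.ws_row = zterm_lines;` sitting directly under `else`) have lost their indentation relative to the version quoted above, so this mail copy is unlikely to apply cleanly; take the change from the repository rather than from the message body.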

@@ -1858,8 +1859,9 @@ adjustcolumns(int signalled)
     else
     shttyinfo.winsize.ws_col = zterm_columns;
 #endif /* TIOCGWINSZ */
-    if (zterm_columns < 0) {
-    DPUTS(signalled, "BUG: Impossible TIOCGWINSZ cols");
+    if (zterm_columns <= 0) {
+    DPUTS(signalled && zterm_columns < 0,
+          "BUG: Impossible TIOCGWINSZ cols");
     zterm_columns = tccolumns > 0 ? tccolumns : 80;
     }
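Review bot: adjustcolumns() gets the matching fix, so the two functions stay symmetric; it is worth confirming that a 0-column report now actually ends in `zterm_columns = tccolumns > 0 ? tccolumns : 80;` and no longer reaches zrefresh()/singlerefresh(), for instance with the headless docker reproduction Julien posted, since that is the path that produced the free(): invalid pointer abort in the trace.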

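The check that the two patches above argue about, reduced to a stand-alone C program so the difference between `< 0` and `<= 0` can be run outside zsh. This is an added example, not zsh's own code or Bart's patch: sanitize_dim(), dim_is_usable() and the 24/80 fallback constants are modelled on the quoted adjustlines()/adjustcolumns() logic, and the 0x0 window size it constructs when it is not attached to a terminal stands in for what the thread says Dolphin's embedded terminal reports during start-up.

```c
/* Added example (not zsh's code): models the row/column sanitisation in
 * zsh's adjustlines()/adjustcolumns() from Src/utils.c as quoted in the
 * thread, so the effect of changing "<= 0" to "< 0" can be checked in
 * isolation.  Function and variable names here are the example's own. */
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define FALLBACK_ROWS 24   /* zsh's hard-coded last resort for lines */
#define FALLBACK_COLS 80   /* zsh's hard-coded last resort for columns */

/* Mirror of the guard in adjustlines()/adjustcolumns():
 *   reported - value taken from TIOCGWINSZ
 *   termcap  - terminfo value (tclines/tccolumns in zsh), 0 if unknown
 *   fallback - hard-coded last resort (24 rows / 80 columns in zsh)
 *   strict   - 1 uses the original and fixed "<= 0" test,
 *              0 uses the "< 0" test from commit 5f6a52c06
 * Returns the dimension the refresh code would go on to use. */
int sanitize_dim(int reported, int termcap, int fallback, int strict)
{
    int bad = strict ? (reported <= 0) : (reported < 0);
    if (bad)
        return termcap > 0 ? termcap : fallback;
    return reported;
}

/* 1 if the value is safe to hand to a refresh routine that allocates and
 * indexes rows*cols cells, i.e. it is strictly positive. */
int dim_is_usable(int dim)
{
    return dim > 0;
}

/* Read the real window size if stdout is a terminal; otherwise report a
 * constructed 0x0 result, which is what a terminal emulator can hand back
 * while its window is still being created or animated. */
struct winsize current_or_constructed_winsize(void)
{
    struct winsize ws = {0};
    if (!isatty(STDOUT_FILENO) || ioctl(STDOUT_FILENO, TIOCGWINSZ, &ws) != 0) {
        ws.ws_row = 0;   /* constructed: no terminal attached */
        ws.ws_col = 0;
    }
    return ws;
}

int main(void)
{
    struct winsize ws = current_or_constructed_winsize();
    int reported_rows = ws.ws_row, reported_cols = ws.ws_col;
    printf("TIOCGWINSZ reported %dx%d\n", reported_cols, reported_rows);

    /* The live value plus three constructed ones: a 0 (the Dolphin case),
     * a genuinely impossible -1, and a normal 24. */
    int cases[] = { reported_rows, 0, -1, 24 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int broken = sanitize_dim(cases[i], 0, FALLBACK_ROWS, 0);
        int fixed  = sanitize_dim(cases[i], 0, FALLBACK_ROWS, 1);
        printf("rows=%3d  '< 0' check -> %3d (%s)  '<= 0' check -> %3d (%s)\n",
               cases[i],
               broken, dim_is_usable(broken) ? "ok" : "ZERO reaches refresh",
               fixed,  dim_is_usable(fixed)  ? "ok" : "ZERO reaches refresh");
    }
    return 0;
}
```

Run it from a real terminal and again with stdout redirected (`./a.out > out.txt`) to see the constructed 0x0 case: only the `< 0` variant lets a 0 through to the refresh side, which is the condition the backtrace in this thread was produced under.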

* Re: Bug - invalid pointer
  2018-04-14  5:34       ` John Ramsden
@ 2018-04-14 10:20         ` Julien Nicoulaud
  2018-04-14 19:34           ` Bart Schaefer
  0 siblings, 1 reply; 11+ messages in thread
From: Julien Nicoulaud @ 2018-04-14 10:20 UTC (permalink / raw)
  To: John Ramsden; +Cc: Bart Schaefer, Mailing-list zsh-workers

Hi,

I encountered this bug while working on some zsh docker images, and I
can reproduce it consistently in a headless environment.

To reproduce:
 * git clone https://github.com/zsh-users/zsh-docker.git
 * In Dockerfile, remove the "--enable-zsh-mem" configure option (I
used it to workaround this bug)
 * make build VERSION=master
 * docker run -it zshusers/zsh-master:latest

I bisected it and I think it was introduced by commit 5f6a52c06:
https://github.com/zsh-users/zsh/commit/5f6a52c06

Hope this helps!
Julien

2018-04-14 7:34 GMT+02:00 John Ramsden <ramsdenj@riseup.net>:
> So will this be fixed in another release? Or is this a KDE
>
> --
>   John Ramsden
>
> On Fri, Apr 13, 2018, at 8:57 PM, Bart Schaefer wrote:
>> On Fri, Apr 13, 2018 at 8:19 PM, John Ramsden <ramsdenj@riseup.net> wrote:
>> > Interesting, so adding 'sleep 0.25' to the top of my zshrc seems to have fixed the problem. That's only really a workaround though...
>>
>> You could also try turning off window animations in your desktop
>> config.  Having a window zoom in from tiny to full size may look cool,
>> but it sends a bazillion window-size-change events to the process
>> running inside it.



* Re: Bug - invalid pointer
  2018-04-14  3:57     ` Bart Schaefer
@ 2018-04-14  5:34       ` John Ramsden
  2018-04-14 10:20         ` Julien Nicoulaud
  0 siblings, 1 reply; 11+ messages in thread
From: John Ramsden @ 2018-04-14  5:34 UTC (permalink / raw)
  To: Bart Schaefer; +Cc: zsh-workers

So will this be fixed in another release? Or is this a KDE 

-- 
  John Ramsden

On Fri, Apr 13, 2018, at 8:57 PM, Bart Schaefer wrote:
> On Fri, Apr 13, 2018 at 8:19 PM, John Ramsden <ramsdenj@riseup.net> wrote:
> > Interesting, so adding 'sleep 0.25' to the top of my zshrc seems to have fixed the problem. That's only really a workaround though...
> 
> You could also try turning off window animations in your desktop
> config.  Having a window zoom in from tiny to full size may look cool,
> but it sends a bazillion window-size-change events to the process
> running inside it.



* Re: Bug - invalid pointer
  2018-04-14  3:19   ` John Ramsden
@ 2018-04-14  3:57     ` Bart Schaefer
  2018-04-14  5:34       ` John Ramsden
  0 siblings, 1 reply; 11+ messages in thread
From: Bart Schaefer @ 2018-04-14  3:57 UTC (permalink / raw)
  To: John Ramsden; +Cc: zsh-workers

On Fri, Apr 13, 2018 at 8:19 PM, John Ramsden <ramsdenj@riseup.net> wrote:
> Interesting, so adding 'sleep 0.25' to the top of my zshrc seems to have fixed the problem. That's only really a workaround though...

You could also try turning off window animations in your desktop
config.  Having a window zoom in from tiny to full size may look cool,
but it sends a bazillion window-size-change events to the process
running inside it.



* Re: Bug - invalid pointer
  2018-04-14  2:16 ` Bart Schaefer
@ 2018-04-14  3:19   ` John Ramsden
  2018-04-14  3:57     ` Bart Schaefer
  0 siblings, 1 reply; 11+ messages in thread
From: John Ramsden @ 2018-04-14  3:19 UTC (permalink / raw)
  To: Bart Schaefer; +Cc: zsh-workers

Interesting, so adding 'sleep 0.25' to the top of my zshrc seems to have fixed the problem. That's only really a workaround though...

-- 
  John Ramsden

On Fri, Apr 13, 2018, at 7:16 PM, Bart Schaefer wrote:
> On Fri, Apr 13, 2018 at 7:00 PM, John Ramsden <ramsdenj@riseup.net> wrote:
> > Okay, so I went ahead and recompiled by adding 'options=(debug !strip)' to my PKGBUILD on Arch. That's all I changed so if I need to do something else to get full debugging symbols let me know.
> 
> Well, there's what I said in other email about what gets passed to configure.
> 
> However, the trace you provided points to code for managing the width
> of the window, so I would guess the window is changing size while zle
> is trying to get started.  There's code to try to block SIGWINCH until
> zle is actually ready to go, expecting the window to therefore have
> stabilized by the time its size is needed, but it looks like this is
> slipping around that somehow.



* Re: Bug - invalid pointer
  2018-04-14  2:00 John Ramsden
@ 2018-04-14  2:16 ` Bart Schaefer
  2018-04-14  3:19   ` John Ramsden
  0 siblings, 1 reply; 11+ messages in thread
From: Bart Schaefer @ 2018-04-14  2:16 UTC (permalink / raw)
  To: John Ramsden; +Cc: zsh-workers

On Fri, Apr 13, 2018 at 7:00 PM, John Ramsden <ramsdenj@riseup.net> wrote:
> Okay, so I went ahead and recompiled by adding 'options=(debug !strip)' to my PKGBUILD on Arch. That's all I changed so if I need to do something else to get full debugging symbols let me know.

Well, there's what I said in other email about what gets passed to configure.

However, the trace you provided points to code for managing the width
of the window, so I would guess the window is changing size while zle
is trying to get started.  There's code to try to block SIGWINCH until
zle is actually ready to go, expecting the window to therefore have
stabilized by the time its size is needed, but it looks like this is
slipping around that somehow.


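The start-up race Bart describes, as an added example in C that is not zsh's code: SIGWINCH is held back while the editor initialises, the handler does nothing but set a flag (no allocation, so none of the malloc re-entrance mentioned earlier in the thread), and the main flow re-reads TIOCGWINSZ only after the signal is released. The winch_* names, the use of raise(SIGWINCH) to stand in for a window-manager resize, and the 0x0 result when no terminal is attached are this example's own assumptions.

```c
/* Added example (not zsh's code): the SIGWINCH handling pattern described
 * in the thread - keep SIGWINCH blocked while the line editor starts, do
 * nothing in the handler except record that a resize happened, and only
 * re-read the window size from the main flow of control.  The winch_*
 * names are the example's own. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* The only state the handler touches; async-signal-safe by construction.
 * Calling malloc()/free() here, directly or via printf(), is what creates
 * the malloc re-entrance failure mode. */
static volatile sig_atomic_t winch_pending = 0;

static void on_winch(int signo)
{
    (void)signo;
    winch_pending = 1;
}

/* Install the handler; SA_RESTART lets a blocking read resume. 0 on success. */
int winch_install(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_winch;
    sa.sa_flags = SA_RESTART;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGWINCH, &sa, NULL);
}

/* Hold SIGWINCH while the editor initialises; deliveries stay pending. */
int winch_block(void)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGWINCH);
    return sigprocmask(SIG_BLOCK, &set, NULL);
}

/* Release SIGWINCH; a resize that arrived meanwhile is delivered now. */
int winch_unblock(void)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGWINCH);
    return sigprocmask(SIG_UNBLOCK, &set, NULL);
}

/* Main-loop side: returns 1 and clears the flag if a resize was recorded. */
int winch_drain(void)
{
    if (!winch_pending)
        return 0;
    winch_pending = 0;
    return 1;
}

/* Re-query the size from the main flow.  Without a terminal this yields a
 * constructed 0x0, which a caller must still sanitise before sizing buffers. */
void query_winsize(int *rows, int *cols)
{
    struct winsize ws;
    if (isatty(STDIN_FILENO) && ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) == 0) {
        *rows = ws.ws_row;
        *cols = ws.ws_col;
    } else {
        *rows = 0;   /* constructed: no terminal attached */
        *cols = 0;
    }
}

int main(void)
{
    int rows, cols;
    winch_install();

    winch_block();            /* editor start-up: resizes must wait */
    raise(SIGWINCH);          /* stands in for the window manager's animation */
    printf("while blocked: pending=%d\n", (int)winch_pending);
    winch_unblock();          /* start-up done: the queued signal lands here */
    printf("after unblock: pending=%d\n", (int)winch_pending);

    if (winch_drain()) {
        query_winsize(&rows, &cols);
        printf("resize handled in main loop, window is %dx%d\n", cols, rows);
    }
    return 0;
}
```

The two printf lines show the ordering guarantee the pattern relies on: the flag stays 0 for as long as SIGWINCH is blocked, flips to 1 as soon as sigprocmask() releases it, and the size is only read once the main loop sees the flag, never from inside the handler.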

* Re: Bug - invalid pointer
@ 2018-04-14  2:00 John Ramsden
  2018-04-14  2:16 ` Bart Schaefer
  0 siblings, 1 reply; 11+ messages in thread
From: John Ramsden @ 2018-04-14  2:00 UTC (permalink / raw)
  To: Bart Schaefer; +Cc: zsh-workers

Okay, so I went ahead and recompiled by adding 'options=(debug !strip)' to my PKGBUILD on Arch. That's all I changed so if I need to do something else to get full debugging symbols let me know.

Here's the new core dump:

coredumpctl gdb 15809
           PID: 15809 (zsh)
           UID: 1000 (john)
           GID: 1000 (john)
        Signal: 6 (ABRT)
     Timestamp: Fri 2018-04-13 18:53:35 PDT (1min 44s ago)
  Command Line: /usr/bin/zsh
    Executable: /usr/bin/zsh
 Control Group: /user.slice/user-1000.slice/session-c1.scope
          Unit: session-c1.scope
         Slice: user-1000.slice
       Session: c1
     Owner UID: 1000 (john)
       Boot ID: 529c2cf77df04e549005b8b08ace78d1
    Machine ID: 6f76760fe58f4b6293e0004853517d7d
      Hostname: wooly
       Storage: /var/lib/systemd/coredump/core.zsh.1000.529c2cf77df04e549005b8b08ace78d1.15809.1523670815000000.lz4
       Message: Process 15809 (zsh) of user 1000 dumped core.
                
                Stack trace of thread 15809:
                #0  0x00007f27252fc860 raise (libc.so.6)
                #1  0x00007f27252fdec9 abort (libc.so.6)
                #2  0x00007f272533f437 __libc_message (libc.so.6)
                #3  0x00007f272534578b malloc_printerr (libc.so.6)
                #4  0x00007f272534724c _int_free (libc.so.6)
                #5  0x00007f2724e91e19 singlerefresh (zle.so)
                #6  0x00007f2724e852e6 zleread (zle.so)
                #7  0x0000556344d3a784 zleentry (zsh)
                #8  0x0000556344d3bcb8 inputline (zsh)
                #9  0x0000556344d3356c ihgetc (zsh)
                #10 0x0000556344d4565e gettok (zsh)
                #11 0x0000556344d65437 parse_event (zsh)
                #12 0x0000556344d36ee5 loop (zsh)
                #13 0x0000556344d3adf6 zsh_main (zsh)
                #14 0x00007f27252e8f4a __libc_start_main (libc.so.6)
                #15 0x0000556344d009aa _start (zsh)

GNU gdb (GDB) 8.1
(gdb) bt
#0  0x00007f27252fc860 in raise () from /usr/lib/libc.so.6
#1  0x00007f27252fdec9 in abort () from /usr/lib/libc.so.6
#2  0x00007f272533f437 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007f272534578b in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007f272534724c in _int_free () from /usr/lib/libc.so.6
#5  0x00007f2724e91e19 in singlerefresh (tmpcs=<optimized out>, tmpll=0, tmpline=0x5563468aebc0 L"") at zle_refresh.c:2656
#6  zrefresh () at zle_refresh.c:1188
#7  0x00007f2724e852e6 in zleread (lp=<optimized out>, rp=<optimized out>, flags=<optimized out>, context=<optimized out>, init=0x7f2724ea3abd "zle-line-init", 
    finish=0x7f2724ea3aad "zle-line-finish") at zle_main.c:1322
#8  0x0000556344d3a784 in zleentry (cmd=cmd@entry=1) at init.c:1602
#9  0x0000556344d3bcb8 in inputline () at input.c:295
#10 ingetc () at input.c:228
#11 0x0000556344d3bedf in ingetc () at input.c:196
#12 0x0000556344d3356c in ihgetc () at hist.c:407
#13 0x0000556344d4565e in gettok () at lex.c:611
#14 zshlex () at lex.c:275
#15 0x0000556344d4639e in zshlex () at lex.c:268
#16 0x0000556344d65437 in parse_event (endtok=endtok@entry=37) at parse.c:581
#17 0x0000556344d36ee5 in loop (toplevel=toplevel@entry=1, justonce=justonce@entry=0) at init.c:146
#18 0x0000556344d3adf6 in zsh_main (argc=<optimized out>, argv=<optimized out>) at init.c:1756
#19 0x00007f27252e8f4a in __libc_start_main () from /usr/lib/libc.so.6
#20 0x0000556344d009aa in _start ()



Thread overview: 11+ messages
2018-04-13 21:56 Bug - invalid pointer John Ramsden
2018-04-14  1:29 ` Bart Schaefer
2018-04-14  1:43   ` John Ramsden
2018-04-14  1:57     ` Bart Schaefer
2018-04-14  2:00 John Ramsden
2018-04-14  2:16 ` Bart Schaefer
2018-04-14  3:19   ` John Ramsden
2018-04-14  3:57     ` Bart Schaefer
2018-04-14  5:34       ` John Ramsden
2018-04-14 10:20         ` Julien Nicoulaud
2018-04-14 19:34           ` Bart Schaefer
