Date: Sat, 18 Jan 2003 21:47:59 +0000 (GMT)
Subject: segfault bug in menu selection + diagnosis
Mailing-List: contact zsh-workers-help@sunsite.dk; run by ezmlm
X-Seq: 18128

Hi,

I'm new to zsh and have been playing with the nice completion stuff. I've found a segfaulting bug which appears to be reproducible. This was against zsh-4.0.6, but I've also confirmed it with the HEAD branch in CVS (18/1/03 21:20).

Steps to reproduce:

1. Start a new shell which uses new-style completion and the following styles:

     zstyle ':completion:*:kill:*' menu yes select
     zstyle ':completion:*:kill:*' force-list always

   These aren't actually necessary -- if you press tab enough times to get the menu select to appear it happens too.

2. Type 'kill '

3. Press tab to get menu selection of processes (so a single process ID appears on the command line and the first process in the list is highlighted)

4. Resize your terminal to make it a bit wider, causing a SIGWINCH

5. Press the UP arrow

6. Segmentation fault should occur

If it doesn't happen straight away, try starting afresh and moving around a little bit with the arrows before resizing.

This was on an i386 RedHat 8.0 system. The info below pertains to zsh-4.0.6.

Backtrace indicates that the crash occurs in domenuselect() in complist.c:2272, in a call to dosingle(**p), while dereferencing p twice. The memory it pointed to has been freed, and doing print (char*) p in gdb shows a string (in this case):

    "=01;31:(jobs)*.Z=01;31:(jobs)*.gz=01;"...

So I suppose the memory has been reused for some strings that have been later allocated.

I don't know enough about the structure of the source code to fix the problem, but I think it's happening because the zrefresh() that's called as a result of handling the SIGWINCH (the signal is delivered during the domenuselect call to getkeycmd() at line 1781) eventually causes complistmatches() to be called, thus freeing the 'mtab' global array unexpectedly (at least to domenuselect()), so 'p' is invalid.

Thanks. I hope I've provided enough information to resolve the issue.
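The mechanism the diagnosis above describes is a general use-after-free pattern: a loop caches a pointer into a global table, a signal-driven redraw rebuilds that table underneath it, and the next dereference touches freed memory. The following C program is an added illustration written for this note; it is not zsh code and the names (mtab, build_mtab, getkeycmd_simulated, select_cached_pointer, select_by_index) are hypothetical stand-ins for the real globals and functions. It contrasts the fragile pattern with a defensive one: the SIGWINCH handler only sets a flag, the rebuild runs from the main loop, and the selection loop keeps an index plus a generation counter and re-resolves the entry against the live table after every key read instead of holding a raw pointer across it.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for zsh's global match table 'mtab'. */
static char **mtab = NULL;
static size_t mtab_len = 0;
static unsigned mtab_gen = 0;   /* bumped every time the table is rebuilt */

static void free_mtab(void) {
    for (size_t i = 0; i < mtab_len; i++) free(mtab[i]);
    free(mtab);
    mtab = NULL;
    mtab_len = 0;
}

/* Rebuild the table from a constructed list of "process" entries.
   This plays the role of the refresh path that frees and reallocates mtab. */
static void build_mtab(void) {
    static const char *sample[] = { "1234 zsh", "2345 vim", "3456 sshd" };
    free_mtab();
    mtab_len = sizeof sample / sizeof sample[0];
    mtab = malloc(mtab_len * sizeof *mtab);
    for (size_t i = 0; i < mtab_len; i++) mtab[i] = strdup(sample[i]);
    mtab_gen++;
}

/* Deferred SIGWINCH handling: the handler only sets a flag (async-signal-safe);
   the redraw that frees and rebuilds mtab runs later, from the main loop. */
static volatile sig_atomic_t winch_pending = 0;
static void on_winch(int sig) { (void)sig; winch_pending = 1; }

static void install_winch_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_winch;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    sigaction(SIGWINCH, &sa, NULL);
}

/* Simulated key read: optionally delivers a resize in the middle of menu
   selection (step 4 of the report), then runs the deferred redraw. */
static int getkeycmd_simulated(int deliver_winch) {
    if (deliver_winch) raise(SIGWINCH);
    if (winch_pending) {          /* main-loop check, not inside the handler */
        winch_pending = 0;
        build_mtab();             /* the zrefresh()-like rebuild */
    }
    return 'k';                   /* pretend the user pressed UP */
}

/* Fragile pattern from the report: a pointer into mtab is cached across the
   key read. Returns 1 if the table was rebuilt meanwhile, i.e. the cached
   pointer now dangles and must not be dereferenced. */
static int select_cached_pointer(size_t idx, int deliver_winch) {
    const char *p = mtab[idx];    /* cached before the key read */
    unsigned gen = mtab_gen;
    getkeycmd_simulated(deliver_winch);
    (void)p;                      /* deliberately never dereferenced here */
    return mtab_gen != gen;
}

/* Robust pattern: keep only an index, re-resolve it against the live table
   after every key read, and clamp it in case the rebuilt list is shorter. */
static const char *select_by_index(size_t idx, int deliver_winch) {
    getkeycmd_simulated(deliver_winch);
    if (mtab_len == 0) return NULL;
    if (idx >= mtab_len) idx = mtab_len - 1;
    return mtab[idx];
}

int main(void) {
    install_winch_handler();
    build_mtab();
    printf("rebuilt during key read (cached pointer invalid): %d\n",
           select_cached_pointer(0, 1));
    printf("entry re-resolved after resize: %s\n", select_by_index(1, 1));
    free_mtab();
    return 0;
}
```

The generation counter is the cheap runtime check: any code path that still holds a pointer into the table can compare the counter before and after a blocking call and bail out (or re-fetch) when it changed, which turns a silent use-after-free into a detectable condition.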