* zsh segfaults on $(( [#2] 0xDEADBEEF ))
@ 2001-04-28  8:15 Andre Pang
  2001-04-28  9:11 ` Andrej Borsenkow
  2001-04-28 17:27 ` PATCH: " Bart Schaefer
  0 siblings, 2 replies; 5+ messages in thread
From: Andre Pang @ 2001-04-28  8:15 UTC (permalink / raw)
  To: zsh-workers

using zsh as a calculator:

    18:00 ~% zsh
    18:00 ~% echo $(( [#16] 0xDEADBEEF ))
    16#DEADBEEF
    18:00 ~% echo $(( [#8] 0xDEADBEEF ))
    8#33653337357
    18:00 ~% echo $(( [#4] 0xDEADBEEF ))
    4#3132223123323233
    18:00 ~% echo $(( [#3] 0xDEADBEEF ))
    3#100122100210211112102
    18:00 ~% echo $(( [#2] 0xDEADBEEF ))
    zsh: 6139 segmentation fault  zsh
    18:00 ~% 

after a few more seconds of playing around (i am now friends
with Esc A):

    18:02 ~% echo $(( [#2] 0x1FFFFF ))
    2#111111111111111111111
    18:02 ~% echo $(( [#2] 0x200000 ))
    zsh: 6192 segmentation fault  zsh

and

    18:07 ~% echo $(( [#3] 0x26F7C528F ))
    3#222222222222222221200
    18:07 ~% echo $(( [#3] 0x26F7C5300 ))
    zsh: 6370 segmentation fault  zsh

this has happened to two machines i've tried it on:

    18:10 wagner:~% uname -a
    Linux wagner 2.4.3 #2 SMP Sat Apr 7 04:28:16 EST 2001 i686 unknown
    18:10 wagner:~% echo $ZSH_VERSION
    3.1.9-dev-6

    18:07 ~% uname -a 
    Linux exodus 2.4.2-exodus #31 Fri Mar 16 09:22:38 EST 2001 i686 unknown
    18:08 ~% echo $ZSH_VERSION
    4.0.1-debian0420

wow.  after >1 year of not finding a single bug in zsh, i
suddenly find two major-ish ones in the same day :)

please cc replies to me (or zsh-users) -- i'm not on zsh-workers.


-- 
#ozone/algorithm <ozone@algorithm.com.au>          - trust.in.love.to.save



* RE: zsh segfaults on $(( [#2] 0xDEADBEEF ))
  2001-04-28  8:15 zsh segfaults on $(( [#2] 0xDEADBEEF )) Andre Pang
@ 2001-04-28  9:11 ` Andrej Borsenkow
  2001-04-28 17:27 ` PATCH: " Bart Schaefer
  1 sibling, 0 replies; 5+ messages in thread
From: Andrej Borsenkow @ 2001-04-28  9:11 UTC (permalink / raw)
  To: zsh-workers

>     18:00 ~% echo $(( [#2] 0xDEADBEEF ))
>     zsh: 6139 segmentation fault  zsh

Confirmed after long pause;

bor@itsrm2% echo $(( [#2] 0xDEADBEEF ))
zsh: segmentation fault (core dumped)  zsh
bor@itsrm2% dbx =zsh core
dbx V2.4C00 SINIX (Jun 19 2000)
Copyright (C) Siemens AG 1998
Base:   BSD, Copyright (C) The Regents of the University of California
All rights reserved
reading symbolic information ...
Current signal in memory image is: SIGSEGV (11) (address not mapped to object,
faulting address = 0x31303131)
needed shared libraries:
        /tools/lib/zsh/4.0.1-pre-3/zsh/parameter.so
        /tools/lib/zsh/4.0.1-pre-3/zsh/zutil.so
        /tools/lib/zsh/4.0.1-pre-3/zsh/complist.so
        /tools/lib/zsh/4.0.1-pre-3/zsh/complete.so
        /tools/lib/zsh/4.0.1-pre-3/zsh/zle.so
        /usr/lib/libc.so.1
        /lib/libnsl.so
        /lib/libdl.so
        /lib/libsocket.so
... reading /tools/lib/zsh/4.0.1-pre-3/zsh/parameter.so
... reading /tools/lib/zsh/4.0.1-pre-3/zsh/zutil.so
... reading /tools/lib/zsh/4.0.1-pre-3/zsh/complist.so
... reading /tools/lib/zsh/4.0.1-pre-3/zsh/complete.so
... reading /tools/lib/zsh/4.0.1-pre-3/zsh/zle.so
... reading /usr/lib/libc.so.1
... reading /lib/libnsl.so
... reading /lib/libdl.so
... reading /lib/libsocket.so
[using memory image in core]
32bit dbx - 32bit program
Type 'help' for help
(dbx32) where
arithsubst(a = "illegal address (0x31310023)
, bptr = 0x7ffee760, rest = ""), line 2012 in "/tools/src/zsh/Src/subst.c"
$b13, line 163 in "/tools/src/zsh/Src/subst.c"
$b12, line 163 in "/tools/src/zsh/Src/subst.c"
stringsubst(list = 0x7893f8, node = 0x78940c, ssub = 0), line 163 in
"/tools/src/zsh/Src/subst.c"
$b1, line 73 in "/tools/src/zsh/Src/subst.c"
prefork(list = 0x7893f8, flags = 0), line 73 in "/tools/src/zsh/Src/subst.c"
execcmd(state = 0x7ffeeca4, input = 0, output = 0, how = 18, last1 = 2), line
1742 in "/tools/src/zsh/Src/exec.c"
execpline2(state = 0x7ffeeca4, pcode = 131, how = 18, input = 0, output = 0,
last1 = 0), line 1189 in "/tools/src/zsh/Src/exec.c"
execpline(state = 0x7ffeeca4, slcode = 4098, how = 18, last1 = 0), line 982 in
"/tools/src/zsh/Src/exec.c"
execlist(state = 0x7ffeeca4, dont_change_job = 0, exiting = 0), line 826 in
"/tools/src/zsh/Src/exec.c"
execode(p = 0x7893a0, dont_change_job = 0, exiting = 0), line 729 in
"/tools/src/zsh/Src/exec.c"
$b210, line 160 in "/tools/src/zsh/Src/init.c"
.init.loop(toplevel = 1, justonce = 0), line 160 in
"/tools/src/zsh/Src/init.c"
zsh_main(argc = 1, argv = 0x7ffeeddc), line 1209 in
"/tools/src/zsh/Src/init.c"
.main.main(argc = 1, argv = 0x7ffeeddc), line 37 in
"/tools/src/zsh/Src/main.c"
__start() at 0x40a124

>     18:00 ~%
>
> after a few more seconds of playing around (i am now friends
> with Esc A):
>
>     18:02 ~% echo $(( [#2] 0x1FFFFF ))
>     2#111111111111111111111
>     18:02 ~% echo $(( [#2] 0x200000 ))
>     zsh: 6192 segmentation fault  zsh
>

This one works here.

-andrej



* PATCH: Re: zsh segfaults on $(( [#2] 0xDEADBEEF ))
  2001-04-28  8:15 zsh segfaults on $(( [#2] 0xDEADBEEF )) Andre Pang
  2001-04-28  9:11 ` Andrej Borsenkow
@ 2001-04-28 17:27 ` Bart Schaefer
  2001-04-28 17:38   ` Bart Schaefer
  1 sibling, 1 reply; 5+ messages in thread
From: Bart Schaefer @ 2001-04-28 17:27 UTC (permalink / raw)
  To: Andre Pang, zsh-workers

Well, this one wasn't difficult, at least.


Index: Src/params.c
===================================================================
--- Src/params.c	2001/04/26 04:20:57	1.4
+++ Src/params.c	2001/04/28 17:16:06
@@ -1651,7 +1651,7 @@
 void
 setnumvalue(Value v, mnumber val)
 {
-    char buf[DIGBUFSIZE], *p;
+    char buf[BDIGBUFSIZE], *p;
 
     if (v->pm->flags & PM_READONLY) {
 	zerr("read-only variable: %s", v->pm->nam, 0);
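Review bot: `buf` in setnumvalue is still a fixed-size stack array whose adequacy depends on every call site choosing the right macro; nothing visible in this hunk passes the buffer's length to the code that formats the number, and the function body continues outside the hunk. The same applies to `buf` in the arithsubst hunk of Src/subst.c, where the reported dbx output shows a faulting address of 0x31303131 (ASCII digit bytes), consistent with formatted digits having overrun the old buffer. I would document the contract at each declaration, e.g. `/* sized for base 2, the longest integer rendering */`, and, if the formatting routine can be given a limit, pass `sizeof(buf)` so a future size mismatch truncates or errors instead of corrupting the stack.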
Index: Src/subst.c
===================================================================
--- Src/subst.c	2001/04/26 04:20:58	1.2
+++ Src/subst.c	2001/04/28 17:16:03
@@ -1994,7 +1994,7 @@
 arithsubst(char *a, char **bptr, char *rest)
 {
     char *s = *bptr, *t;
-    char buf[DIGBUFSIZE], *b = buf;
+    char buf[BDIGBUFSIZE], *b = buf;
     mnumber v;
 
     singsub(&a);
Index: Src/system.h
===================================================================
--- Src/system.h	2001/04/21 22:22:54	1.2
+++ Src/system.h	2001/04/28 17:15:14
@@ -406,8 +406,10 @@
 /* DIGBUFSIZ is the length of a buffer which can hold the -LONG_MAX-1 *
  * (or with ZSH_64_BIT_TYPE maybe -LONG_LONG_MAX-1)                   *
  * converted to printable decimal form including the sign and the     *
- * terminating null character. Below 0.30103 > lg 2.                  */
+ * terminating null character. Below 0.30103 > lg 2.                  *
+ * BDIGBUFSIZE is for a number converted to printable binary form.    */
 #define DIGBUFSIZE ((int)(((sizeof(zlong) * 8) - 1) * 0.30103) + 3)
+#define BDIGBUFSIZE ((int)((sizeof(zlong) * 8) + 3))
 
 /* If your stat macros are broken, we will *
  * just undefine them.                     */
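Review bot: The added comment line for BDIGBUFSIZE does not say which characters the trailing constant reserves beyond one digit per bit, so the size cannot be audited from the header alone. Judging by the output in the report (`2#111...`), a binary rendering needs room for a sign, the two-character `2#` prefix and the terminating NUL as well as the digits; I would list these in the comment, e.g. `/* one digit per bit, plus sign, base prefix and NUL */`, so the constant can be checked against that list. Writing the bit count as `sizeof(zlong) * CHAR_BIT` would also drop the assumption of 8-bit bytes, though the existing DIGBUFSIZE line makes the same assumption.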

-- 
Bart Schaefer                                 Brass Lantern Enterprises
http://www.well.com/user/barts              http://www.brasslantern.com

Zsh: http://www.zsh.org | PHPerl Project: http://phperl.sourceforge.net   



* Re: PATCH: Re: zsh segfaults on $(( [#2] 0xDEADBEEF ))
  2001-04-28 17:27 ` PATCH: " Bart Schaefer
@ 2001-04-28 17:38   ` Bart Schaefer
  2001-05-01  9:33     ` Peter Stephenson
  0 siblings, 1 reply; 5+ messages in thread
From: Bart Schaefer @ 2001-04-28 17:38 UTC (permalink / raw)
  To: Andre Pang, zsh-workers

On Apr 28,  5:27pm, Bart Schaefer wrote:
}
} Well, this one wasn't difficult, at least.
} 
} +#define BDIGBUFSIZE ((int)((sizeof(zlong) * 8) + 3))

Upon further reflection, I changed that 3 to a 4 in the committed version
of the patch.

-- 
Bart Schaefer                                 Brass Lantern Enterprises
http://www.well.com/user/barts              http://www.brasslantern.com

Zsh: http://www.zsh.org | PHPerl Project: http://phperl.sourceforge.net   



* Re: PATCH: Re: zsh segfaults on $(( [#2] 0xDEADBEEF ))
  2001-04-28 17:38   ` Bart Schaefer
@ 2001-05-01  9:33     ` Peter Stephenson
  0 siblings, 0 replies; 5+ messages in thread
From: Peter Stephenson @ 2001-05-01  9:33 UTC (permalink / raw)
  To: Zsh hackers list

Bart wrote:
> }
> } Well, this one wasn't difficult, at least.
> } 
> } +#define BDIGBUFSIZE ((int)((sizeof(zlong) * 8) + 3))
> 
> Upon further reflection, I changed that 3 to a 4 in the committed version
> of the patch.

Just for consistency, this uses BDIGBUFSIZE in two other places which
already create buffers for the same purpose.

Index: Src/params.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/params.c,v
retrieving revision 1.43
diff -u -r1.43 params.c
--- Src/params.c	2001/04/28 17:38:01	1.43
+++ Src/params.c	2001/05/01 09:31:51
@@ -1393,7 +1393,7 @@
 getstrvalue(Value v)
 {
     char *s, **ss;
-    char buf[(sizeof(zlong) * 8) + 4];
+    char buf[BDIGBUFSIZE];
 
     if (!v)
 	return hcalloc(1);
@@ -1535,7 +1535,7 @@
 void
 export_param(Param pm)
 {
-    char buf[(sizeof(zlong) * 8) + 4], *val;
+    char buf[BDIGBUFSIZE], *val;
 
     if (PM_TYPE(pm->flags) & (PM_ARRAY|PM_HASHED)) {
 #if 0	/* Requires changes elsewhere in params.c and builtin.c */

-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR Ltd., Unit 300, Science Park, Milton Road,
Cambridge, CB4 0XL, UK                          Tel: +44 (0)1223 392070


**********************************************************************
The information transmitted is intended only for the person or
entity to which it is addressed and may contain confidential 
and/or privileged material. 
Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by 
persons or entities other than the intended recipient is 
prohibited.  
If you received this in error, please contact the sender and 
delete the material from any computer.
**********************************************************************


