From: Cebtenzzre <cebtenzzre@gmail.com>
To: zsh-workers@zsh.org
Subject: Segmentation fault at exit with set -u and pipe
Date: Fri, 03 Feb 2023 19:31:08 -0500
Message-ID: <c5910bed3ba080d552a05d623f3d85c9b897ea11.camel@gmail.com>
I have discovered a case where zsh will segfault at exit. Here is an
example that reproduces it more often than not:
set -u
trap 'sleep 1' EXIT
: | test $x
The trap line is not actually required but makes the issue easier to
reproduce. I have been able to reproduce this on both zsh 5.9 and latest
master (bffdbccda69683ce857dfad457e3209c0f00aa0c "51354: Fix markup in
man page version" at the time of this writing).
According to git bisect, this appears to be a regression caused by
commit e127ceaae87414588d4c839fc4cc04f02c2ed8c5 "50149: Remove all
remaining =(...) files at shell exit". Below is the report that ASAN
gives me on zsh 5.9. It appears that cleanfilelists frees memory that is
sometimes referenced later in the exit process.
$ zsh repr.zsh
repr.zsh:3: x: parameter not set
=================================================================
==4032127==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000dde0 at pc 0x558958e3cbf9 bp 0x7fff485bc8e0 sp 0x7fff485bc8d0
READ of size 8 at 0x60300000dde0 thread T0
#0 0x558958e3cbf8 in getlinknode /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215
#1 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1354
#2 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
#3 0x558958e25e97 in deletejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1440
#4 0x558958e26e67 in printjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1284
#5 0x558958e290bd in update_job /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:624
#6 0x558958ed01bd in wait_for_processes /usr/src/debug/zsh/zsh-5.9/Src/signals.c:562
#7 0x558958ecf3a4 in zhandler /usr/src/debug/zsh/zsh-5.9/Src/signals.c:649
#8 0x7fcb150049ff (/usr/lib/libc.so.6+0x389ff)
#9 0x7fcb15004cb8 in sigsuspend (/usr/lib/libc.so.6+0x38cb8)
#10 0x558958ecd5e7 in signal_suspend /usr/src/debug/zsh/zsh-5.9/Src/signals.c:393
#11 0x558958e2a8e3 in zwaitjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1628
#12 0x558958e2bc2f in waitonejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1678
#13 0x558958e2bc2f in waitjobs /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1698
#14 0x558958dd1ba5 in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1785
#15 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
#16 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
#17 0x558958ed4b10 in dotrapargs /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1383
#18 0x558958ece9ad in dotrap /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1489
#19 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5887
#20 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
#21 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
#22 0x558958d7023c in main main.c:93
#23 0x7fcb14fef28f (/usr/lib/libc.so.6+0x2328f)
#24 0x7fcb14fef349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
#25 0x558958d70824 in _start ../sysdeps/x86_64/start.S:115
0x60300000dde0 is located 0 bytes inside of 24-byte region [0x60300000dde0,0x60300000ddf8)
freed by thread T0 here:
#0 0x7fcb153d9672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x558958e4fbdc in zfree /usr/src/debug/zsh/zsh-5.9/Src/mem.c:1871
#2 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1365
#3 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
#4 0x558958e25dfc in cleanfilelists /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1378
#5 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5863
#6 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
#7 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
#8 0x558958d7023c in main main.c:93
#9 0x7fcb14fef28f (/usr/lib/libc.so.6+0x2328f)
previously allocated by thread T0 here:
#0 0x7fcb153daa89 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x558958e4e9c0 in zalloc /usr/src/debug/zsh/zsh-5.9/Src/mem.c:966
#2 0x558958e3c6a1 in znewlinklist /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:120
#3 0x558958e2588c in addfilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1307
#4 0x558958dcf83f in execpline2 /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1973
#5 0x558958dd034e in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1689
#6 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
#7 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
#8 0x558958e130cc in loop /usr/src/debug/zsh/zsh-5.9/Src/init.c:212
#9 0x558958e1eea8 in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1794
#10 0x558958d7023c in main main.c:93
#11 0x7fcb14fef28f (/usr/lib/libc.so.6+0x2328f)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215 in getlinknode
Shadow bytes around the buggy address:
0x0c067fff9b60: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
0x0c067fff9b70: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
0x0c067fff9b80: 00 00 01 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c067fff9b90: fa fa 00 00 01 fa fa fa 00 00 00 fa fa fa 00 00
0x0c067fff9ba0: 01 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x0c067fff9bb0: 00 00 00 fa fa fa fd fd fd fa fa fa[fd]fd fd fa
0x0c067fff9bc0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
0x0c067fff9bd0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4032127==ABORTING
Thanks,
Cebtenzzre
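As an added illustration (this is not zsh's code and not the fix that was eventually applied), the following C program models the ownership problem the ASAN report points at: an exit-time sweep (cleanfilelists) frees each job's list of temporary files, while a later step of the exit path (deletejob, reached from the SIGCHLD handler while the EXIT trap is still waiting on a child) still holds a pointer to one of those lists. The function names echo the frames in the trace; the structures, the file paths and the ownership-transfer fix (clearing the job's pointer before freeing) are assumptions made for this example.

```c
/* Model of an exit-ordering use-after-free: a cleanup sweep frees per-job
 * lists that a later job-deletion path still dereferences. Illustrative
 * only; names are borrowed from the trace, structures are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXJOBS 4
#define MAXFILES 16

typedef struct filenode { char *path; struct filenode *next; } filenode_t;
typedef struct filelist { filenode_t *first; } filelist_t;
typedef struct job { filelist_t *filelist; /* temp files, or NULL */ } job_t;

/* Record of "unlinked" paths so a check can prove each is removed once. */
static char removed[MAXFILES][64];
static int nremoved;

static void fake_unlink(const char *path)
{
    if (nremoved < MAXFILES)
        snprintf(removed[nremoved++], sizeof removed[0], "%s", path);
}

int times_removed(const char *path)
{
    int n = 0;
    for (int i = 0; i < nremoved; i++)
        if (strcmp(removed[i], path) == 0) n++;
    return n;
}

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Like addfilelist: register a temp file with the job that created it. */
void addfile(job_t *job, const char *path)
{
    if (!job->filelist)
        job->filelist = calloc(1, sizeof *job->filelist);
    filenode_t *n = malloc(sizeof *n);
    n->path = xstrdup(path);
    n->next = job->filelist->first;
    job->filelist->first = n;
}

/* Unlink every file, then free the nodes and the list head itself. */
static void deletefilelist(filelist_t *fl)
{
    for (filenode_t *n = fl->first; n;) {
        filenode_t *next = n->next;
        fake_unlink(n->path);
        free(n->path);
        free(n);
        n = next;
    }
    free(fl);
}

/* BUGGY sweep: frees each list but leaves job->filelist dangling, so a
 * later deletejob() on the same job reads freed memory (the pattern ASAN
 * flags above as heap-use-after-free). Shown for contrast, never called. */
void cleanfilelists_dangling(job_t *jobs, int njobs)
{
    for (int i = 0; i < njobs; i++)
        if (jobs[i].filelist)
            deletefilelist(jobs[i].filelist);
}

/* FIXED sweep: take ownership out of the job before freeing, so any later
 * path sees NULL and skips the list. */
void cleanfilelists(job_t *jobs, int njobs)
{
    for (int i = 0; i < njobs; i++) {
        filelist_t *fl = jobs[i].filelist;
        jobs[i].filelist = NULL;
        if (fl) deletefilelist(fl);
    }
}

/* Late exit-path step (child reaped from the signal handler while the EXIT
 * trap's `sleep 1` is running). Returns 1 if it freed a list, 0 if no-op. */
int deletejob(job_t *job)
{
    if (!job->filelist) return 0;
    deletefilelist(job->filelist);
    job->filelist = NULL;
    return 1;
}

/* Reproduce the reporter's ordering: sweep at exit, then a late deletejob. */
int simulate_exit(void)
{
    job_t jobs[MAXJOBS];
    memset(jobs, 0, sizeof jobs);
    nremoved = 0;
    addfile(&jobs[1], "/tmp/zshAAA");   /* constructed sample paths */
    addfile(&jobs[1], "/tmp/zshBBB");
    addfile(&jobs[2], "/tmp/zshCCC");
    cleanfilelists(jobs, MAXJOBS);      /* exit-time sweep */
    return deletejob(&jobs[1]);         /* must be a harmless no-op: 0 */
}

int main(void)
{
    int late = simulate_exit();
    printf("late deletejob freed a list: %d (expect 0)\n", late);
    printf("/tmp/zshAAA removed %d time(s)\n", times_removed("/tmp/zshAAA"));
    return late != 0;
}
```

The check worth keeping from this model is the ownership rule: whichever path frees a shared list must also clear every live pointer to it, and the other path must treat NULL as "already cleaned". Swapping `cleanfilelists` for `cleanfilelists_dangling` in `simulate_exit` and building with `-fsanitize=address` reproduces the same heap-use-after-free class the report shows, reached from the later `deletejob`.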
Thread overview (3 messages):
2023-02-04 0:31 Cebtenzzre [this message]
2023-02-12 5:31 ` Bart Schaefer
2023-02-12 18:13 ` Cebtenzzre