From: Cebtenzzre
To: zsh-workers@zsh.org
Subject: Segmentation fault at exit with set -u and pipe
Date: Fri, 03 Feb 2023 19:31:08 -0500
X-Seq: 51358

I have discovered a case where zsh will segfault at exit.
Here is an example that reproduces it more often than not:

set -u
trap 'sleep 1' EXIT
: | test $x

The trap line is not actually required but makes the issue easier to
reproduce.

I have been able to reproduce this on both zsh 5.9 and latest master
(bffdbccda69683ce857dfad457e3209c0f00aa0c "51354: Fix markup in man page
version" at the time of this writing). According to git bisect, this
appears to be a regression caused by commit
e127ceaae87414588d4c839fc4cc04f02c2ed8c5 "50149: Remove all remaining
=(...) files at shell exit".

Below is the report that ASAN gives me on zsh 5.9. It appears that
cleanfilelists frees memory that is sometimes referenced later in the
exit process.

$ zsh repr.zsh
repr.zsh:3: x: parameter not set
=================================================================
==4032127==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000dde0 at pc 0x558958e3cbf9 bp 0x7fff485bc8e0 sp 0x7fff485bc8d0
READ of size 8 at 0x60300000dde0 thread T0
    #0 0x558958e3cbf8 in getlinknode /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215
    #1 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1354
    #2 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
    #3 0x558958e25e97 in deletejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1440
    #4 0x558958e26e67 in printjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1284
    #5 0x558958e290bd in update_job /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:624
    #6 0x558958ed01bd in wait_for_processes /usr/src/debug/zsh/zsh-5.9/Src/signals.c:562
    #7 0x558958ecf3a4 in zhandler /usr/src/debug/zsh/zsh-5.9/Src/signals.c:649
    #8 0x7fcb150049ff  (/usr/lib/libc.so.6+0x389ff)
    #9 0x7fcb15004cb8 in sigsuspend (/usr/lib/libc.so.6+0x38cb8)
    #10 0x558958ecd5e7 in signal_suspend /usr/src/debug/zsh/zsh-5.9/Src/signals.c:393
    #11 0x558958e2a8e3 in zwaitjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1628
    #12 0x558958e2bc2f in waitonejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1678
    #13 0x558958e2bc2f in waitjobs /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1698
    #14 0x558958dd1ba5 in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1785
    #15 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
    #16 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
    #17 0x558958ed4b10 in dotrapargs /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1383
    #18 0x558958ece9ad in dotrap /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1489
    #19 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5887
    #20 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
    #21 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
    #22 0x558958d7023c in main main.c:93
    #23 0x7fcb14fef28f  (/usr/lib/libc.so.6+0x2328f)
    #24 0x7fcb14fef349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
    #25 0x558958d70824 in _start ../sysdeps/x86_64/start.S:115

0x60300000dde0 is located 0 bytes inside of 24-byte region [0x60300000dde0,0x60300000ddf8)
freed by thread T0 here:
    #0 0x7fcb153d9672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x558958e4fbdc in zfree /usr/src/debug/zsh/zsh-5.9/Src/mem.c:1871
    #2 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1365
    #3 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
    #4 0x558958e25dfc in cleanfilelists /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1378
    #5 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5863
    #6 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
    #7 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
    #8 0x558958d7023c in main main.c:93
    #9 0x7fcb14fef28f  (/usr/lib/libc.so.6+0x2328f)

previously allocated by thread T0 here:
    #0 0x7fcb153daa89 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x558958e4e9c0 in zalloc /usr/src/debug/zsh/zsh-5.9/Src/mem.c:966
    #2 0x558958e3c6a1 in znewlinklist /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:120
    #3 0x558958e2588c in addfilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1307
    #4 0x558958dcf83f in execpline2 /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1973
    #5 0x558958dd034e in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1689
    #6 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
    #7 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
    #8 0x558958e130cc in loop /usr/src/debug/zsh/zsh-5.9/Src/init.c:212
    #9 0x558958e1eea8 in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1794
    #10 0x558958d7023c in main main.c:93
    #11 0x7fcb14fef28f  (/usr/lib/libc.so.6+0x2328f)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215 in getlinknode
Shadow bytes around the buggy address:
  0x0c067fff9b60: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff9b70: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fff9b80: 00 00 01 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c067fff9b90: fa fa 00 00 01 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff9ba0: 01 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x0c067fff9bb0: 00 00 00 fa fa fa fd fd fd fa fa fa[fd]fd fd fa
  0x0c067fff9bc0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff9bd0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4032127==ABORTING

Thanks,
Cebtenzzre
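
The report says the crash is intermittent and was bisected, so the following is an added example (not part of the original message or of zsh) of a harness that repeats the reproducer and returns a verdict usable with `git bisect run`. The function names, the default of 20 runs and the way the shell under test is passed on the command line are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the original message.

# Write the three-line reproducer from the report to file $1.
write_repro() {
    cat > "$1" <<'EOF'
set -u
trap 'sleep 1' EXIT
: | test $x
EOF
}

# count_crashes RUNS SCRIPT CMD [ARGS...]
# Run "CMD ARGS SCRIPT" RUNS times; print how many runs were killed by a
# signal (exit status > 128, e.g. 139 = 128 + SIGSEGV).
# Assumption: a plain, non-ASan build, where the bug shows up as SIGSEGV.
count_crashes() {
    runs=$1 script=$2
    shift 2
    crashes=0 i=0
    while [ "$i" -lt "$runs" ]; do
        status=0
        { "$@" "$script"; } >/dev/null 2>&1 || status=$?
        if [ "$status" -gt 128 ]; then crashes=$((crashes + 1)); fi
        i=$((i + 1))
    done
    echo "$crashes"
}

# bisect_verdict RUNS SCRIPT CMD [ARGS...]
# Status 0 ("good" for git bisect run) if no run crashed, 1 ("bad") otherwise.
# The crash is intermittent, so "good" only means "not seen in RUNS tries".
bisect_verdict() {
    [ "$(count_crashes "$@")" -eq 0 ]
}

# Stand-alone use: sh this-script /path/to/zsh -f
if [ "$#" -gt 0 ]; then
    repro=$(mktemp) || exit 125   # 125 tells git bisect to skip this commit
    write_repro "$repro"
    rc=0
    bisect_verdict 20 "$repro" "$@" || rc=$?
    rm -f "$repro"
    exit "$rc"
fi
```

Each run takes at least a second because of the `sleep 1` in the EXIT trap; raise the run count if the crash rate on a given build is low.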