* Segmentation fault at exit with set -u and pipe
@ 2023-02-04 0:31 Cebtenzzre
From: Cebtenzzre @ 2023-02-04 0:31 UTC (permalink / raw)
To: zsh-workers
I have discovered a case where zsh will segfault at exit. Here is an
example that reproduces it more often than not:
set -u
trap 'sleep 1' EXIT
: | test $x
The trap line is not actually required but makes the issue easier to
reproduce. I have been able to reproduce this on both zsh 5.9 and latest
master (bffdbccda69683ce857dfad457e3209c0f00aa0c "51354: Fix markup in
man page version" at the time of this writing).
According to git bisect, this appears to be a regression caused by
commit e127ceaae87414588d4c839fc4cc04f02c2ed8c5 "50149: Remove all
remaining =(...) files at shell exit". Below is the report that ASAN
gives me on zsh 5.9. It appears that cleanfilelists frees memory that is
sometimes referenced later in the exit process.
$ zsh repr.zsh
repr.zsh:3: x: parameter not set
=================================================================
==4032127==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000dde0 at pc 0x558958e3cbf9 bp 0x7fff485bc8e0 sp 0x7fff485bc8d0
READ of size 8 at 0x60300000dde0 thread T0
#0 0x558958e3cbf8 in getlinknode /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215
#1 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1354
#2 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
#3 0x558958e25e97 in deletejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1440
#4 0x558958e26e67 in printjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1284
#5 0x558958e290bd in update_job /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:624
#6 0x558958ed01bd in wait_for_processes /usr/src/debug/zsh/zsh-5.9/Src/signals.c:562
#7 0x558958ecf3a4 in zhandler /usr/src/debug/zsh/zsh-5.9/Src/signals.c:649
#8 0x7fcb150049ff (/usr/lib/libc.so.6+0x389ff)
#9 0x7fcb15004cb8 in sigsuspend (/usr/lib/libc.so.6+0x38cb8)
#10 0x558958ecd5e7 in signal_suspend /usr/src/debug/zsh/zsh-5.9/Src/signals.c:393
#11 0x558958e2a8e3 in zwaitjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1628
#12 0x558958e2bc2f in waitonejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1678
#13 0x558958e2bc2f in waitjobs /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1698
#14 0x558958dd1ba5 in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1785
#15 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
#16 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
#17 0x558958ed4b10 in dotrapargs /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1383
#18 0x558958ece9ad in dotrap /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1489
#19 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5887
#20 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
#21 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
#22 0x558958d7023c in main main.c:93
#23 0x7fcb14fef28f (/usr/lib/libc.so.6+0x2328f)
#24 0x7fcb14fef349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
#25 0x558958d70824 in _start ../sysdeps/x86_64/start.S:115
0x60300000dde0 is located 0 bytes inside of 24-byte region [0x60300000dde0,0x60300000ddf8)
freed by thread T0 here:
#0 0x7fcb153d9672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x558958e4fbdc in zfree /usr/src/debug/zsh/zsh-5.9/Src/mem.c:1871
#2 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1365
#3 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
#4 0x558958e25dfc in cleanfilelists /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1378
#5 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5863
#6 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
#7 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
#8 0x558958d7023c in main main.c:93
#9 0x7fcb14fef28f (/usr/lib/libc.so.6+0x2328f)
previously allocated by thread T0 here:
#0 0x7fcb153daa89 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x558958e4e9c0 in zalloc /usr/src/debug/zsh/zsh-5.9/Src/mem.c:966
#2 0x558958e3c6a1 in znewlinklist /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:120
#3 0x558958e2588c in addfilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1307
#4 0x558958dcf83f in execpline2 /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1973
#5 0x558958dd034e in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1689
#6 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
#7 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
#8 0x558958e130cc in loop /usr/src/debug/zsh/zsh-5.9/Src/init.c:212
#9 0x558958e1eea8 in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1794
#10 0x558958d7023c in main main.c:93
#11 0x7fcb14fef28f (/usr/lib/libc.so.6+0x2328f)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215 in getlinknode
==4032127==ABORTING
Thanks,
Cebtenzzre
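Added example, not code from the report or from zsh: a cut-down C model of the job-table pattern the ASAN trace shows, in which the exit-time cleanfilelists() frees a job's file list and a later deletejob() re-reads the same slot. Function names mirror the frames in the trace, but the structures are simplified stand-ins and the paths are constructed placeholders; the slot-clearing line corresponds to the fix applied later in this thread.

```c
/* Added model of the job-table pattern in the report (not zsh's code): each
 * job owns a list of temp files and two cleanup passes sweep the table at exit,
 * so pass 1 must clear the slot it frees. -DBUGGY -fsanitize=address shows the UAF. */
#include <stdlib.h>
struct filenode { struct filenode *next; const char *path; };
struct linklist { struct filenode *first; };
static struct linklist *filelist[5];   /* models jobtab[i].filelist, i = 1..4 */
static int deleted_files;              /* stand-in for the unlink() calls */
static void addfilelist(int i, const char *path)
{
    if (!filelist[i]) filelist[i] = calloc(1, sizeof(struct linklist));
    struct filenode *n = malloc(sizeof *n);
    n->path = path; n->next = filelist[i]->first; filelist[i]->first = n;
}
/* Null list: no-op. Otherwise nodes and head are freed, so callers must not
 * keep the pointer: the ASAN trace shows exactly that head read after free. */
static void deletefilelist(struct linklist *l)
{
    if (!l) return;
    for (struct filenode *n = l->first, *next; n; n = next) {
        next = n->next; deleted_files++; free(n);   /* unlink(n->path) here */
    }
    free(l);
}
/* Pass 1: the exit-time sweep (cleanfilelists in the trace). */
static void cleanfilelists(void)
{
    for (int i = 1; i <= 4; i++) {
        deletefilelist(filelist[i]);
#ifndef BUGGY
        filelist[i] = NULL;            /* the patch's fix: no dangling slot */
#endif
    }
}
/* Pass 2: job reaped via the SIGCHLD handler during the EXIT trap (deletejob in the trace); re-reads the slot pass 1 freed. */
static void deletejob(int i)
{
    deletefilelist(filelist[i]);
    filelist[i] = NULL;
}
/* Replays the report's exit order; returns files deleted, which must equal the
 * 2 added: each list is freed exactly once, with no double free. */
static int run_exit_sequence(void)
{
    deleted_files = 0;
    addfilelist(1, "/tmp/constructed-1"); addfilelist(1, "/tmp/constructed-2");
    cleanfilelists();                  /* zexit: remove the =(...) temp files */
    deletejob(1);                      /* then the pipeline's job is reaped */
    return deleted_files;
}
```

Built with -DBUGGY, the second pass dereferences the freed list head, which is the same heap-use-after-free shape ASAN reports above.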
* Re: Segmentation fault at exit with set -u and pipe
From: Bart Schaefer @ 2023-02-12 5:31 UTC (permalink / raw)
To: Cebtenzzre; +Cc: zsh-workers
On Fri, Feb 3, 2023 at 4:32 PM Cebtenzzre <cebtenzzre@gmail.com> wrote:
>
> It appears that cleanfilelists frees memory that is
> sometimes referenced later in the exit process.
Try this.
[-- Attachment #2: cleanfilelists-bug.txt --]
diff --git a/Src/jobs.c b/Src/jobs.c
index 4863962b9..59ddd952e 100644
--- a/Src/jobs.c
+++ b/Src/jobs.c
@@ -1372,8 +1372,10 @@ cleanfilelists(void)
DPUTS(shell_exiting >= 0, "BUG: cleanfilelists() before exit");
- for (i = 1; i <= maxjob; i++)
+ for (i = 1; i <= maxjob; i++) {
deletefilelist(jobtab[i].filelist, 0);
+ jobtab[i].filelist = 0;
+ }
}
/**/
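Review bot: the added `jobtab[i].filelist = 0;` is the line that addresses the reported use-after-free: the ASAN report shows the list freed from cleanfilelists() (jobs.c:1365) and then read again through deletejob() -> deletefilelist() (jobs.c:1354) once the EXIT trap's job handling runs, and clearing the slot turns that second call into a no-op instead of a read of freed memory. This relies on deletefilelist() accepting a null list pointer, which nothing in this hunk checks; please confirm the null case is handled inside deletefilelist(), and consider a one-line comment above the loop stating the ownership rule (a cleared slot means the list is already freed) so the next reader does not reintroduce the dangling pointer.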
@@ -1531,8 +1533,10 @@ havefiles(void)
int i;
for (i = 1; i <= maxjob; i++)
- if (jobtab[i].stat && jobtab[i].filelist)
+ if (jobtab[i].stat && jobtab[i].filelist &&
+ peekfirst(jobtab[i].filelist)) {
return 1;
+ }
return 0;
}
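Review bot: the new `peekfirst(jobtab[i].filelist)` term changes what havefiles() reports, assuming peekfirst() returns a null pointer for an empty list: a job with an allocated but empty file list no longer counts as having files, so an already-swept job cannot keep the exit path waiting on temp files that are gone. That semantic change deserves a comment above the condition or a sentence in the commit message, since the function name alone does not suggest that an empty list is treated like no list. Minor style point: braces are added around the single `return 1;` while the enclosing `for` keeps a brace-less body; either form is fine, but use one consistently within the function.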
* Re: Segmentation fault at exit with set -u and pipe
From: Cebtenzzre @ 2023-02-12 18:13 UTC (permalink / raw)
To: Bart Schaefer; +Cc: zsh-workers
On Sat, 2023-02-11 at 21:31 -0800, Bart Schaefer wrote:
> On Fri, Feb 3, 2023 at 4:32 PM Cebtenzzre <cebtenzzre@gmail.com>
> wrote:
> >
> > It appears that cleanfilelists frees memory that is
> > sometimes referenced later in the exit process.
>
> Try this.
With the provided patch, I can no longer reproduce the issue. Thanks.