zsh-workers
* Segmentation fault at exit with set -u and pipe
@ 2023-02-04  0:31 Cebtenzzre
  2023-02-12  5:31 ` Bart Schaefer
  0 siblings, 1 reply; 3+ messages in thread
From: Cebtenzzre @ 2023-02-04  0:31 UTC (permalink / raw)
  To: zsh-workers

I have discovered a case where zsh will segfault at exit. Here is an
example that reproduces it more often than not:

set -u
trap 'sleep 1' EXIT
: | test $x

The trap line is not actually required but makes the issue easier to
reproduce. I have been able to reproduce this on both zsh 5.9 and latest
master (bffdbccda69683ce857dfad457e3209c0f00aa0c "51354: Fix markup in
man page version" at the time of this writing).

According to git bisect, this appears to be a regression caused by
commit e127ceaae87414588d4c839fc4cc04f02c2ed8c5 "50149: Remove all
remaining =(...) files at shell exit". Below is the report that ASAN
gives me on zsh 5.9. It appears that cleanfilelists frees memory that is
sometimes referenced later in the exit process.

$ zsh repr.zsh
repr.zsh:3: x: parameter not set
=================================================================
==4032127==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000dde0 at pc 0x558958e3cbf9 bp 0x7fff485bc8e0 sp 0x7fff485bc8d0
READ of size 8 at 0x60300000dde0 thread T0
    #0 0x558958e3cbf8 in getlinknode /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215
    #1 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1354
    #2 0x558958e25e97 in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
    #3 0x558958e25e97 in deletejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1440
    #4 0x558958e26e67 in printjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1284
    #5 0x558958e290bd in update_job /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:624
    #6 0x558958ed01bd in wait_for_processes /usr/src/debug/zsh/zsh-5.9/Src/signals.c:562
    #7 0x558958ecf3a4 in zhandler /usr/src/debug/zsh/zsh-5.9/Src/signals.c:649
    #8 0x7fcb150049ff  (/usr/lib/libc.so.6+0x389ff)
    #9 0x7fcb15004cb8 in sigsuspend (/usr/lib/libc.so.6+0x38cb8)
    #10 0x558958ecd5e7 in signal_suspend /usr/src/debug/zsh/zsh-5.9/Src/signals.c:393
    #11 0x558958e2a8e3 in zwaitjob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1628
    #12 0x558958e2bc2f in waitonejob /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1678
    #13 0x558958e2bc2f in waitjobs /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1698
    #14 0x558958dd1ba5 in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1785
    #15 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
    #16 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
    #17 0x558958ed4b10 in dotrapargs /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1383
    #18 0x558958ece9ad in dotrap /usr/src/debug/zsh/zsh-5.9/Src/signals.c:1489
    #19 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5887
    #20 0x558958dab0a6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
    #21 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
    #22 0x558958d7023c in main main.c:93
    #23 0x7fcb14fef28f  (/usr/lib/libc.so.6+0x2328f)
    #24 0x7fcb14fef349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
    #25 0x558958d70824 in _start ../sysdeps/x86_64/start.S:115

0x60300000dde0 is located 0 bytes inside of 24-byte region [0x60300000dde0,0x60300000ddf8)
freed by thread T0 here:
    #0 0x7fcb153d9672 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x558958e4fbdc in zfree /usr/src/debug/zsh/zsh-5.9/Src/mem.c:1871
    #2 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1365
    #3 0x558958e25dfc in deletefilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1350
    #4 0x558958e25dfc in cleanfilelists /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1378
    #5 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5863
    #6 0x558958daabf6 in zexit /usr/src/debug/zsh/zsh-5.9/Src/builtin.c:5820
    #7 0x558958e1f00e in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1805
    #8 0x558958d7023c in main main.c:93
    #9 0x7fcb14fef28f  (/usr/lib/libc.so.6+0x2328f)

previously allocated by thread T0 here:
    #0 0x7fcb153daa89 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x558958e4e9c0 in zalloc /usr/src/debug/zsh/zsh-5.9/Src/mem.c:966
    #2 0x558958e3c6a1 in znewlinklist /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:120
    #3 0x558958e2588c in addfilelist /usr/src/debug/zsh/zsh-5.9/Src/jobs.c:1307
    #4 0x558958dcf83f in execpline2 /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1973
    #5 0x558958dd034e in execpline /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1689
    #6 0x558958dd457b in execlist /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1444
    #7 0x558958dd54f5 in execode /usr/src/debug/zsh/zsh-5.9/Src/exec.c:1221
    #8 0x558958e130cc in loop /usr/src/debug/zsh/zsh-5.9/Src/init.c:212
    #9 0x558958e1eea8 in zsh_main /usr/src/debug/zsh/zsh-5.9/Src/init.c:1794
    #10 0x558958d7023c in main main.c:93
    #11 0x7fcb14fef28f  (/usr/lib/libc.so.6+0x2328f)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/zsh/zsh-5.9/Src/linklist.c:215 in getlinknode
==4032127==ABORTING


Thanks,
Cebtenzzre
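A small C model of the ordering the two ASAN stacks show, added here as an illustration and not zsh's own code: an exit-time sweep frees every job's temp-file list, and a later deletejob on the same job walks that list again. Resetting the list head to NULL after freeing is the fix assumed here (not necessarily the one zsh adopted); with it the second pass is a no-op instead of a read of freed memory.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of zsh's per-job list of =(...) temp files (illustration only,
 * not zsh's code); names loosely follow jobs.c. */
struct fnode { char *name; struct fnode *next; };
struct job   { int used; struct fnode *filelist; };
#define MAXJOB 4
static struct job jobtab[MAXJOB];

/* Record a temp file against job jn (cf. addfilelist). */
void addfilelist(int jn, const char *name) {
    struct fnode *n = malloc(sizeof *n);
    n->name = malloc(strlen(name) + 1);
    strcpy(n->name, name);
    n->next = jobtab[jn].filelist;
    jobtab[jn].filelist = n;
    jobtab[jn].used = 1;
}

/* Free every entry of job jn's list; returns the count removed. The head is
 * reset to NULL (assumed fix, not zsh's) so a second pass, e.g. deletejob
 * from the SIGCHLD path while the EXIT trap runs, sees an empty list. */
int deletefilelist(int jn) {
    int removed = 0;
    struct fnode *n = jobtab[jn].filelist;
    while (n) {
        struct fnode *next = n->next;
        free(n->name);      /* zsh would unlink(n->name) first */
        free(n);
        n = next;
        removed++;
    }
    jobtab[jn].filelist = NULL;
    return removed;
}

/* Exit-time sweep (cf. cleanfilelists): clears every job's list. */
int cleanfilelists(void) {
    int total = 0;
    for (int jn = 0; jn < MAXJOB; jn++)
        total += deletefilelist(jn);
    return total;
}

/* Reaping path (cf. deletejob): list pass again, then free the job slot. */
int deletejob(int jn) {
    int removed = deletefilelist(jn);
    jobtab[jn].used = 0;
    return removed;
}
```

Run the same sequence without the NULL reset under ASAN and it reports a heap-use-after-free in the second pass, matching the shape of the trace above.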

