From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from euclid.skiles.gatech.edu (list@euclid.skiles.gatech.edu [130.207.146.50]) by melb.werple.net.au (8.7.5/8.7.3) with ESMTP id KAA16506 for ; Thu, 9 May 1996 10:06:08 +1000 (EST) Received: (from list@localhost) by euclid.skiles.gatech.edu (8.7.3/8.7.3) id TAA20173; Wed, 8 May 1996 19:53:20 -0400 (EDT) Resent-Date: Wed, 8 May 1996 19:53:20 -0400 (EDT) Message-Id: Subject: Re: compctl bug with beta17 on Linux To: zsh-workers@math.gatech.edu Date: Thu, 9 May 1996 01:51:15 +0200 (MET DST) Cc: hniksic@gnjilux.cc.fer.hr In-Reply-To: <199605080944.LAA04529@gnjilux.cc.fer.hr> from "Hrvoje Niksic" at May 8, 96 11:44:30 am From: Thorsten Meinecke Organization: none. Location: Berlin, Germany X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Resent-Message-ID: <"lMUgB3.0.7x4.lFJan"@euclid> Resent-From: zsh-workers@math.gatech.edu X-Mailing-List: archive/latest/1019 X-Loop: zsh-workers@math.gatech.edu Precedence: list Resent-Sender: zsh-workers-request@math.gatech.edu In archive/latest/1007, Hrvoje Niksic wrote: > compctl -g '*(D-/)' cd > cd /home/p[TAB] [beta17 dumps core, if there's no file/dir named p* in /home] I was able to reproduce this bug on my Linux-box. > gdb shows that the shell fails in zle_tricky.c, in the second call of > get_ccompctl, where the cmdstr contains garbage (instead of "cd"), and > causes declaration char *cmd = dupstring(cmdstr) to coredump in strcpy. Is this condition likely to occur? SIGSEGV caused by overlapping strings in strcpy(). That may explain why this bug went by unnoticed for such a long time. > Further analysis shows that cmdstr (or at least the contents of the memory > it points to) gets garbled when newlinklist() is called That's close. You were lucky that the memory cmdstr pointed to wasn't corrupted in the first place. I do not claim that I understand even a small percentage of what is going on in zle_tricky, but it looks like there went something wrong with heap allocation in regard to cmdstr. Assignments to cmdstr happen one or more times in get_comp_string(), de- pending on the lexer's output. The command strings found are stored onto the current heap, and only the last (that is, innermost) one found will be used subsequently. But before anything useful can be done with cmdstr, the heap will be released! That prompts my idea of the fix: simply make the string that cmdstr points to permanent and free it when we are done. Can somebody more proficient in zle_tricky hacking comment on the risk of introducing a memory leak here? Regards, Thorsten *** 2.25 1996/05/05 10:06:07 --- zle_tricky.c 1996/05/08 19:00:49 *************** *** 575,582 **** --- 575,583 ---- we -= chl; if (wb < 0 || we < 0) return; } + cmdstr = ztrdup(cmdstr); freeheap(); /* Save the lexer state, in case the completion code uses the lexer somewhere (e.g. when processing a compctl -s flag). */ lexsave(); *************** *** 733,740 **** --- 734,742 ---- } /* Reset the lexer state, pop the heap. */ lexrestore(); popheap(); + zsfree(cmdstr); zsfree(qword); menuce = complexpect; }