zsh-workers
* core dump by completion.
@ 2000-02-04 13:52 Tanaka Akira
  0 siblings, 0 replies; 4+ messages in thread
From: Tanaka Akira @ 2000-02-04 13:52 UTC (permalink / raw)
  To: zsh-workers

I got a core dump while testing.  Although I couldn't find a way to reproduce
this, it was caused by the following command line.

is27e1u11% find -ctime s -exec find -<TAB>
zsh: bus error (core dumped)  Src/zsh -f

Z(2):akr@is27e1u11% gdb Src/zsh core
...
189         for (node = list->first; node; node = next) {
(gdb) where
#0  0x60e44 in freelinklist (list=0x31, freefunc=0x9e298 <freestr>) at linklist.c:189
#1  0xfef856b0 in ca_parse_line (d=0x160dd0) at computil.c:1038
#2  0xfef87368 in bin_comparguments (nam=0xf3d08 "comparguments", args=0xf4970, ops=0xffbeafd0 "", func=0) at computil.c:1363
#3  0x1c1c4 in execbuiltin (args=0xf3d00, bn=0xfef9c140) at builtin.c:363
#4  0x361fc in execcmd (state=0xffbeb860, input=0, output=0, how=18, last1=2) at exec.c:2157
#5  0x3194c in execpline2 (state=0xffbeb860, pcode=10499, how=18, input=0, output=0, last1=0) at exec.c:1119
#6  0x3087c in execpline (state=0xffbeb860, slcode=3074, how=18, last1=0) at exec.c:915
#7  0x2ffd8 in execlist (state=0xffbeb860, dont_change_job=1, exiting=0) at exec.c:766
#8  0x62ce0 in execif (state=0xffbeb860, do_exec=0) at loop.c:454
#9  0x35e68 in execcmd (state=0xffbeb860, input=0, output=0, how=18, last1=2) at exec.c:2109
#10 0x3194c in execpline2 (state=0xffbeb860, pcode=10499, how=18, input=0, output=0, last1=0) at exec.c:1119
#11 0x3087c in execpline (state=0xffbeb860, slcode=455682, how=18, last1=0) at exec.c:915
#12 0x2ffd8 in execlist (state=0xffbeb860, dont_change_job=1, exiting=0) at exec.c:766
#13 0x2fda0 in execode (p=0x12cc48, dont_change_job=1, exiting=0) at exec.c:712
#14 0x3a210 in runshfunc (prog=0x12cc48, wrap=0x0, name=0xf3830 "_arguments") at exec.c:3238
#15 0xff00a51c in comp_wrapper (prog=0x12cc48, w=0x0, name=0xf3830 "_arguments") at complete.c:1237
#16 0x3a158 in runshfunc (prog=0x12cc48, wrap=0xff0368c8, name=0xf3830 "_arguments") at exec.c:3226
#17 0x39e38 in doshfunc (name=0xf0170 "_arguments", prog=0x12cc48, doshargs=0xf2c40, flags=8192, noreturnval=0) at exec.c:3173
#18 0x39628 in execshfunc (shf=0xf0128, args=0xf2c40) at exec.c:3020
#19 0x360fc in execcmd (state=0xffbebff0, input=0, output=0, how=18, last1=2) at exec.c:2146
#20 0x3194c in execpline2 (state=0xffbebff0, pcode=259, how=18, input=0, output=0, last1=0) at exec.c:1119
#21 0x3087c in execpline (state=0xffbebff0, slcode=30210, how=18, last1=0) at exec.c:915
#22 0x2ffd8 in execlist (state=0xffbebff0, dont_change_job=1, exiting=0) at exec.c:766
#23 0x2fda0 in execode (p=0x144b18, dont_change_job=1, exiting=0) at exec.c:712
#24 0x3a210 in runshfunc (prog=0x144b18, wrap=0x0, name=0xf2c38 "_find") at exec.c:3238
#25 0xff00a51c in comp_wrapper (prog=0x144b18, w=0x0, name=0xf2c38 "_find") at complete.c:1237
#26 0x3a158 in runshfunc (prog=0x144b18, wrap=0xff0368c8, name=0xf2c38 "_find") at exec.c:3226
#27 0x39e38 in doshfunc (name=0xf5300 "_find", prog=0x144b18, doshargs=0xf2bf0, flags=8192, noreturnval=0) at exec.c:3173
#28 0x39628 in execshfunc (shf=0x100730, args=0xf2bf0) at exec.c:3020
#29 0x360fc in execcmd (state=0xffbecb70, input=0, output=0, how=2, last1=2) at exec.c:2146
#30 0x3194c in execpline2 (state=0xffbecb70, pcode=5059, how=2, input=0, output=0, last1=0) at exec.c:1119
#31 0x3087c in execpline (state=0xffbecb70, slcode=1570, how=2, last1=0) at exec.c:915
#32 0x3000c in execlist (state=0xffbecb70, dont_change_job=1, exiting=0) at exec.c:773
#33 0x62e68 in execif (state=0xffbecb70, do_exec=0) at loop.c:469
#34 0x35e68 in execcmd (state=0xffbecb70, input=0, output=0, how=2, last1=2) at exec.c:2109
#35 0x3194c in execpline2 (state=0xffbecb70, pcode=4931, how=2, input=0, output=0, last1=0) at exec.c:1119
#36 0x3087c in execpline (state=0xffbecb70, slcode=33282, how=2, last1=0) at exec.c:915
#37 0x2ffd8 in execlist (state=0xffbecb70, dont_change_job=1, exiting=0) at exec.c:766
#38 0x2fda0 in execode (p=0x10aec8, dont_change_job=1, exiting=0) at exec.c:712
#39 0x3a210 in runshfunc (prog=0x10aec8, wrap=0x0, name=0xf20b8 "_normal") at exec.c:3238
#40 0xff00a51c in comp_wrapper (prog=0x10aec8, w=0x0, name=0xf20b8 "_normal") at complete.c:1237
#41 0x3a158 in runshfunc (prog=0x10aec8, wrap=0xff0368c8, name=0xf20b8 "_normal") at exec.c:3226
#42 0x39e38 in doshfunc (name=0x1034b0 "_normal", prog=0x10aec8, doshargs=0xf2078, flags=8192, noreturnval=0) at exec.c:3173
#43 0x39628 in execshfunc (shf=0x102ba8, args=0xf2078) at exec.c:3020
#44 0x360fc in execcmd (state=0xffbed6f0, input=0, output=0, how=18, last1=2) at exec.c:2146
#45 0x3194c in execpline2 (state=0xffbed6f0, pcode=2819, how=18, input=0, output=0, last1=0) at exec.c:1119
#46 0x3087c in execpline (state=0xffbed6f0, slcode=2050, how=18, last1=0) at exec.c:915
#47 0x2ffd8 in execlist (state=0xffbed6f0, dont_change_job=1, exiting=0) at exec.c:766
#48 0x62e68 in execif (state=0xffbed6f0, do_exec=0) at loop.c:469
#49 0x35e68 in execcmd (state=0xffbed6f0, input=0, output=0, how=2, last1=2) at exec.c:2109
#50 0x3194c in execpline2 (state=0xffbed6f0, pcode=2691, how=2, input=0, output=0, last1=0) at exec.c:1119
#51 0x3087c in execpline (state=0xffbed6f0, slcode=48642, how=2, last1=0) at exec.c:915
#52 0x2ffd8 in execlist (state=0xffbed6f0, dont_change_job=1, exiting=0) at exec.c:766
#53 0x2fda0 in execode (p=0x10ae00, dont_change_job=1, exiting=0) at exec.c:712
#54 0x3a210 in runshfunc (prog=0x10ae00, wrap=0x0, name=0xf1ac0 "_complete") at exec.c:3238
#55 0xff00a51c in comp_wrapper (prog=0x10ae00, w=0x0, name=0xf1ac0 "_complete") at complete.c:1237
#56 0x3a158 in runshfunc (prog=0x10ae00, wrap=0xff0368c8, name=0xf1ac0 "_complete") at exec.c:3226
#57 0x39e38 in doshfunc (name=0xf62d0 "_complete", prog=0x10ae00, doshargs=0xf1a68, flags=8192, noreturnval=0) at exec.c:3173
#58 0x39628 in execshfunc (shf=0xf6240, args=0xf1a68) at exec.c:3020
#59 0x360fc in execcmd (state=0xffbee6b8, input=0, output=0, how=18, last1=2) at exec.c:2146
#60 0x3194c in execpline2 (state=0xffbee6b8, pcode=4355, how=18, input=0, output=0, last1=0) at exec.c:1119
#61 0x3087c in execpline (state=0xffbee6b8, slcode=1538, how=18, last1=0) at exec.c:915
#62 0x2ffd8 in execlist (state=0xffbee6b8, dont_change_job=1, exiting=0) at exec.c:766
#63 0x62ce0 in execif (state=0xffbee6b8, do_exec=0) at loop.c:454
#64 0x35e68 in execcmd (state=0xffbee6b8, input=0, output=0, how=18, last1=2) at exec.c:2109
#65 0x3194c in execpline2 (state=0xffbee6b8, pcode=4355, how=18, input=0, output=0, last1=0) at exec.c:1119
#66 0x3087c in execpline (state=0xffbee6b8, slcode=10242, how=18, last1=0) at exec.c:915
#67 0x2ffd8 in execlist (state=0xffbee6b8, dont_change_job=1, exiting=0) at exec.c:766
#68 0x615dc in execfor (state=0xffbee6b8, do_exec=0) at loop.c:134
#69 0x35e68 in execcmd (state=0xffbee6b8, input=0, output=0, how=2, last1=2) at exec.c:2109
#70 0x3194c in execpline2 (state=0xffbee6b8, pcode=4291, how=2, input=0, output=0, last1=0) at exec.c:1119
#71 0x3087c in execpline (state=0xffbee6b8, slcode=12802, how=2, last1=0) at exec.c:915
#72 0x2ffd8 in execlist (state=0xffbee6b8, dont_change_job=1, exiting=0) at exec.c:766
#73 0x2fda0 in execode (p=0xd8240, dont_change_job=1, exiting=0) at exec.c:712
#74 0x3a210 in runshfunc (prog=0xd8240, wrap=0x0, name=0xf0b00 "_main_complete") at exec.c:3238
#75 0xff00a51c in comp_wrapper (prog=0xd8240, w=0x0, name=0xf0b00 "_main_complete") at complete.c:1237
#76 0x3a158 in runshfunc (prog=0xd8240, wrap=0xff0368c8, name=0xf0b00 "_main_complete") at exec.c:3226
#77 0x39e38 in doshfunc (name=0xeff18 "_main_complete", prog=0xd8240, doshargs=0x0, flags=0, noreturnval=0) at exec.c:3173
#78 0xff00d048 in callcompfunc (s=0xdc5d8 "-", fn=0xeff18 "_main_complete") at compcore.c:727
#79 0xff00db1c in makecomplist (s=0xdc5d8 "-", incmd=0, lst=0) at compcore.c:884
#80 0xff00b5b4 in do_completion (dummy=0xff0ae4dc, dat=0xffbeeca8) at compcore.c:313
#81 0x6d488 in runhookdef (h=0xff0ae4dc, d=0xffbeeca8) at module.c:1613
#82 0xff08cdc0 in docompletion (s=0x192218 "-", lst=0, incmd=0) at zle_tricky.c:1680
#83 0xff088a68 in docomplete (lst=0) at zle_tricky.c:741
#84 0xff086624 in expandorcomplete (args=0xff0ae458) at zle_tricky.c:260
#85 0xff0860d8 in completecall (args=0xff0ae458) at zle_tricky.c:165
#86 0xff076fc8 in execzlefunc (func=0xff0ac3b4, args=0xff0ae458) at zle_main.c:645
#87 0xff076aa4 in zleread (lp=0xd5ea0 "%m%# ", rp=0x0, flags=3) at zle_main.c:564
#88 0x53b88 in inputline () at input.c:265
#89 0x53954 in ingetc () at input.c:210
#90 0x491d0 in ihgetc () at hist.c:242
#91 0x5bb44 in gettok () at lex.c:560
#92 0x5aea0 in yylex () at lex.c:313
#93 0x7a1d0 in parse_event () at parse.c:292
#94 0x4fdc4 in loop (toplevel=1, justonce=0) at init.c:115
#95 0x1b2a8 in main (argc=2, argv=0xffbef46c) at ./main.c:89
(gdb) 
-- 
Tanaka Akira



* Re: core dump by completion.
@ 2000-02-08 11:32 Sven Wischnowsky
  0 siblings, 0 replies; 4+ messages in thread
From: Sven Wischnowsky @ 2000-02-08 11:32 UTC (permalink / raw)
  To: zsh-workers


Tanaka and I had a bit of a private discussion, trying to find
the memory bug he mentioned. He found a way to reproduce it:

> ...
>
> I couldn't remember.  But finally I found a reproducible way to dump core.
> 
> Z(2):akr@is27e1u11% Src/zsh -f
> is27e1u11% bindkey -e; autoload -U compinit; compinit -D; compdef _tst tst
> is27e1u11% _tst () { _arguments -a ":desc1:(arg1)" "*::desc2:_tst2" }
> is27e1u11% _tst2 () { _arguments "*:de:($CURRENT)" }
> is27e1u11% tst -a <TAB><TAB><TAB><TAB><TAB><TAB><TAB><TAB><TAB><TAB>
> ->
> is27e1u11% tst -a arg1 2 3 4 5 6 7 8 9 zsh: bus error (core dumped)  Src/zsh -f

When the cache of parsed _argument descriptions was full and a new one 
was added and that one happened to be the one just used, a bit of
information needed by the next invocation of ca_parse_line() was
overwritten: it didn't know the correct number of options anymore.

Of course, the cache entry for the definitions that were just used
shouldn't be used for the next set of definitions. And get_cadef()
tried to avoid that -- failing to do so because of a rather stupid
off-by-one error.

Thanks, Tanaka.

Bye
 Sven

diff -ru ../z.old/Src/Zle/computil.c Src/Zle/computil.c
--- ../z.old/Src/Zle/computil.c	Tue Feb  8 11:07:54 2000
+++ Src/Zle/computil.c	Tue Feb  8 11:47:25 2000
@@ -875,7 +875,7 @@
     Cadef *p, *min, new;
     int i, na = arrlen(args);
 
-    for (i = MAX_CACACHE, p = cadef_cache, min = NULL; *p && i--; p++)
+    for (i = MAX_CACACHE, p = cadef_cache, min = NULL; *p && i; p++, i--)
 	if (*p && na == (*p)->ndefs && arrcmp(args, (*p)->defs)) {
 	    (*p)->lastt = time(0);
 
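Review bot: the rewritten condition `*p && i; p++, i--` still evaluates `*p` before `i`, so on a full cache the loop reads the slot at `cadef_cache + MAX_CACACHE` once before `i == 0` stops it; if `cadef_cache` has exactly MAX_CACACHE elements that read is one past the end, and `i && *p` (with the same `p++, i--` step) avoids it while keeping the new post-loop contract. That contract is the real fix here: the old postfix `i--` left `i` at -1 after a full scan whenever the word past the array happened to be non-zero, the new form leaves it at 0 regardless, and the code after the loop that tests `i` is outside this hunk, so a one-line comment stating that `i == 0` means every slot is occupied would help the next reader. The `*p &&` in the `if` on the following line is now redundant with the loop condition and can be dropped.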
@@ -1003,6 +1003,7 @@
 
 struct castate {
     Cadef d;
+    int nopts;
     Caarg def, ddef;
     Caopt curopt;
     int opt, arg, argbeg, optbeg, nargbeg, restbeg;
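Review bot: `int nopts;` duplicates `d->nopts` with no comment saying why, which invites a later cleanup that reintroduces the crash; document it at the declaration, for example `int nopts;   /* d->nopts at parse time: d points into cadef_cache and may be stale when we free */`.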
@@ -1029,7 +1030,7 @@
     /* Free old state. */
 
     if (ca_alloced) {
-	int i = ca_laststate.d->nopts;
+	int i = ca_laststate.nopts;
 	LinkList *p = ca_laststate.oargs;
 
 	freelinklist(ca_laststate.args, freestr);
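Review bot: reading `ca_laststate.nopts` instead of `ca_laststate.d->nopts` is the right fix for the free count, but `ca_laststate.d` itself still points at a cache entry that may have been replaced, so any other access through it in this free block or elsewhere in computil.c has the same stale-pointer hazard and is worth a grep; setting `ca_laststate.d = NULL` once the old state has been freed would turn a future misuse into an immediate null dereference instead of the silent walk into garbage (`list=0x31`) seen in the core.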
@@ -1048,6 +1049,7 @@
     /* Default values for the state. */
 
     state.d = d;
+    state.nopts = d->nopts;
     state.def = state.ddef = NULL;
     state.curopt = NULL;
     state.argbeg = state.optbeg = state.nargbeg = state.restbeg =
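Review bot: `state.nopts = d->nopts;` directly after `state.d = d` is the correct point to snapshot the count, provided nothing between here and the assignment to `ca_laststate` can call get_cadef() and recycle `d`'s slot; a short comment stating that ordering requirement would keep a later reorder from breaking it. If the `oargs` allocation further down still sizes itself from `d->nopts`, switch it to `state.nopts` so the count used to allocate and the count used to free in the previous hunk are visibly the same field.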

--
Sven Wischnowsky                         wischnow@informatik.hu-berlin.de


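The following is an added example, not code from zsh or from anyone in this thread. It models in miniature the failure Sven describes and the two changes in his patch: a fixed-size cache of parsed definitions whose slots are reused once the cache is full, a parser state that keeps a raw pointer into that cache, and a free path that reads the option count through that pointer. The names cadef, castate, get_cadef and MAX_CACHE echo the thread; everything else is an assumption made for the demonstration: the slot-reuse policy (round-robin rather than least-recently-used), the option counts, the in-place overwrite of a reused entry, the omitted lookup, and the extra `beyond` slot that stands in for whatever memory follows the real array so the old loop's behaviour can be shown without an out-of-bounds read. The free loop is clamped to the lists that really exist, where the real one walked off the end.

```c
/* Added example, not zsh code: a toy model of the two defects fixed by the patch
 * above.  The names cadef, castate, get_cadef and MAX_CACHE echo the thread;
 * layout, slot-reuse policy and option counts are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CACHE 4
typedef struct { int nopts; } cadef;   /* a parsed _arguments definition */
typedef struct {
    cadef *d;            /* pointer into the cache; may go stale */
    int nopts;           /* the fix: d->nopts copied when the state was built */
    int real_nopts;      /* demo bookkeeping only: how many lists really exist */
    int **oargs;         /* one allocation per option, like oargs[] in the thread */
} castate;

/* The extra slot stands in for whatever follows the real array in memory; it is
 * set non-NULL so the old loop's full-cache behaviour shows without an OOB read. */
static cadef *cache[MAX_CACHE + 1];
static cadef storage[MAX_CACHE], beyond;
static int cache_fill, next_victim;
static castate laststate;

static void reset_cache(void) {
    memset(cache, 0, sizeof cache);
    cache[MAX_CACHE] = &beyond;
    cache_fill = next_victim = 0;
}

/* Add a definition: take a free slot or, once the cache is full, reuse an entry in
 * place (lookup omitted: every description in the reproducer is new).  Reuse is what
 * lets castate.d keep pointing at memory that now describes something else. */
static cadef *get_cadef(int nopts) {
    cadef *d;
    if (cache_fill < MAX_CACHE) {
        d = cache[cache_fill] = &storage[cache_fill];
        cache_fill++;
    } else {
        d = cache[next_victim];
        next_victim = (next_victim + 1) % MAX_CACHE;
    }
    d->nopts = nopts;
    return d;
}

/* The loop from the first hunk, old and new form, over a cache holding `entries`
 * definitions.  Both visit the same live entries, but on a full cache the old
 * postfix i-- fires once more, so i ends at -1 instead of 0; a caller that reads
 * i != 0 as "stopped at a free slot p" would then use cache[MAX_CACHE]. */
static int scan_final_i(int entries, int old_form) {
    cadef **p; int i;
    reset_cache();
    while (entries-- > 0)
        get_cadef(1);
    if (old_form)
        for (i = MAX_CACHE, p = cache; *p && i--; p++) { }
    else
        for (i = MAX_CACHE, p = cache; *p && i; p++, i--) { }
    return i;
}

/* Build a state for d with one list per option, as ca_parse_line() does. */
static void build_state(cadef *d) {
    laststate.d = d;
    laststate.nopts = laststate.real_nopts = d->nopts;   /* copy added by the last hunk */
    laststate.oargs = calloc((size_t)d->nopts, sizeof *laststate.oargs);
    for (int i = 0; i < d->nopts; i++)
        laststate.oargs[i] = calloc(1, sizeof(int));
}

/* Free the previous state and return the count the free loop used.  The real loop
 * walked that many oargs[] entries; with a stale count it ran off the end and fed
 * garbage (list=0x31 in the core) to freelinklist().  Here it is clamped to stay safe. */
static int free_laststate(int use_copied_count) {
    int n = use_copied_count ? laststate.nopts : laststate.d->nopts;
    for (int i = 0; i < n && i < laststate.real_nopts; i++)
        free(laststate.oargs[i]);
    free(laststate.oargs);
    return n;
}

/* Tanaka's reproducer in miniature: "tst -a" is parsed (3 options here), then _tst2
 * runs again and again with a description that changes every time (it embeds
 * $CURRENT), so new definitions fill the cache until the first one's slot is reused. */
static int count_used_to_free(int use_copied_count) {
    reset_cache();
    build_state(get_cadef(3));
    for (int k = 0; k < MAX_CACHE; k++)
        get_cadef(9);                /* every new definition has 9 options */
    return free_laststate(use_copied_count);
}

int main(void) {
    printf("free count via d->nopts %d, via copied nopts %d (3 lists allocated)\n",
           count_used_to_free(0), count_used_to_free(1));
    printf("i after a full scan: old loop %d, new loop %d\n",
           scan_final_i(MAX_CACHE, 1), scan_final_i(MAX_CACHE, 0));
    return 0;
}
```

Reading the count through the stale pointer yields 9 where 3 lists exist, which is the direction that makes the real free loop walk into neighbouring memory; the copied count yields 3. The scan shows why the loop counter mattered: both forms agree whenever a free slot stops them early, and differ only on a full cache, where the old form ends with i == -1 and the new form with i == 0.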

* Re: core dump by completion.
  2000-02-04 15:07 Sven Wischnowsky
@ 2000-02-04 15:45 ` Tanaka Akira
  0 siblings, 0 replies; 4+ messages in thread
From: Tanaka Akira @ 2000-02-04 15:45 UTC (permalink / raw)
  To: zsh-workers

In article <200002041507.QAA29235@beta.informatik.hu-berlin.de>,
  Sven Wischnowsky <wischnow@informatik.hu-berlin.de> writes:

> I can't reproduce it and I can't find an error in the
> allocation/freeing scheme for oargs[]. So I guess, someone has
> overwritten parts of that array. Do you still have the core dump? If
> so, could you tell me the values of the surrounding fields (in
> ca_parse_line(): p[-2], p[0], etc.)? Maybe that gives a hint where it
> is overwritten.

ok.

#0  0x60e44 in freelinklist (list=0x31, freefunc=0x9e298 <freestr>) at linklist.c:189
189         for (node = list->first; node; node = next) {
(gdb) up
#1  0xfef856b0 in ca_parse_line (d=0x160dd0) at computil.c:1038
1038                    freelinklist(p[-1], freestr);
(gdb) print p[-10]
$1 = 0x0
(gdb) print p[-9]
$2 = 0x0
(gdb) print p[-8]
$3 = 0x0
(gdb) print p[-7]
$4 = 0x0
(gdb) print p[-6]
$5 = 0x0
(gdb) print p[-5]
$6 = 0x0
(gdb) print p[-4]
$7 = 0x0
(gdb) print p[-3]
$8 = 0x0
(gdb) print p[-2]
$9 = 0x0
(gdb) print p[-1]
$10 = 0x31
(gdb) print p[0]
$11 = 0x7363616e
(gdb) print p[1]
$12 = 0x0
(gdb) print p[2]
$13 = 0x0
(gdb) print p[3]
$14 = 0x4
(gdb) print p[4]
$15 = 0x0
(gdb) print p[5]
$16 = 0x0
(gdb) print p[6]
$17 = 0x0
(gdb) print p[7]
$18 = 0xffffffff
(gdb) print p[8]
$19 = 0x0
(gdb) print p[9]
$20 = 0x13fb98
(gdb) print p[10]
$21 = 0x0
(gdb) print ca_laststate
$22 = {d = 0x0, def = 0x0, ddef = 0x0, curopt = 0x0, opt = 0, arg = 0, argbeg = 0, optbeg = 0, nargbeg = 0, restbeg = 0, inopt = 0, inrest = 0, inarg = 0, 
  nth = 0, doff = 1365864, singles = 1231384, args = 0x135928, oargs = 0x15f870}
(gdb) print p
$23 = (LinkList *) 0x13324c
(gdb) print i
$24 = 44
-- 
Tanaka Akira



* Re: core dump by completion.
@ 2000-02-04 15:07 Sven Wischnowsky
  2000-02-04 15:45 ` Tanaka Akira
  0 siblings, 1 reply; 4+ messages in thread
From: Sven Wischnowsky @ 2000-02-04 15:07 UTC (permalink / raw)
  To: zsh-workers


Tanaka Akira wrote:

> I got a core dump while testing.  Although I couldn't find a way to reproduce
> this, it was caused by the following command line.
> 
> is27e1u11% find -ctime s -exec find -<TAB>
> zsh: bus error (core dumped)  Src/zsh -f
> 
> Z(2):akr@is27e1u11% gdb Src/zsh core
> ...
> 189         for (node = list->first; node; node = next) {
> (gdb) where
> #0  0x60e44 in freelinklist (list=0x31, freefunc=0x9e298 <freestr>) at linklist.c:189
> #1  0xfef856b0 in ca_parse_line (d=0x160dd0) at computil.c:1038

I can't reproduce it and I can't find an error in the
allocation/freeing scheme for oargs[]. So I guess, someone has
overwritten parts of that array. Do you still have the core dump? If
so, could you tell me the values of the surrounding fields (in
ca_parse_line(): p[-2], p[0], etc.)? Maybe that gives a hint where it
is overwritten.

Bye
 Sven


--
Sven Wischnowsky                         wischnow@informatik.hu-berlin.de



Thread overview: 4+ messages
2000-02-04 13:52 core dump by completion Tanaka Akira
2000-02-04 15:07 Sven Wischnowsky
2000-02-04 15:45 ` Tanaka Akira
2000-02-08 11:32 Sven Wischnowsky

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/
