Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: A repeating core, just sharing backtrace

X-seq: zsh-workers 43156
From: Peter Stephenson <p.stephenson@xxxxxxxxxxx>
To: Zsh hackers list <zsh-workers@xxxxxxx>
Subject: Re: A repeating core, just sharing backtrace
Date: Tue, 10 Jul 2018 14:33:19 +0100
Cms-type: 201P
Dkim-filter: OpenDKIM Filter v2.11.0 mailout1.w1.samsung.com 20180710133322euoutp015620d358c940844e3c110dd50e2d95ad~ABTYHhNs32299622996euoutp01y
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samsung.com; s=mail20170921; t=1531229602; bh=Xc+QNe9NMTse+Y0UTsglZJ6Uajl/73iAuBmVQUl/A+g=; h=Date:From:To:Subject:In-Reply-To:References:From; b=vUTUoygAQfK9qu1G46BqPJqaH9CO1rqbH/pDzUqqQdw5Yhy/TVLf22Ujf9guWfb8n OzTJk+1sK96V8Q66iTL2YIFa3a+Q4lL1F1xBTe9XDcS2pZAcEQRtRoTb/pNm5qsTpv NSOAbTZLP6NKBPhyA+2jpTpSszC+W+juMYdBKkJo=
In-reply-to: <CAKc7PVBQn-ZjZ1T0TLqofETRiRw3xTExJ3aN10FWPqEQSi180w@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
Organization: SCSC
References: <CAKc7PVDcW6SRsk7XtjvNkj49C2-o-_BmQywYizh=QOvu5z16iw@mail.gmail.com> <CGME20180705134128epcas4p426987f777de70dfe2dfacda469b39424@epcas4p4.samsung.com> <CAKc7PVBQn-ZjZ1T0TLqofETRiRw3xTExJ3aN10FWPqEQSi180w@mail.gmail.com>

On Thu, 5 Jul 2018 15:40:30 +0200
Sebastian Gniazdowski <sgniazdowski@xxxxxxxxx> wrote:
> I bisected from 5.4.2 to HEAD. The core is fully repeatable. It's a
> larger script (zplugin) operation that causes the core, so currently
> this is kind of a black box.
> 
> f7519811e1bbe990ff1c3d499ffb70cfc2d034f8 is the first bad commit
> commit f7519811e1bbe990ff1c3d499ffb70cfc2d034f8
> Author: Ricardo Giorni <ricardo@xxxxxxxxx>
> Date:   Sun Apr 29 12:05:39 2018 -0700
> 
>     47201: fix 42355 for multiple backslashes
> 
> 
> I think this is a well pointed commit, because any backtrace I
> occurred was going through zshlex:
> 
>     ...
>     frame #5: 0x00007fff5766b256 libsystem_malloc.dylib`free_tiny +
> 628 frame #6: 0x0000000100e076e8 zsh`zfree + 24
>     frame #7: 0x0000000100dc4c3c zsh`gethere + 780
>     frame #8: 0x0000000100dfafc1 zsh`zshlex + 369
>     frame #9: 0x0000000100e26c6f zsh`par_redir + 655
>     frame #10: 0x0000000100e29b5f zsh`par_simple + 2063
>     ...

The zfree() in that backtrace is on a locally allocated buffer, so this
looks like earlier memory corruption, which would fit.

The change in question is quite small but does cause bptr in that for
loop to be incremented possibly twice per loop.  So this change is
probably needed whether or not it fixes the bug.

I hope the pointer arithmetic here is also a bit more transparent[ly
correct].

pws

diff --git a/Src/exec.c b/Src/exec.c
index 5864020..47a4567 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -4418,7 +4418,9 @@ gethere(char **strp, int typ)
 	while ((c = hgetc()) == '\t' && strip)
 	    ;
 	for (;;) {
-	    if (bptr == buf + bsiz) {
+	    if (bptr >= buf + bsiz - 1) {
+		ptrdiff_t toff = t - buf;
+		ptrdiff_t bptroff = bptr - buf;
 		char *newbuf = realloc(buf, 2 * bsiz);
 		if (!newbuf) {
 		    /* out of memory */
@@ -4426,8 +4428,8 @@ gethere(char **strp, int typ)
 		    return NULL;
 		}
 		buf = newbuf;
-		t = buf + bsiz - (bptr - t);
-		bptr = buf + bsiz;
+		t = buf + toff;
+		bptr = buf + bptroff;
 		bsiz *= 2;
 	    }
 	    if (lexstop || c == '\n')

References:
- A repeating core, just sharing backtrace
  - From: Sebastian Gniazdowski
- Re: A repeating core, just sharing backtrace
  - From: Sebastian Gniazdowski

Messages sorted by: Reverse Date, Date, Thread, Author