Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Probabilistic crash on zsh 5.9 on x86_64



On 4/8/23, zsh bug report throwaway email thing
<zsh.throwaway.eDjb3nwqw@xxxxxxxxx> wrote:
> Hello,
>
> I would like to report a bug in zsh 5.9 (x86_64-pc-linux-gnu) (on Arch
> Linux, but I also reproduced on Alpine in QEMU, so it is probably zsh and
> not libc. Also, this does not happen in archiso in qemu, which is also
> weird.).
>
> Repro instructions: run the commands:
> TRAPEXIT() { ls }
> TRAPEXIT
> # if that does not crash, keep typing TRAPEXIT until it does. sometimes it doesn't crash.
>
> Expected behavior: zsh might throw an error or something? but it shouldn't
> crash
> Actual behavior: there is an unknown chance that zsh throws an error and
> crashes like this:
> zsh: TRAPEXIT: function not defined by file
> malloc(): unaligned tcache chunk detected
> [1] 34511 IOT instruction (core dumped) zsh
>
> Nothing relevant in dmesg.
>
> If I can help in any way, please contact me.
>
> Kind regards,
> an anonymous bug reporter

It seems to happen reliably for me every time, with these messages,
% MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'
1: parse.c:2817: Heap EPROG has nref > 0
free(): invalid pointer
zsh: abort      MALLOC_CHECK_=3 zsh -fc 'TRAPEXIT() { ls }; TRAPEXIT'

valgrind is also extremely unhappy with this execution path.

-- 
Mikael Magnusson



