phil@rex:~$ unset a b X; declare -i a b=1; declare -ia X=(1 2 3);
phil@rex:~$ unset a b X; declare -i a b=1; declare -ia X=(1 2 3); (( a=X[b] )); echo $a
2
phil@rex:~$ cd Development/pc-z80
phil@rex:~/Development/pc-z80$ chmod +x pc-crash-bash.bash
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash2
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
2
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
2
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
3
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
200
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
100
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
This works: 100Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
This works: 100
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
This works: 100
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
This works: 100
This works: 200
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
This works: 100
This works: 200
But a 'b=b+1' after an array read crashes bash.
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
This works: 100
This works: 200
This works: 200
But a 'b=b+1' after an array read crashes bash.
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
This works: 100
This works: 200
This works: 200
But a 'b=b+1' after an array read crashes bash.
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ declare -ia X=({0..1000}); echo ${X[3]}
3
phil@rex:~/Development/pc-z80$ declare -ia X=({0..1000..100}); echo ${X[3]}
300
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
This works: a=-1 b=2
This works: a=-1 b=3
This works: a=300 b=3
This works: a=300 b=4
This works: a=400 b=5
This works: a=500 b=6
This works: a=500 b=8
This works: a=500 b=10
This works: a=0 b=11
This works: a=0 b=12
This works: a=0 b=13
This works: a=0 b=14
But a 'b=b+1' after an array read crashes bash.
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ ./pc-crash-bash.bash
Howto crash bash
This works: a=-1 b=2
This works: a=-1 b=3
This works: a=300 b=3
This works: a=300 b=4
This works: a=400 b=5
This works: a=500 b=6
This works: a=500 b=8
This works: a=500 b=10
This works: a=0 b=11
This works: a=0 b=12
This works: a=0 b=13
This works: a=0 b=14
But a 'b=b+1' after an array read crashes bash.
Segmentation fault (core dumped)
phil@rex:~/Development/pc-z80$ bashbug
Processing '/etc/jupp/editorrc'...done
Processing '/etc/jupp/editorrc'...done

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-pc-linux-gnu' -DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I../bash -I../bash/include -I../bash/lib -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall
uname output: Linux rex 3.7.5-030705-generic #201301280206 SMP Mon Jan 28 07:07:29 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 4.2
Patch Level: 37
Release Status: release

Description:
        Within (( )), 'b=b+1' will crash bash with a segment fault
        if it follows an array read such as 'a=X[b]'.
        Once, a test line entered into a bash prompt crashed my
        terminal window as well.

Repeat-By:
        #!/bin/bash
        printf "Howto crash bash\n"
        unset a b X
        declare -i a=-1 b=1
        declare -ia X=( {0..1000..100} )
        printf "But a 'b=b+1' after an array read crashes bash.\n"
        (( a=X[b], b=b+1 )); printf "This crashes: a=%d b=%d\n" $a $b

Fix:
        Don't run a command after an array read eg. Do this instead

        #!/bin/bash
        printf "Howto crash bash\n"
        unset a b X
        declare -i a=-1 b=1
        declare -ia X=( {0..1000..100} )
        printf "But a 'b=b+1' after an array read crashes bash.\n"
        (( a=X[b] )); (( b=b+1 )); printf "This crashes: a=%d b=%d\n" $a $b

        More detailed script looking at what case crashes bash:
        It seems that b+=1 is ok, but b=b+1 is not.

        #!/bin/bash
        printf "Howto crash bash\n"
        unset a b X
        declare -i a=-1 b=1
        declare -ia X=( {0..1000..100} )
        (( b+=1 )); printf "This works: a=%d b=%d\n" $a $b
        (( b=b+1 )); printf "This works: a=%d b=%d\n" $a $b
        (( a=X[b] )); printf "This works: a=%d b=%d\n" $a $b
        (( a=X[b], b+=1 )); printf "This works: a=%d b=%d\n" $a $b
        (( a=X[b] )); (( b+=1 )); printf "This works: a=%d b=%d\n" $a $b
        (( a=X[b] )); (( b=b+1 )); printf "This works: a=%d b=%d\n" $a $b
        (( b+=1, b+=1 )); printf "This works: a=%d b=%d\n" $a $b
        (( b=b+1, b=b+1 )); printf "This works: a=%d b=%d\n" $a $b
        (( b+=1 )); (( a=X[b] )); printf "This works: a=%d b=%d\n" $a $b
        (( b=b+1 )); (( a=X[b] )); printf "This works: a=%d b=%d\n" $a $b
        (( b+=1, a=X[b] )); printf "This works: a=%d b=%d\n" $a $b
        (( b=b+1, a=X[b] )); printf "This works: a=%d b=%d\n" $a $b
        printf "But a 'b=b+1' after an array read crashes bash.\n"
        (( a=X[b], b=b+1 )); printf "This crashes: a=%d b=%d\n" $a $b

Phil
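
Added example, not part of the original report: a triage harness that evaluates each (( )) variant from the report in its own child bash, so a crash shows up as an exit status (139 = 128 + SIGSEGV on Linux) instead of stopping the script or the terminal. The function names run_case, classify_expr and report, and the optional second argument naming the bash binary to test, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the report): run each (( )) variant in its own
# child bash so a crash is recorded as an exit status, not a dead terminal.

# Variable setup copied from the report's script.
SETUP='unset a b X; declare -i a=-1 b=1; declare -ia X=( {0..1000..100} )'

# run_case SCRIPT [SHELL]: run SCRIPT in a fresh child shell and print
# "ok <stdout>", "segv" (killed by SIGSEGV, status 128+11) or "exit N".
# SHELL defaults to "bash"; pass a path to test another build (assumption).
run_case() {
    rc_status=0
    # Core dumps are disabled and stderr is discarded inside the subshell only.
    rc_out=$(exec 2>/dev/null; ulimit -c 0
             "${2:-bash}" -c "$1" </dev/null) || rc_status=$?
    case $rc_status in
        0)   printf 'ok %s\n' "$rc_out" ;;
        139) printf 'segv\n' ;;
        *)   printf 'exit %s\n' "$rc_status" ;;
    esac
}

# classify_expr EXPR [SHELL]: evaluate "(( EXPR ))" after the report's setup
# and show the resulting a and b if the child survived.
classify_expr() {
    run_case "$SETUP; (( $1 )); printf 'a=%d b=%d' \"\$a\" \"\$b\"" "${2:-bash}"
}

# report: one line per comma-expression variant taken from the report.
report() {
    while IFS= read -r expr; do
        printf '%-16s -> %s\n' "$expr" "$(classify_expr "$expr")"
    done <<'EOF'
b+=1, b+=1
b=b+1, b=b+1
b+=1, a=X[b]
b=b+1, a=X[b]
a=X[b], b+=1
a=X[b], b=b+1
EOF
}

report
```

On a bash build that has the bug described above, the last line of the report reads "segv"; on a build without it, every line reads "ok" followed by the values of a and b.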