Bash `devel' crashes under the following circumstances:

dualbus@system76-pc:/tmp/build-bash-devel$ CFLAGS='-O0 -ggdb' ~/src/gnu/bash/configure --with-bash-malloc
(...)
dualbus@system76-pc:/tmp/build-bash-devel$ make -j$(nproc)
(...)
dualbus@system76-pc:/tmp/build-bash-devel$ ./bash -c $'x=0; : ${x/#[0\xef\xbf\xbd\\Z[:]]}'
Segmentation fault (core dumped)

Here's the stack trace:

dualbus@system76-pc:/tmp/build-bash-devel$ gdb ./bash --args ./bash -c $'x=0; : ${x/#[0\xef\xbf\xbd\\Z[:]]}'
GNU gdb (Debian 8.2.1-2+b1) 8.2.1
(...)
Reading symbols from ./bash...done.
(gdb) r
Starting program: /tmp/build-bash-devel/bash -c x=0\;\ :\ \$\{x/\#\[0�\\Z\[:\]\]\}

Program received signal SIGSEGV, Segmentation fault.
0x00005555555d1fae in pat_subst (string=0x55555575f298 "0", pat=0x555555764509 "[0�\\Z[:]]", rep=0x0, mflags=1) at /home/dualbus/src/gnu/bash/subst.c:8136
8136      if (str && *str)
(gdb) bt
#0  0x00005555555d1fae in pat_subst (string=0x55555575f298 "0", pat=0x555555764509 "[0�\\Z[:]]", rep=0x0, mflags=1) at /home/dualbus/src/gnu/bash/subst.c:8136
#1  0x00005555555d250b in parameter_brace_patsub (varname=0x55555575f248 "x", value=0x55555575f288 "0", ind=0, patsub=0x555555763f48 "#[0�\\Z[:]]", quoted=0, pflags=0, flags=0)
    at /home/dualbus/src/gnu/bash/subst.c:8306
#2  0x00005555555d47e2 in parameter_brace_expand (string=0x555555763f28 "${x/#[0�\\Z[:]]}", indexp=0x7fffffffe0d8, quoted=0, pflags=0, quoted_dollar_atp=0x7fffffffe1d4,
    contains_dollar_at=0x7fffffffe1cc) at /home/dualbus/src/gnu/bash/subst.c:9028
#3  0x00005555555d5ae8 in param_expand (string=0x555555763f28 "${x/#[0�\\Z[:]]}", sindex=0x7fffffffe1d8, quoted=0, expanded_something=0x7fffffffe374, contains_dollar_at=0x7fffffffe1cc,
    quoted_dollar_at_p=0x7fffffffe1d4, had_quoted_null_p=0x7fffffffe1d0, pflags=0) at /home/dualbus/src/gnu/bash/subst.c:9557
#4  0x00005555555d6ed8 in expand_word_internal (word=0x555555763f68, quoted=0, isexp=0, contains_dollar_at=0x7fffffffe370, expanded_something=0x7fffffffe374)
    at /home/dualbus/src/gnu/bash/subst.c:10125
#5  0x00005555555da0b6 in shell_expand_word_list (tlist=0x555555763f88, eflags=31) at /home/dualbus/src/gnu/bash/subst.c:11504
#6  0x00005555555da3bb in expand_word_list_internal (list=0x555555763948, eflags=31) at /home/dualbus/src/gnu/bash/subst.c:11628
#7  0x00005555555d95b9 in expand_words (list=0x555555763948) at /home/dualbus/src/gnu/bash/subst.c:11148
#8  0x00005555555a51d9 in execute_simple_command (simple_command=0x5555557639c8, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x555555763a88)
    at /home/dualbus/src/gnu/bash/execute_cmd.c:4334
#9  0x000055555559ed6b in execute_command_internal (command=0x555555763988, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555763a88)
    at /home/dualbus/src/gnu/bash/execute_cmd.c:823
#10 0x00005555555a2116 in execute_connection (command=0x555555763a48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555763a88) at /home/dualbus/src/gnu/bash/execute_cmd.c:2707
#11 0x000055555559f134 in execute_command_internal (command=0x555555763a48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555763a88)
    at /home/dualbus/src/gnu/bash/execute_cmd.c:996
#12 0x0000555555609e4d in parse_and_execute (string=0x5555557632c8 "x=0; : ${x/#[0�\\Z[:]]}", from_file=0x55555566b0f0 "-c", flags=4)
    at /home/dualbus/src/gnu/bash/builtins/evalstring.c:458
#13 0x0000555555585632 in run_one_command (command=0x7fffffffebdc "x=0; : ${x/#[0�\\Z[:]]}") at /home/dualbus/src/gnu/bash/shell.c:1424
#14 0x000055555558477d in main (argc=3, argv=0x7fffffffe8f8, env=0x7fffffffe918) at /home/dualbus/src/gnu/bash/shell.c:735

(gdb) p str
$1 = 0xdfdfdfdfdfdfdfdf <error: Cannot access memory at address 0xdfdfdfdfdfdfdfdf>

I have been looking around but I don't understand what's going on. I can see that the value of `str' comes from `e', which in turn comes from `match_pattern', but it's not clear to me why this is happening.