Package: zsh
Version: 4.3.10-2
Severity: important

Recently (one or two weeks, probably when I upgraded to the current version of
zsh), I've been seeing intermittent segfaults - I'll run a command like less or
cd and my terminal will die on me.  I've never seen it happen in a long-running
shell; if it makes it through the first few commands, everything works.

I got the attached backtrace.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages zsh depends on:
ii  libc6                     2.9-12         GNU C Library: Shared libraries
ii  libcap2                   1:2.16-5       support for getting/setting POSIX.
ii  libncursesw5              5.7+20090523-1 shared libraries for terminal hand

Versions of packages zsh recommends:
ii  libc6                         2.9-12     GNU C Library: Shared libraries
ii  libpcre3                      7.8-2      Perl 5 Compatible Regular Expressi

Versions of packages zsh suggests:
pn  zsh-doc                       <none>     (no description available)

-- no debconf information
(run as 'MALLOC_CHECK_=2 gdb /bin/zsh4' with zsh 4.3.10-2)


Script started on Tue 30 Jun 2009 05:41:18 PM EDT
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) run
Starting program: /bin/zsh4 
/home/aberryman/dotfiles/bash/interactive-shell:bindkey:281: warning: `bindkey -m' disables multibyte support
]2;deng-aberr:  /home/aberryman]1;deng-aberr/etc/zsh/zshrc:unalias:42: no such hash table element: run-help
]2;deng-aberr:  /home/aberryman]1;deng-aberr%

[~] deng-aberr| qqpx gt0
[... some stuff censored, command just sets up some environment variables ...]
/home/aberryman/dotfiles/bash/interactive-shell:bindkey:281: warning: `bindkey -m' disables multibyte support
]2;[QPX:gt0]  deng-aberr:  /home/aberryman]1;deng-aberr%

[~] deng-aberr| ccd $Q

Program received signal SIGABRT, Aborted.
0x00002ad0ef999065 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) backtrace full
#0  0x00002ad0ef999065 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00002ad0ef99c153 in *__GI_abort () at abort.c:88
        act = {__sigaction_handler = {sa_handler = 0x48f682, sa_sigaction = 0x48f682}, sa_mask = {__val = {7022288,
      140736343534660, 4781697, 140736343534576, 4732811, 0, 4594111, 4971973988617027653, 4781697, 76, 1, 128, 4585798,
      140736343534660, 4736491, 4781791}}, sa_flags = 4415891, sa_restorer = 0x7fffbbc36ce0}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00002ad0ef9d9140 in malloc_printerr (action=2, str=0x2ad0efa814cd "free(): invalid pointer", ptr=0x806) at malloc.c:5999
No locals.
#3  0x000000000043b90c in hend (prog=0x0) at ../../Src/hist.c:1271
        hookargs = <value optimized out>
        flag = 8
        save = 0
        hookret = 0
        stack_pos = 0
        hf = 0xd17440 "/home/aberryman/.history"
#4  0x0000000000440e8e in loop (toplevel=1, justonce=0) at ../../Src/init.c:150
        prog = (Eprog) 0x2ad0eefdb700
#5  0x0000000000441d56 in zsh_main (argc=<value optimized out>, argv=<value optimized out>) at ../../Src/init.c:1409
        t = <value optimized out>
#6  0x00002ad0ef9855a6 in __libc_start_main (main=0x40fbc0 <main>, argc=1, ubp_av=0x7fffbbc37028, init=0x48d250 <__libc_csu_init>,
    fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fffbbc37018) at libc-start.c:222
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {4772432, -8474123038685510702, 4258512, 140736343535648, 0, 0,
        8474273082816742354, -2322728423309425710}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x1, 0x40fbc0}, data = {
      prev = 0x0, cleanup = 0x0, canceltype = 1}}}
        not_first_call = <value optimized out>
#7  0x000000000040faf9 in _start () at ../sysdeps/x86_64/elf/start.S:113
No locals.
(gdb) frame 3
#3  0x000000000043b90c in hend (prog=0x0) at ../../Src/hist.c:1271
1271    ../../Src/hist.c: No such file or directory.
        in ../../Src/hist.c
(gdb) info locals
hookargs = <value optimized out>
flag = 8
save = 0
hookret = 0
stack_pos = 0
hf = 0xd17440 "/home/aberryman/.history"
(gdb) print chwords
$1 = (short int *) 0xd20b50
(gdb) print chwords
$2 = 0
(gdb) print chline
$3 = 0xd49c50 ""
(gdb) print chwordlen
$4 = 64
(gdb) print chwords[64]
$5 = 144
(gdb) print *chwords[65]
$6 = 0
(gdb) print chline
$7 = 0xd49c50 ""
(gdb) print hlinesz
$8 = 64
(gdb) print chline[hlinesz]
$9 = 10 '\n'
(gdb) print chline[hlinesz+1]
$10 = 0 '\0'
(gdb) quit
The program is running.  Exit anyway? (y or n) y


hist.c:1271 is a zfree on chwords, but that array still exists, as does the one
freed in the previous line, chline.
