crash when completing a single-quoted word which ends with a backslash

Bug #476736 reported by CarloBaldassi
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Gnu Bash | Fix Released | Undecided | Unassigned | |
| bash (Ubuntu) | Fix Released | Undecided | Unassigned | |
Nominated for Karmic by Danilo Piazzalunga

Bug Description

Binary package hint: bash

0) My system:

I'm using Ubuntu Karmic, this is some output from uname:
Linux 2.6.31-14-generic #48-Ubuntu SMP i686 GNU/Linux

I'm using bash package version 4.0-5ubuntu2 [ bash --version gives: 4.0.33(1)-release (i486-pc-linux-gnu) ]

1) Steps to reproduce the bug:

type in a terminal:

ls 'test\<tab>

where <tab> means pressing the tab key

2) Expected result:

filename completion

3) Actual result:

Bash prints out this message:

malloc: unknown:0: assertion botched
free: start and end chunk sizes differ
Aborting...
malloc: unknown:0: assertion botched
free: start and end chunk sizes differ
Aborting...

Sometimes a bash crash occurs.

4) More details:

This seems like a bash_completion problem, but the function actually crashing is the compgen builtin function.
However, I haven't been able to reproduce the bug without passing through the bash_completion itself, i.e. if I create a file called "alt_filedir" with this content:

_filedir()
{
 local A='test\'
 compgen -d -- "$A"
}

and then I source it in bash typing:

. alt_filedir

in the command line, and I subsequently try to give a completion command starting with a quote, I obtain the crash.
If the completion doesn't start with a quote the crash doesn't occur.
If I give those same commands from the command line directly, everything works fine and it even finds the appropriate completions.

Alexandre Isoard (surfmaths) wrote :

This bug occurs with double-quoted words ending with a backslash too.

tonfa (bboissin) wrote :

full backtrace:

tonfa@pirzuine:/tmp$ "\
malloc: unknown:0: assertion botched
free: start and end chunk sizes differ
last command: gdb bash
Aborting...
Program received signal SIGABRT, Aborted.
0x00daa422 in __kernel_vsyscall ()
(gdb) bt
#0 0x00daa422 in __kernel_vsyscall ()
#1 0x00c234d1 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0x00c26932 in *__GI_abort () at abort.c:92
#3 0x080810ec in programming_error (format=0x8106de0 "free: start and end chunk sizes differ") at ../bash/error.c:175
#4 0x080ebe8b in xbotch (mem=<value optimized out>, e=<value optimized out>, s=0x7909 <Address 0x7909 out of bounds>, file=0x81026f9 "unknown", line=0)
    at ../../../bash/lib/malloc/malloc.c:319
#5 0x080ebfe9 in internal_free (mem=0x8402788, file=<value optimized out>, line=<value optimized out>, flags=0) at ../../../bash/lib/malloc/malloc.c:902
#6 0x080d1208 in rl_filename_completion_function (text=0x8432848 "/home/tonfa/local/bin/\\", state=0) at ../../../bash/lib/readline/complete.c:2137
#7 0x080a59bb in command_word_completion_function (hint_text=0x8123248 "\\", state=0) at ../bash/bashline.c:1765
#8 0x080d23a5 in rl_completion_matches (text=0x8123248 "\\", entry_function=0x80a5400 <command_word_completion_function>)
    at ../../../bash/lib/readline/complete.c:1887
#9 0x080a6168 in bash_default_completion (text=0x8123248 "\\", start=0, end=2, qc=34, compflags=<value optimized out>) at ../bash/bashline.c:1414
#10 0x080a759e in attempt_shell_completion (text=0x8123248 "\\", start=1, end=2) at ../bash/bashline.c:1363
#11 0x080d244a in gen_completion_matches (text=0x8123248 "\\", start=6, end=30985, our_func=0x80d10b0 <rl_filename_completion_function>, found_quote=6,
    quote_char=34) at ../../../bash/lib/readline/complete.c:1023
#12 0x080d37c3 in rl_complete_internal (what_to_do=9) at ../../../bash/lib/readline/complete.c:1746
#13 0x080cbd21 in _rl_dispatch_subseq (key=9, map=0x810a760, got_subseq=0) at ../../../bash/lib/readline/readline.c:769
#14 0x080cc0a5 in _rl_dispatch (key=9, map=0x810a760) at ../../../bash/lib/readline/readline.c:719
#15 0x080cc43c in readline_internal_char () at ../../../bash/lib/readline/readline.c:548
#16 0x080cc845 in readline_internal_charloop (prompt=0x8432408 "tonfa@pirzuine:/tmp$ ") at ../../../bash/lib/readline/readline.c:575
#17 readline_internal (prompt=0x8432408 "tonfa@pirzuine:/tmp$ ") at ../../../bash/lib/readline/readline.c:589
#18 readline (prompt=0x8432408 "tonfa@pirzuine:/tmp$ ") at ../../../bash/lib/readline/readline.c:338
#19 0x08065e17 in yy_readline_get () at ../bash/parse.y:1314
#20 0x08067216 in yy_getc (remove_quoted_newline=<value optimized out>) at ../bash/parse.y:1247
#21 shell_getc (remove_quoted_newline=<value optimized out>) at ../bash/parse.y:2096
#22 0x08069cd2 in read_token (command=<value optimized out>) at ../bash/parse.y:2730
#23 0x0806c97b in yylex () at ../bash/parse.y:2362
#24 yyparse () at y.tab.c:2010
#25 0x08064820 in parse_command () at ../bash/eval.c:228
#26 0x080648ef in read_command () at ../bash/eval.c:272
#27 0x08064b35 in reader_loop () at ../bash/eval.c:137
#28 0x080640c9 in main (argc=1, argv=0xbffff4d4, env=0xbffff4dc) at ../bash/shell.c...


tonfa (bboissin) wrote :

If the string was ending with '\', there was a write after the allocated area, which would overwrite some malloc information, hence the error.

The following fixes it for me:

--- bash/bashline.c 2009-12-17 02:13:36.000000000 +0100
+++ /tmp/bashline.c 2009-12-17 02:12:10.000000000 +0100
@@ -3223,9 +3223,10 @@
    else if (quoted == '"' && ((sh_syntaxtab[p[1]] & CBSDQUOTE) == 0))
      *r++ = *p;

- *r++ = *++p;
- if (*p == '\0')
+ if (*++p == '\0')
      break;
+
+ *r++ = *p;
    continue;
  }
       /* Close quote. */
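
Review bot: on the early-exit path added here (`if (*++p == '\0') break;`) nothing writes a terminator into `r` any more, so the result is only NUL-terminated if the code after the loop does it, and that code is outside this hunk. Please confirm the post-loop write exists and that the destination is sized for the preserved backslash plus that single terminator, and add a short comment above the check saying the copy was moved after the test so a trailing backslash cannot push `r` past the end of the buffer. Separately, the context line indexes `sh_syntaxtab[p[1]]` with whatever type `p` points to; if that is plain `char`, a cast to `unsigned char` is worth adding.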

Cheers,

Benoit
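
The off-by-one described in the comment above, as an added example that is not part of the original report and not bash's source: a simplified model of the dequoting loop in both statement orders, counting bytes written against an assumed `strlen(text) + 1` allocation. The function names, the rule that a backslash is kept inside quotes, the special-character set and the terminator write after the loop are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the (sh_syntaxtab[c] & CBSDQUOTE) test in the patch. */
static int dq_special(char c)
{
    return c != '\0' && strchr("$`\"\\\n", c) != NULL;
}

/* Simplified model of the loop (close-quote handling omitted).
   Returns the number of bytes written to out, terminator included. */
static size_t dequote_model(const char *text, int quoted, int patched, char *out)
{
    const char *p;
    char *r = out;
    for (p = text; *p; p++) {
        if (*p == '\\') {
            if (quoted == '\'' || (quoted == '"' && !dq_special(p[1])))
                *r++ = *p;          /* assumption: backslash kept inside quotes */
            if (patched) {
                if (*++p == '\0')   /* patched order: test first, then copy */
                    break;
                *r++ = *p;
            } else {
                *r++ = *++p;        /* original order: the NUL is copied too */
                if (*p == '\0')
                    break;
            }
            continue;
        }
        *r++ = *p;
    }
    *r++ = '\0';                    /* assumed terminator write after the loop */
    return (size_t)(r - out);
}
/* Bytes written past an assumed strlen(text) + 1 allocation.
   text must be at most 62 bytes; scratch absorbs the extra byte safely. */
static size_t overrun(const char *text, int quoted, int patched)
{
    char scratch[64];
    size_t need = strlen(text) + 1;
    size_t wrote = dequote_model(text, quoted, patched, scratch);
    return wrote > need ? wrote - need : 0;
}

int main(void)
{
    printf("'test\\ overrun: original=%zu patched=%zu\n",
           overrun("test\\", '\'', 0), overrun("test\\", '\'', 1));
    return 0;
}
```

In this model the unquoted case does not overrun because the backslash is dropped, which leaves room for the extra NUL; that is consistent with the reporter's observation that the crash needs a leading quote.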

Matthias Klose (doko) wrote :

fixed in 4.1

Changed in gnubash:
status: New → Fix Released
Matthias Klose (doko) wrote :

fixed in 4.1-1ubuntu1 (lucid)

Changed in bash (Ubuntu):
status: New → Fix Released