zsh5 crashed with SIGSEGV in hrealloc()

Bug #1098750 reported by nyuszika7h
This bug affects 2 people
Affects: zsh (Ubuntu). Status: Confirmed. Importance: Medium. Assigned to: Unassigned. Milestone: none.

Bug Description

I can't seem to reproduce this, but here's roughly what I did (yes, I realized what I'm doing is stupid and doesn't work):

nyuszika7h@ymlyna ~ % validate_passwd() {
> local username
> local password
>
> read -r '?username: ' username
> read -rs '?password: ' password
>
> su "$username" -c /bin/true &
> print "$password" > "/proc/$!/fd/0"
> }
zsh: event not found: /fd/0
127 nyuszika7h@ymlyna ~ % validate_passwd() {
> local username
> local password
>
> read -r '?username: ' username
> read -rs '?password: ' password
>
> su "$username" -c /bin/true &
> print "$password" > "/proc/$\!/fd/0"
> }

A few moments later, zsh crashed.

ProblemType: Crash
DistroRelease: Ubuntu 13.04
Package: zsh 5.0.0-2ubuntu3
ProcVersionSignature: Ubuntu 3.5.0-21.32-generic 3.5.7.1
Uname: Linux 3.5.0-21-generic x86_64
ApportVersion: 2.8-0ubuntu1
Architecture: amd64
Date: Fri Jan 11 23:26:50 2013
ExecutablePath: /bin/zsh5
InstallationDate: Installed on 2013-01-10 (1 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
MarkForUpload: True
ProcCmdline: -zsh
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/zsh
 PATH=(custom, no user)
 TERM=xterm
 XDG_RUNTIME_DIR=<set>
SegvAnalysis:
 Segfault happened at: 0x450877 <hrealloc+135>: mov 0x10(%rbx),%rax
 PC (0x00450877) ok
 source "0x10(%rbx)" (0x00000010) not located in a known VMA region (needed readable region)!
 destination "%rax" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: zsh
StacktraceTop:
 hrealloc ()
 add ()
 ?? ()
 ?? ()
 zshlex ()
Title: zsh5 crashed with SIGSEGV in hrealloc()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

nyuszika7h (lyokon42) wrote :
information type: Private → Public
Apport retracing service (apport) wrote :

StacktraceTop:
 hrealloc (p=0x7ff9d4f0a940 "\232/proc/\212!/fd/0\n}\nvalidate_passwd> ", old=32, new=64) at ../../Src/mem.c:616
 add (c=-722425536, c@entry=100) at ../../Src/lex.c:575
 dquote_parse (endchar=endchar@entry=34 '"', sub=sub@entry=0) at ../../Src/lex.c:1576
 gettokstr (c=c@entry=34, sub=sub@entry=0) at ../../Src/lex.c:1371
 gettok () at ../../Src/lex.c:993

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : StacktraceSource.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in zsh (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
nyuszika7h (lyokon42) wrote :

Updated stack trace with debugging symbols. I have no idea where to get them for _start; if that's needed, any help is appreciated.

Erkki Seppälä (flux-inside) wrote :

I've been able to crash hrealloc with ease and sadly too often when writing multi-line git commit messages. But if I do it as root (as it doesn't have custom configs for zsh), I am not able to. It probably relates to my zsh configuration, as I was able to reproduce the problem with only this loaded: http://github.com/zsh-users/zsh-syntax-highlighting (version 4519467). The following backtraces are done with optimization level -O0. Obviously h ending up being 0 is a problem.

% gdb zsh
GNU gdb (GDB) 7.6.1 (Debian 7.6.1-1)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /bin/zsh5...Reading symbols from /usr/lib/debug/.build-id/25/1d29f03c12f43b25ac96d3429c2e9fa6e6633b.debug...done.
done.
(gdb) directory /tmp/zsh-5.0.5/debian/examples/
Source directories searched: /tmp/zsh-5.0.5/debian/examples:$cdir:$cwd
(gdb) run
Starting program: /usr/bin/zsh
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[gdb] [19:47] aiee(pts/18):/tmp% echo 'asdfjioasdf jaiosdfj ioasdf ji
quote> asdjfioajsdf ioasdjfio ajsdio jsdifjaiosdf
quote> asdjfio asdjfioasdjfioasd fjaiosdf
quote> asdjfioasd fjioasdfjioasdfjio asdfjio
quote> ajsdfiojsiodfjiofjsdioajio sdfj ioasdfj ioasjdfioa
quote> djasdiofjioa sdf a sdjfiojasdfjioa sdfj ioasdfj ioasdf
quote> jafiojiosdfj ioasdfj ioasdfj iojaiosdjf ioadsf
quote> ajsdfiojaiosdf jaiosdfj aiosdfj ajfiojfaiosdfj asd fjioasdj fio
quote> asdjfioajsdiof asd fjioadfj ioadjf ioasdjfioa sdjiofjaiosdfj oasdj fio
quote> ajdiofjaio sdfjioasdf jaiosdf jaiosdfjioasdf jaiosdjfio jioasdfjioasdfj

Program received signal SIGSEGV, Segmentation fault.
0x0000000000461a41 in hrealloc (
    p=0x7ffff7fe65b0 "\231asdfjioasdf jaiosdfj ioasdf ji\nasdjfioajsdf ioasdjfio ajsdio jsdifjaiosdf\nasdjfio asdjfioasdjfioasd fjaiosdf \nasdjfioasd fjioasdfjioasdfjio asdfjio \najsdfiojsiodfjiofjsdioajio sdfj ioasdfj ioasjdfioa"...,
    old=512, new=1024) at ../../Src/mem.c:616
616 if (p + old < arena(h) + h->used) {
(gdb) bt full
#0 0x0000000000461a41 in hrealloc (
    p=0x7ffff7fe65b0 "\231asdfjioasdf jaiosdfj ioasdf ji\nasdjfioajsdf ioasdjfio ajsdio jsdifjaiosdf\nasdjfio asdjfioasdjfioasd fjaiosdf \nasdjfioasd fjioasdfjioasdfjio asdfjio \najsdfiojsiodfjiofjsdioajio sdfj ioasdfj ioasjdfioa"...,
    old=512, new=1024) at ../../Src/mem.c:616
        h = 0x0
        ph = 0x7ffff7f6a000
#1 0x0000000000457b23 in add (c=10) at ../../Src/lex.c:579
        newbsiz = 1024
#2 0x000000000045929b in gettokstr (c=10, sub=0) at ../../Src/lex.c:1357
        strquote = 0
        act = 14
        e = 0
        inbl = 0
        bct = 0
        pct = 0
        brct = 0
        fdpar = 0
        intpos = 1
        in_...

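The crash site in the backtrace above is the test at mem.c:616, `if (p + old < arena(h) + h->used)`, reached with h = 0x0, which is why the SegvAnalysis in the report shows a read of 0x10(%rbx) from a NULL base. The following is an added illustration, not zsh's own code: a small modelled arena (the struct layout, ARENA macro, find_heap, halloc and safe_hrealloc are all assumptions made for this example) that shows the unchecked shape of that test next to a form that refuses to dereference a missing arena and copies the data out instead.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Modelled arena header, not zsh's real struct: `used` sits at offset 0x10,
 * the offset of the faulting read 0x10(%rbx) in the SegvAnalysis above. */
struct heap {
    struct heap *next;
    size_t size;  /* arena bytes */
    size_t used;  /* arena bytes handed out so far */
};
static struct heap *heaps;  /* list of live arenas (modelled) */
#define ARENA(h) ((char *)(h) + sizeof(struct heap))
struct heap *new_heap(size_t size) {
    struct heap *h = malloc(sizeof *h + size);
    h->next = heaps; h->size = size; h->used = 0;
    return heaps = h;
}
void *halloc(struct heap *h, size_t n) {  /* bump allocation inside arena h */
    if (h->used + n > h->size) return NULL;
    h->used += n;
    return ARENA(h) + h->used - n;
}
/* Locate the arena containing p; NULL when p lies in no arena. */
struct heap *find_heap(const void *p) {
    for (struct heap *h = heaps; h; h = h->next)
        if ((const char *)p >= ARENA(h) && (const char *)p < ARENA(h) + h->size)
            return h;
    return NULL;
}
/* The unchecked shape of the mem.c:616 test: when find_heap fails this is the
 * NULL + 0x10 read from the report, so it is only safe for in-arena pointers. */
int unchecked_can_grow(const char *p, size_t old) {
    struct heap *h = find_heap(p);
    return p + old < ARENA(h) + h->used;
}
/* Hardened form: a missing arena is treated like a foreign pointer and the
 * data is copied to a fresh malloc block instead of dereferencing NULL.
 * *fell_back reports whether that fallback ran. */
void *safe_hrealloc(void *p, size_t old, size_t new, int *fell_back) {
    struct heap *h = find_heap(p);
    *fell_back = (h == NULL);
    if (h == NULL || (char *)p + old != ARENA(h) + h->used
                  || h->used - old + new > h->size) {
        void *q = malloc(new);  /* not the arena tail or no room: copy out */
        if (q && p) memcpy(q, p, old < new ? old : new);
        return q;
    }
    h->used += new - old;  /* tail block with room: grow in place */
    return p;
}
```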

Axel Beckert (xtaran) wrote :

Hi flux,

so you were able to reproduce this with zsh 5.0.5-1 from Debian Unstable/Testing?

Erkki Seppälä (flux-inside) wrote :

Yes, sorry, 5.0.5-1 from Debian Unstable on AMD64. I was able to reproduce it with both the system zsh and a self-compiled Debian package (but compiled with -O0 to ease debugging). I've seen this happen with the zsh of Ubuntu 12.10 as well.

Personally I'm considering just replacing hrealloc with realloc and paying the small (?) performance penalty (I didn't look at what other changes that would require). Of course, the bug might not be inside hrealloc per se, even if the crash happens there.

Axel Beckert (xtaran) wrote :

No need to be sorry. I'm glad about it. :-)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in zsh (Ubuntu):
status: New → Confirmed