Starting program: /home/dualbus/src/gnu/bash/bash bash-4.4$ PS1='$[U[0S]+=]' bash: 0S: value too great for base (error token is "0S") bash: : syntax error in expression (error token is "U") $[U[0S]+=] bash: 0S: value too great for base (error token is "0S")
Program received signal SIGSEGV, Segmentation fault. strlen () at ../sysdeps/x86_64/strlen.S:106 106 ../sysdeps/x86_64/strlen.S: No such file or directory. (gdb) bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x00005555555b1ff7 in expassign () at expr.c:505 #2 0x00005555555b1f4b in expcomma () at expr.c:467 #3 0x00005555555b1ec2 in subexpr (expr=0x55555596a148 "U[0S]+=") at expr.c:449 #4 0x00005555555b1d51 in evalexp (expr=0x55555596a148 "U[0S]+=", flags=1, validp=0x7fffffffbff0) at expr.c:414 #5 0x00005555555d0a73 in param_expand (string=0x55555596a0a8 "$[U[0S]+=]", sindex=0x7fffffffc0e8, quoted=1, expanded_something=0x0, contains_dollar_at=0x7fffffffc0dc, quoted_dollar_at_p=0x7fffffffc0e4, had_quoted_null_p=0x7fffffffc0e0, pflags=0) at subst.c:9159 #6 0x00005555555d1c27 in expand_word_internal (word=0x7fffffffc1f0, quoted=1, isexp=0, contains_dollar_at=0x0, expanded_something=0x0) at subst.c:9655 #7 0x00005555555c4c79 in expand_prompt_string (string=0x55555596a188 "$[U[0S]+=]", quoted=1, wflags=0) at subst.c:3785 #8 0x00005555555934b7 in decode_prompt_string (string=0x55555596a393 "\v") at ./parse.y:5961 #9 0x0000555555592479 in prompt_again () at ./parse.y:5472 #10 0x000055555558ab70 in yylex () at ./parse.y:2677 #11 0x0000555555585e34 in yyparse () at y.tab.c:1821 #12 0x0000555555585772 in parse_command () at eval.c:294 #13 0x0000555555585858 in read_command () at eval.c:338 #14 0x00005555555853b1 in reader_loop () at eval.c:140 #15 0x0000555555582f71 in main (argc=1, argv=0x7fffffffe478, env=0x7fffffffe488) at shell.c:794 (gdb) frame 1 #1 0x00005555555b1ff7 in expassign () at expr.c:505 505 lhs = savestring (tokstr); (gdb) p tokstr $5 = 0x0 I still don't understand why this isn't triggered by: bash-4.4$ "$[U[0S]+=]" bash: 0S: value too great for base (error token is "0S") It seems like the array index expression causes a longjmp in the second case, so it stops evaluating. Found by fuzzing. I think this might be similar to https://lists.gnu.org/archive/html/bug-bash/2017-05/msg00046.html (i.e. ``Segmentation fault in evalerror when xtrace and PS4='$[T[$]]'``) I think the fix *may* be something like: dualbus@debian:~/src/gnu/bash$ git diff -- expr.c diff --git a/expr.c b/expr.c index 1770cc00..d6c50571 100644 --- a/expr.c +++ b/expr.c @@ -494,6 +494,8 @@ expassign () if (lasttok != STR) evalerror (_("attempted assignment to non-variable")); + if (!tokstr) + evalerror (_("XXX")); if (special) { But I don't know.