Bug#535232: zsh: segfaults while trying to free in hend

Sun, 09 Aug 2009 11:49:14 -0700 

On Tue, Jun 30, 2009 at 06:21:33PM -0400, Alec Berryman wrote:
> Recently (one or two weeks, probably when I upgraded to the current version of
> zsh), I've been seeing intermittent segfaults - I'll run a command like less 
> or
> cd and my terminal will die on me.  I've never seen it happen in a 
> long-running
> shell; if it makes it through the first few commands, everything works.
> 
> I got the attached backtrace.

Thanks.

> (run as 'MALLOC_CHECK_=2 gdb /bin/zsh4' with zsh 4.3.10-2)
> 
> 
> Script started on Tue 30 Jun 2009 05:41:18 PM EDT
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu"...
> (gdb) run
> Starting program: /bin/zsh4 
> /home/aberryman/dotfiles/bash/interactive-shell:bindkey:281: warning: 
> `bindkey -m' disables multibyte support
> ]2;deng-aberr:  /home/aberryman]1;deng-aberr/etc/zsh/zshrc:unalias:42: no 
> such hash table element: run-help
> ]2;deng-aberr:  /home/aberryman]1;deng-aberr%        
>                                                                               
>                                              
> 
> [~] deng-aberr| qqpx gt0
> [... some stuff censored, command just sets up some environment variables ...]
> /home/aberryman/dotfiles/bash/interactive-shell:bindkey:281: warning: 
> `bindkey -m' disables multibyte support
> ]2;[QPX:gt0]  deng-aberr:  
> /home/aberryman]1;deng-aberr%                         
>                                                                               
>                             
> 
> [~] deng-aberr| ccd $Q
> 
> Program received signal SIGABRT, Aborted.
> 0x00002ad0ef999065 in *__GI_raise (sig=<value optimized out>) at 
> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> 64    ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
>       in ../nptl/sysdeps/unix/sysv/linux/raise.c
> (gdb) backtrace full
> #0  0x00002ad0ef999065 in *__GI_raise (sig=<value optimized out>) at 
> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
>       pid = <value optimized out>
>       selftid = <value optimized out>
> #1  0x00002ad0ef99c153 in *__GI_abort () at abort.c:88
>       act = {__sigaction_handler = {sa_handler = 0x48f682, sa_sigaction = 
> 0x48f682}, sa_mask = {__val = {7022288, 
>       140736343534660, 4781697, 140736343534576, 4732811, 0, 4594111, 
> 4971973988617027653, 4781697, 76, 1, 128, 4585798, 
>       140736343534660, 4736491, 4781791}}, sa_flags = 4415891, sa_restorer = 
> 0x7fffbbc36ce0}
>       sigs = {__val = {32, 0 <repeats 15 times>}}
> #2  0x00002ad0ef9d9140 in malloc_printerr (action=2, str=0x2ad0efa814cd 
> "free(): invalid pointer", ptr=0x806) at malloc.c:5999
> No locals.
> #3  0x000000000043b90c in hend (prog=0x0) at ../../Src/hist.c:1271
>       hookargs = <value optimized out>
>       flag = 8
>       save = 0
>       hookret = 0
>       stack_pos = 0
>       hf = 0xd17440 "/home/aberryman/.history"
> #4  0x0000000000440e8e in loop (toplevel=1, justonce=0) at 
> ../../Src/init.c:150
>       prog = (Eprog) 0x2ad0eefdb700
> #5  0x0000000000441d56 in zsh_main (argc=<value optimized out>, argv=<value 
> optimized out>) at ../../Src/init.c:1409
>       t = <value optimized out>
> #6  0x00002ad0ef9855a6 in __libc_start_main (main=0x40fbc0 <main>, argc=1, 
> ubp_av=0x7fffbbc37028, init=0x48d250 <__libc_csu_init>, 
>     fini=<value optimized out>, rtld_fini=<value optimized out>, 
> stack_end=0x7fffbbc37018) at libc-start.c:222
>       result = <value optimized out>
>       unwind_buf = {cancel_jmp_buf = {{jmp_buf = {4772432, 
> -8474123038685510702, 4258512, 140736343535648, 0, 0, 
>         8474273082816742354, -2322728423309425710}, mask_was_saved = 0}}, 
> priv = {pad = {0x0, 0x0, 0x1, 0x40fbc0}, data = {
>       prev = 0x0, cleanup = 0x0, canceltype = 1}}}
>       not_first_call = <value optimized out>
> #7  0x000000000040faf9 in _start () at ../sysdeps/x86_64/elf/start.S:113
> No locals.
> (gdb) frame 3
> #3  0x000000000043b90c in hend (prog=0x0) at ../../Src/hist.c:1271
> 1271  ../../Src/hist.c: No such file or directory.
>       in ../../Src/hist.c
> (gdb) info locals
> hookargs = <value optimized out>
> flag = 8
> save = 0
> hookret = 0
> stack_pos = 0
> hf = 0xd17440 "/home/aberryman/.history"
> (gdb) print chwords
> $1 = (short int *) 0xd20b50
> (gdb) print chwords
> $2 = 0
> (gdb) print chline
> $3 = 0xd49c50 ""
> (gdb) print chwordlen
> $4 = 64
> (gdb) print chwords[64]
> $5 = 144
> (gdb) print *chwords[65]
> $6 = 0
> (gdb) print chline
> $7 = 0xd49c50 ""
> (gdb) print hlinesz
> $8 = 64
> (gdb) print chline[hlinesz]
> $9 = 10 '\n'
> (gdb) print chline[hlinesz+1]
> $10 = 0 '\0'
> (gdb) quit
> The program is running.  Exit anyway? (y or n) y
> 
> 
> hist.c:1271 is a zfree on chwords, but that array still exists, as does the 
> one freed in the previous line, chline




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to