foo=bar baz=${|...;} cmd segfauls after running ...

[Emanuele Torre]

If you run a simple command that runs something (not just assignments)
and contains an assignment word with ${|;} that is preceeded by at least
one other assignment word, bash segfaults.

Reproducible with   a= b=${|:;} :

$ gdb --args ./bash -c 'a= b=${|:;} :'
Reading symbols from ./bash...
(gdb) r
Starting program: /home/emanuele6/git/bash/bash -c a=\ b=\$\{\|:\;\}\ :
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x555e2c8d in hash_search (string=string@entry=0x55769e50 "b", 
table=table@entry=0x5577a0d0, flags=flags@entry=0) at hashlib.c:249
249   for (list = table->bucket_array ? table->bucket_array[bucket] : 0; 
list; list = list->next)
(gdb) bt
#0  0x555e2c8d in hash_search (string=string@entry=0x55769e50 "b", 
table=table@entry=0x5577a0d0, flags=flags@entry=0) at hashlib.c:249
#1  0x555b5673 in hash_lookup (name=0x55769e50 "b", 
hashed_vars=) at variables.c:1933
#2  assign_in_env (word=, flags=1) at variables.c:3616
#3  0x555c895b in do_assignment_statements (varlist=, 
command=, is_nullcmd=is_nullcmd@entry=0) at subst.c:13136
#4  0x555e21b7 in expand_word_list_internal (list=, 
eflags=31) at subst.c:13240
#5  expand_words (list=) at subst.c:12552
#6  0x555a976a in execute_simple_command 
(simple_command=0x55776490, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x55776650) at execute_cmd.c:4617
#7  execute_command_internal (command=, 
asynchronous=asynchronous@entry=0, pipe_in=pipe_in@entry=-1, 
pipe_out=pipe_out@entry=-1, fds_to_close=fds_to_close@entry=0x55776650) at 
execute_cmd.c:938
#8  0x556108f9 in parse_and_execute (string=, 
from_file=from_file@entry=0x5566e080 "-c", flags=flags@entry=20) at 
evalstring.c:567
#9  0x5558ad9a in run_one_command (command=0x7fffde61 "a= b=${|:;} 
:") at shell.c:1483
#10 0x55589b26 in main (argc=3, argv=0x7fffda98, 
env=0x7fffdab8) at shell.c:768

o/
 emanuele6

Re: Is this a bug?

[Collin Funk]

Hi,

George R Goffe  writes:

> I've been trying to build bash from a repository 
> "https://git.savannah.gnu.org/git/bash.git"; and a having the devil's own time 
> in the process.
>
> Did I just catch the repository in the middle of a rework? I have a
> full log of the build process if it's needed. The failure appears with
> the nonexperimental GCC as well as a version I built a few days ago
> from their repository. gcc-15.0.1-0.9.fc42.x86_64 or gcc (GCC) 15.0.1
> 20250320 (experimental).
>
> I'm seeing a TON of messages like these, am I doing something wrong?

Recent versions of GCC and Clang have gotten strict about function
prototypes since C23 made the following:

int foo ();

equal to:

int foo (void);

In previous versions of C this was not true, 'foo' was just declared as
a function without any information about number of arguments or their
type.

C23 also got rid of K&R declarations like:

int
main (argc, argv)
  int argc;
  char *argv;
{
  ...
}

This is why you now see the warnings after upgrading to Fedora 42 with a
new C compiler.

Try building from the 'devel' branch where prototypes have been fixed.

Collin