Date: Fri, 09 Feb 2024 23:15:44 +0000 From: bugzilla-noreply@freebsd.org To: standards@FreeBSD.org Subject: [Bug 276935] tcsh crash in rehist() Message-ID: <bug-276935-99@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D276935 Bug ID: 276935 Summary: tcsh crash in rehist() Product: Base System Version: 15.0-CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: standards Assignee: standards@FreeBSD.org Reporter: joyul@juniper.net Hi teams, I encountered a crash in rehist() and below is its backtrace. In frame 3, cleanup_sp is 0, which means it's already at the bottom of the cleanup_stac= k, but last_var cannot be found. It seems like in rehist(), it invokes setexit() without updating cleanup_ma= rk. If the program goes to error handling to reset the clean_stack[], it will c= lean more than required, which should be handled by cleanup_until() when the pro= gram jumps back to rehist(). I'm providing a patch below that might fix it. Feel free to apply it to the tcsh git, FreeBSD baseline, or fix it using other solutions. We can downstr= eam it to our local and try it. Thank you. diff --git a/contrib/tcsh/sh.hist.c b/contrib/tcsh/sh.hist.c index 14d862a3e7b..09f4814dbe3 100644 --- a/contrib/tcsh/sh.hist.c +++ b/contrib/tcsh/sh.hist.c @@ -1235,6 +1235,7 @@ rechist(Char *xfname, int ref) struct stat st; static Char *fname; static Char *dumphist[] =3D {STRhistory, STRmhT, 0, 0}; + size_t omark; if (fname =3D=3D NULL && !ref) return; 
@@ -1308,8 +1309,10 @@ rechist(Char *xfname, int ref) #endif } getexit(osetexit); + omark =3D cleanup_push_mark(); if (setexit() =3D=3D 0) loadhist(fname, 1); + cleanup_pop_mark(omark); resexit(osetexit); } } (gdb) bt #0 thr_kill () at thr_kill.S:4 #1 0x0000000001b7ee61 in __raise (s=3Ds@entry=3D6) at /.amd/svl-engdata5vs2/occamdev/build/freebsd/main/sandbox-main-202401181141= /freebsd/main/20240118.171413__ci_fbsd_builder_main.c38f35a/src/lib/libc/ge= n/raise.c:50 #2 0x0000000001c1cca9 in abort () at /.amd/svl-engdata5vs2/occamdev/build/freebsd/main/sandbox-main-202401181141= /freebsd/main/20240118.171413__ci_fbsd_builder_main.c38f35a/src/lib/libc/st= dlib/abort.c:64 #3 0x000000000022148c in cleanup_until (last_var=3D0x1cc33c26ee80) at=20 /src/contrib/tcsh/sh.err.c:470 #4 0x000000000022e68f in rechist (xfname=3Dxfname@entry=3D0x0, ref=3D<opti= mized out>) at /src/contrib/tcsh/sh.hist.c:1327 #5 0x000000000021b2d0 in record () at /src/contrib/tcsh/sh.c:2539 #6 0x000000000021b3e1 in phup () at /src/contrib/tcsh/sh.c:1856 #7 0x0000000000261440 in handle_pending_signals () at=20 /src/contrib/tcsh/tc.sig.c:67 #8 0x0000000000233c55 in xwrite (fildes=3D18, buf=3D0x28d170 <linbuf>, nby= te=3D11) at /src/contrib/tcsh/sh.misc.c:719 #9 0x00000000002352ff in flush () at /src/contrib/tcsh/sh.print.c:256 #10 0x00000000002351d3 in xputchar (c=3D<optimized out>, c@entry=3D10) at=20 /src/contrib/tcsh/sh.print.c:183 #11 0x0000000000235dcf in pprint (pp=3D0x1cc33c210a00, flag=3D160) at=20 /src/contrib/tcsh/sh.proc.c:1178 #12 0x0000000000236385 in pjwait (pp=3D0x1cc33c210a00) at=20 /src/contrib/tcsh/sh.proc.c:543 #13 0x00000000002361ab in pwait () at /src/contrib/tcsh/sh.proc.c:473 #14 0x0000000000238c9d in execute (t=3D0x1cc33c25e090, wanttty=3D28987, pipein=3D<optimized out>, pipeout=3D0x0, do_glob=3Ddo_glob@entry=3D1) at /src/contrib/tcsh/sh.sem.c:623 #15 0x0000000000238983 in execute (t=3Dt@entry=3D0x1cc33c25e060, wanttty=3D= 28987, pipein=3D<optimized out>, pipein@entry=3D0x0, 
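Review bot: The new `cleanup_push_mark()` / `cleanup_pop_mark(omark)` pair around `setexit()` is the right shape, but the hunk leaves no comment saying why a mark is needed here, and the reason is not obvious from the surrounding lines. The backtrace on this page shows rechist() being entered from `handle_pending_signals()` via `phup()` while the interrupted code (xwrite/flush) still has live cleanup entries, so an error inside `loadhist()` that unwinds to the bottom of the stack is exactly what aborted in cleanup_until(). I would add, above the `omark =` line, `/* Mark the cleanup stack before setexit(): rechist() can run from a signal handler on top of a caller's live cleanup entries, and an error in loadhist() must not unwind past them. */`. The mark-around-setexit pairing appears to be the convention at other setexit()/resexit() sites in tcsh, so it would also be worth checking whether any remaining setexit() call lacks one; the enclosing rechist() body starts and ends outside this hunk.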
pipeout=3Dpipeout@entry=3D0x0= ,=20 do_glob=3Ddo_glob@entry=3D1) at /src/contrib/tcsh/sh.sem.c:724 #16 0x000000000021af01 in process (catch=3D<optimized out>) at=20 /src/contrib/tcsh/sh.c:2166 #17 0x0000000000219d1e in main (argc=3D<optimized out>, argv=3D0x820710290)= at=20 /src/contrib/tcsh/sh.c:1431 (gdb) f 4 #4 0x000000000022e68f in rechist (xfname=3Dxfname@entry=3D0x0, ref=3D<opti= mized out>) at /src/contrib/tcsh/sh.hist.c:1327 (gdb) f 3 #3 0x000000000022148c in cleanup_until (last_var=3D0x1cc33c26ee80) at /src/contrib/tcsh/sh.err.c:470 470 abort(); (gdb) list 456 while (cleanup_sp !=3D 0) { 457 struct cleanup_entry ce; 458=20=20=20=20=20 459 cleanup_sp--; 460=20=20=20=20=20 461 ce =3D cleanup_stack[cleanup_sp]; 462 ce.fn(ce.var); 463 #ifdef CLEANUP_DEBUG 464 syslog(LOG_INFO,"[tcsh][cleanup_until] cleanup_sp %zu, file= =20 %s, line %zu, var %p\n", cleanup_sp, ce.file, ce.line, ce.var); 465 #endif 466 if (ce.var =3D=3D last_var) 467 return; 468 } 469 syslog(LOG_INFO, "abort in cleanup_until\n"); 470 abort(); 471 } 472=20=20=20=20=20 (gdb) p cleanup_sp $3 =3D 0 --=20 You are receiving this mail because: You are the assignee for the bug.=