Date:      Mon, 30 Aug 1999 10:10:02 -0700 (PDT)
From:      Tim Vanderhoek <vanderh@ecf.utoronto.ca>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/13463: /bin/sh: malloc() recursive call: segv
Message-ID:  <199908301710.KAA78807@freefall.freebsd.org>

The following reply was made to PR bin/13463; it has been noted by GNATS.

From: Tim Vanderhoek <vanderh@ecf.utoronto.ca>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/13463: /bin/sh: malloc() recursive call: segv
Date: Mon, 30 Aug 1999 13:01:16 -0400

 On Mon, Aug 30, 1999 at 10:06:32AM +0200, Sheldon Hearn wrote:
 > 
 > How on earth does yywrap recurse on itself like that?
 
 This is what I get if I set malloc_options to AX,
 
 Program terminated with signal 6, Abort trap.
 #0  0x806fbd0 in kill ()
 (gdb) bt
 #0  0x806fbd0 in kill ()
 #1  0x808e568 in abort ()
 #2  0x808d0db in isatty ()
 #3  0x808d0fb in isatty ()
 #4  0x808e124 in malloc ()
 #5  0x8059ff2 in yywrap ()
 #6  0x805a042 in yywrap ()
 #7  0x805a5db in history ()
 #8  0x8050420 in preadbuffer () at /usr/src/bin/sh/input.c:297
 #9  0x8055cf5 in xxreadtoken () at /usr/src/bin/sh/parser.c:776
 #10 0x8055b11 in readtoken () at /usr/src/bin/sh/parser.c:693
 #11 0x8054da9 in parsecmd (interact=1) at /usr/src/bin/sh/parser.c:145
 #12 0x805254b in cmdloop (top=1) at /usr/src/bin/sh/main.c:244
 #13 0x80524d3 in main (argc=1, argv=0xbfbfdb48) at /usr/src/bin/sh/main.c:207
 #14 0x80480ed in _start ()
 (gdb) print suppressint
 $1 = 1
 
 I don't know if that value for suppressint is correct.  I tend to
 suspect it is.
 
 It's got to be something to do with the signal that starts scrambling
 memory.  Have a look at this:
 
 # while :; do echo -n ; done
 ^C
 # asdfasdfasdfjkl
 asdfasdfasdfjkl: not found
 # while :; do echo -n ; done
 ^C
 # asdfasdfasdfasd
 asdfasdfasdfasd: not found
 # while :; do echo -n ; done
 ^C
 # asdfasdfahwefuiawhefouiaweh
 sh in malloc(): error: recursive call.
 Abort trap (core dumped)
 
 [malloc_options="AX"]
 
 Martin Cracauer was the last person to touch the sh signal handling,
 but I'm not sure if he touched anything unrelated to trap.c.
 
 The signal handlers (onsig() and onint()) look pretty benign.  I can
 reproduce it both with and without rootshell.  [See the patch at the
 end of this message, though].
 
 
 > By the way, I can't reproduce the problem if I compile with -DDEBUG=2.
 
 Try harder.  :-)  It reproduces for me when compiled with -DDEBUG=2.
 
 
 If I apply the following patch, I cannot reproduce the problem.
 
 Perhaps this is enough to give someone who knows more about the sh
 sources than me a quicker start on the problem.  [I assume it's not
 the correct fix, although for all I know, it could be...  :-]
 
 --- ~eval.c	Mon Aug 30 12:54:40 1999
 +++ eval.c	Mon Aug 30 12:57:32 1999
 @@ -289,7 +289,9 @@
  	loopnest++;
  	status = 0;
  	for (;;) {
 +		INTOFF;
  		evaltree(n->nbinary.ch1, EV_TESTED);
 +		INTON;
  		if (evalskip) {
  skipping:	  if (evalskip == SKIPCONT && --skipcount <= 0) {
  				evalskip = 0;
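
Review bot: The INTOFF/INTON pair around evaltree(n->nbinary.ch1, EV_TESTED) holds interrupts for the entire evaluation of the loop condition, so it hides whichever allocation is being interrupted rather than protecting it. If evaltree() can leave by a non-local jump, the INTON on the next line is skipped and interrupts stay off; suggest narrowing the bracket to the allocating code, or confirming that every exit path out of evaltree() rebalances it.
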
 @@ -306,7 +308,9 @@
  			if (exitstatus == 0)
  				break;
  		}
 +		INTOFF;
  		evaltree(n->nbinary.ch2, 0);
 +		INTON;
  		status = exitstatus;
  		if (evalskip)
  			goto skipping;
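
Review bot: Wrapping evaltree(n->nbinary.ch2, 0) in INTOFF/INTON defers ^C until the whole loop body has returned, and the body is where a loop spends its time, so a long-running body cannot be interrupted until it finishes on its own. Neither added pair carries a comment; please say which non-reentrant call this is guarding so the bracket can later be moved down to that call.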
 
 
 -- 
 This is my .signature which gets appended to the end of my messages.
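
Added example, not part of the original message or the FreeBSD sources: a small C model of why deferring the interrupt with INTOFF/INTON makes the "recursive call" abort disappear. The macro bodies, `toy_alloc`, `do_interrupt` and `run` are hypothetical stand-ins, and it is an assumption that the shell's interrupt path reaches the allocator.

```c
#include <signal.h>

/* Simplified model of names from the message; NOT the /bin/sh source. */
static volatile sig_atomic_t suppressint, intpending;
static volatile sig_atomic_t in_alloc, recursive_calls, handled;
static void toy_alloc(int interrupt_midway);

/* Work done on ^C; assumed (for this model) to end up allocating. */
static void do_interrupt(void) {
    handled++;
    toy_alloc(0);
}

static void onint(int sig) {
    (void)sig;
    if (suppressint) {          /* inside INTOFF..INTON: only record it */
        intpending = 1;
        return;
    }
    do_interrupt();             /* runs on top of whatever was interrupted */
}

#define INTOFF (suppressint++)
#define INTON do { if (--suppressint == 0 && intpending) { \
                       intpending = 0; do_interrupt(); } } while (0)

/* Non-reentrant allocator stand-in with a reentry guard. */
static void toy_alloc(int interrupt_midway) {
    if (in_alloc) {             /* the "malloc(): recursive call" case */
        recursive_calls++;
        return;
    }
    in_alloc = 1;
    if (interrupt_midway)
        raise(SIGINT);          /* constructed: ^C lands mid-allocation */
    in_alloc = 0;
}

/* Returns how many times the allocator was re-entered. */
static int run(int protect) {
    signal(SIGINT, onint);
    suppressint = intpending = in_alloc = recursive_calls = handled = 0;
    if (protect) INTOFF;
    toy_alloc(1);
    if (protect) INTON;         /* deferred interrupt is handled here */
    return recursive_calls;
}

int main(void) { return !(run(0) == 1 && run(1) == 0); }
```

In the protected run the interrupt is still handled exactly once, only after the allocator has been left, which is why the bracket fixes the symptom wherever it happens to cover the interrupted allocation.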
 

