Bug #13720
Updated by Andy Fiddaman about 1 year ago
<pre>
$ echo ${.sh.lineno}
0
$ typeset -u .sh.lineno
mdb: stop on SIGABRT
> ::umem_status
Status: ready and active
Concurrency: 32
Logs: (inactive)
Message buffer:
free(fffffc7feec267f0): invalid or corrupted buffer
stack trace:
libumem.so.1'umem_err_recoverable+0xd3
libumem.so.1'process_free+0xa5
libumem.so.1'umem_malloc_free+0x1a
libast.so.1'_ast_free+0xe
libshell.so.1'_nv_unset+0x460
libshell.so.1'nv_putv+0x9a
libshell.so.1'put_trans+0x231
libshell.so.1'nv_putv+0x14b
libshell.so.1'_nv_unset+0x422
libshell.so.1'nv_newattr+0x4d0
libshell.so.1'setall+0xfcc
libshell.so.1'b_typeset+0x748
libshell.so.1'sh_exec+0x3d68
libshell.so.1'exfile+0xaaf
libshell.so.1'sh_main+0x3da
ksh'main+0x51
ksh'_start_crt+0x87
ksh'_start+0x18
</pre>
The buffer that it's attempting to free is:
<pre>
> fffffc7feee467f0::whatis
fffffc7feee467f0 is libshell.so.1`sh+0x90, in /usr/lib/amd64/libshell.so.1 [fffffc7feee41000,fffffc7feee47000)
</pre>
i.e., it's a pointer to the global &shp->st.lineno and should not be freed.
@data/variables.c@ contains:
<pre>
"LINENO", NV_NOFREE|NV_INTEGER, (char*)0,
...
".sh.lineno", NV_INTEGER, (char*)0,
</pre>
The @${.sh.lineno}@ entry should also be marked @NV_NOFREE@, since its value pointer refers to the same global storage and must never be passed to free(3).
This change is taken from https://github.com/ksh93/ksh/, where they say:
> - Running 'unset .sh.lineno' creates a memory fault, so fix that
> by giving it the NV_NOFREE attribute. This crash was happening
> because ${.sh.lineno} is an integer that cannot be freed from
> memory with free(3).
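To make the ownership rule concrete, here is an added example (not ksh or illumos code) modelling how an NV_NOFREE-style flag decides whether unsetting a variable hands its value to free(3), with the report's "before" table beside the fixed one. The names nv_t, sh_state, nv_would_free and audit_table are hypothetical stand-ins, and the tables assume both entries point at the same global lineno field, as the report describes.

```c
#include <stdint.h>
#include <stdlib.h>

#define NV_INTEGER 0x1
#define NV_NOFREE  0x2   /* value storage is not heap-owned: never free() it */
/* Hypothetical stand-in for a libshell name-value node. */
typedef struct { const char *name; unsigned flags; void *value; } nv_t;
/* Stand-in for the global shell state (shp->st in the report); .sh.lineno's
 * value pointer refers into this object, so it must never reach free(3). */
static struct { int lineno; } sh_state;

/* Returns 1 if unsetting this node would hand its value to free(3). */
int nv_would_free(const nv_t *np) {
    return np->value != NULL && !(np->flags & NV_NOFREE);
}

/* Ownership model of _nv_unset: release heap-owned storage only. */
void nv_unset(nv_t *np) {
    if (nv_would_free(np))
        free(np->value);      /* valid only for malloc()ed values */
    np->value = NULL;
}
/* Does p lie inside sh_state? Compared as integers, not unrelated pointers. */
static int points_into_state(const void *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)&sh_state;
    return a >= lo && a < lo + sizeof sh_state;
}

/* Audit: count table entries that would free() a pointer into sh_state.
 * A non-zero result is exactly the defect behind the mdb trace above. */
int audit_table(const nv_t *tab, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (points_into_state(tab[i].value) && nv_would_free(&tab[i]))
            bad++;
    return bad;
}

/* Before: mirrors the data/variables.c lines quoted in the report. */
nv_t before[] = {
    { "LINENO",     NV_NOFREE|NV_INTEGER, &sh_state.lineno },
    { ".sh.lineno", NV_INTEGER,           &sh_state.lineno },
};
/* After the fix: .sh.lineno also carries NV_NOFREE. */
nv_t after[] = {
    { "LINENO",     NV_NOFREE|NV_INTEGER, &sh_state.lineno },
    { ".sh.lineno", NV_NOFREE|NV_INTEGER, &sh_state.lineno },
};
```

Running audit_table over the unfixed table reports one entry that would free a pointer into the global state; the fixed table reports none.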