Bug #13720

Updated by Andy Fiddaman about 1 year ago

<pre>
$ echo ${.sh.lineno}
0
$ typeset -u .sh.lineno
mdb: stop on SIGABRT
> ::umem_status
Status:           ready and active
Concurrency:      32
Logs:             (inactive)
Message buffer:
free(fffffc7feec267f0): invalid or corrupted buffer
stack trace:
libumem.so.1'umem_err_recoverable+0xd3
libumem.so.1'process_free+0xa5
libumem.so.1'umem_malloc_free+0x1a
libast.so.1'_ast_free+0xe
libshell.so.1'_nv_unset+0x460
libshell.so.1'nv_putv+0x9a
libshell.so.1'put_trans+0x231
libshell.so.1'nv_putv+0x14b
libshell.so.1'_nv_unset+0x422
libshell.so.1'nv_newattr+0x4d0
libshell.so.1'setall+0xfcc
libshell.so.1'b_typeset+0x748
libshell.so.1'sh_exec+0x3d68
libshell.so.1'exfile+0xaaf
libshell.so.1'sh_main+0x3da
ksh'main+0x51
ksh'_start_crt+0x87
ksh'_start+0x18
</pre>

The buffer that it's attempting to free is:

<pre>
> fffffc7feee467f0::whatis
fffffc7feee467f0 is libshell.so.1`sh+0x90, in /usr/lib/amd64/libshell.so.1 [fffffc7feee41000,fffffc7feee47000)
</pre>

i.e., it's a pointer to the global &shp->st.lineno and should not be freed.

@data/variables.c@ contains:

<pre>
        "LINENO",         NV_NOFREE|NV_INTEGER,             (char*)0,
...
        ".sh.lineno",     NV_INTEGER,             (char*)0,
</pre>

The @${.sh.lineno}@ instance should also be marked as non-free.
This change is taken from https://github.com/ksh93/ksh/, where they say:

> - Running 'unset .sh.lineno' creates a memory fault, so fix that
>   by giving it the NV_NOFREE attribute. This crash was happening
>   because ${.sh.lineno} is an integer that cannot be freed from
>   memory with free(3).
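The following is an added illustration of the ownership-flag pattern behind this fix; it is model code written for this page, not ksh's @Namval_t@, @nv_unset()@ or @data/variables.c@. The @struct var@, the @NV_INTEGER@/@NV_NOFREE@ bit values, @tracked_malloc()@ and @unset_var()@ are all assumptions of the model. A variable table holds some values it allocated itself and some that point at static storage (here a global standing in for @shp->st.lineno@); an unset that frees everything not flagged @NV_NOFREE@ is only safe if every static-backed entry carries the flag. The model keeps a small registry of its own heap pointers so it can report the invalid free instead of performing it, which is what libumem's "invalid or corrupted buffer" abort in the trace above is reacting to after the fact.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/*
 * Simplified model of a shell variable table entry. Illustrative code for
 * this page only; NOT ksh's Namval_t or nv_unset(). It shows why an entry
 * whose value points at static storage must carry NV_NOFREE: otherwise an
 * unset hands a non-heap pointer to free().
 */
#define NV_INTEGER 0x1u   /* assumed bit value for the model */
#define NV_NOFREE  0x2u   /* assumed bit value for the model */

struct var {
    const char *name;
    unsigned    flags;
    void       *value;   /* heap memory owned by the table, or a pointer to a global */
};

/* Stand-in for the shell's global shp->st.lineno: lives in static storage. */
static int g_lineno = 0;

/*
 * Tiny registry of pointers handed out by tracked_malloc(), so the model
 * can tell a heap pointer from a non-heap one before calling free().
 * A real allocator (libumem in the trace above) only notices at free()
 * time, by which point the bad call has already been made.
 */
#define MAX_TRACKED 16
static void *tracked[MAX_TRACKED];
static int   ntracked = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL && ntracked < MAX_TRACKED)
        tracked[ntracked++] = p;
    return p;
}

static int tracked_index(const void *p)
{
    for (int i = 0; i < ntracked; i++)
        if (tracked[i] == p)
            return i;
    return -1;
}

/*
 * Model of "unset": returns 1 if the value was freed, 0 if the value was
 * released without free() because NV_NOFREE is set (or was already empty),
 * and -1 if the table is about to free() a pointer it never allocated,
 * i.e. the invalid free from the bug report.
 */
int unset_var(struct var *v)
{
    if (v->value == NULL)
        return 0;
    if (v->flags & NV_NOFREE) {
        v->value = NULL;            /* storage belongs to someone else */
        return 0;
    }
    int idx = tracked_index(v->value);
    if (idx < 0)
        return -1;                  /* would be free(&g_lineno): corrupted-buffer abort */
    free(v->value);
    tracked[idx] = tracked[--ntracked];
    v->value = NULL;
    return 1;
}

/* ".sh.lineno" as in the unfixed table: NV_INTEGER only, value bound to a global. */
int unset_sh_lineno_unfixed(void)
{
    struct var v = { ".sh.lineno", NV_INTEGER, &g_lineno };
    return unset_var(&v);
}

/* ".sh.lineno" with the fix applied: NV_NOFREE added, as LINENO already had. */
int unset_sh_lineno_fixed(void)
{
    struct var v = { ".sh.lineno", NV_INTEGER | NV_NOFREE, &g_lineno };
    return unset_var(&v);
}

/* An ordinary variable whose value the table allocated itself: free() is correct. */
int unset_heap_backed_var(void)
{
    char *val = tracked_malloc(8);
    if (val == NULL)
        return -2;
    strcpy(val, "hello");           /* constructed sample value */
    struct var v = { "FOO", 0, val };
    return unset_var(&v);
}
```

The unfixed entry reports the invalid free, the fixed entry releases the binding without touching the allocator, and a heap-backed value is freed normally; the flag, not the value type, is what decides ownership.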
