On Mon, Apr 14, 2014 at 10:21:59AM -0400, David Korn wrote: > Does this happen after applying the patch you sent?
Indeed ... but I've seen a similar crash before ... now I've modified the
patch to avoid both this crash and also the crash without the patch.
Compare with attached patch. Here I set
slp->slptr = 0
after it has been closed in _nv_unset() and check for a valid slptr
in sh_funstaks().
If this is wrong then please show me how to avoid those invalid reads
on already freed data. I've several users around here which indeed
see this with their scripts even with the default _AST_std_malloc==0
Now one remaining problem is the !(flags&NV_ARRAY) check in nv_create(): without
it ksh crashes with comvar.sh and builtin_poll.sh ... with this
change the crash for comvar.sh is gone, but then builtin_poll.sh does
crash in another place
#0 0x000000000043d5ab in nv_create (name=0x7efd70 "pl[16388]", root=0x7f2f20,
flags=132608, dp=0x7fff71569e60)
at /usr/src/packages/BUILD/ksh93/src/cmd/ksh93/sh/name.c:1222
1222 if(ap && ap->table &&
tp)
Besides this, I always see that io.sh from the test suite crashes
with shcomp on a SIGPIPE.
Also sometime the signal.sh hangs in a futex() which indicates that
memory was allocated within a signal handler.
> On Mon, Apr 14, 2014 at 3:27 AM, Dr. Werner Fink <[email protected]> wrote:
>
> > Hi,
> >
> > this is what valgrind shows
> >
> > ==23137== Invalid read of size 2
> > ==23137== at 0x57DB446: stkclose (stk.c:312)
> > ==23137== by 0x511CB6A: sh_funstaks (parse.c:495)
> > ==23137== by 0x511CB99: sh_freeup (parse.c:476)
> > ==23137== by 0x5139567: sh_eval_20120720 (xec.c:4202)
> > ==23137== by 0x50C75C0: b_dot_cmd (misc.c:295)
> > ==23137== by 0x5138B54: sh_exec (xec.c:1382)
> > ==23137== by 0x50D4956: exfile (main.c:627)
> > ==23137== by 0x50D52D9: sh_main (main.c:399)
> > ==23137== by 0x5F17C15: (below main) (in /lib64/libc-2.11.3.so)
> > ==23137== Address 0x62f3430 is 224 bytes inside a block of size 248
> > free'd
> > ==23137== at 0x4C2852A: free (in
> > /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> > ==23137== by 0x57DBC44: stkexcept (stk.c:182)
> > ==23137== by 0x582CCF0: sfraise (sfraise.c:90)
> > ==23137== by 0x5812C48: sfclose (sfclose.c:160)
> > ==23137== by 0x5113BAC: _nv_unset (name.c:2639)
> > ==23137== by 0x50CF10F: unall (typeset.c:1285)
> > ==23137== by 0x5138B54: sh_exec (xec.c:1382)
> > ==23137== by 0x513346C: sh_exec (xec.c:2255)
> > ==23137== by 0x5139409: sh_eval_20120720 (xec.c:4189)
> > ==23137== by 0x50C75C0: b_dot_cmd (misc.c:295)
> > ==23137== by 0x5138B54: sh_exec (xec.c:1382)
> > ==23137== by 0x50D4956: exfile (main.c:627)
> >
> > that is, in sh_eval_20120720() within the while loop the stream is
> > freed by sh_exec() -> unall() -> _nv_unset() -> sfclose()
> > and later on, after the loop, it is read again via sh_freeup() -> sh_funstaks() -> stkclose()
--
"Having a smoking section in a restaurant is like having
a peeing section in a swimming pool." -- Edward Burr
--- src/cmd/ksh93/sh/array.c
+++ src/cmd/ksh93/sh/array.c 2014-04-11 14:58:27.000000000 +0000
@@ -1782,8 +1782,8 @@
return((void*)ap);
case NV_ADELETE:
if(ap->cur)
- {
- if(!ap->header.scope || (Dt_t*)ap->header.scope==ap->header.table || !nv_search(ap->cur->nvname,(Dt_t*)ap->header.scope,0))
+ { Dt_t* scope = ap->header.scope;
+ if(!scope || scope==ap->header.table || !nv_search(ap->cur->nvname,scope,0))
ap->header.nelem--;
_nv_unset(ap->cur,NV_RDONLY);
nv_delete(ap->cur,ap->header.table,0);
--- src/cmd/ksh93/sh/macro.c
+++ src/cmd/ksh93/sh/macro.c 2014-04-08 09:27:37.050234765 +0000
@@ -2134,7 +2134,6 @@ static void comsubst(Mac_t *mp,register
if(t)
{
fcsave(&save);
- sfclose(sp);
if(t->tre.tretyp==0 && !t->com.comarg && !t->com.comset)
{
/* special case $(<file) and $(<#file) */
@@ -2142,6 +2141,8 @@ static void comsubst(Mac_t *mp,register
int r;
struct checkpt buff;
struct ionod *ip=0;
+ if (sp)
+ sfclose(sp);
sh_pushcontext(mp->shp,&buff,SH_JMPIO);
if((ip=t->tre.treio) &&
((ip->iofile&IOLSEEK) || !(ip->iofile&IOUFD)) &&
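Review bot: With `sfclose(sp)` moved into the `$(<file)` special case, the visible lines no longer close `sp` on the ordinary command-substitution path, so that path needs its own close or the stream stays open. The rest of comsubst() lies outside both macro.c hunks, so this may already be handled further down. If it is, a comment at the new call such as `/* only the $(<file) case closes sp here; the general path must close it itself */` would record the split. The spacing of `if (sp)` also differs from the `if(t)` style a few lines above.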
--- src/cmd/ksh93/sh/name.c
+++ src/cmd/ksh93/sh/name.c 2014-04-07 10:06:20.150735631 +0000
@@ -947,7 +947,7 @@
if(c)
*sp = c;
top = 0;
- if(np && !nv_isattr(np,NV_MINIMAL) && shp->oldnp && !np->nvenv && shp->oldnp!=np)
+ if(np && !nv_isattr(np,NV_MINIMAL) && shp->oldnp && !np->nvenv && shp->oldnp!=np && !(flags&NV_ARRAY))
np->nvenv = (char*)shp->oldnp;
shp->oldnp = np;
if(isref)
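Review bot: The new `!(flags&NV_ARRAY)` term guards only the `np->nvenv` assignment, while `shp->oldnp = np;` on the following line still runs for array lookups, so the two may now be out of step for NV_ARRAY callers. The accompanying mail reports that builtin_poll.sh still crashes in nv_create() with this change, which suggests the condition is a workaround rather than a settled fix. It would help to record that at the test, e.g. `/* NV_ARRAY lookups must not link np to oldnp; avoids the comvar.sh crash */`, and to state whether leaving oldnp updated is intended. The enclosing function starts and ends outside the hunk.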
@@ -1312,7 +1312,9 @@
{
cp += 2;
dp->last = cp;
+#if NVCACHE
nvcache.ok = 0;
+#endif
shp->oldnp = np = nv_parentnode(shp->oldnp);
if(*cp==0)
return(np);
@@ -2629,9 +2629,15 @@ void _nv_unset(register Namval_t *np,int
}
dtclose(rp->sdict);
}
+ /*
+ * stkclose() does do sfclose() finally which
+ * its self does free() the stream slp->slptr
+ */
if(flags&NV_TABLE)
while(stkclose(slp->slptr)==1);
- sfclose(slp->slptr);
+ else
+ sfclose(slp->slptr);
+ slp->slptr = 0;
free((void*)np->nvalue.ip);
np->nvalue.ip = 0;
}
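Review bot: The added `slp->slptr = 0;` writes through `slp` after the stream has been closed, and the hunk does not show where the slnod itself is allocated. If it lives in the storage that `stkclose()`/`sfclose()` just released, this store and the later `!slpold->slptr` test in the parse.c hunk for sh_funstaks() touch freed memory again. Please confirm who owns the slnod and, if it is separate, say so in the new comment, e.g. `/* slp is not part of slp->slptr's storage, so it stays valid after the close */`. Separately, the empty-bodied `while(stkclose(slp->slptr)==1);` directly before `else` is easy to misread, so braces or a `;` on its own line would make the pairing obvious. _nv_unset() begins before the hunk.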
--- src/cmd/ksh93/sh/parse.c
+++ src/cmd/ksh93/sh/parse.c 2014-04-14 14:24:29.098237738 +0200
@@ -486,11 +486,14 @@
void sh_funstaks(register struct slnod *slp,int flag)
{
register struct slnod *slpold;
- while(slpold=slp)
+ while(slp)
{
if(slp->slchild)
sh_funstaks(slp->slchild,flag);
+ slpold = slp;
slp = slp->slnext;
+ if (!slpold->slptr)
+ continue;
if(flag<=0)
stakdelete(slpold->slptr);
else
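Review bot: The new `if (!slpold->slptr) continue;` relies on `_nv_unset()` having cleared the pointer, but nothing at the check says so. Any other path that closes the stream without clearing slptr would still reach `stakdelete()` or the else branch with a stale pointer. A comment such as `/* slptr is zeroed by _nv_unset() once the stream is closed */` would document the contract. The spacing of `if (` also differs from the `if(slp->slchild)` style used in the same function, whose body continues past the hunk.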
--- src/lib/libast/misc/spawnvex.c
+++ src/lib/libast/misc/spawnvex.c 2014-04-04 13:30:25.522235886 +0000
@@ -596,6 +596,8 @@ spawnvex_apply(Spawnvex_t* vex, int cur,
}
else if (i >= vex->cur)
break;
+ if (!vex->op)
+ break;
op = vex->op[i++].number;
arg = vex->op[i++].number;
if (!(op & 1))
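Review bot: The `if (!vex->op) break;` test does not depend on `i`, yet it sits inside the loop and runs on every pass; checking it once before the loop would read more clearly. It also quietly accepts a state where the index is still below `vex->cur` while `vex->op` is NULL, which looks like an inconsistency that deserves a comment or an error return rather than a silent exit. That reading is tentative, since the loop header and the code that maintains `cur` and `op` are outside the hunk.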
--- src/cmd/ksh93/sh/xec.c
+++ src/cmd/ksh93/sh/xec.c 2014-04-08 17:29:25.458235619 +0000
@@ -4187,7 +4187,7 @@ int sh_eval_20120720(Shell_t *shp,regist
mode = sh_state(SH_INTERACTIVE);
}
sh_exec(shp,t,sh_isstate(shp,SH_ERREXIT)|sh_isstate(shp,SH_NOFORK)|(mode&~SH_FUNEVAL));
- if(!(mode&SH_FUNEVAL))
+ if(!io_save)
break;
}
sh_popcontext(shp,buffp);
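Review bot: Replacing `if(!(mode&SH_FUNEVAL))` with `if(!io_save)` changes when the loop ends, and `io_save` is not defined in the hunk. Callers without SH_FUNEVAL but with `io_save` set now keep iterating where they used to stop after one `sh_exec()`. According to the valgrind trace in the mail, `sh_exec()` inside this loop can close the stream through `_nv_unset()`, so further passes need to be safe when that has happened. A comment at the test stating what `io_save` represents and why it replaces the mode check, something like `/* continue only while evaluating from a saved stream */`, would make the intent reviewable. The loop header is outside the hunk.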
