I'm getting this error with Bash 5.2 from Nixpkgs.

```
$ path/to/env - foo=bar LC_CTYPE=C.UTF-8 path/to/valgrind path/to/bash -c 'echo ${foo#spam}'
...<snip>
malloc: subst.c:5343: assertion botched
free: called with unallocated block argument
Aborting...
==2952489==
==2952489== Process terminating with default action of signal 6 (SIGABRT): dumping core
==2952489==    at 0x48DFA8C: __pthread_kill_implementation (in /nix/store/aw2fw9ag10wr9pf0qk4nk5sxi0q0bn56-glibc-2.37-8/lib/libc.so.6)
==2952489==    by 0x4890C85: raise (in /nix/store/aw2fw9ag10wr9pf0qk4nk5sxi0q0bn56-glibc-2.37-8/lib/libc.so.6)
==2952489==    by 0x487A8B9: abort (in /nix/store/aw2fw9ag10wr9pf0qk4nk5sxi0q0bn56-glibc-2.37-8/lib/libc.so.6)
==2952489==    by 0x4403A0: programming_error (error.c:175)
==2952489==    by 0x4A0D83: xbotch (malloc.c:390)
==2952489==    by 0x4A102D: internal_free (malloc.c:985)
==2952489==    by 0x4A1DD0: sh_free (malloc.c:1459)
==2952489==    by 0x47459C: sh_xfree (xmalloc.c:223)
==2952489==    by 0x44DABC: remove_pattern (subst.c:5343)
==2952489==    by 0x45F8BD: parameter_brace_remove_pattern (subst.c:5925)
==2952489==    by 0x45961D: parameter_brace_expand (subst.c:10111)
==2952489==    by 0x45A0A7: param_expand (subst.c:10559)
...<snip>

```

(Full output [here][1])

Note: I inserted debug statements in my build, so the numbers may be a bit off.

This error occurs:

- Only when running Bash in Valgrind. I don't know if the Valgrind VM enables
  this check, which is normally disabled?

- Only when LC_CTYPE=C.UTF-8. Any other LC_CTYPE (whether it is a "real" or
  non-existent locale) will not cause the crash.

- Only when foo is set to a non-empty string (doesn't matter if it contains the
  pattern, "spam", or not).

The failing assertion can be triggered by inserting `free(wparam);` just after
`n = xdupmbstowcs (&wparam, NULL, param)`. Somehow `xdupmbstowcs` is returning
memory it never allocated, only when the locale is set to C.UTF-8.

I am experiencing this problem on x86_64, Ubuntu 22.04.3, Linux
5.15.0-83-generic, but I tried to remove all of the system-dependent attributes
(clean env, no local dependencies) of this bug. This can be reproduced using the
following [Nix flake][2]. Download `flake.nix` and `flake.lock` and run `nix run`.

Any help on this issue would be appreciated.

[1]: https://gist.github.com/charmoniumQ/c5a0a1dbec4452a203e9dd8ec20a3458#file-output-txt
[2]: https://gist.github.com/charmoniumQ/c5a0a1dbec4452a203e9dd8ec20a3458
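Added example (editor's note, not part of the report above and not Bash's own code): the report boils down to an ownership contract between a "dup and convert to wide chars" helper and the pattern-removal code that frees its result. The block below shows that contract done so the caller can always free the buffer, using the same `${foo#pat}` shape as the reproducer, with a literal prefix instead of glob matching. `dup_mbstowcs`, `remove_prefix`, `select_utf8_locale`, `wide_length` and `prefix_removed_to` are hypothetical stand-ins written for this example; they are not `xdupmbstowcs` or `remove_pattern` from subst.c. The inputs are constructed to mirror the report (value `bar`, pattern `spam`).

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Convert the multibyte string S (interpreted in the current LC_CTYPE
 * locale) to a freshly malloc'd wide string stored in *OUT.  Returns the
 * number of wide characters, or (size_t)-1 on an invalid sequence or an
 * allocation failure, in which case *OUT is left untouched.  Every success
 * path allocates with malloc, so the caller may always free(*OUT). */
size_t dup_mbstowcs(wchar_t **out, const char *s)
{
    size_t n = mbstowcs(NULL, s, 0);          /* measure only; -1 on EILSEQ */
    if (n == (size_t)-1)
        return n;
    wchar_t *w = malloc((n + 1) * sizeof *w);
    if (w == NULL)
        return (size_t)-1;
    mbstowcs(w, s, n + 1);                    /* input was validated above */
    *out = w;
    return n;
}

/* Strip PREFIX from the front of S when it matches literally (the simplest
 * case of ${s#prefix}), comparing wide characters so that a multibyte
 * character is never cut in half.  Returns a malloc'd string, NULL on error. */
char *remove_prefix(const char *s, const char *prefix)
{
    wchar_t *ws = NULL, *wp = NULL;
    size_t ns = dup_mbstowcs(&ws, s);
    if (ns == (size_t)-1)
        return NULL;
    size_t np = dup_mbstowcs(&wp, prefix);
    if (np == (size_t)-1) {
        free(ws);
        return NULL;
    }
    const wchar_t *rest = (np <= ns && wmemcmp(ws, wp, np) == 0) ? ws + np : ws;
    char *result = NULL;
    size_t bytes = wcstombs(NULL, rest, 0);
    if (bytes != (size_t)-1 && (result = malloc(bytes + 1)) != NULL)
        wcstombs(result, rest, bytes + 1);
    free(ws);   /* safe: both buffers came from malloc inside dup_mbstowcs */
    free(wp);
    return result;
}

/* Try the locale from the report first, then a common fallback.
 * Returns 1 if a UTF-8 LC_CTYPE is active, 0 if the system has none. */
int select_utf8_locale(void)
{
    return setlocale(LC_CTYPE, "C.UTF-8") != NULL
        || setlocale(LC_CTYPE, "en_US.UTF-8") != NULL;
}

/* Number of wide characters in S, or (size_t)-1 if it does not convert. */
size_t wide_length(const char *s)
{
    wchar_t *w = NULL;
    size_t n = dup_mbstowcs(&w, s);
    if (n != (size_t)-1)
        free(w);
    return n;
}

/* 1 if remove_prefix(S, PREFIX) yields exactly WANT, else 0. */
int prefix_removed_to(const char *s, const char *prefix, const char *want)
{
    char *r = remove_prefix(s, prefix);
    int ok = r != NULL && strcmp(r, want) == 0;
    free(r);
    return ok;
}

int main(void)
{
    int utf8 = select_utf8_locale();
    printf("%s\n", prefix_removed_to("bar", "spam", "bar") ? "bar unchanged" : "FAIL");
    printf("%s\n", prefix_removed_to("spambar", "spam", "bar") ? "prefix stripped" : "FAIL");
    if (utf8)   /* two-byte U+00E9 must count as one character, not two */
        printf("%s\n", prefix_removed_to("\xc3\xa9" "clair", "\xc3\xa9", "clair")
                           ? "utf-8 prefix stripped" : "FAIL");
    return 0;
}
```

The point of `dup_mbstowcs` is that it never hands back a pointer into storage it does not own (a static buffer, or the caller's input on an all-ASCII fast path); if a helper like this ever did, the unconditional `free` in the caller would be exactly the "free: called with unallocated block argument" that the malloc checker reports. Running the binary under `valgrind` with `LC_CTYPE=C.UTF-8`, as in the report, is the quickest way to confirm both buffers are released once and only once.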
