Hello, I'm hunting down a crash in bash seen in an interactive session that terminated my shell with an error message like this: "free(): invalid next size (fast)".
During my experiments to reproduce the crash I'm using valgrind to find memory issues early - and it seems like I found a minimal input string that causes issues. However, sometimes it has to be entered twice to create an issue.

REPRODUCE:

user@linux64c:~> valgrind `which bash`
==2019163== Memcheck, a memory error detector
==2019163== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==2019163== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==2019163== Command: /usr/bin/bash
==2019163==
user@linux64c:~$ $(for p in ; ;)
bash: syntax error near unexpected token `;'
user@linux64c:~$ $(for p in ; ;)
==2019163== Invalid read of size 1
==2019163==    at 0x13DDFA: ??? (in /usr/bin/bash)
==2019163==    by 0x13FF5A: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==    by 0x13A5B5: parse_command (in /usr/bin/bash)
==2019163==    by 0x13A743: read_command (in /usr/bin/bash)
==2019163==    by 0x13A8F5: reader_loop (in /usr/bin/bash)
==2019163==    by 0x1393D8: main (in /usr/bin/bash)
==2019163==  Address 0x4abf3ce is 2 bytes before a block of size 10 alloc'd
==2019163==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==2019163==    by 0x1A2CFF: xrealloc (in /usr/bin/bash)
==2019163==    by 0x140A50: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==    by 0x13A5B5: parse_command (in /usr/bin/bash)
==2019163==    by 0x1AA2F9: parse_and_execute (in /usr/bin/bash)
==2019163==    by 0x1A942D: ??? (in /usr/bin/bash)
==2019163==    by 0x1A95C6: maybe_execute_file (in /usr/bin/bash)
==2019163==    by 0x138FBC: main (in /usr/bin/bash)
==2019163==
==2019163== Invalid read of size 1
==2019163==    at 0x1401CD: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==    by 0x13A5B5: parse_command (in /usr/bin/bash)
==2019163==    by 0x13A743: read_command (in /usr/bin/bash)
==2019163==    by 0x13A8F5: reader_loop (in /usr/bin/bash)
==2019163==    by 0x1393D8: main (in /usr/bin/bash)
==2019163==  Address 0x4abf3ce is 2 bytes before a block of size 10 alloc'd
==2019163==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==2019163==    by 0x1A2CFF: xrealloc (in /usr/bin/bash)
==2019163==    by 0x140A50: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==    by 0x13A5B5: parse_command (in /usr/bin/bash)
==2019163==    by 0x1AA2F9: parse_and_execute (in /usr/bin/bash)
==2019163==    by 0x1A942D: ??? (in /usr/bin/bash)
==2019163==    by 0x1A95C6: maybe_execute_file (in /usr/bin/bash)
==2019163==    by 0x138FBC: main (in /usr/bin/bash)
==2019163==
==2019163== Invalid write of size 1
==2019163==    at 0x141C94: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==    by 0x13A5B5: parse_command (in /usr/bin/bash)
==2019163==    by 0x13A743: read_command (in /usr/bin/bash)
==2019163==    by 0x13A8F5: reader_loop (in /usr/bin/bash)
==2019163==    by 0x1393D8: main (in /usr/bin/bash)
==2019163==  Address 0x4abf3cf is 1 bytes before a block of size 10 alloc'd
==2019163==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==2019163==    by 0x1A2CFF: xrealloc (in /usr/bin/bash)
==2019163==    by 0x140A50: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==    by 0x13A5B5: parse_command (in /usr/bin/bash)
==2019163==    by 0x1AA2F9: parse_and_execute (in /usr/bin/bash)
==2019163==    by 0x1A942D: ??? (in /usr/bin/bash)
==2019163==    by 0x1A95C6: maybe_execute_file (in /usr/bin/bash)
==2019163==    by 0x138FBC: main (in /usr/bin/bash)
==2019163==
bash: syntax error near unexpected token `;'
user@linux64c:~$

OS / VERSION information:

user@linux64c:~> lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm

user@linux64c:~> sudo apt info bash
Package: bash
Version: 5.2.15-2+b9
Priority: required
Essential: yes
Section: shells
Source: bash (5.2.15-2)
Maintainer: Matthias Klose <[email protected]>
Installed-Size: 7,336 kB
Pre-Depends: libc6 (>= 2.36), libtinfo6 (>= 6)
Depends: base-files (>= 2.1.12), debianutils (>= 5.6-0.1)
Recommends: bash-completion (>= 20060301-0)
[...]

user@linux64c:~$ echo $BASH_VERSION
5.2.15(1)-release

I hope this is not a false positive, but with similar patterns I got a real crash. However, I haven't been able to create a reproducible example for the crashes, yet. Perhaps this bug report will help to find and fix the issue. It might be a long-standing bug, since bash 4.1.2(1) on a different Linux system shows a similar valgrind stacktrace with the same input pattern.
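A small triage harness for the reproduction steps above, added here as an example; it is not part of the original report and not bash project code. It does two things: it parses a memcheck log (the constructed sample below is copied from the report's output, with only the first record's stacks kept in full) to count the "Invalid read/write" records, list their kinds, and pull out the first frame that valgrind could name, so repeated runs can be compared by frame rather than by raw address; and, with `--live`, it re-runs the report's input under valgrind non-interactively. The live run assumes that feeding the input twice on stdin to `bash -i` reproduces what the interactive session showed (`-i` keeps the shell reading after the first syntax error, where a non-interactive shell would exit); the function names, the log path and the `--live` switch are this example's own choices.

```shell
#!/bin/sh
# Added example: memcheck log triage for the bash parser report above.
# Not part of the original report.

# The input string from the report (entered twice in the original session).
REPRO_INPUT='$(for p in ; ;)'

# Constructed sample log: taken from the report's valgrind output, abbreviated
# to the first record's full stacks plus the headers of the other two records.
SAMPLE_LOG=$(cat <<'EOF'
==2019163== Invalid read of size 1
==2019163==    at 0x13DDFA: ??? (in /usr/bin/bash)
==2019163==    by 0x13FF5A: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==    by 0x13A5B5: parse_command (in /usr/bin/bash)
==2019163==    by 0x13A743: read_command (in /usr/bin/bash)
==2019163==    by 0x13A8F5: reader_loop (in /usr/bin/bash)
==2019163==    by 0x1393D8: main (in /usr/bin/bash)
==2019163==  Address 0x4abf3ce is 2 bytes before a block of size 10 alloc'd
==2019163==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==2019163==    by 0x1A2CFF: xrealloc (in /usr/bin/bash)
==2019163==    by 0x140A50: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==
==2019163== Invalid read of size 1
==2019163==    at 0x1401CD: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==  Address 0x4abf3ce is 2 bytes before a block of size 10 alloc'd
==2019163==
==2019163== Invalid write of size 1
==2019163==    at 0x141C94: ??? (in /usr/bin/bash)
==2019163==    by 0x1440BA: yyparse (in /usr/bin/bash)
==2019163==  Address 0x4abf3cf is 1 bytes before a block of size 10 alloc'd
==2019163==
EOF
)

# Number of "Invalid read/write" records in a memcheck log read from stdin.
count_memcheck_errors() {
  awk '/^==[0-9]+== Invalid (read|write) of size/ { n++ } END { print n + 0 }'
}

# Kinds of the records ("read"/"write"), space separated, in log order.
error_kinds() {
  awk '/^==[0-9]+== Invalid (read|write) of size/ { printf "%s%s", sep, $3; sep = " " }
       END { print "" }'
}

# First frame of the first error record whose symbol valgrind could resolve
# (frames shown as "???" are skipped). Field layout of a frame line:
#   ==PID==    by 0xADDR: NAME (in /path)
top_named_frame() {
  awk '
    /^==[0-9]+== Invalid (read|write) of size/ { inrec = 1; next }
    inrec && /^==[0-9]+== +(at|by) 0x/ {
      if ($4 != "???") { print $4; exit }
      next
    }
    inrec { inrec = 0 }   # the "Address ..." line ends the access stack
  '
}

# Re-run the report's input under valgrind, writing the log to $1.
# Returns 0 if memcheck found nothing, 1 if it reported errors, 99 if valgrind
# is not installed. Assumption: stdin input to "bash -i" reproduces the
# interactive session in the report.
run_under_valgrind() {
  command -v valgrind >/dev/null 2>&1 || {
    echo "valgrind not installed; skipping live run" >&2
    return 99
  }
  printf '%s\n' "$REPRO_INPUT" "$REPRO_INPUT" |
    valgrind --error-exitcode=42 --log-file="$1" "$(command -v bash)" -i
  if [ $? -eq 42 ]; then
    printf '%s memcheck error(s) (%s); first named frame: %s\n' \
      "$(count_memcheck_errors < "$1")" "$(error_kinds < "$1")" \
      "$(top_named_frame < "$1")"
    return 1
  fi
  return 0
}

if [ "${1:-}" = "--live" ]; then
  run_under_valgrind "${2:-/tmp/bash-memcheck.log}"
else
  printf 'sample log: %s error(s) (%s), first named frame: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_memcheck_errors)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | error_kinds)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | top_named_frame)"
fi
```

Without arguments the script only summarises the embedded sample (three records, read/read/write, first named frame yyparse); `sh triage.sh --live /tmp/bash-memcheck.log` performs the valgrind run and summarises the resulting log the same way. Comparing the named frame rather than the raw addresses matters because the `0x13DDFA`-style addresses change with every build of the binary, while the call chain through yyparse, parse_command and read_command is what tells you it is the same parser path.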
