SEGV make_variable_value() bash/variables.c:2968:16

[anushakov--- via Bug reports for the GNU Bourne Again SHell]

   Dear Bash Maintainers,



   I encountered an issue in Bash and would like to report it.



   Steps to reproduce



   $ CC=clang-19 CFLAGS=" -g -fsanitize=address " ./configure
   --enable-largefile --without-bash-malloc

   $ make

   $ ./bash -c "declare -n r; declare -c r r"



   Expected Behaviour



   Any messages without asan ERROR.



   Actual Behaviour



   AddressSanitizer:DEADLYSIGNAL
   =================================================================
   ==3974241==ERROR: AddressSanitizer: SEGV on unknown address
   0x000000000000 (pc 0x5947f25fdf50 bp 0x7ffff2879cd0 sp 0x7ffff2879a20
   T0)
   ==3974241==The signal is caused by a READ memory access.
   ==3974241==Hint: address points to the zero page.
       #0 0x5947f25fdf50 in make_variable_value
   /upstream/bash/variables.c:2968:16
       #1 0x5947f25fb5e6 in bind_variable_internal
   /upstream/bash/variables.c:3183:16
       #2 0x5947f25f3e63 in bind_variable
   /upstream/bash/variables.c:3293:11
       #3 0x5947f270ef34 in declare_internal
   /upstream/bash/builtins/./declare.def:826:78
       #4 0x5947f270bfa6 in declare_builtin
   /upstream/bash/builtins/./declare.def:104:11
       #5 0x5947f25f1e3f in execute_builtin
   /upstream/bash/execute_cmd.c:5097:13
       #6 0x5947f25f0e45 in execute_builtin_or_function
   /upstream/bash/execute_cmd.c:5643:14
       #7 0x5947f25dc6e9 in execute_simple_command
   /upstream/bash/execute_cmd.c:4856:13
       #8 0x5947f25d5ce3 in execute_command_internal
   /upstream/bash/execute_cmd.c:938:4
       #9 0x5947f25e1e35 in execute_connection
   /upstream/bash/execute_cmd.c:2887:21
       #10 0x5947f25d6b29 in execute_command_internal
   /upstream/bash/execute_cmd.c:1117:21
       #11 0x5947f2718dd3 in parse_and_execute
   /upstream/bash/builtins/evalstring.c:567:17
       #12 0x5947f2596c23 in run_one_command
   /upstream/bash/shell.c:1483:12
       #13 0x5947f25931f5 in main /upstream/bash/shell.c:768:7
       #14 0x741829545249 in __libc_start_call_main
   csu/../sysdeps/nptl/libc_start_call_main.h:58:16
       #15 0x741829545304 in __libc_start_main
   csu/../csu/libc-start.c:360:3
       #16 0x5947f24b2a70 in _start (/upstream/bash/bash+0xaca70)
   (BuildId: b9fd292ae42f98e3b23d0ac1da70f48e9a32f04d)

   ==3974241==Register values:
   rax = 0x0000000000000000  rbx = 0x00007ffff2879a20  rcx =
   0xf3f3f3f8f1f1f1f1  rdx = 0x000000008fff6fff
   rdi = 0xffffffffffffffff  rsi = 0x0000000000000000  rbp =
   0x00007ffff2879cd0  rsp = 0x00007ffff2879a20
    r8 = 0x0000000000000000   r9 = 0x00007fffffffff01  r10 =
   0x00000a047fff8401  r11 = 0x00000a047fff8488
   r12 = 0x0000000000000000  r13 = 0x00007ffff287c5a8  r14 =
   0x00005947f28bf3d0  r15 = 0x000074182987e020
   AddressSanitizer can not provide additional info.
   SUMMARY: AddressSanitizer: SEGV /upstream/bash/variables.c:2968:16 in
   make_variable_value
   ==3974241==ABORTING

   Additional Notes



   When I do

   $ ./bash -c "declare -n r; declare -i r r"

   or

   $ ./bash -c "declare -n r; declare -a r r"
   or
   $ ./bash -c "declare -n r; declare -c r"

   I don't see any asan errors. I thought case-sensivity type of r-object
   is bug, because I can't reproduce the behavior with other types and



   Bash Version

   commit

   a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b

   root@fb1d7dcac77a:/upstream/bash# ./bash --version

   GNU bash, version 5.3.3(1)-release (x86_64-pc-linux-gnu)

   Copyright (C) 2025 Free Software Foundation, Inc.

   License GPLv3+: GNU GPL version 3 or later
   <http://gnu.org/licenses/gpl.html>



   Also, the behaviour is repeating on release bash 5.2 version.



   System Info

   Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul
   23 09:49:19 MSK 2024 x86_64 GNU/Linux

   Debian clang version 19.1.4 (1~deb12u1)

   Target: x86_64-pc-linux-gnu

   Thread model: posix

   InstalledDir: /usr/lib/llvm-19/bin