On Fri, Oct 17, 2025 at 4:16 PM Chet Ramey <[email protected]> wrote:
>
> On 10/17/25 2:01 AM, Casey Connor wrote:
>
> > Bash Version: 5.2
> > Patch Level: 15
> > Release Status: release
> >
> > Description:
> >
> > If I open a new terminal and enter the (obviously malformed) command
> > "$(;" (without quotes) I get a bash crash about 90% of the time.
>
> Thanks for the report. I can't reproduce this using bash-5.3 on RHEL. I
> don't have a Debian system handy to test on.
>
I can reproduce this on Debian 12 but only if bash is started exactly as
OP describes, with the specified contents in ~/.bashrc, not e.g. using
--rcfile /tmp/op.bashrc.

This is the gdb backtrace with symbols from debuginfod:

#0 __pthread_kill_implementation (threadid=281473379614752,
signo=signo@entry=6, no_tid=no_tid@entry=0)
at ./nptl/pthread_kill.c:44
#1 0x0000ffffa0b23c64 in __pthread_kill_internal (signo=6,
threadid=<optimized out>)
at ./nptl/pthread_kill.c:78
#2 0x0000ffffa0ada8ac in __GI_raise (sig=sig@entry=6) at
../sysdeps/posix/raise.c:26
#3 0x0000ffffa0ac7480 in __GI_abort () at ./stdlib/abort.c:79
#4 0x0000ffffa0b17b4c in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0xffffa0bfb040 "%s\n")
at ../sysdeps/posix/libc_fatal.c:156
#5 0x0000ffffa0b2e1bc in malloc_printerr (str=str@entry=0xffffa0bf62e8
"free(): invalid next size (fast)")
at ./malloc/malloc.c:5660
#6 0x0000ffffa0b2ffc0 in _int_free (av=0xffffa0c40af0 <main_arena>,
p=p@entry=0xaaaae3b1c990,
have_lock=have_lock@entry=0) at ./malloc/malloc.c:4518
#7 0x0000ffffa0b32a9c in __GI___libc_free (mem=<optimized out>) at
./malloc/malloc.c:3385
#8 0x0000aaaab88e843c in dispose_word (w=0xaaaae3b1fce0) at
.././dispose_cmd.c:249
#9 0x0000aaaab88e8550 in dispose_words (list=0x0) at .././dispose_cmd.c:273
#10 0x0000aaaab88e8778 in dispose_command (command=0xaaaae3b232a0) at
.././dispose_cmd.c:152
#11 0x0000aaaab88e86b8 in dispose_command (command=0xaaaae3b1cc80) at
.././dispose_cmd.c:163
#12 0x0000aaaab8947354 in parse_and_execute (string=<optimized out>,
from_file=from_file@entry=0xaaaab89956f0 "PROMPT_COMMAND",
flags=flags@entry=1029)
at ../.././builtins/evalstring.c:541
#13 0x0000aaaab88d94d4 in execute_variable_command (
command=0xaaaae3b1c9e0 "echo \\[$(date +%H:%M:%S)\\];history
-a;\nhistory -c; history -r",
vname=vname@entry=0xaaaab89956f0 "PROMPT_COMMAND") at
/usr/local/src/chet/src/bash/src/parse.y:2830
#14 0x0000aaaab88d5560 in execute_prompt_command () at .././eval.c:315
#15 parse_command () at .././eval.c:341
#16 0x0000aaaab88d5610 in read_command () at .././eval.c:392
#17 0x0000aaaab88d57ec in reader_loop () at .././eval.c:139
#18 0x0000aaaab88d3ff4 in main (argc=1, argv=0xffffd4e21ba8, env=<optimized
out>) at .././shell.c:833

And a somewhat different one from lldb:

* thread #1, name = 'bash', stop reason = signal SIGABRT
* frame #0: 0x0000ffffb3953c18
libc.so.6`__pthread_kill_implementation(threadid=281473696526368, signo=6,
no_tid=<unavailable>) at pthread_kill.c:44:76
frame #1: 0x0000ffffb390a8ac libc.so.6`__GI_raise(sig=6) at
raise.c:26:13
frame #2: 0x0000ffffb38f7480 libc.so.6`__GI_abort at abort.c:79:7
frame #3: 0x0000ffffb3947b4c libc.so.6`__libc_message(action=do_abort,
fmt="%s\n") at libc_fatal.c:156:5
frame #4: 0x0000ffffb395e1bc
libc.so.6`malloc_printerr(str=<unavailable>) at malloc.c:5660:3
frame #5: 0x0000ffffb395ffc0 libc.so.6`_int_free(av=0x0000ffffb3a70af0,
p=0x0000aaaaf83ff990, have_lock=<unavailable>) at malloc.c:4518:4
frame #6: 0x0000ffffb3962a9c
libc.so.6`__GI___libc_free(mem=<unavailable>) at malloc.c:3385:7
frame #7: 0x0000aaaae3b9ebcc bash`clear_history + 92
frame #8: 0x0000aaaae3b3f88c bash`bash_clear_history + 12
frame #9: 0x0000aaaae3b5a6a8 bash`history_builtin + 632
frame #10: 0x0000aaaae3af9090 bash`___lldb_unnamed_symbol2868 + 720
frame #11: 0x0000aaaae3aff3a8 bash`execute_command_internal + 14216
frame #12: 0x0000aaaae3aff7e0 bash`execute_command + 128
frame #13: 0x0000aaaae3b0168c bash`___lldb_unnamed_symbol2888 + 636
frame #14: 0x0000aaaae3afc610 bash`execute_command_internal + 2544
frame #15: 0x0000aaaae3b57348 bash`parse_and_execute + 1528
frame #16: 0x0000aaaae3ae94d4 bash`execute_variable_command + 148
frame #17: 0x0000aaaae3ae5560 bash`parse_command + 320
frame #18: 0x0000aaaae3ae5610 bash`read_command + 112
frame #19: 0x0000aaaae3ae57ec bash`reader_loop + 252
frame #20: 0x0000aaaae3ae3ff4 bash`main + 5236
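
A triage sketch for the two traces above, added here and not part of the original message: it parses abridged copies of both backtraces and shows that glibc's abort is reached from two different `free()` callers under the same `PROMPT_COMMAND` call chain. The check behind "invalid next size" fires when a damaged chunk is freed, so the corrupting write happened before either `free()` and need not be in either caller. The names `frames`, `freeing_caller` and `shared_callers` belong to this example only.

```python
import re

# Abridged from the two traces in the message above (arguments trimmed, mail wrapping kept).
GDB_TRACE = """\
#5 0x0000ffffa0b2e1bc in malloc_printerr (str=...)
at ./malloc/malloc.c:5660
#6 0x0000ffffa0b2ffc0 in _int_free (av=..., p=..., have_lock=0) at ./malloc/malloc.c:4518
#7 0x0000ffffa0b32a9c in __GI___libc_free (mem=<optimized out>) at
./malloc/malloc.c:3385
#8 0x0000aaaab88e843c in dispose_word (w=0xaaaae3b1fce0) at
.././dispose_cmd.c:249
#12 0x0000aaaab8947354 in parse_and_execute (string=<optimized out>)
#13 0x0000aaaab88d94d4 in execute_variable_command (command=...)
#15 parse_command () at .././eval.c:341
"""
LLDB_TRACE = """\
frame #4: 0x0000ffffb395e1bc
libc.so.6`malloc_printerr(str=<unavailable>) at malloc.c:5660:3
frame #5: 0x0000ffffb395ffc0 libc.so.6`_int_free(av=..., p=...) at malloc.c:4518:4
frame #6: 0x0000ffffb3962a9c
libc.so.6`__GI___libc_free(mem=<unavailable>) at malloc.c:3385:7
frame #7: 0x0000aaaae3b9ebcc bash`clear_history + 92
frame #15: 0x0000aaaae3b57348 bash`parse_and_execute + 1528
frame #16: 0x0000aaaae3ae94d4 bash`execute_variable_command + 148
frame #17: 0x0000aaaae3ae5560 bash`parse_command + 320
"""
GDB = re.compile(r"#(\d+) (?:0x[0-9a-f]+ in )?(\w+) \(")
LLDB = re.compile(r"frame #(\d+): 0x[0-9a-f]+ \S+`(\w+)")
# glibc frames on the free/abort path: they report the damage, they did not cause it.
RUNTIME = re.compile(r"__pthread_kill|__GI_|__libc_|malloc_printerr|_int_free")

def frames(trace):
    """Return function names, innermost first, from a gdb or lldb backtrace."""
    flat = " ".join(trace.split())  # undo the mail client's line wrapping
    pat = LLDB if "frame #" in flat else GDB
    return [m.group(2) for m in pat.finditer(flat)]

def freeing_caller(trace):
    """First frame outside glibc: the code whose free() tripped the check."""
    return next(f for f in frames(trace) if not RUNTIME.match(f))

def shared_callers(a, b):
    """Program frames present in both traces, in the order they appear in a."""
    in_b = set(frames(b))
    return [f for f in frames(a) if f in in_b and not RUNTIME.match(f)]

if __name__ == "__main__":
    print(freeing_caller(GDB_TRACE), freeing_caller(LLDB_TRACE),
          shared_callers(GDB_TRACE, LLDB_TRACE))
```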