memory hog script crashes bash with segfault

2015-09-11 Thread Konstantin Khlebnikov
$ ./bash -c ":(){ : $@$@;};: :"
Segmentation fault

$ ./bash --version
GNU bash, version 4.3.42(1)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.



Re: `foo=1 declare -r foo' prints an error message but its exit status is zero

2015-09-11 Thread Dan Douglas
On Wednesday, September 9, 2015 2:17:30 PM CDT ziyunfei wrote:
> $ foo=1 declare -r foo
> bash: foo: readonly variable
> $ echo $?
> 0
> $ echo $foo
> 1
> 
> Is this a bug? 
> 
> $ bar=1 readonly bar; # throw an error in Bash 4.2, fixed in Bash 4.3

It's a bit more illustrative when you use `readonly' instead of `declare'. In
the former case bash only prints the error in non-POSIX mode because it
modifies the special builtin to unset its value when the command finishes.
`declare' will print an error in either mode. If there's any bug here it's that
bash fails to bail out and executes the echo command anyway.

 $ ( for sh in bash sh ksh mksh zsh dash bb posh; do printf '%-5s x=%5s 
status=%s\n' "${sh}:" "$("$sh" -c "\${ZSH_VERSION+false}||emulate sh; trap 
'echo \${x+unset}' EXIT; $(



Re: memory hog script crashes bash with segfault

2015-09-11 Thread Konstantin Khlebnikov
On Fri, Sep 11, 2015 at 3:52 PM, Chet Ramey  wrote:
> On 9/11/15 2:19 AM, Konstantin Khlebnikov wrote:
>> $ ./bash -c ":(){ : $@$@;};: :"
>> Segmentation fault
>
> This is not a memory allocation problem.  You have defined an infinitely
> recursive function that, when executed, eventually exceeds your stack size
> resource limit.  When that happens, the kernel sends a SIGSEGV.

Yep. But this does not happen if the command runs in interactive mode.
Bash uses default stack (with MAP_GROWSDOWN) in interactive mode
and fixed size stack for "-c" ?

>
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
>  ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/



Re: memory hog script crashes bash with segfault

2015-09-11 Thread Chet Ramey
On 9/11/15 2:19 AM, Konstantin Khlebnikov wrote:
> $ ./bash -c ":(){ : $@$@;};: :"
> Segmentation fault

This is not a memory allocation problem.  You have defined an infinitely
recursive function that, when executed, eventually exceeds your stack size
resource limit.  When that happens, the kernel sends a SIGSEGV.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/



Re: memory hog script crashes bash with segfault

2015-09-11 Thread Chet Ramey
On 9/11/15 10:10 AM, Konstantin Khlebnikov wrote:
> On Fri, Sep 11, 2015 at 3:52 PM, Chet Ramey  wrote:
>> On 9/11/15 2:19 AM, Konstantin Khlebnikov wrote:
>>> $ ./bash -c ":(){ : $@$@;};: :"
>>> Segmentation fault
>>
>> This is not a memory allocation problem.  You have defined an infinitely
>> recursive function that, when executed, eventually exceeds your stack size
>> resource limit.  When that happens, the kernel sends a SIGSEGV.
> 
> Yep. But this does not happen if the command runs in interactive mode.
> Bash uses default stack (with MAP_GROWSDOWN) in interactive mode
> and fixed size stack for "-c" ?

Bash doesn't do anything different.  It may be that your system sets
different resource limits for interactive shells and non-interactive ones.
Either way, it will eventually fail.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
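
Added example, not part of the original thread and not code from the bash project: it reports the stack limit a non-interactive "bash -c" child inherits and uses bash's FUNCNEST variable (bash 4.2 and later) to make runaway recursion fail with an ordinary error instead of a SIGSEGV. The function names are illustrative, and the recursive body is a plain f() { f; } rather than the command from the report.

```shell
#!/bin/sh
# Added example; the function names below are illustrative, not from the thread.

# Soft stack limit (KiB or "unlimited") that a non-interactive "bash -c" inherits.
noninteractive_stack_limit() {
    bash -c 'ulimit -S -s'
}

# Recurse without end in a child bash, with nesting capped by FUNCNEST so that
# bash aborts the command itself. The body is a harmless f() { f; }.
# Prints the child's exit status.
bounded_recursion_status() {
    status=0
    LC_ALL=C bash -c 'FUNCNEST=$1; f() { f; }; f' _ "$1" 2>/dev/null || status=$?
    echo "$status"
}

# Same run, but print bash's diagnostic instead of the status.
bounded_recursion_message() {
    LC_ALL=C bash -c 'FUNCNEST=$1; f() { f; }; f' _ "$1" 2>&1 || :
}

# Statuses above 128 mean the child died from signal (status - 128);
# 139 is 128 + 11, i.e. SIGSEGV, which the shell reports as "Segmentation fault".
classify_status() {
    if [ "$1" -gt 128 ]; then
        echo "killed by SIG$(kill -l "$(( $1 - 128 ))")"
    elif [ "$1" -eq 0 ]; then
        echo "ok"
    else
        echo "failed cleanly"
    fi
}

echo "stack soft limit seen by bash -c: $(noninteractive_stack_limit)"
s=$(bounded_recursion_status 200)
echo "recursion capped at 200 levels: exit $s ($(classify_status "$s"))"
bounded_recursion_message 200
```

Running the same ulimit query from an interactive prompt and comparing it with the first line of output shows whether the system applies different limits to the two kinds of shell.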



Bash crashes on autocompletion of directories with broken nfs mountpoints.

2015-09-11 Thread Bart Polot
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-unknown-linux-gnu'
-DCONF_VENDOR='unknown' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash'
-DSHELL -DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib
-D_FORTIFY_SOURCE=2 -march=x86-64 -mtune=generic -O2 -pipe
-fstack-protector-strong --param=ssp-buffer-size=4
-DDEFAULT_PATH_VALUE='/usr/local/sbin:/usr/local/bin:/usr/bin'
-DSTANDARD_UTILS_PATH='/usr/bin' -DSYS_BASHRC='/etc/bash.bashrc'
-DSYS_BASH_LOGOUT='/etc/bash.bash_logout'
uname output: Linux ranger 3.14.51-1-lts #1 SMP Mon Aug 17 19:21:08 CEST
2015 x86_64 GNU/Linux
Machine Type: x86_64-unknown-linux-gnu

Bash Version: 4.3
Patch Level: 39
Release Status: release

Description:

First bash crashed while trying to cancel the autocomplete of
the contents of a directory which included an unavailable nfs
mountpoint (/mnt/nfs):

1. Mount NFS volume on /mnt/nfs while on wifi
2. Plugged ethernet cable
3. NFS volume is not available, must [force] unmount
4. Type "umount /mnt/" to autocomplete
5. System tries to read directories again, takes a lot of time
6. Press  repeatedly to cancel autocompletion.
7. Bash succeeds in showing the subdirectories of /mnt, but then
   crashes


# umount -f /mnt/
iso/ nfs  usb/
# umount -f /mnt/^C*** Error in `-bash': double free or
corruption (fasttop): 0x00e6a160 ***
[ see attached trace1 for details ]


Repeat-By:

Does not always happen exactly like this, but this situation
(broken nfs mount) makes it possible to trigger a bash crash:

# umount /mnt/
iso/ nfs  usb/
# umount /mnt/^C^C [no crash]
# ls /mn*** Error in `-bash': corrupted double-linked list:
0x0241c440 ***
[ see attached trace2 for details ]

-- 
Bart Polot
# umount -f /mnt/
iso/ nfs  usb/ 
# umount -f /mnt/^C*** Error in `-bash': double free or corruption 
(fasttop): 0x00e6a160 ***
=== Backtrace: =
/usr/lib/libc.so.6(+0x72055)[0x7f4f0f756055]
/usr/lib/libc.so.6(+0x779a6)[0x7f4f0f75b9a6]
/usr/lib/libc.so.6(+0x7818e)[0x7f4f0f75c18e]
/usr/lib/libreadline.so.6(rl_complete_internal+0x204)[0x7f4f0ff10e94]
/usr/lib/libreadline.so.6(_rl_dispatch_subseq+0x248)[0x7f4f0ff07fa8]
/usr/lib/libreadline.so.6(readline_internal_char+0x9e)[0x7f4f0ff0844e]
/usr/lib/libreadline.so.6(readline+0x55)[0x7f4f0ff08b85]
-bash[0x41ad54]
-bash[0x41ce69]
-bash[0x41fa7a]
-bash(yyparse+0x379)[0x422fd9]
-bash(parse_command+0x5b)[0x41a69b]
-bash(read_command+0x58)[0x41a768]
-bash(reader_loop+0x119)[0x41a949]
-bash(main+0xe66)[0x419446]
/usr/lib/libc.so.6(__libc_start_main+0xf0)[0x7f4f0f704610]
-bash(_start+0x29)[0x419ba9]