From: bugzilla-noreply@freebsd.org
To: standards@FreeBSD.org
Subject: [Bug 276934] tcsh crash in rehist()
Date: Fri, 09 Feb 2024 23:15:12 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276934

            Bug ID: 276934
           Summary: tcsh crash in rehist()
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: standards
          Assignee: standards@FreeBSD.org
          Reporter: joyul@juniper.net

Hi teams,

I encountered a crash in rehist() and below is its backtrace.
In frame 3, cleanup_sp is 0, which means it's already at the bottom of the cleanup_stack, but last_var cannot be found.

It seems like in rehist(), it invokes setexit() without updating cleanup_mark.
If the program goes to error handling to reset the clean_stack[], it will clean more than required, which should be handled by cleanup_until() when the program jumps back to rehist().

I'm providing a patch below that might fix it.
Feel free to apply it to the tcsh git, FreeBSD baseline, or fix it using other solutions.
We can downstream it to our local and try it.
Thank you.

diff --git a/contrib/tcsh/sh.hist.c b/contrib/tcsh/sh.hist.c index 14d862a3e7b..09f4814dbe3 100644 --- a/contrib/tcsh/sh.hist.c +++ b/contrib/tcsh/sh.hist.c @@ -1235,6 +1235,7 @@ rechist(Char *xfname, int ref) struct stat st; static Char *fname; static Char *dumphist[] =3D {STRhistory, STRmhT, 0, 0}; + size_t omark; if (fname =3D=3D NULL && !ref) return;
@@ -1308,8 +1309,10 @@ rechist(Char *xfname, int ref) #endif } getexit(osetexit); + omark =3D cleanup_push_mark(); if (setexit() =3D=3D 0) loadhist(fname, 1); + cleanup_pop_mark(omark); resexit(osetexit); } }

(gdb) bt
#0  thr_kill () at thr_kill.S:4
#1  0x0000000001b7ee61 in __raise (s=s@entry=6) at /.amd/svl-engdata5vs2/occamdev/build/freebsd/main/sandbox-main-202401181141/freebsd/main/20240118.171413__ci_fbsd_builder_main.c38f35a/src/lib/libc/gen/raise.c:50
#2  0x0000000001c1cca9 in abort () at /.amd/svl-engdata5vs2/occamdev/build/freebsd/main/sandbox-main-202401181141/freebsd/main/20240118.171413__ci_fbsd_builder_main.c38f35a/src/lib/libc/stdlib/abort.c:64
#3  0x000000000022148c in cleanup_until (last_var=0x1cc33c26ee80) at /src/contrib/tcsh/sh.err.c:470
#4  0x000000000022e68f in rechist (xfname=xfname@entry=0x0, ref=) at /src/contrib/tcsh/sh.hist.c:1327
#5  0x000000000021b2d0 in record () at /src/contrib/tcsh/sh.c:2539
#6  0x000000000021b3e1 in phup () at /src/contrib/tcsh/sh.c:1856
#7  0x0000000000261440 in handle_pending_signals () at /src/contrib/tcsh/tc.sig.c:67
#8  0x0000000000233c55 in xwrite (fildes=18, buf=0x28d170 , nbyte=11) at /src/contrib/tcsh/sh.misc.c:719
#9  0x00000000002352ff in flush () at /src/contrib/tcsh/sh.print.c:256
#10 0x00000000002351d3 in xputchar (c=, c@entry=10) at /src/contrib/tcsh/sh.print.c:183
#11 0x0000000000235dcf in pprint (pp=0x1cc33c210a00, flag=160) at /src/contrib/tcsh/sh.proc.c:1178
#12 0x0000000000236385 in pjwait (pp=0x1cc33c210a00) at /src/contrib/tcsh/sh.proc.c:543
#13 0x00000000002361ab in pwait () at /src/contrib/tcsh/sh.proc.c:473
#14 0x0000000000238c9d in execute (t=0x1cc33c25e090, wanttty=28987, pipein=, pipeout=0x0, do_glob=do_glob@entry=1) at /src/contrib/tcsh/sh.sem.c:623
#15 0x0000000000238983 in execute (t=t@entry=0x1cc33c25e060, wanttty=28987, pipein=, pipein@entry=0x0, pipeout=pipeout@entry=0x0, do_glob=do_glob@entry=1) at /src/contrib/tcsh/sh.sem.c:724
#16 0x000000000021af01 in process (catch=) at /src/contrib/tcsh/sh.c:2166
#17 0x0000000000219d1e in main (argc=, argv=0x820710290) at /src/contrib/tcsh/sh.c:1431
(gdb) f 4
#4  0x000000000022e68f in rechist (xfname=xfname@entry=0x0, ref=) at /src/contrib/tcsh/sh.hist.c:1327
(gdb) f 3
#3  0x000000000022148c in cleanup_until (last_var=0x1cc33c26ee80) at /src/contrib/tcsh/sh.err.c:470
470         abort();
(gdb) list
456         while (cleanup_sp != 0) {
457             struct cleanup_entry ce;
458
459             cleanup_sp--;
460
461             ce = cleanup_stack[cleanup_sp];
462             ce.fn(ce.var);
463     #ifdef CLEANUP_DEBUG
464             syslog(LOG_INFO,"[tcsh][cleanup_until] cleanup_sp %zu, file %s, line %zu, var %p\n", cleanup_sp, ce.file, ce.line, ce.var);
465     #endif
466             if (ce.var == last_var)
467                 return;
468         }
469         syslog(LOG_INFO, "abort in cleanup_until\n");
470         abort();
471     }
472
(gdb) p cleanup_sp
$3 = 0
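
Review bot: In the first hunk (@@ -1235), `size_t omark;` is a plain automatic variable that is still read after setexit() can return a second time, since the report describes error handling jumping back into this function. It is assigned only before setexit() in the second hunk, so its value stays defined, but a one-line comment at the declaration saying it must not be written after setexit() (or declaring it volatile) would keep a later edit from breaking that.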
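
Review bot: In the second hunk (@@ -1308), the new `omark = cleanup_push_mark();` and `cleanup_pop_mark(omark);` pair carries no comment, and nothing in the visible lines says why this setexit() needs a mark. Suggest a short comment above the push stating that the mark keeps an error inside loadhist() from unwinding rechist()'s own cleanup entries, which the later cleanup_until() at sh.hist.c:1327 in the backtrace expects to find. The commit message should also confirm that cleanup_pop_mark(omark) is meant to run on both the normal and the error return from setexit(), as it does here.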
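
The failure the report describes, as a simplified model added here for illustration; it is not tcsh code and not part of the original message. The names push, until, fail, load and run, and the error path that unwinds down to the mark, are assumptions based on the report's description.

```c
/* Simplified model of the cleanup stack in the report; not tcsh source. */
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>

static void *stack[16];          /* cleanup entries, identified by address */
static size_t sp, mark;          /* stack top and current unwind limit */
static jmp_buf exit_buf;         /* stands in for the setexit() target */

static void push(void *var) { stack[sp++] = var; }

/* Pop until var is found. Returns -1 where the listing above calls abort(). */
static int until(void *var)
{
    while (sp != 0)
        if (stack[--sp] == var)
            return 0;
    return -1;
}

/* Assumed error path: drop every entry above the mark, then jump back. */
static void fail(void)
{
    while (sp > mark)
        sp--;
    longjmp(exit_buf, 1);
}

/* Callee that registers one cleanup entry and then hits an error. */
static void load(void) { static int tmp; push(&tmp); fail(); }

/* Caller with its own entry on the stack; use_mark toggles the patched flow. */
int run(int use_mark)
{
    static int own;
    size_t omark = 0;
    sp = mark = 0;
    push(&own);
    if (use_mark) { omark = mark; mark = sp; }   /* push mark */
    if (setjmp(exit_buf) == 0)
        load();
    if (use_mark) mark = omark;                  /* pop mark */
    return until(&own);                          /* caller's later cleanup */
}

int main(void)
{
    printf("no mark: %d, with mark: %d\n", run(0), run(1));
    return 0;
}
```

Without the mark the error path also pops the caller's entry, so the caller's later lookup reaches an empty stack; with the mark only the callee's entry is dropped.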