From: bugzilla-noreply@freebsd.org
To: standards@FreeBSD.org
Subject: [Bug 276935] tcsh crash in rehist()
Date: Fri, 09 Feb 2024 23:15:44 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276935

            Bug ID: 276935
           Summary: tcsh crash in rehist()
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: standards
          Assignee: standards@FreeBSD.org
          Reporter: joyul@juniper.net

Hi teams,

I encountered a crash in rehist() and below is its backtrace.
In frame 3, cleanup_sp is 0, which means it's already at the bottom of the cleanup_stack, but last_var cannot be found.

It seems like in rehist(), it invokes setexit() without updating cleanup_mark. If the program goes to error handling to reset the clean_stack[], it will clean more than required, which should be handled by cleanup_until() when the program jumps back to rehist().

I'm providing a patch below that might fix it.
Feel free to apply it to the tcsh git, FreeBSD baseline, or fix it using other solutions.
We can downstream it to our local and try it.

Thank you.

diff --git a/contrib/tcsh/sh.hist.c b/contrib/tcsh/sh.hist.c index 14d862a3e7b..09f4814dbe3 100644 --- a/contrib/tcsh/sh.hist.c +++ b/contrib/tcsh/sh.hist.c @@ -1235,6 +1235,7 @@ rechist(Char *xfname, int ref) struct stat st; static Char *fname; static Char *dumphist[] =3D {STRhistory, STRmhT, 0, 0}; + size_t omark; if (fname =3D=3D NULL && !ref) return;
@@ -1308,8 +1309,10 @@ rechist(Char *xfname, int ref) #endif } getexit(osetexit); + omark =3D cleanup_push_mark(); if (setexit() =3D=3D 0) loadhist(fname, 1); + cleanup_pop_mark(omark); resexit(osetexit); } }

(gdb) bt
#0  thr_kill () at thr_kill.S:4
#1  0x0000000001b7ee61 in __raise (s=s@entry=6) at /.amd/svl-engdata5vs2/occamdev/build/freebsd/main/sandbox-main-202401181141/freebsd/main/20240118.171413__ci_fbsd_builder_main.c38f35a/src/lib/libc/gen/raise.c:50
#2  0x0000000001c1cca9 in abort () at /.amd/svl-engdata5vs2/occamdev/build/freebsd/main/sandbox-main-202401181141/freebsd/main/20240118.171413__ci_fbsd_builder_main.c38f35a/src/lib/libc/stdlib/abort.c:64
#3  0x000000000022148c in cleanup_until (last_var=0x1cc33c26ee80) at /src/contrib/tcsh/sh.err.c:470
#4  0x000000000022e68f in rechist (xfname=xfname@entry=0x0, ref=) at /src/contrib/tcsh/sh.hist.c:1327
#5  0x000000000021b2d0 in record () at /src/contrib/tcsh/sh.c:2539
#6  0x000000000021b3e1 in phup () at /src/contrib/tcsh/sh.c:1856
#7  0x0000000000261440 in handle_pending_signals () at /src/contrib/tcsh/tc.sig.c:67
#8  0x0000000000233c55 in xwrite (fildes=18, buf=0x28d170 , nbyte=11) at /src/contrib/tcsh/sh.misc.c:719
#9  0x00000000002352ff in flush () at /src/contrib/tcsh/sh.print.c:256
#10 0x00000000002351d3 in xputchar (c=, c@entry=10) at /src/contrib/tcsh/sh.print.c:183
#11 0x0000000000235dcf in pprint (pp=0x1cc33c210a00, flag=160) at /src/contrib/tcsh/sh.proc.c:1178
#12 0x0000000000236385 in pjwait (pp=0x1cc33c210a00) at /src/contrib/tcsh/sh.proc.c:543
#13 0x00000000002361ab in pwait () at /src/contrib/tcsh/sh.proc.c:473
#14 0x0000000000238c9d in execute (t=0x1cc33c25e090, wanttty=28987, pipein=, pipeout=0x0, do_glob=do_glob@entry=1) at /src/contrib/tcsh/sh.sem.c:623
#15 0x0000000000238983 in execute (t=t@entry=0x1cc33c25e060, wanttty=28987, pipein=, pipein@entry=0x0, pipeout=pipeout@entry=0x0, do_glob=do_glob@entry=1) at /src/contrib/tcsh/sh.sem.c:724
#16 0x000000000021af01 in process (catch=) at /src/contrib/tcsh/sh.c:2166
#17 0x0000000000219d1e in main (argc=, argv=0x820710290) at /src/contrib/tcsh/sh.c:1431

(gdb) f 4
#4  0x000000000022e68f in rechist (xfname=xfname@entry=0x0, ref=) at /src/contrib/tcsh/sh.hist.c:1327

(gdb) f 3
#3  0x000000000022148c in cleanup_until (last_var=0x1cc33c26ee80) at /src/contrib/tcsh/sh.err.c:470
470         abort();
(gdb) list
456         while (cleanup_sp != 0) {
457             struct cleanup_entry ce;
458
459             cleanup_sp--;
460
461             ce = cleanup_stack[cleanup_sp];
462             ce.fn(ce.var);
463     #ifdef CLEANUP_DEBUG
464             syslog(LOG_INFO,"[tcsh][cleanup_until] cleanup_sp %zu, file %s, line %zu, var %p\n", cleanup_sp, ce.file, ce.line, ce.var);
465     #endif
466             if (ce.var == last_var)
467                 return;
468         }
469         syslog(LOG_INFO, "abort in cleanup_until\n");
470         abort();
471     }
472
(gdb) p cleanup_sp
$3 = 0

-- 
You are receiving this mail because:
You are the assignee for the bug.
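
Review bot: In the second hunk (@@ -1308,8 +1309,10 @@), the new cleanup_push_mark() / cleanup_pop_mark(omark) pair around setexit() carries no comment explaining why the mark is needed, and cleanup_pop_mark(omark) runs both after a normal return from loadhist(fname, 1) and on the path where setexit() returns non-zero. Please add a short comment stating that the mark limits how far error unwinding out of loadhist() may pop, so that entries pushed earlier in rechist() are still present for the cleanup_until() call seen at sh.hist.c:1327 in frame 4, and confirm that popping the mark is correct on the error path as well. A regression test that makes loadhist() fail while history is being recorded from the hangup path (frames 5 and 6) would show that the abort at sh.err.c:470 no longer triggers.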
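
The failure mode the report describes, as a simplified C model added here (not tcsh code and not part of the original report): without a mark, error unwinding empties the cleanup stack and the later cleanup_until() cannot find its entry; with a mark, unwinding stops above it. The function names follow the report, but all bodies, load_and_fail() and model_rechist() are assumptions, with setjmp standing in for setexit().

```c
#include <setjmp.h>
#include <stddef.h>

/* Simplified model: names follow the report, bodies are assumptions. */
static void *cleanup_stack[16];
static size_t cleanup_sp, cleanup_mark;
static jmp_buf reslab;              /* stand-in for setexit()'s jump target */
static void cleanup_push(void *var) { cleanup_stack[cleanup_sp++] = var; }

/* Returns 0 if last_var was found, -1 where sh.err.c:470 calls abort(). */
static int cleanup_until(void *last_var)
{
    while (cleanup_sp != 0)
        if (cleanup_stack[--cleanup_sp] == last_var)
            return 0;
    return -1;
}

/* Raise the unwind floor to the current top; return the previous floor. */
static size_t cleanup_push_mark(void)
{
    size_t old = cleanup_mark;
    cleanup_mark = cleanup_sp;
    return old;
}

static void cleanup_pop_mark(size_t old) { cleanup_mark = old; }

/* Stand-in for loadhist() failing: push an entry, unwind to the mark, jump. */
static void load_and_fail(void)
{
    static int inner;
    cleanup_push(&inner);
    while (cleanup_sp > cleanup_mark)
        cleanup_sp--;
    longjmp(reslab, 1);
}

/* Stand-in for rechist(): returns what its final cleanup_until() reports. */
int model_rechist(int use_mark)
{
    static int outer;
    size_t omark;
    cleanup_sp = cleanup_mark = 0;
    cleanup_push(&outer);           /* entry the final cleanup_until() needs */
    omark = use_mark ? cleanup_push_mark() : 0;
    if (setjmp(reslab) == 0)
        load_and_fail();
    if (use_mark) cleanup_pop_mark(omark);
    return cleanup_until(&outer);
}
```

model_rechist(0) reproduces the state in frame 3 (cleanup_sp is 0 and last_var is not found); model_rechist(1) follows the shape of the proposed patch.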