bug-bash

memory corruption in bash subshell loop


From: Don Hatch
Subject: memory corruption in bash subshell loop
Date: Tue, 27 Aug 2002 04:53:38 -0400
User-agent: Mutt/1.2.5i

Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i686' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DSHELL -DHAVE_CONFIG_H  -D_GNU_SOURCE  -I.  -I. -I./include 
-I./lib -O2 -march=i386 -mcpu=i686
uname output: Linux ack 2.4.18-10 #1 Wed Aug 7 11:39:21 EDT 2002 i686 unknown
Machine Type: i686-pc-linux-gnu

Bash Version: 2.05a
Patch Level: 0
Release Status: release

Description:
    The following command in bash usually produces memory corruption
    (report of underflow corruption or a double free) after 12 minutes or so,
    though the timing is not consistent:
        $ (while true; do /bin/true; done)
    To trigger the bug, the parenthesized subshell seems to be necessary,
    as does at least one non-builtin command during the loop
    (thus the /bin/true instead of just true).
    Also, the shell must be interactive
    (e.g. sh -c "(while true; do /bin/true; done)" doesn't seem to do it).
    Here is a less boring way to trigger it:
        $ i=0; (while true; do /bin/echo -n "$((i++)) "; done)

Further analysis:
    The error occurs in a sub-process of the main bash process.
    I inserted a pause() in the error reporting code so I could attach to it
    with gdb, and here is the resulting stack trace.
    Note the reentrant call to free() from inside a SIGCHLD handler
    that got called inside a previous call to free()
    on the same memory address.

    #0  0x420b4c27 in pause () from /lib/i686/libc.so.6
    #1  0x080719f6 in programming_error (format=0x812b2b8 "ÏÏUUUUUU÷\001UU\002")
        at error.c:266
    #2  0x080c2707 in xbotch (mem=0x812b2b8, e=1, 
        s=0x80d9920 "free: called with already freed block argument", 
        file=0x80c8bb9 "array.c", line=78) at malloc.c:287
    #3  0x080c2e5c in internal_free (mem=0x812b2b8, file=0x80c8bb9 "array.c", 
        line=78, flags=1) at malloc.c:743
    #4  0x080c3522 in sh_free (mem=0x812b2b8, file=0x80c8bb9 "array.c", line=78)
        at malloc.c:1010
    #5  0x080969cb in sh_xfree (string=0x812b2b8, file=0x80c8bb9 "array.c", 
        line=78) at xmalloc.c:189
    #6  0x08089062 in destroy_array_element (ae=0x813f8e8) at array.c:78
    #7  0x08089129 in empty_array (a=0x813f1e8) at array.c:108
    #8  0x08070d05 in set_pipestatus_array (ps=0x813f428) at variables.c:3276
    #9  0x0807751a in setjstatus (j=847) at jobs.c:2618
    #10 0x08077183 in set_job_status_and_cleanup (job=847) at jobs.c:2496
    #11 0x08076e95 in waitchld (wpid=-1, block=0) at jobs.c:2394
    #12 0x08076d58 in sigchld_handler (sig=17) at jobs.c:2311
    #13 <signal handler called>
    #14 0x42051127 in vfprintf () from /lib/i686/libc.so.6
    #15 0x4205a287 in fprintf () from /lib/i686/libc.so.6
    #16 0x080c378b in mtrace_free (mem=0x812b2b8, size=2, 
        file=0x80c8bb9 "array.c", line=78) at trace.c:69
    #17 0x080c3046 in internal_free (mem=0x812b2b8, file=0x80c8bb9 "array.c", 
        line=78, flags=1) at malloc.c:794
    #18 0x080c3522 in sh_free (mem=0x812b2b8, file=0x80c8bb9 "array.c", line=78)
        at malloc.c:1010
    #19 0x080969cb in sh_xfree (string=0x812b2b8, file=0x80c8bb9 "array.c", 
        line=78) at xmalloc.c:189
    #20 0x08089062 in destroy_array_element (ae=0x813f8e8) at array.c:78
    #21 0x08089129 in empty_array (a=0x813f1e8) at array.c:108
    #22 0x08070d05 in set_pipestatus_array (ps=0x80da4a8) at variables.c:3276
    #23 0x08070d7f in set_pipestatus_from_exit (s=0) at variables.c:3293
    #24 0x0806af7a in execute_simple_command (simple_command=0x8134e68, 
        pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x813f248)
        at execute_cmd.c:2721
    #25 0x08067a6d in execute_command_internal (command=0x8134e48, asynchronous=0, 
        pipe_in=-1, pipe_out=-1, fds_to_close=0x813f248) at execute_cmd.c:623
    #26 0x08067385 in execute_command (command=0x8134e48) at execute_cmd.c:317
    #27 0x08069fda in execute_while_or_until (while_command=0x813f008, type=0)
        at execute_cmd.c:2139
    #28 0x08069f65 in execute_while_command (while_command=0x813f008)
        at execute_cmd.c:2107
    #29 0x08067c5d in execute_command_internal (command=0x813f028, asynchronous=0, 
        pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:725
    #30 0x080689be in execute_in_subshell (command=0x813f068, asynchronous=0, 
        pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:1257
    #31 0x080676e3 in execute_command_internal (command=0x813f068, asynchronous=0, 
        pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:502
    #32 0x08068efe in execute_connection (command=0x813f0a8, asynchronous=0, 
        pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:1482
    #33 0x08067d6e in execute_command_internal (command=0x813f0a8, asynchronous=0, 
        pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:785
    #34 0x08067385 in execute_command (command=0x813f0a8) at execute_cmd.c:317
    #35 0x0805bd15 in reader_loop () at eval.c:139
    #36 0x08059f53 in main (argc=1, argv=0xbffff874, env=0xbffff87c) at shell.c:668
    #37 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
-- 
Don Hatch
hatch@hadron.org
http://www.hadron.org/~hatch/
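The trace above is the classic shape of a signal-handler re-entrancy bug: free() is interrupted by SIGCHLD, and the handler's job cleanup calls free() again on the same block. The safe pattern is to keep the handler async-signal-safe (it only sets a flag), block SIGCHLD around every section that touches the heap or the job list, and do the actual waitpid() and free() in the main flow. The C program below is an added example written for this page; it is not bash's code and not part of Don Hatch's report. The names `run_and_reap`, `remove_job` and the `struct job` record are hypothetical stand-ins for bash's job and pipestatus structures.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The handler only records that a child changed state. It never touches
 * the heap: malloc() and free() are not async-signal-safe, and calling
 * them here is exactly the free()-inside-free() re-entrancy in the trace. */
static volatile sig_atomic_t sigchld_pending = 0;

static void sigchld_handler(int sig)
{
    (void)sig;
    sigchld_pending = 1;
}

/* Hypothetical job record, standing in for the heap-allocated job and
 * pipestatus structures that a shell frees when a child is reaped. */
struct job {
    pid_t pid;
    struct job *next;
};

/* Unlink and free the record for pid; returns 1 if found, 0 otherwise. */
static int remove_job(struct job **head, pid_t pid)
{
    for (struct job **pp = head; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->pid == pid) {
            struct job *dead = *pp;
            *pp = dead->next;
            free(dead);   /* safe: main flow, SIGCHLD blocked by the caller */
            return 1;
        }
    }
    return 0;
}

/* Fork nchildren short-lived children (each exits at once, like /bin/true)
 * and reap them all without ever calling free() from signal context.
 * Returns the number of our own children reaped, or -1 on setup failure. */
int run_and_reap(int nchildren)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigchld_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGCHLD, &sa, &old) != 0)
        return -1;

    /* Critical section: SIGCHLD stays blocked whenever the job list
     * (and therefore the heap) is being modified. */
    sigset_t block, orig, wait_mask;
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &orig);
    wait_mask = orig;
    sigdelset(&wait_mask, SIGCHLD);   /* mask used while sleeping: SIGCHLD open */

    struct job *jobs = NULL;
    for (int i = 0; i < nchildren; i++) {
        pid_t pid = fork();
        if (pid < 0)
            break;
        if (pid == 0)
            _exit(0);   /* child */
        struct job *j = malloc(sizeof *j);
        if (j == NULL)
            continue;   /* child is still reaped below, just not counted */
        j->pid = pid;
        j->next = jobs;
        jobs = j;
    }

    int reaped = 0;
    while (jobs != NULL) {
        /* sigsuspend atomically unblocks SIGCHLD and sleeps, so a signal
         * that arrived while blocked is delivered now and none is lost. */
        while (!sigchld_pending)
            sigsuspend(&wait_mask);
        sigchld_pending = 0;

        /* Back under the block: reap every child that has exited.
         * Several SIGCHLDs may have coalesced into one, hence the loop. */
        int status;
        pid_t pid;
        while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
            reaped += remove_job(&jobs, pid);
    }

    sigprocmask(SIG_SETMASK, &orig, NULL);
    sigaction(SIGCHLD, &old, NULL);
    return reaped;
}

int main(void)
{
    int n = run_and_reap(50);
    printf("reaped %d children\n", n);
    return n == 50 ? 0 : 1;
}
```

The key design points are the flag-only handler and the block/suspend/reap cycle: the main flow never sleeps with SIGCHLD unblocked except inside sigsuspend(), so the handler can never run while a free() is in progress, and the tight waitpid(WNOHANG) loop copes with several child exits collapsing into a single signal delivery.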
