reading a job name from deallocated storage

[G. Branden Robinson]

Hi folks,

Does any one remember if this an already-fixed bug in Bash?  I'm running
a pretty old version.

GNU bash, version 5.0.3(1)-release (x86_64-pc-linux-gnu)

Long story short, I have a regression test script that needs to enable
job control (because I need to read from an unseekable file descriptor
that _isn't_ the standard input, and I chose /dev/tty because it's
fairly widely implemented).  So I start a process that reads from
/dev/tty, but since I've done that I need to background that process so
I can kill it.

I observe three things:

1. The name of the backgrounded job is misreported when I kill it;
   earlier, the name reported was "wail", a function internal to the
   script that is not anywhere in the process group of the backgrounded
   command.
2. If I go back earlier in the script and add "|| exit 77" to a couple
   of lines well before any of this job-handling stuff, the name of the
   backgrounded job turns into garbage bytes.
3. The garbage mutates on successive runs with no further changes to the
   script.

To me, this smells like a read from uninitialized/deallocated storage.

Before I go build a bleeding edge version of Bash and feed this script
to it, I was wondering if this problem sounded familiar to anyone.

Script attached.  The jobby bits are at the bottom.  It is for perusal,
not execution--if you try it against a released version of groff's
preconv(1) command, it will fail before getting to the behavior above.

(Yes, I am using "set -e".  I've already read all about why I shouldn't,
and my avoidance of it in other groff regression tests has proven
unsatisfying[1].)

Regards,
Branden

[1] 
https://git.savannah.gnu.org/cgit/groff.git/commit/?id=a58b4cb5ba7344f9734677231039ee5bb19e9b36

do-not-seek-the-unseekable.sh
Description: Bourne shell script

signature.asc
Description: PGP signature