Hosting Provided By

system/3163: csh core dumps with malloc AJ set

From: David Krause <openbsd(at)davidkrause.com>
Date: Thu Mar 20 2003 - 21:20:39 EST

>Number: 3163
>Category: system
>Synopsis: csh core dumps occasionally when changing directory with malloc AJ set
>Confidential: yes
NetCentral, Inc.
>Environment:

	System      : OpenBSD 3.3
	Architecture: OpenBSD.i386
	Machine     : i386

>Description:

This is known by several people for a while now but I never filed an official bug report. csh core dumps occasionally when changing into a directory when you have /etc/malloc.conf -> AJ.

Here's one of the many stack traces (they all look the same):

Core was generated by `csh'.
Program terminated with signal 11, Segmentation fault. #0 0x4e3b in dcanon (cp=0x54140, p=0x64) at /usr/src/bin/csh/dir.c:682 682 }
(gdb) bt

#0  0x4e3b in dcanon (cp=0x54140, p=0x64) at /usr/src/bin/csh/dir.c:682
#1  0x46ec in dgoto (cp=0x54140) at /usr/src/bin/csh/dir.c:419
#2  0x4904 in dfollow (cp=0x4) at /usr/src/bin/csh/dir.c:467
#3  0x459d in dochngd (v=0x4ca34, t=0x54100) at /usr/src/bin/csh/dir.c:375
#4  0xad9a in func (t=0x54100, bp=0x3fea4) at /usr/src/bin/csh/func.c:128
#5  0x16a8c in execute (t=0x54100, wanttty=26142, pipein=0x0, pipeout=0x0)

at /usr/src/bin/csh/sem.c:382
#6 0x16c7c in execute (t=0x540e0, wanttty=26142, pipein=0x0, pipeout=0x0)

at /usr/src/bin/csh/sem.c:446
#7 0x16c7c in execute (t=0x4af80, wanttty=26142, pipein=0x0, pipeout=0x0)

at /usr/src/bin/csh/sem.c:446
#8 0x350d in process (catch=1) at /usr/src/bin/csh/csh.c:1121 #9 0x28e9 in main (argc=0, argv=0xcfbfd974) at /usr/src/bin/csh/csh.c:576 (gdb) p cp
$1 = (Char *) 0xd0d0
(gdb) p p
$2 = (Char *) 0x64
(gdb) list

677		while (*++p)		/* find next slash or end of path */
678		    if (*p == '/') {
679			slash = 1;
680			*p = 0;
681			break;
682		    }
683	
684		if (*sp == '\0')	/* if component is null */
685		    if (--sp == cp)	/* if path is one char (i.e. /) */
686			break;

(gdb) quit

>How-To-Repeat:

/etc/malloc.conf -> AJ and use csh for a while

Example crashes:

Do you need help?

hermes# cd /usr/ports/
Segmentation fault (core dumped)

hermes# pwd
/usr/src/sys/arch/i386/compile/HERMES
hermes# cd /usr/src/sys/
Segmentation fault (core dumped)

>Fix:

lack of NUL termination somewhere?

>Release-Note:
Received on Thu Mar 20 21:29:47 2003

This message: [ Message body ]
Next message: David Krause: "system/3164: ps %MEM always reports 0.0"
Previous message: Miod Vallat: "Re: system/3162"
In reply to Jose Nazario: "i386/3039: reliability bug in mailwrapper: free() before err()"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:52 EDT