memory corruption in bash subshell loop
From: Don Hatch
Subject: memory corruption in bash subshell loop
Date: Tue, 27 Aug 2002 04:53:38 -0400
User-agent: Mutt/1.2.5i
Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i686'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu'
-DCONF_VENDOR='pc' -DSHELL -DHAVE_CONFIG_H -D_GNU_SOURCE -I. -I. -I./include
-I./lib -O2 -march=i386 -mcpu=i686
uname output: Linux ack 2.4.18-10 #1 Wed Aug 7 11:39:21 EDT 2002 i686 unknown
Machine Type: i686-pc-linux-gnu
Bash Version: 2.05a
Patch Level: 0
Release Status: release
Description:
The following command in bash usually produces memory corruption
(report of underflow corruption or a double free) after 12 minutes or so,
though the timing is not consistent:
$ (while true; do /bin/true; done)
To trigger the bug, the parenthesized subshell seems to be necessary,
as does at least one non-builtin command during the loop
(thus the /bin/true instead of just true).
Also, the shell must be interactive
(e.g. sh -c "(while true; do /bin/true; done)" doesn't seem to do it).
Here is a less boring way to trigger it:
$ i=0; (while true; do /bin/echo -n "$((i++)) "; done)
Further analysis:
The error occurs in a sub-process of the main bash process.
I inserted a pause() in the error reporting code so I could attach to it
with gdb, and here is the resulting stack trace.
Note the reentrant call to free() from inside a SIGCHLD handler
that got called inside a previous call to free()
on the same memory address.
#0 0x420b4c27 in pause () from /lib/i686/libc.so.6
#1 0x080719f6 in programming_error (format=0x812b2b8 "ÏÏUUUUUU÷\001UU\002")
at error.c:266
#2 0x080c2707 in xbotch (mem=0x812b2b8, e=1,
s=0x80d9920 "free: called with already freed block argument",
file=0x80c8bb9 "array.c", line=78) at malloc.c:287
#3 0x080c2e5c in internal_free (mem=0x812b2b8, file=0x80c8bb9 "array.c",
line=78, flags=1) at malloc.c:743
#4 0x080c3522 in sh_free (mem=0x812b2b8, file=0x80c8bb9 "array.c", line=78)
at malloc.c:1010
#5 0x080969cb in sh_xfree (string=0x812b2b8, file=0x80c8bb9 "array.c",
line=78) at xmalloc.c:189
#6 0x08089062 in destroy_array_element (ae=0x813f8e8) at array.c:78
#7 0x08089129 in empty_array (a=0x813f1e8) at array.c:108
#8 0x08070d05 in set_pipestatus_array (ps=0x813f428) at variables.c:3276
#9 0x0807751a in setjstatus (j=847) at jobs.c:2618
#10 0x08077183 in set_job_status_and_cleanup (job=847) at jobs.c:2496
#11 0x08076e95 in waitchld (wpid=-1, block=0) at jobs.c:2394
#12 0x08076d58 in sigchld_handler (sig=17) at jobs.c:2311
#13 <signal handler called>
#14 0x42051127 in vfprintf () from /lib/i686/libc.so.6
#15 0x4205a287 in fprintf () from /lib/i686/libc.so.6
#16 0x080c378b in mtrace_free (mem=0x812b2b8, size=2,
file=0x80c8bb9 "array.c", line=78) at trace.c:69
#17 0x080c3046 in internal_free (mem=0x812b2b8, file=0x80c8bb9 "array.c",
line=78, flags=1) at malloc.c:794
#18 0x080c3522 in sh_free (mem=0x812b2b8, file=0x80c8bb9 "array.c", line=78)
at malloc.c:1010
#19 0x080969cb in sh_xfree (string=0x812b2b8, file=0x80c8bb9 "array.c",
line=78) at xmalloc.c:189
#20 0x08089062 in destroy_array_element (ae=0x813f8e8) at array.c:78
#21 0x08089129 in empty_array (a=0x813f1e8) at array.c:108
#22 0x08070d05 in set_pipestatus_array (ps=0x80da4a8) at variables.c:3276
#23 0x08070d7f in set_pipestatus_from_exit (s=0) at variables.c:3293
#24 0x0806af7a in execute_simple_command (simple_command=0x8134e68,
pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x813f248)
at execute_cmd.c:2721
#25 0x08067a6d in execute_command_internal (command=0x8134e48,
asynchronous=0,
pipe_in=-1, pipe_out=-1, fds_to_close=0x813f248) at execute_cmd.c:623
#26 0x08067385 in execute_command (command=0x8134e48) at execute_cmd.c:317
#27 0x08069fda in execute_while_or_until (while_command=0x813f008, type=0)
at execute_cmd.c:2139
#28 0x08069f65 in execute_while_command (while_command=0x813f008)
at execute_cmd.c:2107
#29 0x08067c5d in execute_command_internal (command=0x813f028,
asynchronous=0,
pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:725
#30 0x080689be in execute_in_subshell (command=0x813f068, asynchronous=0,
pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:1257
#31 0x080676e3 in execute_command_internal (command=0x813f068,
asynchronous=0,
pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:502
#32 0x08068efe in execute_connection (command=0x813f0a8, asynchronous=0,
pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:1482
#33 0x08067d6e in execute_command_internal (command=0x813f0a8,
asynchronous=0,
pipe_in=-1, pipe_out=-1, fds_to_close=0x813f0c8) at execute_cmd.c:785
#34 0x08067385 in execute_command (command=0x813f0a8) at execute_cmd.c:317
#35 0x0805bd15 in reader_loop () at eval.c:139
#36 0x08059f53 in main (argc=1, argv=0xbffff874, env=0xbffff87c) at
shell.c:668
#37 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
--
Don Hatch
hatch@hadron.org
http://www.hadron.org/~hatch/
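The trace above shows the root cause of this class of bug: free() is interrupted by SIGCHLD, and the handler itself ends up calling free() on the same block. The defensive pattern is to make the handler do nothing that is not async-signal-safe (set a flag, nothing else) and to block SIGCHLD around any code that touches allocator-owned state. The following C program is an added illustration of that pattern; it is not code from Don Hatch's report or from bash, and every name in it (status_array, set_status_array, reap_children, run_children) is a hypothetical stand-in for bash's PIPESTATUS handling.

```c
/* Added example, not part of the report or of bash: an async-signal-safe
 * SIGCHLD handler that defers all free()/malloc() work to the main loop.
 * Names (status_array, run_children, ...) are hypothetical stand-ins. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t child_exited = 0;

/* Handler: only a flag store. No free(), no printf(), no shared-state
 * update, so nothing here can corrupt a free() it happens to interrupt. */
static void sigchld_handler(int sig)
{
    (void)sig;
    child_exited = 1;
}

/* Toy stand-in for bash's PIPESTATUS array: replacing it frees and
 * reallocates, exactly the non-reentrant work a handler must never do. */
static int *status_array = NULL;
static size_t status_len = 0;

static void set_status_array(int status)
{
    free(status_array);
    status_array = malloc(sizeof *status_array);
    if (status_array == NULL) { status_len = 0; return; }
    status_array[0] = status;
    status_len = 1;
}

/* Exit status of the most recently reaped child, or -1 if none. */
int last_status(void)
{
    return status_len ? status_array[0] : -1;
}

/* Reap finished children without blocking. Caller holds SIGCHLD blocked. */
static int reap_children(void)
{
    int reaped = 0, status;
    while (waitpid(-1, &status, WNOHANG) > 0) {
        if (WIFEXITED(status))
            set_status_array(WEXITSTATUS(status));
        reaped++;
    }
    return reaped;
}

int install_handler(void)
{
    struct sigaction sa;
    sa.sa_handler = sigchld_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Fork n children that exit with `code`, reaping as they finish the way a
 * shell loop would. Returns the number of children reaped, or -1 on error. */
int run_children(int n, int code)
{
    sigset_t block, prev;
    int total = 0;

    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);

    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0)
            _exit(code);

        /* Reap opportunistically, but with SIGCHLD held off so the handler
         * cannot fire while set_status_array() is inside free(). */
        if (child_exited) {
            child_exited = 0;
            sigprocmask(SIG_BLOCK, &block, &prev);
            total += reap_children();
            sigprocmask(SIG_SETMASK, &prev, NULL);
        }
    }

    /* Drain whatever is left, blocking in waitpid() until ECHILD. */
    for (;;) {
        int status;
        pid_t pid = waitpid(-1, &status, 0);
        if (pid > 0) {
            sigprocmask(SIG_BLOCK, &block, &prev);
            if (WIFEXITED(status))
                set_status_array(WEXITSTATUS(status));
            total++;
            sigprocmask(SIG_SETMASK, &prev, NULL);
        } else if (errno == EINTR) {
            continue;
        } else {
            break;  /* ECHILD: no children remain */
        }
    }
    return total;
}

int main(void)
{
    if (install_handler() != 0)
        return 1;
    int n = run_children(200, 7);
    printf("reaped %d children, last exit status %d\n", n, last_status());
    return n == 200 ? 0 : 1;
}
```

The two ingredients are independent and both matter: the flag-only handler removes the reentrant free(), and the sigprocmask() window around set_status_array() guarantees the status array is never mid-update when a signal is delivered. A self-pipe written from the handler works equally well in place of the flag when the main loop is blocked in select() or read().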