bug-bash

AddressSanitizer: heap-use-after-free ../../../bash/lib/readline/display


From: Eduardo Bustamante
Subject: AddressSanitizer: heap-use-after-free ../../../bash/lib/readline/display.c:2092 in update_line
Date: Fri, 19 May 2017 01:41:36 -0500

Run with: bash -c 'read -e' < file # patched bash

File base64:

KgMSGQX//wD/NBs1NTUbNRITNTU13TVGFgkVNTU1NdA1RhYJBTUzNdA1Rp4HB2BJYAcH9QcGAAAL
C2AzNdA1Rj0HB2BJBwYAAAsLAQBgYAIAgAAAAAiAAAAZgBVZYCAbAAEArq6urq6urq6urq6u/4Cu
rq6urq6urq6urq4AAWAZGRkZ5AAQGv9AoBsF

The error under ASAN:

==31690==ERROR: AddressSanitizer: heap-use-after-free on address
0x61d00001a4b8 at pc 0x561a9673234b bp 0x7ffc6b8d0db0 sp
0x7ffc6b8d0da8
READ of size 4 at 0x61d00001a4b8 thread T0
    #0 0x561a9673234a in update_line ../../../bash/lib/readline/display.c:2092
    #1 0x561a9672e589 in rl_redisplay ../../../bash/lib/readline/display.c:1121
    #2 0x561a966f7aef in _rl_internal_char_cleanup
../../../bash/lib/readline/readline.c:514
    #3 0x561a966f7ec5 in readline_internal_char
../../../bash/lib/readline/readline.c:638
    #4 0x561a966f7ee2 in readline_internal_charloop
../../../bash/lib/readline/readline.c:656
    #5 0x561a966f7f06 in readline_internal
../../../bash/lib/readline/readline.c:670
    #6 0x561a966f75bc in readline ../../../bash/lib/readline/readline.c:374
    #7 0x561a966b2991 in edit_line
../../bash/builtins/../../bash/builtins/read.def:1090
    #8 0x561a966b0302 in read_builtin
../../bash/builtins/../../bash/builtins/read.def:554
    #9 0x561a965c6a1d in execute_builtin ../bash/execute_cmd.c:4605
    #10 0x561a965c8633 in execute_builtin_or_function ../bash/execute_cmd.c:5103
    #11 0x561a965c5eb3 in execute_simple_command ../bash/execute_cmd.c:4391
    #12 0x561a965b3db2 in execute_command_internal ../bash/execute_cmd.c:811
    #13 0x561a9669d986 in parse_and_execute ../../bash/builtins/evalstring.c:430
    #14 0x561a9657f271 in run_one_command ../bash/shell.c:1405
    #15 0x561a9657d74a in main ../bash/shell.c:718
    #16 0x7f7ce77c72b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #17 0x561a9657c5b9 in _start
(/home/dualbus/src/gnu/bash-build-read-asan/bash+0x7f5b9)

0x61d00001a4b8 is located 56 bytes inside of 2048-byte region
[0x61d00001a480,0x61d00001ac80)
freed by thread T0 here:
    #0 0x7f7ce8035090 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x561a9668c6a6 in xrealloc ../bash/xmalloc.c:133
    #2 0x561a9672bc4c in rl_redisplay ../../../bash/lib/readline/display.c:966
    #3 0x561a966f7aef in _rl_internal_char_cleanup
../../../bash/lib/readline/readline.c:514
    #4 0x561a966f7ec5 in readline_internal_char
../../../bash/lib/readline/readline.c:638
    #5 0x561a966f7ee2 in readline_internal_charloop
../../../bash/lib/readline/readline.c:656
    #6 0x561a966f7f06 in readline_internal
../../../bash/lib/readline/readline.c:670
    #7 0x561a966f75bc in readline ../../../bash/lib/readline/readline.c:374
    #8 0x561a966b2991 in edit_line
../../bash/builtins/../../bash/builtins/read.def:1090
    #9 0x561a966b0302 in read_builtin
../../bash/builtins/../../bash/builtins/read.def:554
    #10 0x561a965c6a1d in execute_builtin ../bash/execute_cmd.c:4605
    #11 0x561a965c8633 in execute_builtin_or_function ../bash/execute_cmd.c:5103
    #12 0x561a965c5eb3 in execute_simple_command ../bash/execute_cmd.c:4391
    #13 0x561a965b3db2 in execute_command_internal ../bash/execute_cmd.c:811
    #14 0x561a9669d986 in parse_and_execute ../../bash/builtins/evalstring.c:430
    #15 0x561a9657f271 in run_one_command ../bash/shell.c:1405
    #16 0x561a9657d74a in main ../bash/shell.c:718
    #17 0x7f7ce77c72b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7f7ce8035090 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x561a9668c6a6 in xrealloc ../bash/xmalloc.c:133
    #2 0x561a9672bc4c in rl_redisplay ../../../bash/lib/readline/display.c:966
    #3 0x561a966f7aef in _rl_internal_char_cleanup
../../../bash/lib/readline/readline.c:514
    #4 0x561a966f7ec5 in readline_internal_char
../../../bash/lib/readline/readline.c:638
    #5 0x561a966f7ee2 in readline_internal_charloop
../../../bash/lib/readline/readline.c:656
    #6 0x561a966f7f06 in readline_internal
../../../bash/lib/readline/readline.c:670
    #7 0x561a966f75bc in readline ../../../bash/lib/readline/readline.c:374
    #8 0x561a966b2991 in edit_line
../../bash/builtins/../../bash/builtins/read.def:1090
    #9 0x561a966b0302 in read_builtin
../../bash/builtins/../../bash/builtins/read.def:554
    #10 0x561a965c6a1d in execute_builtin ../bash/execute_cmd.c:4605
    #11 0x561a965c8633 in execute_builtin_or_function ../bash/execute_cmd.c:5103
    #12 0x561a965c5eb3 in execute_simple_command ../bash/execute_cmd.c:4391
    #13 0x561a965b3db2 in execute_command_internal ../bash/execute_cmd.c:811
    #14 0x561a9669d986 in parse_and_execute ../../bash/builtins/evalstring.c:430
    #15 0x561a9657f271 in run_one_command ../bash/shell.c:1405
    #16 0x561a9657d74a in main ../bash/shell.c:718
    #17 0x7f7ce77c72b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free
../../../bash/lib/readline/display.c:2092 in update_line
Shadow bytes around the buggy address:
  0x0c3a7fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffb450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3a7fffb490: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c3a7fffb4a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffb4b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffb4c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffb4d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffb4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31690==ABORTING


I can sometimes get it to crash under certain conditions I do not understand:

Core was generated by `./bash -c PATH= read -e'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:685
685     ../sysdeps/x86_64/multiarch/memcmp-sse4.S: No such file or directory.
(gdb) bt
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:685
#1  0x000055842ec430cb in update_line (old=0x5584308a7668 ' ' <repeats
200 times>..., new=0x558430827668 ' ' <repeats 200 times>...,
    current_line=174, omax=80, nmax=-13920, inv_botlin=2223) at
../../../bash/lib/readline/display.c:1609
#2  0x000055842ec42135 in rl_redisplay () at
../../../bash/lib/readline/display.c:1121
#3  0x000055842ec2d21a in _rl_internal_char_cleanup () at
../../../bash/lib/readline/readline.c:514
#4  0x000055842ec2d481 in readline_internal_char () at
../../../bash/lib/readline/readline.c:638
#5  0x000055842ec2d49e in readline_internal_charloop () at
../../../bash/lib/readline/readline.c:656
#6  0x000055842ec2d4c2 in readline_internal () at
../../../bash/lib/readline/readline.c:670
#7  0x000055842ec2cedf in readline (prompt=0x55842ec71e0c "") at
../../../bash/lib/readline/readline.c:374
#8  0x000055842ec0640c in edit_line (p=0x55842ec71e0c "", itext=0x0)
at ../../bash/builtins/../../bash/builtins/read.def:1090
#9  0x000055842ec0518e in read_builtin (list=0x0) at
../../bash/builtins/../../bash/builtins/read.def:554
#10 0x000055842eb9d9c7 in execute_builtin (builtin=0x55842ec04435
<read_builtin>, words=0x5584306c5648, flags=64, subshell=0)
    at ../bash/execute_cmd.c:4605
#11 0x000055842eb9e927 in execute_builtin_or_function
(words=0x5584306c5648, builtin=0x55842ec04435 <read_builtin>, var=0x0,
    redirects=0x0, fds_to_close=0x5584306c4de8, flags=64) at
../bash/execute_cmd.c:5103
#12 0x000055842eb9d2a9 in execute_simple_command
(simple_command=0x5584306c4d08, pipe_in=-1, pipe_out=-1, async=0,
    fds_to_close=0x5584306c4de8) at ../bash/execute_cmd.c:4391
#13 0x000055842eb969df in execute_command_internal
(command=0x5584306c4cc8, asynchronous=0, pipe_in=-1, pipe_out=-1,
    fds_to_close=0x5584306c4de8) at ../bash/execute_cmd.c:811
#14 0x000055842ebfd308 in parse_and_execute (string=0x5584306ad268
"PATH= read -e", from_file=0x55842ec5a630 "-c", flags=4)
    at ../../bash/builtins/evalstring.c:430
#15 0x000055842eb7dce5 in run_one_command (command=0x7ffe61128755
"PATH= read -e") at ../bash/shell.c:1405
#16 0x000055842eb7ce04 in main (argc=3, argv=0x7ffe611276e8,
env=0x7ffe61127708) at ../bash/shell.c:718


Under valgrind:

dualbus@debian:~/src/gnu/bash-build-read$ valgrind --log-fd=3 ./bash
-c 'read -e' < 
/home/dualbus/bash-fuzzing/read-readline/output/3/crashes/id:000201,sig:11,src:015972+016614,op:splice,rep:4
3>&1 >/dev/null 2>&1
==31832== Memcheck, a memory error detector
==31832== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31832== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==31832== Command: ./bash -c read\ -e
==31832==
==31832== Invalid write of size 4
==31832==    at 0x1FBCCF: rl_redisplay (display.c:1019)
==31832==    by 0x1E7219: _rl_internal_char_cleanup (readline.c:514)
==31832==    by 0x1E7480: readline_internal_char (readline.c:638)
==31832==    by 0x1E749D: readline_internal_charloop (readline.c:656)
==31832==    by 0x1E74C1: readline_internal (readline.c:670)
==31832==    by 0x1E6EDE: readline (readline.c:374)
==31832==    by 0x1C040B: edit_line (read.def:1090)
==31832==    by 0x1BF18D: read_builtin (read.def:554)
==31832==    by 0x1579C6: execute_builtin (execute_cmd.c:4605)
==31832==    by 0x158926: execute_builtin_or_function (execute_cmd.c:5103)
==31832==    by 0x1572A8: execute_simple_command (execute_cmd.c:4391)
==31832==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31832==  Address 0x56a6760 is 112 bytes inside an unallocated block
of size 3,528,944 in arena "client"
==31832==
==31832== Conditional jump or move depends on uninitialised value(s)
==31832==    at 0x1FCBCD: update_line (display.c:1471)
==31832==    by 0x1FC134: rl_redisplay (display.c:1121)
==31832==    by 0x1E7219: _rl_internal_char_cleanup (readline.c:514)
==31832==    by 0x1E7480: readline_internal_char (readline.c:638)
==31832==    by 0x1E749D: readline_internal_charloop (readline.c:656)
==31832==    by 0x1E74C1: readline_internal (readline.c:670)
==31832==    by 0x1E6EDE: readline (readline.c:374)
==31832==    by 0x1C040B: edit_line (read.def:1090)
==31832==    by 0x1BF18D: read_builtin (read.def:554)
==31832==    by 0x1579C6: execute_builtin (execute_cmd.c:4605)
==31832==    by 0x158926: execute_builtin_or_function (execute_cmd.c:5103)
==31832==    by 0x1572A8: execute_simple_command (execute_cmd.c:4391)
==31832==
==31832== Invalid read of size 4
==31832==    at 0x1FE2B8: update_line (display.c:2092)
==31832==    by 0x1FC134: rl_redisplay (display.c:1121)
==31832==    by 0x1E7219: _rl_internal_char_cleanup (readline.c:514)
==31832==    by 0x1E7480: readline_internal_char (readline.c:638)
==31832==    by 0x1E749D: readline_internal_charloop (readline.c:656)
==31832==    by 0x1E74C1: readline_internal (readline.c:670)
==31832==    by 0x1E6EDE: readline (readline.c:374)
==31832==    by 0x1C040B: edit_line (read.def:1090)
==31832==    by 0x1BF18D: read_builtin (read.def:554)
==31832==    by 0x1579C6: execute_builtin (execute_cmd.c:4605)
==31832==    by 0x158926: execute_builtin_or_function (execute_cmd.c:5103)
==31832==    by 0x1572A8: execute_simple_command (execute_cmd.c:4391)
==31832==  Address 0x564bb30 is 48 bytes inside a block of size 1,024 free'd
==31832==    at 0x4C2DDCF: realloc (vg_replace_malloc.c:785)
==31832==    by 0x1AF0DB: xrealloc (xmalloc.c:133)
==31832==    by 0x1FB612: rl_redisplay (display.c:966)
==31832==    by 0x1E7219: _rl_internal_char_cleanup (readline.c:514)
==31832==    by 0x1E7480: readline_internal_char (readline.c:638)
==31832==    by 0x1E749D: readline_internal_charloop (readline.c:656)
==31832==    by 0x1E74C1: readline_internal (readline.c:670)
==31832==    by 0x1E6EDE: readline (readline.c:374)
==31832==    by 0x1C040B: edit_line (read.def:1090)
==31832==    by 0x1BF18D: read_builtin (read.def:554)
==31832==    by 0x1579C6: execute_builtin (execute_cmd.c:4605)
==31832==    by 0x158926: execute_builtin_or_function (execute_cmd.c:5103)
==31832==  Block was alloc'd at
==31832==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==31832==    by 0x1AF046: xmalloc (xmalloc.c:112)
==31832==    by 0x1FAC2B: init_line_structures (display.c:639)
==31832==    by 0x1FACD9: rl_redisplay (display.c:677)
==31832==    by 0x1E7029: readline_internal_setup (readline.c:444)
==31832==    by 0x1E74BC: readline_internal (readline.c:669)
==31832==    by 0x1E6EDE: readline (readline.c:374)
==31832==    by 0x1C040B: edit_line (read.def:1090)
==31832==    by 0x1BF18D: read_builtin (read.def:554)
==31832==    by 0x1579C6: execute_builtin (execute_cmd.c:4605)
==31832==    by 0x158926: execute_builtin_or_function (execute_cmd.c:5103)
==31832==    by 0x1572A8: execute_simple_command (execute_cmd.c:4391)
==31832==
==31832== Invalid write of size 4
==31832==    at 0x1FBCCF: rl_redisplay (display.c:1019)
==31832==    by 0x1FF20F: rl_clear_message (display.c:2663)
==31832==    by 0x200BA5: _rl_abort_internal (util.c:102)
==31832==    by 0x1E7B55: _rl_dispatch_subseq (readline.c:892)
==31832==    by 0x1E77BD: _rl_dispatch (readline.c:797)
==31832==    by 0x1E7445: readline_internal_char (readline.c:629)
==31832==    by 0x1E749D: readline_internal_charloop (readline.c:656)
==31832==    by 0x1E74C1: readline_internal (readline.c:670)
==31832==    by 0x1E6EDE: readline (readline.c:374)
==31832==    by 0x1C040B: edit_line (read.def:1090)
==31832==    by 0x1BF18D: read_builtin (read.def:554)
==31832==    by 0x1579C6: execute_builtin (execute_cmd.c:4605)
==31832==  Address 0x586358c is 636 bytes inside an unallocated block
of size 1,707,216 in arena "client"
==31832==
==31833== Invalid read of size 1
==31833==    at 0x211E31: internal_free (malloc.c:873)
==31833==    by 0x212B14: sh_free (malloc.c:1271)
==31833==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31833==    by 0x1D07FE: glob_filename (glob.c:1341)
==31833==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31833==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31833==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31833==    by 0x187FE7: expand_words (subst.c:10611)
==31833==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31833==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31833==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31833==    by 0x17CF05: command_substitute (subst.c:6107)
==31833==  Address 0x5863368 is 8 bytes before a block of size 8 alloc'd
==31833==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==31833==    by 0x1CFD40: glob_filename (glob.c:1050)
==31833==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31833==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31833==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31833==    by 0x187FE7: expand_words (subst.c:10611)
==31833==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31833==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31833==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31833==    by 0x17CF05: command_substitute (subst.c:6107)
==31833==    by 0x185F0D: expand_word_internal (subst.c:9720)
==31833==    by 0x17892C: call_expand_word_internal (subst.c:3650)
==31833==
==31833== Invalid read of size 4
==31833==    at 0x211E66: internal_free (malloc.c:881)
==31833==    by 0x212B14: sh_free (malloc.c:1271)
==31833==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31833==    by 0x1D07FE: glob_filename (glob.c:1341)
==31833==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31833==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31833==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31833==    by 0x187FE7: expand_words (subst.c:10611)
==31833==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31833==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31833==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31833==    by 0x17CF05: command_substitute (subst.c:6107)
==31833==  Address 0x586336c is 4 bytes before a block of size 8 alloc'd
==31833==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==31833==    by 0x1CFD40: glob_filename (glob.c:1050)
==31833==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31833==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31833==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31833==    by 0x187FE7: expand_words (subst.c:10611)
==31833==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31833==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31833==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31833==    by 0x17CF05: command_substitute (subst.c:6107)
==31833==    by 0x185F0D: expand_word_internal (subst.c:9720)
==31833==    by 0x17892C: call_expand_word_internal (subst.c:3650)
==31833==
==31833== Invalid read of size 1
==31833==    at 0x211E6C: internal_free (malloc.c:884)
==31833==    by 0x212B14: sh_free (malloc.c:1271)
==31833==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31833==    by 0x1D07FE: glob_filename (glob.c:1341)
==31833==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31833==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31833==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31833==    by 0x187FE7: expand_words (subst.c:10611)
==31833==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31833==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31833==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31833==    by 0x17CF05: command_substitute (subst.c:6107)
==31833==  Address 0x5863368 is 8 bytes before a block of size 8 alloc'd
==31833==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==31833==    by 0x1CFD40: glob_filename (glob.c:1050)
==31833==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31833==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31833==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31833==    by 0x187FE7: expand_words (subst.c:10611)
==31833==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31833==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31833==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31833==    by 0x17CF05: command_substitute (subst.c:6107)
==31833==    by 0x185F0D: expand_word_internal (subst.c:9720)
==31833==    by 0x17892C: call_expand_word_internal (subst.c:3650)
==31833==
==31833== Invalid read of size 1
==31833==    at 0x211E73: internal_free (malloc.c:886)
==31833==    by 0x212B14: sh_free (malloc.c:1271)
==31833==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31833==    by 0x1D07FE: glob_filename (glob.c:1341)
==31833==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31833==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31833==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31833==    by 0x187FE7: expand_words (subst.c:10611)
==31833==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31833==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31833==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31833==    by 0x17CF05: command_substitute (subst.c:6107)
==31833==  Address 0x5863368 is 8 bytes before a block of size 8 alloc'd
==31833==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==31833==    by 0x1CFD40: glob_filename (glob.c:1050)
==31833==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31833==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31833==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31833==    by 0x187FE7: expand_words (subst.c:10611)
==31833==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31833==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31833==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31833==    by 0x17CF05: command_substitute (subst.c:6107)
==31833==    by 0x185F0D: expand_word_internal (subst.c:9720)
==31833==    by 0x17892C: call_expand_word_internal (subst.c:3650)
==31833==
==31833==
==31833== Process terminating with default action of signal 6
(SIGABRT): dumping core
==31833==    at 0x5298FCF: raise (raise.c:51)
==31833==    by 0x529A3F9: abort (abort.c:89)
==31833==    by 0x164AD0: programming_error (error.c:175)
==31833==    by 0x210E4E: xbotch (malloc.c:329)
==31833==    by 0x211EDB: internal_free (malloc.c:890)
==31833==    by 0x212B14: sh_free (malloc.c:1271)
==31833==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31833==    by 0x1D07FE: glob_filename (glob.c:1341)
==31833==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31833==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31833==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31833==    by 0x187FE7: expand_words (subst.c:10611)
==31833==
==31833== HEAP SUMMARY:
==31833==     in use at exit: 813,413 bytes in 271 blocks
==31833==   total heap usage: 1,050 allocs, 779 frees, 2,416,157 bytes allocated
==31833==
==31833== LEAK SUMMARY:
==31833==    definitely lost: 0 bytes in 0 blocks
==31833==    indirectly lost: 0 bytes in 0 blocks
==31833==      possibly lost: 0 bytes in 0 blocks
==31833==    still reachable: 813,413 bytes in 271 blocks
==31833==         suppressed: 0 bytes in 0 blocks
==31833== Rerun with --leak-check=full to see details of leaked memory
==31833==
==31833== For counts of detected and suppressed errors, rerun with: -v
==31833== Use --track-origins=yes to see where uninitialised values come from
==31833== ERROR SUMMARY: 269 errors from 8 contexts (suppressed: 0 from 0)
==31834== Invalid read of size 1
==31834==    at 0x211E31: internal_free (malloc.c:873)
==31834==    by 0x212B14: sh_free (malloc.c:1271)
==31834==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31834==    by 0x1D07FE: glob_filename (glob.c:1341)
==31834==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31834==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31834==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31834==    by 0x187FE7: expand_words (subst.c:10611)
==31834==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31834==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31834==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31834==    by 0x17CF05: command_substitute (subst.c:6107)
==31834==  Address 0x5863368 is 8 bytes before a block of size 8 alloc'd
==31834==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==31834==    by 0x1CFD40: glob_filename (glob.c:1050)
==31834==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31834==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31834==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31834==    by 0x187FE7: expand_words (subst.c:10611)
==31834==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31834==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31834==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31834==    by 0x17CF05: command_substitute (subst.c:6107)
==31834==    by 0x185F0D: expand_word_internal (subst.c:9720)
==31834==    by 0x17892C: call_expand_word_internal (subst.c:3650)
==31834==
==31834== Invalid read of size 4
==31834==    at 0x211E66: internal_free (malloc.c:881)
==31834==    by 0x212B14: sh_free (malloc.c:1271)
==31834==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31834==    by 0x1D07FE: glob_filename (glob.c:1341)
==31834==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31834==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31834==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31834==    by 0x187FE7: expand_words (subst.c:10611)
==31834==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31834==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31834==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31834==    by 0x17CF05: command_substitute (subst.c:6107)
==31834==  Address 0x586336c is 4 bytes before a block of size 8 alloc'd
==31834==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==31834==    by 0x1CFD40: glob_filename (glob.c:1050)
==31834==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31834==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31834==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31834==    by 0x187FE7: expand_words (subst.c:10611)
==31834==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31834==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31834==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31834==    by 0x17CF05: command_substitute (subst.c:6107)
==31834==    by 0x185F0D: expand_word_internal (subst.c:9720)
==31834==    by 0x17892C: call_expand_word_internal (subst.c:3650)
==31834==
==31834== Invalid read of size 1
==31834==    at 0x211E6C: internal_free (malloc.c:884)
==31834==    by 0x212B14: sh_free (malloc.c:1271)
==31834==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31834==    by 0x1D07FE: glob_filename (glob.c:1341)
==31834==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31834==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31834==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31834==    by 0x187FE7: expand_words (subst.c:10611)
==31834==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31834==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31834==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31834==    by 0x17CF05: command_substitute (subst.c:6107)
==31834==  Address 0x5863368 is 8 bytes before a block of size 8 alloc'd
==31834==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==31834==    by 0x1CFD40: glob_filename (glob.c:1050)
==31834==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31834==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31834==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31834==    by 0x187FE7: expand_words (subst.c:10611)
==31834==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31834==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31834==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31834==    by 0x17CF05: command_substitute (subst.c:6107)
==31834==    by 0x185F0D: expand_word_internal (subst.c:9720)
==31834==    by 0x17892C: call_expand_word_internal (subst.c:3650)
==31834==
==31834== Invalid read of size 1
==31834==    at 0x211E73: internal_free (malloc.c:886)
==31834==    by 0x212B14: sh_free (malloc.c:1271)
==31834==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31834==    by 0x1D07FE: glob_filename (glob.c:1341)
==31834==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31834==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31834==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31834==    by 0x187FE7: expand_words (subst.c:10611)
==31834==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31834==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31834==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31834==    by 0x17CF05: command_substitute (subst.c:6107)
==31834==  Address 0x5863368 is 8 bytes before a block of size 8 alloc'd
==31834==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==31834==    by 0x1CFD40: glob_filename (glob.c:1050)
==31834==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31834==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31834==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31834==    by 0x187FE7: expand_words (subst.c:10611)
==31834==    by 0x156CD4: execute_simple_command (execute_cmd.c:4220)
==31834==    by 0x1509DE: execute_command_internal (execute_cmd.c:811)
==31834==    by 0x1B7307: parse_and_execute (evalstring.c:430)
==31834==    by 0x17CF05: command_substitute (subst.c:6107)
==31834==    by 0x185F0D: expand_word_internal (subst.c:9720)
==31834==    by 0x17892C: call_expand_word_internal (subst.c:3650)
==31834==
==31834==
==31834== Process terminating with default action of signal 6
(SIGABRT): dumping core
==31834==    at 0x5298FCF: raise (raise.c:51)
==31834==    by 0x529A3F9: abort (abort.c:89)
==31834==    by 0x164AD0: programming_error (error.c:175)
==31834==    by 0x210E4E: xbotch (malloc.c:329)
==31834==    by 0x211EDB: internal_free (malloc.c:890)
==31834==    by 0x212B14: sh_free (malloc.c:1271)
==31834==    by 0x1AF33B: sh_xfree (xmalloc.c:221)
==31834==    by 0x1D07FE: glob_filename (glob.c:1341)
==31834==    by 0x18FC7E: shell_glob_filename (pathexp.c:427)
==31834==    by 0x1880A3: glob_expand_word_list (subst.c:10662)
==31834==    by 0x188E3B: expand_word_list_internal (subst.c:11098)
==31834==    by 0x187FE7: expand_words (subst.c:10611)
==31834==
==31834== HEAP SUMMARY:
==31834==     in use at exit: 813,413 bytes in 271 blocks
==31834==   total heap usage: 1,050 allocs, 779 frees, 2,416,157 bytes allocated
==31834==
==31834== LEAK SUMMARY:
==31834==    definitely lost: 0 bytes in 0 blocks
==31834==    indirectly lost: 0 bytes in 0 blocks
==31834==      possibly lost: 0 bytes in 0 blocks
==31834==    still reachable: 813,413 bytes in 271 blocks
==31834==         suppressed: 0 bytes in 0 blocks
==31834== Rerun with --leak-check=full to see details of leaked memory
==31834==
==31834== For counts of detected and suppressed errors, rerun with: -v
==31834== Use --track-origins=yes to see where uninitialised values come from
==31834== ERROR SUMMARY: 269 errors from 8 contexts (suppressed: 0 from 0)
==31835==
==31835== HEAP SUMMARY:
==31835==     in use at exit: 813,405 bytes in 270 blocks
==31835==   total heap usage: 1,045 allocs, 775 frees, 2,415,955 bytes allocated
==31835==
==31835== LEAK SUMMARY:
==31835==    definitely lost: 0 bytes in 0 blocks
==31835==    indirectly lost: 0 bytes in 0 blocks
==31835==      possibly lost: 0 bytes in 0 blocks
==31835==    still reachable: 813,405 bytes in 270 blocks
==31835==         suppressed: 0 bytes in 0 blocks
==31835== Rerun with --leak-check=full to see details of leaked memory
==31835==
==31835== For counts of detected and suppressed errors, rerun with: -v
==31835== Use --track-origins=yes to see where uninitialised values come from
==31835== ERROR SUMMARY: 265 errors from 4 contexts (suppressed: 0 from 0)
==31832== Invalid free() / delete / delete[] / realloc()
==31832==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==31832==    by 0x1AF131: xfree (xmalloc.c:148)
==31832==    by 0x18EE08: unwind_frame_run_internal (unwind_prot.c:333)
==31832==    by 0x18E4DA: without_interrupts (unwind_prot.c:123)
==31832==    by 0x18E56E: run_unwind_frame (unwind_prot.c:151)
==31832==    by 0x1B6FA0: parse_and_execute (evalstring.c:322)
==31832==    by 0x137CE4: run_one_command (shell.c:1405)
==31832==    by 0x136E03: main (shell.c:718)
==31832==  Address 0x4237d88 is in the brk data segment 0x4226000-0x425afff
==31832==
==31832==
==31832== HEAP SUMMARY:
==31832==     in use at exit: 813,405 bytes in 270 blocks
==31832==   total heap usage: 1,045 allocs, 777 frees, 2,415,955 bytes allocated
==31832==
==31832== LEAK SUMMARY:
==31832==    definitely lost: 0 bytes in 0 blocks
==31832==    indirectly lost: 0 bytes in 0 blocks
==31832==      possibly lost: 0 bytes in 0 blocks
==31832==    still reachable: 813,405 bytes in 270 blocks
==31832==         suppressed: 0 bytes in 0 blocks
==31832== Rerun with --leak-check=full to see details of leaked memory
==31832==
==31832== For counts of detected and suppressed errors, rerun with: -v
==31832== Use --track-origins=yes to see where uninitialised values come from
==31832== ERROR SUMMARY: 267 errors from 5 contexts (suppressed: 0 from 0)
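
A triage helper for the ASan report above, as an added example that is not part of the original message: it undoes the mail client's line wrapping, checks the reported offset against the region bounds, and names the first bash/readline frame of the use, free and allocation stacks. The function names and the wrapper list are assumptions of this sketch; the input is an excerpt of the report in the message.

```python
import re

# Excerpt of the ASan report in the message above (top frames of each stack),
# with the archive's e-mail line wrapping left in place.
REPORT = """\
==31690==ERROR: AddressSanitizer: heap-use-after-free on address
0x61d00001a4b8 at pc 0x561a9673234b bp 0x7ffc6b8d0db0 sp
0x7ffc6b8d0da8
READ of size 4 at 0x61d00001a4b8 thread T0
    #0 0x561a9673234a in update_line ../../../bash/lib/readline/display.c:2092
    #1 0x561a9672e589 in rl_redisplay ../../../bash/lib/readline/display.c:1121
    #2 0x561a966f7aef in _rl_internal_char_cleanup
../../../bash/lib/readline/readline.c:514

0x61d00001a4b8 is located 56 bytes inside of 2048-byte region
[0x61d00001a480,0x61d00001ac80)
freed by thread T0 here:
    #0 0x7f7ce8035090 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x561a9668c6a6 in xrealloc ../bash/xmalloc.c:133
    #2 0x561a9672bc4c in rl_redisplay ../../../bash/lib/readline/display.c:966
    #3 0x561a966f7aef in _rl_internal_char_cleanup
../../../bash/lib/readline/readline.c:514

previously allocated by thread T0 here:
    #0 0x7f7ce8035090 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x561a9668c6a6 in xrealloc ../bash/xmalloc.c:133
    #2 0x561a9672bc4c in rl_redisplay ../../../bash/lib/readline/display.c:966
"""

HEAD = re.compile(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
# Assumption of this sketch: allocator entry points and the xmalloc.c wrappers
# are skipped when naming the frame responsible for a free or an allocation.
WRAPPERS = {"malloc", "calloc", "realloc", "free", "xmalloc", "xrealloc", "xfree"}


def first_app_frame(stack):
    """First frame that has source info and is not an allocator wrapper."""
    for func, loc in stack:
        if not loc.startswith("(") and func not in WRAPPERS:
            return f"{func} {loc.rsplit('/', 1)[-1]}"
    return None


def shared_callers(a, b):
    """Functions common to the outer end of both stacks, innermost first."""
    shared = []
    for (fa, _), (fb, _) in zip(reversed(a), reversed(b)):
        if fa != fb:
            break
        shared.append(fa)
    return shared[::-1]


def triage(report):
    # Collapsing all whitespace rejoins frames whose location was wrapped
    # onto the following line.
    flat = " ".join(report.split())
    bug, addr = HEAD.search(flat).groups()
    access = ACCESS.search(flat)
    off, size, lo, hi = REGION.search(flat).groups()
    addr, lo, hi = int(addr, 16), int(lo, 16), int(hi, 16)

    # Each stack runs from its marker to the next marker (or the end).
    starts = {"use": access.start(),
              "free": flat.index("freed by thread"),
              "alloc": flat.index("previously allocated by thread")}
    order = sorted(starts, key=starts.get)
    stacks = {}
    for i, name in enumerate(order):
        end = starts[order[i + 1]] if i + 1 < len(order) else len(flat)
        stacks[name] = FRAME.findall(flat[starts[name]:end])

    return {
        "bug": bug,
        "access": f"{access.group(1)} of {access.group(2)} bytes",
        # The faulting address must sit at the stated offset in the region.
        "region_consistent": addr - lo == int(off) and hi - lo == int(size),
        "use_site": first_app_frame(stacks["use"]),
        "free_site": first_app_frame(stacks["free"]),
        "alloc_site": first_app_frame(stacks["alloc"]),
        "shared_callers": shared_callers(stacks["use"], stacks["free"]),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

On this excerpt the use and free stacks both pass through `rl_redisplay`, with the block released by the `realloc` at display.c:966 and read at display.c:2092.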


