From nobody@FreeBSD.org  Wed Jul  2 14:10:57 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9DA09106567A
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  2 Jul 2008 14:10:57 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 8CA228FC2C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  2 Jul 2008 14:10:57 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m62EAvSf017926
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 2 Jul 2008 14:10:57 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m62EAvne017925;
	Wed, 2 Jul 2008 14:10:57 GMT
	(envelope-from nobody)
Message-Id: <200807021410.m62EAvne017925@www.freebsd.org>
Date: Wed, 2 Jul 2008 14:10:57 GMT
From: "Dmitry A." <666.root@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: csh exit on signal 11
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         125185
>Category:       bin
>Synopsis:       csh(1) exit on signal 11
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 02 14:20:00 UTC 2008
>Closed-Date:    Thu Nov 24 16:22:22 UTC 2011
>Last-Modified:  Thu Nov 24 16:22:22 UTC 2011
>Originator:     Dmitry A.
>Release:        
>Organization:
79.120.123.5
>Environment:
FreeBSD zingel.dubki.ru 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Wed Apr 23 22:39:55 EEST 2008     root@zingel.dubki.ru:/usr/obj/usr/src/sys/BEASTIE  i386

>Description:
Hello.

I got an error when using csh, with the command:

%"`perl -e "print 'A' x1024"` * 0"

error:

pid 72087 (csh), uid 0: exited on signal 11

Possibly it is not critical; please check.

Thank you.
>How-To-Repeat:
%su
Password:
%"`perl -e "print 'A' x1024"` * 0" > /root/test
Unmatched `.
%whoami
beastie
%su
Password:
%cat ~/test
%
%tail -n 1 /var/run/dmesg.boot
pid 72087 (csh), uid 0: exited on signal 11
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-bugs 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Jul 4 14:51:32 UTC 2008 
Responsible-Changed-Why:  
not something i386 specific 

http://www.freebsd.org/cgi/query-pr.cgi?pr=125185 

From: "Dmitry Andrianov" <666.root@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/125185: csh(1) exit on signal 11
Date: Mon, 7 Jul 2008 09:50:57 +0400

 Possibly the following text will help you.
 
 ====
 [root@zingel /]# gdb /bin/csh
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain
 conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols
 found)...
 (gdb) break main
 Function "main" not defined.
 Make breakpoint pending on future shared library load? (y or [n]) y
 
 Breakpoint 1 (main) pending.
 (gdb) r
 Starting program: /bin/csh
 (no debugging symbols found)...(no debugging symbols found)...(no debugging
 symbols found)...(no debugging symbols found)...(no debugging symbols
 found)...%
 (gdb) break main
 Function "main" not defined.
 Make breakpoint pending on future shared library load? (y or [n]) y
 
 Breakpoint 2 (main) pending.
 (gdb) disass
 Dump of assembler code for function read:
 0x281f83cc <read+0>:   mov    $0x3,%eax
 0x281f83d1 <read+5>:   int    $0x80
 0x281f83d3 <read+7>:   jb     0x281f83b8 <write+12>
 0x281f83d5 <read+9>:   ret
 0x281f83d6 <read+10>:   nop
 0x281f83d7 <read+11>:   nop
 0x281f83d8 <read+12>:   nop
 0x281f83d9 <read+13>:   nop
 0x281f83da <read+14>:   nop
 0x281f83db <read+15>:   nop
 0x281f83dc <read+16>:   nop
 0x281f83dd <read+17>:   nop
 0x281f83de <read+18>:   nop
 0x281f83df <read+19>:   nop
 0x281f83e0 <read+20>:   push   %ebp
 0x281f83e1 <read+21>:   mov    %esp,%ebp
 0x281f83e3 <read+23>:   push   %ebx
 0x281f83e4 <read+24>:   call   0x2813f6f7 <_fini+200803>
 0x281f83e9 <read+29>:   add    $0x1040f,%ebx
 0x281f83ef <read+35>:   sub    $0x34,%esp
 0x281f83f2 <read+38>:   mov    0x147a4(%ebx),%eax
 0x281f83f8 <read+44>:   test   %eax,%eax
 ---Type <return> to continue, or q <return> to quit---
 0x281f83fa <read+46>:   je     0x281f8402 <read+54>
 0x281f83fc <read+48>:   add    $0x34,%esp
 0x281f83ff <read+51>:   pop    %ebx
 0x281f8400 <read+52>:   pop    %ebp
 0x281f8401 <read+53>:   ret
 ---Type <return> to continue, or q <return> to quit---
 (gdb) break *0x281f8401
 Breakpoint 3 at 0x281f8401
 (gdb) cont
 Continuing.
 %"`perl -e "print 'A' x1024"` * 0"
 Unmatched `.
 
 Program received signal SIGSEGV, Segmentation fault.
 0x28183862 in calloc () from /lib/libc.so.7
 (gdb) i r
 eax            0x8092ef4   134819572
 ecx            0xc   12
 edx            0x8092ef4   134819572
 ebx            0x282087f8   673220600
 esp            0xbfbfe7b0   0xbfbfe7b0
 ebp            0xbfbfe7f8   0xbfbfe7f8
 esi            0x8000000   134217728
 edi            0x1   1
 eip            0x28183862   0x28183862
 eflags         0x10297   66199
 cs             0x33   51
 ss             0x3b   59
 ds             0x3b   59
 es             0x3b   59
 fs             0x3b   59
 gs             0x1b   27
 (gdb)quit
 
 =====
 
 Thank you.
 

From: Nate Eldredge <neldredge@math.ucsd.edu>
To: bug-followup@FreeBSD.org, 666.root@gmail.com
Cc:  
Subject: Re: bin/125185: csh(1) exit on signal 11
Date: Mon, 28 Jul 2008 01:18:38 -0700 (PDT)

 I tracked this down.  Here is the explanation as I understand it.
 
 The traceback from the segfault is as follows, for the record:
 
 #0  0x000000080096cd1e in malloc () from /lib/libc.so.7
 #1  0x000000080096cfee in free () from /lib/libc.so.7
 #2  0x0000000000448066 in sfree (p=0x427e46)
      at /usr/src/bin/csh/../../contrib/tcsh/tc.alloc.c:562
 #3  0x0000000000450e79 in bb_cleanup (xbb=0x7fffffffdf70)
      at /usr/src/bin/csh/../../contrib/tcsh/tc.str.c:521
 #4  0x000000000040d450 in cleanup_until (last_var=0x57b730)
      at /usr/src/bin/csh/../../contrib/tcsh/sh.err.c:444
 #5  0x0000000000406423 in process (catch=1)
      at /usr/src/bin/csh/../../contrib/tcsh/sh.c:2027
 #6  0x0000000000404f5f in main (argc=0, argv=0x7fffffffe7d8)
      at /usr/src/bin/csh/../../contrib/tcsh/sh.c:1304
 
 However, the source of the bug is actually in the function `dobackp', 
 sh.glob.c:646.  tcsh has a "cleanup stack", where a function can push 
 things to be cleaned up, and run them later.  `dobackp' pushes some things 
 on the cleanup stack, then detects the parse error and exits by calling 
 stderror().  The problem is that the whole thing was being run in a 
 subshell started with vfork(), so the stuff appears on the parent's 
 cleanup stack, although they have pointers to objects that only existed 
 for the child.  (More specifically, pointers to a piece of the (regular) 
 stack that is below the parent's current stack pointer, so it can get 
 overwritten.)  When the parent eventually runs its cleanup stack bad 
 things happen.
 
 If you run csh with the -F option, to use fork() instead of vfork(), it 
 does not crash.
 
 It would be easy to fix this specific instance of the bug, by calling 
 cleanup_until() in `dobackp' before calling stderror().  Unfortunately, it 
 looks like there are lots of places where the code tries to exit without 
 cleaning up first, and it is not clear when they might be run in a vforked 
 subshell.  Here are some possibilities:
 
 1. Audit the whole source to find and fix all places where a function may 
 exit without popping the cleanup stack.
 
 2. Set a mark on the stack as soon as vfork() returns in the child, and 
 add code to xexit() or something to have it pop to that mark before 
 exiting.  I have not thought this through completely and am not sure if it 
 is safe.
 
 3. Stop using vfork() altogether.  tcsh should really not be using it when 
 there is non-trivial work for the child to do.  How significant is the 
 extra overhead of fork() in this day and age, when we have copy-on-write?
 
 The upstream tcsh people might also have some ideas, but a bit of Googling 
 did not reveal who they are.
 
 -- 
 
 Nate Eldredge
 neldredge@math.ucsd.edu
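 The mechanism Nate describes, as an added example that is not tcsh code and
 not part of the original report: a toy "cleanup stack" of the same shape as
 tcsh's, a child routine standing in for dobackp() that registers a cleanup
 for a buffer in its own frame and then bails out without popping, and the
 three ways of spawning it that the thread discusses (fork(), vfork(), and
 vfork() followed by unwinding to a mark taken when the child started). The
 names cleanup_push, child_body, spawn_mode and leaked_entries_after_child
 are this example's own; cleanup_until is named after the function in the
 traceback but is a simplified stand-in. It assumes a POSIX system where
 vfork() shares the address space with the parent, as on FreeBSD and Linux.

```c
/*
 * Added example, not tcsh code: why cleanup entries pushed by a vfork()ed
 * child land on the parent's cleanup stack, and two ways out.
 */
#define _DEFAULT_SOURCE 1
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CLEANUP_MAX 16

/* One cleanup entry: the object and the function to run on it. */
struct cleanup_entry {
    void *obj;
    void (*fn)(void *);
};

/* Global, like tcsh's: a vfork() child writes straight into the parent's copy. */
static struct cleanup_entry cleanup_stack[CLEANUP_MAX];
static volatile size_t cleanup_top;
static volatile int cleanups_run;

static void cleanup_push(void *obj, void (*fn)(void *))
{
    if (cleanup_top < CLEANUP_MAX) {
        cleanup_stack[cleanup_top].obj = obj;
        cleanup_stack[cleanup_top].fn = fn;
        cleanup_top++;
    }
}

/* Pop and run every entry above mark (simplified stand-in for tcsh's cleanup_until()). */
static void cleanup_until(size_t mark)
{
    while (cleanup_top > mark) {
        cleanup_top--;
        cleanup_stack[cleanup_top].fn(cleanup_stack[cleanup_top].obj);
    }
}

/* Stand-in for sfree()/bb_cleanup(): only counts calls. The real ones free or
 * write through obj, which is where the parent faults on a dangling entry. */
static void count_cleanup(void *obj)
{
    (void)obj;
    cleanups_run++;
}

enum spawn_mode { USE_FORK, USE_VFORK, USE_VFORK_POP_TO_MARK };

/*
 * Stand-in for dobackp(): runs in the child in its own frame (below the
 * parent's stack pointer), registers a cleanup for a child-local buffer,
 * then "hits the parse error" and exits. In tcsh that exit is stderror(),
 * which does not pop the entries it leaves behind.
 */
static void child_body(enum spawn_mode mode, size_t mark)
{
    char bquote_buf[64];                    /* exists only in this child frame */
    strcpy(bquote_buf, "Unmatched `.");
    cleanup_push(bquote_buf, count_cleanup);
    if (mode == USE_VFORK_POP_TO_MARK)
        cleanup_until(mark);                /* unwind to the vfork mark before leaving */
    _exit(1);
}

/*
 * Spawn a child that runs child_body() and report how many entries it left
 * on the parent's cleanup stack. Anything above zero is dangling: obj points
 * at a frame the child owned, which the parent's next calls will overwrite.
 * Returns (size_t)-1 on a spawn or wait failure.
 */
size_t leaked_entries_after_child(enum spawn_mode mode)
{
    int status;
    pid_t pid;

    cleanup_top = 0;
    if (mode == USE_FORK)
        pid = fork();
    else
        pid = vfork();
    if (pid < 0)
        return (size_t)-1;
    if (pid == 0)
        child_body(mode, cleanup_top);      /* never returns */
    if (waitpid(pid, &status, 0) < 0)
        return (size_t)-1;
    return cleanup_top;
}

int main(void)
{
    printf("fork():               %zu dangling entries\n", leaked_entries_after_child(USE_FORK));
    printf("vfork():              %zu dangling entries\n", leaked_entries_after_child(USE_VFORK));
    printf("vfork() + pop to mark: %zu dangling entries\n", leaked_entries_after_child(USE_VFORK_POP_TO_MARK));
    return 0;
}
```

 The fork() case leaves nothing behind because the child pushed onto its own
 copy-on-write copy of the stack; the plain vfork() case leaves one entry whose
 obj pointer is already stale by the time waitpid() returns. The example never
 runs that stale entry in the parent, which is exactly the step where csh
 faults. The pop-to-mark variant is option 2 from Nate's list in miniature.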

From: Alex Keda <admin@lissyara.su>
To: bug-followup@FreeBSD.org, 666.root@gmail.com
Cc:  
Subject: Re: bin/125185: csh(1) exit on signal 11
Date: Tue, 29 Jul 2008 09:24:40 +0400

 I have this bug. After
 % "`perl -e "print 'A' x1024"` * 0" > /tmp/tst
 I get
 Jul 29 09:22:07 lissyara kernel: pid 1679 (csh), uid 1001: exited on signal 11 (core dumped)
 

From: Nate Eldredge <neldredge@math.ucsd.edu>
To: bug-followup@FreeBSD.org, 666.root@gmail.com
Cc:  
Subject: Re: bin/125185: csh(1) exit on signal 11
Date: Mon, 28 Jul 2008 22:35:31 -0700 (PDT)

 FWIW, I ran the test at http://berlin.ccc.de/~packet/fork_test.c, 
 modifying it to malloc() 10 MB first, to make it have about the same size 
 as a csh process.  On my 1.8 GHz amd64 running 7.0-RELEASE I get
 
 measured fork time: 251396 nsecs
 measured vfork time: 243734 nsecs
 
 a difference of about 3%.  So the penalty for switching back to fork() 
 instead of vfork() wouldn't be very much, and this is certainly the 
 simplest fix -- a one-byte patch :)
 
 Thoughts?
 
 -- 
 
 Nate Eldredge
 neldredge@math.ucsd.edu
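 A measurement of the kind Nate reports, as an added example that is not the
 fork_test.c he links and not part of the original thread: it touches about
 10 MB of heap so the process has roughly the footprint he quotes, then times
 fork()+_exit()+waitpid() against the same round trip with vfork(). The
 function name avg_spawn_ns and the iteration count are this example's own
 choices, and the figures it prints depend on the machine; the point is the
 method, not any one number.

```c
/*
 * Added example: average cost of one spawn + _exit + waitpid round trip
 * with fork() versus vfork() in a process that has a ~10 MB touched heap.
 */
#define _DEFAULT_SOURCE 1
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HEAP_BYTES (10u * 1024u * 1024u)

/* Kept in a global so the compiler cannot drop the malloc/memset as dead. */
static char *g_heap;

static long long now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/*
 * Average nanoseconds per spawn round trip. use_vfork picks the primitive.
 * The child does nothing but _exit(), which is safe after either call.
 * Returns -1 on allocation, spawn or wait failure, or if iterations <= 0.
 */
long long avg_spawn_ns(int use_vfork, int iterations)
{
    if (iterations <= 0)
        return -1;
    /* Touching the pages matters: fork() has to copy page tables for
     * every mapped, touched page, which is the cost vfork() avoids. */
    g_heap = malloc(HEAP_BYTES);
    if (g_heap == NULL)
        return -1;
    memset(g_heap, 0xA5, HEAP_BYTES);

    long long start = now_ns();
    for (int i = 0; i < iterations; i++) {
        pid_t pid;
        int status;
        if (use_vfork)
            pid = vfork();
        else
            pid = fork();
        if (pid < 0) {
            free(g_heap);
            return -1;
        }
        if (pid == 0)
            _exit(0);
        if (waitpid(pid, &status, 0) < 0) {
            free(g_heap);
            return -1;
        }
    }
    long long elapsed = now_ns() - start;

    free(g_heap);
    g_heap = NULL;
    return elapsed / iterations;
}

int main(void)
{
    int n = 200;
    long long f = avg_spawn_ns(0, n);
    long long v = avg_spawn_ns(1, n);
    printf("measured fork time:  %lld nsecs\n", f);
    printf("measured vfork time: %lld nsecs\n", v);
    if (f > 0 && v > 0)
        printf("fork() costs %.1f%% more than vfork() here\n", 100.0 * (double)(f - v) / (double)v);
    return 0;
}
```

 Run it a few times and on an idle machine; the first iterations pay for page
 faults and scheduler warm-up, so a larger iteration count gives steadier
 averages. The gap grows with the size of the touched address space, which is
 why the heap is committed before timing starts.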

From: Nate Eldredge <neldredge@math.ucsd.edu>
To: bug-followup@FreeBSD.org, 666.root@gmail.com
Cc:  
Subject: Re: bin/125185: csh(1) exit on signal 11
Date: Wed, 3 Dec 2008 16:41:36 -0800 (PST)

 This is incorporated into bin/129405.
 
 -- 
 
 Nate Eldredge
 neldredge@math.ucsd.edu
State-Changed-From-To: open->closed 
State-Changed-By: jh 
State-Changed-When: Thu Nov 24 16:22:21 UTC 2011 
State-Changed-Why:  
Incorporated into bin/129405. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=125185 
>Unformatted:
