From nobody@FreeBSD.ORG  Mon Jul 17 11:35:06 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 9BB2B37BCAF; Mon, 17 Jul 2000 11:34:58 -0700 (PDT)
Message-Id: <20000717183458.9BB2B37BCAF@hub.freebsd.org>
Date: Mon, 17 Jul 2000 11:34:58 -0700 (PDT)
From: pfeifer@dbai.tuwien.ac.at
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: sh dumps core reproducibly
X-Send-Pr-Version: www-1.0

>Number:         19983
>Category:       bin
>Synopsis:       sh dumps core reproducibly
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    tegge
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 17 11:40:01 PDT 2000
>Closed-Date:    Wed Aug 16 14:08:18 MEST 2000
>Last-Modified:  Wed Aug 16 14:08:42 MEST 2000
>Originator:     Gerald Pfeifer
>Release:        4.0-RELEASE
>Organization:
>Environment:
FreeBSD taygeta.dbai.tuwien.ac.at 4.0-RELEASE FreeBSD 4.0-RELEASE #0: Wed Jul 12 21:20:37 CEST 2000
root@taygeta.dbai.tuwien.ac.at:/usr/src/sys/compile/GERALD_MADE_4.0  i386
>Description:
I consistently get the following core dump from /bin/sh for the script
listed under "How to repeat":

  sh in free(): warning: junk pointer, too low to make sense.
  Segmentation fault

I tested this on two 4.0-RELEASE boxes. Another box, running 3.4-RELEASE,
aborts a bit differently.

  sh in free(): warning: junk pointer, too low to make sense.
  Oops, stackp deleted
  Abort trap

>How-To-Repeat:
Run the script below in a large directory tree (which is not necessarily
a CVS tree) like /usr/share. After about 12 directories the segmentation
fault happens.

Nearly any modification of this script -- even removing some parameters
of the cvs command! -- makes the problem go away!

---- cut ----
#!/bin/sh

find `pwd` -type d -exec echo {} \; |
    while read name; do
        dir=`dirname $name`
        if [ -d $dir ]; then
            echo "Updating $dir"

            visited="$visited:$dir"

            cd $dir
            cvs -q update -PAd -l
        fi
    done

>Fix:


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: sheldonh 
State-Changed-When: Tue Jul 18 09:39:27 PDT 2000 
State-Changed-Why:  
Iffy-looking How-To-Repeat. :-) 

Could you compile a debuggable sh binary and send a backtrace of the     
dump to <freebsd-gnats-submit@FreeBSD.ORG>, preserving this subject      
line? 

That should help the maintainer of the shell significantly.   



Responsible-Changed-From-To: freebsd-bugs->cracauer 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Tue Jul 18 09:39:27 PDT 2000 
Responsible-Changed-Why:  
Over to the Bourne Identity. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19983 

From: Gerald Pfeifer <pfeifer@dbai.tuwien.ac.at>
To: sheldonh@freebsd.org
Cc: freebsd-gnats-submit@freebsd.org, cracauer@freebsd.org
Subject: Re: bin/19983: sh dumps core reproducibly
Date: Wed, 19 Jul 2000 00:19:36 +0200 (CEST)

 On Tue, 18 Jul 2000 sheldonh@freebsd.org wrote:
 > Could you compile a debuggable sh binary and send a backtrace of the    
 > dump to <freebsd-gnats-submit@FreeBSD.ORG>, preserving this subject     
 > line?
 > 
 > That should help the maintainer of the shell significantly.  
 
 Here we go! Fortunately, the debug binary also crashes. ;-)
 
 Program terminated with signal 11, Segmentation fault.
 #0  popstackmark (mark=0xbfbfd79c) at memalloc.c:191
 191                     stackp = sp->prev;
 (gdb) bt
 #0  popstackmark (mark=0xbfbfd79c) at memalloc.c:191
 #1  0x804b9a7 in evalcommand (cmd=0x80a32d4, flags=0, backcmd=0x0)
     at eval.c:917
 #2  0x804a8f9 in evaltree (n=0x80a32d4, flags=0) at eval.c:269
 #3  0x804a863 in evaltree (n=0x80a32e4, flags=0) at eval.c:241
 #4  0x804a772 in evaltree (n=0x80a332c, flags=0) at eval.c:203
 #5  0x804a772 in evaltree (n=0x80a33b4, flags=0) at eval.c:203
 #6  0x804a863 in evaltree (n=0x809e484, flags=0) at eval.c:241
 #7  0x804a863 in evaltree (n=0x80a33c4, flags=0) at eval.c:241
 #8  0x804a9ef in evalloop (n=0x809e3c0) at eval.c:317
 #9  0x804a882 in evaltree (n=0x809e3c0, flags=1) at eval.c:248
 #10 0x804ae21 in evalpipe (n=0x809e39c) at eval.c:511
 #11 0x804a8ea in evaltree (n=0x809e39c, flags=0) at eval.c:266
 #12 0x80517f3 in cmdloop (top=1) at main.c:253
 #13 0x8051713 in main (argc=2, argv=0xbfbfd938) at main.c:202
 #14 0x80480e9 in _start ()
 
 I could reproduce the bug with a debug version of sh both on 3.4 and 4.0:
 
 Please note that nearly *any* change to the script makes the bug go away,
 even replacing `pwd` by some fixed path! Weird.
 
 Gerald
 -- 
 Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/
 Have a look at http://petition.eurolinux.org -- it's not about Linux, btw!
 
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: cracauer@FreeBSD.org
Cc: tegge@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/19983: sh dumps core reproducibly
Date: Mon, 07 Aug 2000 11:42:08 +0200

 Hi Martin,
 
 May I assign bin/19983 to Tor, who's come up with a patch, or would you
 still like to own this?  I ask because I know that you've got very
 little time available for FreeBSD at the moment.
 
 Ciao,
 Sheldon.
 
State-Changed-From-To: feedback->open 
State-Changed-By: sheldonh 
State-Changed-When: Mon Aug 7 02:55:26 PDT 2000 
State-Changed-Why:  
Feedback was sent but didn't seem to make it into the 
audit trail. 


Responsible-Changed-From-To: cracauer->tegge 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Mon Aug 7 02:55:26 PDT 2000 
Responsible-Changed-Why:  
Tor has a patch that Martin is happy with. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19983 

From: Martin Cracauer <cracauer@cons.org>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: cracauer@FreeBSD.ORG, tegge@FreeBSD.ORG,
	freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/19983: sh dumps core reproducibly
Date: Mon, 7 Aug 2000 11:54:10 +0200

 In <8616.965641328@axl.ops.uunet.co.za>, Sheldon Hearn wrote: 
 > 
 > May I assign bin/19983 to Tor, who's come up with a patch, or would you
 > still like to own this?  I ask because I know that you've got very
 > little time available for FreeBSD at the moment.
 
 Actually, my timeconsumer ended with a full day of talking to very
 nice and bright hackers a few thousand miles away last Friday :-)
 
 I'm cleaning up some things and will restart on my PRs soon.
 
 Having said this, I see no reason not to commit this particular patch
 and close the PR right now.
 
 Martin
 -- 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 Martin Cracauer <cracauer@cons.org> http://www.cons.org/cracauer/
 BSD User Group Hamburg, Germany     http://www.bsdhh.org/
 
State-Changed-From-To: open->closed 
State-Changed-By: cracauer 
State-Changed-When: Wed Aug 16 14:08:18 MEST 2000 
State-Changed-Why:  
Fix in -current.  Will be in 4-stable soon. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19983 
>Unformatted:
