Roland Mainz
2013-07-30 18:58:28 UTC
Hi!
----
Attached (as "shbfc_compiled_demo1_short_int_wrong_index.sh.gz") is a compressed (broken) demo script (created via the "brainfuck2shell" (see http://en.wikipedia.org/wiki/Brainfuck) compiler demo script - see http://svn.nrubsig.org/svn/people/gisburn/scripts/shbfc.sh and then filtered via $ ~/bin/ksh shbfc.sh '#demo1' | sed 's/integer -u/typeset -s -i/g' # to force the use of short integers) which triggers a crash in ast-ksh.2013-07-27 on SuSE 12.3/AMD64.
The stack trace looks like this:
-- snip --
Program received signal SIGSEGV, Segmentation fault.
0x000000000044426f in nv_putval (np=0x7ffff7f2ce80,
string=0x7fffffffc390 "", flags=26)
at /home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/name.c:1837
1837 *(up->sp) = s+(int16_t)l;
(gdb) where
#0 0x000000000044426f in nv_putval (np=0x7ffff7f2ce80,
string=0x7fffffffc390 "", flags=26)
at /home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/name.c:1837
#1 0x000000000049e776 in arith (ptr=0x7fffffffc458,
lvalue=0x7fffffffc410, type=1, n=12)
at /home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/arith.c:238
#2 0x000000000045cc53 in arith_exec (ep=0x7ffff7f437c0) at
/home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/streval.c:307
#3 0x000000000046cdd8 in sh_exec (shp=0x803260 <sh>,
t=0x7ffff7f42e70, flags=516)
at /home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/xec.c:2530
#4 0x000000000046c9c3 in sh_exec (shp=0x803260 <sh>,
t=0x7ffff7f42cb0, flags=4) at
/home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/xec.c:2471
#5 0x000000000046ba87 in sh_exec (shp=0x803260 <sh>,
t=0x7ffff70bf5d0, flags=6) at
/home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/xec.c:2223
#6 0x0000000000471841 in sh_funscope_20120720 (shp=0x803260 <sh>,
argn=1, argv=0x7ffff7f1cba8, fun=0x0, arg=0x7fffffffd900, execflg=4)
at /home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/xec.c:4040
#7 0x000000000046fa28 in sh_funct (shp=0x803260 <sh>,
np=0x7ffff7f2cf40, argn=1, argv=0x7ffff7f1cba8, envlist=0x0,
execflg=4)
at /home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/xec.c:3376
#8 0x0000000000469505 in sh_exec (shp=0x803260 <sh>,
t=0x7ffff7f1cb40, flags=4) at
/home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/xec.c:1559
#9 0x000000000040f472 in exfile (shp=0x803260 <sh>,
iop=0x7ffff7ee0df0, fno=11) at
/home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/main.c:603
#10 0x000000000040e6bd in sh_main (ac=2, av=0x7fffffffe258,
userinit=0x0) at
/home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/main.c:375
#11 0x000000000040d891 in main (argc=2, argv=0x7fffffffe258) at
/home/test001/work/ast_ksh_20130727/build_i386_64bit_debug_patched/src/cmd/ksh93/sh/pmain.c:45
(gdb) print up
$1 = (union Value *) 0x7ffff7f2cea8
(gdb) print *up->sp
Cannot access memory at address 0xd
-- snip --
Note that the script shouldn't work (because (( p=2**17 )) overflows a
|int16_t| as declared via $ typeset -s -i p # but it should not crash
the shell either... ;-/
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz at nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 3992797
(;O/ \/ \O;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shbfc_compiled_demo1_short_int_wrong_index.sh.gz
Type: application/x-gzip
Size: 4821 bytes
Desc: not available
URL: <http://lists.research.att.com/pipermail/ast-developers/attachments/20130730/7aa02d94/attachment.gz>
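The failure mode in the trace above (a store through `up->sp` that turns out to be the address 0xd, reached from an out-of-range assignment to a `typeset -s -i` variable) can be modelled in a few lines of C. The following is an added example and is not ksh93 source: `union value`, `struct cell`, `value_kind`, `put_checked` and the other names are hypothetical, and the layout is a constructed model of an untagged union that holds either an inline short or a pointer to one, not a claim about how ksh93's `union Value` is laid out or what the actual root cause of this crash is. It shows why a small inline integer read through the pointer member comes out as an address like 0xd, how the plain `(int16_t)` cast wraps 2**17 to 0, and what a storage-kind and range check before the indirection looks like.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical storage kinds for one shell-variable cell (constructed). */
enum value_kind { VK_NONE = 0, VK_INLINE_I16, VK_PTR_I16 };

/* Constructed untagged union in the spirit of the shell's `union Value`:
 * the same bytes are either a short stored inline or a pointer to one. */
union value {
    int16_t  inline_i16;
    int16_t *sp;
};

/* The cell adds the tag the raw union lacks. */
struct cell {
    enum value_kind kind;
    union value     up;
};

enum set_result { SET_OK = 0, SET_NO_STORAGE, SET_RANGE };

/* Plain C truncation, what `(int16_t)l` does to 2**17: 131072 -> 0. */
static int16_t wrap_i16(long l)
{
    return (int16_t)l;
}

/* Unchecked store modelled on `*(up->sp) = s+(int16_t)l;`: correct only
 * when the cell really holds a pointer. On an inline cell the short's
 * bits are reinterpreted as an address and the store faults. */
static void put_unchecked(struct cell *c, long l)
{
    *(c->up.sp) = (int16_t)l;
}

/* Checked store: consult the tag before any indirection and refuse a
 * value that does not fit int16_t instead of silently wrapping it. */
static enum set_result put_checked(struct cell *c, long l)
{
    if (l < INT16_MIN || l > INT16_MAX)
        return SET_RANGE;
    switch (c->kind) {
    case VK_INLINE_I16:
        c->up.inline_i16 = (int16_t)l;
        return SET_OK;
    case VK_PTR_I16:
        if (c->up.sp == NULL)
            return SET_NO_STORAGE;
        *(c->up.sp) = (int16_t)l;
        return SET_OK;
    default:
        return SET_NO_STORAGE;
    }
}

/* Build a zeroed cell of the given kind; VK_PTR_I16 cells point at *slot. */
static struct cell make_cell(enum value_kind kind, int16_t *slot)
{
    struct cell c;
    memset(&c, 0, sizeof c);
    c.kind = kind;
    if (kind == VK_PTR_I16)
        c.up.sp = slot;
    return c;
}

/* Result of one checked store on a fresh cell of the given kind. */
static enum set_result store_on(enum value_kind kind, long l)
{
    int16_t slot = 0;
    struct cell c = make_cell(kind, &slot);
    return put_checked(&c, l);
}

/* Value left behind by one checked store (0 when the store was refused). */
static int16_t stored_after(enum value_kind kind, long l)
{
    int16_t slot = 0;
    struct cell c = make_cell(kind, &slot);
    if (put_checked(&c, l) != SET_OK)
        return 0;
    return kind == VK_PTR_I16 ? slot : c.up.inline_i16;
}

/* What the pointer member reads as when an inline cell is misread
 * (little-endian: inline 13 shows up as address 0xd, as in the trace). */
static uintptr_t misread_pointer(int16_t inline_value)
{
    struct cell c = make_cell(VK_INLINE_I16, NULL);
    c.up.inline_i16 = inline_value;
    return (uintptr_t)c.up.sp;
}

int main(void)
{
    int16_t slot = 0;
    struct cell c = make_cell(VK_PTR_I16, &slot);
    put_unchecked(&c, 7);                /* fine: sp is a real pointer */
    printf("pointer cell holds %d\n", slot);
    printf("2**17 wraps to %d; checked store result %d\n",
           wrap_i16(1L << 17), store_on(VK_PTR_I16, 1L << 17));
    printf("inline 13 misread as pointer: %#lx\n",
           (unsigned long)misread_pointer(13));
    return 0;
}
```

Build with `cc -std=c11 -Wall`. `main` only ever calls `put_unchecked` on a cell whose `sp` is a real pointer; calling it on an inline cell is the modelled bug and would fault exactly as the shell does, which is why the checked variant looks at `kind` first and reports the out-of-range value rather than wrapping it.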