Bug 197968
Summary: | tcsh crashes during tab completion | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Charles R. Anderson <cra> | ||||||||
Component: | tcsh | Assignee: | Miloslav Trmač <mitr> | ||||||||
Status: | CLOSED ERRATA | QA Contact: | Bill Huang <bhuang> | ||||||||
Severity: | medium | Docs Contact: | |||||||||
Priority: | medium | ||||||||||
Version: | 5 | ||||||||||
Target Milestone: | --- | ||||||||||
Target Release: | --- | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | 6.14-6.fc5.3 | Doc Type: | Bug Fix | ||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2006-08-29 14:40:08 UTC | Type: | --- | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Attachments: |
|
Description
Charles R. Anderson
2006-07-07 19:02:22 UTC
I can't see anything related to tab completion in the changes between 6.14-1 and 6.14-1.fc4.2, nor any other obvious bug. Please add "limit coredumpsize unlimited" to your ~/.tcshrc. If tcsh crashes again, it should create a core.* file containing a memory dump; please attach the generated file to this report, along with identification of the precise tcsh package version which crashed. Created attachment 133332 [details] tcsh core dump Finally reproduced it consistently: scp fooo:/etc/foo<tab>Segmentation fault Attached core file, which I cannot get a good decode from. > rpm -qa \*debuginfo\* libtermcap-debuginfo-2.0.8-45 glibc-debuginfo-common-2.4-9 glibc-debuginfo-2.4-9 dvd+rw-tools-debuginfo-6.1-0.FC5.2 tcsh-debuginfo-6.14-6.fc5.2 cdrtools-debuginfo-2.01.01.0.a10-0.FC5.1 >gdb /bin/tcsh GNU gdb Red Hat Linux (6.3.0.0-1.122rh) Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1". (gdb) core core.10622 Reading symbols from shared object read from target memory...done. Loaded system supplied DSO at 0x4357c000 Core was generated by `-tcsh'. Program terminated with signal 11, Segmentation fault. warning: svr4_current_sos: Can't read pathname for load map: Input/output error Reading symbols from /lib/libtermcap.so.2...Reading symbols from /usr/lib/debug/lib/libtermcap.so.2.0.8.debug...done. done. Loaded symbols for /lib/libtermcap.so.2 Reading symbols from /lib/libcrypt.so.1...Reading symbols from /usr/lib/debug/lib/libcrypt-2.4.so.debug...done. done. Loaded symbols for /lib/libcrypt.so.1 Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.4.so.debug...done. done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.4.so.debug...done. done. Loaded symbols for /lib/ld-linux.so.2 #0 0x48070c27 in ?? () (gdb) where #0 0x48070c27 in ?? () #1 0xffbbf028 in ?? () #2 0xffbbf040 in ?? () #3 0x40000006 in ?? () #4 0x40001000 in ?? () #5 0x40000fff in ?? () #6 0x40000001 in ?? () #7 0x480b9a54 in ?? () #8 0x00000000 in ?? () (gdb) Thanks. Unfortunately I can't find anything useful in the core file either. Do you have a way to reliably reproduce the crash? Typing "scp fooo:/etc/foo" (or even "scp dhcp1:/etc/pas" as the core seems to suggest) and pressing <tab> doesn't cause a crash for me, only causes an error message: dhcp1:/etc/ not found If you do have a way to reproduce the crash, please try to capture a strace of the tcsh process while it crashes; it should be enough to start the tcsh process and then start a strace from a different shell, using (strace -p $tcsh_pid). Created attachment 133745 [details]
strace of tcsh crashing
Yes, I can reproduce it reliably with "scp dhcp1:/etc/pas" or indeed any four
characters before the colon and three characters after the /etc/.
Here is the strace from the crash.
Created attachment 133757 [details]
gdb breakpoints
It seems to be crashing in tw.comp.c:tw_find(). Here are my debugging efforts
so far.
I may have been mistaken above. It seems to be reproducibly breaking here. Check out the stack corruption as quote() is about to return. (gdb) n 483 *dp++ |= QUOTE; (gdb) bt #0 quote (cp=0xbf859d58) at sh.misc.c:483 #1 0x0806eb71 in tw_fixword (looking=Variable "looking" is not available. ) at tw.parse.c:1226 #2 0x0806f0be in t_search (word=0xbf85e1b8, wp=0xbf85e1d0, command=SPELL, max_word_length=4096, looking=4, list_max=1, pat=0x80b9a54, suf=0) at tw.parse.c:1711 #3 0x08070c27 in spell_me (oldname=0xbf862254, oldsize=8189, looking=4095, pat=0x80b9a54, suf=0) at tw.spell.c:84 #4 0x08070924 in tenematch (inputline=0x80ba340, num_read=18, command=RECOGNIZE) at tw.parse.c:314 #5 0x0807e477 in Inputl () at ed.inputl.c:392 #6 0x080607ab in readc (wanteof=0) at sh.lex.c:1800 #7 0x08062a9b in lex (hp=0x80ca3bc) at sh.lex.c:173 #8 0x0804add7 in process (catch=1) at sh.c:2097 #9 0x0804d611 in main (argc=0, argv=0xbf88b6b4) at sh.c:1362 #10 0x435af4e4 in __libc_start_main (main=0x804c7d0 <main>, argc=2, ubp_av=0xbf88b6b4, init=0x808aca0 <__libc_csu_init>, fini=0x808ac98 <__libc_csu_fini>, rtld_fini=0x4358af30 <_dl_fini>, stack_end=0xbf88b6ac) at libc-start.c:231 #11 0x0804aac1 in _start () (gdb) l 231 result = main (argc, argv, __environ MAIN_AUXVEC_PARAM); 232 } 233 else 234 { 235 /* Remove the thread-local data. */ 236 # ifdef SHARED 237 __libc_pthread_functions.ptr__nptl_deallocate_tsd (); 238 # else 239 extern void __nptl_deallocate_tsd (void) __attribute ((weak)); 240 __nptl_deallocate_tsd (); (gdb) n 482 while (*dp != '\0') (gdb) l 477 { 478 Char *dp = cp; 479 480 if (!cp) 481 return (cp); 482 while (*dp != '\0') 483 *dp++ |= QUOTE; 484 return (cp); 485 } 486 (gdb) b 484 Breakpoint 2 at 0x80631f3: file sh.misc.c, line 484. (gdb) c Continuing. Breakpoint 2, quote (cp=0xbf859d58) at sh.misc.c:485 485 } (gdb) bt #0 quote (cp=0xbf859d58) at sh.misc.c:485 #1 0x0806eb71 in tw_fixword (looking=Variable "looking" is not available. ) at tw.parse.c:1226 #2 0x0806f0be in t_search (word=0xbf85e1b8, wp=0xff85e1d0, command=1073741830, max_word_length=1073745920, looking=4, list_max=1073741825, pat=0x480b9a54, suf=0) at tw.parse.c:1711 #3 0x48070c27 in ?? () #4 0xff85e1b8 in ?? () #5 0xff85e1d0 in ?? () #6 0x40000006 in ?? () #7 0x40001000 in ?? () #8 0x40000fff in ?? () #9 0x40000001 in ?? () #10 0x480b9a54 in ?? () #11 0x00000000 in ?? () (gdb) Thanks, I think I have found the cause. Can you test rawhide tcsh-6.14-10, please? My test case no longer crashes. Thanks. Great! Thanks a lot for the debugging help. tcsh-6.14-6.fc5.3 has been pushed for fc5, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report. tcsh-6.14-6.fc5.3 has been pushed for fc5, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report. |