Bug 743840

Summary: ksh segfaults on oop code
Product: Red Hat Enterprise Linux 6
Reporter: Miroslav Franc <mfranc>
Component: ksh
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED ERRATA
QA Contact: qe-baseos-tools-bugs
Severity: medium
Priority: unspecified
Version: 6.2
CC: mfranc, mhlavink, ohudlick, ovasik, pmuller, prc
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: ksh-20100621-14.el6
Doc Type: Bug Fix
Story Points: ---
Clone Of: 743837
: 972732
Last Closed: 2012-06-20 14:47:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 743837
Bug Blocks: 972732
Attachments:
Description: patch to fix this; Flags: none

Description Miroslav Franc 2011-10-06 09:36:30 UTC
+++ This bug was initially created as a clone of Bug #743837 +++

Description of problem:
ssia

Version-Release number of selected component (if applicable):
ksh-20110630-3.fc15.x86_64 # Fedora 15
ksh-20100621-10.el6.x86_64 # RHEL6

How reproducible:
always

Steps to Reproduce:
1. put the following code in the file and run it with ksh
---
typeset -T Something_t=(
    typeset -liSh 'number of objects' count=0
    typeset -lih 'some value' value=0

    create() {
        (( _.count++))
    }
)

.sh.type.Something_t=(value=42)
Something_t n1=()
Something_t n2=n1
---
  
Actual results:
segfault

Expected results:
no segfault

Additional info:
# haven't tried it on i386
# backtrace from fedora version ksh-20110630-3.fc15.x86_64
Program terminated with signal 11, Segmentation fault.
#0  0x000000000040a06e in putdisc (fp=<optimized out>, np=<optimized out>, val=<optimized out>, flag=<optimized out>) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/nvdisc.c:605
605                             if((mp=vp->bltins[i]) && !nv_isattr(mp,NV_NOFREE))
(gdb) bt
#0  0x000000000040a06e in putdisc (fp=<optimized out>, np=<optimized out>, val=<optimized out>, flag=<optimized out>) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/nvdisc.c:605
#1  putdisc (np=0x283dd10, val=<optimized out>, flag=<optimized out>, fp=0x283dd90) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/nvdisc.c:595
#2  0x000000000043d413 in _nv_unset (np=0x283dd10, flags=8193) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/name.c:2491
#3  0x000000000040c5ba in put_type (np=0x283dd10, val=0x283dd60 "n1", flag=8193, fp=0x283de10) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/nvtype.c:556
#4  0x0000000000443c47 in put_tree (np=0x283dd10, val=0x283dd60 "n1", flags=1, fp=0x283ddd0) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/nvtree.c:1133
#5  0x000000000040a00e in putdisc (np=0x283dd10, val=0x283dd60 "n1", flag=1, fp=0x283dd90) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/nvdisc.c:597
#6  0x000000000043b154 in nv_putval (np=0x283dd10, string=0x283dd60 "n1", flags=1) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/name.c:1572
#7  0x000000000040fa72 in nv_settype (np=0x283dd10, tp=<optimized out>, flags=<optimized out>) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/nvtype.c:1395
#8  0x0000000000473da4 in b_common (argv=0x282f1b8, flag=512, troot=0x282c6a0, tp=0x7ffff8632fc0) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/bltins/typeset.c:705
#9  0x000000000047579f in b_typeset (argc=2, argv=0x282f1b0, extra=<optimized out>) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/bltins/typeset.c:448
#10 0x000000000045d441 in sh_exec (t=0x282f110, flags=5) at /usr/src/debug/ksh-20110630/src/cmd/ksh93/sh/xec.c:1287
#11 0x0000000000408838 in exfile ()
#12 0x0000000000407c77 in sh_main ()
#13 0x0000003bdf82139d in __libc_start_main (main=0x406ec0 <main>, argc=2, ubp_av=0x7ffff86338c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7ffff86338b8) at libc-start.c:226
#14 0x0000000000406ef1 in _start ()

Comment 1 Michal Hlavinka 2011-11-03 09:01:48 UTC
Answer from upstream:
==================================
The problem is that the .sh.type variable should be readonly by scripts.
If you remove the line
	.sh.type.Something_t=(value=42)
it should not core dump.  I will make .sh.type readonly for the next
release.
==================================

Comment 3 Michal Hlavinka 2012-02-23 07:26:48 UTC
Created attachment 565208
patch to fix this

Comment 6 errata-xmlrpc 2012-06-20 14:47:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0952.html
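
A regression check built around the reproducer in the description, as an added example that is not part of the original report or of the ksh project: it runs the script in a child process and reports whether the interpreter died from a signal. The function name `check_ksh_type_crash` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: regression check for its reproducer.
# check_ksh_type_crash INTERPRETER   (function name and codes are assumptions)
#   returns 0: interpreter exited on its own (status <= 128, error or not)
#   returns 1: interpreter was killed by a signal (139 = 128 + SIGSEGV)
#   returns 2: interpreter missing, or no temporary file could be created
check_ksh_type_crash() {
    interp=$1
    command -v "$interp" >/dev/null 2>&1 || return 2
    script=$(mktemp) || return 2

    # Reproducer copied from the bug description above.
    cat >"$script" <<'EOF'
typeset -T Something_t=(
    typeset -liSh 'number of objects' count=0
    typeset -lih 'some value' value=0

    create() {
        (( _.count++))
    }
)

.sh.type.Something_t=(value=42)
Something_t n1=()
Something_t n2=n1
EOF

    # Run in a child process so a crash cannot take down the caller.
    # "|| status=$?" keeps the function usable under "set -e".
    status=0
    "$interp" "$script" >/dev/null 2>&1 || status=$?
    rm -f "$script"

    # A POSIX shell reports death by signal N as exit status 128+N.
    [ "$status" -gt 128 ] && return 1
    return 0
}
```

Call it as `check_ksh_type_crash ksh` or with the full path of the binary under test. Any exit without a signal, including an error status, counts as the expected "no segfault" result.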