Bug 1105139 - ksh segfaults if unset running function from another one
Summary: ksh segfaults if unset running function from another one
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ksh
Version: 20
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-05 13:22 UTC by Filip Krska
Modified: 2014-09-05 22:22 UTC (History)

Fixed In Version: ksh-20120801-19.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of: 1105138
Environment:
Last Closed: 2014-09-05 22:21:27 UTC
Type: Bug
Embargoed:



Description Filip Krska 2014-06-05 13:22:54 UTC
Reproduces with ksh-20120801-17.fc20.x86_64 as well.

+++ This bug was initially created as a clone of Bug #1105138 +++

Description of problem:

When leaving a function which was unset in the meantime, ksh segfaults on the line:

/usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/xec.c:3573		np->nvalue.rp->running  -= 2;

because np->nvalue.rp is cleared to 0x0 via _nv_unset upon unset.

Version-Release number of selected component (if applicable):

ksh-20120801-10.el6_5.6.x86_64

How reproducible:

Always

Steps to Reproduce:
1. create a script test.sh:
#!/bin/ksh

function ftest {
        ftest2
}


function ftest2 {
        unset -f ftest
}

ftest


2. run the script

Actual results:

Segmentation fault (core dumped)

Expected results:

No coredump

Additional info:

I'm not sure what the right approach is or whether the behavior is defined in any standard. E.g. bash, zsh (and ksh-20100621 too, hence the Regression keyword) proceed with the unset -f even in the current function and finish the function without any error. However ksh-20120801 refuses to unset a function from itself, thanks to the test in _nv_unset (name.c):

2494		if(is_afunction(np) && np->nvalue.ip)
2495		{
2496			register struct slnod *slp = (struct slnod*)(np->nvenv);
2497			if(shp->st.real_fun == np->nvalue.rp)                      <-- this equals
2498			{
2499				np->nvalue.rp->running |= 1;
2500				return;
2501			}

See reproducer script:

function ftest {
	type ftest
	unset -f ftest
	type ftest
}

type ftest
ftest
type ftest

So either ksh should insist on refusing to unset a function even in the nested case (test np->nvalue.rp->running in _nv_unset?), or test the existence of np->nvalue.rp->running at the end of sh_funct?
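
The following is an added regression check, not part of the bug report or of the ksh package: it runs the two reproducers from the description (the nested unset that crashes ksh-20120801-17, and the direct self-unset that _nv_unset refuses) under a chosen shell and classifies the outcome by exit status, so a fixed build such as ksh-20120801-19.fc20 can be verified without reading a core dump. The shell name, the mode argument and the `survived` marker are this example's own conventions; a shell killed by SIGSEGV reports status 128+11 = 139, which the function maps to return code 1.

```shell
#!/bin/sh
# Added example (not from the bug report): run the reporter's reproducers under
# the shell named in $1 and classify what happened.
# Return codes: 0 = script ran to completion and printed the marker,
#               1 = shell was killed by a signal (segfault = 139) or failed,
#               2 = requested shell is not installed / unknown mode.
check_unset_running_function() {
    shell="$1"
    mode="${2:-nested}"
    command -v "$shell" >/dev/null 2>&1 || return 2

    case "$mode" in
        nested)
            # Reproducer 1: ftest2 unsets ftest while ftest is still on the
            # call stack (the case that segfaults in sh_funct).
            script='
function ftest {
    ftest2
}
function ftest2 {
    unset -f ftest
}
ftest
echo survived'
            ;;
        self)
            # Reproducer 2: ftest unsets itself; ksh-20120801 refuses this
            # in _nv_unset, other shells simply proceed.
            script='
function ftest {
    unset -f ftest
}
ftest
echo survived'
            ;;
        *)
            return 2
            ;;
    esac

    # Run the reproducer in a child shell; capture its stdout and exit status.
    if out=$("$shell" -c "$script" 2>/dev/null); then
        status=0
    else
        status=$?
    fi

    # Exit status above 128 means the child died from a signal (e.g. 139 for
    # SIGSEGV), which is exactly the crash the report describes.
    if [ "$status" -gt 128 ]; then
        return 1
    fi
    [ "$out" = "survived" ] && return 0
    return 1
}

# Usage against the shell under test, e.g.:
#   check_unset_running_function ksh nested; echo "nested: $?"
#   check_unset_running_function ksh self;   echo "self:   $?"
```

Running both modes against the installed ksh before and after updating gives a two-line before/after record for the update feedback; bash and zsh are expected to return 0 in both modes, matching the behaviour the report describes for them.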

Comment 1 Fedora Update System 2014-07-24 15:59:22 UTC
ksh-20120801-19.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ksh-20120801-19.fc19

Comment 2 Fedora Update System 2014-07-24 15:59:31 UTC
ksh-20120801-19.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ksh-20120801-19.fc20

Comment 3 lnie 2014-07-25 03:56:51 UTC
ksh-20120801-19.fc20

Comment 4 lnie 2014-07-25 03:57:51 UTC
ksh-20120801-19.fc20 works

Comment 5 Fedora Update System 2014-07-25 10:04:30 UTC
Package ksh-20120801-19.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ksh-20120801-19.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8804/ksh-20120801-19.fc20
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-09-05 22:21:27 UTC
ksh-20120801-19.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-09-05 22:22:28 UTC
ksh-20120801-19.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

