Description of problem:
I ran emulate sh in zsh.

Version-Release number of selected component:
zsh-5.2-6.fc25

Additional info:
reporter:         libreport-2.8.0
backtrace_rating: 4
cmdline:          zsh
crash_function:   zcontext_save_partial
executable:       /usr/bin/zsh
global_pid:       8235
kernel:           4.10.8-200.fc25.x86_64
pkg_fingerprint:  4089 D8F2 FDB1 9C98
pkg_vendor:       Fedora Project
runlevel:         N 5
type:             CCpp
uid:              1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #2 zcontext_save_partial at context.c:58
 #3 zcontext_save at context.c:82
 #4 parse_string at exec.c:221
 #5 getoutput at exec.c:4094
 #6 stringsubst at subst.c:320
 #7 prefork at subst.c:85
 #8 execcmd at exec.c:3603
 #9 execpline2 at exec.c:1748
 #10 execpline at exec.c:1526
 #11 execlist at exec.c:1284
Created attachment 1270669 File: backtrace
Created attachment 1270670 File: cgroup
Created attachment 1270671 File: core_backtrace
Created attachment 1270672 File: dso_list
Created attachment 1270673 File: environ
Created attachment 1270674 File: exploitable
Created attachment 1270675 File: limits
Created attachment 1270676 File: maps
Created attachment 1270677 File: mountinfo
Created attachment 1270678 File: namespaces
Created attachment 1270679 File: open_fds
Created attachment 1270680 File: proc_pid_status
Created attachment 1270681 File: var_log_messages
The crash happened in the implementation of malloc(), most likely due to infinite call recursion in Zsh. Could you please provide some steps to reproduce? The backtrace seems to go over /usr/share/powerline/zsh/powerline.zsh multiple times but I was not able to trigger it locally.
I tried it several times and it does not always happen. I could reproduce it in the official fedora:25 docker container:

```
docker run --rm -it fedora:25 bash
Unable to find image 'fedora:25' locally
Trying to pull repository docker.io/library/fedora ...
sha256:b44cdaee0feafc85cab454e2023807f66725c727655b6bef260aa6d21dd2b068: Pulling from docker.io/library/fedora
bc5187a39b05: Pull complete
Digest: sha256:b44cdaee0feafc85cab454e2023807f66725c727655b6bef260aa6d21dd2b068
Status: Downloaded newer image for docker.io/fedora:25
[root@bc58f1756ef6 /]# dnf install zsh powerline
Fedora 25 - x86_64 - Updates    25 MB/s |  21 MB  00:00
Fedora 25 - x86_64              61 MB/s |  50 MB  00:00
Last metadata expiration check: 0:00:13 ago on Tue Apr 11 10:19:15 2017.
[...]
Importing GPG key 0xFDB19C98
[...]
Installed:
  aajohan-comfortaa-fonts.noarch 2.004-6.fc24
  fontconfig.x86_64 2.12.1-1.fc25
  fontpackages-filesystem.noarch 1.44-17.fc24
  freetype.x86_64 2.6.5-3.fc25
  http-parser.x86_64 2.7.1-3.fc25
  libgit2.x86_64 0.24.6-1.fc25
  libpng.x86_64 2:1.6.27-1.fc25
  libstdc++.x86_64 6.3.1-1.fc25
  powerline.x86_64 2.5-3.fc25
  powerline-fonts.x86_64 2.5-3.fc25
  python3-cffi.x86_64 1.7.0-2.fc25
  python3-ply.noarch 3.8-2.fc25
  python3-pycparser.noarch 2.14-7.fc25
  python3-pygit2.x86_64 0.24.2-1.fc25
  zsh.x86_64 5.2-6.fc25

Complete!
[root@bc58f1756ef6 /]# echo '. /usr/share/powerline/zsh/powerline.zsh' > ~/.zshrc
[root@bc58f1756ef6 /]# zsh
root /  emulate sh
Segmentation fault (core dumped)
```
Thanks! I was able to reproduce it locally. There seems to be infinite call recursion at the shell level:

```
+zsh:1> emulate sh
+_powerline_set_jobnum:11> _POWERLINE_JOBNUM=0
+_powerline_set_main_keymap_name:1> local REPLY
+_powerline_set_main_keymap_name:2> _powerline_get_main_keymap_name
+_powerline_get_main_keymap_name:1> REPLY=+_powerline_get_main_keymap_name:1> bindkey -lL main
+_powerline_get_main_keymap_name:1> REPLY=main
+_powerline_set_main_keymap_name:3> _powerline_set_true_keymap_name main
+_powerline_set_true_keymap_name:1> _POWERLINE_MODE=main
+_powerline_set_true_keymap_name:2> bindkey -lL main
+_powerline_set_true_keymap_name:2> local plm_bk='bindkey -A emacs main'
+_powerline_set_true_keymap_name:3> [[ 'bindkey -A emacs main' == bindkey\ -A* ]]
+_powerline_set_true_keymap_name:4> _powerline_set_true_keymap_name main
+_powerline_set_true_keymap_name:1> _POWERLINE_MODE=main
+_powerline_set_true_keymap_name:2> bindkey -lL main
+_powerline_set_true_keymap_name:2> local plm_bk='bindkey -A emacs main'
+_powerline_set_true_keymap_name:3> [[ 'bindkey -A emacs main' == bindkey\ -A* ]]
+_powerline_set_true_keymap_name:4> _powerline_set_true_keymap_name main
+_powerline_set_true_keymap_name:1> _POWERLINE_MODE=main
+_powerline_set_true_keymap_name:2> bindkey -lL main
+_powerline_set_true_keymap_name:2> local plm_bk='bindkey -A emacs main'
+_powerline_set_true_keymap_name:3> [[ 'bindkey -A emacs main' == bindkey\ -A* ]]
+_powerline_set_true_keymap_name:4> _powerline_set_true_keymap_name main
```
reported upstream: http://www.zsh.org/mla/workers/2017/msg00623.html
Thanks for figuring out the issue :D
The cause of this bug is an unbounded shell call recursion in powerline, which should be fixed on its own. Based on the upstream discussion, there seems to be no reliable and portable way to prevent zsh from crashing in this situation. We can just make the crash less likely to happen. Either we can decrease the nesting limit for shell calls, or we can make zsh consume less stack memory, perhaps by using the -fconserve-stack flag of GCC?
downstream commit: https://src.fedoraproject.org/cgit/rpms/zsh.git/commit/?id=2524ac47
zsh-5.3.1-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-2d9e10ba5f
Now I get the message `_powerline_set_true_keymap_name:2: job table full` and no segfault. Looks good to me ;)
Thank you for testing the update!
zsh-5.3.1-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-2d9e10ba5f
zsh-5.3.1-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Since zsh-5.4.2-2.fc28 the call depth limit is configurable by $FUNCNEST at run time (500 by default), so the extra GCC flag is no longer needed. I have just backported the upstream commits designed to solve this class of issues: https://src.fedoraproject.org/cgit/rpms/zsh.git/commit/?id=bde7c931
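As an added illustration of the recursion in the trace above and of the $FUNCNEST mitigation (this is not powerline's or zsh's own code), the following zsh script models a keymap-alias resolver in the shape the xtrace shows, beside a version that bounds its own recursion; `resolve_keymap_fragile` and `resolve_keymap` are names chosen here, and the explanation that `emulate sh` turns on KSH_ARRAYS (0-indexed subscripts, so `[3]` picks the alias source instead of its target) is the editor's reading of the trace, not a statement from the thread:

```zsh
#!/usr/bin/env zsh
# Illustration modeled on the trace in this bug, not powerline's code.

# Fragile version: `bindkey -lL main` prints `bindkey -A emacs main`, so the
# alias target is word 3 of that line. Under `emulate sh` the KSH_ARRAYS
# option is set, subscripts become 0-based, and [3] selects "main" instead of
# "emacs"; the function then calls itself with the same name forever until
# the shell runs out of C stack (the segfault reported here) or job slots.
resolve_keymap_fragile() {
    local name=$1
    local line="$(bindkey -lL "$name")"
    if [[ $line == 'bindkey -A'* ]]; then
        resolve_keymap_fragile ${${(z)line}[3]}
    else
        print -r -- "$name"
    fi
}

# Hardened version: pin native zsh option semantics for this function body
# only (emulate -L restores the caller's options on return), refuse a keymap
# that aliases itself, and cap the alias chain instead of trusting the stack.
resolve_keymap() {
    emulate -L zsh
    local name=$1 depth=${2:-0} line target
    if (( depth > 16 )); then
        print -u2 "keymap alias chain too deep at: $name"; return 1
    fi
    line="$(bindkey -lL "$name" 2>/dev/null)" || return 1
    if [[ $line == 'bindkey -A'* ]]; then
        target=${${(z)line}[3]}
        if [[ $target == "$name" ]]; then
            print -u2 "keymap $name aliases itself"; return 1
        fi
        resolve_keymap "$target" $(( depth + 1 ))
    else
        print -r -- "$name"
    fi
}

# Belt and braces: on zsh >= 5.4 the interpreter refuses to nest functions
# deeper than $FUNCNEST (default 500) and reports an error instead of
# overflowing the stack, so even the fragile version cannot crash the shell.
FUNCNEST=100

emulate sh
resolve_keymap main          # prints the real keymap, e.g. emacs or viins
resolve_keymap_fragile main  # zsh >= 5.4: aborts with a FUNCNEST error, no segfault
```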