Created attachment 1279048 [details]
test.sh

Description of problem:
ksh crash due to syntax error

Version-Release number of selected component (if applicable):
ksh-20120801-31.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Run attached script 'test.sh'

Actual results:
ksh crash due to syntax error

Expected results:
ksh should not crash
Created attachment 1279051 [details] ksh-20120801-syntax-error.patch
Comment on attachment 1279051 [details]
ksh-20120801-syntax-error.patch

The fix looks good. On the other hand, I do not think it is complete. I can still see invalid reads while running it under valgrind:

/tmp/test.sh: syntax error at line 30: `}' unexpected
==12417== Invalid read of size 8
==12417==    at 0x4D7644: sfraise (sfraise.c:84)
==12417==    by 0x4C6B52: _sfcleanup (sfmode.c:91)
==12417==    by 0x558440F: __run_exit_handlers (exit.c:83)
==12417==    by 0x5584469: exit (exit.c:105)
==12417==    by 0x41A846: sh_done (fault.c:671)
==12417==    by 0x4076AA: sh_main (main.c:354)
==12417==    by 0x556A400: (below main) (libc-start.c:289)
==12417==  Address 0x59708e0 is 208 bytes inside a block of size 248 free'd
==12417==    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
==12417==    by 0x4A3454: stkexcept (stk.c:182)
==12417==    by 0x4D7687: sfraise (sfraise.c:90)
==12417==    by 0x4C408A: sfclose (sfclose.c:160)
==12417==    by 0x44793B: funct (parse.c:915)
==12417==    by 0x448E1F: item (parse.c:1354)
==12417==    by 0x449D3D: term (parse.c:577)
==12417==    by 0x449F2A: list (parse.c:547)
==12417==    by 0x449F2A: sh_cmd (parse.c:497)
==12417==    by 0x44A318: sh_parse (parse.c:386)
==12417==    by 0x406814: exfile (main.c:563)
==12417==    by 0x4076A0: sh_main (main.c:353)
==12417==    by 0x556A400: (below main) (libc-start.c:289)
==12417==  Block was alloc'd at
==12417==    at 0x4C2FA50: calloc (vg_replace_malloc.c:711)
==12417==    by 0x4A2F1B: stkopen (stk.c:221)
==12417==    by 0x447337: funct (parse.c:851)
==12417==    by 0x448E1F: item (parse.c:1354)
==12417==    by 0x449D3D: term (parse.c:577)
==12417==    by 0x449F2A: list (parse.c:547)
==12417==    by 0x449F2A: sh_cmd (parse.c:497)
==12417==    by 0x44A318: sh_parse (parse.c:386)
==12417==    by 0x406814: exfile (main.c:563)
==12417==    by 0x4076A0: sh_main (main.c:353)
==12417==    by 0x556A400: (below main) (libc-start.c:289)
==12417==
==12417== Invalid read of size 8
==12417==    at 0x4D764E: sfraise (sfraise.c:88)
==12417==    by 0x4C6B52: _sfcleanup (sfmode.c:91)
==12417==    by 0x558440F: __run_exit_handlers (exit.c:83)
==12417==    by 0x5584469: exit (exit.c:105)
==12417==    by 0x41A846: sh_done (fault.c:671)
==12417==    by 0x4076AA: sh_main (main.c:354)
==12417==    by 0x556A400: (below main) (libc-start.c:289)
==12417==  Address 0x59708d8 is 200 bytes inside a block of size 248 free'd
==12417==    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
==12417==    by 0x4A3454: stkexcept (stk.c:182)
==12417==    by 0x4D7687: sfraise (sfraise.c:90)
==12417==    by 0x4C408A: sfclose (sfclose.c:160)
==12417==    by 0x44793B: funct (parse.c:915)
==12417==    by 0x448E1F: item (parse.c:1354)
==12417==    by 0x449D3D: term (parse.c:577)
==12417==    by 0x449F2A: list (parse.c:547)
==12417==    by 0x449F2A: sh_cmd (parse.c:497)
==12417==    by 0x44A318: sh_parse (parse.c:386)
==12417==    by 0x406814: exfile (main.c:563)
==12417==    by 0x4076A0: sh_main (main.c:353)
==12417==    by 0x556A400: (below main) (libc-start.c:289)
==12417==  Block was alloc'd at
==12417==    at 0x4C2FA50: calloc (vg_replace_malloc.c:711)
==12417==    by 0x4A2F1B: stkopen (stk.c:221)
==12417==    by 0x447337: funct (parse.c:851)
==12417==    by 0x448E1F: item (parse.c:1354)
==12417==    by 0x449D3D: term (parse.c:577)
==12417==    by 0x449F2A: list (parse.c:547)
==12417==    by 0x449F2A: sh_cmd (parse.c:497)
==12417==    by 0x44A318: sh_parse (parse.c:386)
==12417==    by 0x406814: exfile (main.c:563)
==12417==    by 0x4076A0: sh_main (main.c:353)
==12417==    by 0x556A400: (below main) (libc-start.c:289)
==12417==
==12417== Invalid read of size 8
==12417==    at 0x4D7684: sfraise (sfraise.c:90)
==12417==    by 0x4C6B52: _sfcleanup (sfmode.c:91)
==12417==    by 0x558440F: __run_exit_handlers (exit.c:83)
==12417==    by 0x5584469: exit (exit.c:105)
==12417==    by 0x41A846: sh_done (fault.c:671)
==12417==    by 0x4076AA: sh_main (main.c:354)
==12417==    by 0x556A400: (below main) (libc-start.c:289)
==12417==  Address 0x59708d8 is 200 bytes inside a block of size 248 free'd
==12417==    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
==12417==    by 0x4A3454: stkexcept (stk.c:182)
==12417==    by 0x4D7687: sfraise (sfraise.c:90)
==12417==    by 0x4C408A: sfclose (sfclose.c:160)
==12417==    by 0x44793B: funct (parse.c:915)
==12417==    by 0x448E1F: item (parse.c:1354)
==12417==    by 0x449D3D: term (parse.c:577)
==12417==    by 0x449F2A: list (parse.c:547)
==12417==    by 0x449F2A: sh_cmd (parse.c:497)
==12417==    by 0x44A318: sh_parse (parse.c:386)
==12417==    by 0x406814: exfile (main.c:563)
==12417==    by 0x4076A0: sh_main (main.c:353)
==12417==    by 0x556A400: (below main) (libc-start.c:289)
==12417==  Block was alloc'd at
==12417==    at 0x4C2FA50: calloc (vg_replace_malloc.c:711)
==12417==    by 0x4A2F1B: stkopen (stk.c:221)
==12417==    by 0x447337: funct (parse.c:851)
==12417==    by 0x448E1F: item (parse.c:1354)
==12417==    by 0x449D3D: term (parse.c:577)
==12417==    by 0x449F2A: list (parse.c:547)
==12417==    by 0x449F2A: sh_cmd (parse.c:497)
==12417==    by 0x44A318: sh_parse (parse.c:386)
==12417==    by 0x406814: exfile (main.c:563)
==12417==    by 0x4076A0: sh_main (main.c:353)
==12417==    by 0x556A400: (below main) (libc-start.c:289)

Surprisingly, those invalid reads do not occur with ksh-20120801-34.el7.
This crash was caused by compiler optimizations and can be fixed by making the 'savstak' variable volatile. This[1] is the fix used by upstream to avoid the crash. Thanks kdudka for helping me find the fix.

[1] https://github.com/att/ast/blob/c506cb548d9b4bcebef92c86e948657728760e15/src/cmd/ksh93/sh/parse.c#L762
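The comment above names the mechanism without showing it, so here is an added, self-contained illustration of why a `volatile` qualifier on a local fixes this class of crash. It is not code from the bug, the attached patch or the ksh sources: the `Stack`, `stack_open`, `stack_close`, `parse_body` and `parse_function` names are hypothetical stand-ins for a parser that saves a scratch-stack pointer in a local, installs a recovery point, and must release that stack on both the normal and the error path. Plain `setjmp`/`longjmp` is used in place of the signal-aware variants as a simplification.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a parser scratch stack (hypothetical, not ksh's
 * own type): a heap block that the error path must release exactly once. */
typedef struct {
    char *buf;
    size_t used;
} Stack;

static int closes;  /* number of stacks released so far, for checking */

static Stack *stack_open(void)
{
    Stack *s = calloc(1, sizeof *s);
    if (!s)
        abort();
    s->buf = malloc(64);
    if (!s->buf)
        abort();
    return s;
}

static void stack_close(Stack *s)
{
    free(s->buf);
    free(s);
    closes++;
}

int stack_closes(void)
{
    return closes;
}

/* Recovery point installed by parse_function(); a syntax error unwinds
 * to it instead of returning through the normal path. */
static jmp_buf syntax_error_ctx;

/* Simulated parser body: 'fail' stands in for hitting an unexpected token. */
static void parse_body(int fail)
{
    if (fail)
        longjmp(syntax_error_ctx, 1);
}

/* Hypothetical parse_function(): open a scratch stack, remember it in a
 * local, parse, and release the stack on both the normal and the error path.
 * Returns 0 on success, 1 when the error path ran. */
int parse_function(int fail)
{
    /* The local is written AFTER setjmp and read AFTER longjmp. Without
     * 'volatile' the compiler may keep it in a register that longjmp does
     * not restore, so the error path would see an indeterminate value
     * (C11 7.13.2.1p3). The qualifier forces the value to live in memory,
     * which is the idea behind the upstream fix referenced above. */
    Stack * volatile savstak = NULL;

    if (setjmp(syntax_error_ctx) != 0) {
        /* error path: savstak still names the stack opened below */
        if (savstak)
            stack_close(savstak);
        return 1;
    }

    savstak = stack_open();     /* modified after setjmp */
    parse_body(fail);
    stack_close(savstak);       /* normal path */
    return 0;
}

int main(void)
{
    int rc = parse_function(0);
    printf("clean parse: rc=%d, stacks closed=%d\n", rc, stack_closes());
    rc = parse_function(1);
    printf("syntax error: rc=%d, stacks closed=%d\n", rc, stack_closes());
    return 0;
}
```

Both paths release the stack exactly once, and the program is clean under valgrind. The buggy shape is the same code with `volatile` removed: whether it then frees the right block, a stale one, or NULL depends on how the optimizer allocated registers, which is why the symptom varies between builds and why the fix is the qualifier rather than a change to the control flow.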
ksh-20120801-35.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-85e9b616de
ksh-20120801-35.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-85e9b616de
ksh-20120801-35.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.