Description of problem: tcsh dies sometimes during filename tab completion. Version-Release number of selected component (if applicable): 6.14-6.fc5.1 6.14-1.fc4.2 How reproducible: sometimes Steps to Reproduce: 1. Hit tab to complete filenames. It seems to happen more often when editing a previous command line from history, deleting the pathname and completing a new one, traversing several directories deep, one directory at a time, and when there are ambiguous results which cause tcsh to display all matches. Actual results: I'll try to supply this when it happens again. It is difficult to capture since the terminal closes when tcsh dies. Expected results: No crash. Additional info: This started happening on FC5 and now FC4. It appears to have started on FC4 with the update from 6.14-1 to 6.14-1.fc4.2. I'm using these tcsh features: set autocorrect set autoexpand set autolist = ambiguous set histdup = erase set history = 100 unset implicitcd set listflags = Ax set listjobs = long set listlinks set listmax = 75 set matchbeep = nomatch set noclobber set notify set symlinks = ignore complete alias 'p/1/a/' complete cd 'n/*/d/' complete complete 'p/1/X/' complete exec 'p/1/c/' complete kill 'c/-/S/' complete limit 'p/1/l/' complete man 'n/*/c/' complete popd 'n/*/d/' complete pushd 'n/*/d/' complete rmdir 'n/*/d/' complete set 'c/*=/f/' 'p/1/s/=' 'n/=/f/' complete setenv 'p/1/e/' complete unalias 'n/*/a/' complete uncomplete 'p/*/X/' complete unset 'p/1/s/' complete unsetenv 'p/1/e/' complete which 'n/*/c/'
I can't see anything related to tab completion in the changes between 6.14-1 and 6.14-1.fc4.2, nor any other obvious bug. Please add "limit coredumpsize unlimited" to your ~/.tcshrc. If tcsh crashes again, it should create a core.* file containing a memory dump; please attach the generated file to this report, along with identification of the precise tcsh package version which crashed.
Created attachment 133332 [details] tcsh core dump Finally reproduced it consistently: scp fooo:/etc/foo<tab>Segmentation fault Attached core file, which I cannot get a good decode from. > rpm -qa \*debuginfo\* libtermcap-debuginfo-2.0.8-45 glibc-debuginfo-common-2.4-9 glibc-debuginfo-2.4-9 dvd+rw-tools-debuginfo-6.1-0.FC5.2 tcsh-debuginfo-6.14-6.fc5.2 cdrtools-debuginfo-2.01.01.0.a10-0.FC5.1 >gdb /bin/tcsh GNU gdb Red Hat Linux (6.3.0.0-1.122rh) Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1". (gdb) core core.10622 Reading symbols from shared object read from target memory...done. Loaded system supplied DSO at 0x4357c000 Core was generated by `-tcsh'. Program terminated with signal 11, Segmentation fault. warning: svr4_current_sos: Can't read pathname for load map: Input/output error Reading symbols from /lib/libtermcap.so.2...Reading symbols from /usr/lib/debug/lib/libtermcap.so.2.0.8.debug...done. done. Loaded symbols for /lib/libtermcap.so.2 Reading symbols from /lib/libcrypt.so.1...Reading symbols from /usr/lib/debug/lib/libcrypt-2.4.so.debug...done. done. Loaded symbols for /lib/libcrypt.so.1 Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.4.so.debug...done. done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.4.so.debug...done. done. Loaded symbols for /lib/ld-linux.so.2 #0 0x48070c27 in ?? () (gdb) where #0 0x48070c27 in ?? () #1 0xffbbf028 in ?? () #2 0xffbbf040 in ?? () #3 0x40000006 in ?? () #4 0x40001000 in ?? () #5 0x40000fff in ?? () #6 0x40000001 in ?? () #7 0x480b9a54 in ?? () #8 0x00000000 in ?? () (gdb)
Thanks. Unfortunately I can't find anything useful in the core file either. Do you have a way to reliably reproduce the crash? Typing "scp fooo:/etc/foo" (or even "scp dhcp1:/etc/pas" as the core seems to suggest) and pressing <tab> doesn't cause a crash for me, only causes an error message: dhcp1:/etc/ not found If you do have a way to reproduce the crash, please try to capture a strace of the tcsh process while it crashes; it should be enough to start the tcsh process and then start a strace from a different shell, using (strace -p $tcsh_pid).
Created attachment 133745 [details] strace of tcsh crashing Yes, I can reproduce it reliably with "scp dhcp1:/etc/pas" or indeed any four characters before the colon and three characters after the /etc/. Here is the strace from the crash.
Created attachment 133757 [details] gdb breakpoints It seems to be crashing in tw.comp.c:tw_find(). Here are my debugging efforts so far.
I may have been mistaken above. It seems to be reproducibly breaking here. Check out the stack corruption as quote() is about to return. (gdb) n 483 *dp++ |= QUOTE; (gdb) bt #0 quote (cp=0xbf859d58) at sh.misc.c:483 #1 0x0806eb71 in tw_fixword (looking=Variable "looking" is not available. ) at tw.parse.c:1226 #2 0x0806f0be in t_search (word=0xbf85e1b8, wp=0xbf85e1d0, command=SPELL, max_word_length=4096, looking=4, list_max=1, pat=0x80b9a54, suf=0) at tw.parse.c:1711 #3 0x08070c27 in spell_me (oldname=0xbf862254, oldsize=8189, looking=4095, pat=0x80b9a54, suf=0) at tw.spell.c:84 #4 0x08070924 in tenematch (inputline=0x80ba340, num_read=18, command=RECOGNIZE) at tw.parse.c:314 #5 0x0807e477 in Inputl () at ed.inputl.c:392 #6 0x080607ab in readc (wanteof=0) at sh.lex.c:1800 #7 0x08062a9b in lex (hp=0x80ca3bc) at sh.lex.c:173 #8 0x0804add7 in process (catch=1) at sh.c:2097 #9 0x0804d611 in main (argc=0, argv=0xbf88b6b4) at sh.c:1362 #10 0x435af4e4 in __libc_start_main (main=0x804c7d0 <main>, argc=2, ubp_av=0xbf88b6b4, init=0x808aca0 <__libc_csu_init>, fini=0x808ac98 <__libc_csu_fini>, rtld_fini=0x4358af30 <_dl_fini>, stack_end=0xbf88b6ac) at libc-start.c:231 #11 0x0804aac1 in _start () (gdb) l 231 result = main (argc, argv, __environ MAIN_AUXVEC_PARAM); 232 } 233 else 234 { 235 /* Remove the thread-local data. */ 236 # ifdef SHARED 237 __libc_pthread_functions.ptr__nptl_deallocate_tsd (); 238 # else 239 extern void __nptl_deallocate_tsd (void) __attribute ((weak)); 240 __nptl_deallocate_tsd (); (gdb) n 482 while (*dp != '\0') (gdb) l 477 { 478 Char *dp = cp; 479 480 if (!cp) 481 return (cp); 482 while (*dp != '\0') 483 *dp++ |= QUOTE; 484 return (cp); 485 } 486 (gdb) b 484 Breakpoint 2 at 0x80631f3: file sh.misc.c, line 484. (gdb) c Continuing. Breakpoint 2, quote (cp=0xbf859d58) at sh.misc.c:485 485 } (gdb) bt #0 quote (cp=0xbf859d58) at sh.misc.c:485 #1 0x0806eb71 in tw_fixword (looking=Variable "looking" is not available. ) at tw.parse.c:1226 #2 0x0806f0be in t_search (word=0xbf85e1b8, wp=0xff85e1d0, command=1073741830, max_word_length=1073745920, looking=4, list_max=1073741825, pat=0x480b9a54, suf=0) at tw.parse.c:1711 #3 0x48070c27 in ?? () #4 0xff85e1b8 in ?? () #5 0xff85e1d0 in ?? () #6 0x40000006 in ?? () #7 0x40001000 in ?? () #8 0x40000fff in ?? () #9 0x40000001 in ?? () #10 0x480b9a54 in ?? () #11 0x00000000 in ?? () (gdb)
Thanks, I think I have found the cause. Can you test rawhide tcsh-6.14-10, please?
My test case no longer crashes. Thanks.
Great! Thanks a lot for the debugging help.
tcsh-6.14-6.fc5.3 has been pushed for fc5, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.