Bug 197968 - tcsh crashes during tab completion
tcsh crashes during tab completion
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: tcsh (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Miloslav Trmač
Bill Huang
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-07 15:02 EDT by Charles R. Anderson
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: 6.14-6.fc5.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-29 10:40:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
tcsh core dump (1.45 MB, application/octet-stream)
2006-07-31 13:02 EDT, Charles R. Anderson
no flags Details
strace of tcsh crashing (375.47 KB, text/plain)
2006-08-07 11:49 EDT, Charles R. Anderson
no flags Details
gdb breakpoints (10.24 KB, text/plain)
2006-08-07 16:08 EDT, Charles R. Anderson
no flags Details

  None (edit)
Description Charles R. Anderson 2006-07-07 15:02:22 EDT
Description of problem:

tcsh dies sometimes during filename tab completion.

Version-Release number of selected component (if applicable):
6.14-6.fc5.1
6.14-1.fc4.2

How reproducible:
sometimes

Steps to Reproduce:
1. Hit tab to complete filenames.  It seems to happen more often when editing a
previous command line from history, deleting the pathname and completing a new
one, traversing several directories deep, one directory at a time, and when
there are ambiguous results which cause tcsh to display all matches.
  
Actual results:

I'll try to supply this when it happens again.  It is difficult to capture since
the terminal closes when tcsh dies.

Expected results:

No crash.

Additional info:

This started happening on FC5 and now FC4.  It appears to have started on FC4
with the update from 6.14-1 to 6.14-1.fc4.2.

I'm using these tcsh features:

set autocorrect
set autoexpand
set autolist	= ambiguous
set histdup     = erase
set history     = 100
unset implicitcd
set listflags	= Ax
set listjobs    = long
set listlinks
set listmax     = 75
set matchbeep   = nomatch
set noclobber
set notify
set symlinks	= ignore
complete alias      'p/1/a/'
complete cd         'n/*/d/'
complete complete   'p/1/X/'
complete exec       'p/1/c/'
complete kill       'c/-/S/'
complete limit      'p/1/l/'
complete man        'n/*/c/'
complete popd       'n/*/d/'
complete pushd      'n/*/d/'
complete rmdir      'n/*/d/'
complete set        'c/*=/f/' 'p/1/s/=' 'n/=/f/'
complete setenv     'p/1/e/'
complete unalias    'n/*/a/'
complete uncomplete 'p/*/X/'
complete unset      'p/1/s/'
complete unsetenv   'p/1/e/'
complete which      'n/*/c/'
Comment 1 Miloslav Trmač 2006-07-08 20:39:31 EDT
I can't see anything related to tab completion in the changes between 6.14-1 and
6.14-1.fc4.2, nor any other obvious bug.

Please add "limit coredumpsize unlimited" to your ~/.tcshrc.  If tcsh crashes
again, it should create a core.* file containing a memory dump; please attach
the generated file to this report, along with identification of the precise
tcsh package version which crashed.
Comment 2 Charles R. Anderson 2006-07-31 13:02:22 EDT
Created attachment 133332 [details]
tcsh core dump

Finally reproduced it consistently:

scp fooo:/etc/foo<tab>Segmentation fault

Attached core file, which I cannot get a good decode from.

> rpm -qa \*debuginfo\*
libtermcap-debuginfo-2.0.8-45
glibc-debuginfo-common-2.4-9
glibc-debuginfo-2.4-9
dvd+rw-tools-debuginfo-6.1-0.FC5.2
tcsh-debuginfo-6.14-6.fc5.2
cdrtools-debuginfo-2.01.01.0.a10-0.FC5.1

>gdb /bin/tcsh
GNU gdb Red Hat Linux (6.3.0.0-1.122rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) core core.10622
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x4357c000
Core was generated by `-tcsh'.
Program terminated with signal 11, Segmentation fault.
warning: svr4_current_sos: Can't read pathname for load map: Input/output error


Reading symbols from /lib/libtermcap.so.2...Reading symbols from
/usr/lib/debug/lib/libtermcap.so.2.0.8.debug...done.
done.
Loaded symbols for /lib/libtermcap.so.2
Reading symbols from /lib/libcrypt.so.1...Reading symbols from
/usr/lib/debug/lib/libcrypt-2.4.so.debug...done.
done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libc.so.6...Reading symbols from
/usr/lib/debug/lib/libc-2.4.so.debug...done.
done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from
/usr/lib/debug/lib/ld-2.4.so.debug...done.
done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x48070c27 in ?? ()
(gdb) where
#0  0x48070c27 in ?? ()
#1  0xffbbf028 in ?? ()
#2  0xffbbf040 in ?? ()
#3  0x40000006 in ?? ()
#4  0x40001000 in ?? ()
#5  0x40000fff in ?? ()
#6  0x40000001 in ?? ()
#7  0x480b9a54 in ?? ()
#8  0x00000000 in ?? ()
(gdb)
Comment 3 Miloslav Trmač 2006-08-05 03:54:24 EDT
Thanks.  Unfortunately I can't find anything useful in the core file either.

Do you have a way to reliably reproduce the crash? Typing
"scp fooo:/etc/foo" (or even "scp dhcp1:/etc/pas" as the core seems to suggest)
and pressing <tab> doesn't cause a crash for me, only causes an error message:
    dhcp1:/etc/ not found

If you do have a way to reproduce the crash, please try to capture a strace
of the tcsh process while it crashes; it should be enough to start the tcsh
process and then start a strace from a different shell, using
(strace -p $tcsh_pid).
Comment 4 Charles R. Anderson 2006-08-07 11:49:46 EDT
Created attachment 133745 [details]
strace of tcsh crashing

Yes, I can reproduce it reliably with "scp dhcp1:/etc/pas" or indeed any four
characters before the colon and three characters after the /etc/.

Here is the strace from the crash.
Comment 5 Charles R. Anderson 2006-08-07 16:08:57 EDT
Created attachment 133757 [details]
gdb breakpoints

It seems to be crashing in tw.comp.c:tw_find().  Here are my debugging efforts
so far.
Comment 6 Charles R. Anderson 2006-08-08 02:08:40 EDT
I may have been mistaken above.  It seems to be reproducibly breaking here. 
Check out the stack corruption as quote() is about to return.

(gdb) n
483             *dp++ |= QUOTE;
(gdb) bt
#0  quote (cp=0xbf859d58) at sh.misc.c:483
#1  0x0806eb71 in tw_fixword (looking=Variable "looking" is not available.
) at tw.parse.c:1226
#2  0x0806f0be in t_search (word=0xbf85e1b8, wp=0xbf85e1d0, command=SPELL,
    max_word_length=4096, looking=4, list_max=1, pat=0x80b9a54, suf=0)
    at tw.parse.c:1711
#3  0x08070c27 in spell_me (oldname=0xbf862254, oldsize=8189, looking=4095,
    pat=0x80b9a54, suf=0) at tw.spell.c:84
#4  0x08070924 in tenematch (inputline=0x80ba340, num_read=18,
    command=RECOGNIZE) at tw.parse.c:314
#5  0x0807e477 in Inputl () at ed.inputl.c:392
#6  0x080607ab in readc (wanteof=0) at sh.lex.c:1800
#7  0x08062a9b in lex (hp=0x80ca3bc) at sh.lex.c:173
#8  0x0804add7 in process (catch=1) at sh.c:2097
#9  0x0804d611 in main (argc=0, argv=0xbf88b6b4) at sh.c:1362
#10 0x435af4e4 in __libc_start_main (main=0x804c7d0 <main>, argc=2,
    ubp_av=0xbf88b6b4, init=0x808aca0 <__libc_csu_init>,
    fini=0x808ac98 <__libc_csu_fini>, rtld_fini=0x4358af30 <_dl_fini>,
    stack_end=0xbf88b6ac) at libc-start.c:231
#11 0x0804aac1 in _start ()
(gdb) l
231           result = main (argc, argv, __environ MAIN_AUXVEC_PARAM);
232         }
233       else
234         {
235           /* Remove the thread-local data.  */
236     # ifdef SHARED
237           __libc_pthread_functions.ptr__nptl_deallocate_tsd ();
238     # else
239           extern void __nptl_deallocate_tsd (void) __attribute ((weak));
240           __nptl_deallocate_tsd ();
(gdb) n
482         while (*dp != '\0')
(gdb) l
477     {
478         Char *dp = cp;
479
480         if (!cp)
481             return (cp);
482         while (*dp != '\0')
483             *dp++ |= QUOTE;
484         return (cp);
485     }
486
(gdb) b 484
Breakpoint 2 at 0x80631f3: file sh.misc.c, line 484.
(gdb) c
Continuing.

Breakpoint 2, quote (cp=0xbf859d58) at sh.misc.c:485
485     }
(gdb) bt
#0  quote (cp=0xbf859d58) at sh.misc.c:485
#1  0x0806eb71 in tw_fixword (looking=Variable "looking" is not available.
) at tw.parse.c:1226
#2  0x0806f0be in t_search (word=0xbf85e1b8, wp=0xff85e1d0,
    command=1073741830, max_word_length=1073745920, looking=4,
    list_max=1073741825, pat=0x480b9a54, suf=0) at tw.parse.c:1711
#3  0x48070c27 in ?? ()
#4  0xff85e1b8 in ?? ()
#5  0xff85e1d0 in ?? ()
#6  0x40000006 in ?? ()
#7  0x40001000 in ?? ()
#8  0x40000fff in ?? ()
#9  0x40000001 in ?? ()
#10 0x480b9a54 in ?? ()
#11 0x00000000 in ?? ()
(gdb)

Comment 7 Miloslav Trmač 2006-08-16 13:49:50 EDT
Thanks, I think I have found the cause.  Can you test rawhide tcsh-6.14-10,
please?
Comment 8 Charles R. Anderson 2006-08-16 16:15:07 EDT
My test case no longer crashes.  Thanks.
Comment 9 Miloslav Trmač 2006-08-17 11:32:57 EDT
Great!  Thanks a lot for the debugging help.
Comment 10 Fedora Update System 2006-08-17 14:14:08 EDT
tcsh-6.14-6.fc5.3 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 11 Fedora Update System 2006-08-28 13:24:24 EDT
tcsh-6.14-6.fc5.3 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.