@charmoniumQ
Last active September 23, 2023 01:06
Bash crashes in Valgrind when LC_CTYPE is set to C.UTF-8
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1695227375,
"narHash": "sha256-76WTkeCu3npPZDkay2hB2Dj3cOuCiF0P41dbmXWUKtA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe977679240ac2027b151ecca1bc6ce808c2e8af",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}
{
  # Minimal reproducer: run a debug build of bash under valgrind with only
  # `foo` and `LC_CTYPE=C.UTF-8` in the environment and expand `${foo#baz}`.
  # Observed behaviour (see the transcripts that follow this file):
  #   - valgrind + LC_CTYPE=C.UTF-8 -> crashes reliably; dropping either one
  #     avoids the crash (without LC_CTYPE an invalid free() is still reported).
  #   - the `${foo#ba}` variant aborts inside bash's own malloc
  #     ("free: called with unallocated block argument", exit status 134);
  #     the `${foo#baz}` variant prints `bar`, exits 0 and reports one
  #     invalid free() from unwind_frame_run_internal.
  # NOTE(review): in the aborting trace the block is obtained from the
  # valgrind-interposed realloc() in xdupmbstowcs2 but released through bash's
  # internal sh_free(); together with "no crash without valgrind" this looks
  # like an allocator mismatch under interposition rather than a plain bug in
  # remove_pattern -- confirm by reproducing outside valgrind before treating
  # it as a memory-safety issue in bash's pattern removal.
  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
      # Debug build so the valgrind backtraces resolve to source lines
      # (malloc.c:967, subst.c:5336, ...).
      bash = pkgs.enableDebugging pkgs.bash;
      # `env -` starts from an empty environment, so only foo and LC_CTYPE reach
      # bash. `''${` is the indented-string escape for a literal `${`, so bash
      # receives `echo ${foo#baz}` verbatim (cf. the "Command:" line valgrind prints).
      reproducer = pkgs.writeShellScript "test.sh" ''
        ${pkgs.toybox}/bin/env - foo=bar LC_CTYPE=C.UTF-8 ${pkgs.valgrind}/bin/valgrind ${bash}/bin/bash -c 'echo ''${foo#baz}'
      '';
    in {
      apps.${system}.default = {
        type = "app";
        program = "${reproducer}";
      };
    };
}
$ nix run
==2917070== Memcheck, a memory error detector
==2917070== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==2917070== Using Valgrind-3.21.0 and LibVEX; rerun with -h for copyright info
==2917070== Command: /nix/store/mcvpsizgc6irihzykac8a49rini1v25l-bash-5.2-p15/bin/bash -c echo\ ${foo#ba}
==2917070==
==2917070== Invalid read of size 1
==2917070== at 0x4A0DCD: internal_free (malloc.c:967)
==2917070== by 0x4A1BBA: sh_free (malloc.c:1457)
==2917070== by 0x4743A7: sh_xfree (xmalloc.c:223)
==2917070== by 0x44D7D2: remove_pattern (subst.c:5336)
==2917070== by 0x45F6C8: parameter_brace_remove_pattern (subst.c:5904)
==2917070== by 0x459428: parameter_brace_expand (subst.c:10090)
==2917070== by 0x459EB2: param_expand (subst.c:10538)
==2917070== by 0x45ADB6: expand_word_internal (subst.c:11236)
==2917070== by 0x4603A7: shell_expand_word_list (subst.c:12816)
==2917070== by 0x4604C4: expand_word_list_internal (subst.c:13000)
==2917070== by 0x4605C1: expand_words (subst.c:12280)
==2917070== by 0x432B4C: execute_simple_command (execute_cmd.c:4506)
==2917070== Address 0x4a9fac0 is 16 bytes before a block of size 128 alloc'd
==2917070== at 0x48477FC: realloc (in /nix/store/14fg82n6grqhrd2algx31sv1kmgvz0gl-valgrind-3.21.0/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==2917070== by 0x492FE2: xdupmbstowcs2 (xmbsrtowcs.c:210)
==2917070== by 0x4932F0: xdupmbstowcs (xmbsrtowcs.c:298)
==2917070== by 0x44D789: remove_pattern (subst.c:5318)
==2917070== by 0x45F6C8: parameter_brace_remove_pattern (subst.c:5904)
==2917070== by 0x459428: parameter_brace_expand (subst.c:10090)
==2917070== by 0x459EB2: param_expand (subst.c:10538)
==2917070== by 0x45ADB6: expand_word_internal (subst.c:11236)
==2917070== by 0x4603A7: shell_expand_word_list (subst.c:12816)
==2917070== by 0x4604C4: expand_word_list_internal (subst.c:13000)
==2917070== by 0x4605C1: expand_words (subst.c:12280)
==2917070== by 0x432B4C: execute_simple_command (execute_cmd.c:4506)
==2917070==
==2917070== Invalid read of size 1
==2917070== at 0x4A0DDC: internal_free (malloc.c:978)
==2917070== by 0x4A1BBA: sh_free (malloc.c:1457)
==2917070== by 0x4743A7: sh_xfree (xmalloc.c:223)
==2917070== by 0x44D7D2: remove_pattern (subst.c:5336)
==2917070== by 0x45F6C8: parameter_brace_remove_pattern (subst.c:5904)
==2917070== by 0x459428: parameter_brace_expand (subst.c:10090)
==2917070== by 0x459EB2: param_expand (subst.c:10538)
==2917070== by 0x45ADB6: expand_word_internal (subst.c:11236)
==2917070== by 0x4603A7: shell_expand_word_list (subst.c:12816)
==2917070== by 0x4604C4: expand_word_list_internal (subst.c:13000)
==2917070== by 0x4605C1: expand_words (subst.c:12280)
==2917070== by 0x432B4C: execute_simple_command (execute_cmd.c:4506)
==2917070== Address 0x4a9fac0 is 16 bytes before a block of size 128 alloc'd
==2917070== at 0x48477FC: realloc (in /nix/store/14fg82n6grqhrd2algx31sv1kmgvz0gl-valgrind-3.21.0/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==2917070== by 0x492FE2: xdupmbstowcs2 (xmbsrtowcs.c:210)
==2917070== by 0x4932F0: xdupmbstowcs (xmbsrtowcs.c:298)
==2917070== by 0x44D789: remove_pattern (subst.c:5318)
==2917070== by 0x45F6C8: parameter_brace_remove_pattern (subst.c:5904)
==2917070== by 0x459428: parameter_brace_expand (subst.c:10090)
==2917070== by 0x459EB2: param_expand (subst.c:10538)
==2917070== by 0x45ADB6: expand_word_internal (subst.c:11236)
==2917070== by 0x4603A7: shell_expand_word_list (subst.c:12816)
==2917070== by 0x4604C4: expand_word_list_internal (subst.c:13000)
==2917070== by 0x4605C1: expand_words (subst.c:12280)
==2917070== by 0x432B4C: execute_simple_command (execute_cmd.c:4506)
==2917070==
malloc: subst.c:5336: assertion botched
free: called with unallocated block argument
Aborting...==2917070==
==2917070== Process terminating with default action of signal 6 (SIGABRT): dumping core
==2917070== at 0x48DFA8C: __pthread_kill_implementation (in /nix/store/aw2fw9ag10wr9pf0qk4nk5sxi0q0bn56-glibc-2.37-8/lib/libc.so.6)
==2917070== by 0x4890C85: raise (in /nix/store/aw2fw9ag10wr9pf0qk4nk5sxi0q0bn56-glibc-2.37-8/lib/libc.so.6)
==2917070== by 0x487A8B9: abort (in /nix/store/aw2fw9ag10wr9pf0qk4nk5sxi0q0bn56-glibc-2.37-8/lib/libc.so.6)
==2917070== by 0x4403A0: programming_error (error.c:175)
==2917070== by 0x4A0B8E: xbotch (malloc.c:390)
==2917070== by 0x4A0E1A: internal_free (malloc.c:984)
==2917070== by 0x4A1BBA: sh_free (malloc.c:1457)
==2917070== by 0x4743A7: sh_xfree (xmalloc.c:223)
==2917070== by 0x44D7D2: remove_pattern (subst.c:5336)
==2917070== by 0x45F6C8: parameter_brace_remove_pattern (subst.c:5904)
==2917070== by 0x459428: parameter_brace_expand (subst.c:10090)
==2917070== by 0x459EB2: param_expand (subst.c:10538)
==2917070==
==2917070== HEAP SUMMARY:
==2917070== in use at exit: 153,368 bytes in 2,409 blocks
==2917070== total heap usage: 2,436 allocs, 27 frees, 211,978 bytes allocated
==2917070==
==2917070== LEAK SUMMARY:
==2917070== definitely lost: 0 bytes in 0 blocks
==2917070== indirectly lost: 0 bytes in 0 blocks
==2917070== possibly lost: 33,123 bytes in 1,052 blocks
==2917070== still reachable: 120,245 bytes in 1,357 blocks
==2917070== suppressed: 0 bytes in 0 blocks
==2917070== Rerun with --leak-check=full to see details of leaked memory
==2917070==
==2917070== For lists of detected and suppressed errors, rerun with: -s
==2917070== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
/nix/store/sbf599f5q19cn7xm3l641irs6acg39zh-test.sh: line 2: 2917070 Aborted (core dumped) /nix/store/v45j2p2izb3pa2fxdw978bahhkb2ghza-toybox-0.8.10/bin/env - foo=bar LC_CTYPE=C.UTF-8 /nix/store/14fg82n6grqhrd2algx31sv1kmgvz0gl-valgrind-3.21.0/bin/valgrind /nix/store/mcvpsizgc6irihzykac8a49rini1v25l-bash-5.2-p15/bin/bash -c 'echo ${foo#ba}'
$ echo $?
134
$ nix run
==2934752== Memcheck, a memory error detector
==2934752== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==2934752== Using Valgrind-3.21.0 and LibVEX; rerun with -h for copyright info
==2934752== Command: /nix/store/mcvpsizgc6irihzykac8a49rini1v25l-bash-5.2-p15/bin/bash -c echo\ ${foo#baz}
==2934752==
bar
==2934752== Invalid free() / delete / delete[] / realloc()
==2934752== at 0x4845154: free (in /nix/store/14fg82n6grqhrd2algx31sv1kmgvz0gl-valgrind-3.21.0/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==2934752== by 0x474289: xfree (xmalloc.c:150)
==2934752== by 0x464B27: unwind_frame_run_internal (unwind_prot.c:326)
==2934752== by 0x4646D1: without_interrupts (unwind_prot.c:118)
==2934752== by 0x464C95: run_unwind_frame (unwind_prot.c:144)
==2934752== by 0x47AF1E: parse_and_execute (evalstring.c:577)
==2934752== by 0x41C0DF: run_one_command (shell.c:1473)
==2934752== by 0x41D77F: main (shell.c:763)
==2934752== Address 0x4042790 is in the brk data segment 0x4035000-0x404dfff
==2934752==
==2934752==
==2934752== HEAP SUMMARY:
==2934752== in use at exit: 29 bytes in 1 blocks
==2934752== total heap usage: 31 allocs, 31 frees, 21,419 bytes allocated
==2934752==
==2934752== LEAK SUMMARY:
==2934752== definitely lost: 0 bytes in 0 blocks
==2934752== indirectly lost: 0 bytes in 0 blocks
==2934752== possibly lost: 0 bytes in 0 blocks
==2934752== still reachable: 29 bytes in 1 blocks
==2934752== suppressed: 0 bytes in 0 blocks
==2934752== Rerun with --leak-check=full to see details of leaked memory
==2934752==
==2934752== For lists of detected and suppressed errors, rerun with: -s
==2934752== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
$ echo $?
0