[Bug 1213353] New: bash crash during autocompletion: systemctmalloc_consolidate(): unaligned fastbin chunk detected
https://bugzilla.suse.com/show_bug.cgi?id=1213353

            Bug ID: 1213353
           Summary: bash crash during autocompletion: systemctmalloc_consolidate(): unaligned fastbin chunk detected
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: werner@suse.com
          Reporter: suse-beta@cboltz.de
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Created attachment 868226
  --> https://bugzilla.suse.com/attachment.cgi?id=868226&action=edit
bash screendump and coredumpctl output with intact linebreaks

I just had the following bash crash during autocompletion:

Unfortunately I don't remember exactly what I did when bash crashed. The only hint that I can offer is that my prompt starts with $? if it's non-zero. The last prompt line indicates that $? was [INT]

======================================================================
cb@tux:~/isotopp.github.io/content/posts cboltz-typo52 L …4> systemctl enable --
--after --defaults --firmware-setup --help --legend=no --no-ask-password --now --plain --recursive --show-types --timestamp --version
--all --dry-run --force --host --lines --no-block --no-wall --preset-mode --reverse --signal --type --wait
--before --fail --full --job-mode --machine --no-pager --no-warn --property --root --state --user
--check-inhibitors --failed --global --kill-whom --message --no-reload --output --quiet --runtime --system --value
cb@tux:~/isotopp.github.io/content/posts cboltz-typo52 L …4> systemctl enable --no
--no-ask-password --no-block --no-pager --no-reload --now --no-wall --no-warn
cb@tux:~/isotopp.github.io/content/posts cboltz-typo52 L …4> systemctl e
[INT] cb@tux:~/isotopp.github.io/content/posts cboltz-typo52 L …4> systemctmalloc_consolidate(): unaligned fastbin chunk detected
Achtung: Das Programm „/bin/bash“ ist abgestürzt.
======================================================================

======================================================================
# coredumpctl dump bash
           PID: 13069 (bash)
           UID: 1000 (cb)
           GID: 100 (users)
        Signal: 6 (ABRT)
     Timestamp: Fri 2023-07-14 19:58:42 CEST (8min ago)
  Command Line: /bin/bash
    Executable: /usr/bin/bash
 Control Group: /user.slice/user-1000.slice/user@1000.service/app.slice/app-kde_autostart@autostart.service
          Unit: user@1000.service
     User Unit: app-kde_autostart@autostart.service
         Slice: user-1000.slice
     Owner UID: 1000 (cb)
       Boot ID: c4b7162d927340e9995cb85273857589
    Machine ID: abf06ac46e2e487ea0edd474065e8b87
      Hostname: tux.boltz
       Storage: /var/lib/systemd/coredump/core.bash.1000.c4b7162d927340e9995cb85273857589.13069.1689357522000000.zst (present)
  Size on Disk: 722.5K
       Message: Process 13069 (bash) of user 1000 dumped core.

                Stack trace of thread 13069:
                #0  0x00007fe721781a7c __pthread_kill_implementation (libc.so.6 + 0x8fa7c)
                #1  0x00007fe721730226 raise (libc.so.6 + 0x3e226)
                #2  0x00007fe721718921 abort (libc.so.6 + 0x26921)
                #3  0x00007fe721719611 __libc_message.cold (libc.so.6 + 0x27611)
                #4  0x00007fe72178c417 malloc_printerr (libc.so.6 + 0x9a417)
                #5  0x00007fe72178d03c malloc_consolidate (libc.so.6 + 0x9b03c)
                #6  0x00007fe72178f6b8 _int_malloc (libc.so.6 + 0x9d6b8)
                #7  0x00007fe721790aba __libc_malloc (libc.so.6 + 0x9eaba)
                #8  0x000055ff5a6938ee xmalloc (bash + 0x758ee)
                #9  0x000055ff5a69fd61 n/a (bash + 0x81d61)
                #10 0x000055ff5a6b98cf map_over_funcs (bash + 0x9b8cf)
                #11 0x000055ff5a6818f6 all_visible_functions (bash + 0x638f6)
                #12 0x000055ff5a68dc6a command_word_completion_function (bash + 0x6fc6a)
                #13 0x00007fe72190cddb rl_completion_matches (libreadline.so.8 + 0x1dddb)
                #14 0x000055ff5a68c7a0 bash_default_completion (bash + 0x6e7a0)
                #15 0x00007fe72190cef3 n/a (libreadline.so.8 + 0x1def3)
                #16 0x00007fe72191579c rl_complete_internal (libreadline.so.8 + 0x2679c)
                #17 0x00007fe72190d178 _rl_dispatch_subseq (libreadline.so.8 + 0x1e178)
                #18 0x00007fe72190dfa6 readline_internal_char (libreadline.so.8 + 0x1efa6)
                #19 0x00007fe721916f65 readline (libreadline.so.8 + 0x27f65)
                #20 0x000055ff5a65ce67 n/a (bash + 0x3ee67)
                #21 0x000055ff5a69904e n/a (bash + 0x7b04e)
                #22 0x000055ff5a697394 n/a (bash + 0x79394)
                #23 0x000055ff5a696be7 yyparse (bash + 0x78be7)
                #24 0x000055ff5a696821 parse_command (bash + 0x78821)
                #25 0x000055ff5a6a2c8e read_command (bash + 0x84c8e)
                #26 0x000055ff5a6a2919 reader_loop (bash + 0x84919)
                #27 0x000055ff5a6b5f04 main (bash + 0x97f04)
                #28 0x00007fe721719bb0 __libc_start_call_main (libc.so.6 + 0x27bb0)
                #29 0x00007fe721719c79 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x27c79)
                #30 0x000055ff5a6b4fe5 _start (bash + 0x96fe5)
                ELF object binary architecture: AMD x86-64
Refusing to dump core to tty (use shell redirection or specify --output).
======================================================================

I can provide the full coredump on request. Unfortunately it contains private data (for example filenames from the bash history), therefore I don't want to attach it to a public bugreport. However, I can send it by mail if needed.

[Note to myself: the coredump is in ~/susebeta/2023-07-14-*.zst]

The attached file contains the above bash screendump and coredumpctl output, just in case bugzilla inserts funny linebreaks.

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1213353

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse-beta@cboltz.de
              Flags|                            |needinfo?(suse-beta@cboltz.
                   |                            |de)

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c2

--- Comment #2 from Dr. Werner Fink <werner@suse.com> ---
Please also include the current version of libreadline8 as well as of bash via

  rpm -qi libreadline8
  rpm -qi bash

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c3

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(suse-beta@cboltz. |
                   |de)                         |

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> ---
bash and libreadline8 are from current Tumbleweed. Details:

# rpm -qi libreadline8 bash
Name        : libreadline8
Version     : 8.2
Release     : 2.3
Architecture: x86_64
Install Date: Do 22 Jun 2023 23:48:38 CEST
Group       : System/Libraries
Size        : 446078
License     : GPL-3.0-or-later
Signature   : RSA/SHA512, Mi 14 Jun 2023 17:16:26 CEST, Key ID 35a2f86e29b700a4
Source RPM  : readline-8.2-2.3.src.rpm
Build Date  : Mi 14 Jun 2023 17:13:06 CEST
Build Host  : hurricane3
Packager    : https://bugs.opensuse.org
Vendor      : openSUSE
URL         : https://www.gnu.org/software/readline/
Summary     : The Readline Library
Description :
The readline library is used by the Bourne Again Shell (bash, the standard command interpreter) for easy editing of command lines. This includes history and search functionality.
Distribution: openSUSE Tumbleweed
Name        : bash
Version     : 5.2.15
Release     : 8.4
Architecture: x86_64
Install Date: Do 22 Jun 2023 23:48:49 CEST
Group       : System/Shells
Size        : 1094000
License     : GPL-3.0-or-later
Signature   : RSA/SHA512, Mi 14 Jun 2023 20:53:06 CEST, Key ID 35a2f86e29b700a4
Source RPM  : bash-5.2.15-8.4.src.rpm
Build Date  : Mi 14 Jun 2023 20:43:18 CEST
Build Host  : lamb59
Packager    : https://bugs.opensuse.org
Vendor      : openSUSE
URL         : https://www.gnu.org/software/bash/bash.html
Summary     : The GNU Bourne-Again Shell
Description :
Bash is an sh-compatible command interpreter that executes commands read from standard input or from a file. Bash incorporates useful features from the Korn and C shells (ksh and csh). Bash is intended to be a conformant implementation of the IEEE Posix Shell and Tools specification (IEEE Working Group 1003.2).
Distribution: openSUSE Tumbleweed

https://bugzilla.suse.com/show_bug.cgi?id=1213353

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c5

--- Comment #5 from Dr. Werner Fink <werner@suse.com> ---
Just to be sure ... you have installed bash-completion as well ... do you have something in path which is named `systemct` (not `systemctl`) ... shell function, further command, or an alias?

The other problem is that I do not have a glibc-debuginfo-2.37-4.4.x86_64 anymore around to see the specific malloc_printerr()

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c6

--- Comment #6 from Dr. Werner Fink <werner@suse.com> ---
Also I'd like to see your prompts PS0, PS1, PS2, PS3, and PS4

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c7

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |schwab@suse.de

--- Comment #7 from Dr. Werner Fink <werner@suse.com> ---
The crash is caused by abort called via malloc_printerr() here in malloc_consolidate() of glibc-2.37/malloc/malloc.c

    do {
      {
        if (__glibc_unlikely (misaligned_chunk (p)))
          malloc_printerr ("malloc_consolidate(): "
                           "unaligned fastbin chunk detected");

        unsigned int idx = fastbin_index (chunksize (p));
        if ((&fastbin (av, idx)) != fb)
          malloc_printerr ("malloc_consolidate(): invalid chunk size");
      }

and as

    static void
    malloc_printerr (const char *str)
    {
    #if IS_IN (libc)
      __libc_message ("%s\n", str);
    #else
      __libc_fatal (str);
    #endif
      __builtin_unreachable ();
    }

both __libc_message() and __libc_fatal() (via __libc_message()) call abort() ... AFAICS glibc-2.37/sysdeps/posix/libc_fatal.c

...not sure if this is a bash/libreadline problem here.

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c9

--- Comment #9 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Andreas Schwab from comment #8)
> Which means you have a memory corruption.

OK ... that is what we already know ... the real reason/cause would be a win. Error in bash/libreadline ... or in (g)libc ... or overheated system

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c11

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |werner@suse.com
           Assignee|werner@suse.com             |schwab@suse.de

--- Comment #11 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Andreas Schwab from comment #10)
> That *is* the real reason.

OK means glibc stumbles over 2608 bytes

(gdb) down
#9  0x000055ff5a69fd61 in vlist_alloc (nentries=325) at /usr/src/debug/bash-5.2/variables.c:4172
4172      vlist->list = (SHELL_VAR **)xmalloc ((nentries + 1) * sizeof (SHELL_VAR *));
(gdb) print (nentries + 1) * sizeof (SHELL_VAR *)
$2 = 2608
(gdb) down
#8  0x000055ff5a6938ee in xmalloc (bytes=2608) at /usr/src/debug/bash-5.2/xmalloc.c:114
114       temp = malloc (bytes);
(gdb) print bytes
$3 = 2608
(gdb) down
#7  0x00007fe721790aba in malloc () from /lib64/libc.so.6
(gdb) down
#6  0x00007fe72178f6b8 in _int_malloc () from /lib64/libc.so.6
(gdb) down
#5  0x00007fe72178d03c in malloc_consolidate () from /lib64/libc.so.6
(gdb) down
#4  0x00007fe72178c417 in malloc_printerr () from /lib64/libc.so.6
(gdb) down
#3  0x00007fe721719611 in __libc_message.cold () from /lib64/libc.so.6
(gdb) down
#2  0x00007fe721718921 in abort () from /lib64/libc.so.6
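
Added example, not part of the bug report and not glibc source: a simplified C model of the two checks quoted in comment #7, showing why the abort surfaces in the 2608-byte xmalloc() from comment #11 and not at the earlier write that damaged the heap. The struct layout, the x86-64 constants and the names check_fastbin and model_malloc are assumptions of this model; from glibc it takes only the behaviour that a request of 1024 bytes or more walks the fastbins.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration, not glibc source. Constants follow
   x86-64 glibc: 16-byte alignment, fastbin classes 32, 48, 64, ... and
   1024 bytes as the first "large" request size. */
#define ALIGN_MASK 15u
#define FLAG_BITS  7u
#define MIN_LARGE  1024u

struct chunk { uint64_t prev_size, size, fd, bk; };   /* 32 bytes */

enum verdict { HEAP_OK, ERR_UNALIGNED, ERR_BAD_SIZE };
enum damage  { DMG_NONE, DMG_LINK, DMG_SIZE };

static unsigned bin_index(uint64_t sz) { return (unsigned)(sz >> 4) - 2; }

/* The same two checks as the loop quoted in comment #7, applied to one bin.
   A link is validated as an integer before it is ever dereferenced. */
static enum verdict check_fastbin(uint64_t link, unsigned idx)
{
    while (link != 0) {
        if (link & ALIGN_MASK)
            return ERR_UNALIGNED;      /* "unaligned fastbin chunk detected" */
        const struct chunk *p = (const struct chunk *)(uintptr_t)link;
        if (bin_index(p->size & ~(uint64_t)FLAG_BITS) != idx)
            return ERR_BAD_SIZE;       /* "invalid chunk size" */
        link = p->fd;
    }
    return HEAP_OK;
}

/* Three freed 32-byte chunks sit in bin 0; `dmg` models a write through a
   stale pointer that happened earlier. Only a large request walks the bin,
   so smaller requests return without noticing the damage. */
static enum verdict model_malloc(uint64_t request, enum damage dmg)
{
    static _Alignas(16) struct chunk heap[3];
    for (int i = 0; i < 3; i++) {
        heap[i].prev_size = heap[i].bk = 0;
        heap[i].size = 32 | 1;                     /* size plus in-use flag */
        heap[i].fd = i < 2 ? (uint64_t)(uintptr_t)&heap[i + 1] : 0;
    }
    if (dmg == DMG_LINK)               /* constructed: low byte overwritten */
        heap[0].fd = (heap[0].fd & ~(uint64_t)0xff) | 0x6c;
    if (dmg == DMG_SIZE)               /* constructed: wrong size class */
        heap[1].size = 48 | 1;

    if (request < MIN_LARGE)
        return HEAP_OK;                /* model: bin is not inspected */
    return check_fastbin((uint64_t)(uintptr_t)&heap[0], 0);
}

int main(void)
{
    static const char *name[] = { "ok", "unaligned chunk", "invalid size" };
    printf("64 bytes, damaged link:   %s\n", name[model_malloc(64, DMG_LINK)]);
    printf("2608 bytes, intact heap:  %s\n", name[model_malloc(2608, DMG_NONE)]);
    printf("2608 bytes, damaged link: %s\n", name[model_malloc(2608, DMG_LINK)]);
    printf("2608 bytes, damaged size: %s\n", name[model_malloc(2608, DMG_SIZE)]);
    return 0;
}
```

The allocation that aborts is only the first one to inspect the list, so its backtrace names the detector and says nothing about which earlier code wrote to the freed chunk.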

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c13

--- Comment #13 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Andreas Schwab from comment #12)
> I'm not going to debug your program.

IMHO bash does nothing wrong with its list used for completion

    if (varlist)
      free (varlist);
    varlist = all_visible_functions ();

the only thing which could trigger anything is that there is beside systemctl also a systemct in ~/bin/ .. and ~/bin/ is listed several times in PATH but even with this I can not trigger an abort().

#13 0x000055ff5a68dc6a in command_word_completion_function (hint_text=0x55ff5c85cd30 "systemct", state=0) at /usr/src/debug/bash-5.2/bashline.c:2099
        temp = <optimized out>
        cval = <optimized out>
        inner = <optimized out>
        dequoted_hint = 0x55ff5c7de7d0 "\360:\202\\\377U"
        hint = 0x55ff5c7de7d0 "\360:\202\\\377U"
        searching_path = 0
        mapping_over = 0
        hint_is_dir = 0
        val = 0x0
        igncase = 0
        old_glob_ignore_case = 0
        glob_matches = 0x0
        globpat = 0
        directory_part = 0x0
        hint_len = 8
        filename_hint = 0x55ff5c6baee0 "/home/cb/bin/systemct"
        fnhint = 0x55ff5c6baee0 "/home/cb/bin/systemct"
        istate = 0
        path = 0x55ff5c6090d0 "/home/cb/bin:/usr/local/bin:/usr/bin:/bin:/home/cb/bin:/home/cb/bin"
        path_index = 0
        local_index = 0
        varlist = 0x55ff5c859150
        alias_list = 0x55ff5c933e50

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c14

--- Comment #14 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Dr. Werner Fink from comment #5)
> Just to be sure ... you have installed bash-completion as well ...

Right, bash-completion-2.11-7.1.noarch

> do you have something in path which is named `systemct` (not `systemctl`) ... shell function, further command, or an alias?

No, systemc<tab> only results in systemctl (for both user and root)

(In reply to Dr. Werner Fink from comment #6)
> Also I'd like to see your prompts PS0, PS1, PS2, PS3, and PS4

cb@tux:~> echo $PS0
cb@tux:~> echo $PS1
\u\[\e[0m\]@\h:\[\e[1;37;44m\]\w\[\033[0;0m\]>
cb@tux:~> echo $PS2
cb@tux:~> echo $PS3
cb@tux:~> echo $PS4
+

I also have a PROMPT_COMMAND:

cb@tux:~> echo $PROMPT_COMMAND
setLastCommandState;setGitPrompt

which is from git@github.com:cboltz/bash-git-prompt.git (actually a version from 2019, 148d502b666a0d62ecc83680817596b097a70f2a)

(In reply to Dr. Werner Fink from comment #9)
> OK ... that is what we already know ... the real reason/cause would be a win. Error in bash/libreadline ... or in (g)libc ... or overheated system

Given the hot weather in the last days, I wouldn't rule out overheated system. However, this was the only strange issue I noticed during these hot days.

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c15

--- Comment #15 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Christian Boltz from comment #14)
> (In reply to Dr. Werner Fink from comment #9)
> > OK ... that is what we already know ... the real reason/cause would be a win. Error in bash/libreadline ... or in (g)libc ... or overheated system
>
> Given the hot weather in the last days, I wouldn't rule out overheated system. However, this was the only strange issue I noticed during these hot days.

If the autocomplete of the bash/libreadline is the reason, the dump is not that useful, as the abort() of the glibc had detected an error which had already happened (IMHO), and in the dump the backtrace (even with full option) shows another action which belongs to the executable systemct below /home/cb/bin/ ... note the missing `l' to get a complete systemctl located in /usr/bin/

In the bash mailing list Grisha Levit had found via AddressSanitizer of the gcc some bugs, e.g. in parse.y, but this was for the current devel version, not bash 5.2 ... nevertheless e.g. the use-after-free of ttok is also in 5.2 AFAICS

https://bugzilla.suse.com/show_bug.cgi?id=1213353

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|bash crash during           |bash crash during
                   |autocompletion:             |autocompletion:
                   |systemctmalloc_consolidate( |systemct<TAB> with
                   |): unaligned fastbin chunk  |malloc_consolidate():
                   |detected                    |unaligned fastbin chunk
                   |                            |detected

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c16

--- Comment #16 from Dr. Werner Fink <werner@suse.com> ---
Created attachment 868317
  --> https://bugzilla.suse.com/attachment.cgi?id=868317&action=edit
bash-asan.tar.xz

A version of bash and libreadline compiled and linked with address sanitizer ... warning could be dangerous

  tar tf bash-asan.tar.xz
  bin/bash.asan
  lib64/bash/libhistory.so.8
  lib64/bash/libhistory.so.8.2
  lib64/bash/libreadline.so.8
  lib64/bash/libreadline.so.8.2

here it works in a chroot environment ...

  noether:~ # mount -t proc proc /abuild/oscbuild/standard/proc
  noether:~ # chroot /abuild/oscbuild/standard/ /bin/bash.asan
  noether:/ # ll /proc/$$/exe
  lrwxrwxrwx 1 root root 0 Jul 19 12:42 /proc/11752/exe -> /usr/bin/bash.asan
  noether:/ # exit
  noether:~ # umount /abuild/oscbuild/standard/proc

... the problem could be libreadline which might also poison /bin/bash via runtime linker

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c17

--- Comment #17 from Dr. Werner Fink <werner@suse.com> ---
Just tried a local user cb here with your prompt as well as a systemct in ~/bin/ ... the Asan only reports some smaller leaks, nothing to worry about ... the git prompt shell functions seem to scan a git repository (I'm using a local clone git@github.com:cboltz/bash-git-prompt.git) ... no corrupted memory

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c18

--- Comment #18 from Dr. Werner Fink <werner@suse.com> ---
AFAICS from source code those two leaks are false positive as there are checks if the allocated strings/character arrays are already allocated

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c19

--- Comment #19 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Dr. Werner Fink from comment #17)
> Just tried a local user cb here with your prompt as well as a systemct in ~/bin/ .

Just to clarify:

cb@tux:~> ls -l ~/bin/syst*
ls: cannot access '/home/cb/bin/syst*': No such file or directory

I don't have a "systemct" binary - not in ~/bin/, and also not somewhere else in $PATH. (Also no function or alias with that name.)

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c20

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #868317|0                           |1
        is obsolete|                            |
              Flags|                            |needinfo?(suse-beta@cboltz.
                   |                            |de)

--- Comment #20 from Dr. Werner Fink <werner@suse.com> ---
Created attachment 868418
  --> https://bugzilla.suse.com/attachment.cgi?id=868418&action=edit
bash-asan.tar.xz ... with disables leak check and

Please try this one ... install below root aka / via

  cd /
  tar xf /<pathto>/bash-asan.tar.xz

edit /etc/passwd to use /bin/bash.asan for user cb. Content:

  tar tf /usr/src/werner/bash/bash/bash-asan.tar.xz
  usr/bin/bash.asan
  usr/lib64/libhistory_asan.so
  usr/lib64/libhistory_asan.so.8
  usr/lib64/libhistory_asan.so.8.2
  usr/lib64/libreadline_asan.so
  usr/lib64/libreadline_asan.so.8
  usr/lib64/libreadline_asan.so.8.2

note that /bin should be a link to /usr/bin

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c21

--- Comment #21 from Dr. Werner Fink <werner@suse.com> ---
Any news here?

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c22

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(suse-beta@cboltz. |
                   |de)                         |

--- Comment #22 from Christian Boltz <suse-beta@cboltz.de> ---
The good news is that I never had bash crashing since then.

The "bad" news is that this means that single crash will stay a mystery - with no way to reproduce it, finding out what happened is more or less impossible.

On the positive side, let's assume it really was a one-time issue and hopefully won't happen again.

To sum it up: feel free to close as "worksforme" ;-)

https://bugzilla.suse.com/show_bug.cgi?id=1213353
https://bugzilla.suse.com/show_bug.cgi?id=1213353#c23

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?                   |
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED

--- Comment #23 from Dr. Werner Fink <werner@suse.com> ---
OK