[4976] in Athena Bugs
vax 7.0D: csh dumps core
daemon@ATHENA.MIT.EDU (Ezra Peisach)
Wed May 23 17:41:19 1990
To: bugs@ATHENA.MIT.EDU
Cc: jtkohl@ATHENA.MIT.EDU
Date: Wed, 23 May 90 17:41:00 EDT
From: Ezra Peisach <epeisach@ATHENA.MIT.EDU>
System name: medusa (really lycus)
Type and version: CVAXSTAR 7.0D (1 update(s) to same version)
(really no updates past 7.0D)
Display type: SM
What were you trying to do?
Actually, it was John Kohl:
change directory.
What's wrong:
csh dumped core after changing directory.
Short reason:
Referencing past the end of a string is a bad thing to do.
It just so happens that in this scenario, it was the end of the
sbrk space allocated to csh. I guess we've been statistically
lucky all this time.
The long reason:
Look at the debugging info below:
From adb:
_dcanon(533e4,533e4) from 2487
_dfollow(4e664) from _dochngd+be
_dochngd(3c728,53364) from _func+6a
_func(53364,895c) from de2a
_execute(53364,1a22) from df61
_execute(52de4,1a22) from dfa9
_execute(4e7e4,1a22) from 1971
_process(1) from fcb
_main(0,7fffe1f4,7fffe1fc) from start+3d
$?
no process
memory fault
p1lr 1fff98
p1br 80673600
p0lr 400029a
p0br 80e72200
ksp 7ffffae8
esp -1
ssp -1
psl 3c00000
pc 276f _dcanon+45
usp 7fffd764
fp 7fffdb70
ap 7fffdb98
r11 533e4
r10 53400
r9 533ff
r8 7fffe1f4
r7 7fffe738
r6 3bb58
r5 6 start+6
r4 0 start
r3 14ce6
r2 1a start+1a
r1 1 start+1
r0 0 start
_dcanon+45: tstb (r10)
533e4/s
533e4: /mit/krb5/build/@sys/asn.1/
533ff/xx
533ff: 0
data address not found <---- Out of memory....
How can the bug be reproduced:
Method 1) Infinite number of monkeys.
2) In saber:
load sh.dir.c
(ignore the warning on rcsid)
char *p="/foo/bar/";
dcanon(p,p);
(continue with unresolved errors)
Pops right up at you.
What should have happened:
It should not have dumped core.
Please describe any relevant documentation references:
core(5)
Possible fix:
*** /tmp/,RCSt1008911 Wed May 23 17:34:34 1990
--- sh.dir.c Wed May 23 17:21:09 1990
***************
*** 369,375 ****
;
p = sp; /* save start of component */
slash = 0;
! while (*++p) /* find next slash or end of path */
if (*p == '/') {
slash = 1;
*p = 0;
--- 369,375 ----
;
p = sp; /* save start of component */
slash = 0;
! while (*p && *++p) /* find next slash or end of path */
if (*p == '/') {
slash = 1;
*p = 0;
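Review bot: the `*p &&` guard added to the `while (*++p)` line is what stops the scan when `p = sp` already points at the terminating NUL, which is exactly the empty-component case a trailing slash produces (the `/foo/bar/` reproduction above). Without it the pre-increment moves past the end of the string before anything is tested, and the read continues until it hits a zero byte or, as in the adb trace (`tstb (r10)` at `_dcanon+45`), an unmapped address. Two points to confirm: for a non-empty component the guard is redundant (`*p` is then the component's first character), so behaviour changes only in the empty-component case; and because the hunk ends at line 375, it does not show the code after the loop, so the full function should be checked to make sure the path where the loop body never runs (`p` still equal to `sp`, `slash` still 0) is handled correctly there.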
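As an added, stand-alone example (not the csh source and not part of this report), the following C program shows a reduced form of the component-scanning loop in dcanon() with the guard from the patch applied, run over a few constructed inputs including the trailing-slash path from the reproduction. The names canon_path and canon_equals are my own; the function collapses runs of slashes and removes empty and "." components, but omits the ".." and symbolic-link handling of the real dcanon().

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the csh source: a reduced form of the component loop
 * in sh.dir.c's dcanon(). Collapses runs of '/', removes empty components
 * and "." components; does not handle ".." or symbolic links. The scan uses
 * the guarded form "while (*p && *++p)" so that an empty final component
 * (the trailing slash in "/foo/bar/") never advances p past the NUL.
 * Modifies buf in place; buf must be a writable absolute path. Returns buf. */
char *canon_path(char *buf)
{
    char *p = buf, *sp, *p1, *p2;
    int slash;

    while (*p) {                         /* for each component */
        sp = p;                          /* save slash address */
        while (*++p == '/')              /* flush extra slashes */
            ;
        if (p != ++sp)                   /* squeeze the run down to one '/' */
            for (p1 = sp, p2 = p; (*p1++ = *p2++) != '\0';)
                ;
        p = sp;                          /* start of component */
        slash = 0;
        /* The unguarded original, "while (*++p)", pre-increments before
         * testing, so when *p is already NUL it reads past the string. */
        while (*p && *++p)               /* find next slash or end of path */
            if (*p == '/') {
                slash = 1;
                *p = '\0';               /* temporarily terminate component */
                break;
            }
        if (*sp == '\0') {               /* empty component (trailing slash) */
            if (--sp == buf)             /* path is just "/" */
                break;
            *sp = '\0';                  /* drop the trailing slash */
        } else if (sp[0] == '.' && sp[1] == '\0') {   /* "." component */
            if (slash) {                 /* "./rest" -> "rest" */
                for (p1 = sp, p2 = p + 1; (*p1++ = *p2++) != '\0';)
                    ;
                p = --sp;                /* rescan from the preceding '/' */
            } else if (--sp != buf)      /* trailing "/." */
                *sp = '\0';
        } else if (slash) {
            *p = '/';                    /* restore the slash and continue */
        }
    }
    return buf;
}

/* Copy a constant input into a writable buffer, canonicalize it, and
 * compare with the expected result. Returns 1 on match, 0 otherwise. */
int canon_equals(const char *in, const char *want)
{
    char buf[256];
    if (strlen(in) >= sizeof buf)
        return 0;
    strcpy(buf, in);
    return strcmp(canon_path(buf), want) == 0;
}

int main(void)
{
    /* Constructed inputs; the first is the path from the reproduction. */
    const char *inputs[] = { "/foo/bar/", "/foo//bar", "/foo/./bar",
                             "/foo/.", "//", "/" };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        strcpy(buf, inputs[i]);
        printf("%-12s -> %s\n", inputs[i], canon_path(buf));
    }
    return 0;
}
```

Changing the guarded line back to `while (*++p)` and running the program under a bounds checker reproduces the out-of-bounds read on the first input: the loop starts at the NUL that ends the string and steps past it before testing anything.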