[Toybox] sh: run "command &" in background, showing "jobs" or "ps" will crash
Rob Landley
rob at landley.net
Tue May 30 14:11:34 PDT 2023
On 5/29/23 21:33, Mingliang HU 胡明亮 wrote:
> When running apps in the background by “xxx &” and trying “jobs” or “ps” sometimes, it
> will crash.
>
> It is caused by some TT.jobs arguments being freed.
Hmmm, ps shouldn't care, but jobs will.
Sigh, one of my todo items is instrumenting+poisoning the heap so I can track
lifetime rules better. (In theory the llvm ASAN stuff is doing at least part of
that...)
> static void run_lines(void)
>
> …
>
>   // Three cases: 1) background & 2) pipeline | 3) last process in pipeline ;
>   // If we ran a process and didn't pipe output, background or wait for exit
>   if (pplist && TT.ff->blk->pout == -1) {
>     if (ctl && !strcmp(ctl, "&")) {
>       if (!TT.jobs.c) TT.jobcnt = 0;
>       pplist->job = ++TT.jobcnt;
>       arg_add(&TT.jobs, (void *)pplist);
> --> pplist is freed later...
>       if (TT.options&FLAG_i) dprintf(2, "[%u] %u\n", pplist->job,pplist->pid);
>     } else {
>       toys.exitval = wait_pipeline(pplist);
>       llist_traverse(pplist, (void *)free_process);
>     }
>     pplist = 0;
Assigning zero to it there should make the free() be a NOP?
> }
>
> Then, in show_job(), it will use random points.
I believe you, but need a reproduction sequence.
Job control is only about 2/3 implemented. I had the design worked out at one
point, but it's one of the big branches I was working on that didn't get merged.
There's changes to "kill" and so on that go with it...
Rob
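
The lifetime rule at issue in this thread, as an added example that is not part of the original message and is not toybox code: a job table that holds pointers to process structures has to drop its entry before the structure is freed, otherwise a later listing walks a dangling pointer. All names here (struct proc, struct jobtab, job_add, job_free, job_pid) are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>
// Hypothetical stand-ins for illustration, not toybox's structures.
struct proc { int job, pid; };
struct jobtab { struct proc **v; int c; };

// Record a backgrounded process. The table now holds a pointer to pp.
static int job_add(struct jobtab *t, struct proc *pp)
{
  struct proc **nv = realloc(t->v, (t->c+1)*sizeof(*nv));
  if (!nv) return -1;
  t->v = nv;
  t->v[t->c++] = pp;
  return pp->job;
}

// Release pp, unlinking every table entry that points at it first so no
// later walk of the table can reach freed memory. Returns entries removed.
static int job_free(struct jobtab *t, struct proc *pp)
{
  int i, removed = 0;
  for (i = 0; i<t->c; i++) if (t->v[i] == pp) {
    memmove(t->v+i, t->v+i+1, (t->c-i-1)*sizeof(*t->v));
    t->c--; i--; removed++;
  }
  // Poison as a debugging aid (an optimizer may drop this store).
  memset(pp, 0xA5, sizeof(*pp));
  free(pp);
  return removed;
}

// What a "jobs" style listing does: walk the table and dereference entries.
static int job_pid(struct jobtab *t, int job)
{
  for (int i = 0; i<t->c; i++) if (t->v[i]->job == job) return t->v[i]->pid;
  return -1;
}

int main(void)
{
  struct jobtab t = {0};
  struct proc *a = calloc(1, sizeof(*a));
  if (!a) return 1;
  a->job = 1; a->pid = 100; // constructed sample values
  job_add(&t, a);
  job_free(&t, a);
  int gone = job_pid(&t, 1) == -1; // listing no longer reaches the freed entry
  free(t.v);
  return !gone;
}
```

Building this kind of test with -fsanitize=address reports any read of a freed struct proc at the point of use, which is the lifetime tracking mentioned above.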