set -lx LC_ALL C segfaults fish on alpine linux #4387

Closed
xsteadfastx opened this issue Sep 8, 2017 · 20 comments

@xsteadfastx

running makefile completions results in a segfault in alpine linux edge.
reproduce:

root@fd57004ee111 ~# cat Makefile
foo:
        echo "foo"

root@fd57004ee111 ~# fish
Welcome to fish, the friendly interactive shell

root@fd57004ee111 ~# make <tab>fish: 'fish' terminated by signal SIGILL (Illegal instruction)

root@fd57004ee111 ~#

recorded: https://asciinema.org/a/HNYMR4Qo7Zlcdc8ZTjbMbCegc

here is some info:

root@fd57004ee111 ~# uname -a
Linux fd57004ee111 4.10.0-21-generic #23-Ubuntu SMP Fri Apr 28 16:14:22 UTC 2017 x86_64 Linux

root@fd57004ee111 ~# echo $version
2.6.0

root@fd57004ee111 ~# fish --version
fish, version 2.6.0
@faho
Member

faho commented Sep 8, 2017

Okay, let's try to figure out where exactly the issue happens. This should be executing __fish_print_make_targets, so I'd suggest running that.

If that still crashes, try make -C . -pn >/dev/null ^/dev/null - we do that to figure out if you're using GNU make or BSD make. If that returns 0 without crashing, try

make -C . -prRn | awk -v RS= -F: '/^# Files/,/^# Finished Make data base/ {if ($1 !~ "^[#.]") {print $1}}' ^/dev/null

If it returns something else without crashing, try

make -C $directory -d g1 -rn >/dev/null ^| awk -F, '/^#\*\*\* Input graph:/,/^$/ {if ($1 !~ "^#... ") {gsub(/# /,"",$1); print $1}}' ^/dev/null

@xsteadfastx
Author

i think the second make command didn't work

/ # fish
Welcome to fish, the friendly interactive shell
root@d780fe3db693 /# make -C . -pn >/dev/null ^/dev/null
root@d780fe3db693 /# make -C . -prRn | awk -v RS= -F: '/^# Files/,/^# Finished Make data base/ {if ($1 !~ "^[#.]") {print $1}}' ^/dev/null
make: *** No targets specified and no makefile found.  Stop.
root@d780fe3db693 /# make -C $directory -d g1 -rn >/dev/null ^| awk -F, '/^#\*\*\* Input graph:/,/^$/ {if ($1 !~ "^#... ") {gsub(/# /,"",$1); print $1}}' ^/dev/null
root@d780fe3db693 /#

@faho
Member

faho commented Sep 8, 2017

Sorry, for the second also use "." instead of $directory.

@faho
Member

faho commented Sep 8, 2017

Sorry, complete red herring.

This crashes in set -lx LC_ALL C.

@faho
Member

faho commented Sep 8, 2017

Yeah... it's a PaX thing. Running fish -c 'set LC_ALL C' under GDB (on Alpine) prints:

warning: Cannot call inferior functions, Linux kernel PaX protection forbids return to non-executable pages!

@faho
Member

faho commented Sep 8, 2017

Nope, that's normal when running gdb under PaX.

@zanchey added the "bug" label (Something that's not working as intended) Sep 8, 2017
@faho
Member

faho commented Sep 8, 2017

Okay, now I have managed to

  • Install Alpine (thankfully a rather quick process) in a VM

  • Reproduce the issue (with set -lx LC_ALL C) with the fish package

  • Clone fish

  • Not managed to reproduce the issue with that, not even with 2.6.0.

That PaX stuff is still throwing me off. Ideally I'd love to have a fish with debug information that I can reproduce this on. The package either doesn't have that or PaX is blocking it.

@faho changed the title from "make completion segfaults fish on alpine linux" to "set -lx LC_ALL C segfaults fish on alpine linux" Sep 8, 2017
@faho
Member

faho commented Sep 8, 2017

Okay, I have figured out how to build a fish package with debug symbols (add option=!strip to the package build file thingamajig).

However, I have then failed at installing that package - it constantly tells me about how it's untrusted. The documentation seems to be near-nonexistent (no man pages, the wiki is ... sparse), so I'm giving up on this for the time being.

@xsteadfastx: Please build a fish with debug info attached, and run gdb --args fish -c 'set -lx LC_ALL C'. Then tell us where it's crashing.

@xsteadfastx
Author

ok i try it. i built some alpine packages before... i will try to get it going

@xsteadfastx
Author

xsteadfastx commented Sep 8, 2017

built it and installed it but gdb --args fish -c 'set -lx LC_ALL C' starts some kind of gdb shell that doesn't have completions at all.

~/fish $ gdb --args fish -c 'set -lx LC_ALL C'
GNU gdb (GDB) 7.12.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-alpine-linux-musl".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from fish...done.

@faho
Member

faho commented Sep 8, 2017

You want run.

@xsteadfastx
Author

(gdb) run
Starting program: /usr/bin/fish -c set\ -lx\ LC_ALL\ C
warning: Error disabling address space randomization: Operation not permitted
During startup program exited normally.

@xsteadfastx
Author

xsteadfastx commented Sep 8, 2017

and guess what... if i run that version the make completions work.... without a segfault. all i did was... using the same APKBUILD as the package with that problem and added the option=!strip

@faho
Member

faho commented Sep 8, 2017

Please report a bug to the alpine people. I'm assuming fish needs to be rebuilt.

@xsteadfastx
Author

a dev is testing it right now. i keep you updated

@awilfox

awilfox commented Sep 11, 2017

The Alpine documentation is a mess (and I am personally trying to fix it).

You need to use --allow-untrusted to apk, or else put the public key that you signed the package with into /etc/apk/keys.

SIGILL is generated by fortify-headers (the musl libc equivalent of glibc's -D_FORTIFY_SOURCE), not PaX. This means that a buffer has overrun somewhere (not necessarily in fish) or that a function has been called with an unsafe parameter.

My local machine is set up for debugging packages and never strips them. Unfortunately I cannot duplicate on it either :( What platform are you using? x86_64?

@xsteadfastx
Copy link
Author

i'm here on x86_64

@awilfox

awilfox commented Sep 11, 2017

No line information, but I did pull this out of the x86_64 fish APK from Alpine Edge:

Thread 1 "fish" received signal SIGILL, Illegal instruction.
0x00005555555a2422 in ?? ()
(gdb) bt
#0  0x00005555555a2422 in ?? ()
#1  0x00005555555a27e4 in fish_setlocale() ()
#2  0x00005555555ae86f in ?? ()
#3  0x00005555555adefc in ?? ()
#4  0x00005555555adb15 in env_set(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, wchar_t const*, unsigned int) ()
#5  0x000055555558a481 in ?? ()
#6  0x000055555559b233 in builtin_set(parser_t&, io_streams_t&, wchar_t**) ()
#7  0x00005555555905cc in builtin_run(parser_t&, wchar_t const* const*, io_streams_t&) ()
#8  0x00005555555b6f93 in exec_job(parser_t&, job_t*) ()
#9  0x00005555555d4ecb in parse_execution_context_t::run_1_job(parse_node_t const&, block_t const*) ()
#10 0x00005555555d4fd6 in parse_execution_context_t::run_job_list(parse_node_t const&, block_t const*) ()
#11 0x00005555555d5d21 in parse_execution_context_t::eval_node_at_offset(unsigned int, block_t const*, io_chain_t const&) ()
#12 0x00005555555dd6da in parser_t::eval_block_node(unsigned int, io_chain_t const&, block_type_t) ()
#13 0x00005555555de2b6 in parser_t::eval(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, io_chain_t const&, block_type_t, parse_node_tree_t) ()
#14 0x00005555555de44b in parser_t::eval(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, io_chain_t const&, block_type_t) ()
#15 0x00005555555e5aff in reader_run_command(parser_t&, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ()
#16 0x00005555555ea6b1 in reader_read(int, io_chain_t const&) ()
#17 0x000055555558c45f in main ()

@awilfox

awilfox commented Sep 11, 2017

fish_setlocale determines if a symbol can be used by calling can_be_encoded, a thin wrapper around wcrtomb.

This crash is caused by the POSIX conformance bug I filed against fortify-headers some time ago. This should be fixed on the next Alpine build cycle.
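
Added example (not part of the thread, and not fish's or fortify-headers' code): a hypothetical fortify-style `wcrtomb` wrapper showing why a hardening check kills the process with SIGILL rather than SIGSEGV, and how such a check can trap a correct caller in the "C" locale. The thread does not spell out the defect, so the misfire shown here (treating the `(size_t)-1` encoding-error return as a length) is an assumed illustration; `checked_wcrtomb`, `signal_for` and the `posix_ok` switch are made-up names.

```c
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#include <wchar.h>

/* Hypothetical fortify-style wrapper (not fortify-headers' source): convert
 * into a scratch buffer and trap if the result would not fit in dst.
 * With posix_ok == 0 the (size_t)-1 error return is mistaken for a length. */
static size_t checked_wcrtomb(char *dst, size_t dst_size, wchar_t wc, int posix_ok)
{
    char scratch[MB_LEN_MAX];
    mbstate_t st;
    memset(&st, 0, sizeof st);
    size_t r = wcrtomb(scratch, wc, &st);
    if (posix_ok && r == (size_t)-1)
        return r;              /* encoding error (EILSEQ): caller's to handle */
    if (r > dst_size)
        __builtin_trap();      /* ud2 on x86, which the kernel reports as SIGILL */
    memcpy(dst, scratch, r);
    return r;
}

/* Run one conversion in a child process; return the signal that killed it,
 * 0 if it exited normally, -1 if fork/waitpid failed. */
int signal_for(wchar_t wc, size_t dst_size, int posix_ok)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char dst[MB_LEN_MAX];
        checked_wcrtomb(dst, dst_size, wc, posix_ok);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    wchar_t euro = (wchar_t)0x20AC;  /* constructed input: not encodable in the "C" locale */
    printf("ASCII, naive check:       signal %d\n", signal_for(L'a', MB_LEN_MAX, 0));
    printf("U+20AC, naive check:      signal %d\n", signal_for(euro, MB_LEN_MAX, 0));
    printf("U+20AC, error passed on:  signal %d\n", signal_for(euro, MB_LEN_MAX, 1));
    printf("ASCII into 0-byte buffer: signal %d\n", signal_for(L'a', 0, 1));
    return 0;
}
```

On x86_64 the second and fourth cases report signal 4 (SIGILL); only the fourth is a real overrun, which is why a SIGILL from a fortified binary needs a backtrace before it is read as memory corruption.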

@faho
Member

faho commented Sep 11, 2017

@awilfox: Thanks for your assistance! Since there is nothing for us to do, I'll close this issue.

@faho closed this as completed Sep 11, 2017
@faho added the "question" label and removed the "bug" label (Something that's not working as intended) Sep 26, 2018