Subject: bash malloc problem
To: None <port-mips@NetBSD.org>
From: TAKEMURA Shin Takemura <takemura@ca2.so-net.ne.jp>
List: port-mips
Date: 08/17/2003 18:21:10
Hi,

I found that pkgsrc/shells/bash2 does not work at all on current 
NetBSD/hpcmips. This problem seems to be the same one which was
reported on port-hpcmips ML by taka_hpcmips@hotmail.com.

I feel that the problem is related to the toolchain and is MIPS generic.
Because I'm not a toolchain expert, I have no idea how to address the problem.
Did anyone see the same problem on other MIPS ports?

From: "taka" <taka_hpcmips@hotmail.com>
Subject: Hello!
Date: Fri, 20 Jun 2003 00:22:32 -0400

> I just installed NetBSD 1.6.1 on my Intermec 6651, 
> and finished re-compiling the kernel and userland (NetBSD 1.6T). Then, I got
> some problems. 

> When I type "bash", the following error message comes up.
> >malloc: unknown:0: assertion botched
> >free: called with unallocated block argument
> >last command: (null)
> >Stopped myself...Abort trap (core dumped)

bash has its own malloc, realloc and free functions in
bash/lib/malloc/malloc.c.

When the problem occurs, the call tree is:

tgetent
  t_getstr (in libtermcap)
    cgetstr (in libc)
      malloc (in libc)
      realloc (in libc)
    free (bash version)
      xbotch()

t_getstr calls bash's own free() with a memory pointer which was allocated
by libc, and the free() detects the corruption.

libtermcap and libc are dynamically linked.

% ldd bash
bash:
         -ltermcap.0 => /usr/lib/libtermcap.so.0
         -lintl.0 => /usr/lib/libintl.so.0
         -lc.12 => /usr/lib/libc.so.12

The build process does not seem to be special.

gcc  -I. -I../.. -I../.. -I../../include -I../../lib -DHAVE_CONFIG_H -DSHELL
  -g -DRCHECK -Dbotch=programming_error   -c malloc.c
rm -f libmalloc.a
ar cr libmalloc.a malloc.o  trace.o stats.o table.o watch.o
test -n "ranlib" && ranlib libmalloc.a
rm -f bash
gcc -L./builtins -L./lib/readline -L./lib/readline -L./lib/glob  -L./lib/tilde
 -L./lib/malloc -L./lib/sh    -g -o bash shell.o eval.o y.tab.o general.o
 make_cmd.o print_cmd.o   dispose_cmd.o execute_cmd.o variables.o copy_cmd.o
  error.o  expr.o flags.o jobs.o subst.o hashcmd.o hashlib.o mailcheck.o  
  trap.o input.o unwind_prot.o pathexp.o sig.o test.o version.o  alias.o
  array.o arrayfunc.o braces.o bracecomp.o bashhist.o  bashline.o  list.o
  stringlib.o locale.o findcmd.o redir.o  pcomplete.o pcomplib.o syntax.o
  xmalloc.o termcap.o -lbuiltins -lsh -lreadline -lhistory -ltermcap -lglob
  -ltilde -lmalloc  -lintl

Here is the gdb output.
With this, you can see there are two versions of malloc in one bash process.
(There are two versions of free also.)

(gdb) disass 0x30167318
Dump of assembler code for function malloc:	# libc version
0x30167318 <malloc>:    lui     gp,0x6		# cgetstr calls this
0x3016731c <malloc+4>:  addiu   gp,gp,-28504
0x30167320 <malloc+8>:  addu    gp,gp,t9
0x30167324 <malloc+12>: addiu   sp,sp,-56
0x30167328 <malloc+16>: sw      gp,16(sp)
0x3016732c <malloc+20>: lw      v0,-31220(gp)

(gdb) disas malloc
Dump of assembler code for function malloc:	# bash version
0x51f71c <malloc>:      lui     gp,0xfaf
0x51f720 <malloc+4>:    addiu   gp,gp,-6908
0x51f724 <malloc+8>:    addu    gp,gp,t9
0x51f728 <malloc+12>:   addiu   sp,sp,-40
0x51f72c <malloc+16>:   sw      gp,16(sp)
0x51f730 <malloc+20>:   sw      ra,32(sp)

TAKEMURA
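
The failure mode described in this message, as an added example that is not part of the original post and is not bash's code: a block handed out by one allocator is passed to another allocator's checked free(), which inspects the bytes in front of the pointer and rejects them. The header layout, constants, pool sizes and the names a_malloc, b_malloc and a_free are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model: layout and constants are constructed for this example
   and are not copied from bash's lib/malloc/malloc.c. */
enum { POOL = 256, ST_ALLOC = 0xf7, ST_FREE = 0x54, HDR_MAGIC = 0x5555 };
struct hdr { uint8_t status, pad; uint16_t magic; uint32_t nbytes; };
enum free_result { FREE_OK, FREE_UNALLOCATED, FREE_DOUBLE };

static _Alignas(8) unsigned char pool_a[POOL], pool_b[POOL];
static size_t top_a, top_b;

/* Bump-allocate n bytes from a pool, preceded by hlen bytes of bookkeeping. */
static void *carve(unsigned char *pool, size_t *top,
                   const void *meta, size_t hlen, size_t n) {
    size_t need = hlen + ((n + 7) & ~(size_t)7);
    if (need > POOL - *top) return NULL;
    memcpy(pool + *top, meta, hlen);
    *top += need;
    return pool + *top - need + hlen;
}

/* Allocator A stands in for the program's own malloc: checked header. */
void *a_malloc(size_t n) {
    struct hdr h = { ST_ALLOC, 0, HDR_MAGIC, (uint32_t)n };
    return carve(pool_a, &top_a, &h, sizeof h, n);
}

/* Allocator B stands in for libc: different bookkeeping, a bare size word. */
void *b_malloc(size_t n) {
    uint64_t size_word = n;
    return carve(pool_b, &top_b, &size_word, sizeof size_word, n);
}

/* A's free(): validates the header; a real checked allocator aborts instead. */
enum free_result a_free(void *p) {
    struct hdr h;
    unsigned char *hp = (unsigned char *)p - sizeof h;
    memcpy(&h, hp, sizeof h);
    if (h.magic != HDR_MAGIC) return FREE_UNALLOCATED;  /* foreign block */
    if (h.status != ST_ALLOC)
        return h.status == ST_FREE ? FREE_DOUBLE : FREE_UNALLOCATED;
    h.status = ST_FREE;
    memcpy(hp, &h, sizeof h);
    return FREE_OK;
}

int main(void) {  /* exit 0: own block is freed, foreign block is rejected */
    void *own = a_malloc(16), *foreign = b_malloc(16);
    return !(a_free(own) == FREE_OK && a_free(foreign) == FREE_UNALLOCATED);
}
```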