Fix 'typeset -T' regression involving subshells (re: 1f5287c)

The issue 704 regression test added to types.sh in the referenced commit crashes on some systems. ASan traced the problem to a use after free in nv_restore() in subshell.c, so the problem looked like a problem with virtual subshells right off the bat. Further tracing led me to the probable root cause in nv_settype() in nvdisc.c. That function contains some hackery that temporarily disables the virtual subshell handling by setting sh.subshell to 0. It was added in ksh 93t+ 2010-05-27. This commit replaces that with a sh_subfork() call that makes a virtual subshell fork before a variable changes types in one.
ksh93 · Feb 18, 2024 · b8e3d2a · b8e3d2a
1 parent 0aeea1f
commit b8e3d2a
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 8 deletions.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,11 @@ This documents significant changes in the dev branch of ksh 93u+m.
 For full details, see the git log at: https://github.com/ksh93/ksh
 Uppercase BUG_* IDs are shell bug IDs as used by the Modernish shell library.
 
+2024-02-17:
+
+- Fixed a crash that could occur when using 'typeset -T' typed variables
+  in a virtual subshell.
+
 2024-02-11:
 
 - Added SHOPT_PRINTF_LEGACY compile-time option for compatibility with

diff --git a/src/cmd/ksh93/include/version.h b/src/cmd/ksh93/include/version.h
@@ -18,7 +18,7 @@
 
 #define SH_RELEASE_FORK	"93u+m"		/* only change if you develop a new ksh93 fork */
 #define SH_RELEASE_SVER	"1.1.0-alpha"	/* semantic version number: https://semver.org */
-#define SH_RELEASE_DATE	"2024-02-12"	/* must be in this format for $((.sh.version)) */
+#define SH_RELEASE_DATE	"2024-02-17"	/* must be in this format for $((.sh.version)) */
 #define SH_RELEASE_CPYR	"(c) 2020-2024 Contributors to ksh " SH_RELEASE_FORK
 
 /* Scripts sometimes field-split ${.sh.version}, so don't change amount of whitespace. */

diff --git a/src/cmd/ksh93/sh/nvtype.c b/src/cmd/ksh93/sh/nvtype.c
@@ -1273,7 +1273,6 @@ int nv_settype(Namval_t* np, Namval_t *tp, int flags)
 	char		*val=0;
 	Namarr_t	*ap=0;
 	int		nelem = 0;
-	unsigned int	subshell = sh.subshell;
 	Namval_t	*tq;
 	if(nv_type(np)==tp)
 		return 0;
@@ -1284,6 +1283,8 @@ int nv_settype(Namval_t* np, Namval_t *tp, int flags)
 		errormsg(SH_DICT,ERROR_exit(1),e_redef,nv_name(np));
 		UNREACHABLE();
 	}
+	if(sh.subshell && !sh.subshare)
+		sh_subfork();
 	if((ap=nv_arrayptr(np)) && ap->nelem>0)
 	{
 		nv_putsub(np,NULL,ARRAY_SCAN);
@@ -1299,11 +1300,6 @@ int nv_settype(Namval_t* np, Namval_t *tp, int flags)
 		flags &= ~NV_APPEND;
 		if(!ap)
 		{
-			if(subshell)
-			{
-				sh_assignok(np,1);
-				sh.subshell = 0;
-			}
 			nv_putsub(np,"0",ARRAY_FILL);
 			ap = nv_arrayptr(np);
 			nelem = 1;
@@ -1345,7 +1341,6 @@ int nv_settype(Namval_t* np, Namval_t *tp, int flags)
 			nv_putsub(np,"0",0);
 			_nv_unset(np,NV_RDONLY|NV_TYPE);
 			ap->nelem--;
-			sh.subshell = subshell;
 		}
 	}
 	type_init(np);