Shane Ambler <[EMAIL PROTECTED]> writes:
> Tom Lane wrote:
>> Hm, so the question is: is it our bug or Apple's?  If you kept the
>> busted history file, would you be willing to send me a copy?

> The zip file attached has the psql_history file that crashes when
> quitting but doesn't appear to contain the steps I did when it first
> crashed.

So the answer is: it's Apple's bug, or at least not ours.  libedit
contains a typo that causes it to potentially fail when saving strings
exceeding 256 bytes.  Check out this code (around line 730 in history.c):

	len = strlen(ev.str) * 4;
	if (len >= max_size) {
		char *nptr;
		max_size = (len + 1023) & 1023;
		nptr = h_realloc(ptr, max_size);

I think the intent of the max_size recalculation is to select the next
1K boundary larger than "len", but it actually produces a number *less*
than 1K.  Probably "(len + 1023) & ~1023" was meant ... but even that is
wrong if len is exactly a multiple of 1024, because it will fail to
round up.  So the buffer is realloc'd too small, and that results in a
potential memory clobber if the history entry is less than 1K, and a
guaranteed clobber if it's more.

The source code available from Apple shows that they got this code from
NetBSD originally

/* $NetBSD: history.c,v 1.25 2003/10/18 23:48:42 christos Exp $ */

so this may well be a pretty generic *BSD bug.  Anyone clear on who to
report it to?  I have no idea if libedit is an independent project...

			regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
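The rounding arithmetic Tom picks apart above is worth seeing side by side. The program below is an added illustration, not code from libedit, NetBSD or this thread: it evaluates the expression as quoted from history.c, the "& ~1023" form Tom guesses was intended, and a third form, (len + 1024) & ~1023, which is my own suggestion for an expression that always yields the next 1K boundary strictly above len. For each one it counts how many lengths in a range would still leave len >= max_size, which is exactly the condition that triggered the realloc in the first place and therefore the condition under which the new buffer is too small.

```c
#include <stddef.h>
#include <stdio.h>

/* Function type for a "round len up to a buffer size" formula. */
typedef size_t (*size_formula)(size_t len);

/* The expression as it appears in the quoted libedit history.c.
 * (len + 1023) & 1023 is the same as (len + 1023) mod 1024, so for
 * every len >= 1 it is len - 1 mod 1024: always smaller than len. */
size_t libedit_max_size(size_t len)
{
	return (len + 1023) & 1023;
}

/* The form Tom suspects was meant.  Rounds up to a multiple of 1024,
 * but when len is already a multiple of 1024 it returns len itself,
 * which still fails the len >= max_size check. */
size_t presumed_intent(size_t len)
{
	return (len + 1023) & ~(size_t)1023;
}

/* Suggested correction (an assumption of this example, not from the
 * thread): adding 1024 before masking always yields a multiple of 1024
 * that is strictly greater than len, by at most 1024. */
size_t next_1k_above(size_t len)
{
	return (len + 1024) & ~(size_t)1023;
}

/* Returns nonzero when a buffer of max_size bytes cannot hold a string
 * of length len: the same comparison libedit uses to decide to grow. */
int buffer_too_small(size_t len, size_t max_size)
{
	return len >= max_size;
}

/* Counts the lengths in [1, upto] for which the formula hands back a
 * buffer that is still too small for len. */
size_t count_failures(size_formula f, size_t upto)
{
	size_t len, failures = 0;

	for (len = 1; len <= upto; len++)
		if (buffer_too_small(len, f(len)))
			failures++;
	return failures;
}

int main(void)
{
	/* Constructed sample lengths; 4100 is a little over 4 x 1024. */
	const size_t samples[] = { 1, 300, 1023, 1024, 1025, 4100 };
	size_t i;

	printf("%6s %12s %12s %12s\n", "len", "as written", "& ~1023", "+1024&~1023");
	for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		size_t len = samples[i];
		printf("%6zu %12zu %12zu %12zu\n", len,
		       libedit_max_size(len), presumed_intent(len),
		       next_1k_above(len));
	}
	printf("too-small results over 1..8192: as written %zu, & ~1023 %zu, +1024 %zu\n",
	       count_failures(libedit_max_size, 8192),
	       count_failures(presumed_intent, 8192),
	       count_failures(next_1k_above, 8192));
	return 0;
}
```

Running it shows the quoted expression undersizing the buffer for every length tried (for len = 4100 it asks for a 3-byte buffer), the "& ~1023" form failing only at exact multiples of 1024, and the third form never failing in the range.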