sh eval: traps: sh[200] general protection fault ip:479d76 sp:7ffd269121b8 error:0 in toybox[401000+a3000] #467

Open
vt-alt opened this issue Nov 20, 2023 · 0 comments

vt-alt commented Nov 20, 2023

toybox 0.8.10 -- eval crashes.

$ gdb -q --args toybox sh -c 'eval date'
Reading symbols from toybox...
Reading symbols from /usr/lib/debug//bin/toybox.debug...
(gdb) set follow-fork-mode child
(gdb) r
Starting program: /bin/toybox sh -c eval\ date
[Attaching after process 640483 fork to child process 640489]
[New inferior 2 (process 640489)]
[Detaching after fork from parent process 640483]
[Inferior 1 (process 640483) detached]

Thread 2.1 "toybox" received signal SIGSEGV, Segmentation fault.
[Switching to process 640489]
=> 0x479d76 <get_meta+6>:       hlt
get_meta (p=p@entry=0x7ffff7ff5038 "P\215\377\367\377\177") at src/malloc/mallocng/meta.h:131
warning: Source file is more recent than executable.
131             assert(!((uintptr_t)p & 15));
(gdb) bt
#0  get_meta (p=p@entry=0x7ffff7ff5038 "P\215\377\367\377\177") at src/malloc/mallocng/meta.h:131
#1  0x000000000047a25b in __libc_free (p=0x7ffff7ff5038) at src/malloc/mallocng/free.c:105
#2  0x0000000000479d45 in free (p=<optimized out>) at src/malloc/free.c:5
#3  0x000000000040b9e0 in toy_init (which=0x4ffd80 <toy_list+1376>, argv=0x7ffff7ff7980) at /usr/src/debug/toybox-0.8.10/main.c:200
#4  0x000000000040ba81 in toy_exec_which (which=<optimized out>, argv=<optimized out>) at /usr/src/debug/toybox-0.8.10/main.c:228
#5  0x00000000004425e9 in sh_exec (argv=0x7ffff7ff7980) at toys/pending/sh.c:2744
#6  0x000000000040bc09 in xpopen_setup (argv=0x7ffff7ff7980, pipes=0x0, callback=0x4423f2 <sh_exec>) at lib/xwrap.c:291
#7  0x0000000000447a48 in run_command () at toys/pending/sh.c:2902
#8  0x000000000044ff99 in run_lines () at toys/pending/sh.c:3750
#9  do_source (name=name@entry=0x0, ff=<optimized out>) at toys/pending/sh.c:4127
#10 0x00000000004511d8 in eval_main () at toys/pending/sh.c:4578
#11 0x00000000004479ff in run_command () at toys/pending/sh.c:2893
#12 0x000000000044ff99 in run_lines () at toys/pending/sh.c:3750
#13 do_source (name=name@entry=0x7fffffffdf24 "eval date", ff=<optimized out>) at toys/pending/sh.c:4127
#14 0x000000000045113f in sh_main () at toys/pending/sh.c:4329
#15 0x000000000040ba90 in toy_exec_which (which=<optimized out>, argv=<optimized out>) at /usr/src/debug/toybox-0.8.10/main.c:229
#16 0x000000000040caae in toybox_main () at /usr/src/debug/toybox-0.8.10/main.c:255
#17 0x000000000040ba90 in toy_exec_which (which=<optimized out>, argv=<optimized out>) at /usr/src/debug/toybox-0.8.10/main.c:229
#18 0x000000000040caae in toybox_main () at /usr/src/debug/toybox-0.8.10/main.c:255
#19 0x0000000000401086 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/toybox-0.8.10/main.c:302
(gdb) list
126             return p[-3] & 31;
127     }
128
129     static inline struct meta *get_meta(const unsigned char *p)
130     {
131             assert(!((uintptr_t)p & 15));
132             int offset = *(const uint16_t *)(p - 2);
133             int index = get_slot_index(p);
134             if (p[-4]) {
135                     assert(!offset);
(gdb)

Compiled with musl 1.2.4.

vt-alt added a commit to vt-alt/vm-run that referenced this issue Nov 21, 2023
Toybox does not support `set -e` but it supports (buggy[1]) `set -x`,
alas it stops processing options on the first unsupported one, so make
`-x` first.

This does not make toybox work though, because of another bug[2] in eval.

Link: landley/toybox#468
Link: landley/toybox#467
Signed-off-by: Vitaly Chikunov <[email protected]>