Hm, I can reliably reproduce it with or without bash-malloc.

$ base64 -d <<< 'MBgFEBAQMBgFEBAfEA==' > 53

$ cat -v 53
0^X^E^P^P^P0^X^E^P^P^_^P

$ CC=clang CFLAGS='-O0 -ggdb' ./configure && make -j4
(...)

$ ./bash --noprofile --norc -c 'PATH=; set -o emacs; IFS= read -re < 53'
0
./bash: vim: No such file or directory
0rl_maybe_unsave_line: rl_undo_list=0x236c848
rl_maybe_unsave_line: rl_undo_list->next=(nil)
rl_maybe_unsave_line: rl_undo_list=0x236c848
rl_maybe_unsave_line: rl_undo_list->next=(nil)
0
./bash: vim: No such file or directory
rl_do_undo: rl_undo_list = (nil)
rl_do_undo: xfree(release = 0x236c848)
rl_maybe_unsave_line: rl_undo_list=0x2360188
rl_maybe_unsave_line: rl_undo_list->next=0x236c848
rl_do_undo: rl_undo_list = 0x236c848
rl_do_undo: xfree(release = 0x2360188)
rl_do_undo: rl_undo_list = 0x23601c0
rl_do_undo: xfree(release = 0x236c848)

malloc: unknown:0: assertion botched
malloc: 0x236c848: allocated: last allocated from unknown:0
free: called with already freed block argument
Aborting...Aborted


My interpretation of the issue is that the `^_' triggers an `undo', which then
causes bash to release that entry (i.e. `0x236c848' in the example above). Then
the `^P' somehow restores that free'd rl_undo_list entry and bash tries to free
it again during readline_internal_teardown.


Under GDB:

***@ubuntu:~/src/gnu/bash$ gdb --args ./bash --noprofile --norc -c 'PATH=; set -o emacs; IFS= read -re < 53'
GNU gdb (Ubuntu 8.2-0ubuntu1) 8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./bash...done.
(gdb) b rl_maybe_unsave_line
Breakpoint 1 at 0x526128: file misc.c, line 354.
(gdb) b rl_do_undo
Breakpoint 2 at 0x51e6a8: file undo.c, line 175.
(gdb) r
Starting program: /home/dualbus/src/gnu/bash/bash --noprofile --norc -c PATH=\;\ set\ -o\ emacs\;\ IFS=\ read\ -re\ \<\ 53
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0
[Detaching after fork from child process 20660]
/home/dualbus/src/gnu/bash/bash: vim: No such file or directory
0
Breakpoint 1, rl_maybe_unsave_line () at misc.c:354
354 if (_rl_saved_line_for_history)
(gdb) bt
#0 rl_maybe_unsave_line () at misc.c:354
#1 0x00000000005266ea in rl_get_previous_history (count=1, key=16) at misc.c:618
#2 0x00000000004fb350 in _rl_dispatch_subseq (key=16, map=0x575db0 <emacs_standard_keymap>, got_subseq=0) at readline.c:852
#3 0x00000000004face9 in _rl_dispatch (key=16, map=0x575db0 <emacs_standard_keymap>) at readline.c:798
#4 0x00000000004fac59 in readline_internal_char () at readline.c:632
#5 0x00000000004fc282 in readline_internal_charloop () at readline.c:659
#6 0x00000000004fa5ae in readline_internal () at readline.c:671
#7 0x00000000004fa470 in readline (prompt=0x5546af "") at readline.c:377
#8 0x00000000004caa46 in edit_line (p=0x5546af "", itext=0x0) at ./read.def:1104
#9 0x00000000004c94ea in read_builtin (list=0x0) at ./read.def:563
#10 0x000000000044b599 in execute_builtin (builtin=0x4c8590 <read_builtin>, words=0x629428, flags=0, subshell=0) at execute_cmd.c:4677
#11 0x000000000044a96f in execute_builtin_or_function (words=0x629428, builtin=0x4c8590 <read_builtin>, var=0x0, redirects=0x628d08, fds_to_close=0x628dc8, flags=0) at execute_cmd.c:5185
#12 0x00000000004437c9 in execute_simple_command (simple_command=0x628c08, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x628dc8) at execute_cmd.c:4449
#13 0x00000000004412ab in execute_command_internal (command=0x628bc8, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:840
#14 0x0000000000445208 in execute_connection (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:2689
#15 0x0000000000441681 in execute_command_internal (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:1013
#16 0x00000000004bf557 in parse_and_execute (string=0x628408 "PATH=; set -o emacs; IFS= read -re < 53", from_file=0x5353fb "-c", flags=4) at evalstring.c:436
#17 0x0000000000423845 in run_one_command (command=0x7fffffffea8d "PATH=; set -o emacs; IFS= read -re < 53") at shell.c:1416
#18 0x0000000000421920 in main (argc=5, argv=0x7fffffffe758, env=0x7fffffffe788) at shell.c:735
(gdb) c
Continuing.
rl_maybe_unsave_line: rl_undo_list=0x630868
rl_maybe_unsave_line: rl_undo_list->next=(nil)

Breakpoint 1, rl_maybe_unsave_line () at misc.c:354
354 if (_rl_saved_line_for_history)
(gdb) bt
#0 rl_maybe_unsave_line () at misc.c:354
#1 0x00000000005266ea in rl_get_previous_history (count=1, key=16) at misc.c:618
#2 0x00000000004fb350 in _rl_dispatch_subseq (key=16, map=0x575db0 <emacs_standard_keymap>, got_subseq=0) at readline.c:852
#3 0x00000000004face9 in _rl_dispatch (key=16, map=0x575db0 <emacs_standard_keymap>) at readline.c:798
#4 0x00000000004fac59 in readline_internal_char () at readline.c:632
#5 0x00000000004fc282 in readline_internal_charloop () at readline.c:659
#6 0x00000000004fa5ae in readline_internal () at readline.c:671
#7 0x00000000004fa470 in readline (prompt=0x5546af "") at readline.c:377
#8 0x00000000004caa46 in edit_line (p=0x5546af "", itext=0x0) at ./read.def:1104
#9 0x00000000004c94ea in read_builtin (list=0x0) at ./read.def:563
#10 0x000000000044b599 in execute_builtin (builtin=0x4c8590 <read_builtin>, words=0x629428, flags=0, subshell=0) at execute_cmd.c:4677
#11 0x000000000044a96f in execute_builtin_or_function (words=0x629428, builtin=0x4c8590 <read_builtin>, var=0x0, redirects=0x628d08, fds_to_close=0x628dc8, flags=0) at execute_cmd.c:5185
#12 0x00000000004437c9 in execute_simple_command (simple_command=0x628c08, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x628dc8) at execute_cmd.c:4449
#13 0x00000000004412ab in execute_command_internal (command=0x628bc8, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:840
#14 0x0000000000445208 in execute_connection (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:2689
#15 0x0000000000441681 in execute_command_internal (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:1013
#16 0x00000000004bf557 in parse_and_execute (string=0x628408 "PATH=; set -o emacs; IFS= read -re < 53", from_file=0x5353fb "-c", flags=4) at evalstring.c:436
#17 0x0000000000423845 in run_one_command (command=0x7fffffffea8d "PATH=; set -o emacs; IFS= read -re < 53") at shell.c:1416
#18 0x0000000000421920 in main (argc=5, argv=0x7fffffffe758, env=0x7fffffffe788) at shell.c:735
(gdb) c
Continuing.
rl_maybe_unsave_line: rl_undo_list=0x630868
rl_maybe_unsave_line: rl_undo_list->next=(nil)
0
[Detaching after fork from child process 20661]
/home/dualbus/src/gnu/bash/bash: vim: No such file or directory

Breakpoint 2, rl_do_undo () at undo.c:175
175 start = end = waiting_for_begin = 0;
(gdb) bt
#0 rl_do_undo () at undo.c:175
#1 0x000000000051ec08 in rl_undo_command (count=1, key=31) at undo.c:333
#2 0x00000000004fb350 in _rl_dispatch_subseq (key=31, map=0x575db0 <emacs_standard_keymap>, got_subseq=0) at readline.c:852
#3 0x00000000004face9 in _rl_dispatch (key=31, map=0x575db0 <emacs_standard_keymap>) at readline.c:798
#4 0x00000000004fac59 in readline_internal_char () at readline.c:632
#5 0x00000000004fc282 in readline_internal_charloop () at readline.c:659
#6 0x00000000004fa5ae in readline_internal () at readline.c:671
#7 0x00000000004fa470 in readline (prompt=0x5546af "") at readline.c:377
#8 0x00000000004caa46 in edit_line (p=0x5546af "", itext=0x0) at ./read.def:1104
#9 0x00000000004c94ea in read_builtin (list=0x0) at ./read.def:563
#10 0x000000000044b599 in execute_builtin (builtin=0x4c8590 <read_builtin>, words=0x629428, flags=0, subshell=0) at execute_cmd.c:4677
#11 0x000000000044a96f in execute_builtin_or_function (words=0x629428, builtin=0x4c8590 <read_builtin>, var=0x0, redirects=0x628d08, fds_to_close=0x628dc8, flags=0) at execute_cmd.c:5185
#12 0x00000000004437c9 in execute_simple_command (simple_command=0x628c08, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x628dc8) at execute_cmd.c:4449
#13 0x00000000004412ab in execute_command_internal (command=0x628bc8, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:840
#14 0x0000000000445208 in execute_connection (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:2689
#15 0x0000000000441681 in execute_command_internal (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:1013
#16 0x00000000004bf557 in parse_and_execute (string=0x628408 "PATH=; set -o emacs; IFS= read -re < 53", from_file=0x5353fb "-c", flags=4) at evalstring.c:436
#17 0x0000000000423845 in run_one_command (command=0x7fffffffea8d "PATH=; set -o emacs; IFS= read -re < 53") at shell.c:1416
#18 0x0000000000421920 in main (argc=5, argv=0x7fffffffe758, env=0x7fffffffe788) at shell.c:735
(gdb) c
Continuing.
rl_do_undo: rl_undo_list = (nil)
rl_do_undo: xfree(release = 0x630868)

Breakpoint 1, rl_maybe_unsave_line () at misc.c:354
354 if (_rl_saved_line_for_history)
(gdb) bt
#0 rl_maybe_unsave_line () at misc.c:354
#1 0x00000000005266ea in rl_get_previous_history (count=1, key=16) at misc.c:618
#2 0x00000000004fb350 in _rl_dispatch_subseq (key=16, map=0x575db0 <emacs_standard_keymap>, got_subseq=0) at readline.c:852
#3 0x00000000004face9 in _rl_dispatch (key=16, map=0x575db0 <emacs_standard_keymap>) at readline.c:798
#4 0x00000000004fac59 in readline_internal_char () at readline.c:632
#5 0x00000000004fc282 in readline_internal_charloop () at readline.c:659
#6 0x00000000004fa5ae in readline_internal () at readline.c:671
#7 0x00000000004fa470 in readline (prompt=0x5546af "") at readline.c:377
#8 0x00000000004caa46 in edit_line (p=0x5546af "", itext=0x0) at ./read.def:1104
#9 0x00000000004c94ea in read_builtin (list=0x0) at ./read.def:563
#10 0x000000000044b599 in execute_builtin (builtin=0x4c8590 <read_builtin>, words=0x629428, flags=0, subshell=0) at execute_cmd.c:4677
#11 0x000000000044a96f in execute_builtin_or_function (words=0x629428, builtin=0x4c8590 <read_builtin>, var=0x0, redirects=0x628d08, fds_to_close=0x628dc8, flags=0) at execute_cmd.c:5185
#12 0x00000000004437c9 in execute_simple_command (simple_command=0x628c08, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x628dc8) at execute_cmd.c:4449
#13 0x00000000004412ab in execute_command_internal (command=0x628bc8, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:840
#14 0x0000000000445208 in execute_connection (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:2689
#15 0x0000000000441681 in execute_command_internal (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:1013
#16 0x00000000004bf557 in parse_and_execute (string=0x628408 "PATH=; set -o emacs; IFS= read -re < 53", from_file=0x5353fb "-c", flags=4) at evalstring.c:436
#17 0x0000000000423845 in run_one_command (command=0x7fffffffea8d "PATH=; set -o emacs; IFS= read -re < 53") at shell.c:1416
#18 0x0000000000421920 in main (argc=5, argv=0x7fffffffe758, env=0x7fffffffe788) at shell.c:735
(gdb) c
Continuing.
rl_maybe_unsave_line: rl_undo_list=0x6295c8
rl_maybe_unsave_line: rl_undo_list->next=0x630868

Breakpoint 2, rl_do_undo () at undo.c:175
175 start = end = waiting_for_begin = 0;
(gdb) bt
#0 rl_do_undo () at undo.c:175
#1 0x000000000051eb93 in rl_revert_line (count=1, key=0) at undo.c:314
#2 0x00000000004fa829 in readline_internal_teardown (eof=1) at readline.c:471
#3 0x00000000004fa5c1 in readline_internal () at readline.c:672
#4 0x00000000004fa470 in readline (prompt=0x5546af "") at readline.c:377
#5 0x00000000004caa46 in edit_line (p=0x5546af "", itext=0x0) at ./read.def:1104
#6 0x00000000004c94ea in read_builtin (list=0x0) at ./read.def:563
#7 0x000000000044b599 in execute_builtin (builtin=0x4c8590 <read_builtin>, words=0x629428, flags=0, subshell=0) at execute_cmd.c:4677
#8 0x000000000044a96f in execute_builtin_or_function (words=0x629428, builtin=0x4c8590 <read_builtin>, var=0x0, redirects=0x628d08, fds_to_close=0x628dc8, flags=0) at execute_cmd.c:5185
#9 0x00000000004437c9 in execute_simple_command (simple_command=0x628c08, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x628dc8) at execute_cmd.c:4449
#10 0x00000000004412ab in execute_command_internal (command=0x628bc8, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:840
#11 0x0000000000445208 in execute_connection (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:2689
#12 0x0000000000441681 in execute_command_internal (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:1013
#13 0x00000000004bf557 in parse_and_execute (string=0x628408 "PATH=; set -o emacs; IFS= read -re < 53", from_file=0x5353fb "-c", flags=4) at evalstring.c:436
#14 0x0000000000423845 in run_one_command (command=0x7fffffffea8d "PATH=; set -o emacs; IFS= read -re < 53") at shell.c:1416
#15 0x0000000000421920 in main (argc=5, argv=0x7fffffffe758, env=0x7fffffffe788) at shell.c:735
(gdb) c
Continuing.
rl_do_undo: rl_undo_list = 0x630868
rl_do_undo: xfree(release = 0x6295c8)

Breakpoint 2, rl_do_undo () at undo.c:175
175 start = end = waiting_for_begin = 0;
(gdb) bt
#0 rl_do_undo () at undo.c:175
#1 0x000000000051eb93 in rl_revert_line (count=1, key=0) at undo.c:314
#2 0x00000000004fa829 in readline_internal_teardown (eof=1) at readline.c:471
#3 0x00000000004fa5c1 in readline_internal () at readline.c:672
#4 0x00000000004fa470 in readline (prompt=0x5546af "") at readline.c:377
#5 0x00000000004caa46 in edit_line (p=0x5546af "", itext=0x0) at ./read.def:1104
#6 0x00000000004c94ea in read_builtin (list=0x0) at ./read.def:563
#7 0x000000000044b599 in execute_builtin (builtin=0x4c8590 <read_builtin>, words=0x629428, flags=0, subshell=0) at execute_cmd.c:4677
#8 0x000000000044a96f in execute_builtin_or_function (words=0x629428, builtin=0x4c8590 <read_builtin>, var=0x0, redirects=0x628d08, fds_to_close=0x628dc8, flags=0) at execute_cmd.c:5185
#9 0x00000000004437c9 in execute_simple_command (simple_command=0x628c08, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x628dc8) at execute_cmd.c:4449
#10 0x00000000004412ab in execute_command_internal (command=0x628bc8, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:840
#11 0x0000000000445208 in execute_connection (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:2689
#12 0x0000000000441681 in execute_command_internal (command=0x628d88, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x628dc8) at execute_cmd.c:1013
#13 0x00000000004bf557 in parse_and_execute (string=0x628408 "PATH=; set -o emacs; IFS= read -re < 53", from_file=0x5353fb "-c", flags=4) at evalstring.c:436
#14 0x0000000000423845 in run_one_command (command=0x7fffffffea8d "PATH=; set -o emacs; IFS= read -re < 53") at shell.c:1416
#15 0x0000000000421920 in main (argc=5, argv=0x7fffffffe758, env=0x7fffffffe788) at shell.c:735
(gdb) c
Continuing.
rl_do_undo: rl_undo_list = 0x629600
rl_do_undo: xfree(release = 0x630868)

malloc: unknown:0: assertion botched
malloc: 0x630868: allocated: last allocated from unknown:0
free: called with already freed block argument
Aborting...
Program received signal SIGABRT, Aborted.
__GI_raise (sig=***@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.


$ git diff
diff --git a/builtins/read.def b/builtins/read.def
index a73905c3..0451266f 100644
--- a/builtins/read.def
+++ b/builtins/read.def
@@ -390,7 +390,7 @@ read_builtin (list)
sync_buffered_stream (default_buffered_input);
#endif

-#if 1
+#if 0
input_is_tty = isatty (fd);
#else
input_is_tty = 1;
diff --git a/lib/readline/misc.c b/lib/readline/misc.c
index 64b1457d..38e1d40e 100644
--- a/lib/readline/misc.c
+++ b/lib/readline/misc.c
@@ -357,6 +357,10 @@ rl_maybe_unsave_line (void)
list from a history entry, as in rl_replace_from_history() below. */
rl_replace_line (_rl_saved_line_for_history->line, 0);
rl_undo_list = (UNDO_LIST *)_rl_saved_line_for_history->data;
+ fprintf(stderr, "rl_maybe_unsave_line: rl_undo_list=%p\n", rl_undo_list);
+ if(rl_undo_list) {
+ fprintf(stderr, "rl_maybe_unsave_line: rl_undo_list->next=%p\n", rl_undo_list->next);
+ }
_rl_free_history_entry (_rl_saved_line_for_history);
_rl_saved_line_for_history = (HIST_ENTRY *)NULL;
rl_point = rl_end; /* rl_replace_line sets rl_end */
diff --git a/lib/readline/undo.c b/lib/readline/undo.c
index 75874e5d..4c06483e 100644
--- a/lib/readline/undo.c
+++ b/lib/readline/undo.c
@@ -237,6 +237,8 @@ rl_do_undo (void)

_hs_replace_history_data (-1, (histdata_t *)release, (histdata_t *)rl_undo_list);

+ fprintf(stderr, "rl_do_undo: rl_undo_list = %p\n", rl_undo_list);
+ fprintf(stderr, "rl_do_undo: xfree(release = %p)\n", release);
xfree (release);
}
while (waiting_for_begin);