seg fault after interrupting time of shell function

[Fergus Henderson]

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-pc-linux-gnu'
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL
-DHAVE_CONFIG_H   -I.  -I../. -I.././include -I.././lib  -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2
-fdebug-prefix-map=/build/bash-GTWdCm/bash-4.4.18=.
-fstack-protector-strong -Wformat -Werror=format-security -Wall
-Wno-parentheses -Wno-format-security
uname output: Linux <redacted>.google.com <redacted>-amd64 #1 SMP Debian
<redacted> (2019-05-15 > 2018) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 4.4
Patch Level: 19
Release Status: release

Description:
I found a reproducible segmentation fault in bash.
Some interaction between the "time" builtin and signals, perhaps?

The stack trace for this crash (with addresses elided) was:
#0  ... in _int_malloc (av=av@entry=... <main_arena>, bytes=bytes@entry=32)
at malloc.c:...
#1  ... in __GI___libc_malloc (bytes=32) at malloc.c:...
#2  ... in xmalloc ()
#3  ... in unwind_protect_mem ()
#4  ... in ?? ()
#5  ... in ?? ()
#6  ... in execute_command_internal ()
#7  ... in execute_command ()
#8  ... in reader_loop ()
#9  ... in main ()

Repeat-By:
1. Start a bash shell, and type the following commands:
       foo() { sleep 10; sleep 10; }
       bar() { time foo; }
       bar
2. Interrupt the command in step 1 by hitting control-C after "bar" has
  been running for a second or two.
3. Type the following commands:
       bar

Terminal log from reproducing this bug:

bash$ env - bash --noprofile --norc
bash-4.4$ ulimit -c unlimited
bash-4.4$ cd /tmp
bash-4.4$ foo() { sleep 10; sleep 10; }
bash-4.4$ bar() { time foo; }
bash-4.4$ bar
^C

real    0m0.832s
user    0m0.002s
sys     0m0.001s
bash-4.4$ bar
Segmentation fault (core dumped)

-- 
Fergus Henderson <fergus@google.com>