GNU bug report logs - #16165
24.3.50: writing beyond window matrices, heap corruption, crash


Package: emacs;

Reported by: Dmitry Antipov <dmantipov <at> yandex.ru>

Date: Mon, 16 Dec 2013 15:17:02 UTC

Severity: normal

Merged with 16164

Found in version 24.3.50

Done: martin rudalics <rudalics <at> gmx.at>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#16165; Package emacs. (Mon, 16 Dec 2013 15:17:02 GMT)

Acknowledgement sent to Dmitry Antipov <dmantipov <at> yandex.ru>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Mon, 16 Dec 2013 15:17:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Dmitry Antipov <dmantipov <at> yandex.ru>
To: bug-gnu-emacs <at> gnu.org
Cc: martin rudalics <rudalics <at> gmx.at>
Subject: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Mon, 16 Dec 2013 19:15:41 +0400
How to reproduce:

0) Compile with the default configuration ('./configure --prefix=/your/choice').
1) Change 'emacs-source-dir' in window-test.el to match your setup.
2) Run 'emacs -Q -l window-test.el -f window-test'.
3) Wait for crash.

Some backtraces:

(gdb) bt
#0  0x0000003869a7cde8 in _int_free (av=0x3869dba780 <main_arena>, p=0xf00950, have_lock=1) at malloc.c:3945
#1  0x0000003869a7efb7 in _int_realloc (av=av@entry=0x3869dba780 <main_arena>, oldp=oldp@entry=0xf000a0, oldsize=oldsize@entry=4240,
    nb=nb@entry=2224) at malloc.c:4304
#2  0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xf000b0, bytes=2208) at malloc.c:2988
#3  0x00000000005e0481 in xrealloc (block=0xf000b0, size=2208) at ../../trunk/src/alloc.c:697
#4  0x00000000005e05ed in xnrealloc (pa=0xf000b0, nitems=46, item_size=48) at ../../trunk/src/alloc.c:750
#5  0x000000000041809c in adjust_glyph_matrix (w=0x12dfe98, matrix=0x1625700, x=0, y=0, dim=...) at ../../trunk/src/dispnew.c:492
#6  0x000000000041b47a in allocate_matrices_for_window_redisplay (w=0x12dfe98) at ../../trunk/src/dispnew.c:1729
#7  0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x19667f0) at ../../trunk/src/dispnew.c:1714
#8  0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x14442b8) at ../../trunk/src/dispnew.c:1714
#9  0x000000000041c00c in adjust_frame_glyphs_for_window_redisplay (f=0x12e1cd8) at ../../trunk/src/dispnew.c:2032
#10 0x000000000041b50a in adjust_frame_glyphs (f=0x12e1cd8) at ../../trunk/src/dispnew.c:1749
#11 0x00000000004b879e in apply_window_adjustment (w=0x12dfe98) at ../../trunk/src/window.c:6600
#12 0x00000000004b889f in Fset_window_margins (window=..., left_width=..., right_width=...) at ../../trunk/src/window.c:6644

(gdb) bt
#0  0x0000003869a7ef2b in _int_realloc (av=av@entry=0x3869dba780 <main_arena>, oldp=oldp@entry=0x17e1650,
    oldsize=oldsize@entry=2224, nb=nb@entry=4240) at malloc.c:4227
#1  0x0000003869a805a2 in __GI___libc_realloc (oldmem=0x17e1660, bytes=4224) at malloc.c:2988
#2  0x0000000000536b92 in xrealloc (block=<optimized out>, size=size@entry=4224) at ../../trunk/src/alloc.c:697
#3  0x0000000000536c30 in xnrealloc (pa=<optimized out>, nitems=nitems@entry=88, item_size=item_size@entry=48)
    at ../../trunk/src/alloc.c:750
#4  0x00000000004197a9 in adjust_glyph_matrix (w=w@entry=0x11671a8, matrix=0x1676480, x=x@entry=0, y=y@entry=0, dim=...,
    dim@entry=...) at ../../trunk/src/dispnew.c:492
#5  0x0000000000419cd0 in allocate_matrices_for_window_redisplay (w=0x11671a8) at ../../trunk/src/dispnew.c:1729
#6  0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x1164178) at ../../trunk/src/dispnew.c:1714
#7  0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay (f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#8  adjust_frame_glyphs (f=f@entry=0x1128be8) at ../../trunk/src/dispnew.c:1749
#9  0x000000000044c748 in redisplay_internal () at ../../trunk/src/xdisp.c:13622
#10 0x000000000044e580 in redisplay_preserve_echo_area (from_where=from_where@entry=2) at ../../trunk/src/xdisp.c:13856
#11 0x000000000041ac1a in Fredisplay (force=12083378) at ../../trunk/src/dispnew.c:5829

(gdb) bt
#0  0x0000003869a359e9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x0000003869a370f8 in __GI_abort () at abort.c:90
#2  0x0000003869a75d17 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x3869b7e568 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x0000003869a7bbe7 in malloc_printerr (action=<optimized out>, str=0x3869b7bcdb "realloc(): invalid next size",
    ptr=<optimized out>) at malloc.c:4937
#4  0x0000003869a7f177 in _int_realloc (av=av@entry=0x3869dba780 <main_arena>, oldp=oldp@entry=0xe447e0, oldsize=oldsize@entry=4240,
    nb=nb@entry=4240) at malloc.c:4184
#5  0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xe447f0, bytes=4224) at malloc.c:2988
#6  0x0000000000536b92 in xrealloc (block=<optimized out>, size=size@entry=4224) at ../../trunk/src/alloc.c:697
#7  0x0000000000536c30 in xnrealloc (pa=<optimized out>, nitems=nitems@entry=88, item_size=item_size@entry=48)
    at ../../trunk/src/alloc.c:750
#8  0x00000000004197a9 in adjust_glyph_matrix (w=w@entry=0x1129bf8, matrix=0xcfda00, x=x@entry=0, y=y@entry=0, dim=...,
    dim@entry=...) at ../../trunk/src/dispnew.c:492
#9  0x0000000000419ce6 in allocate_matrices_for_window_redisplay (w=0x1129bf8) at ../../trunk/src/dispnew.c:1730
#10 0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x17fde48) at ../../trunk/src/dispnew.c:1714
#11 0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay (f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#12 adjust_frame_glyphs (f=0x1128be8) at ../../trunk/src/dispnew.c:1749
#13 0x0000000000468369 in apply_window_adjustment (w=w@entry=0x1129bf8) at ../../trunk/src/window.c:6600
#14 0x000000000046d8c1 in set_window_buffer (window=window@entry=17996797, buffer=buffer@entry=15071845,
    run_hooks_p=run_hooks_p@entry=true, keep_margins_p=<optimized out>) at ../../trunk/src/window.c:3391
#15 0x000000000046e1de in Fset_window_buffer (window=<optimized out>, buffer_or_name=<optimized out>, keep_margins=12083378)
    at ../../trunk/src/window.c:3455

Running:

valgrind --tool=memcheck --leak-check=full ./temacs -Q -l window-test.el -f window-test

==>

...
==8691== Invalid write of size 8
==8691==    at 0x47419C: extend_face_to_end_of_line (xdisp.c:18876)
==8691==    by 0x47D216: display_mode_line (xdisp.c:21165)
==8691==    by 0x47CC5E: display_mode_lines (xdisp.c:21092)
==8691==    by 0x4695AA: redisplay_window (xdisp.c:16337)
==8691==    by 0x45FAC1: redisplay_window_0 (xdisp.c:14023)
==8691==    by 0x607C95: internal_condition_case_1 (eval.c:1368)
==8691==    by 0x45FA2C: redisplay_windows (xdisp.c:14003)
==8691==    by 0x45F9E2: redisplay_windows (xdisp.c:13997)
==8691==    by 0x45E894: redisplay_internal (xdisp.c:13602)
==8691==    by 0x45F39A: redisplay_preserve_echo_area (xdisp.c:13860)
==8691==    by 0x425E46: Fredisplay (dispnew.c:5829)
==8691==    by 0x609E5E: eval_sub (eval.c:2175)
==8691==  Address 0xf3fc0f0 is 0 bytes after a block of size 4,224 alloc'd
==8691==    at 0x4A082F7: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8691==    by 0x5E0480: xrealloc (alloc.c:697)
==8691==    by 0x5E05EC: xnrealloc (alloc.c:750)
==8691==    by 0x41809B: adjust_glyph_matrix (dispnew.c:492)
==8691==    by 0x41B479: allocate_matrices_for_window_redisplay (dispnew.c:1729)
==8691==    by 0x41C00B: adjust_frame_glyphs_for_window_redisplay (dispnew.c:2032)
==8691==    by 0x41B509: adjust_frame_glyphs (dispnew.c:1749)
==8691==    by 0x4B879D: apply_window_adjustment (window.c:6600)
==8691==    by 0x4B889E: Fset_window_margins (window.c:6644)
==8691==    by 0x609EC0: eval_sub (eval.c:2181)
==8691==    by 0x605126: Fprogn (eval.c:458)
==8691==    by 0x605072: Fcond (eval.c:436)
...
valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

I didn't bisect, but the first suspect is pixelwise-resize change (r115301).

Dmitry
[window-test.el (text/x-emacs-lisp, attachment)]
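The valgrind output above places the invalid write exactly at the end of a 4,224-byte block, which is the 88 glyphs of 48 bytes that xnrealloc was asked for in the second backtrace, while the first backtrace resizes the same kind of row to 46 glyphs. That is the shape of the bug: a row writer fills out to the width the window now advertises while the heap block still has the capacity from an earlier adjustment. The C model below is an added example, not code from Emacs's dispnew.c or xdisp.c; the structs, adjust_row, window_consistent, extend_row_checked and the two simulate_* functions are constructed for illustration. It shows the defensive form such a writer can take: capacity recorded beside the pointer, the fill loop bounded by that capacity rather than by the window width, and the mismatch reported so redisplay can re-run the matrix adjustment instead of corrupting heap metadata.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the failure class in this report; none of it is
   Emacs code.  A "glyph" is 48 bytes, matching item_size=48 in the
   backtraces, so a row of 88 glyphs is the 4,224-byte block valgrind names. */
enum { GLYPH_SIZE = 48 };
typedef struct { unsigned char bytes[GLYPH_SIZE]; } glyph;

typedef struct {
    glyph *glyphs;
    int allocated;   /* glyphs really present in the heap block */
    int used;        /* glyphs written so far */
} glyph_row;

typedef struct {
    glyph_row row;
    int width;       /* columns the display code believes the row has */
} window_model;

/* Model of the xnrealloc step in adjust_glyph_matrix: grow or shrink the
   row's block and record the new capacity next to the pointer. */
bool adjust_row(glyph_row *row, int ncols)
{
    glyph *p = realloc(row->glyphs, (size_t)ncols * sizeof(glyph));
    if (p == NULL)
        return false;
    row->glyphs = p;
    row->allocated = ncols;
    if (row->used > ncols)
        row->used = ncols;
    return true;
}

/* Consistency check a redisplay pass can run after a window adjustment:
   the width the window advertises must not exceed the row's capacity. */
bool window_consistent(const window_model *w)
{
    return w->width <= w->row.allocated;
}

/* Model of extend_face_to_end_of_line: pad the row with `face` out to the
   window width.  Unlike the crashing path, the loop is bounded by the
   block's real capacity, and the function reports how many glyphs it
   refused to write; 0 means width and capacity agreed. */
int extend_row_checked(window_model *w, unsigned char face)
{
    int limit = w->width < w->row.allocated ? w->width : w->row.allocated;
    for (int i = w->row.used; i < limit; i++)
        memset(&w->row.glyphs[i], face, sizeof(glyph));
    if (w->row.used < limit)
        w->row.used = limit;
    return w->width > w->row.allocated ? w->width - w->row.allocated : 0;
}

/* Scenario from the report: the window goes from 46 to 88 columns (the two
   nitems values in the backtraces) but the row is only re-allocated for the
   first size.  Returns the number of glyphs the checked writer refused,
   i.e. the overrun an unchecked writer would have committed. */
int simulate_stale_width(void)
{
    window_model w = { { NULL, 0, 0 }, 0 };
    if (!adjust_row(&w.row, 46))
        return -1;
    w.width = 46;
    int refused = extend_row_checked(&w, 0x20);   /* consistent: refuses 0 */
    w.width = 88;                                  /* window grew, matrix did not */
    refused += extend_row_checked(&w, 0x20);      /* refuses 42 glyphs */
    free(w.row.glyphs);
    return refused;
}

/* Same scenario with the adjustment applied before the write: nothing is
   refused and the row fills to all 88 columns.  Returns the used count. */
int simulate_readjusted(void)
{
    window_model w = { { NULL, 0, 0 }, 0 };
    if (!adjust_row(&w.row, 46) || !adjust_row(&w.row, 88))
        return -1;
    w.width = 88;
    if (!window_consistent(&w) || extend_row_checked(&w, 0x20) != 0)
        return -2;
    int used = w.row.used;
    free(w.row.glyphs);
    return used;
}

int main(void)
{
    printf("stale width: %d glyphs refused\n", simulate_stale_width());
    printf("re-adjusted: row used = %d\n", simulate_readjusted());
    return 0;
}
```

The refused count is the same number valgrind would otherwise report as bytes written past the block (42 glyphs, or 2,016 bytes, in the stale case); asserting that it is 0 after every adjust_frame_glyphs-style pass is the cheap invariant that turns silent heap corruption into a reproducible diagnostic.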

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#16165; Package emacs. (Mon, 16 Dec 2013 17:06:02 GMT)

Message #8 received at 16165 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Dmitry Antipov <dmantipov <at> yandex.ru>
Cc: 16165 <at> debbugs.gnu.org
Subject: Re: bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Mon, 16 Dec 2013 19:05:17 +0200
> Date: Mon, 16 Dec 2013 19:15:41 +0400
> From: Dmitry Antipov <dmantipov <at> yandex.ru>
> 
> I didn't bisect, but the first suspect is pixelwise-resize change (r115301).

No, it's probably 115535.  I will take a look.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#16165; Package emacs. (Mon, 16 Dec 2013 18:01:02 GMT)

Message #11 received at 16165 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: dmantipov <at> yandex.ru
Cc: 16165 <at> debbugs.gnu.org
Subject: Re: bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Mon, 16 Dec 2013 20:01:00 +0200
> Date: Mon, 16 Dec 2013 19:05:17 +0200
> From: Eli Zaretskii <eliz <at> gnu.org>
> Cc: 16165 <at> debbugs.gnu.org
> 
> > Date: Mon, 16 Dec 2013 19:15:41 +0400
> > From: Dmitry Antipov <dmantipov <at> yandex.ru>
> > 
> > I didn't bisect, but the first suspect is pixelwise-resize change (r115301).
> 
> No, it's probably 115535.  I will take a look.

Please try again, I think I fixed this.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#16165; Package emacs. (Mon, 16 Dec 2013 18:25:02 GMT)

Message #14 received at 16165 <at> debbugs.gnu.org:

From: martin rudalics <rudalics <at> gmx.at>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: dmantipov <at> yandex.ru, 16165 <at> debbugs.gnu.org
Subject: Re: bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Mon, 16 Dec 2013 19:24:45 +0100
> Please try again, I think I fixed this.

Was that your latest change or am I confused again?

../../src/xdisp.c: In function ‘extend_face_to_end_of_line’:
../../src/xdisp.c:18869:20: error: ‘struct frame’ has no member named ‘tool_bar_window’
../../src/xdisp.c:18870:25: error: ‘struct frame’ has no member named ‘tool_bar_window’
make[1]: *** [xdisp.o] Fehler 1
make[1]: Leaving directory `/home/martin/emacs/quickfixes/obj-gtk/src'
make: *** [src] Fehler 2

martin

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#16165; Package emacs. (Mon, 16 Dec 2013 19:33:01 GMT)

Message #17 received at 16165 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: martin rudalics <rudalics <at> gmx.at>
Cc: dmantipov <at> yandex.ru, 16165 <at> debbugs.gnu.org
Subject: Re: bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Mon, 16 Dec 2013 21:32:35 +0200
> Date: Mon, 16 Dec 2013 19:24:45 +0100
> From: martin rudalics <rudalics <at> gmx.at>
> CC: dmantipov <at> yandex.ru, 16165 <at> debbugs.gnu.org
> 
> > Please try again, I think I fixed this.
> 
> Was that your latest change or am I confused again?
> 
> ../../src/xdisp.c: In function ‘extend_face_to_end_of_line’:
> ../../src/xdisp.c:18869:20: error: ‘struct frame’ has no member named ‘tool_bar_window’
> ../../src/xdisp.c:18870:25: error: ‘struct frame’ has no member named ‘tool_bar_window’
> make[1]: *** [xdisp.o] Fehler 1
> make[1]: Leaving directory `/home/martin/emacs/quickfixes/obj-gtk/src'
> make: *** [src] Fehler 2

Yes, my bad, now fixed (I think).

(I wish that those toolkit dependencies on the struct member level
would never have seen the light of day!)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#16165; Package emacs. (Mon, 16 Dec 2013 19:50:02 GMT)

Message #20 received at 16165 <at> debbugs.gnu.org:

From: martin rudalics <rudalics <at> gmx.at>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: dmantipov <at> yandex.ru, 16165 <at> debbugs.gnu.org
Subject: Re: bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Mon, 16 Dec 2013 20:49:05 +0100
> Yes, my bad, now fixed (I think).

Seems to work and pass Mitya's window-test (for a couple
of minutes, at least).

> (I wish that those toolkit dependencies on the struct member level
> would never have seen the light of day!)

;-)

Thanks, martin

Reply sent to martin rudalics <rudalics <at> gmx.at>:
You have taken responsibility. (Wed, 31 Dec 2014 18:39:02 GMT)

Notification sent to Dmitry Antipov <dmantipov <at> yandex.ru>:
bug acknowledged by developer. (Wed, 31 Dec 2014 18:39:03 GMT)

Message #25 received at 16165-done <at> debbugs.gnu.org:

From: martin rudalics <rudalics <at> gmx.at>
To: eliz <at> gnu.org, 16165-done <at> debbugs.gnu.org
Subject: Re: bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Wed, 31 Dec 2014 19:38:13 +0100
> Yes, my bad, now fixed (I think).

Bug closed.

martin

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 29 Jan 2015 12:24:04 GMT)

bug unarchived. Request was from Noam Postavsky <npostavs <at> gmail.com> to control <at> debbugs.gnu.org. (Fri, 15 Jun 2018 11:52:02 GMT)

Forcibly Merged 16164 16165. Request was from Noam Postavsky <npostavs <at> gmail.com> to control <at> debbugs.gnu.org. (Fri, 15 Jun 2018 11:52:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 14 Jul 2018 11:24:05 GMT)
