emacs-bug-tracker



From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#16165: closed (24.3.50: writing beyond window matrices, heap corruption, crash)
Date: Wed, 31 Dec 2014 18:39:02 +0000

Your message dated Wed, 31 Dec 2014 19:38:13 +0100
with message-id <address@hidden>
and subject line Re: bug#16165: 24.3.50: writing beyond window matrices, heap 
corruption, crash
has caused the debbugs.gnu.org bug report #16165,
regarding 24.3.50: writing beyond window matrices, heap corruption, crash
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
16165: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16165
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Mon, 16 Dec 2013 19:15:41 +0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

How to reproduce:

0) Compile with the default configuration ('./configure --prefix=/your/choice').
1) Change 'emacs-source-dir' in window-test.el to match your setup.
2) Run 'emacs -Q -l window-test.el -f window-test'.
3) Wait for crash.

Some backtraces:

(gdb) bt
#0  0x0000003869a7cde8 in _int_free (av=0x3869dba780 <main_arena>, p=0xf00950, 
have_lock=1) at malloc.c:3945
#1  0x0000003869a7efb7 in _int_realloc (address@hidden <main_arena>, 
address@hidden, address@hidden,
    address@hidden) at malloc.c:4304
#2  0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xf000b0, bytes=2208) at 
malloc.c:2988
#3  0x00000000005e0481 in xrealloc (block=0xf000b0, size=2208) at 
../../trunk/src/alloc.c:697
#4  0x00000000005e05ed in xnrealloc (pa=0xf000b0, nitems=46, item_size=48) at 
../../trunk/src/alloc.c:750
#5  0x000000000041809c in adjust_glyph_matrix (w=0x12dfe98, matrix=0x1625700, 
x=0, y=0, dim=...) at ../../trunk/src/dispnew.c:492
#6  0x000000000041b47a in allocate_matrices_for_window_redisplay (w=0x12dfe98) 
at ../../trunk/src/dispnew.c:1729
#7  0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x19667f0) 
at ../../trunk/src/dispnew.c:1714
#8  0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x14442b8) 
at ../../trunk/src/dispnew.c:1714
#9  0x000000000041c00c in adjust_frame_glyphs_for_window_redisplay 
(f=0x12e1cd8) at ../../trunk/src/dispnew.c:2032
#10 0x000000000041b50a in adjust_frame_glyphs (f=0x12e1cd8) at 
../../trunk/src/dispnew.c:1749
#11 0x00000000004b879e in apply_window_adjustment (w=0x12dfe98) at 
../../trunk/src/window.c:6600
#12 0x00000000004b889f in Fset_window_margins (window=..., left_width=..., 
right_width=...) at ../../trunk/src/window.c:6644

(gdb) bt
#0  0x0000003869a7ef2b in _int_realloc (address@hidden <main_arena>, 
address@hidden,
    address@hidden, address@hidden) at malloc.c:4227
#1  0x0000003869a805a2 in __GI___libc_realloc (oldmem=0x17e1660, bytes=4224) at 
malloc.c:2988
#2  0x0000000000536b92 in xrealloc (block=<optimized out>, address@hidden) at 
../../trunk/src/alloc.c:697
#3  0x0000000000536c30 in xnrealloc (pa=<optimized out>, address@hidden, 
address@hidden)
    at ../../trunk/src/alloc.c:750
#4  0x00000000004197a9 in adjust_glyph_matrix (address@hidden, 
matrix=0x1676480, address@hidden, address@hidden, dim=...,
    address@hidden) at ../../trunk/src/dispnew.c:492
#5  0x0000000000419cd0 in allocate_matrices_for_window_redisplay (w=0x11671a8) 
at ../../trunk/src/dispnew.c:1729
#6  0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x1164178) 
at ../../trunk/src/dispnew.c:1714
#7  0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay 
(f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#8  adjust_frame_glyphs (address@hidden) at ../../trunk/src/dispnew.c:1749
#9  0x000000000044c748 in redisplay_internal () at ../../trunk/src/xdisp.c:13622
#10 0x000000000044e580 in redisplay_preserve_echo_area (address@hidden) at 
../../trunk/src/xdisp.c:13856
#11 0x000000000041ac1a in Fredisplay (force=12083378) at 
../../trunk/src/dispnew.c:5829

(gdb) bt
#0  0x0000003869a359e9 in __GI_raise (address@hidden) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x0000003869a370f8 in __GI_abort () at abort.c:90
#2  0x0000003869a75d17 in __libc_message (address@hidden, address@hidden "*** Error 
in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x0000003869a7bbe7 in malloc_printerr (action=<optimized out>, str=0x3869b7bcdb 
"realloc(): invalid next size",
    ptr=<optimized out>) at malloc.c:4937
#4  0x0000003869a7f177 in _int_realloc (address@hidden <main_arena>, 
address@hidden, address@hidden,
    address@hidden) at malloc.c:4184
#5  0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xe447f0, bytes=4224) at 
malloc.c:2988
#6  0x0000000000536b92 in xrealloc (block=<optimized out>, address@hidden) at 
../../trunk/src/alloc.c:697
#7  0x0000000000536c30 in xnrealloc (pa=<optimized out>, address@hidden, 
address@hidden)
    at ../../trunk/src/alloc.c:750
#8  0x00000000004197a9 in adjust_glyph_matrix (address@hidden, matrix=0xcfda00, 
address@hidden, address@hidden, dim=...,
    address@hidden) at ../../trunk/src/dispnew.c:492
#9  0x0000000000419ce6 in allocate_matrices_for_window_redisplay (w=0x1129bf8) 
at ../../trunk/src/dispnew.c:1730
#10 0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x17fde48) 
at ../../trunk/src/dispnew.c:1714
#11 0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay 
(f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#12 adjust_frame_glyphs (f=0x1128be8) at ../../trunk/src/dispnew.c:1749
#13 0x0000000000468369 in apply_window_adjustment (address@hidden) at 
../../trunk/src/window.c:6600
#14 0x000000000046d8c1 in set_window_buffer (address@hidden, address@hidden,
    address@hidden, keep_margins_p=<optimized out>) at 
../../trunk/src/window.c:3391
#15 0x000000000046e1de in Fset_window_buffer (window=<optimized out>, 
buffer_or_name=<optimized out>, keep_margins=12083378)
    at ../../trunk/src/window.c:3455

Running:

valgrind --tool=memcheck --leak-check=full ./temacs -Q -l window-test.el -f window-test

==>

...
==8691== Invalid write of size 8
==8691==    at 0x47419C: extend_face_to_end_of_line (xdisp.c:18876)
==8691==    by 0x47D216: display_mode_line (xdisp.c:21165)
==8691==    by 0x47CC5E: display_mode_lines (xdisp.c:21092)
==8691==    by 0x4695AA: redisplay_window (xdisp.c:16337)
==8691==    by 0x45FAC1: redisplay_window_0 (xdisp.c:14023)
==8691==    by 0x607C95: internal_condition_case_1 (eval.c:1368)
==8691==    by 0x45FA2C: redisplay_windows (xdisp.c:14003)
==8691==    by 0x45F9E2: redisplay_windows (xdisp.c:13997)
==8691==    by 0x45E894: redisplay_internal (xdisp.c:13602)
==8691==    by 0x45F39A: redisplay_preserve_echo_area (xdisp.c:13860)
==8691==    by 0x425E46: Fredisplay (dispnew.c:5829)
==8691==    by 0x609E5E: eval_sub (eval.c:2175)
==8691==  Address 0xf3fc0f0 is 0 bytes after a block of size 4,224 alloc'd
==8691==    at 0x4A082F7: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8691==    by 0x5E0480: xrealloc (alloc.c:697)
==8691==    by 0x5E05EC: xnrealloc (alloc.c:750)
==8691==    by 0x41809B: adjust_glyph_matrix (dispnew.c:492)
==8691==    by 0x41B479: allocate_matrices_for_window_redisplay (dispnew.c:1729)
==8691==    by 0x41C00B: adjust_frame_glyphs_for_window_redisplay (dispnew.c:2032)
==8691==    by 0x41B509: adjust_frame_glyphs (dispnew.c:1749)
==8691==    by 0x4B879D: apply_window_adjustment (window.c:6600)
==8691==    by 0x4B889E: Fset_window_margins (window.c:6644)
==8691==    by 0x609EC0: eval_sub (eval.c:2181)
==8691==    by 0x605126: Fprogn (eval.c:458)
==8691==    by 0x605072: Fcond (eval.c:436)
...
valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

I didn't bisect, but the first suspect is pixelwise-resize change (r115301).

Dmitry

Attachment: window-test.el
Description: Text Data


--- End Message ---
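
Added example (not part of the original report or of Emacs): the Memcheck record above pairs the faulting write with the allocation it overran, and this Python code parses such a record to name the writing function, the function that owns the buffer, and the first out-of-bounds element. The names parse_memcheck and triage are hypothetical; item_size=48 is taken from the xnrealloc frame in the first gdb backtrace and is assumed to apply to the 4,224-byte block because both allocations come from dispnew.c:492.

```python
import re
# Constructed sample: a few lines excerpted from the Memcheck output quoted in the report.
SAMPLE = """\
==8691== Invalid write of size 8
==8691==    at 0x47419C: extend_face_to_end_of_line (xdisp.c:18876)
==8691==  Address 0xf3fc0f0 is 0 bytes after a block of size 4,224 alloc'd
==8691==    at 0x4A082F7: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8691==    by 0x5E0480: xrealloc (alloc.c:697)
==8691==    by 0x5E05EC: xnrealloc (alloc.c:750)
==8691==    by 0x41809B: adjust_glyph_matrix (dispnew.c:492)
"""
ERR = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"Address 0x[0-9a-f]+ is ([\d,]+) bytes (after|before|inside) "
                  r"a block of size ([\d,]+) (alloc'd|free'd)", re.I)
FRAME = re.compile(r"(?:at|by) 0x[0-9a-f]+: (\S+) \((?:in )?([^)]*)\)", re.I)
WRAPPERS = {"malloc", "calloc", "realloc", "xmalloc", "xrealloc", "xnrealloc"}

def parse_memcheck(text):
    """Return one dict per invalid access: access stack, block info, origin stack."""
    errors, cur, stack = [], None, None
    for raw in text.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw)
        if m := ERR.search(line):
            cur = {"kind": m[1], "size": int(m[2]), "access": [], "block": None, "origin": []}
            errors.append(cur)
            stack = cur["access"]
        elif cur and (m := ADDR.search(line)):
            cur["block"] = {"offset": int(m[1].replace(",", "")), "where": m[2],
                            "size": int(m[3].replace(",", "")), "state": m[4]}
            stack = cur["origin"]          # frames that follow describe the allocation
        elif cur and (m := FRAME.search(line)):
            stack.append((m[1], m[2]))
        elif not line.strip():
            cur = None                     # blank line ends the current error record
    return errors

def triage(err, item_size=None):
    """Classify one record; item_size (bytes per array element) is an assumption."""
    blk = err["block"]
    if blk is None:
        return {"verdict": "unknown"}
    verdict = ("use-after-free" if blk["state"] == "free'd" else
               {"after": "heap overflow", "before": "heap underflow"}.get(blk["where"], "unknown"))
    out = {"verdict": verdict, "accessor": err["access"][0] if err["access"] else None,
           # first origin frame that is not a generic allocator wrapper owns the buffer
           "owner": next((f for f in err["origin"] if f[0] not in WRAPPERS), None)}
    if item_size and verdict == "heap overflow":
        out.update(capacity=blk["size"] // item_size,
                   first_bad_index=(blk["size"] + blk["offset"]) // item_size)
    return out
```

Calling triage(parse_memcheck(SAMPLE)[0], item_size=48) reports a row of 88 elements written at index 88, by extend_face_to_end_of_line into a buffer sized by adjust_glyph_matrix.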
--- Begin Message ---
Subject: Re: bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Wed, 31 Dec 2014 19:38:13 +0100

> Yes, my bad, now fixed (I think).

Bug closed.

martin


--- End Message ---
