GNU bug report logs -
#16165
24.3.50: writing beyond window matrices, heap corruption, crash
Reported by: Dmitry Antipov <dmantipov <at> yandex.ru>
Date: Mon, 16 Dec 2013 15:17:02 UTC
Severity: normal
Merged with 16164
Found in version 24.3.50
Done: martin rudalics <rudalics <at> gmx.at>
Bug is archived. No further changes may be made.
[Message part 1 (text/plain, inline)]
Your bug report
#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
which was filed against the emacs package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 16165 <at> debbugs.gnu.org.
--
16165: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16165
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
> Yes, my bad, now fixed (I think).
Bug closed.
martin
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
How to reproduce:
0) Compile with the default configuration ('./configure --prefix=/your/choice').
1) Change 'emacs-source-dir' in window-test.el to match your setup.
2) Run 'emacs -Q -l window-test.el -f window-test'.
3) Wait for crash.
Some backtraces:
(gdb) bt
#0 0x0000003869a7cde8 in _int_free (av=0x3869dba780 <main_arena>, p=0xf00950, have_lock=1) at malloc.c:3945
#1 0x0000003869a7efb7 in _int_realloc (av=av <at> entry=0x3869dba780 <main_arena>, oldp=oldp <at> entry=0xf000a0, oldsize=oldsize <at> entry=4240,
nb=nb <at> entry=2224) at malloc.c:4304
#2 0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xf000b0, bytes=2208) at malloc.c:2988
#3 0x00000000005e0481 in xrealloc (block=0xf000b0, size=2208) at ../../trunk/src/alloc.c:697
#4 0x00000000005e05ed in xnrealloc (pa=0xf000b0, nitems=46, item_size=48) at ../../trunk/src/alloc.c:750
#5 0x000000000041809c in adjust_glyph_matrix (w=0x12dfe98, matrix=0x1625700, x=0, y=0, dim=...) at ../../trunk/src/dispnew.c:492
#6 0x000000000041b47a in allocate_matrices_for_window_redisplay (w=0x12dfe98) at ../../trunk/src/dispnew.c:1729
#7 0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x19667f0) at ../../trunk/src/dispnew.c:1714
#8 0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x14442b8) at ../../trunk/src/dispnew.c:1714
#9 0x000000000041c00c in adjust_frame_glyphs_for_window_redisplay (f=0x12e1cd8) at ../../trunk/src/dispnew.c:2032
#10 0x000000000041b50a in adjust_frame_glyphs (f=0x12e1cd8) at ../../trunk/src/dispnew.c:1749
#11 0x00000000004b879e in apply_window_adjustment (w=0x12dfe98) at ../../trunk/src/window.c:6600
#12 0x00000000004b889f in Fset_window_margins (window=..., left_width=..., right_width=...) at ../../trunk/src/window.c:6644
(gdb) bt
#0 0x0000003869a7ef2b in _int_realloc (av=av <at> entry=0x3869dba780 <main_arena>, oldp=oldp <at> entry=0x17e1650,
oldsize=oldsize <at> entry=2224, nb=nb <at> entry=4240) at malloc.c:4227
#1 0x0000003869a805a2 in __GI___libc_realloc (oldmem=0x17e1660, bytes=4224) at malloc.c:2988
#2 0x0000000000536b92 in xrealloc (block=<optimized out>, size=size <at> entry=4224) at ../../trunk/src/alloc.c:697
#3 0x0000000000536c30 in xnrealloc (pa=<optimized out>, nitems=nitems <at> entry=88, item_size=item_size <at> entry=48)
at ../../trunk/src/alloc.c:750
#4 0x00000000004197a9 in adjust_glyph_matrix (w=w <at> entry=0x11671a8, matrix=0x1676480, x=x <at> entry=0, y=y <at> entry=0, dim=...,
dim <at> entry=...) at ../../trunk/src/dispnew.c:492
#5 0x0000000000419cd0 in allocate_matrices_for_window_redisplay (w=0x11671a8) at ../../trunk/src/dispnew.c:1729
#6 0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x1164178) at ../../trunk/src/dispnew.c:1714
#7 0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay (f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#8 adjust_frame_glyphs (f=f <at> entry=0x1128be8) at ../../trunk/src/dispnew.c:1749
#9 0x000000000044c748 in redisplay_internal () at ../../trunk/src/xdisp.c:13622
#10 0x000000000044e580 in redisplay_preserve_echo_area (from_where=from_where <at> entry=2) at ../../trunk/src/xdisp.c:13856
#11 0x000000000041ac1a in Fredisplay (force=12083378) at ../../trunk/src/dispnew.c:5829
(gdb) bt
#0 0x0000003869a359e9 in __GI_raise (sig=sig <at> entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x0000003869a370f8 in __GI_abort () at abort.c:90
#2 0x0000003869a75d17 in __libc_message (do_abort=do_abort <at> entry=2, fmt=fmt <at> entry=0x3869b7e568 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3 0x0000003869a7bbe7 in malloc_printerr (action=<optimized out>, str=0x3869b7bcdb "realloc(): invalid next size",
ptr=<optimized out>) at malloc.c:4937
#4 0x0000003869a7f177 in _int_realloc (av=av <at> entry=0x3869dba780 <main_arena>, oldp=oldp <at> entry=0xe447e0, oldsize=oldsize <at> entry=4240,
nb=nb <at> entry=4240) at malloc.c:4184
#5 0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xe447f0, bytes=4224) at malloc.c:2988
#6 0x0000000000536b92 in xrealloc (block=<optimized out>, size=size <at> entry=4224) at ../../trunk/src/alloc.c:697
#7 0x0000000000536c30 in xnrealloc (pa=<optimized out>, nitems=nitems <at> entry=88, item_size=item_size <at> entry=48)
at ../../trunk/src/alloc.c:750
#8 0x00000000004197a9 in adjust_glyph_matrix (w=w <at> entry=0x1129bf8, matrix=0xcfda00, x=x <at> entry=0, y=y <at> entry=0, dim=...,
dim <at> entry=...) at ../../trunk/src/dispnew.c:492
#9 0x0000000000419ce6 in allocate_matrices_for_window_redisplay (w=0x1129bf8) at ../../trunk/src/dispnew.c:1730
#10 0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x17fde48) at ../../trunk/src/dispnew.c:1714
#11 0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay (f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#12 adjust_frame_glyphs (f=0x1128be8) at ../../trunk/src/dispnew.c:1749
#13 0x0000000000468369 in apply_window_adjustment (w=w <at> entry=0x1129bf8) at ../../trunk/src/window.c:6600
#14 0x000000000046d8c1 in set_window_buffer (window=window <at> entry=17996797, buffer=buffer <at> entry=15071845,
run_hooks_p=run_hooks_p <at> entry=true, keep_margins_p=<optimized out>) at ../../trunk/src/window.c:3391
#15 0x000000000046e1de in Fset_window_buffer (window=<optimized out>, buffer_or_name=<optimized out>, keep_margins=12083378)
at ../../trunk/src/window.c:3455
Running:
valgrind --tool=memcheck --leak-check=full ./temacs -Q -l window-test.el -f window-test
==>
...
==8691== Invalid write of size 8
==8691== at 0x47419C: extend_face_to_end_of_line (xdisp.c:18876)
==8691== by 0x47D216: display_mode_line (xdisp.c:21165)
==8691== by 0x47CC5E: display_mode_lines (xdisp.c:21092)
==8691== by 0x4695AA: redisplay_window (xdisp.c:16337)
==8691== by 0x45FAC1: redisplay_window_0 (xdisp.c:14023)
==8691== by 0x607C95: internal_condition_case_1 (eval.c:1368)
==8691== by 0x45FA2C: redisplay_windows (xdisp.c:14003)
==8691== by 0x45F9E2: redisplay_windows (xdisp.c:13997)
==8691== by 0x45E894: redisplay_internal (xdisp.c:13602)
==8691== by 0x45F39A: redisplay_preserve_echo_area (xdisp.c:13860)
==8691== by 0x425E46: Fredisplay (dispnew.c:5829)
==8691== by 0x609E5E: eval_sub (eval.c:2175)
==8691== Address 0xf3fc0f0 is 0 bytes after a block of size 4,224 alloc'd
==8691== at 0x4A082F7: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8691== by 0x5E0480: xrealloc (alloc.c:697)
==8691== by 0x5E05EC: xnrealloc (alloc.c:750)
==8691== by 0x41809B: adjust_glyph_matrix (dispnew.c:492)
==8691== by 0x41B479: allocate_matrices_for_window_redisplay (dispnew.c:1729)
==8691== by 0x41C00B: adjust_frame_glyphs_for_window_redisplay (dispnew.c:2032)
==8691== by 0x41B509: adjust_frame_glyphs (dispnew.c:1749)
==8691== by 0x4B879D: apply_window_adjustment (window.c:6600)
==8691== by 0x4B889E: Fset_window_margins (window.c:6644)
==8691== by 0x609EC0: eval_sub (eval.c:2181)
==8691== by 0x605126: Fprogn (eval.c:458)
==8691== by 0x605072: Fcond (eval.c:436)
...
valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away. Please try that before reporting this as a bug.
I didn't bisect, but the first suspect is the pixelwise-resize change (r115301).
Dmitry
[window-test.el (text/x-emacs-lisp, attachment)]
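The valgrind lines above describe the defect class precisely: extend_face_to_end_of_line stores a glyph "0 bytes after" the block that adjust_glyph_matrix had just reallocated, so the code that fills a row to the window's width and the code that sized the row disagree about how wide the row is. The following C program is an added illustration of that mismatch and of the check that stops it; it is not Emacs code. The structures (glyph, glyph_row), the functions (row_alloc, extend_row_to_width, row_resize, scenario_resize_without_realloc) and the widths 80 and 88 are all hypothetical, constructed to model a row allocated for an older width while the window has already grown.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a display glyph row.  This is NOT
   Emacs's real struct glyph_row; it only reproduces the bookkeeping
   that matters: a heap block sized for one window width. */
struct glyph {
    unsigned int charcode;
    int face_id;
};

struct glyph_row {
    struct glyph *glyphs;   /* heap block holding `capacity` glyphs */
    int capacity;           /* glyphs the block can hold */
    int used;               /* glyphs currently filled */
};

/* Allocate a row sized for `width` glyphs; all glyphs start blank. */
struct glyph_row *row_alloc(int width)
{
    struct glyph_row *row = calloc(1, sizeof *row);
    if (row == NULL)
        return NULL;
    row->glyphs = calloc((size_t)width, sizeof *row->glyphs);
    if (row->glyphs == NULL) {
        free(row);
        return NULL;
    }
    row->capacity = width;
    return row;
}

void row_free(struct glyph_row *row)
{
    if (row == NULL)
        return;
    free(row->glyphs);
    free(row);
}

/* Fill the rest of the row with blank glyphs of `face_id` up to
   `window_width`.  This is the operation that overran the heap block in
   the report: the row was allocated for a narrower width while
   `window_width` already reflects the resized window.  The check on the
   first line is the mitigation: the write is refused and -1 returned
   instead of storing past the end of the block.  Otherwise the number
   of glyphs written is returned. */
int extend_row_to_width(struct glyph_row *row, int window_width, int face_id)
{
    int written = 0;
    int i;

    if (window_width > row->capacity)
        return -1;              /* would be a heap overflow: refuse */

    for (i = row->used; i < window_width; i++) {
        row->glyphs[i].charcode = ' ';
        row->glyphs[i].face_id = face_id;
        written++;
    }
    if (window_width > row->used)
        row->used = window_width;
    return written;
}

/* Correct handling of a resize: grow the block before any code fills the
   row to the new width.  Returns 0 on success, -1 on allocation failure. */
int row_resize(struct glyph_row *row, int new_width)
{
    struct glyph *g;

    if (new_width <= row->capacity)
        return 0;
    g = realloc(row->glyphs, (size_t)new_width * sizeof *g);
    if (g == NULL)
        return -1;
    memset(g + row->capacity, 0,
           (size_t)(new_width - row->capacity) * sizeof *g);
    row->glyphs = g;
    row->capacity = new_width;
    return 0;
}

/* Constructed scenario mirroring the report: a row sized for 80 columns,
   a window widened to 88 columns, and a fill-to-width before any
   reallocation.  Returns 1 if the bounds check refused the unsafe write
   and the resize-then-fill sequence then succeeded, 0 otherwise. */
int scenario_resize_without_realloc(void)
{
    struct glyph_row *row = row_alloc(80);
    int refused, ok;

    if (row == NULL)
        return 0;
    row->used = 10;
    refused = (extend_row_to_width(row, 88, 1) == -1);
    ok = (row_resize(row, 88) == 0 && extend_row_to_width(row, 88, 1) == 78);
    row_free(row);
    return refused && ok;
}

int main(void)
{
    printf("bounds check caught stale row width: %s\n",
           scenario_resize_without_realloc() ? "yes" : "no");
    return 0;
}
```

The interesting part is that valgrind only reports the write after the block was already too small; the capacity check in extend_row_to_width turns the same condition into an early, deterministic failure at the writer. Building with -fsanitize=address gives the same first-store diagnosis as memcheck with far less overhead, which makes it practical to run a reproducer like window-test.el in a loop.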