Package: emacs;
Reported by: Dmitry Antipov <dmantipov <at> yandex.ru>
Date: Mon, 16 Dec 2013 15:17:02 UTC
Severity: normal
Merged with 16164
Found in version 24.3.50
Done: martin rudalics <rudalics <at> gmx.at>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org:
From: Dmitry Antipov <dmantipov <at> yandex.ru>
To: bug-gnu-emacs <at> gnu.org
Cc: martin rudalics <rudalics <at> gmx.at>
Subject: 24.3.50: writing beyond window matrices, heap corruption, crash
Date: Mon, 16 Dec 2013 19:15:41 +0400
How to reproduce:

0) Compile with the default configuration ('./configure --prefix=/your/choice').
1) Change 'emacs-source-dir' in window-test.el to match your setup.
2) Run 'emacs -Q -l window-test.el -f window-test'.
3) Wait for crash.

Some backtraces:

(gdb) bt
#0  0x0000003869a7cde8 in _int_free (av=0x3869dba780 <main_arena>, p=0xf00950, have_lock=1) at malloc.c:3945
#1  0x0000003869a7efb7 in _int_realloc (av=av@entry=0x3869dba780 <main_arena>, oldp=oldp@entry=0xf000a0, oldsize=oldsize@entry=4240, nb=nb@entry=2224) at malloc.c:4304
#2  0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xf000b0, bytes=2208) at malloc.c:2988
#3  0x00000000005e0481 in xrealloc (block=0xf000b0, size=2208) at ../../trunk/src/alloc.c:697
#4  0x00000000005e05ed in xnrealloc (pa=0xf000b0, nitems=46, item_size=48) at ../../trunk/src/alloc.c:750
#5  0x000000000041809c in adjust_glyph_matrix (w=0x12dfe98, matrix=0x1625700, x=0, y=0, dim=...) at ../../trunk/src/dispnew.c:492
#6  0x000000000041b47a in allocate_matrices_for_window_redisplay (w=0x12dfe98) at ../../trunk/src/dispnew.c:1729
#7  0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x19667f0) at ../../trunk/src/dispnew.c:1714
#8  0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x14442b8) at ../../trunk/src/dispnew.c:1714
#9  0x000000000041c00c in adjust_frame_glyphs_for_window_redisplay (f=0x12e1cd8) at ../../trunk/src/dispnew.c:2032
#10 0x000000000041b50a in adjust_frame_glyphs (f=0x12e1cd8) at ../../trunk/src/dispnew.c:1749
#11 0x00000000004b879e in apply_window_adjustment (w=0x12dfe98) at ../../trunk/src/window.c:6600
#12 0x00000000004b889f in Fset_window_margins (window=..., left_width=..., right_width=...) at ../../trunk/src/window.c:6644

(gdb) bt
#0  0x0000003869a7ef2b in _int_realloc (av=av@entry=0x3869dba780 <main_arena>, oldp=oldp@entry=0x17e1650, oldsize=oldsize@entry=2224, nb=nb@entry=4240) at malloc.c:4227
#1  0x0000003869a805a2 in __GI___libc_realloc (oldmem=0x17e1660, bytes=4224) at malloc.c:2988
#2  0x0000000000536b92 in xrealloc (block=<optimized out>, size=size@entry=4224) at ../../trunk/src/alloc.c:697
#3  0x0000000000536c30 in xnrealloc (pa=<optimized out>, nitems=nitems@entry=88, item_size=item_size@entry=48) at ../../trunk/src/alloc.c:750
#4  0x00000000004197a9 in adjust_glyph_matrix (w=w@entry=0x11671a8, matrix=0x1676480, x=x@entry=0, y=y@entry=0, dim=..., dim@entry=...) at ../../trunk/src/dispnew.c:492
#5  0x0000000000419cd0 in allocate_matrices_for_window_redisplay (w=0x11671a8) at ../../trunk/src/dispnew.c:1729
#6  0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x1164178) at ../../trunk/src/dispnew.c:1714
#7  0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay (f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#8  adjust_frame_glyphs (f=f@entry=0x1128be8) at ../../trunk/src/dispnew.c:1749
#9  0x000000000044c748 in redisplay_internal () at ../../trunk/src/xdisp.c:13622
#10 0x000000000044e580 in redisplay_preserve_echo_area (from_where=from_where@entry=2) at ../../trunk/src/xdisp.c:13856
#11 0x000000000041ac1a in Fredisplay (force=12083378) at ../../trunk/src/dispnew.c:5829

(gdb) bt
#0  0x0000003869a359e9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x0000003869a370f8 in __GI_abort () at abort.c:90
#2  0x0000003869a75d17 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x3869b7e568 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x0000003869a7bbe7 in malloc_printerr (action=<optimized out>, str=0x3869b7bcdb "realloc(): invalid next size", ptr=<optimized out>) at malloc.c:4937
#4  0x0000003869a7f177 in _int_realloc (av=av@entry=0x3869dba780 <main_arena>, oldp=oldp@entry=0xe447e0, oldsize=oldsize@entry=4240, nb=nb@entry=4240) at malloc.c:4184
#5  0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xe447f0, bytes=4224) at malloc.c:2988
#6  0x0000000000536b92 in xrealloc (block=<optimized out>, size=size@entry=4224) at ../../trunk/src/alloc.c:697
#7  0x0000000000536c30 in xnrealloc (pa=<optimized out>, nitems=nitems@entry=88, item_size=item_size@entry=48) at ../../trunk/src/alloc.c:750
#8  0x00000000004197a9 in adjust_glyph_matrix (w=w@entry=0x1129bf8, matrix=0xcfda00, x=x@entry=0, y=y@entry=0, dim=..., dim@entry=...) at ../../trunk/src/dispnew.c:492
#9  0x0000000000419ce6 in allocate_matrices_for_window_redisplay (w=0x1129bf8) at ../../trunk/src/dispnew.c:1730
#10 0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x17fde48) at ../../trunk/src/dispnew.c:1714
#11 0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay (f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#12 adjust_frame_glyphs (f=0x1128be8) at ../../trunk/src/dispnew.c:1749
#13 0x0000000000468369 in apply_window_adjustment (w=w@entry=0x1129bf8) at ../../trunk/src/window.c:6600
#14 0x000000000046d8c1 in set_window_buffer (window=window@entry=17996797, buffer=buffer@entry=15071845, run_hooks_p=run_hooks_p@entry=true, keep_margins_p=<optimized out>) at ../../trunk/src/window.c:3391
#15 0x000000000046e1de in Fset_window_buffer (window=<optimized out>, buffer_or_name=<optimized out>, keep_margins=12083378) at ../../trunk/src/window.c:3455

Running:

valgrind --tool=memcheck --leak-check=full ./temacs -Q -l window-test.el -f window-test

==>

...
==8691== Invalid write of size 8
==8691==    at 0x47419C: extend_face_to_end_of_line (xdisp.c:18876)
==8691==    by 0x47D216: display_mode_line (xdisp.c:21165)
==8691==    by 0x47CC5E: display_mode_lines (xdisp.c:21092)
==8691==    by 0x4695AA: redisplay_window (xdisp.c:16337)
==8691==    by 0x45FAC1: redisplay_window_0 (xdisp.c:14023)
==8691==    by 0x607C95: internal_condition_case_1 (eval.c:1368)
==8691==    by 0x45FA2C: redisplay_windows (xdisp.c:14003)
==8691==    by 0x45F9E2: redisplay_windows (xdisp.c:13997)
==8691==    by 0x45E894: redisplay_internal (xdisp.c:13602)
==8691==    by 0x45F39A: redisplay_preserve_echo_area (xdisp.c:13860)
==8691==    by 0x425E46: Fredisplay (dispnew.c:5829)
==8691==    by 0x609E5E: eval_sub (eval.c:2175)
==8691==  Address 0xf3fc0f0 is 0 bytes after a block of size 4,224 alloc'd
==8691==    at 0x4A082F7: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8691==    by 0x5E0480: xrealloc (alloc.c:697)
==8691==    by 0x5E05EC: xnrealloc (alloc.c:750)
==8691==    by 0x41809B: adjust_glyph_matrix (dispnew.c:492)
==8691==    by 0x41B479: allocate_matrices_for_window_redisplay (dispnew.c:1729)
==8691==    by 0x41C00B: adjust_frame_glyphs_for_window_redisplay (dispnew.c:2032)
==8691==    by 0x41B509: adjust_frame_glyphs (dispnew.c:1749)
==8691==    by 0x4B879D: apply_window_adjustment (window.c:6600)
==8691==    by 0x4B889E: Fset_window_margins (window.c:6644)
==8691==    by 0x609EC0: eval_sub (eval.c:2181)
==8691==    by 0x605126: Fprogn (eval.c:458)
==8691==    by 0x605072: Fcond (eval.c:436)
...

valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the end of a heap block and corrupting heap metadata. If you fix any invalid writes reported by Memcheck, this assertion failure will probably go away. Please try that before reporting this as a bug.

I didn't bisect, but the first suspect is pixelwise-resize change (r115301).

Dmitry
[window-test.el (text/x-emacs-lisp, attachment)]
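The memcheck report above (an 8-byte write landing 0 bytes after a 4,224-byte block that xnrealloc had just resized) is the classic signature of a consumer that still iterates with a row count taken before the matrix was shrunk. The C program below is an added illustration of that failure mode and of the check that contains it; it is not Emacs code and not the attached window-test.el, and every struct and function name in it is hypothetical. It models a glyph matrix as a realloc'd array of 48-byte rows, shrinks it from 88 rows to 46 (the nitems values that appear in the backtraces) and shows a bounds-checked row accessor refusing the 42 stale rows instead of writing past the block and corrupting heap metadata.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy analogue of a window glyph matrix (hypothetical, not Emacs code):
   a heap array of rows that is grown and shrunk with realloc, as the
   adjust_glyph_matrix -> xnrealloc frames in the backtraces do.  */
struct glyph_row {
  long used;        /* glyph slots in use in this row */
  long glyphs[5];   /* toy glyph slots; 48 bytes per row on LP64 */
};

struct matrix {
  struct glyph_row *rows;
  size_t rows_allocated;  /* rows actually backed by the heap block */
};

/* Resize the row array.  After this call only ROWS_ALLOCATED rows are
   addressable; any caller still holding the old row count is stale.  */
static bool matrix_adjust(struct matrix *m, size_t nrows)
{
  struct glyph_row *p = realloc(m->rows, nrows * sizeof *p);
  if (p == NULL && nrows != 0)
    return false;
  m->rows = p;
  m->rows_allocated = nrows;
  return true;
}

static bool matrix_init(struct matrix *m, size_t nrows)
{
  m->rows = NULL;
  m->rows_allocated = 0;
  return matrix_adjust(m, nrows);
}

static void matrix_free(struct matrix *m)
{
  free(m->rows);
  m->rows = NULL;
  m->rows_allocated = 0;
}

/* Checked row write: refuses instead of writing past the block.  The
   unchecked form, m->rows[row].used = used with row == rows_allocated,
   is exactly the "0 bytes after a block" write memcheck reported.  */
static bool matrix_set_row_used(struct matrix *m, size_t row, long used)
{
  if (m->rows == NULL || row >= m->rows_allocated)
    return false;
  m->rows[row].used = used;
  return true;
}

/* Simulate a display pass that walks WINDOW_HEIGHT rows using a height
   the caller cached before the matrix was resized.  Returns how many
   writes the bounds check rejected (0 means every row was in bounds).  */
static size_t fill_rows(struct matrix *m, size_t window_height)
{
  size_t rejected = 0;
  for (size_t row = 0; row < window_height; row++)
    if (!matrix_set_row_used(m, row, (long) row))
      rejected++;
  return rejected;
}

/* Reproduce the shape of the report: 88 rows (the 4,224-byte block in the
   memcheck output) shrunk to 46 (the 2,224-byte realloc in the first
   backtrace) while the consumer still believes the window is 88 rows
   high.  Returns the number of rejected writes, or (size_t)-1 on error.  */
static size_t demo_stale_height(void)
{
  struct matrix m;
  size_t rejected;
  if (!matrix_init(&m, 88))
    return (size_t) -1;
  if (fill_rows(&m, 88) != 0) {        /* consistent: all rows in bounds */
    matrix_free(&m);
    return (size_t) -1;
  }
  if (!matrix_adjust(&m, 46)) {
    matrix_free(&m);
    return (size_t) -1;
  }
  rejected = fill_rows(&m, 88);        /* stale height: rows 46..87 refused */
  matrix_free(&m);
  return rejected;
}

int main(void)
{
  size_t rejected = demo_stale_height();
  printf("rejected out-of-bounds row writes: %zu\n", rejected);
  return rejected == 42 ? 0 : 1;
}
```

Run under valgrind --tool=memcheck as the report does, this program stays silent because the accessor never touches memory outside the block; the underlying fix in a real display engine is the same idea applied at the source, keeping the consumer's row count and the allocation in step whenever the matrix is adjusted.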