* bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
@ 2013-12-16 15:15 Dmitry Antipov
2013-12-16 17:05 ` Eli Zaretskii
2014-12-31 18:38 ` martin rudalics
From: Dmitry Antipov @ 2013-12-16 15:15 UTC (permalink / raw)
To: 16165
[-- Attachment #1: Type: text/plain, Size: 7381 bytes --]
How to reproduce:
0) Compile with the default configuration ('./configure --prefix=/your/choice').
1) Change 'emacs-source-dir' in window-test.el to match your setup.
2) Run 'emacs -Q -l window-test.el -f window-test'.
3) Wait for crash.
Some backtraces:
(gdb) bt
#0 0x0000003869a7cde8 in _int_free (av=0x3869dba780 <main_arena>, p=0xf00950, have_lock=1) at malloc.c:3945
#1 0x0000003869a7efb7 in _int_realloc (av=av@entry=0x3869dba780 <main_arena>, oldp=oldp@entry=0xf000a0, oldsize=oldsize@entry=4240,
nb=nb@entry=2224) at malloc.c:4304
#2 0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xf000b0, bytes=2208) at malloc.c:2988
#3 0x00000000005e0481 in xrealloc (block=0xf000b0, size=2208) at ../../trunk/src/alloc.c:697
#4 0x00000000005e05ed in xnrealloc (pa=0xf000b0, nitems=46, item_size=48) at ../../trunk/src/alloc.c:750
#5 0x000000000041809c in adjust_glyph_matrix (w=0x12dfe98, matrix=0x1625700, x=0, y=0, dim=...) at ../../trunk/src/dispnew.c:492
#6 0x000000000041b47a in allocate_matrices_for_window_redisplay (w=0x12dfe98) at ../../trunk/src/dispnew.c:1729
#7 0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x19667f0) at ../../trunk/src/dispnew.c:1714
#8 0x000000000041b3f5 in allocate_matrices_for_window_redisplay (w=0x14442b8) at ../../trunk/src/dispnew.c:1714
#9 0x000000000041c00c in adjust_frame_glyphs_for_window_redisplay (f=0x12e1cd8) at ../../trunk/src/dispnew.c:2032
#10 0x000000000041b50a in adjust_frame_glyphs (f=0x12e1cd8) at ../../trunk/src/dispnew.c:1749
#11 0x00000000004b879e in apply_window_adjustment (w=0x12dfe98) at ../../trunk/src/window.c:6600
#12 0x00000000004b889f in Fset_window_margins (window=..., left_width=..., right_width=...) at ../../trunk/src/window.c:6644
(gdb) bt
#0 0x0000003869a7ef2b in _int_realloc (av=av@entry=0x3869dba780 <main_arena>, oldp=oldp@entry=0x17e1650,
oldsize=oldsize@entry=2224, nb=nb@entry=4240) at malloc.c:4227
#1 0x0000003869a805a2 in __GI___libc_realloc (oldmem=0x17e1660, bytes=4224) at malloc.c:2988
#2 0x0000000000536b92 in xrealloc (block=<optimized out>, size=size@entry=4224) at ../../trunk/src/alloc.c:697
#3 0x0000000000536c30 in xnrealloc (pa=<optimized out>, nitems=nitems@entry=88, item_size=item_size@entry=48)
at ../../trunk/src/alloc.c:750
#4 0x00000000004197a9 in adjust_glyph_matrix (w=w@entry=0x11671a8, matrix=0x1676480, x=x@entry=0, y=y@entry=0, dim=...,
dim@entry=...) at ../../trunk/src/dispnew.c:492
#5 0x0000000000419cd0 in allocate_matrices_for_window_redisplay (w=0x11671a8) at ../../trunk/src/dispnew.c:1729
#6 0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x1164178) at ../../trunk/src/dispnew.c:1714
#7 0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay (f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#8 adjust_frame_glyphs (f=f@entry=0x1128be8) at ../../trunk/src/dispnew.c:1749
#9 0x000000000044c748 in redisplay_internal () at ../../trunk/src/xdisp.c:13622
#10 0x000000000044e580 in redisplay_preserve_echo_area (from_where=from_where@entry=2) at ../../trunk/src/xdisp.c:13856
#11 0x000000000041ac1a in Fredisplay (force=12083378) at ../../trunk/src/dispnew.c:5829
(gdb) bt
#0 0x0000003869a359e9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x0000003869a370f8 in __GI_abort () at abort.c:90
#2 0x0000003869a75d17 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x3869b7e568 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3 0x0000003869a7bbe7 in malloc_printerr (action=<optimized out>, str=0x3869b7bcdb "realloc(): invalid next size",
ptr=<optimized out>) at malloc.c:4937
#4 0x0000003869a7f177 in _int_realloc (av=av@entry=0x3869dba780 <main_arena>, oldp=oldp@entry=0xe447e0, oldsize=oldsize@entry=4240,
nb=nb@entry=4240) at malloc.c:4184
#5 0x0000003869a805a2 in __GI___libc_realloc (oldmem=0xe447f0, bytes=4224) at malloc.c:2988
#6 0x0000000000536b92 in xrealloc (block=<optimized out>, size=size@entry=4224) at ../../trunk/src/alloc.c:697
#7 0x0000000000536c30 in xnrealloc (pa=<optimized out>, nitems=nitems@entry=88, item_size=item_size@entry=48)
at ../../trunk/src/alloc.c:750
#8 0x00000000004197a9 in adjust_glyph_matrix (w=w@entry=0x1129bf8, matrix=0xcfda00, x=x@entry=0, y=y@entry=0, dim=...,
dim@entry=...) at ../../trunk/src/dispnew.c:492
#9 0x0000000000419ce6 in allocate_matrices_for_window_redisplay (w=0x1129bf8) at ../../trunk/src/dispnew.c:1730
#10 0x0000000000419d29 in allocate_matrices_for_window_redisplay (w=0x17fde48) at ../../trunk/src/dispnew.c:1714
#11 0x000000000041fa65 in adjust_frame_glyphs_for_window_redisplay (f=0x1128be8) at ../../trunk/src/dispnew.c:2032
#12 adjust_frame_glyphs (f=0x1128be8) at ../../trunk/src/dispnew.c:1749
#13 0x0000000000468369 in apply_window_adjustment (w=w@entry=0x1129bf8) at ../../trunk/src/window.c:6600
#14 0x000000000046d8c1 in set_window_buffer (window=window@entry=17996797, buffer=buffer@entry=15071845,
run_hooks_p=run_hooks_p@entry=true, keep_margins_p=<optimized out>) at ../../trunk/src/window.c:3391
#15 0x000000000046e1de in Fset_window_buffer (window=<optimized out>, buffer_or_name=<optimized out>, keep_margins=12083378)
at ../../trunk/src/window.c:3455
Running:
valgrind --tool=memcheck --leak-check=full ./temacs -Q -l window-test.el -f window-test
==>
...
==8691== Invalid write of size 8
==8691== at 0x47419C: extend_face_to_end_of_line (xdisp.c:18876)
==8691== by 0x47D216: display_mode_line (xdisp.c:21165)
==8691== by 0x47CC5E: display_mode_lines (xdisp.c:21092)
==8691== by 0x4695AA: redisplay_window (xdisp.c:16337)
==8691== by 0x45FAC1: redisplay_window_0 (xdisp.c:14023)
==8691== by 0x607C95: internal_condition_case_1 (eval.c:1368)
==8691== by 0x45FA2C: redisplay_windows (xdisp.c:14003)
==8691== by 0x45F9E2: redisplay_windows (xdisp.c:13997)
==8691== by 0x45E894: redisplay_internal (xdisp.c:13602)
==8691== by 0x45F39A: redisplay_preserve_echo_area (xdisp.c:13860)
==8691== by 0x425E46: Fredisplay (dispnew.c:5829)
==8691== by 0x609E5E: eval_sub (eval.c:2175)
==8691== Address 0xf3fc0f0 is 0 bytes after a block of size 4,224 alloc'd
==8691== at 0x4A082F7: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8691== by 0x5E0480: xrealloc (alloc.c:697)
==8691== by 0x5E05EC: xnrealloc (alloc.c:750)
==8691== by 0x41809B: adjust_glyph_matrix (dispnew.c:492)
==8691== by 0x41B479: allocate_matrices_for_window_redisplay (dispnew.c:1729)
==8691== by 0x41C00B: adjust_frame_glyphs_for_window_redisplay (dispnew.c:2032)
==8691== by 0x41B509: adjust_frame_glyphs (dispnew.c:1749)
==8691== by 0x4B879D: apply_window_adjustment (window.c:6600)
==8691== by 0x4B889E: Fset_window_margins (window.c:6644)
==8691== by 0x609EC0: eval_sub (eval.c:2181)
==8691== by 0x605126: Fprogn (eval.c:458)
==8691== by 0x605072: Fcond (eval.c:436)
...
valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away. Please try that before reporting this as a bug.
I didn't bisect, but the first suspect is pixelwise-resize change (r115301).
Dmitry
[-- Attachment #2: window-test.el --]
[-- Type: text/x-emacs-lisp, Size: 1827 bytes --]
;; Window random action test.
;; Fuzzes the window-configuration and redisplay code by applying a
;; random sequence of window operations, redisplaying after each one.
;; Run with: emacs -Q -l window-test.el -f window-test

;; Directory whose .c/.h/.m files are visited by the `find-file' action;
;; adjust to match your checkout.
(defconst emacs-source-dir "/home/dima/work/stuff/emacs/trunk/src")

(defun random-entry (entries)
  "Return a random element of the list ENTRIES, or nil if it is empty."
  (and entries
       (nth (random (length entries)) entries)))

(defun window-test ()
  "Apply random window operations forever, redisplaying after each."
  (interactive)
  (let ((conf (current-window-configuration))
        ;; Only files ending in .c, .h or .m (regexp anchored at end of name).
        (file-list (directory-files emacs-source-dir t "\\.[chm]\\'")))
    (while t
      (let ((action (random 16)))
        (cond ((zerop action)
               (and (< 16 (window-height)) (split-window-vertically)))
              ((= 1 action)
               (and (< 16 (window-width)) (split-window-horizontally)))
              ((= 2 action)
               (and (< 1 (count-windows)) (delete-window)))
              ((= 3 action)
               (balance-windows))
              ((= 4 action)
               (delete-other-windows))
              ((= 5 action)
               (select-window (random-entry (window-list))))
              ((= 6 action)
               (let ((file (random-entry file-list)))
                 (and file (find-file file))))
              ((= 7 action)
               (kill-buffer))
              ((= 8 action)
               (setq conf (current-window-configuration)))
              ((= 9 action)
               (set-window-configuration conf))
              ((= 10 action)
               (mapc #'kill-buffer (buffer-list)))
              ((= 11 action)
               (goto-char (point-max)))
              ;; Resize by -2..2 lines; a negative delta enlarges the window.
              ((= 12 action)
               (and (not (eq (selected-window) (frame-root-window)))
                    (not (eq (selected-window) (minibuffer-window)))
                    (shrink-window (- (random 5) 2))))
              ;; Same, but horizontally.
              ((= 13 action)
               (and (not (eq (selected-window) (frame-root-window)))
                    (not (eq (selected-window) (minibuffer-window)))
                    (shrink-window (- (random 5) 2) t)))
              ((= 14 action)
               (set-window-fringes nil (+ 10 (random 10)) (+ 10 (random 10))))
              ((= 15 action)
               (set-window-margins nil (+ 2 (random 4)) (+ 2 (random 4)))))
        (redisplay)
        (sleep-for 0.1)))))
^ permalink raw reply [flat|nested] 7+ messages in thread
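The backtraces and the valgrind report above show one pattern from two angles: a row buffer of 88 glyphs (88 * 48 = 4,224 bytes) reallocated in adjust_glyph_matrix, then an 8-byte write in extend_face_to_end_of_line landing 0 bytes past its end. glibc does not see that write; it only trips over the damaged neighbouring chunk header at the next realloc, which is why all three gdb backtraces end in _int_realloc ("realloc(): invalid next size") rather than in xdisp.c. The following is an added C model of that class of bug, written for this page and not taken from Emacs: the struct, the function names, the clamped variant and the 88/89 widths are assumptions chosen to match the numbers in the report, and the canary harness shows how to make the off-by-one observable without relying on the allocator to notice.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a glyph: 48 bytes, matching item_size in the xnrealloc
   frames (88 * 48 = 4224, the block valgrind flagged).  Constructed
   model, not Emacs's struct glyph. */
struct glyph { uint8_t bytes[48]; };

struct glyph_row
{
  struct glyph *glyphs;  /* heap block holding `capacity' glyphs */
  int capacity;          /* glyphs actually allocated for this row */
  int used;              /* glyphs filled so far */
};

/* Unchecked fill: write blank glyphs until `target' glyphs are used.
   When `target' is derived from a different width than `capacity'
   (say, one that counts margins the allocation did not), the loop
   writes past the block.  glibc notices nothing until the next
   realloc of that block inspects the neighbouring chunk header. */
static void
extend_to_end_of_line_unchecked (struct glyph_row *row, int target)
{
  while (row->used < target)
    {
      memset (&row->glyphs[row->used], 0x20, sizeof (struct glyph));
      row->used++;
    }
}

/* Checked fill: clamp to the allocation and report the mismatch, so a
   caller can treat it as a redisplay bug instead of corrupting the heap.
   Returns false when `target' exceeded `capacity'. */
static bool
extend_to_end_of_line_checked (struct glyph_row *row, int target)
{
  bool fits = target <= row->capacity;
  int limit = fits ? target : row->capacity;
  while (row->used < limit)
    {
      memset (&row->glyphs[row->used], 0x20, sizeof (struct glyph));
      row->used++;
    }
  return fits;
}

#define CANARY 0xA5

/* Detection harness: allocate one spare glyph beyond the advertised
   capacity, fill it with a canary, run the fill, and report whether the
   canary survived.  Over-allocating keeps the experiment itself free of
   undefined behaviour while still exposing the off-by-one. */
bool
canary_survives (bool checked, int capacity, int target)
{
  struct glyph_row row;
  row.glyphs = calloc ((size_t) capacity + 1, sizeof (struct glyph));
  if (!row.glyphs)
    return false;
  row.capacity = capacity;
  row.used = 0;
  memset (&row.glyphs[capacity], CANARY, sizeof (struct glyph));

  if (checked)
    extend_to_end_of_line_checked (&row, target);
  else
    extend_to_end_of_line_unchecked (&row, target);

  bool intact = true;
  for (size_t i = 0; i < sizeof (struct glyph); i++)
    if (row.glyphs[capacity].bytes[i] != CANARY)
      intact = false;
  free (row.glyphs);
  return intact;
}

/* Whether the checked fill accepts a `target' for a row of `capacity'. */
bool
checked_fill_fits (int capacity, int target)
{
  struct glyph_row row;
  row.glyphs = calloc ((size_t) capacity, sizeof (struct glyph));
  if (!row.glyphs)
    return false;
  row.capacity = capacity;
  row.used = 0;
  bool fits = extend_to_end_of_line_checked (&row, target);
  free (row.glyphs);
  return fits;
}

/* Mirrors the report: 88 glyphs allocated, 89 written. */
int
main (void)
{
  printf ("unchecked, 88 allocated / 89 written: canary %s\n",
          canary_survives (false, 88, 89) ? "intact" : "overwritten");
  printf ("checked,   88 allocated / 89 written: canary %s\n",
          canary_survives (true, 88, 89) ? "intact" : "overwritten");
  return 0;
}
```

Valgrind reports the write at the faulting instruction because it instruments every access; the allocator's own sanity checks fire only when the corrupted metadata is next read, which can be many redisplay cycles later and in an unrelated call chain. Compiling with -fsanitize=address, where the toolchain supports it, gives the same fault-site report as memcheck with far less slowdown, which matters for a harness like window-test.el that needs to run for minutes.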
* bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
2013-12-16 15:15 bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash Dmitry Antipov
@ 2013-12-16 17:05 ` Eli Zaretskii
2013-12-16 18:01 ` Eli Zaretskii
2014-12-31 18:38 ` martin rudalics
From: Eli Zaretskii @ 2013-12-16 17:05 UTC (permalink / raw)
To: Dmitry Antipov; +Cc: 16165
> Date: Mon, 16 Dec 2013 19:15:41 +0400
> From: Dmitry Antipov <dmantipov@yandex.ru>
>
> I didn't bisect, but the first suspect is pixelwise-resize change (r115301).
No, it's probably 115535. I will take a look.
* bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
2013-12-16 17:05 ` Eli Zaretskii
@ 2013-12-16 18:01 ` Eli Zaretskii
2013-12-16 18:24 ` martin rudalics
From: Eli Zaretskii @ 2013-12-16 18:01 UTC (permalink / raw)
To: dmantipov; +Cc: 16165
> Date: Mon, 16 Dec 2013 19:05:17 +0200
> From: Eli Zaretskii <eliz@gnu.org>
> Cc: 16165@debbugs.gnu.org
>
> > Date: Mon, 16 Dec 2013 19:15:41 +0400
> > From: Dmitry Antipov <dmantipov@yandex.ru>
> >
> > I didn't bisect, but the first suspect is pixelwise-resize change (r115301).
>
> No, it's probably 115535. I will take a look.
Please try again, I think I fixed this.
* bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
2013-12-16 18:01 ` Eli Zaretskii
@ 2013-12-16 18:24 ` martin rudalics
2013-12-16 19:32 ` Eli Zaretskii
From: martin rudalics @ 2013-12-16 18:24 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: dmantipov, 16165
> Please try again, I think I fixed this.
Was that your latest change or am I confused again?
../../src/xdisp.c: In function ‘extend_face_to_end_of_line’:
../../src/xdisp.c:18869:20: error: ‘struct frame’ has no member named ‘tool_bar_window’
../../src/xdisp.c:18870:25: error: ‘struct frame’ has no member named ‘tool_bar_window’
make[1]: *** [xdisp.o] Error 1
make[1]: Leaving directory `/home/martin/emacs/quickfixes/obj-gtk/src'
make: *** [src] Error 2
martin
* bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
2013-12-16 18:24 ` martin rudalics
@ 2013-12-16 19:32 ` Eli Zaretskii
2013-12-16 19:49 ` martin rudalics
From: Eli Zaretskii @ 2013-12-16 19:32 UTC (permalink / raw)
To: martin rudalics; +Cc: dmantipov, 16165
> Date: Mon, 16 Dec 2013 19:24:45 +0100
> From: martin rudalics <rudalics@gmx.at>
> CC: dmantipov@yandex.ru, 16165@debbugs.gnu.org
>
> > Please try again, I think I fixed this.
>
> Was that your latest change or am I confused again?
>
> ../../src/xdisp.c: In function ‘extend_face_to_end_of_line’:
> ../../src/xdisp.c:18869:20: error: ‘struct frame’ has no member named ‘tool_bar_window’
> ../../src/xdisp.c:18870:25: error: ‘struct frame’ has no member named ‘tool_bar_window’
> make[1]: *** [xdisp.o] Error 1
> make[1]: Leaving directory `/home/martin/emacs/quickfixes/obj-gtk/src'
> make: *** [src] Error 2
Yes, my bad, now fixed (I think).
(I wish that those toolkit dependencies on the struct member level
would never have seen the light of day!)
* bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
2013-12-16 19:32 ` Eli Zaretskii
@ 2013-12-16 19:49 ` martin rudalics
From: martin rudalics @ 2013-12-16 19:49 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: dmantipov, 16165
> Yes, my bad, now fixed (I think).
Seems to work and pass Mitya's window-test (for a couple
of minutes, at least).
> (I wish that those toolkit dependencies on the struct member level
> would never have seen the light of day!)
;-)
Thanks, martin
* bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash
2013-12-16 15:15 bug#16165: 24.3.50: writing beyond window matrices, heap corruption, crash Dmitry Antipov
2013-12-16 17:05 ` Eli Zaretskii
@ 2014-12-31 18:38 ` martin rudalics
From: martin rudalics @ 2014-12-31 18:38 UTC (permalink / raw)
To: eliz, 16165-done
> Yes, my bad, now fixed (I think).
Bug closed.
martin