From: storm@cua.dk (Kim F. Storm)
Subject: Crash in malloc_consolidate (via make_gap_larger, xrealloc).
Date: 01 Jun 2004 00:22:59 +0200
Message-ID: <m37jus2q4c.fsf@kfs-l.imdomain.dk>
Seems it was trying to insert a 23-byte string into an empty buffer with
a gap of 21 bytes; the current command is directory-files, and the crash
happens during decoding into a (temporary?) buffer.
Anyone seen this before?
Program received signal SIGSEGV, Segmentation fault.
0x4207494e in malloc_consolidate () from /lib/tls/libc.so.6
(gdb) bt
#0 0x4207494e in malloc_consolidate () from /lib/tls/libc.so.6
#1 0x42073f99 in _int_malloc () from /lib/tls/libc.so.6
#2 0x42074b81 in _int_realloc () from /lib/tls/libc.so.6
#3 0x42073614 in realloc () from /lib/tls/libc.so.6
#4 0x08129eae in emacs_blocked_realloc (ptr=0x8fb4918, size=2024)
at alloc.c:1052
#5 0x4207354c in realloc () from /lib/tls/libc.so.6
#6 0x08129897 in xrealloc (block=0x8e67c70, size=1108546304) at alloc.c:549
#7 0x080ff135 in enlarge_buffer_text (b=0x42131300, delta=2002)
at buffer.c:4875
#8 0x08101a2b in make_gap_larger (nbytes_added=32) at insdel.c:534
#9 0x08102485 in insert_from_string_1 (string=148682499, pos=0, pos_byte=0,
nchars=23, nbytes=23, inherit=0, before_markers=0) at insdel.c:1115
#10 0x0810220c in insert_from_string (string=148682499, pos=0, pos_byte=0,
length=23, length_byte=23, inherit=0) at insdel.c:1060
#11 0x080a20df in run_pre_post_conversion_on_str (str=148682499,
coding=0xbfffce70, encodep=0) at coding.c:6049
#12 0x080a269a in decode_coding_string (str=148682515, coding=0xbfffce70,
nocopy=1) at coding.c:6251
#13 0x080a4196 in code_convert_string_norecord (string=148682515,
coding_system=138270673, encodep=0) at coding.c:7060
#14 0x0811250f in directory_files_internal (directory=148285827,
full=138214569, match=148285859, nosort=138214521, attrs=0,
id_format=138214521) at dired.c:293
#15 0x081126db in Fdirectory_files (directory=148285827, full=138214569,
match=148285859, nosort=138214521) at dired.c:365
#16 0x08140397 in Ffuncall (nargs=4, args=0xbfffd270) at eval.c:2726
#17 0x08169f1c in Fbyte_code (bytestr=144541249, vector=3,
maxdepth=-1073753372) at bytecode.c:689
#18 0x0814066e in funcall_lambda (fun=146521508, nargs=1,
arg_vector=0xbfffd408) at eval.c:2913
#19 0x08140277 in Ffuncall (nargs=2, args=0xbfffd404) at eval.c:2783
#20 0x08169f1c in Fbyte_code (bytestr=138566177, vector=1,
maxdepth=-1073753084) at bytecode.c:689
#21 0x0814066e in funcall_lambda (fun=146522444, nargs=1,
arg_vector=0xbfffd528) at eval.c:2913
#22 0x08140277 in Ffuncall (nargs=2, args=0xbfffd524) at eval.c:2783
#23 0x08169f1c in Fbyte_code (bytestr=138566177, vector=1,
maxdepth=-1073752796) at bytecode.c:689
#24 0x0814066e in funcall_lambda (fun=146789484, nargs=0,
arg_vector=0xbfffd644) at eval.c:2913
#25 0x08140277 in Ffuncall (nargs=1, args=0xbfffd640) at eval.c:2783
#26 0x08169f1c in Fbyte_code (bytestr=146778840, vector=0,
maxdepth=-1073752512) at bytecode.c:689
#27 0x0814066e in funcall_lambda (fun=146789676, nargs=0,
arg_vector=0xbfffd754) at eval.c:2913
#28 0x08140277 in Ffuncall (nargs=1, args=0xbfffd750) at eval.c:2783
#29 0x08169f1c in Fbyte_code (bytestr=144541513, vector=0,
maxdepth=-1073752240) at bytecode.c:689
#30 0x0814066e in funcall_lambda (fun=145866172, nargs=6,
arg_vector=0xbfffd874) at eval.c:2913
#31 0x08140277 in Ffuncall (nargs=7, args=0xbfffd870) at eval.c:2783
#32 0x08169f1c in Fbyte_code (bytestr=145695785, vector=6,
maxdepth=-1073751952) at bytecode.c:689
#33 0x0814066e in funcall_lambda (fun=145865396, nargs=7,
arg_vector=0xbfffd994) at eval.c:2913
#34 0x08140277 in Ffuncall (nargs=8, args=0xbfffd990) at eval.c:2783
#35 0x08169f1c in Fbyte_code (bytestr=145695785, vector=7,
maxdepth=-1073751664) at bytecode.c:689
#36 0x0814066e in funcall_lambda (fun=145706364, nargs=3,
arg_vector=0xbfffdab4) at eval.c:2913
#37 0x08140277 in Ffuncall (nargs=4, args=0xbfffdab0) at eval.c:2783
#38 0x08169f1c in Fbyte_code (bytestr=138566177, vector=3,
maxdepth=-1073751376) at bytecode.c:689
#39 0x0814066e in funcall_lambda (fun=146598708, nargs=1,
arg_vector=0xbfffdbf4) at eval.c:2913
#40 0x08140277 in Ffuncall (nargs=2, args=0xbfffdbf0) at eval.c:2783
#41 0x0813c022 in Fcall_interactively (function=146590289,
record_flag=17276815, keys=138271380) at callint.c:862
#42 0x080ee64b in Fcommand_execute (cmd=146590289, record_flag=138214521,
keys=138214521, special=0) at keyboard.c:9682
#43 0x080e3798 in command_loop_1 () at keyboard.c:1740
#44 0x0813e836 in internal_condition_case (bfun=0x80e33e8 <command_loop_1>,
handlers=138275449, hfun=0x80e2f68 <cmd_error>) at eval.c:1333
#45 0x080e325e in command_loop_2 () at keyboard.c:1271
#46 0x0813e3a9 in internal_catch (tag=149322864,
func=0x80e3240 <command_loop_2>, arg=138214521) at eval.c:1094
#47 0x080e3214 in command_loop () at keyboard.c:1250
#48 0x080e2d34 in recursive_edit_1 () at keyboard.c:961
#49 0x080e2e54 in Frecursive_edit () at keyboard.c:1022
#50 0x080e1760 in main (argc=3, argv=0xbfffe3a4) at emacs.c:1693
#51 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) xbacktrace
"directory-files"
"gnus-score-score-files"
"gnus-score-find-bnews"
"gnus-all-score-files"
"gnus-possibly-score-headers"
"gnus-summary-read-group-1"
"gnus-summary-read-group"
"gnus-group-read-group"
"gnus-topic-read-group"
"call-interactively"
(gdb) p current_buffer
$1 = (struct buffer *) 0x869a4a8
(gdb) p *current_buffer
$2 = {
size = 1073873011,
next = 0x8690d78,
own_text = {
beg = 0x8fb4918 "",
gpt = 1,
z = 1,
gpt_byte = 1,
z_byte = 1,
gap_size = 21,
modiff = 603761,
save_modiff = 0,
overlay_modiff = 1,
beg_unchanged = 0,
end_unchanged = 0,
unchanged_modified = 1,
overlay_unchanged_modified = 1,
intervals = 0x0,
markers = 0x0
},
text = 0x869a4b0,
pt = 1,
pt_byte = 1,
begv = 1,
begv_byte = 1,
zv = 1,
zv_byte = 1,
base_buffer = 0x0,
local_flags = '\0' <repeats 34 times>, "j\b uj\b`\200j\b`\200j\b\000",
modtime = 0,
auto_save_modified = 0,
display_error_modiff = 0,
auto_save_failure_time = -1,
last_window_start = 1,
clip_changed = 0,
newline_cache = 0x0,
width_run_cache = 0x0,
prevent_redisplay_optimizations_p = 1,
overlays_before = 0x0,
overlays_after = 0x0,
overlay_center = 1,
name = 141136379,
filename = 138214521,
directory = 152117907,
backed_up = 138214521,
save_length = 0,
auto_save_file_name = 138214521,
read_only = 138214521,
mark = 139716594,
local_var_alist = 143885701,
major_mode = 138214761,
mode_name = 138221803,
mode_line_format = 138614301,
undo_list = 138214569,
header_line_format = 138214521,
keymap = 138214521,
abbrev_table = 138307132,
syntax_table = 138251828,
category_table = 138253396,
case_fold_search = 138214569,
tab_width = 64,
fill_column = 560,
left_margin = 0,
auto_fill_function = 138214521,
buffer_file_type = 138214521,
downcase_table = 138254972,
upcase_table = 139802972,
case_canon_table = 139889652,
case_eqv_table = 139911140,
truncate_lines = 138214521,
ctl_arrow = 138214569,
direction_reversed = 138214521,
selective_display = 138214521,
selective_display_ellipses = 138214569,
minor_modes = 138214521,
overwrite_mode = 138214521,
abbrev_mode = 138214521,
display_table = 138214521,
mark_active = 138214521,
enable_multibyte_characters = 138214569,
buffer_file_coding_system = 138270673,
file_format = 138214521,
cache_long_line_scans = 138214521,
width_table = 138214521,
pt_marker = 138214521,
begv_marker = 138214521,
zv_marker = 138214521,
point_before_scroll = 138214521,
file_truename = 138214521,
invisibility_spec = 138214569,
last_selected_window = 138214521,
display_count = 0,
left_margin_cols = 0,
right_margin_cols = 0,
left_fringe_width = 138214521,
right_fringe_width = 138214521,
fringes_outside_margins = 138214521,
scroll_bar_width = 138214521,
vertical_scroll_bar_type = 138214569,
indicate_empty_lines = 138214521,
indicate_buffer_boundaries = 143820453,
display_time = 138214521,
scroll_up_aggressively = 138214521,
scroll_down_aggressively = 138214521,
cursor_type = 138413425,
extra_line_spacing = 138214521
}
(gdb) up
#9 0x08102485 in insert_from_string_1 (string=148682499, pos=0, pos_byte=0,
nchars=23, nbytes=23, inherit=0, before_markers=0) at insdel.c:1115
1115 make_gap (outgoing_nbytes - GAP_SIZE);
(gdb) p string
$3 = 148682499
(gdb) pr
"gnu.emacs.sources.SCORE"
(gdb) p outgoing_nbytes
$4 = 23
(gdb) up
#10 0x0810220c in insert_from_string (string=148682499, pos=0, pos_byte=0,
length=23, length_byte=23, inherit=0) at insdel.c:1060
1060 insert_from_string_1 (string, pos, pos_byte, length, length_byte,
(gdb) up
#11 0x080a20df in run_pre_post_conversion_on_str (str=148682499,
coding=0xbfffce70, encodep=0) at coding.c:6049
6049 insert_from_string (str, 0, 0,
(gdb) p str
$5 = 148682499
(gdb) pr
"gnu.emacs.sources.SCORE"
(gdb) p coding
$6 = (struct coding_system *) 0xbfffce70
(gdb) p *coding
$7 = {
type = coding_type_ccl,
eol_type = 3,
common_flags = 15,
flags = 0,
mode = 3,
composing = 0,
composition_rule_follows = 0,
cmp_data = 0x0,
cmp_data_start = 0,
cmp_data_index = 0,
spec = {
iso2022 = {
current_invocation = {420, 139159312},
current_designation = {419, 363, -1, 0},
initial_designation = {0, 0, 0, 158},
last_invalid_designation_register = 128,
requested_designation = "\000\000\000\000\000\000\000\000\002\000\000\000\000\000\000\000\002", '\0' <repeats 27 times>, "\363\000\000\000\bnK\b\002\000\000\000\350", '\0' <repeats 47 times>, "\001", '\0' <repeats 27 times>, '\001' <repeats 123 times>,
charset_revision_number = '\001' <repeats 133 times>, '\0' <repeats 121 times>,
single_shifting = 0,
bol = 0
},
ccl = {
decoder = {
size = 420,
prog = 0x84b6710,
ic = 419,
eof_ic = 363,
reg = {-1, 0, 0, 0, 0, 158, 128, 0},
private_state = 0,
last_block = 2,
status = 0,
buf_magnification = 2,
stack_idx = 0,
eol_type = 0,
multibyte = 0,
cr_consumed = 0,
suppress_error = 0,
eight_bit_control = 0
},
encoder = {
size = 243,
prog = 0x84b6e08,
ic = 2,
eof_ic = 232,
reg = {0, 0, 0, 0, 0, 0, 0, 0},
private_state = 0,
last_block = 0,
status = 0,
buf_magnification = 1,
stack_idx = 0,
eol_type = 0,
multibyte = 0,
cr_consumed = 0,
suppress_error = 0,
eight_bit_control = 0
},
valid_codes = '\001' <repeats 256 times>,
cr_carryover = 0,
eight_bit_carryover = "\000\000\000"
}
},
category_idx = 10,
src_multibyte = 0,
dst_multibyte = 1,
heading_ascii = -1,
produced = 23,
produced_char = 23,
consumed = 23,
consumed_char = 0,
errors = 0,
result = 0,
suppress_error = 0,
symbol = 138270673,
post_read_conversion = 139140513,
pre_write_conversion = 138214521,
translation_table_for_decode = 138214521,
translation_table_for_encode = 138214521
}
(gdb)
void
make_gap_larger (nbytes_added)
     int nbytes_added;
{
  Lisp_Object tem;
  int real_gap_loc;
  int real_gap_loc_byte;
  int old_gap_size;

  /* If we have to get more space, get enough to last a while.  */
  nbytes_added += 2000;

  /* Don't allow a buffer size that won't fit in an int
     even if it will fit in a Lisp integer.
     That won't work because so many places use `int'.
     Make sure we don't introduce overflows in the calculation.  */
  if (Z_BYTE - BEG_BYTE + GAP_SIZE
      >= (((EMACS_INT) 1 << (min (VALBITS, BITS_PER_INT) - 1)) - 1
          - nbytes_added))
    error ("Buffer exceeds maximum size");

  enlarge_buffer_text (current_buffer, nbytes_added);

void
enlarge_buffer_text (b, delta)
     struct buffer *b;
     int delta;
{
  POINTER_TYPE *p;
  size_t nbytes = (BUF_Z_BYTE (b) - BUF_BEG_BYTE (b) + BUF_GAP_SIZE (b) + 1
                   + delta);

  BLOCK_INPUT;
  p = xrealloc (b->text->beg, nbytes);
(gdb) p current_buffer->text
$27 = (struct buffer_text *) 0x869a4b0
(gdb) p *current_buffer->text
$28 = {
beg = 0x8fb4918 "",
gpt = 1,
z = 1,
gpt_byte = 1,
z_byte = 1,
gap_size = 21,
modiff = 603761,
save_modiff = 0,
overlay_modiff = 1,
beg_unchanged = 0,
end_unchanged = 0,
unchanged_modified = 1,
overlay_unchanged_modified = 1,
intervals = 0x0,
markers = 0x0
}
(gdb) p current_buffer->text->beg
$29 = (unsigned char *) 0x8fb4918 ""
(gdb) x/20 current_buffer->text->beg
0x8fb4918: 0x706d6f00 0x616d652e 0x532e7363 0x45524f43
0x8fb4928: 0x00000000 0x00000000 0x406e0000 0x000003f9
0x8fb4938: 0x00000036 0x0000c5ee 0x08fb43b0 0x08fb43cc
0x8fb4948: 0x08fb4244 0x08d0b8c0 0x09403fdd 0x00000043
0x8fb4958: 0x0000c571 0x08fb4970 0x08fb49a8 0x08fb498c
(gdb) x/20c current_buffer->text->beg
0x8fb4918: 0 '\0' 111 'o' 109 'm' 112 'p' 46 '.' 101 'e' 109 'm' 97 'a'
0x8fb4920: 99 'c' 115 's' 46 '.' 83 'S' 67 'C' 79 'O' 82 'R' 69 'E'
0x8fb4928: 0 '\0' 0 '\0' 0 '\0' 0 '\0'
(gdb) up
#8 0x08101a2b in make_gap_larger (nbytes_added=32) at insdel.c:534
534 enlarge_buffer_text (current_buffer, nbytes_added);
(gdb) up
#9 0x08102485 in insert_from_string_1 (string=148682499, pos=0, pos_byte=0,
nchars=23, nbytes=23, inherit=0, before_markers=0) at insdel.c:1115
1115 make_gap (outgoing_nbytes - GAP_SIZE);
(gdb) up
#10 0x0810220c in insert_from_string (string=148682499, pos=0, pos_byte=0,
length=23, length_byte=23, inherit=0) at insdel.c:1060
1060 insert_from_string_1 (string, pos, pos_byte, length, length_byte,
(gdb) p string
$30 = 148682499
(gdb) xtype
Lisp_String
(gdb) xstring
$31 = (struct Lisp_String *) 0x8dcb700
"gnu.emacs.sources.SCORE"
(gdb) x/40c current_buffer->text->beg
0x8fb4918: 0 '\0' 111 'o' 109 'm' 112 'p' 46 '.' 101 'e' 109 'm' 97 'a'
0x8fb4920: 99 'c' 115 's' 46 '.' 83 'S' 67 'C' 79 'O' 82 'R' 69 'E'
0x8fb4928: 0 '\0' 0 '\0' 0 '\0' 0 '\0' 0 '\0' 0 '\0' 0 '\0' 0 '\0'
0x8fb4930: 0 '\0' 0 '\0' 110 'n' 64 '@' -7 '\371' 3 '\003' 0 '\0' 0 '\0'
0x8fb4938: 54 '6' 0 '\0' 0 '\0' 0 '\0' -18 '\356' -59 '\305' 0 '\0' 0 '\0'
--
Kim F. Storm <storm@cua.dk> http://www.cua.dk
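Editor's added example, not part of the message above and not Emacs source: a small gap buffer whose growth arithmetic copies the expressions quoted from make_gap_larger and enlarge_buffer_text, so the realloc request in the backtrace can be recomputed from the printed buffer state. With z_byte = 1, gap_size = 21 and a 23-byte insertion, insert_from_string_1 asks for 23 - 21 = 2 extra bytes, make_gap_larger adds its 2000-byte slack, and enlarge_buffer_text requests 1 - 1 + 21 + 1 + 2002 = 2024 bytes, which is exactly the size=2024 visible in frame #4 (the size=1108546304 shown in frame #6 is not consistent with that and reads like a stale register in an optimized frame). A realloc of a sane size that faults inside malloc_consolidate usually means malloc's chunk metadata was damaged by an earlier out-of-bounds write somewhere else, not by this call. The constant 28 passed as the value-bit width is an assumption about a 32-bit Emacs of that era; all names below are the example's own.

```c
/* Added example, not Emacs source: a gap buffer whose growth arithmetic
   mirrors make_gap_larger / enlarge_buffer_text from the quoted trace. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BEG_BYTE 1          /* Emacs byte positions are 1-based */
#define GAP_SLACK 2000      /* the "nbytes_added += 2000" in make_gap_larger */
#define VALUE_BITS 28       /* assumption: min (VALBITS, BITS_PER_INT) on 32-bit */

struct gapbuf {
    unsigned char *beg;     /* text allocation, like buffer_text.beg */
    long gpt_byte;          /* start of the gap, like GPT_BYTE */
    long z_byte;            /* end of text, like Z_BYTE */
    long gap_size;          /* like GAP_SIZE */
    size_t last_realloc;    /* size handed to the last realloc, for checking */
};

/* Bytes requested by enlarge_buffer_text: Z_BYTE - BEG_BYTE + GAP_SIZE + 1 + delta. */
size_t enlarge_nbytes(long z_byte, long gap_size, long delta)
{
    return (size_t)(z_byte - BEG_BYTE + gap_size + 1 + delta);
}

/* The size guard from make_gap_larger; returns 1 when growth is allowed. */
int growth_fits(long z_byte, long gap_size, long nbytes_added, int value_bits)
{
    long limit = ((long)1 << (value_bits - 1)) - 1 - nbytes_added;
    return (z_byte - BEG_BYTE + gap_size) < limit;
}

int gb_init(struct gapbuf *b, long gap_size)
{
    b->gpt_byte = BEG_BYTE;
    b->z_byte = BEG_BYTE;
    b->gap_size = gap_size;
    b->last_realloc = 0;
    /* same layout as Emacs: text bytes + gap + one trailing NUL */
    b->beg = calloc(enlarge_nbytes(b->z_byte, b->gap_size, 0), 1);
    return b->beg != NULL;
}

/* Grow the gap by nbytes_added plus the Emacs slack, then move the text
   that follows the gap to the end of the new allocation. */
int gb_make_gap_larger(struct gapbuf *b, long nbytes_added)
{
    nbytes_added += GAP_SLACK;
    if (!growth_fits(b->z_byte, b->gap_size, nbytes_added, VALUE_BITS))
        return 0;                               /* "Buffer exceeds maximum size" */
    size_t nbytes = enlarge_nbytes(b->z_byte, b->gap_size, nbytes_added);
    unsigned char *p = realloc(b->beg, nbytes);
    if (!p) return 0;
    b->beg = p;
    b->last_realloc = nbytes;
    long gap_off = b->gpt_byte - BEG_BYTE;
    long tail = b->z_byte - b->gpt_byte;
    memmove(b->beg + gap_off + b->gap_size + nbytes_added,
            b->beg + gap_off + b->gap_size, (size_t)tail);
    b->gap_size += nbytes_added;
    b->beg[b->z_byte - BEG_BYTE + b->gap_size] = '\0';
    return 1;
}

/* Move the gap so that it starts at 1-based byte position pos. */
static void gb_move_gap(struct gapbuf *b, long pos)
{
    unsigned char *gap = b->beg + (b->gpt_byte - BEG_BYTE);
    if (pos < b->gpt_byte) {            /* gap_left: shift text up past the gap */
        long n = b->gpt_byte - pos;
        memmove(gap + b->gap_size - n, gap - n, (size_t)n);
    } else if (pos > b->gpt_byte) {     /* gap_right: shift text down into the gap */
        long n = pos - b->gpt_byte;
        memmove(gap, gap + b->gap_size, (size_t)n);
    }
    b->gpt_byte = pos;
}

/* Same check as insert_from_string_1: grow only if the gap is too small. */
int gb_insert(struct gapbuf *b, long pos, const unsigned char *s, long n)
{
    if (pos < BEG_BYTE || pos > b->z_byte) return 0;
    if (n > b->gap_size && !gb_make_gap_larger(b, n - b->gap_size)) return 0;
    gb_move_gap(b, pos);
    memcpy(b->beg + (b->gpt_byte - BEG_BYTE), s, (size_t)n);
    b->gpt_byte += n;
    b->z_byte += n;
    b->gap_size -= n;
    return 1;
}

/* Copy the text without the gap into out; returns its length or -1. */
long gb_text(const struct gapbuf *b, char *out, size_t cap)
{
    long before = b->gpt_byte - BEG_BYTE;
    long after = b->z_byte - b->gpt_byte;
    if ((size_t)(before + after) + 1 > cap) return -1;
    memcpy(out, b->beg, (size_t)before);
    memcpy(out + before, b->beg + before + b->gap_size, (size_t)after);
    out[before + after] = '\0';
    return before + after;
}

/* Replay the state in the trace: empty buffer, 21-byte gap, insert the
   23-byte string; returns the size that reached realloc. */
size_t replay_trace(char *out, size_t cap)
{
    struct gapbuf b;
    const char *s = "gnu.emacs.sources.SCORE";
    if (!gb_init(&b, 21)) return 0;
    if (!gb_insert(&b, 1, (const unsigned char *)s, (long)strlen(s))) {
        free(b.beg);
        return 0;
    }
    gb_text(&b, out, cap);
    size_t r = b.last_realloc;
    free(b.beg);
    return r;
}

int main(void)
{
    char out[64];
    size_t r = replay_trace(out, sizeof out);
    printf("realloc size %zu, text \"%s\"\n", r, out);   /* realloc size 2024 */
    return 0;
}
```

The replay reproduces the 2024-byte request, so the arithmetic feeding xrealloc is sound for the state shown; the next step on a real crash like this is to run the same scenario under a heap checker (MALLOC_CHECK_, Valgrind, or glibc's mcheck) to find the earlier write that broke the chunk metadata.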