emacs-pretest-bug

Heap corruption?


From: Gerd Moellmann
Subject: Heap corruption?
Date: Mon, 18 Aug 2003 19:35:13 +0200 (CEST)

In GNU Emacs 21.3.50.1 (i386-unknown-freebsd4.8, X toolkit, Xaw3d scroll bars)
 of 2003-08-17

In an Emacs compiled with GC_MCHECK=1 (malloc checks), and
ENABLE_CHECKING=1 (eassert):

mcheck: memory clobbered before allocated block

Breakpoint 1, abort () at emacs.c:417
417       kill (getpid (), SIGABRT);
(gdb) back 10
#0  abort () at emacs.c:417
#1  0x821b163 in mabort (status=MCHECK_HEAD) at gmalloc.c:1947
#2  0x821af48 in checkhdr (hdr=0x10001bf8) at gmalloc.c:1836
#3  0x821af6f in freehook (ptr=0x10001c00) at gmalloc.c:1850
#4  0x821aac5 in free (ptr=0x10001c00) at gmalloc.c:1228
#5  0x818fb36 in lisp_align_malloc (nbytes=1020, type=MEM_TYPE_CONS)
    at alloc.c:801
#6  0x8191164 in Fcons (car={i = 1610557408, s = {val = -55328, type = 5}, 
      u = {val = 268380128, type = 5}, gu = {val = 268380128, 
        type = Lisp_Cons, markbit = 0}}, cdr={i = 406654988, s = {
        val = -130215924, type = 1}, u = {val = 138219532, type = 1}, gu = {
        val = 138219532, type = Lisp_Symbol, markbit = 0}}) at alloc.c:2342
#7  0x8191462 in Flist (nargs=3, args=0xbfbfe7d8) at alloc.c:2410
#8  0x81ef4ee in Fbyte_code (bytestr={i = 943125548, s = {val = -130616276, 
        type = 3}, u = {val = 137819180, type = 3}, gu = {val = 137819180, 
        type = Lisp_String, markbit = 0}}, vector={i = 1211561060, s = {
        val = -130616220, type = 4}, u = {val = 137819236, type = 4}, gu = {
        val = 137819236, type = Lisp_Vectorlike, markbit = 0}}, maxdepth={
      i = 4, s = {val = 4, type = 0}, u = {val = 4, type = 0}, gu = {val = 4, 
        type = Lisp_Int, markbit = 0}}) at bytecode.c:997
#9  0x81b3049 in funcall_lambda (fun={i = 1211560972, s = {val = -130616308, 
        type = 4}, u = {val = 137819148, type = 4}, gu = {val = 137819148, 
        type = Lisp_Vectorlike, markbit = 0}}, nargs=1, arg_vector=0xbfbfe91c)
(gdb) f 5
#5  0x818fb36 in lisp_align_malloc (nbytes=1020, type=MEM_TYPE_CONS)
    at alloc.c:801
801               free (val);

The code in question is 

  /* If the memory just allocated cannot be addressed thru a Lisp
     object's pointer, and it needs to be,
     that's equivalent to running out of memory.  */
  if (val && type != MEM_TYPE_NON_LISP)
    {
      Lisp_Object tem;
      XSETCONS (tem, (char *) val + nbytes - 1);
      if ((char *) XCONS (tem) != (char *) val + nbytes - 1)
        {
          lisp_malloc_loser = val;
          free (val);
          val = 0;
        }
    }

The strange thing is that the Emacs process where this happened was only
lightly loaded: a small ChangeLog, a couple of small source files,
and a shell buffer with about 1Mb contents.
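The XSETCONS/XCONS round-trip check from lisp_align_malloc quoted above, modelled in C as an added example (not the page's or Emacs's own code). It assumes the 32-bit i386 Emacs 21 Lisp_Object layout without USE_LSB_TAG, i.e. 28 value bits below the type and mark bits, so the highest address a tagged pointer can reach is 0x0FFFFFFF; under that assumption the block from the backtrace (ptr=0x10001c00, nbytes=1020) fails the check and takes the free (val) path at alloc.c:801 where mcheck then fires.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of a 32-bit Emacs 21 Lisp_Object without USE_LSB_TAG:
   28 value bits, then the type bits, then the mark bit.  These constants
   are an assumption for the illustration, not taken from the page.  */
#define VALBITS   28u
#define VALMASK   ((1u << VALBITS) - 1u)
#define LISP_CONS 5u   /* type tag shown for the cons in the backtrace */

typedef uint32_t addr32;      /* model i386 addresses explicitly, even on a 64-bit host */
typedef uint32_t lisp_object;

/* Simplified XSETCONS: tag the address; only its low VALBITS survive.  */
static lisp_object xsetcons(addr32 p)
{
  return (LISP_CONS << VALBITS) | (p & VALMASK);
}

/* Simplified XCONS: strip the tag and recover the address.  */
static addr32 xcons(lisp_object o)
{
  return o & VALMASK;
}

/* The round trip performed in lisp_align_malloc: the LAST byte of the block
   must survive tag-and-untag, otherwise part of the block is unreachable
   through a Lisp_Object.  Returns 1 if the whole block is addressable.  */
int block_is_lisp_addressable(addr32 val, size_t nbytes)
{
  addr32 last = val + (addr32)nbytes - 1u;
  return xcons(xsetcons(last)) == last;
}

/* Highest address a tagged pointer can reach under this layout.  */
addr32 max_lisp_address(void)
{
  return VALMASK;   /* 0x0FFFFFFF */
}

int main(void)
{
  /* The block being freed in the backtrace: ptr=0x10001c00, nbytes=1020.  */
  addr32 val = 0x10001c00u;
  printf("block %#x..%#x addressable: %d (limit %#x)\n",
         (unsigned) val, (unsigned) (val + 1019u),
         block_is_lisp_addressable(val, 1020), (unsigned) max_lisp_address());
  return 0;
}
```

A block that starts below the limit but ends above it (for example 0x0FFFFF00 with 1020 bytes) also fails, which is why the check tags the last byte rather than the first.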
