[Qemacs-devel] [bug] memory used after being freed

qemacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemacs-devel] [bug] memory used after being freed

From:	François Revol
Subject:	[Qemacs-devel] [bug] memory used after being freed
Date:	Tue, 21 Jan 2014 23:05:53 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130630 Icedove/17.0.7

I had an odd crash when loading an org file, which only happened with my
X11 clipboard changes, I didn't see how it was related, so I ended up
trying valgrind:

==30454== Invalid read of size 8
==30454==    at 0x417817: eb_free_callback (buffer.c:724)
==30454==    by 0x40E67C: set_colorize_func (qe.c:3220)
==30454==    by 0x40E86A: text_mode_close (qe.c:7170)
==30454==    by 0x40F75C: edit_set_mode_full (qe.c:1659)
==30454==    by 0x410EBD: switch_to_buffer (qe.c:1736)
==30454==    by 0x411156: edit_close (qe.c:4722)
==30454==    by 0x413BA8: do_minibuffer_exit (qe.c:5130)
==30454==    by 0x4118C2: parse_args (qe.c:3911)
==30454==    by 0x411E29: qe_key_process (qe.c:4404)
==30454==    by 0x42E2A1: x11_handle_event (x11.c:1296)
==30454==    by 0x41F1BF: url_block (unix.c:269)
==30454==    by 0x41F684: url_main_loop (unix.c:309)
==30454==  Address 0x6848d40 is 192 bytes inside a block of size 1,544
free'd
==30454==    at 0x4C2A70C: free (vg_replace_malloc.c:468)
==30454==    by 0x410EA6: switch_to_buffer (qe.c:4577)
==30454==    by 0x411156: edit_close (qe.c:4722)
==30454==    by 0x413BA8: do_minibuffer_exit (qe.c:5130)
==30454==    by 0x4118C2: parse_args (qe.c:3911)
==30454==    by 0x411E29: qe_key_process (qe.c:4404)
==30454==    by 0x42E2A1: x11_handle_event (x11.c:1296)
==30454==    by 0x41F1BF: url_block (unix.c:269)
==30454==    by 0x41F684: url_main_loop (unix.c:309)
==30454==    by 0x409028: main (qe.c:8040)
==30454==

In fact switch_to_buffer() calls eb_free(), sets the local pointer to
NULL, but not s->b, which is of course used through edit_set_mode() by
eb_free_callback().

I'm not exactly sure how to fix it (move the call to eb_free() after
edit_set_mode() or set s->b to NULL and add a test in eb_free_callback...).

But it's definitely pure luck it doesn't crash by default.

François.

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemacs-devel] [bug] memory used after being freed, François Revol <=
- Re: [Qemacs-devel] [bug] memory used after being freed, Charles Gordon, 2014/01/21
- Re: [Qemacs-devel] [bug] memory used after being freed, Charles Gordon, 2014/01/23

Prev by Date: [Qemacs-devel] [PATCH] Shut up valgrind
Next by Date: Re: [Qemacs-devel] [bug] memory used after being freed
Previous by thread: [Qemacs-devel] [PATCH] Shut up valgrind
Next by thread: Re: [Qemacs-devel] [bug] memory used after being freed
Index(es):
- Date
- Thread