
Re: [Qemacs-devel] [bug] memory used after being freed


From: Charles Gordon
Subject: Re: [Qemacs-devel] [bug] memory used after being freed
Date: Tue, 21 Jan 2014 23:15:34 +0100

Good find!

I am going to change the logic for buffer creation, charset detection, mode 
selection, window attach and detach.
This is a good example.  There are actually quite a few of these lurking in the 
current code.
I am still puzzled at the first report you made with valgrind: qe_mallocz should 
clear the whole area, thus refcount should be tagged as set.

Thanks.

Chqrlie

On 21 Jan 2014, at 23:05, François Revol <address@hidden> wrote:

> I had an odd crash when loading an org file, which only happened with my
> X11 clipboard changes. I didn't see how it was related, so I ended up
> trying valgrind:
> 
> ==30454== Invalid read of size 8
> ==30454==    at 0x417817: eb_free_callback (buffer.c:724)
> ==30454==    by 0x40E67C: set_colorize_func (qe.c:3220)
> ==30454==    by 0x40E86A: text_mode_close (qe.c:7170)
> ==30454==    by 0x40F75C: edit_set_mode_full (qe.c:1659)
> ==30454==    by 0x410EBD: switch_to_buffer (qe.c:1736)
> ==30454==    by 0x411156: edit_close (qe.c:4722)
> ==30454==    by 0x413BA8: do_minibuffer_exit (qe.c:5130)
> ==30454==    by 0x4118C2: parse_args (qe.c:3911)
> ==30454==    by 0x411E29: qe_key_process (qe.c:4404)
> ==30454==    by 0x42E2A1: x11_handle_event (x11.c:1296)
> ==30454==    by 0x41F1BF: url_block (unix.c:269)
> ==30454==    by 0x41F684: url_main_loop (unix.c:309)
> ==30454==  Address 0x6848d40 is 192 bytes inside a block of size 1,544
> free'd
> ==30454==    at 0x4C2A70C: free (vg_replace_malloc.c:468)
> ==30454==    by 0x410EA6: switch_to_buffer (qe.c:4577)
> ==30454==    by 0x411156: edit_close (qe.c:4722)
> ==30454==    by 0x413BA8: do_minibuffer_exit (qe.c:5130)
> ==30454==    by 0x4118C2: parse_args (qe.c:3911)
> ==30454==    by 0x411E29: qe_key_process (qe.c:4404)
> ==30454==    by 0x42E2A1: x11_handle_event (x11.c:1296)
> ==30454==    by 0x41F1BF: url_block (unix.c:269)
> ==30454==    by 0x41F684: url_main_loop (unix.c:309)
> ==30454==    by 0x409028: main (qe.c:8040)
> ==30454==
> 
> In fact switch_to_buffer() calls eb_free(), sets the local pointer to
> NULL, but not s->b, which is of course used through edit_set_mode() by
> eb_free_callback().
> 
> I'm not exactly sure how to fix it (move the call to eb_free() after
> edit_set_mode() or set s->b to NULL and add a test in eb_free_callback...).
> 
> But it's definitely pure luck it doesn't crash by default.
> 
> François.
> 
> _______________________________________________
> Qemacs-devel mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/qemacs-devel
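The pattern François describes (the local pointer is cleared by eb_free() but the second alias s->b is not, and a later callback reads through it) reduces to a small, self-contained model. The example below is added here for illustration; it is not code from the thread or from qemacs, and the structure and function names (EditBuffer, EditState, eb_free, eb_free_callback, switch_to_buffer_*) are assumptions that only mimic the shapes named in the valgrind trace. To keep the demo free of undefined behaviour, eb_free() marks the block as released instead of calling free(), so stale accesses can be counted rather than crashing. The buggy ordering releases first and closes the mode through the dangling alias; the fixed ordering runs the mode-close callback while the buffer is still live, then clears s->b before releasing, so nothing can reach the block afterwards.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the qemacs structures named in the report.
   Every name and field here is an assumption for the demonstration,
   not qemacs' real definition. */
typedef struct EditBuffer {
    int refcount;
    int freed;              /* instrumentation only: 1 once eb_free() ran */
} EditBuffer;

typedef struct EditState {
    EditBuffer *b;          /* the window's current buffer: the alias in the bug */
} EditState;

/* Counts every access to a buffer after it has been released. */
static int use_after_free_count;

static EditBuffer *eb_new(void) {
    /* calloc zeroes the block, as qe_mallocz is said to do, so refcount == 0. */
    return calloc(1, sizeof(EditBuffer));
}

/* Release a buffer. Instead of calling free(), which would make any later
   access undefined behaviour, mark it so the demo can count stale reads.
   Like the real call, this clears only the caller's pointer, not other aliases. */
static void eb_free(EditBuffer **bp) {
    (*bp)->freed = 1;
    *bp = NULL;
}

static int eb_refcount(const EditBuffer *b) {
    if (b->freed)
        use_after_free_count++;   /* the "Invalid read" valgrind reported */
    return b->refcount;
}

/* Stand-in for eb_free_callback(): inspects s->b when a mode is closed. */
static void eb_free_callback(EditState *s) {
    if (s->b)
        (void)eb_refcount(s->b);
}

/* Buggy ordering: release first, then close the mode through the stale alias.
   Returns the number of stale reads (1 here). */
static int switch_to_buffer_buggy(EditState *s, EditBuffer *b) {
    use_after_free_count = 0;
    s->b = b;
    eb_free(&b);            /* b is NULL now, but s->b still points at the block */
    eb_free_callback(s);    /* reads through s->b: use after free */
    return use_after_free_count;
}

/* Fixed ordering: close the mode while the buffer is live, clear the alias,
   then release. Returns the number of stale reads (0 here). */
static int switch_to_buffer_fixed(EditState *s, EditBuffer *b) {
    use_after_free_count = 0;
    s->b = b;
    eb_free_callback(s);    /* mode close sees a live buffer */
    s->b = NULL;            /* no dangling alias is left behind */
    eb_free(&b);
    eb_free_callback(s);    /* harmless: the NULL check skips the access */
    return use_after_free_count;
}

int main(void) {
    EditState s = {0};
    EditBuffer *b1 = eb_new(), *b2 = eb_new();
    printf("buggy ordering: %d stale read(s)\n", switch_to_buffer_buggy(&s, b1));
    printf("fixed ordering: %d stale read(s)\n", switch_to_buffer_fixed(&s, b2));
    free(b1);               /* the demo's eb_free() never freed the blocks */
    free(b2);
    return 0;
}
```

Both fixes François mentions map onto this model: moving the release after the mode close is the first half of switch_to_buffer_fixed(), and clearing s->b plus the NULL test in eb_free_callback() is the second half; doing both leaves no window in which an alias to a released block exists. Under the real free(), a tool such as valgrind or AddressSanitizer is the practical check that the ordering is right, since a stale read may otherwise succeed silently.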
