TeXmacs crashes after closing the `Replace` window

I wonder how to debug TeXmacs when I catch an error: `free(): invalid size`. This looks like a C language problem.

The rest of this post is devoted to the description of the crash, and if others suffer from the same issue, I will try to report a bug.

Steps to reproduce:

  1. Edit->Replace...
  2. Open tool in separate window
  3. Input $[X]$ in the Replace... window.
  4. Click the cross to close the Replace... window: it usually crashes with `free(): invalid size` or `double free or corruption (out)` (not every time, but it crashes about 8 out of 10 times).

Sample code:

```
<TeXmacs|1.99.12>

<style|generic>

<\body>
  <\math>
    \<bbb-Z\><around*|[|X|]>
  </math>

  and

  <math|\<bbb-Q\><around*|[|X|]>>

  and

  <math|\<bbb-R\><around*|[|X|]>>

  and

  <math|\<bbb-C\><around*|[|X|]>>
</body>

<\initial>
  <\collection>
    <associate|page-height|auto>
    <associate|page-type|letter>
    <associate|page-width|auto>
  </collection>
</initial>
```

It seems not to happen on Mac. On which OS are you, and which TeXmacs?

Debian Stable. TeXmacs 1.99.12 installed as in http://www.texmacs.org/tmweb/download/linux-repos.en.html#debian (it might depend on how it is compiled, the compiler, seemingly being gcc instead of clang for the Mac version, the parameters of the compiler and how it is packaged).

I caught the backtrace. Unfortunately no debug symbols are available. I searched for some characteristic code and succeeded in locating the last two functions on the call stack before the call to free(). The following assembly code is obtained from `objdump -d`. The last function (calling free() at 289738):

```
  2896f0:	55                   	push   %rbp
  2896f1:	48 8d 6f f8          	lea    -0x8(%rdi),%rbp
  2896f5:	53                   	push   %rbx
  2896f6:	48 83 ec 08          	sub    $0x8,%rsp
  2896fa:	48 8b 5f f8          	mov    -0x8(%rdi),%rbx
  2896fe:	48 81 fb 07 01 00 00 	cmp    $0x107,%rbx
  289705:	77 21                	ja     289728 <FT_Select_Charmap@plt+0x1ab7a8>
  289707:	48 8d 05 12 10 f4 00 	lea    0xf41012(%rip),%rax        # 11ca720 <_ZN9QListData11shared_nullE+0x500>
  28970e:	48 8b 14 d8          	mov    (%rax,%rbx,8),%rdx
  289712:	48 89 57 f8          	mov    %rdx,-0x8(%rdi)
  289716:	48 89 2c d8          	mov    %rbp,(%rax,%rbx,8)
  28971a:	48 83 c4 08          	add    $0x8,%rsp
  28971e:	5b                   	pop    %rbx
  28971f:	5d                   	pop    %rbp
  289720:	c3                   	retq   
  289721:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  289728:	83 3d d1 0f f4 00 02 	cmpl   $0x2,0xf40fd1(%rip)        # 11ca700 <_ZN9QListData11shared_nullE+0x4e0>
  28972f:	0f 8f ab 00 00 00    	jg     2897e0 <FT_Select_Charmap@plt+0x1ab860>
  289735:	48 89 ef             	mov    %rbp,%rdi
  289738:	e8 d3 47 e5 ff       	callq  ddf10 <free@plt>
  28973d:	29 1d c1 0f f4 00    	sub    %ebx,0xf40fc1(%rip)        # 11ca704 <_ZN9QListData11shared_nullE+0x4e4>
  289743:	83 3d b6 0f f4 00 02 	cmpl   $0x2,0xf40fb6(%rip)        # 11ca700 <_ZN9QListData11shared_nullE+0x4e0>
  28974a:	7e ce                	jle    28971a <FT_Select_Charmap@plt+0x1ab79a>
  28974c:	48 8b 3d b5 ed ed 00 	mov    0xededb5(%rip),%rdi        # 1168508 <_ZTSSt9bad_alloc@@Base+0x28b558>
  289753:	48 8d 35 b9 86 c4 00 	lea    0xc486b9(%rip),%rsi        # ed1e13 <_ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev@@Base+0xc2b243>
  28975a:	e8 c1 f9 ff ff       	callq  289120 <FT_Select_Charmap@plt+0x1ab1a0>
  28975f:	8b 35 a3 0f f4 00    	mov    0xf40fa3(%rip),%esi        # 11ca708 <_ZN9QListData11shared_nullE+0x4e8>
  289765:	b9 08 00 00 00       	mov    $0x8,%ecx
  28976a:	44 8b 15 9f 0f f4 00 	mov    0xf40f9f(%rip),%r10d        # 11ca710 <_ZN9QListData11shared_nullE+0x4f0>
  289771:	4c 8d 05 e8 0f f4 00 	lea    0xf40fe8(%rip),%r8        # 11ca760 <_ZN9QListData11shared_nullE+0x540>
  289778:	c1 e6 10             	shl    $0x10,%esi
  28977b:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  289780:	4d 89 c1             	mov    %r8,%r9
  289783:	ba ff ff ff ff       	mov    $0xffffffff,%edx
  289788:	4d 85 c0             	test   %r8,%r8
  28978b:	74 0e                	je     28979b <FT_Select_Charmap@plt+0x1ab81b>
  28978d:	0f 1f 00             	nopl   (%rax)
  289790:	4d 8b 09             	mov    (%r9),%r9
  289793:	83 c2 01             	add    $0x1,%edx
  289796:	4d 85 c9             	test   %r9,%r9
  289799:	75 f5                	jne    289790 <FT_Select_Charmap@plt+0x1ab810>
  28979b:	0f af d1             	imul   %ecx,%edx
  28979e:	83 c1 08             	add    $0x8,%ecx
  2897a1:	49 83 c0 40          	add    $0x40,%r8
  2897a5:	41 01 d2             	add    %edx,%r10d
  2897a8:	81 f9 08 01 00 00    	cmp    $0x108,%ecx
  2897ae:	75 d0                	jne    289780 <FT_Select_Charmap@plt+0x1ab800>
  2897b0:	44 29 d6             	sub    %r10d,%esi
  2897b3:	48 89 c7             	mov    %rax,%rdi
  2897b6:	03 35 48 0f f4 00    	add    0xf40f48(%rip),%esi        # 11ca704 <_ZN9QListData11shared_nullE+0x4e4>
  2897bc:	e8 3f f7 ff ff       	callq  288f00 <FT_Select_Charmap@plt+0x1aaf80>
  2897c1:	48 83 c4 08          	add    $0x8,%rsp
  2897c5:	48 8d 35 3f 86 c4 00 	lea    0xc4863f(%rip),%rsi        # ed1e0b <_ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev@@Base+0xc2b23b>
  2897cc:	5b                   	pop    %rbx
  2897cd:	48 89 c7             	mov    %rax,%rdi
  2897d0:	5d                   	pop    %rbp
  2897d1:	e9 4a f9 ff ff       	jmpq   289120 <FT_Select_Charmap@plt+0x1ab1a0>
  2897d6:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  2897dd:	00 00 00 
  2897e0:	48 8b 3d 21 ed ed 00 	mov    0xeded21(%rip),%rdi        # 1168508 <_ZTSSt9bad_alloc@@Base+0x28b558>
  2897e7:	48 8d 35 33 86 c4 00 	lea    0xc48633(%rip),%rsi        # ed1e21 <_ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev@@Base+0xc2b251>
  2897ee:	e8 2d f9 ff ff       	callq  289120 <FT_Select_Charmap@plt+0x1ab1a0>
  2897f3:	48 89 de             	mov    %rbx,%rsi
  2897f6:	48 89 c7             	mov    %rax,%rdi
  2897f9:	e8 a2 f7 ff ff       	callq  288fa0 <FT_Select_Charmap@plt+0x1ab020>
  2897fe:	48 8d 35 06 86 c4 00 	lea    0xc48606(%rip),%rsi        # ed1e0b <_ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev@@Base+0xc2b23b>
  289805:	48 89 c7             	mov    %rax,%rdi
  289808:	e8 13 f9 ff ff       	callq  289120 <FT_Select_Charmap@plt+0x1ab1a0>
  28980d:	e9 23 ff ff ff       	jmpq   289735 <FT_Select_Charmap@plt+0x1ab7b5>
```

and this function is called from 342b7e:

```
  342b2d:	0f 1f 00             	nopl   (%rax)
  342b30:	41 56                	push   %r14
  342b32:	48 8d 05 17 35 e7 00 	lea    0xe73517(%rip),%rax        # 11b6050 <_ZTISt9bad_alloc@@Base+0x41ec0>
  342b39:	31 f6                	xor    %esi,%esi
  342b3b:	41 55                	push   %r13
  342b3d:	41 54                	push   %r12
  342b3f:	55                   	push   %rbp
  342b40:	53                   	push   %rbx
  342b41:	48 89 fb             	mov    %rdi,%rbx
  342b44:	48 83 ec 20          	sub    $0x20,%rsp
  342b48:	48 89 07             	mov    %rax,(%rdi)
  342b4b:	48 05 e0 01 00 00    	add    $0x1e0,%rax
  342b51:	48 89 47 10          	mov    %rax,0x10(%rdi)
  342b55:	bf 07 00 00 00       	mov    $0x7,%edi
  342b5a:	e8 31 67 0a 00       	callq  3e9290 <_ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev@@Base+0x1426c0>
  342b5f:	84 c0                	test   %al,%al
  342b61:	75 4d                	jne    342bb0 <_ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev@@Base+0x9bfe0>
  342b63:	48 8b 6b 50          	mov    0x50(%rbx),%rbp
  342b67:	48 85 ed             	test   %rbp,%rbp
  342b6a:	74 17                	je     342b83 <_ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev@@Base+0x9bfb3>
  342b6c:	83 6d 08 01          	subl   $0x1,0x8(%rbp)
  342b70:	75 11                	jne    342b83 <_ZNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEED0Ev@@Base+0x9bfb3>
  342b72:	48 8b 45 00          	mov    0x0(%rbp),%rax
  342b76:	48 89 ef             	mov    %rbp,%rdi
  342b79:	ff 10                	callq  *(%rax)
  342b7b:	48 89 ef             	mov    %rbp,%rdi
  342b7e:	e8 6d 6b f4 ff       	callq  2896f0 <FT_Select_Charmap@plt+0x1ab770>
  342b83:	48 8d 05 e6 2c e7 00 	lea    0xe72ce6(%rip),%rax        # 11b5870 <_ZTISt9bad_alloc@@Base+0x416e0>
  342b8a:	48 89 df             	mov    %rbx,%rdi
  342b8d:	48 89 03             	mov    %rax,(%rbx)
  342b90:	48 05 e0 01 00 00    	add    $0x1e0,%rax
  342b96:	48 89 43 10          	mov    %rax,0x10(%rbx)
  342b9a:	e8 41 b1 d9 ff       	callq  ddce0 <_ZN19QAbstractScrollAreaD2Ev@plt>
  342b9f:	48 83 c4 20          	add    $0x20,%rsp
  342ba3:	5b                   	pop    %rbx
  342ba4:	5d                   	pop    %rbp
  342ba5:	41 5c                	pop    %r12
  342ba7:	41 5d                	pop    %r13
  342ba9:	41 5e                	pop    %r14
  342bab:	c3                   	retq   
```

I don’t know whether this is enough to find the original crashing code.
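The two listings above have a recognizable shape even without symbols. The first reads an 8-byte word in front of the block, pushes blocks whose word is at most 0x107 onto a per-size free list (overwriting that word with the link) and hands larger ones to free(); the second decrements a reference count at offset 8 and, when it reaches zero, calls the first virtual function and then that release routine. The C program below is an added illustration, not TeXmacs code: it rebuilds that shape in miniature with invented names and constants (`mini_alloc`, `mini_free`, `MAX_ALLOC`, the `rep` struct) and adds a checked release that refuses a second release of the same block or a header word that is no longer a size this allocator wrote. That matters because free() only sees the pointer it is given and then inspects glibc's own chunk metadata in front of it; `free(): invalid size` is what glibc reports when that metadata does not describe a valid chunk, which is what a stray write over the header area or a pointer that is not the start of an allocation produces.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not TeXmacs code. SMALL_MAX mirrors the `cmp $0x107`
 * in the listing; MAX_ALLOC and every name here are invented for the example. */
#define SMALL_MAX 0x107
#define MAX_ALLOC (1UL << 30)

static uint64_t *free_list[SMALL_MAX + 1];  /* free_list[size] -> first free block of that size */
static long mem_used;                        /* bytes handed out, like the counter the listing adjusts */

/* Hand out n bytes; the 8-byte word in front of the block records n. */
void *mini_alloc(size_t n) {
    uint64_t *hdr;
    if (n == 0 || n > MAX_ALLOC) return NULL;
    if (n <= SMALL_MAX && free_list[n]) {
        hdr = free_list[n];
        free_list[n] = (uint64_t *)(uintptr_t)hdr[0];  /* pop: the header word held the next link */
    } else {
        hdr = malloc(sizeof *hdr + n);
        if (!hdr) return NULL;
    }
    hdr[0] = n;
    mem_used += (long)n;
    return hdr + 1;
}

/* Unchecked release with the listing's shape: it trusts whatever the header says. */
void mini_free(void *p) {
    uint64_t *hdr = (uint64_t *)p - 1;
    uint64_t n = hdr[0];
    mem_used -= (long)n;
    if (n <= SMALL_MAX) {
        hdr[0] = (uint64_t)(uintptr_t)free_list[n];  /* push, reusing the header word as the link */
        free_list[n] = hdr;
    } else {
        /* glibc validates its own chunk word in front of hdr here; if a stray write
         * clobbered it, or hdr is not the start of a malloc'd block, the process
         * aborts with "free(): invalid size" or a similar message. */
        free(hdr);
    }
}

enum release_status { RELEASE_OK, RELEASE_NULL, RELEASE_BAD_HEADER, RELEASE_DOUBLE };

/* Linear scan of every free list; fine for an illustration, not for a hot path. */
static int on_free_list(const uint64_t *hdr) {
    for (size_t n = 0; n <= SMALL_MAX; n++)
        for (const uint64_t *b = free_list[n]; b; b = (const uint64_t *)(uintptr_t)b[0])
            if (b == hdr) return 1;
    return 0;
}

/* Release that validates the header before touching a list or calling free(). */
enum release_status checked_free(void *p) {
    if (!p) return RELEASE_NULL;
    uint64_t *hdr = (uint64_t *)p - 1;
    if (on_free_list(hdr)) return RELEASE_DOUBLE;                      /* second release of one block */
    if (hdr[0] == 0 || hdr[0] > MAX_ALLOC) return RELEASE_BAD_HEADER;  /* not a size this allocator wrote */
    mini_free(p);
    return RELEASE_OK;
}

/* Reference-counted body with the second listing's layout: a pointer-sized slot
 * at offset 0 (the vtable there, a destroy hook here) and the count at offset 8. */
typedef struct rep { void (*destroy)(struct rep *); int ref_count; } rep;
static int destroyed;
static void note_destroy(rep *r) { (void)r; destroyed++; }

enum release_status rep_release(rep *r) {
    if (--r->ref_count > 0) return RELEASE_OK;
    if (r->destroy) r->destroy(r);      /* the `callq *(%rax)` step */
    return checked_free(r);             /* the `callq 2896f0` step */
}

/* Scenarios; each returns the status of the interesting release. */
enum release_status demo_refcount(void) {
    rep *r = mini_alloc(sizeof *r);
    r->destroy = note_destroy;
    r->ref_count = 2;
    rep_release(r);                     /* count drops to 1, nothing freed */
    return rep_release(r);              /* count hits 0: destroyed, then released */
}

enum release_status demo_double_free(void) {
    void *p = mini_alloc(32);
    checked_free(p);
    return checked_free(p);
}

enum release_status demo_corrupt_header(void) {
    uint64_t *p = mini_alloc(64);
    p[-1] = 0xdeadbeefcafef00dULL;      /* simulated stray write over the size word */
    enum release_status s = checked_free(p);
    p[-1] = 64;                         /* repair it so the block can be returned cleanly */
    mini_free(p);
    return s;
}

int main(void) {
    int a = demo_refcount(), b = demo_double_free(), c = demo_corrupt_header();
    printf("refcount: %d, double free: %d, corrupt header: %d, destroyed: %d, in use: %ld\n",
           a, b, c, destroyed, mem_used);
    return 0;
}
```

The unchecked `mini_free` is the behaviour a release-build allocator has to live with: a second release of a small block re-reads the link it wrote as if it were a size, and a corrupted word on a large block sends the pointer to free() regardless. The checked variant costs a list walk and a range test, which is why it belongs in a debug build or behind a compile-time switch rather than on every release in production.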

I can reproduce the bug using the replace window via the input method on Linux.

It seems they are similar bugs. I will fix it as soon as possible.

The bug is not related to the input method, and I’ve fixed it now on Linux:

The fix for the replace window bug is now shipped in v1.2.5.3. Using v1.2.5.3, I cannot reproduce the bug reported by @re4zuaFe.