Debian Bug report logs - #881624
vim: Random crashes due to some memory corruption


Package: vim; Maintainer for vim is Debian Vim Maintainers <[email protected]>; Source for vim is src:vim (PTS, buildd, popcon).

Reported by: Konstantin Khomoutov <[email protected]>

Date: Mon, 13 Nov 2017 17:00:02 UTC

Severity: normal

Tags: upstream

Found in version vim/2:8.0.0197-4+deb9u1



Report forwarded to [email protected], [email protected], Debian Vim Maintainers <[email protected]>:
Bug#881624; Package vim. (Mon, 13 Nov 2017 17:00:04 GMT)


Acknowledgement sent to Konstantin Khomoutov <[email protected]>:
New Bug report received and forwarded. Copy sent to [email protected], Debian Vim Maintainers <[email protected]>. (Mon, 13 Nov 2017 17:00:04 GMT)


Message #5 received at [email protected]:

From: Konstantin Khomoutov <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: vim: Random crashes due to some memory corruption
Date: Mon, 13 Nov 2017 19:56:30 +0300
Package: vim
Version: 2:8.0.0197-4+deb9u1
Severity: normal
Tags: upstream

I use console Vim at an rxvt-unicode console with the support of 256
colors.  (I use the "Zenburn" colour theme with Vim, FWIW.)
That is, I have:

  $ echo $TERM
  rxvt-unicode-256color


I'm experiencing sporadic (but rare) crashes which basically come in two
flavours:

- One manifestation is that the output at the lower part of the window
  becomes garbled when scrolling (upwards).
  Pressing Ctrl-L fixes the problem.

  When I start seeing this, this is a symptom of an imminent crash which
  will happen within minutes to an hour or two.

- Invoking Vim from a stopped background job using the "fg" command
  of my shell (which is bash).


No matter what the apparent cause, the crash always looks like Vim
getting the SIGABRT signal:

  Vim: Caught deadly signal ABRT
  
  Vim: Finished.
  Aborted.

In either case, I think this problem looks like some slow memory
corruption so the real trigger can be any action.


I have arranged for Vim to drop the core when crashing, and installed
the debug symbols package, so I have the output of the "bt" command in
a post-mortem GDB session, attached.


Please let me know if I can help more (it's okay for me to install
an instrumented version of Vim if needed.)


-- Package-specific info:

--- real paths of main Vim binaries ---
/usr/bin/vi is /usr/bin/vim.basic
/usr/bin/vim is /usr/bin/vim.basic

-- System Information:
Debian Release: 9.1
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages vim depends on:
ii  libacl1      2.2.52-3+b1
ii  libc6        2.24-11+deb9u1
ii  libgpm2      1.20.4-6.2+b1
ii  libselinux1  2.6-3+b3
ii  libtinfo5    6.0+20161126-1+deb9u1
ii  vim-common   2:8.0.0197-4+deb9u1
ii  vim-runtime  2:8.0.0197-4+deb9u1

vim recommends no packages.

Versions of packages vim suggests:
pn  ctags        <none>
pn  vim-doc      <none>
pn  vim-scripts  <none>

-- no debconf information
[crash.txt (text/plain, attachment)]

Information forwarded to [email protected], Debian Vim Maintainers <[email protected]>:
Bug#881624; Package vim. (Tue, 26 Dec 2017 19:12:05 GMT)


Acknowledgement sent to Konstantin Khomoutov <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <[email protected]>. (Tue, 26 Dec 2017 19:12:05 GMT)


Message #10 received at [email protected]:

From: Konstantin Khomoutov <[email protected]>
To: [email protected]
Subject: Another crash: corrupted size vs. prev_size
Date: Tue, 26 Dec 2017 21:16:08 +0300
I've just hit another case of this crash in the same environment.

This time I was able to recover the post-mortem printout Vim itself
generated; maybe it will be of use; especially, it appears we now have
the exact reason for the crash formulated by Vim:

--------------------------------8<--------------------------------
*** Error in `vim': corrupted size vs. prev_size: 0x0000555d0da308a0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f92f94b3bcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f92f94b9f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x78091)[0x7f92f94bb091]
vim(+0x1ad485)[0x555d0b1bb485]
vim(+0x14e358)[0x555d0b15c358]
vim(+0x14ec22)[0x555d0b15cc22]
vim(+0x1996ec)[0x555d0b1a76ec]
vim(+0x11e07c)[0x555d0b12c07c]
vim(+0x11e39c)[0x555d0b12c39c]
vim(+0x11e580)[0x555d0b12c580]
vim(+0x11e6d8)[0x555d0b12c6d8]
vim(+0x19e753)[0x555d0b1ac753]
vim(+0xba534)[0x555d0b0c8534]
vim(+0xbc464)[0x555d0b0ca464]
vim(+0xbcd68)[0x555d0b0cad68]
vim(+0xbd199)[0x555d0b0cb199]
vim(+0x102089)[0x555d0b110089]
vim(+0x1c5585)[0x555d0b1d3585]
vim(+0x1c63ab)[0x555d0b1d43ab]
vim(+0x2803d)[0x555d0b03603d]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f92f94632b1]
vim(+0x28fba)[0x555d0b036fba]
--------------------------------8<--------------------------------


The backtrace from GDB is as follows:
--------------------------------8<--------------------------------
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f92f94762e7 in kill () at ../sysdeps/unix/syscall-template.S:84
84      ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0  0x00007f92f94762e7 in kill () at ../sysdeps/unix/syscall-template.S:84
#1  0x0000555d0b12c113 in may_core_dump () at os_unix.c:3357
#2  0x0000555d0b12ddf3 in may_core_dump () at os_unix.c:3314
#3  mch_exit (r=1) at os_unix.c:3323
#4  0x0000555d0b1d2b7c in getout (exitval=1) at main.c:1495
#5  <signal handler called>
#6  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#7  0x00007f92f94773fa in __GI_abort () at abort.c:89
#8  0x00007f92f94b3bd0 in __libc_message (do_abort=do_abort@entry=2,
    fmt=fmt@entry=0x7f92f95a8dd0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#9  0x00007f92f94b9f96 in malloc_printerr (action=3, str=0x7f92f95a58fe "corrupted size vs. prev_size",
    ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#10 0x00007f92f94bb091 in _int_free (av=0x7f92f97dcb00 <main_arena>, p=0x555d0da301a0, have_lock=0) at malloc.c:4052
#11 0x0000555d0b1bb485 in win_free_lsize (wp=wp@entry=0x555d0da3bd70) at window.c:4814
#12 0x0000555d0b15c358 in screenalloc (doclear=doclear@entry=0) at screen.c:8597
#13 0x0000555d0b15cc22 in screenclear () at screen.c:8868
#14 0x0000555d0b1a76ec in set_shellsize (width=0, height=0, mustset=0) at term.c:3016
#15 0x0000555d0b12c07c in handle_resize () at os_unix.c:521
#16 RealWaitForChar (fd=0, msec=msec@entry=-1, check_for_gpm=check_for_gpm@entry=0x7fff39ca867c,
    interrupted=interrupted@entry=0x7fff39ca873c) at os_unix.c:5850
#17 0x0000555d0b12c39c in WaitForCharOrMouse (msec=msec@entry=-1, interrupted=interrupted@entry=0x7fff39ca873c)
    at os_unix.c:5565
#18 0x0000555d0b12c580 in WaitForCharOrMouse (interrupted=0x7fff39ca873c, msec=-1) at os_unix.c:5529
#19 WaitForChar (msec=msec@entry=-1, interrupted=interrupted@entry=0x7fff39ca873c) at os_unix.c:5495
#20 0x0000555d0b12c6d8 in mch_inchar (buf=buf@entry=0x555d0b45c26e <typebuf_init+78> "", maxlen=62, wtime=-1,
    tb_change_cnt=68551) at os_unix.c:475
#21 0x0000555d0b1ac753 in ui_inchar (buf=buf@entry=0x555d0b45c26e <typebuf_init+78> "", maxlen=maxlen@entry=62,
    wtime=wtime@entry=-1, tb_change_cnt=tb_change_cnt@entry=68551) at ui.c:195
#22 0x0000555d0b0c8534 in inchar (buf=0x555d0b45c26e <typebuf_init+78> "", maxlen=186, wait_time=-1,
    tb_change_cnt=68551) at getchar.c:3056
#23 0x0000555d0b0ca464 in vgetorpeek (advance=advance@entry=1) at getchar.c:2832
#24 0x0000555d0b0cad68 in vgetc () at getchar.c:1605
#25 0x0000555d0b0cb199 in safe_vgetc () at getchar.c:1801
#26 0x0000555d0b110089 in normal_cmd (oap=0x7fff39ca8a90, toplevel=1) at normal.c:627
#27 0x0000555d0b1d3585 in main_loop (cmdwin=0, noexmode=0) at main.c:1311
#28 0x0000555d0b1d43ab in vim_main2 () at main.c:877
#29 0x0000555d0b03603d in main (argc=<optimized out>, argv=<optimized out>) at main.c:415
--------------------------------8<--------------------------------


I have saved the core file, so I now have them both in case they may
come in handy -- just let me know.




Information forwarded to [email protected], Debian Vim Maintainers <[email protected]>:
Bug#881624; Package vim. (Tue, 26 Dec 2017 20:15:03 GMT)


Acknowledgement sent to Konstantin Khomoutov <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <[email protected]>. (Tue, 26 Dec 2017 20:15:03 GMT)


Message #15 received at [email protected]:

From: Konstantin Khomoutov <[email protected]>
To: [email protected]
Subject: The crashes
Date: Tue, 26 Dec 2017 22:32:42 +0300
Oh, after closer examination it appears the crashes are actually
different: the former has "double free or corruption (!prev)" as its
reason and has happened in garbage_collect() while the second has
"corrupted size vs. prev_size" and happened in win_free_lsize().

Still, both appear to relate to memory management.
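The distinction drawn in this last message (the reason string glibc reported, plus the first application function above the allocator) can be pulled out of a GDB "bt" mechanically. The helper below is an added example, not code from the bug report or from Vim; it uses an excerpt of the backtrace quoted above, and its second sample backtrace is constructed with made-up addresses and line numbers because the thread quotes no frames for the garbage_collect() crash.

```python
import re

# Added triage helper (not code from the bug report or from Vim): parse GDB "bt"
# output of a glibc malloc-check abort, recover the reason string handed to
# malloc_printerr(), and name the first application frame above the allocator.

# One joined frame line; the "0x... in" prefix is absent for inlined frames.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>[\w.]+) \((?P<args>.*)\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+))?\s*$")
REASON_RE = re.compile(r'str=\S+ "([^"]*)"')  # str=0x... "corrupted size vs. prev_size"
# glibc allocator and abort-path frames to step over before naming the caller (heuristic).
GLIBC_PREFIXES = ("_int_", "malloc_", "__libc_", "__GI_", "raise", "abort", "kill")

# Excerpt of the GDB backtrace quoted in this report (frames 8 and 9 wrap).
REPORTED_BT = r"""
#8  0x00007f92f94b3bd0 in __libc_message (do_abort=do_abort@entry=2,
    fmt=fmt@entry=0x7f92f95a8dd0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#9  0x00007f92f94b9f96 in malloc_printerr (action=3, str=0x7f92f95a58fe "corrupted size vs. prev_size",
    ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#10 0x00007f92f94bb091 in _int_free (av=0x7f92f97dcb00 <main_arena>, p=0x555d0da301a0, have_lock=0) at malloc.c:4052
#11 0x0000555d0b1bb485 in win_free_lsize (wp=wp@entry=0x555d0da3bd70) at window.c:4814
"""
# Constructed stand-in for the first crash (the report names its reason and
# function but quotes no frames): addresses and line numbers are made up.
FIRST_CRASH_BT = r"""
#9  0x00007f00deadbeef in malloc_printerr (action=3, str=0x7f00cafebabe "double free or corruption (!prev)",
    ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#10 0x00007f00deadc0de in _int_free (av=0x7f00feedface <main_arena>, p=0x55550000abcd, have_lock=0) at malloc.c:4052
#11 0x0000555500001234 in garbage_collect (testing=0) at eval.c:9999
"""


def parse_frames(text):
    joined = []
    for raw in text.splitlines():
        if raw[:1].isspace() and joined:  # GDB wraps long frames; re-join them
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    # Non-frame lines ("(gdb) bt", "<signal handler called>") do not match.
    return [m.groupdict() for m in map(FRAME_RE.match, joined) if m]


def triage(text):
    """Reason glibc reported and the first non-glibc frame above the allocator."""
    frames = parse_frames(text)
    for i, fr in enumerate(frames):
        if fr["func"] != "malloc_printerr":
            continue
        m = REASON_RE.search(fr["args"])
        for caller in frames[i + 1:]:
            if not caller["func"].startswith(GLIBC_PREFIXES):
                return {"reason": m.group(1) if m else None, "func": caller["func"],
                        "file": caller["file"], "line": int(caller["line"])}
    return None  # no malloc consistency check in this trace
```

Running triage() over both samples reproduces the comparison above: the same glibc check family, but a different reason string and a different Vim function doing the free().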






Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 13:36:33 2025; Machine Name: buxtehude
