segv inside _XReply / get_x11_windis / mch_settitle / win_close
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| vim (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: vim
In Jaunty's vim, running inside screen running in gnome-terminal, I had an empty grep window open, and typed :q there. It said "Vim: Caught deadly signal SEGV", and then hung. I can attach with gdb and get this backtrace. I'm not sure this is where the segv actually happened
(gdb) bt full
#0 __lll_lock_
No locals.
#1 0x00007f54adb2b025 in _L_lock_4783 () from /lib/libc.so.6
No symbol table info available.
#2 0x00007f54adb2726b in *__GI___libc_free (mem=0x7f54ade1
ignore1 = 128
ignore2 = 21550944
ignore3 = -512
ar_ptr = (mstate) 0x7f54ade1aa00
p = (mchunkptr) 0xffffffffffffffff
hook = <value optimized out>
#3 0x00007f54ad7ef9a6 in ?? () from /usr/lib/
No symbol table info available.
#4 0x00007f54ad7effd8 in _XReply () from /usr/lib/
No symbol table info available.
#5 0x00007f54ad7cd246 in XGetWindowProperty () from /usr/lib/
No symbol table info available.
#6 0x00007f54ad7cdad8 in XGetTextProperty () from /usr/lib/
No symbol table info available.
#7 0x00000000005206d2 in test_x11_window (dpy=0x148cd20) at os_unix.c:1513
text_prop = {value = 0x145e440 "vim (~/bzr/
#8 0x0000000000522dcd in get_x11_windis () at os_unix.c:1613
winid = <value optimized out>
result = 1
x11_display_from = 3
did_set_
#9 0x0000000000523325 in mch_settitle (title=
type = 1
recursive = 1
#10 0x00000000005236c9 in mch_exit (r=1) at os_unix.c:3009
No locals.
#11 <signal handler called>
No locals.
#12 0x00007f54adb26c78 in _int_free (av=0x7f54ade1aa00, mem=0x1517790) at malloc.c:4726
p = (mchunkptr) 0x1517780
size = 1696
nextchunk = (mchunkptr) 0x1517e20
nextsize = 65536
prevsize = <value optimized out>
bck = (mchunkptr) 0x20092227295d5c5b
fwd = (mchunkptr) 0x47
errstr = 0x7f54adbe9590 "double free or corruption (!prev)"
#13 0x00007f54adb27276 in *__GI___libc_free (mem=0x1517790) at malloc.c:3625
ar_ptr = (mstate) 0x7f54ade1aa00
p = <value optimized out>
hook = <value optimized out>
#14 0x000000000058d471 in win_free_mem (win=0x15848f0, dirp=0x7fffb94a
frp = (frame_T *) 0x14c0dd0
wp = (win_T *) 0x14e0b60
#15 0x000000000058d9e7 in win_close (win=0x15848f0, free_buf=1) at window.c:2158
wp = <value optimized out>
other_buffer = 0
close_curwin = 0
dir = <value optimized out>
help_window = 0
prev_curtab = <value optimized out>
#16 0x000000000058de9c in close_others (message=1, forceit=0) at window.c:3132
wp = (win_T *) 0x15848f0
nextwp = <value optimized out>
r = <value optimized out>
#17 0x000000000048fe00 in do_one_cmd (cmdlinep=
p = (char_u *) 0x1576264 ""
lnum = 1
n = 1
errormsg = (char_u *) 0x0
ea = {arg = 0x1576264 "", nextcmd = 0x0, cmd = 0x1576260 "only", cmdlinep = 0x7fffb94abd38, cmdidx = CMD_only, argt = 258, skip = 0, forceit = 0,
addr_count = 0, line1 = 65, line2 = 65, flags = 0, do_ecmd_cmd = 0x0, do_ecmd_lnum = 0, append = 0, usefilter = 0, amount = 0, regname = 0, force_bin = 0,
read_edit = 0, force_ff = 0, force_enc = 0, bad_char = 0, useridx = 0, errmsg = 0x0, getline = 0, cookie = 0x0, cstack = 0x7fffb94abd40}
verbose_save = -1
save_msg_scroll = 0
did_silent = 0
did_esilent = 0
---Type <return> to continue, or q <return> to quit---
did_sandbox = 0
ni = 0
#18 0x000000000048e0b5 in do_cmdline (cmdline=0x1576260 "only", getline=0, cookie=0x0, flags=11) at ex_docmd.c:1096
next_cmdline = (char_u *) 0x1576260 "only"
cmdline_copy = (char_u *) 0x1576260 "only"
used_getline = 0
msg_didout_
did_inc = 0
retval = <value optimized out>
cstack = {cs_flags = {0, 0, 0, 0, 0, 0, 0, 0, 9332, 330, 4, 0, 4096, 0, 0, 0, 0, 330, 0, 0, 0, 0, 0, 0, 13520, 330, 0, 0, -16976, -18102, 32767, 0,
9280, 330, 0, 0, 0, 0, 0, 0, 9340, 330, 0, 0, 13504, 330, 0, 0, -1, -1},
cs_pending = "\000\000\
0x7f54af6
0xfffffff
0x7f54ade
0x7fffb94
0x7f54adb
0x0, 0x0, 0x0, 0x4ffffffff, 0x14b62e1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x7f54af4e6be7, 0xffffffff, 0x0, 0x48, 0x7f54ade18a20, 0x0, 0x7f54af6f8260,
0x10, 0x6, 0x7f54af6f8260, 0x14b62e0, 0x0, 0x83034a, 0x1, 0x7f54adba9500, 0x3000000028}}, cs_forinfo = {0x7fffb94ac040, 0x7fffb94abf80,
0x7f54adb8b750, 0x0, 0x0, 0x7fffb94ac060, 0x0, 0x6, 0x7f54af6f8260, 0x0, 0x7f54af4e6d98, 0x0, 0x7f54af4ed230, 0x10, 0x83033c, 0x7fffb94ac16c,
0x7fffb94ac100, 0xffffffff, 0x14b62e1, 0x0, 0x7fffb94ac110, 0x7fffb94ac020, 0x20082bd11, 0xb94abf00, 0x7fffb94ac100, 0x10, 0x7f54af4e6be7, 0x0, 0x0,
0x48, 0x7f54af4e75ff, 0x0, 0x7f54af6f8260, 0x10, 0x14b62e1, 0x82bd00, 0x0, 0x4716, 0x4b1f34, 0x14b62e0, 0x83033c, 0x40, 0x6, 0x14b6677, 0x7f54af4e894e,
0x100000000
0, 5, 0, 0, 0, 101, 0, 0, 0, 1528, 0, 3056, 0, 5996282, 0, 1528, 0}, cs_idx = -1, cs_looplevel = 0, cs_trylevel = 0, cs_emsg_silent_list = 0x0,
cs_lflags = 0 '\0'}
lines_ga = {ga_len = 0, ga_maxlen = 0, ga_itemsize = 16, ga_growsize = 10, ga_data = 0x0}
current_line = 0
fname = (char_u *) 0x0
breakpoint = (linenr_T *) 0x0
dbg_tick = (int *) 0x0
debug_saved = {trylevel = 21718528, force_abort = 0, caught_stack = 0x1, vv_exception = 0x7fffb94abe10 "`�J��\177", vv_throwpoint = 0x14b62e0 "%d",
did_emsg = -1351646624, got_int = 32596, did_throw = -1380280903, need_rethrow = 32596, check_cstack = -72515583, current_exception = 0x14b6675}
initial_trylevel = 0
saved_msg_list = (struct msglist **) 0x0
private_msg_list = (struct msglist *) 0x0
cmd_getline = (char_u *(*)(int, void *, int)) 0
cmd_cookie = (void *) 0x0
cmd_loop_cookie = {lines_gap = 0x36360000014b6675, current_line = 21718645, repeating = 0, getline = 0x14b6675, cookie = 0x14b6677}
real_cookie = (void *) 0x0
getline_is_func = <value optimized out>
recursive = 1
call_depth = 1
#19 0x000000000058f779 in do_window (nchar=111, Prenum=0, xchar=0) at window.c:253
Prenum1 = <value optimized out>
wp = <value optimized out>
ptr = <value optimized out>
lnum = -1
type = <value optimized out>
len = <value optimized out>
cbuf = "\000\000\
#20 0x0000000000507a6f in normal_cmd (oap=0x7fffb94a
ca = {oap = 0x7fffb94ac3a0, prechar = 0, cmdchar = 23, nchar = 111, ncharC1 = 0, ncharC2 = 0, extra_char = 0, opcount = 0, count0 = 0, count1 = 1,
arg = 0, retval = 0, searchbuf = 0x0}
c = <value optimized out>
ctrl_w = <value optimized out>
need_flushbuf = 1
mapped_len = <value optimized out>
idx = <value optimized out>
set_prevcount = <value optimized out>
old_mapped_len = 0
#21 0x00000000004c75cb in main_loop (cmdwin=0, noexmode=0) at main.c:1183
oa = {op_type = 0, regname = 0, motion_type = 1, motion_force = 0, use_reg_one = 0, inclusive = 1, end_adjusted = 0, start = {lnum = 115, col = 12,
coladd = 0}, end = {lnum = 115, col = 27, coladd = 0}, cursor_start = {lnum = 48, col = 2, coladd = 0}, line_count = 1, empty = 0, is_VIsual = 0,
block_mode = 0, start_vcol = 0, end_vcol = 0, prev_opcount = 0, prev_count0 = 0}
previous_got_int = 0
#22 0x00000000004ca56b in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:942
fname = <value optimized out>
params = {argc = 1, argv = 0x7fffb94ac728, evim_mode = 0, use_vimrc = 0x0, n_commands = 0, commands = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0}, cmds_tofree = "\000\000\
edit_type = 0, tagname = 0x0, use_ef = 0x0, want_full_screen = 1, stdout_isatty = 1, term = 0x0, ask_for_key = 0, no_swap_file = 0,
---Type <return> to continue, or q <return> to quit---
use_debug_
servername = 0x13b3be0 "VIM", diff_mode = 0, vi_mode = 0}
ProblemType: Bug
Architecture: amd64
DistroRelease: Ubuntu 9.04
NonfreeKernelMo
Package: vim-gnome 2:7.2.079-1ubuntu5
ProcEnviron:
PATH=(custom, user)
LANG=en_AU.UTF-8
SHELL=/bin/zsh
SourcePackage: vim
Uname: Linux 2.6.28-11-generic x86_64
| Martin Pool (mbp) wrote | #1 |
| Dominique Pellé (dominique-pelle) wrote | #2 |
| Martin Pool (mbp) wrote Re: [Bug 390603] Re: segv inside _XReply / get_x11_windis / mch_settitle / win_close | #3 |
Is this crash reproducible?
If so can you give the step by step instructions to reproduce it?