After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 754897 - catting binary files causes a crash
catting binary files causes a crash
Status: RESOLVED DUPLICATE of bug 738504
Product: vte
Classification: Core
Component: general
git master
Other Linux
: Normal critical
: vte-0-42
Assigned To: VTE Maintainers
VTE Maintainers
Depends on:
Blocks:
 
 
Reported: 2015-09-11 16:30 UTC by Mantas Mikulėnas (grawity)
Modified: 2015-09-12 06:07 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
example file (2.80 KB, application/octet-stream)
2015-09-11 16:30 UTC, Mantas Mikulėnas (grawity) 		Details

Description Mantas Mikulėnas (grawity) 2015-09-11 16:30:12 UTC 
Created attachment 311166 [details]
example file

vte often crashes when a non-utf8 file is dumped to the terminal. (/usr/bin/vte tends to crash faster, gnome-terminal sometimes needs 2-3 'cat's.)

(vte-app:3434480): Vte-CRITICAL **: int _vte_unistr_strlen(vteunistr): assertion 's < unistr_next' failed
(vte-app:3434480): Vte-CRITICAL **: void _vte_unistr_append_to_string(vteunistr, GString*): assertion 's < unistr_next' failed
(vte-app:3434480): Vte-CRITICAL **: int _vte_unistr_strlen(vteunistr): assertion 's < unistr_next' failed
(vte-app:3434480): Vte-CRITICAL **: void _vte_unistr_append_to_string(vteunistr, GString*): assertion 's < unistr_next' failed
Segmentation fault (core dumped)

vte 0.41.90.r5.g2477ae1 (today's git master)
gtk 3.17.8.r116.g4993b02 (same)
glib 2.45.7.r37.gee6740a (same)
Comment 1 Mantas Mikulėnas (grawity) 2015-09-11 16:35:22 UTC 
(gdb) bt full

+ Trace 235436

  • #0 _vte_unistr_strlen
    at vteunistr.cc line 171
  • #1 _vte_ring_freeze_row
    at ring.cc line 182
  • #2 _vte_ring_freeze_one_row
    at ring.cc line 384
  • #3 _vte_ring_maybe_freeze_one_row
    at ring.cc line 430
  • #4 _vte_ring_insert
    at ring.cc line 567
  • #5 _vte_terminal_ring_insert
    at vte.cc line 343
  • #6 _vte_terminal_ring_append
    at vte.cc line 352
  • #7 vte_terminal_insert_rows
    at vte.cc line 2125
  • #8 _vte_terminal_update_insert_delta
    at vte.cc line 2185
  • #9 _vte_terminal_cursor_down
    at vte.cc line 3015
  • #10 vte_terminal_process_incoming
    at vte.cc line 3839
  • #11 time_process_incoming
    at vte.cc line 12847
  • #12 process_timeout
    at vte.cc line 12896
  • #13 ??
    from /usr/lib/libglib-2.0.so.0
  • #14 g_main_context_dispatch
    from /usr/lib/libglib-2.0.so.0
  • #15 ??
    from /usr/lib/libglib-2.0.so.0
  • #16 g_main_context_iteration
    from /usr/lib/libglib-2.0.so.0
  • #17 g_application_run
    from /usr/lib/libgio-2.0.so.0
  • #18 test_app_main
    at app.c line 1902
  • #19 __libc_start_main
    from /usr/lib/libc.so.6
  • #20 _start 
(gdb)
Comment 2 Christian Persch 2015-09-11 16:56:56 UTC 
Can you try running vte-2.91 under valgrind to see if anything turns up? I cannot repro here, and valgrind doesn't complain about anything inside vte.
Comment 3 Mantas Mikulėnas (grawity) 2015-09-11 17:37:03 UTC 
Got the log below.

Though, also noticed another odd thing – /usr/bin/vte belonging to the *old* vte 0.28.2 package (not vte3) *also* crashes in the same way... And then I have bug 754887. So maybe it's something else, e.g. glib-git, or Arch's glibc 2.22?

(vte-app:3451657): Vte-CRITICAL **: void _vte_unistr_append_to_string(vteunistr, GString*): assertion 's < unistr_next' failed
==3451657== Invalid read of size 4
==3451657==    at 0x4E6B7CB: _vte_unistr_strlen (vteunistr.cc:171)
==3451657==    by 0x4E427AC: _vte_ring_freeze_row (ring.cc:182)
==3451657==    by 0x4E427AC: _vte_ring_freeze_one_row(_VteRing*) (ring.cc:384)
==3451657==    by 0x4E42DF4: _vte_ring_maybe_freeze_one_row (ring.cc:430)
==3451657==    by 0x4E42DF4: _vte_ring_insert (ring.cc:567)
==3451657==    by 0x4E4C19A: _vte_terminal_ring_insert (vte.cc:343)
==3451657==    by 0x4E4EDC8: _vte_terminal_ring_append (vte.cc:352)
==3451657==    by 0x4E4EDC8: vte_terminal_insert_rows (vte.cc:2125)
==3451657==    by 0x4E4EDC8: _vte_terminal_update_insert_delta (vte.cc:2185)
==3451657==    by 0x4E501B8: _vte_terminal_cursor_down (vte.cc:3015)
==3451657==    by 0x4E54093: vte_terminal_process_incoming(_VteTerminal*) (vte.cc:3839)
==3451657==    by 0x4E54ABE: time_process_incoming(_VteTerminal*) (vte.cc:12847)
==3451657==    by 0x4E5A14E: process_timeout(void*) (vte.cc:12896)
==3451657==    by 0x657FB36: ??? (in /usr/lib/libglib-2.0.so.0.4508.0)
==3451657==    by 0x657EF87: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.4508.0)
==3451657==    by 0x657F357: ??? (in /usr/lib/libglib-2.0.so.0.4508.0)
==3451657==  Address 0x4136d8348 is not stack'd, malloc'd or (recently) free'd
==3451657== 
==3451657== 
==3451657== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3451657==  Access not within mapped region at address 0x4136D8348
==3451657==    at 0x4E6B7CB: _vte_unistr_strlen (vteunistr.cc:171)
==3451657==    by 0x4E427AC: _vte_ring_freeze_row (ring.cc:182)
==3451657==    by 0x4E427AC: _vte_ring_freeze_one_row(_VteRing*) (ring.cc:384)
==3451657==    by 0x4E42DF4: _vte_ring_maybe_freeze_one_row (ring.cc:430)
==3451657==    by 0x4E42DF4: _vte_ring_insert (ring.cc:567)
==3451657==    by 0x4E4C19A: _vte_terminal_ring_insert (vte.cc:343)
==3451657==    by 0x4E4EDC8: _vte_terminal_ring_append (vte.cc:352)
==3451657==    by 0x4E4EDC8: vte_terminal_insert_rows (vte.cc:2125)
==3451657==    by 0x4E4EDC8: _vte_terminal_update_insert_delta (vte.cc:2185)
==3451657==    by 0x4E501B8: _vte_terminal_cursor_down (vte.cc:3015)
==3451657==    by 0x4E54093: vte_terminal_process_incoming(_VteTerminal*) (vte.cc:3839)
==3451657==    by 0x4E54ABE: time_process_incoming(_VteTerminal*) (vte.cc:12847)
==3451657==    by 0x4E5A14E: process_timeout(void*) (vte.cc:12896)
==3451657==    by 0x657FB36: ??? (in /usr/lib/libglib-2.0.so.0.4508.0)
==3451657==    by 0x657EF87: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.4508.0)
==3451657==    by 0x657F357: ??? (in /usr/lib/libglib-2.0.so.0.4508.0)
==3451657==  If you believe this happened as a result of a stack
==3451657==  overflow in your program's main thread (unlikely but
==3451657==  possible), you can try to increase the size of the
==3451657==  main thread stack using the --main-stacksize= flag.
==3451657==  The main thread stack size used in this run was 8388608.
==3451657== 
==3451657== HEAP SUMMARY:
==3451657==     in use at exit: 4,959,531 bytes in 50,385 blocks
==3451657==   total heap usage: 292,073 allocs, 241,688 frees, 27,004,100 bytes allocated
==3451657== 
==3451657== LEAK SUMMARY:
==3451657==    definitely lost: 7,176 bytes in 15 blocks
==3451657==    indirectly lost: 29,414 bytes in 1,140 blocks
==3451657==      possibly lost: 73,311 bytes in 401 blocks
==3451657==    still reachable: 4,667,510 bytes in 47,406 blocks
==3451657==         suppressed: 0 bytes in 0 blocks
==3451657== Rerun with --leak-check=full to see details of leaked memory
==3451657== 
==3451657== For counts of detected and suppressed errors, rerun with: -v
==3451657== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Killed
(returned 137 or SIGKILL)
Comment 4 Mantas Mikulėnas (grawity) 2015-09-11 17:41:22 UTC 
Hmm, yes, it seems to actually be a glib2 thing.
Comment 5 Mantas Mikulėnas (grawity) 2015-09-11 18:00:46 UTC 
Bisected down to 3188b8e in glib:

commit 3188b8ee791a38ac3dd7e477f30761344442f745
Author: Mikhail Zabaluev <mikhail.zabaluev@gmail.com>
Date:   Tue Oct 14 01:18:57 2014 +0300

    Optimized branching in g_utf8_validate()
Comment 6 Mikhail Zabaluev 2015-09-11 19:56:35 UTC 
Can you isolate the sequence passed to g_utf8_validate() that's causing a crash?
Comment 7 Christian Persch 2015-09-12 06:07:39 UTC 
Moved the discussion to bug 738504.

*** This bug has been marked as a duplicate of bug 738504 ***