neovim / neovim

Vim-fork focused on extensibility and usability
https://neovim.io

Crash with malloc abort "corrupted size vs. prev_size" #13072

Closed YaLTeR closed 3 years ago

YaLTeR commented 4 years ago

I was editing in a 3-column layout with a preview window on the bottom. Neovim crashed when I was in a different Tilix tab.

[Current thread is 1 (Thread 0x7ffb2c8bd640 (LWP 33052))]
>>> bt
#0  __GI_raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffb39e5d8a4 in __GI_abort () at abort.c:79
#2  0x00007ffb39eb7127 in __libc_message (action=<optimized out>, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffb39ebee1c in malloc_printerr (str=str@entry=0x7ffb39fc7d32 "corrupted size vs. prev_size") at malloc.c:5389
#4  0x00007ffb39ebfd16 in unlink_chunk (p=p@entry=0x7ffb280a5940, av=0x7ffb28000020) at malloc.c:1466
#5  0x00007ffb39ec056b in _int_free (av=0x7ffb28000020, p=0x7ffb28039c40, have_lock=<optimized out>) at malloc.c:4375
#6  0x00005584e5a82e36 in xfree (ptr=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/memory.c:119
#7  0x00005584e5b52a9f in destroy_cells (grid=grid@entry=0x7ffb28011808) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/ugrid.c:98
#8  0x00005584e5b54d47 in ugrid_resize (grid=0x7ffb28011808, width=255, height=60) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/ugrid.c:30
#9  0x00005584e5b51634 in tui_grid_resize (ui=0x5584e5e1ecf0, g=<optimized out>, width=255, height=60) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/tui/tui.c:887
#10 0x00005584e5b528f2 in ui_bridge_grid_resize_event (argv=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/x86_64-redhat-linux-gnu/src/nvim/auto/ui_events_bridge.generated.h:159
#11 0x00005584e5a0be6e in multiqueue_process_events (this=0x7ffb28000d80) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/event/multiqueue.c:157
#12 0x00005584e5a0bf2e in loop_poll_events (loop=0x7ffb2c8bc820, ms=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/event/loop.c:70
#13 0x00005584e5b51a46 in tui_main (bridge=0x5584e5e1ee10, ui=0x5584e5e1ecf0) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/tui/tui.c:441
#14 0x00005584e5b5298a in ui_thread_run (data=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/ui_bridge.c:104
#15 0x00007ffb39e173f9 in start_thread (arg=0x7ffb2c8bd640) at pthread_create.c:463
#16 0x00007ffb39f38b03 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
>>> thread 2
[Switching to thread 2 (Thread 0x7ffb39dee740 (LWP 33051))]
#0  0x00005584e5b0264b in number_width (wp=0x5584e8ed2c00) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/screen.c:7187
7187      if (wp->w_p_rnu && !wp->w_p_nu) {
>>> bt
#0  0x00005584e5b0264b in number_width (wp=0x5584e8ed2c00) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/screen.c:7187
#1  0x00005584e5a90a10 in win_col_off (wp=0x5584e8ed2c00) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/move.c:694
#2  0x00005584e59bfbae in win_lbr_chartabsize (wp=wp@entry=0x5584e8ed2c00, line=line@entry=0x5584e81c4c72 ' ' <repeats 50 times>, "output);", s=<optimized out>, s@entry=0x5584e81c4c7e ' ' <repeats 38 times>, "output);", col=col@entry=12, headp=headp@entry=0x0) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/charset.c:1063
#3  0x00005584e59bfd97 in win_linetabsize (wp=0x5584e8ed2c00, line=0x5584e81c4c72 ' ' <repeats 50 times>, "output);", len=2147483647) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/charset.c:800
#4  0x00005584e5a90ace in plines_win_nofold (wp=wp@entry=0x5584e8ed2c00, lnum=lnum@entry=328) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/misc1.c:415
#5  0x00005584e5a90bb4 in plines_win_nofill (wp=wp@entry=0x5584e8ed2c00, lnum=lnum@entry=328, winheight=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/misc1.c:395
#6  0x00005584e5a90bdf in plines_win (wp=0x5584e8ed2c00, lnum=328, winheight=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/misc1.c:368
#7  0x00005584e5b71d4a in scroll_to_fraction (wp=wp@entry=0x5584e8ed2c00, prev_height=prev_height@entry=49) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/window.c:5619
#8  0x00005584e5b72027 in win_set_inner_size (wp=0x5584e8ed2c00) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/window.c:5728
#9  0x00005584e5b72311 in win_new_height (wp=<optimized out>, height=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/window.c:5592
#10 0x00005584e5b72345 in frame_new_height (topfrp=topfrp@entry=0x5584e8d74ac0, height=height@entry=48, topfirst=topfirst@entry=0, wfh=wfh@entry=1) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/window.c:3041
#11 0x00005584e5b723cd in frame_new_height (topfrp=topfrp@entry=0x5584e6717bc0, height=48, topfirst=topfirst@entry=0, wfh=wfh@entry=1) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/window.c:3047
#12 0x00005584e5b7241c in frame_new_height (topfrp=topfrp@entry=0x5584e5dfe100, height=height@entry=57, topfirst=topfirst@entry=0, wfh=wfh@entry=1) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/window.c:3086
#13 0x00005584e5b724f9 in shell_new_rows () at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/window.c:4789
#14 0x00005584e5b041c2 in win_new_shellsize () at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/screen.c:7352
#15 0x00005584e5b0040b in screenalloc () at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/screen.c:6096
#16 0x00005584e5b0053c in screenclear () at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/screen.c:6233
#17 0x00005584e5b0408d in screen_resize (width=<optimized out>, height=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/screen.c:7258
#18 0x00005584e5b56ef8 in ui_refresh () at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/ui.c:213
#19 0x00005584e5b56f50 in ui_refresh_event (argv=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/ui.c:240
#20 0x00005584e5a0be6e in multiqueue_process_events (this=0x5584e5de9400) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/event/multiqueue.c:157
#21 0x00005584e5aa73c5 in nv_event (cap=0x7ffcd1607c58) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/normal.c:8009
#22 0x00005584e5aa2eb9 in normal_execute (state=0x7ffcd1607bd0, key=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/normal.c:1131
#23 0x00005584e5b35167 in state_enter (s=0x7ffcd1607bd0) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/state.c:69
#24 0x00005584e5a9db85 in normal_enter (cmdwin=<optimized out>, noexmode=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/normal.c:463
#25 0x00005584e5a7939f in main (argc=-782205648, argv=<optimized out>) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/main.c:583
bt full ``` #0 __GI_raise (sig=) at ../sysdeps/unix/sysv/linux/raise.c:49 set = { __val = {[0] = 0, [1] = 0, [2] = 0, [3] = 0, [4] = 94029280832752, [5] = 1408640232611055360, [6] = 9122, [7] = 140716684611104, [8] = 94029280832752, [9] = 140716684701644, [10] = 0, [11] = 140716684679176, [12] = 140716684676888, [13] = 94029277854051, [14] = 0, [15] = 0} } pid = tid = ret = #1 0x00007ffb39e5d8a4 in __GI_abort () at abort.c:79 save_stage = 1 act = { __sigaction_handler = { sa_handler = 0x0, sa_sigaction = 0x0 }, sa_mask = { __val = {[0] = 0, [1] = 0, [2] = 0, [3] = 0, [4] = 140716985743026, [5] = 0, [6] = 16, [7] = 140716760876528, [8] = 12884901888, [9] = 0, [10] = 140716988915482, [11] = 0, [12] = 0, [13] = 140716760876080, [14] = 140716760876080, [15] = 0} }, sa_flags = 152766208, sa_restorer = 0x4 } sigs = { __val = {[0] = 32, [1] = 0 } } #2 0x00007ffb39eb7127 in __libc_message (action=, fmt=) at ../sysdeps/posix/libc_fatal.c:155 ap = {[0] = { gp_offset = 24, fp_offset = 32763, overflow_arg_area = 0x7ffb2c8bc580, reg_save_area = 0x7ffb2c8bc510 }} fd = list = nlist = cp = #3 0x00007ffb39ebee1c in malloc_printerr (str=str@entry=0x7ffb39fc7d32 "corrupted size vs. prev_size") at malloc.c:5389 No locals. #4 0x00007ffb39ebfd16 in unlink_chunk (p=p@entry=0x7ffb280a5940, av=0x7ffb28000020) at malloc.c:1466 fd = bk = #5 0x00007ffb39ec056b in _int_free (av=0x7ffb28000020, p=0x7ffb28039c40, have_lock=) at malloc.c:4375 size = fb = nextchunk = 0x7ffb280a5940 nextsize = 9200 nextinuse = prevsize = bck = fwd = __PRETTY_FUNCTION__ = "_int_free" #6 0x00005584e5a82e36 in xfree (ptr=) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/memory.c:119 No locals. #7 0x00005584e5b52a9f in destroy_cells (grid=grid@entry=0x7ffb28011808) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/ugrid.c:98 i = 47 #8 0x00005584e5b54d47 in ugrid_resize (grid=0x7ffb28011808, width=255, height=60) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/ugrid.c:30 No locals. 
#9 0x00005584e5b51634 in tui_grid_resize (ui=0x5584e5e1ecf0, g=, width=255, height=60) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/tui/tui.c:887 data = 0x7ffb28000e20 grid = 0x7ffb28011808 #10 0x00005584e5b528f2 in ui_bridge_grid_resize_event (argv=) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/x86_64-redhat-linux-gnu/src/nvim/auto/ui_events_bridge.generated.h:159 ui = #11 0x00005584e5a0be6e in multiqueue_process_events (this=0x7ffb28000d80) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/event/multiqueue.c:157 event = { handler = 0x5584e5b528cf , argv = {[0] = 0x5584e5e1ee10, [1] = 0x1, [2] = 0xff, [3] = 0x3c, [4] = 0x5584e5b88e4b, [5] = 0x0, [6] = 0x5584e5a0b44a , [7] = 0x5584e5b5289f , [8] = 0x5584e5e1ee10, [9] = 0xc7ccd1} } __PRETTY_FUNCTION__ = "multiqueue_process_events" #12 0x00005584e5a0bf2e in loop_poll_events (loop=0x7ffb2c8bc820, ms=) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/event/loop.c:70 mode = timeout_expired = false #13 0x00005584e5b51a46 in tui_main (bridge=0x5584e5e1ee10, ui=0x5584e5e1ecf0) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/tui/tui.c:441 tui_loop = { uv = { data = 0x7ffb2c8bc820, active_handles = 4, handle_queue = {[0] = 0x7ffb2c8bcaa8, [1] = 0x7ffb28010f50}, active_reqs = { unused = {[0] = 0x0, [1] = 0x7ffb28000b60}, count = 0 }, stop_flag = 0, flags = 0, backend_fd = 15, pending_queue = {[0] = 0x7ffb2c8bc868, [1] = 0x7ffb2c8bc868}, watcher_queue = {[0] = 0x7ffb2c8bc878, [1] = 0x7ffb2c8bc878}, watchers = 0x7ffb28000bb0, nwatchers = 30, nfds = 3, wq = {[0] = 0x7ffb2c8bc898, [1] = 0x7ffb2c8bc898}, wq_mutex = { __data = { __lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = { __prev = 0x0, __next = 0x0 } }, __size = '\000' , __align = 0 }, wq_async = { data = 0x0, loop = 0x7ffb2c8bc820, type = UV_ASYNC, close_cb = 0x0, handle_queue = {[0] = 0x7ffb2c8bcd78, [1] = 0x7ffb2c8bcaa8}, u = { fd = 0, reserved = {[0] = 0x0, [1] = 0x0, [2] = 0x0, [3] = 0x0} }, 
next_closing = 0x0, flags = 20, async_cb = 0x7ffb3a2293f0 , queue = {[0] = 0x7ffb2c8bcdc0, [1] = 0x7ffb2c8bc9d0}, pending = 0 }, cloexec_lock = { __data = { __readers = 0, __writers = 0, __wrphase_futex = 0, __writers_futex = 0, __pad3 = 0, __pad4 = 0, __cur_writer = 0, __shared = 0, __rwelision = 0 '\000', __pad1 = "\000\000\000\000\000\000", __pad2 = 0, __flags = 0 }, __size = '\000' , __align = 0 }, closing_handles = 0x0, process_handles = {[0] = 0x7ffb2c8bc990, [1] = 0x7ffb2c8bc990}, prepare_handles = {[0] = 0x7ffb2c8bc9a0, [1] = 0x7ffb2c8bc9a0}, check_handles = {[0] = 0x7ffb2c8bc9b0, [1] = 0x7ffb2c8bc9b0}, idle_handles = {[0] = 0x7ffb2c8bc9c0, [1] = 0x7ffb2c8bc9c0}, async_handles = {[0] = 0x7ffb2c8bc938, [1] = 0x7ffb2c8bcdc0}, async_unused = 0x0, async_io_watcher = { cb = 0x7ffb3a222040 , pending_queue = {[0] = 0x7ffb2c8bc9f0, [1] = 0x7ffb2c8bc9f0}, watcher_queue = {[0] = 0x7ffb2c8bca00, [1] = 0x7ffb2c8bca00}, pevents = 1, events = 1, fd = 18 }, async_wfd = -1, timer_heap = { min = 0x0, nelts = 0 }, timer_counter = 167, time = 7789613, signal_pipefd = {[0] = 16, [1] = 17}, signal_io_watcher = { cb = 0x7ffb3a231170 , pending_queue = {[0] = 0x7ffb2c8bca58, [1] = 0x7ffb2c8bca58}, watcher_queue = {[0] = 0x7ffb2c8bca68, [1] = 0x7ffb2c8bca68}, pevents = 1, events = 1, fd = 16 }, child_watcher = { data = 0x0, loop = 0x7ffb2c8bc820, type = UV_SIGNAL, close_cb = 0x0, handle_queue = {[0] = 0x7ffb2c8bc8f0, [1] = 0x7ffb2c8bc830}, u = { fd = 0, reserved = {[0] = 0x0, [1] = 0x0, [2] = 0x0, [3] = 0x0} }, next_closing = 0x0, flags = 16, signal_cb = 0x0, signum = 0, tree_entry = { rbe_left = 0x0, rbe_right = 0x0, rbe_parent = 0x0, rbe_color = 0 }, caught_signals = 0, dispatched_signals = 0 }, emfile_fd = 19, inotify_read_watcher = { cb = 0x0, pending_queue = {[0] = 0x0, [1] = 0x0}, watcher_queue = {[0] = 0x0, [1] = 0x0}, pevents = 0, events = 0, fd = 0 }, inotify_watchers = 0x0, inotify_fd = -1 }, events = 0x7ffb28000d40, thread_events = 0x7ffb28000dc0, fast_events = 
0x7ffb28000d80, children = 0x7ffb28000cc0, children_watcher = { data = 0x0, loop = 0x7ffb2c8bc820, type = UV_SIGNAL, close_cb = 0x0, handle_queue = {[0] = 0x7ffb2c8bcc48, [1] = 0x7ffb2c8bcd78}, u = { fd = 0, reserved = {[0] = 0x0, [1] = 0x0, [2] = 0x0, [3] = 0x0} }, next_closing = 0x0, flags = 8, signal_cb = 0x0, signum = 0, tree_entry = { rbe_left = 0x0, rbe_right = 0x0, rbe_parent = 0x0, rbe_color = 0 }, caught_signals = 0, dispatched_signals = 0 }, children_kill_timer = { data = 0x0, loop = 0x7ffb2c8bc820, type = UV_TIMER, close_cb = 0x0, handle_queue = {[0] = 0x7ffb2c8bcce0, [1] = 0x7ffb2c8bcbb0}, u = { fd = 0, reserved = {[0] = 0x0, [1] = 0x0, [2] = 0x0, [3] = 0x0} }, next_closing = 0x0, flags = 8, timer_cb = 0x0, heap_node = {[0] = 0x0, [1] = 0x0, [2] = 0x0}, timeout = 0, repeat = 0, start_id = 0 }, poll_timer = { data = 0x7ffb28000e00, loop = 0x7ffb2c8bc820, type = UV_TIMER, close_cb = 0x0, handle_queue = {[0] = 0x7ffb280116b0, [1] = 0x7ffb2c8bcc48}, u = { fd = 0, reserved = {[0] = 0x0, [1] = 0x0, [2] = 0x0, [3] = 0x0} }, next_closing = 0x0, flags = 8, timer_cb = 0x5584e5a0ab14 , heap_node = {[0] = 0x0, [1] = 0x0, [2] = 0x0}, timeout = 2097418, repeat = 20, start_id = 81 }, async = { data = 0x0, loop = 0x7ffb2c8bc820, type = UV_ASYNC, close_cb = 0x0, handle_queue = {[0] = 0x7ffb2c8bcbb0, [1] = 0x7ffb2c8bc8f0}, u = { fd = 0, reserved = {[0] = 0x0, [1] = 0x0, [2] = 0x0, [3] = 0x0} }, next_closing = 0x0, flags = 12, async_cb = 0x5584e5a0ca0a , queue = {[0] = 0x7ffb2c8bc9d0, [1] = 0x7ffb2c8bc938}, pending = 0 }, mutex = { __data = { __lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = { __prev = 0x0, __next = 0x0 } }, __size = '\000' , __align = 0 }, recursive = 0 } data = 0x7ffb28000e20 #14 0x00005584e5b5298a in ui_thread_run (data=) at /usr/src/debug/neovim-0.4.4-3.fc33.x86_64/src/nvim/ui_bridge.c:104 bridge = #15 0x00007ffb39e173f9 in start_thread (arg=0x7ffb2c8bd640) at pthread_create.c:463 ret = pd = 
0x7ffb2c8bd640 unwind_buf = { cancel_jmp_buf = {[0] = { jmp_buf = {[0] = 140716760880704, [1] = 222086306575035977, [2] = 140723821247166, [3] = 140723821247167, [4] = 0, [5] = 140716760880704, [6] = -224235199559225783, [7] = -224210678885241271}, mask_was_saved = 0 }}, priv = { pad = {[0] = 0x0, [1] = 0x0, [2] = 0x0, [3] = 0x0}, data = { prev = 0x0, cleanup = 0x0, canceltype = 0 } } } not_first_call = 0 #16 0x00007ffb39f38b03 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 No locals. ```
erw7 commented 4 years ago

Related to #12500?

glacambre commented 3 years ago

@YaLTeR have you encountered this crash again since you first reported it? If yes, were there any common circumstances that would help with building a reproducer?

YaLTeR commented 3 years ago

I haven't unfortunately.

glacambre commented 3 years ago

Well I'd say that's pretty fortunate :D. I'm going to close this issue since it's unlikely we'll ever be able to confirm whether we fixed it - but if you (or anyone else) encounter something similar again, please let us know and we'll try to figure out what's happening :).