Error in `clerk': realloc(): invalid next size: 0x000000000222b780 *** #27

d-e-s-o opened this issue Feb 2, 2015 · 2 comments
d-e-s-o commented Feb 2, 2015

Given the following todo file:

{
  "DJKASJL": [
    {
      "text": "dasjlkdajskldjalsjdg: EHHDJAKSS, DKAJSSJ, DNMASNN, JKDAJSKDJD, DAJSLJASJJ, UDIOPSIPD, DJKASJLSJLSL, DJKS",
      "state": 0
    },
  ]
}

When I start up clerk with this file, edit the only todo, and press ',' the program crashes in realloc. It seems like a memory corruption/overflow somewhere in the clrk_input code.

robem commented Nov 16, 2015

Couldn't reproduce it. Would you mind trying again?

robem added the bug label Nov 16, 2015
d-e-s-o commented Nov 22, 2015

I can still reproduce it with the steps described. Looking a bit further I was at least able to create a core dump (problem is that the entire shell [or gdb, if attached] freezes after the problem occurs). Apparently, the process stays alive for some reason but after killing it using kill -s SIGSEGV I got a core. The backtrace looks like this:

#0 __lll_lock_wait_private () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
#1 0x00007f61410f1e9c in __GI___libc_malloc (bytes=140055683307072, bytes@entry=53) at malloc.c:2888
#2 0x00007f6141426fda in __strdup (s=0x7ffc2e9275a0 "/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libgcc_s.so.1")
at strdup.c:42
#3 0x00007f614142467b in _dl_load_cache_lookup (name=name@entry=0x7f61411d5586 "libgcc_s.so.1") at dl-cache.c:305
#4 0x00007f614141739f in _dl_map_object (loader=loader@entry=0x7f614162e658,
name=name@entry=0x7f61411d5586 "libgcc_s.so.1", type=type@entry=2, trace_mode=trace_mode@entry=0,
mode=mode@entry=-1879048191, nsid=) at dl-load.c:2054
#5 0x00007f6141421b2a in dl_open_worker (a=a@entry=0x7ffc2e927c58) at dl-open.c:226
#6 0x00007f614141d9d4 in _dl_catch_error (objname=objname@entry=0x7ffc2e927c48,
errstring=errstring@entry=0x7ffc2e927c50, mallocedp=mallocedp@entry=0x7ffc2e927c47,
operate=operate@entry=0x7f6141421a80 <dl_open_worker>, args=args@entry=0x7ffc2e927c58) at dl-error.c:187
#7 0x00007f614142154b in _dl_open (file=0x7f61411d5586 "libgcc_s.so.1", mode=-2147483647,
caller_dlopen=, nsid=-2, argc=5, argv=0x7ffc2e928ba8, env=0x7ffc2e928bd8) at dl-open.c:652
#8 0x00007f614118f2d2 in do_dlopen (ptr=ptr@entry=0x7ffc2e927e80) at dl-libc.c:87
#9 0x00007f614141d9d4 in _dl_catch_error (objname=0x7ffc2e927e60, errstring=0x7ffc2e927e68,
mallocedp=0x7ffc2e927e5f, operate=0x7f614118f290 <do_dlopen>, args=0x7ffc2e927e80) at dl-error.c:187
#10 0x00007f614118f36f in dlerror_run (operate=operate@entry=0x7f614118f290 <do_dlopen>,
args=args@entry=0x7ffc2e927e80) at dl-libc.c:46
#11 0x00007f614118f3e1 in __GI___libc_dlopen_mode (name=name@entry=0x7f61411d5586 "libgcc_s.so.1",
mode=mode@entry=-2147483647) at dl-libc.c:163
#12 0x00007f614116b685 in init () at ../sysdeps/x86_64/backtrace.c:52
#13 0x00007f614116b7d5 in __GI___backtrace (array=array@entry=0x7ffc2e927f00, size=size@entry=64)
at ../sysdeps/x86_64/backtrace.c:103
#14 0x00007f6141097ab7 in backtrace_and_maps (do_abort=, do_abort@entry=2, written=,
fd=fd@entry=6) at ../sysdeps/unix/sysv/linux/libc_fatal.c:47
#15 0x00007f61410e92df in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x7f61411da968 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:172
#16 0x00007f61410ee72e in malloc_printerr (action=3, str=0x7f61411d6cab "realloc(): invalid next size",
ptr=) at malloc.c:4960
#17 0x00007f61410f150b in _int_realloc (av=av@entry=0x7f6141409640 <main_arena>, oldp=oldp@entry=0x78d480,
oldsize=oldsize@entry=112, nb=nb@entry=224) at malloc.c:4216
#18 0x00007f61410f26a7 in __GI___libc_realloc (oldmem=0x78d490, bytes=205) at malloc.c:3020
#19 0x0000000000401aeb in clrk_input (
text=0x78dac0 "dasjlkdajskldjalsjdg: EHHDJAKSS, DKAJSSJ, DNMASNN, JKDAJSKDJD, DAJSLJASJJ, UDIOPSIPD, DJKASJLSJLSL, DJKS") at src/clerk.c:112
#20 0x000000000040242f in clrk_todo_edit_current () at src/clerk.c:409
#21 0x0000000000402e70 in clrk_loop_normal () at src/clerk.c:768
#22 0x0000000000401633 in main (argc=5, argv=0x7ffc2e928ba8) at src/main.c:65

but it is likely of little or no use, since the problem is some corruption in the malloc data structures, so it happened earlier.
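
As the last comment notes, glibc reports "invalid next size" at a later realloc(), not at the write that damaged the heap, so input code that grows a buffer needs to check capacity before every write. The following is an added example, not clerk's code and not a diagnosis of clrk_input (whose source the issue does not show): a bounds-checked edit buffer in which `struct editbuf`, `eb_reserve`, `eb_init` and `eb_insert` are all hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical edit buffer; names are illustrative, not taken from clerk. */
struct editbuf {
    char  *data;  /* NUL-terminated text */
    size_t len;   /* bytes used, excluding the NUL */
    size_t cap;   /* bytes allocated, including room for the NUL */
};

/* Grow the allocation so `need` bytes (terminator included) fit. 0 on success. */
static int eb_reserve(struct editbuf *b, size_t need)
{
    if (need <= b->cap)
        return 0;
    size_t cap = b->cap ? b->cap : 16;
    while (cap < need) {
        if (cap > (size_t)-1 / 2)
            return -1;            /* doubling would overflow size_t */
        cap *= 2;
    }
    char *p = realloc(b->data, cap);
    if (!p)
        return -1;                /* on failure the old block stays valid */
    b->data = p;
    b->cap = cap;
    return 0;
}

/* Load the text being edited, e.g. the todo from the report. */
int eb_init(struct editbuf *b, const char *text)
{
    size_t n = strlen(text);
    b->data = NULL; b->len = 0; b->cap = 0;
    if (eb_reserve(b, n + 1) != 0)
        return -1;
    memcpy(b->data, text, n + 1); /* copy includes the terminator */
    b->len = n;
    return 0;
}

/* Insert one character at cursor position `pos`; reserve BEFORE writing. */
int eb_insert(struct editbuf *b, size_t pos, char c)
{
    if (pos > b->len)
        return -1;                /* cursor outside the text */
    if (eb_reserve(b, b->len + 2) != 0)  /* +1 new char, +1 NUL */
        return -1;
    memmove(b->data + pos + 1, b->data + pos, b->len - pos + 1);
    b->data[pos] = c;
    b->len++;
    return 0;
}
```

To locate an existing overflow of this kind, building with `-fsanitize=address` or running under valgrind reports the out-of-bounds write at the instruction that performs it, instead of at a later allocator call.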
