bug#16502: segmentation fault with org-capture

[Dmitry Antipov]

On 01/20/2014 01:15 AM, Nathan Froyd wrote:

> Given this initialization file, bug-init:
[...skip...]

Reproduced in trunk (as of r116077). Could you please run undumped (temacs)
under valgrind? With your recipe, I'm seeing nasty memory management error:

valgrind --tool=memcheck ./src/temacs -Q -l /tmp/bug16502.el

==>

==10951== Invalid read of size 8
==10951==    at 0x56142D: PSEUDOVECTOR_TYPEP (lisp.h:2377)
==10951==    by 0x56149C: PSEUDOVECTORP (lisp.h:2391)
==10951==    by 0x561575: BUFFERP (lisp.h:2437)
==10951==    by 0x673C47: find_interval (intervals.c:669)
==10951==    by 0x6796F7: validate_interval_range (textprop.c:212)
==10951==    by 0x67B190: Ftext_properties_at (textprop.c:601)
==10951==    by 0x67B245: Fget_text_property (textprop.c:621)
==10951==    by 0x51FAD4: face_at_buffer_position (xfaces.c:5987)
==10951==    by 0x4439FD: handle_face_prop (xdisp.c:3815)
==10951==    by 0x4427D0: handle_stop (xdisp.c:3319)
==10951==    by 0x44C416: reseat (xdisp.c:6359)
==10951==    by 0x441789: init_iterator (xdisp.c:2975)
==10951==  Address 0x763cb10 is 0 bytes inside a block of size 960 free'd
==10951==    at 0x4A07577: free (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10951==    by 0x5E1470: lisp_free (alloc.c:931)
==10951==    by 0x5EA618: gc_sweep (alloc.c:6637)
==10951==    by 0x5E8181: Fgarbage_collect (alloc.c:5572)
==10951==    by 0x562277: maybe_gc (lisp.h:4518)
==10951==    by 0x60A36B: eval_sub (eval.c:2075)
==10951==    by 0x6084A3: internal_lisp_condition_case (eval.c:1314)
==10951==    by 0x656A46: exec_byte_code (bytecode.c:1169)
==10951==    by 0x60C8DD: funcall_lambda (eval.c:2974)
==10951==    by 0x60C275: Ffuncall (eval.c:2855)
==10951==    by 0x60AE7C: Fapply (eval.c:2292)
==10951==    by 0x60BF66: Ffuncall (eval.c:2787)

I.e. the buffer is swept by GC and then (de)referenced in find_interval.

Dmitry