[Mutt] #3401: crash on searching index
#3401: crash on searching index
--------------------+-------------------------------------------------------
Reporter: ossi | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: mutt | Version:
Keywords: |
--------------------+-------------------------------------------------------
why is there no "current tip" version value? oh, well.
i tried searching for "~s Amarok ~b ^\+.*foreach". i have no idea whether
this is a valid expression, but this is most definitely not an acceptable
result:
#0 0xa7833424 in __kernel_vsyscall ()
#1 0xa73668e0 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0xa7369e15 in *__GI_abort () at abort.c:88
#3 0xa739d6c5 in __libc_message (do_abort=2, fmt=0xa74640e8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:173
#4 0xa73a7824 in malloc_printerr (action=2, str=0xa7460e28 "realloc(): invalid pointer", ptr=0xafd1f1fc) at malloc.c:6239
#5 0xa73ad64f in realloc_check (oldmem=0xafd1f1fc, bytes=1493765296, caller=0x8097a2e) at hooks.c:330
#6 0xa73ad411 in *__GI___libc_realloc (oldmem=0xafd1f1fc, bytes=1493765296) at malloc.c:3757
#7 0x08097a2e in safe_realloc (ptr=0xafd1f490, siz=6) at lib.c:176
#8 0x08098461 in mutt_buffer_printf (buf=0xafd1f490, fmt=0x80b1fd7 "'%s': %s") at muttlib.c:1697
#9 0x08082949 in eat_regexp (pat=0x8fe7870, s=0xafd1ed98, err=0xafd1f490) at pattern.c:297
#10 0x08081f72 in mutt_pattern_comp (s=0xafd1edfc "~s Amarok ~b ^\\+.*foreach", flags=1, err=0xafd1f490) at pattern.c:919
#11 0x0808222b in mutt_search_command (cur=24, op=154) at pattern.c:1440
#12 0x0805d551 in mutt_index_menu () at curs_main.c:909
#13 0x08070c38 in main (argc=1, argv=0xafd205c4) at main.c:1020
prior to the crash, valgrind spits out the following:
==30046== Conditional jump or move depends on uninitialised value(s)
==30046== at 0x80983F3: mutt_buffer_printf (muttlib.c:1678)
==30046== by 0x8082948: eat_regexp (pattern.c:297)
==30046== by 0x8081F71: mutt_pattern_comp (pattern.c:919)
==30046== by 0x808222A: mutt_search_command (pattern.c:1440)
==30046== by 0x805D550: mutt_index_menu (curs_main.c:909)
==30046== by 0x8070C37: main (main.c:1020)
==30046==
==30046== Conditional jump or move depends on uninitialised value(s)
==30046== at 0x8098406: mutt_buffer_printf (muttlib.c:1684)
==30046== by 0x8082948: eat_regexp (pattern.c:297)
==30046== by 0x8081F71: mutt_pattern_comp (pattern.c:919)
==30046== by 0x808222A: mutt_search_command (pattern.c:1440)
==30046== by 0x805D550: mutt_index_menu (curs_main.c:909)
==30046== by 0x8070C37: main (main.c:1020)
==30046==
==30046== Conditional jump or move depends on uninitialised value(s)
==30046== at 0x4437625: vsnprintf (vsnprintf.c:110)
==30046== by 0x8098435: mutt_buffer_printf (muttlib.c:1691)
==30046== by 0x8082948: eat_regexp (pattern.c:297)
==30046== by 0x8081F71: mutt_pattern_comp (pattern.c:919)
==30046== by 0x808222A: mutt_search_command (pattern.c:1440)
==30046== by 0x805D550: mutt_index_menu (curs_main.c:909)
==30046== by 0x8070C37: main (main.c:1020)
==30046==
==30046== Use of uninitialised value of size 4
==30046== at 0x4437681: vsnprintf (vsnprintf.c:118)
==30046== by 0x8098435: mutt_buffer_printf (muttlib.c:1691)
==30046== by 0x8082948: eat_regexp (pattern.c:297)
==30046== by 0x8081F71: mutt_pattern_comp (pattern.c:919)
==30046== by 0x808222A: mutt_search_command (pattern.c:1440)
==30046== by 0x805D550: mutt_index_menu (curs_main.c:909)
==30046== by 0x8070C37: main (main.c:1020)
==30046==
==30046== Conditional jump or move depends on uninitialised value(s)
==30046== at 0x4441EE2: _IO_str_init_static_internal (strops.c:44)
==30046== by 0x443769D: vsnprintf (vsnprintf.c:119)
==30046== by 0x8098435: mutt_buffer_printf (muttlib.c:1691)
==30046== by 0x8082948: eat_regexp (pattern.c:297)
==30046== by 0x8081F71: mutt_pattern_comp (pattern.c:919)
==30046== by 0x808222A: mutt_search_command (pattern.c:1440)
==30046== by 0x805D550: mutt_index_menu (curs_main.c:909)
==30046== by 0x8070C37: main (main.c:1020)
==30046==
==30046== Conditional jump or move depends on uninitialised value(s)
==30046== at 0x4440E03: _IO_default_xsputn (genops.c:460)
==30046== by 0x4414848: vfprintf (vfprintf.c:1333)
==30046== by 0x44376B3: vsnprintf (vsnprintf.c:120)
==30046== by 0x8098435: mutt_buffer_printf (muttlib.c:1691)
==30046== by 0x8082948: eat_regexp (pattern.c:297)
==30046== by 0x8081F71: mutt_pattern_comp (pattern.c:919)
==30046== by 0x808222A: mutt_search_command (pattern.c:1440)
==30046== by 0x805D550: mutt_index_menu (curs_main.c:909)
==30046== by 0x8070C37: main (main.c:1020)
[... a lot more stuff cut - it gets boring]
==30046== Invalid free() / delete / delete[]
==30046== at 0x4024C77: realloc (vg_replace_malloc.c:476)
==30046== by 0x8097A2D: safe_realloc (lib.c:176)
==30046== by 0x8098460: mutt_buffer_printf (muttlib.c:1697)
==30046== by 0x8082948: eat_regexp (pattern.c:297)
==30046== by 0x8081F71: mutt_pattern_comp (pattern.c:919)
==30046== by 0x808222A: mutt_search_command (pattern.c:1440)
==30046== by 0x805D550: mutt_index_menu (curs_main.c:909)
==30046== by 0x8070C37: main (main.c:1020)
==30046== Address 0xaede91bc is on thread 1's stack
==30046==
==30046== Invalid read of size 2
==30046== at 0x40506EB: ??? (in /lib/libncursesw.so.5.7)
==30046== by 0x4051218: _nc_waddch_nosync (in /lib/libncursesw.so.5.7)
==30046== by 0x4051CAF: waddnstr (in /lib/libncursesw.so.5.7)
==30046== by 0x805BA8F: curses_message (curs_lib.c:316)
==30046== by 0x805BB02: mutt_curses_error (curs_lib.c:333)
==30046== by 0x8097A4F: safe_realloc (lib.c:185)
==30046== by 0x8098460: mutt_buffer_printf (muttlib.c:1697)
==30046== by 0x8082948: eat_regexp (pattern.c:297)
==30046== by 0x8081F71: mutt_pattern_comp (pattern.c:919)
==30046== by 0x808222A: mutt_search_command (pattern.c:1440)
==30046== by 0x805D550: mutt_index_menu (curs_main.c:909)
==30046== by 0x8070C37: main (main.c:1020)
==30046== Address 0x707866d4 is not stack'd, malloc'd or (recently) free'd
==30046==
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3401>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
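
The valgrind output above shows mutt_buffer_printf branching on uninitialised values and realloc() then being handed an address on the thread's stack. The following is an added example, not code from the ticket or from Mutt: a minimal growable printf buffer whose caller zero-initialises it, so realloc() only ever sees NULL or a block it returned earlier. The names struct gbuf, GBUF_INIT, gbuf_printf and format_regexp_error are hypothetical; only the "'%s': %s" format string is taken from the backtrace.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer; data is NULL or a block owned by realloc(). */
struct gbuf { char *data; size_t used, size; };
#define GBUF_INIT { NULL, 0, 0 }

/* Append formatted text, growing the block as needed. 0 on success, -1 on error. */
static int gbuf_printf(struct gbuf *b, const char *fmt, ...) {
    va_list ap;
    int need;
    /* Inconsistent fields are rejected; consistent-looking garbage cannot be detected. */
    if (!b || (b->data == NULL) != (b->size == 0) || b->used > b->size)
        return -1;
    va_start(ap, fmt);
    need = vsnprintf(NULL, 0, fmt, ap);          /* first pass: measure only */
    va_end(ap);
    if (need < 0) return -1;
    if (b->used + (size_t)need + 1 > b->size) {
        size_t nsize = b->used + (size_t)need + 1;
        char *p = realloc(b->data, nsize);       /* realloc(NULL, n) acts as malloc(n) */
        if (!p) return -1;
        b->data = p;
        b->size = nsize;
    }
    va_start(ap, fmt);
    vsnprintf(b->data + b->used, b->size - b->used, fmt, ap);
    va_end(ap);
    b->used += (size_t)need;
    return 0;
}

/* Caller pattern: initialise, format on the heap, copy into the fixed array, free. */
static int format_regexp_error(char *out, size_t outlen, const char *pat, const char *why) {
    struct gbuf err = GBUF_INIT;   /* without this, the fields are stack garbage */
    int rc = gbuf_printf(&err, "'%s': %s", pat, why);
    if (rc == 0)
        snprintf(out, outlen, "%s", err.data);   /* truncates instead of overflowing */
    free(err.data);
    return rc;
}

int main(void) {
    char msg[64];
    /* Constructed inputs: the regexp from the report and a made-up error text. */
    if (format_regexp_error(msg, sizeof msg, "^\\+.*foreach", "constructed error text") != 0)
        return 1;
    puts(msg);
    return 0;
}
```

Building a reproducer like this with -fsanitize=address,undefined, or running it under valgrind as the reporter did, surfaces the same class of error if the GBUF_INIT initialiser is dropped.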