icat crashes kitty while trying to display large number of pictures #1825

Closed
JanczarKurek opened this issue Jul 22, 2019 · 7 comments

@JanczarKurek

JanczarKurek commented Jul 22, 2019

Output of kitty --version

kitty 0.14.2 created by Kovid Goyal

Description

As in the title: after trying to display a large number of files, kitty displays some of them and then crashes.

Reproduction

  1. Clone https://github.com/boyEstrogen/Anime-Girls-Holding-Programming-Books
  2. call kitty +kitten icat **/*
  3. Should crash after a while.
@kovidgoyal
Owner

Works for me with kitty from master. I suggest you try it from there, or
wait for the next release.

@JanczarKurek
Author

I tried master version, got this message:

"corrupted size vs. prev_size while consolidating
fish: “python3 .” terminated by signal SIGABRT (Abort)"

Tested also on python3.6, got:

"munmap_chunk(): invalid pointer
fish: “python3.6 .” terminated by signal SIGABRT (Abort)"

Looks suspicious to me.

@kovidgoyal
Owner

Well without a way to replicate it there is not much I can do. You can
build kitty in debug mode with make debug and produce a backtrace of the
crash you get. Or better build it with make asan which should detect any
memory related issues.

@v3ctor

v3ctor commented Jul 22, 2019

Also reporting this issue. I tried with master version and python 3.7.3, got double free or corruption (out) and free(): corrupted unsorted chunks.

I tried it on a fresh install of Arch Linux in a virtual machine, got the same results.

@kasprzyckit

Tested on Fedora, with python 3.7.3 and master.
Errors: munmap_chunk(): invalid pointer and free(): corrupted unsorted chunks.

@Luflosi
Contributor

Luflosi commented Jul 22, 2019

Those error messages aren't very helpful. Is there some more verbose output that you guys didn't post?

@v3ctor

v3ctor commented Jul 22, 2019

No, but I have built kitty with sanitizers:

[arch@arch bin]$ ./kitty 
[arch@arch bin]$ LD_PRELOAD=/usr/lib/libasan.so ./kitty 

=================================================================
==29217==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 824096 byte(s) in 204 object(s) allocated from:
    #0 0x7fc46f9faada in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fc46f491508 in PyObject_Malloc (/usr/lib/libpython3.7m.so.1.0+0xe7508)

Direct leak of 1560 byte(s) in 3 object(s) allocated from:
    #0 0x7fc46f9faada in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fc46f492c27  (/usr/lib/libpython3.7m.so.1.0+0xe8c27)

Direct leak of 1554 byte(s) in 4 object(s) allocated from:
    #0 0x7fc46f9faada in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fc46f491fc6 in PyMem_Malloc (/usr/lib/libpython3.7m.so.1.0+0xe7fc6)

Direct leak of 96 byte(s) in 3 object(s) allocated from:
    #0 0x7fc46f9faada in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fc46f495735 in PyThread_allocate_lock (/usr/lib/libpython3.7m.so.1.0+0xeb735)

Indirect leak of 78525 byte(s) in 82 object(s) allocated from:
    #0 0x7fc46f9faada in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fc46f491508 in PyObject_Malloc (/usr/lib/libpython3.7m.so.1.0+0xe7508)

Indirect leak of 544 byte(s) in 1 object(s) allocated from:
    #0 0x7fc46f9faada in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fc46f492c27  (/usr/lib/libpython3.7m.so.1.0+0xe8c27)

SUMMARY: AddressSanitizer: 906375 byte(s) leaked in 297 allocation(s).
=================================================================
==29189==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900029b478 at pc 0x7f83b1209308 bp 0x7ffe62892f90 sp 0x7ffe62892f80
READ of size 4 at 0x61900029b478 thread T0
    #0 0x7f83b1209307 in scroll_filter_func kitty/graphics.c:614
    #1 0x7f83b1221fe1 in filter_refs kitty/graphics.c:601
    #2 0x7f83b1221fe1 in grman_scroll_images kitty/graphics.c:661
    #3 0x7f83b12d1755 in screen_scroll kitty/screen.c:882
    #4 0x7f83b12d4c85 in screen_handle_graphics_command kitty/screen.c:579
    #5 0x7f83b129a969 in parse_graphics_code kitty/parse-graphics-command.h:318
    #6 0x7f83b12b24e8 in dispatch_apc kitty/parser.c:872
    #7 0x7f83b12b24e8 in _parse_bytes_watching_for_pending kitty/parser.c:1108
    #8 0x7f83b12b7cf0 in do_parse_bytes kitty/parser.c:1226
    #9 0x7f83b12b7cf0 in parse_worker kitty/parser.c:1281
    #10 0x7f83b1187c3f in do_parse kitty/child-monitor.c:307
    #11 0x7f83b1187c3f in parse_input kitty/child-monitor.c:379
    #12 0x7f83b118832e in process_global_state kitty/child-monitor.c:914
    #13 0x7f83b1189921 in do_state_check kitty/child-monitor.c:900
    #14 0x7f83af1dce2b in dispatchTimers glfw/backend_utils.c:215
    #15 0x7f83af1dd6d3 in pollForEvents glfw/backend_utils.c:315
    #16 0x7f83af1b9295 in handleEvents glfw/x11_window.c:66
    #17 0x7f83af1b936a in _glfwPlatformWaitEvents glfw/x11_window.c:2531
    #18 0x7f83af199744 in _glfwPlatformRunMainLoop glfw/main_loop.h:30
    #19 0x7f83af17a540 in glfwRunMainLoop glfw/init.c:344
    #20 0x7f83b1206192 in run_main_loop kitty/glfw.c:1142
    #21 0x7f83b117bc8f in main_loop kitty/child-monitor.c:954
    #22 0x7f83b5fc50c9 in _PyMethodDef_RawFastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x10b0c9)
    #23 0x7f83b5ffdb7e in _PyMethodDescr_FastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x143b7e)
    #24 0x7f83b5ffdd13  (/usr/lib/libpython3.7m.so.1.0+0x143d13)
    #25 0x7f83b603af8f in _PyEval_EvalFrameDefault (/usr/lib/libpython3.7m.so.1.0+0x180f8f)
    #26 0x7f83b5fe9d17 in _PyEval_EvalCodeWithName (/usr/lib/libpython3.7m.so.1.0+0x12fd17)
    #27 0x7f83b5feada2 in _PyFunction_FastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x130da2)
    #28 0x7f83b5ffdc2f  (/usr/lib/libpython3.7m.so.1.0+0x143c2f)
    #29 0x7f83b603aef6 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.7m.so.1.0+0x180ef6)
    #30 0x7f83b5fe9d17 in _PyEval_EvalCodeWithName (/usr/lib/libpython3.7m.so.1.0+0x12fd17)
    #31 0x7f83b5feada2 in _PyFunction_FastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x130da2)
    #32 0x7f83b5ffdc2f  (/usr/lib/libpython3.7m.so.1.0+0x143c2f)
    #33 0x7f83b603aef6 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.7m.so.1.0+0x180ef6)
    #34 0x7f83b5feac02 in _PyFunction_FastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x130c02)
    #35 0x7f83b5ffdc2f  (/usr/lib/libpython3.7m.so.1.0+0x143c2f)
    #36 0x7f83b603aef6 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.7m.so.1.0+0x180ef6)
    #37 0x7f83b5feac02 in _PyFunction_FastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x130c02)
    #38 0x7f83b5ffdc2f  (/usr/lib/libpython3.7m.so.1.0+0x143c2f)
    #39 0x7f83b603aef6 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.7m.so.1.0+0x180ef6)
    #40 0x7f83b5feac02 in _PyFunction_FastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x130c02)
    #41 0x7f83b5ffdc2f  (/usr/lib/libpython3.7m.so.1.0+0x143c2f)
    #42 0x7f83b603aef6 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.7m.so.1.0+0x180ef6)
    #43 0x7f83b5fe9d17 in _PyEval_EvalCodeWithName (/usr/lib/libpython3.7m.so.1.0+0x12fd17)
    #44 0x7f83b5feaac9 in PyEval_EvalCodeEx (/usr/lib/libpython3.7m.so.1.0+0x130ac9)
    #45 0x7f83b5feaaeb in PyEval_EvalCode (/usr/lib/libpython3.7m.so.1.0+0x130aeb)
    #46 0x7f83b6035429  (/usr/lib/libpython3.7m.so.1.0+0x17b429)
    #47 0x7f83b5fc5067 in _PyMethodDef_RawFastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x10b067)
    #48 0x7f83b5fc5393 in _PyCFunction_FastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x10b393)
    #49 0x7f83b5ffdd4b  (/usr/lib/libpython3.7m.so.1.0+0x143d4b)
    #50 0x7f83b603aef6 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.7m.so.1.0+0x180ef6)
    #51 0x7f83b5fe9d17 in _PyEval_EvalCodeWithName (/usr/lib/libpython3.7m.so.1.0+0x12fd17)
    #52 0x7f83b5feada2 in _PyFunction_FastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x130da2)
    #53 0x7f83b5ffdc2f  (/usr/lib/libpython3.7m.so.1.0+0x143c2f)
    #54 0x7f83b603aef6 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.7m.so.1.0+0x180ef6)
    #55 0x7f83b5fe9d17 in _PyEval_EvalCodeWithName (/usr/lib/libpython3.7m.so.1.0+0x12fd17)
    #56 0x7f83b5feb44e in _PyFunction_FastCallDict (/usr/lib/libpython3.7m.so.1.0+0x13144e)
    #57 0x7f83b60c2c73  (/usr/lib/libpython3.7m.so.1.0+0x208c73)
    #58 0x7f83b60c414f  (/usr/lib/libpython3.7m.so.1.0+0x20a14f)
    #59 0x7f83b5f97515 in Py_Main (/usr/lib/libpython3.7m.so.1.0+0xdd515)
    #60 0x564cf4c002fe in main (/home/v3ct0r/kitty/linux-package/bin/kitty+0x12fe)
    #61 0x7f83b5d1dee2 in __libc_start_main (/usr/lib/libc.so.6+0x26ee2)
    #62 0x564cf4c0042d in _start (/home/v3ct0r/kitty/linux-package/bin/kitty+0x142d)

0x61900029b478 is located 248 bytes inside of 1088-byte region [0x61900029b380,0x61900029b7c0)
freed by thread T0 here:
    #0 0x7f83b650a6c0 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7f83b1222346 in free_refs_data kitty/graphics.c:45
    #2 0x7f83b1222346 in free_image kitty/graphics.c:61
    #3 0x7f83b1222346 in remove_image kitty/graphics.c:98
    #4 0x7f83b1222346 in filter_refs kitty/graphics.c:605
    #5 0x7f83b1222346 in grman_scroll_images kitty/graphics.c:661
    #6 0x7f83b12d1755 in screen_scroll kitty/screen.c:882
    #7 0x7f83b12d4c85 in screen_handle_graphics_command kitty/screen.c:579
    #8 0x7f83b129a969 in parse_graphics_code kitty/parse-graphics-command.h:318
    #9 0x7f83b12b24e8 in dispatch_apc kitty/parser.c:872
    #10 0x7f83b12b24e8 in _parse_bytes_watching_for_pending kitty/parser.c:1108
    #11 0x7f83b12b7cf0 in do_parse_bytes kitty/parser.c:1226
    #12 0x7f83b12b7cf0 in parse_worker kitty/parser.c:1281
    #13 0x7f83b1187c3f in do_parse kitty/child-monitor.c:307
    #14 0x7f83b1187c3f in parse_input kitty/child-monitor.c:379
    #15 0x7f83b118832e in process_global_state kitty/child-monitor.c:914
    #16 0x7f83b1189921 in do_state_check kitty/child-monitor.c:900
    #17 0x7f83af1dce2b in dispatchTimers glfw/backend_utils.c:215
    #18 0x7f83af1dd6d3 in pollForEvents glfw/backend_utils.c:315
    #19 0x7f83af1b9295 in handleEvents glfw/x11_window.c:66
    #20 0x7f83af1b936a in _glfwPlatformWaitEvents glfw/x11_window.c:2531
    #21 0x7f83af199744 in _glfwPlatformRunMainLoop glfw/main_loop.h:30
    #22 0x7f83af17a540 in glfwRunMainLoop glfw/init.c:344
    #23 0x7f83b1206192 in run_main_loop kitty/glfw.c:1142
    #24 0x7f83b117bc8f in main_loop kitty/child-monitor.c:954
    #25 0x7f83b5fc50c9 in _PyMethodDef_RawFastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x10b0c9)

previously allocated by thread T0 here:
    #0 0x7f83b650af40 in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7f83b120b4a4 in handle_put_command kitty/graphics.c:483
    #2 0x7f83b12248da in grman_handle_command kitty/graphics.c:780
    #3 0x7f83b12d4566 in screen_handle_graphics_command kitty/screen.c:574
    #4 0x7f83b129a969 in parse_graphics_code kitty/parse-graphics-command.h:318
    #5 0x7f83b12b24e8 in dispatch_apc kitty/parser.c:872
    #6 0x7f83b12b24e8 in _parse_bytes_watching_for_pending kitty/parser.c:1108
    #7 0x7f83b12b7cf0 in do_parse_bytes kitty/parser.c:1226
    #8 0x7f83b12b7cf0 in parse_worker kitty/parser.c:1281
    #9 0x7f83b1187c3f in do_parse kitty/child-monitor.c:307
    #10 0x7f83b1187c3f in parse_input kitty/child-monitor.c:379
    #11 0x7f83b118832e in process_global_state kitty/child-monitor.c:914
    #12 0x7f83b1189921 in do_state_check kitty/child-monitor.c:900
    #13 0x7f83af1dce2b in dispatchTimers glfw/backend_utils.c:215
    #14 0x7f83af1dd6d3 in pollForEvents glfw/backend_utils.c:315
    #15 0x7f83af1b9295 in handleEvents glfw/x11_window.c:66
    #16 0x7f83af1b936a in _glfwPlatformWaitEvents glfw/x11_window.c:2531
    #17 0x7f83af199744 in _glfwPlatformRunMainLoop glfw/main_loop.h:30
    #18 0x7f83af17a540 in glfwRunMainLoop glfw/init.c:344
    #19 0x7f83b1206192 in run_main_loop kitty/glfw.c:1142
    #20 0x7f83b117bc8f in main_loop kitty/child-monitor.c:954
    #21 0x7f83b5fc50c9 in _PyMethodDef_RawFastCallKeywords (/usr/lib/libpython3.7m.so.1.0+0x10b0c9)

SUMMARY: AddressSanitizer: heap-use-after-free kitty/graphics.c:614 in scroll_filter_func
Shadow bytes around the buggy address:
  0x0c328004b630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328004b640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328004b650: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328004b660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328004b670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c328004b680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c328004b690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328004b6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328004b6b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328004b6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328004b6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==29189==ABORTING
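
Added example, not part of the thread and not kitty's code: in the report above, the "freed by" and READ stacks both pass through filter_refs under the same grman_scroll_images call, so an image's refs were released while the filter was still walking them. The sketch below models a remove-while-iterating loop that avoids that shape; `Ref`, `Image`, `Manager`, the function bodies and the sample data are hypothetical simplifications.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model; these are not kitty's data structures. */
typedef struct { int start_row; } Ref;
typedef struct { Ref *refs; size_t refcnt; } Image;
typedef struct { Image *images; size_t count; } Manager;

/* Free one image's refs and close the gap in the images array. */
static void remove_image(Manager *m, size_t idx) {
    free(m->images[idx].refs);
    m->count--;
    if (idx < m->count)
        memmove(&m->images[idx], &m->images[idx + 1],
                (m->count - idx) * sizeof(Image));
}

/* Scroll all refs up by `rows`, drop refs that leave the screen, and remove
 * images left with no refs. Returns the number of images removed.
 * Hazard avoided: calling remove_image() from inside the ref loop and then
 * touching img->refs again, which is a read of freed memory. */
size_t scroll_images(Manager *m, int rows) {
    size_t removed = 0;
    for (size_t i = m->count; i-- > 0;) {  /* reverse: removal only shifts visited slots */
        Image *img = &m->images[i];
        size_t kept = 0;
        for (size_t j = 0; j < img->refcnt; j++) {
            img->refs[j].start_row -= rows;
            if (img->refs[j].start_row >= 0) img->refs[kept++] = img->refs[j];
        }
        img->refcnt = kept;                 /* filtering is complete before any free */
        if (kept == 0) { remove_image(m, i); removed++; }  /* img is not used after this */
    }
    return removed;
}

/* Constructed sample: three images with two refs each (allocation checks omitted). */
Manager sample_manager(void) {
    static const int rows[3][2] = {{2, 2}, {10, 3}, {1, 4}};
    Manager m = { malloc(3 * sizeof(Image)), 3 };
    for (size_t i = 0; i < 3; i++) {
        m.images[i].refs = malloc(2 * sizeof(Ref));
        m.images[i].refcnt = 2;
        for (size_t j = 0; j < 2; j++) m.images[i].refs[j].start_row = rows[i][j];
    }
    return m;
}

int main(void) {
    Manager m = sample_manager();
    return scroll_images(&m, 5) == 2 && m.count == 1 ? 0 : 1;
}
```

Building a model like this with `-fsanitize=address` gives the same three-stack report format as above if the free is moved inside the ref loop.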
