[bug #67139] .di / .box sequence terminates with fatal signal

Mon, 19 May 2025 18:29:37 -0700 

Follow-up Comment #3, bug #67139 (group groff):

An invariant about the state of the node list corresponding to the pending
input line appears to be getting violated.


$ cat ATTIC/67139gbr.groff
.di x
.box
.pm x
.pline
$ ./build/test-groff -a ATTIC/67139gbr.groff
{"name": "x", "file name": "ATTIC\/67139gbr.groff", "starting line number": 1,
"length": 0}
/home/branden/src/GIT/groff/build/groff: error: troff: Segmentation fault
(core dumped)
$ gdb ./build/troff ./core
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
[...snip...]
Core was generated by `troff -b -ww -a -Tps ATTIC/67139gbr.groff'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000560f7d1b5963 in dump_node_list_in_reverse (nlist=<optimized out>) at
../src/roff/troff/node.cpp:2801
2801        n = n->next;
##(gdb) bt
#0  0x0000560f7d1b5963 in dump_node_list_in_reverse (nlist=<optimized out>) at
../src/roff/troff/node.cpp:2801
#1  0x0000560f7d174e47 in environment::dump_pending_nodes (this=<optimized
out>) at ../src/roff/troff/env.cpp:2458
#2  print_nodes_from_input_line () at ../src/roff/troff/env.cpp:3636
#3  0x0000560f7d19d342 in process_input_stack () at
../src/roff/troff/input.cpp:3159
#4  0x0000560f7d16f0ec in main (argc=6, argv=0x7ffc3c14cb08) at
../src/roff/troff/input.cpp:9458


We're not chasing a null pointer, and the value doesn't look like random
garbage.


##(gdb) list
2797      std::stack<node *> reversed_node_list;
2798      node *n = nlist;
2799
2800      while (n != 0 /* nullptr */) {
2801        reversed_node_list.push(n);
2802        n = n->next;
2803      }
2804      fputc('[', stderr);
2805      bool need_comma = false;
2806      while (!reversed_node_list.empty()) {
##(gdb) p n
$1 = (node *) 0x6e5c3a5d462e5b6e
##(gdb) p n->next
Cannot access memory at address 0x6e5c3a5d462e5b76


Possibly the `box` request, which discards the contents of any pending output
line in the diversion, isn't checking to see that it's working on a box
diversion, and is discarding something it shouldn't.


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?67139>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/

Attachment: signature.asc
Description: PGP signature

Reply via email to