URL: <https://savannah.gnu.org/bugs/?65894>

                 Summary: [troff] certain man(7) input leads MTSM into deranged state, mismanaging memory
                   Group: GNU roff
               Submitter: gbranden
               Submitted: Wed 19 Jun 2024 02:40:02 PM UTC
                Category: Core
                Severity: 4 - Important
              Item Group: Crash/Unresponsive
                  Status: In Progress
                 Privacy: Public
             Assigned to: gbranden
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None

    _______________________________________________________

Follow-up Comments:


    -------------------------------------------------------
    Date: Wed 19 Jun 2024 02:40:02 PM UTC        By: G. Branden Robinson <gbranden>

[https://lists.gnu.org/archive/html/groff/2024-06/msg00036.html Alex Colomar
reported a core dump in GNU _troff_ affecting Git HEAD but not 1.23.0.]

Given the following input:

    $ cat ATTIC/crash-grohtml.man
    .TH a s d f
    .SH foo
    .TP
    foobar
    .\" Leaving the paragraph with no body can expose a GNU troff bug.

We get a crash while the formatter is cleaning up its state for exit.

    $ ./build/test-groff -Thtml -man ATTIC/crash-grohtml.man
    free(): double free detected in tcache 2
    <!-- Creator : groff version 1.23.0.1340-cafcd1 -->
    <!-- CreationDate: Wed Jun 19 09:37:08 2024 -->
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta name="generator" content="groff -Thtml, see www.gnu.org">
    <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
    <meta name="Content-Style" content="text/css">
    <style type="text/css">
           p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
           pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
           table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
           h1      { text-align: center }
    </style>
    <title>a</title>
    </head>
    <body>

    <h1 align="center">a</h1>

    <a href="#foo">foo</a><br>

    <hr>


    <h2>foo
    <a name="foo"></a>
    </h2>


    <p style="margin-left:6%; margin-top: 1em">foobar</p>
    <hr>
    </body>
    </html>
    groff: error: troff: Aborted (core dumped)

    $ gdb ./build/troff ./core
    GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
    Copyright (C) 2021 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <https://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.

    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from ./build/troff...
    [New LWP 40678]
    Core was generated by `troff -man -dwww-image-template=grohtml-40671- -Thtml'.
    Program terminated with signal SIGABRT, Aborted.
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007f4dfda27537 in __GI_abort () at abort.c:79
    #2  0x00007f4dfda7f3e8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f4dfdb9d390 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007f4dfda866da in malloc_printerr (str=str@entry=0x7f4dfdb9f6b0 "free(): double free detected in tcache 2") at malloc.c:5347
    #4  0x00007f4dfda87cd5 in _int_free (av=0x7f4dfdbd3b80 <main_arena>, p=0x555d7b0b4d10, have_lock=0) at malloc.c:4201
    #5  0x0000555d7aaac3d5 in sfree (ptr=<optimized out>) at ../src/libs/libgroff/string.cpp:46
    #6  0x0000555d7aaacfd3 in string::~string (this=<optimized out>, this=<optimized out>) at ../src/libs/libgroff/string.cpp:128
    #7  0x0000555d7aa928cf in string_value::~string_value (this=<optimized out>, this=<optimized out>) at ../src/roff/troff/mtsm.cpp:141
    #8  0x0000555d7aa928f9 in statem::~statem (this=<optimized out>, this=<optimized out>) at ../src/roff/troff/mtsm.cpp:199
    #9  0x0000555d7aa92be0 in stack::~stack (this=<optimized out>, this=<optimized out>) at ../src/roff/troff/mtsm.cpp:357
    #10 0x0000555d7aa92c49 in mtsm::~mtsm (this=<optimized out>, this=<optimized out>) at ../src/roff/troff/mtsm.cpp:372
    #11 0x0000555d7aa92c75 in output_file::~output_file (this=<optimized out>, this=<optimized out>) at ../src/roff/troff/node.cpp:1635
    #12 0x0000555d7aa948e0 in real_output_file::~real_output_file (this=<optimized out>, this=<optimized out>) at ../src/roff/troff/node.cpp:1669
    #13 0x0000555d7aa9496e in troff_output_file::~troff_output_file (this=<optimized out>, this=<optimized out>) at ../src/roff/troff/node.cpp:1590
    #14 0x0000555d7aa94979 in troff_output_file::~troff_output_file (this=<optimized out>, this=<optimized out>) at ../src/roff/troff/node.cpp:1593
    #15 0x0000555d7aa7068a in cleanup_and_exit (exit_code=exit_code@entry=0) at ../src/roff/troff/div.cpp:599
    #16 0x0000555d7aa717ac in top_level_diversion::begin_page (this=this@entry=0x555d7af13470, n=...) at ../src/roff/troff/div.cpp:614
    #17 0x0000555d7aa71d30 in top_level_diversion::space (this=0x555d7af13470, n=..., forced=<optimized out>) at ../src/roff/troff/hvunits.h:109
    #18 0x0000555d7aa83ffe in exit_troff () at ../src/roff/troff/input.cpp:2763
    #19 0x0000555d7aa961e1 in main (argc=4, argv=0x7ffcf4e978a8) at ../src/roff/troff/input.cpp:8462

As we can see above, the problem is traceable to the bespoke stack
implementation used by the "mini-troff state machine" implemented inside the
formatter but exercised only when formatting HTML.

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?65894>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
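Added example, not groff's code and not from this report: the report shows a string buffer freed twice while a state stack is destroyed at exit, but not the root cause. The block below models that defect class (an owning value whose compiler-generated copy aliases its buffer) beside the rule-of-three fix; `shallow_value`, `deep_value` and the tracking shim are hypothetical stand-ins for `string_value`, `sfree` and the `mtsm` stack, and frees are routed through the shim so the buggy path runs safely.

```cpp
// Added illustration, not groff's code. The report above does not show groff's
// root cause; this models the defect class its backtrace exhibits: an owning
// value whose compiler-generated copy aliases its heap buffer, so the copy on
// a state stack and the original each free it once at teardown. Frees go
// through a tracking shim (like glibc's tcache double-free check), not free().
#include <cstdlib>
#include <cstring>
#include <set>
#include <utility>
#include <vector>
static std::set<char*> live;          // buffers currently allocated
static bool double_free_seen = false; // set when a buffer is freed twice
static char* tracked_strdup(const char* s) {
    std::size_t n = std::strlen(s) + 1;
    char* p = static_cast<char*>(std::malloc(n));
    std::memcpy(p, s, n);
    live.insert(p);
    return p;
}
static void tracked_free(char* p) {   // hypothetical stand-in for libgroff's sfree()
    if (live.erase(p) == 0) { double_free_seen = true; return; }
    std::free(p);
}
struct shallow_value {                // buggy: implicit copy shares 'buf'
    char* buf;
    explicit shallow_value(const char* s) : buf(tracked_strdup(s)) {}
    ~shallow_value() { tracked_free(buf); }
};
struct deep_value {                   // fixed: rule of three, each copy owns a buffer
    char* buf;
    explicit deep_value(const char* s) : buf(tracked_strdup(s)) {}
    deep_value(const deep_value& o) : buf(tracked_strdup(o.buf)) {}
    deep_value& operator=(deep_value o) { std::swap(buf, o.buf); return *this; }
    ~deep_value() { tracked_free(buf); }
};
// Push a value onto a stack (hypothetical stand-in for mtsm's state stack), then
// tear both down as an exit-time cleanup would; reports a repeated free.
template <typename V> static bool teardown_double_frees() {
    double_free_seen = false;
    {
        V original("foobar");
        std::vector<V> stack;
        stack.push_back(original);  // the copy lands on the stack
    }                               // stack, then original, destruct here
    return double_free_seen;
}
bool shallow_copy_double_frees() { return teardown_double_frees<shallow_value>(); }
bool deep_copy_double_frees()    { return teardown_double_frees<deep_value>(); }
```

Under a real allocator the shallow case is what glibc aborts on with "free(): double free detected"; building with AddressSanitizer reports both the first and the second free site, which the glibc message alone does not.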