Hi,
Ludovic Courtès
While investigating luatex crashes in the TeX Live 2020 package of GNU Guix¹, we identified the following heap corruption reported by Valgrind (this is on GNU/Linux, with glibc 2.33):
This time with debug info for luatex:

--8<---------------cut here---------------start------------->8---
sh-5.0$ ~ludo/.guix-profile/bin/valgrind --extra-debuginfo-path=/gnu/store/f933bvd6ab6l2lg6xl6k1a6jwvcls0z6-glibc-2.33-debug/lib/debug "/gnu/store/00addvl34y6qj8k9k0bnx9jrgxqwry6q-texlive-bin-20200406/bin/luatex" "-interaction=nonstopmode" "-output-directory=build" "&luatex" "amsbsy.dtx"
==21562== Memcheck, a memory error detector
==21562== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21562== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==21562== Command: /gnu/store/00addvl34y6qj8k9k0bnx9jrgxqwry6q-texlive-bin-20200406/bin/luatex -interaction=nonstopmode -output-directory=build &luatex amsbsy.dtx
==21562==
This is LuaTeX, Version 1.12.0 (TeX Live 2020)
 restricted system commands enabled.
==21562== Invalid write of size 8
==21562==    at 0x485C691: lua_pushlstring (lapi.c:483)
==21562==    by 0x568E03: load_hyphenation (texlang.c:306)
==21562==    by 0x56B41C: undump_one_language (texlang.c:1259)
==21562==    by 0x56B41C: undump_language_data (texlang.c:1272)
==21562==    by 0x4DFB9F: load_fmt_file (dumpdata.c:520)
==21562==    by 0x4EF0ED: main_body (mainbody.c:530)
==21562==    by 0x45118D: main (luatex.c:609)
==21562==  Address 0xac0fc30 is 0 bytes after a block of size 1,168 alloc'd
==21562==    at 0x483EBE1: realloc (in /gnu/store/jlmh0jbgr6zn4iyvhfbvxps8pykzj5ry-valgrind-3.16.1/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21562==    by 0x46695D: my_luaalloc (luastuff.c:115)
==21562==    by 0x486D932: luaM_realloc_ (lmem.c:86)
==21562==    by 0x48660F2: luaD_reallocstack (ldo.c:182)
==21562==    by 0x4868BE7: traversethread (lgc.c:549)
==21562==    by 0x4868BE7: propagatemark (lgc.c:588)
==21562==    by 0x4868FCF: singlestep (lgc.c:1057)
==21562==    by 0x486988B: luaC_step (lgc.c:1137)
==21562==    by 0x485C6BB: lua_pushlstring (lapi.c:485)
==21562==    by 0x568E03: load_hyphenation (texlang.c:306)
==21562==    by 0x56B41C: undump_one_language (texlang.c:1259)
==21562==    by 0x56B41C: undump_language_data (texlang.c:1272)
==21562==    by 0x4DFB9F: load_fmt_file (dumpdata.c:520)
==21562==    by 0x4EF0ED: main_body (mainbody.c:530)
==21562==
==21562== Invalid write of size 4
==21562==    at 0x485C6A2: lua_pushlstring (lapi.c:483)
==21562==    by 0x568E03: load_hyphenation (texlang.c:306)
==21562==    by 0x56B41C: undump_one_language (texlang.c:1259)
==21562==    by 0x56B41C: undump_language_data (texlang.c:1272)
==21562==    by 0x4DFB9F: load_fmt_file (dumpdata.c:520)
==21562==    by 0x4EF0ED: main_body (mainbody.c:530)
==21562==    by 0x45118D: main (luatex.c:609)
==21562==  Address 0xac0fc38 is 8 bytes after a block of size 1,168 alloc'd
==21562==    at 0x483EBE1: realloc (in /gnu/store/jlmh0jbgr6zn4iyvhfbvxps8pykzj5ry-valgrind-3.16.1/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21562==    by 0x46695D: my_luaalloc (luastuff.c:115)
==21562==    by 0x486D932: luaM_realloc_ (lmem.c:86)
==21562==    by 0x48660F2: luaD_reallocstack (ldo.c:182)
==21562==    by 0x4868BE7: traversethread (lgc.c:549)
==21562==    by 0x4868BE7: propagatemark (lgc.c:588)
==21562==    by 0x4868FCF: singlestep (lgc.c:1057)
==21562==    by 0x486988B: luaC_step (lgc.c:1137)
==21562==    by 0x485C6BB: lua_pushlstring (lapi.c:485)
==21562==    by 0x568E03: load_hyphenation (texlang.c:306)
==21562==    by 0x56B41C: undump_one_language (texlang.c:1259)
==21562==    by 0x56B41C: undump_language_data (texlang.c:1272)
==21562==    by 0x4DFB9F: load_fmt_file (dumpdata.c:520)
==21562==    by 0x4EF0ED: main_body (mainbody.c:530)
==21562==
==21562== Invalid read of size 16
==21562==    at 0x485D269: lua_rawset (lapi.c:809)
==21562==    by 0x568E14: load_hyphenation (texlang.c:307)
==21562==    by 0x56B41C: undump_one_language (texlang.c:1259)
==21562==    by 0x56B41C: undump_language_data (texlang.c:1272)
==21562==    by 0x4DFB9F: load_fmt_file (dumpdata.c:520)
==21562==    by 0x4EF0ED: main_body (mainbody.c:530)
==21562==    by 0x45118D: main (luatex.c:609)
==21562==  Address 0xac0fc30 is 0 bytes after a block of size 1,168 alloc'd
==21562==    at 0x483EBE1: realloc (in /gnu/store/jlmh0jbgr6zn4iyvhfbvxps8pykzj5ry-valgrind-3.16.1/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21562==    by 0x46695D: my_luaalloc (luastuff.c:115)
==21562==    by 0x486D932: luaM_realloc_ (lmem.c:86)
==21562==    by 0x48660F2: luaD_reallocstack (ldo.c:182)
==21562==    by 0x4868BE7: traversethread (lgc.c:549)
==21562==    by 0x4868BE7: propagatemark (lgc.c:588)
==21562==    by 0x4868FCF: singlestep (lgc.c:1057)
==21562==    by 0x486988B: luaC_step (lgc.c:1137)
==21562==    by 0x485C6BB: lua_pushlstring (lapi.c:485)
==21562==    by 0x568E03: load_hyphenation (texlang.c:306)
==21562==    by 0x56B41C: undump_one_language (texlang.c:1259)
==21562==    by 0x56B41C: undump_language_data (texlang.c:1272)
==21562==    by 0x4DFB9F: load_fmt_file (dumpdata.c:520)
==21562==    by 0x4EF0ED: main_body (mainbody.c:530)
--8<---------------cut here---------------end--------------->8---

Ludo’.
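A Memcheck report like the one above reduces, per record, to a handful of triage facts: what was accessed and how wide, the faulting frame, how far past which heap block the address lies, and which call allocated that block. The Python script below is an added example, not code from the report, from luatex or from Guix; its regular expressions follow Memcheck's text output as an assumption (they are not a published API), and it runs over a constructed, trimmed excerpt of the report above, including the unprefixed LuaTeX banner lines that a parser has to skip.

```python
"""Parse Valgrind Memcheck output into error records for triage.
Added example (not from the report, luatex or Guix); the regexes follow
Memcheck's text format as an assumption, not a published API."""
import re
from dataclasses import dataclass, field

# Memcheck prefixes its own lines with "==<pid>=="; anything else (here the
# LuaTeX banner) is the traced program's stdout and is ignored.
PREFIX = re.compile(r"^==\d+==\s?(.*)$")
ERROR_HDR = re.compile(r"^(Invalid (?:read|write)) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
ADDR = re.compile(r"^Address 0x([0-9A-Fa-f]+) is (\d+) bytes (after|before|inside) "
                  r"a block of size ([\d,]+) (alloc'd|free'd)$")


@dataclass
class MemError:
    kind: str                                         # "Invalid write" / "Invalid read"
    size: int                                         # bytes accessed
    frames: list = field(default_factory=list)        # (function, location) of the fault
    alloc_frames: list = field(default_factory=list)  # (function, location) of the block's origin
    address: int = 0
    offset: int = 0
    where: str = ""                                   # after / before / inside the block
    block_size: int = 0
    block_state: str = ""                             # alloc'd or free'd

    def fault_site(self):
        return self.frames[0]

    def alloc_site(self):
        """First origin frame that is not Valgrind's interposed malloc/realloc."""
        return next(((fn, loc) for fn, loc in self.alloc_frames
                     if "vgpreload" not in loc), None)

    def classify(self):
        if self.block_state == "free'd":
            return "use-after-free"
        return "heap-buffer-overflow" if self.where in ("after", "before") else "other"


def parse_memcheck(text):
    errors, cur, section = [], None, None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        if h := ERROR_HDR.match(body):
            cur = MemError(kind=h.group(1), size=int(h.group(2)))
            errors.append(cur)
            section = "fault"
        elif cur is None:
            continue
        elif a := ADDR.match(body):
            cur.address, cur.offset, cur.where = int(a.group(1), 16), int(a.group(2)), a.group(3)
            cur.block_size = int(a.group(4).replace(",", ""))
            cur.block_state = a.group(5)
            section = "alloc"  # frames after the Address line describe the block's origin
        elif f := FRAME.match(body):
            (cur.frames if section == "fault" else cur.alloc_frames).append((f.group(1), f.group(2)))
        elif body == "":
            cur = None  # a bare "==pid==" line closes the record
    return errors


def summarize(err):
    fn, loc = err.fault_site()
    alloc = err.alloc_site()
    alloc_txt = f"{alloc[0]} ({alloc[1]})" if alloc else "unknown site"
    return (f"{err.classify()}: {err.kind} of {err.size} bytes in {fn} ({loc}), "
            f"{err.offset} bytes {err.where} a {err.block_size}-byte block "
            f"{err.block_state} via {alloc_txt}")


# Constructed, trimmed excerpt of the report above (two of its three records).
SAMPLE = """\
==21562==
This is LuaTeX, Version 1.12.0 (TeX Live 2020)
 restricted system commands enabled.
==21562== Invalid write of size 8
==21562==    at 0x485C691: lua_pushlstring (lapi.c:483)
==21562==    by 0x568E03: load_hyphenation (texlang.c:306)
==21562==    by 0x56B41C: undump_one_language (texlang.c:1259)
==21562==    by 0x4DFB9F: load_fmt_file (dumpdata.c:520)
==21562==  Address 0xac0fc30 is 0 bytes after a block of size 1,168 alloc'd
==21562==    at 0x483EBE1: realloc (in /gnu/store/jlmh0jbgr6zn4iyvhfbvxps8pykzj5ry-valgrind-3.16.1/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21562==    by 0x46695D: my_luaalloc (luastuff.c:115)
==21562==    by 0x48660F2: luaD_reallocstack (ldo.c:182)
==21562==    by 0x486988B: luaC_step (lgc.c:1137)
==21562==    by 0x485C6BB: lua_pushlstring (lapi.c:485)
==21562==
==21562== Invalid read of size 16
==21562==    at 0x485D269: lua_rawset (lapi.c:809)
==21562==    by 0x568E14: load_hyphenation (texlang.c:307)
==21562==  Address 0xac0fc30 is 0 bytes after a block of size 1,168 alloc'd
==21562==    at 0x483EBE1: realloc (in /gnu/store/jlmh0jbgr6zn4iyvhfbvxps8pykzj5ry-valgrind-3.16.1/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21562==    by 0x48660F2: luaD_reallocstack (ldo.c:182)
==21562==
"""

if __name__ == "__main__":
    for e in parse_memcheck(SAMPLE):
        print(summarize(e))
```

Run stand-alone it prints one summary line per record. Fed the full report above, all three records resolve to the same 1,168-byte block, reallocated under luaD_reallocstack during a garbage-collection step, with the write in lua_pushlstring landing 0 bytes past its end and the read in lua_rawset hitting the same address; that shared origin is the first thing to look at when narrowing down such a report.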