Summary: pdfLaTeX coredumps on OpenBSD

Initial Comment:
I've found, that pdfLaTeX coredumps on OpenBSD if I use
amsmath and microtype in some math environments. Here
is a minimal latex document for showing the bug:

> cat minidump.tex
% end of minidump.tex

> pdflatex minidump
This is pdfeTeX, Version 3.141592-1.30.6-2.2 (Web2C 7.5.5)
entering extended mode
LaTeX2e <2003/12/01>
Babel <v3.8d> and hyphenation patterns for american,
french, german, ngerman, b
ahasa, basque, bulgarian, catalan, croatian, czech,
danish, dutch, esperanto, e
stonian, finnish, greek, icelandic, irish, italian,
latin, magyar, norsk, polis
h, portuges, romanian, russian, serbian, slovak,
slovene, spanish, swedish, tur
kish, ukrainian, nohyphenation, loaded.
Document Class: article 2004/02/16 v1.4f Standard LaTeX
document class
For additional information on amsmath, use the `?' option.
fault (core dumped) 

A quick look with gdb shows, that it hangs in line 4396
 of pdfetex2.c:
  c = getrpcode ( f , mem [p ].hh.b1 ) ;

Here p=999996 and f=-4096

Since f seems to be a table index to pdffontrbase a
negative value does not make sense to my mind.

I've tryed the same on a LINUX machine. There pdfLaTeX
does not crash, but p and f have the same values as
under OpenBSD.

As the most bad work around after taking *Word I've
added a line of code which leaves the routine if f
becomes negative. This seems to work in the sense, that
there isn't any more a core dump.



>Comment By: Taco Hoekwater (taco)
Date: 2006-07-26 14:08

Logged In: YES 

FWIW, I looked at it and agree with Hartmut. 

--- pdftex.web.orig     2006-07-25 20:22:54.000000000 +0200
+++ pdftex.web  2006-07-26 14:19:35.514413422 +0200
@@ -24600,9 +24600,9 @@
         p := q;
         ptmp := p;
     end else begin
-        p := prev_rightmost(temp_head, q); {get |link(p) = q|}
+        p := prev_rightmost(link(temp_head), q); {get
|link(p) = q|}
         ptmp := p;
-        p := find_protchar_right(temp_head, p);
+        p := find_protchar_right(link(temp_head), p);
     short_display_n(p, 1);


Comment By: Hartmut Henkel (hhenkel)
Date: 2006-07-26 00:04

Logged In: YES 

the value of temp_head seems to be right, but maybe it must be

p := prev_rightmost(link(temp_head), q); {get |link(p) = q|}
p := find_protchar_right(link(temp_head), p);

with link(temp_head) instead of temp_head, as "The current
line to be justified appears in a horizontal list starting
at |link(temp_head)| and ending at |cur_break(cur_p)|."

wild guess only, seems to work.

Regards, Hartmut


Comment By: Hartmut Henkel (hhenkel)
Date: 2006-07-25 23:33

Logged In: YES 

seems it happens at this line in pdftex.web:

p := prev_rightmost(temp_head, q); {get |link(p) = q|}

the temp_head before this call is 1499996 which seems to be
wrong. Then after the call p = 1499996, and there is font
f=-4096 attached to this node which is also wrong. So it
seems that somehow temp_head got lost before call of
prev_rightmost(). No clue how.

Regards, Hartmut


Comment By: Taco Hoekwater (taco)
Date: 2006-07-25 23:06

Logged In: YES 

ok, will check tomorrow


Comment By: Martin Schröder (oneiros)
Date: 2006-07-25 21:30

Logged In: YES 

This still happens with the latest beta (I've got an OpenBSD
machine now myself):
Program received signal SIGSEGV, Segmentation fault.
0x1c048f03 in zcharpw (p=999996, side=1 '\001') at
3191        c = getrpcode ( f , mem [p ].hh.b1 ) ;
(gdb) bt
#0  0x1c048f03 in zcharpw (p=999996, side=1 '\001') at
#1  0x1c053d53 in zpostlinebreak (d=1) at pdftex2.c:7715
#2  0x1c007659 in zlinebreak (d=1) at pdftexini.c:2136
#3  0x1c05bb11 in initmath () at pdftex3.c:141
#4  0x1c065091 in maincontrol () at pdftex3.c:4582
#5  0x1c0130a2 in mainbody () at pdftexini.c:5647
#6  0x1c069d9e in main (ac=2, av=0xcfbd239c) at
(gdb) l pdftex2.c:3191
3186        c = getlpcode ( f , mem [p ].hh.b1 ) ;
3187        lastleftmostchar = p ;
3188      } 
3189      else {
3191        c = getrpcode ( f , mem [p ].hh.b1 ) ;
3192        lastrightmostchar = p ;
3193      } 
3194      if ( c == 0 ) 
3195      return Result ;
(gdb) p f
$1 = -4096
(gdb) p p    
$2 = 999996
(gdb) p mem[p].hh   
$3 = {v = {LH = -268435455, RH = 675}, u = {B1 = 1, B0 = -4096}}


