[tex-live] mf segfault
Thorsten Dahlheimer
tdahlheim at gmx.net
Tue Dec 28 15:00:16 CET 2004
Hello,
I've had a look into this problem and found out what is going on:
The example Metafont code uses so many independent variables
(at least 2^25) that the serial number counter (the serial_no
variable) overflows and becomes negative. But Metafont's internal
routines assume that serial numbers are positive.
> In mf.web:
>
> 12790 @p function p_with_x_becoming_q(@!p,@!x,@!q:pointer;@!t:small_number):pointer;
> 12791 var @!r,@!s:pointer; {for list manipulation}
> 12792 @!v:integer; {coefficient of |x|}
> 12793 @!sx:integer; {serial number of |x|}
> 12794 begin s:=p; r:=temp_head; sx:=value(x);
> * 12795 while value(info(s))>sx do
> 12796 begin r:=s; s:=link(s);
> 12797 end;
> 12798 if info(s)<>x then p_with_x_becoming_q:=p
> 12799 else begin link(temp_head):=p; link(r):=link(s); v:=value(s);
> 12800 free_node(s,dep_node_size);
> 12801 p_with_x_becoming_q:=p_plus_fq(link(temp_head),v,q,t,dependent);
> 12802 end;
> 12803 end;
Specifically, the above while loop will run beyond the end of the
dependency list p if sx is negative and p contains no variables
with serial numbers less than sx. Then s will eventually point to
the value node of another dependent variable, which doesn't have a
valid pointer in its info field but the (type,name_type) codes, and
the attempt to access value(info(s)) is what causes the segfault.
Regards,
Thorsten Dahlheimer
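
The failure described in the message above, as an added C sketch that is not part of the original post and not Metafont's code: a walk over a list sorted by decreasing serial number never stops once the search key has wrapped negative, and a checked counter prevents that. The array layout, the sentinel serial of 0, the step of 64 per variable (chosen so that 2^25 variables reach 2^31) and all function names are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model (assumption): one dependency list is an array of terms
   sorted by decreasing serial number, closed by a sentinel with serial 0. */
typedef struct { int32_t serial; } term;

/* The quoted walk: skip terms whose serial is greater than sx. The bound
   i < n is added here so an overrun is reported (-1) instead of performed. */
int find_stop(const term *list, size_t n, int32_t sx) {
    size_t i = 0;
    while (i < n && list[i].serial > sx) i++;
    return i < n ? (int)i : -1;
}

/* Value held by an unchecked signed 32-bit counter after `count` increments
   of `step`, with two's-complement wraparound modelled explicitly. */
int32_t wrapped_serial(uint32_t count, uint32_t step) {
    int64_t v = (int64_t)(uint32_t)(count * step);
    if (v > INT32_MAX) v -= 4294967296LL;
    return (int32_t)v;
}

/* Checked allocation: refuse to hand out a serial that would overflow. */
int next_serial(int32_t *serial_no, int32_t step) {
    if (*serial_no > INT32_MAX - step) return -1;
    *serial_no += step;
    return 0;
}

int main(void) {
    /* Constructed sample list: three terms plus the sentinel. */
    const term list[] = { {192}, {128}, {64}, {0} };
    int32_t bad = wrapped_serial(1u << 25, 64);   /* 2^25 variables, step 64 */
    int32_t ctr = INT32_MAX - 63;
    int ok = find_stop(list, 4, 128) == 1          /* normal key stops in list */
          && find_stop(list, 4, bad) == -1         /* negative key: no stop */
          && next_serial(&ctr, 64) == -1;          /* guard rejects overflow */
    return ok ? 0 : 1;
}
```
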