==20355== Memcheck, a memory error detector
==20355== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==20355== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==20355== Command: ./crawl-bug -name Roll
==20355== Parent PID: 15521
==20355==
==20355== Warning: ignored attempt to set SIGRT32 handler in sigaction();
==20355==          the SIGRT32 signal is used internally by Valgrind
==20355== Invalid read of size 1
==20355==    at 0x87BEAB1: InventoryRegion::pack_buffers() (tilereg-inv.cc:56)
==20355==    by 0x87BE2F2: GridRegion::render() (tilereg-grid.cc:159)
==20355==    by 0x87C9CF7: TabbedRegion::render() (tilereg-tab.cc:285)
==20355==    by 0x87CB9EC: TilesFramework::redraw() (tilesdl.cc:1433)
==20355==    by 0x87CE806: TilesFramework::getch_ck() (tilesdl.cc:651)
==20355==    by 0x87AE9E2: getch_ck() (libgui.cc:151)
==20355==    by 0x87AE9EE: getchk() (libgui.cc:156)
==20355==    by 0x87AE9FA: m_getch() (libgui.cc:28)
==20355==    by 0x8441613: _getch_mul(int (*)()) (macro.cc:714)
==20355==    by 0x84447D9: getch_with_command_macros() (macro.cc:776)
==20355==    by 0x8822ACA: _get_next_keycode() (main.cc:2656)
==20355==    by 0x882401A: _get_next_cmd() (main.cc:2616)
==20355==  Address 0xcd8a030 is 0 bytes after a block of size 72 alloc'd
==20355==    at 0x4029DFC: operator new[](unsigned int) (vg_replace_malloc.c:383)
==20355==    by 0x87BDEEE: GridRegion::on_resize() (tilereg-grid.cc:60)
==20355==    by 0x87B227D: Region::recalculate() (tilereg.cc:99)
==20355==    by 0x87B229E: Region::resize(int, int) (tilereg.cc:35)
==20355==    by 0x87C96A8: TabbedRegion::on_resize() (tilereg-tab.cc:321)
==20355==    by 0x87B227D: Region::recalculate() (tilereg.cc:99)
==20355==    by 0x87B22E8: Region::place(int, int) (tilereg.cc:67)
==20355==    by 0x87CB7D3: TilesFramework::resize_inventory() (tilesdl.cc:1236)
==20355==    by 0x87CD50A: TilesFramework::layout_statcol() (tilesdl.cc:1327)
==20355==    by 0x87CDAB7: TilesFramework::do_layout() (tilesdl.cc:1043)
==20355==    by 0x87CDB32: TilesFramework::resize() (tilesdl.cc:552)
==20355==    by 0x86BFB8E: _post_init(bool) (startup.cc:328)
==20355==
==20355== Invalid write of size 4
==20355==    at 0x87CAA20: TextRegion::addstr_aux(unsigned int const*, int) (tilereg-text.cc:119)
==20355==    by 0x87CACDF: TextRegion::addstr(char const*) (tilereg-text.cc:90)
==20355==    by 0x87AE915: cprintf(char const*, ...) (libgui.cc:86)
==20355==    by 0x8308247: formatted_string::fs_op::display() const (format.cc:495)
==20355==    by 0x83082C5: formatted_string::display(int, int) const (format.cc:392)
==20355==    by 0x849F03A: MenuDisplayText::draw_more() (menu.cc:129)
==20355==    by 0x849F1A7: Menu::draw_menu() (menu.cc:1284)
==20355==    by 0x84A0A97: Menu::do_menu() (menu.cc:358)
==20355==    by 0x84A4662: Menu::show(bool) (menu.cc:342)
==20355==    by 0x84A4745: formatted_scroller::show(bool) (menu.cc:2049)
==20355==    by 0x85BE9B5: _get_overview_screen_results() (output.cc:2495)
==20355==    by 0x85BEAFD: print_overview_screen() (output.cc:2530)
==20355==  Address 0xc268b40 is 0 bytes after a block of size 26,600 alloc'd
==20355==    at 0x4029DFC: operator new[](unsigned int) (vg_replace_malloc.c:383)
==20355==    by 0x87CA88F: TextRegion::on_resize() (tilereg-text.cc:39)
==20355==    by 0x87B6399: CRTRegion::on_resize() (tilereg-crt.cc:41)
==20355==    by 0x87B227D: Region::recalculate() (tilereg.cc:99)
==20355==    by 0x87B2370: Region::resize_to_fit(int, int) (tilereg.cc:86)
==20355==    by 0x87CDADF: TilesFramework::do_layout() (tilesdl.cc:1046)
==20355==    by 0x87CDB32: TilesFramework::resize() (tilesdl.cc:552)
==20355==    by 0x87CEB99: TilesFramework::getch_ck() (tilesdl.cc:810)
==20355==    by 0x87AE9E2: getch_ck() (libgui.cc:151)
==20355==    by 0x87AE9EE: getchk() (libgui.cc:156)
==20355==    by 0x87AE9FA: m_getch() (libgui.cc:28)
==20355==    by 0x8441613: _getch_mul(int (*)()) (macro.cc:714)
==20355==
==20355== Invalid write of size 1
==20355==    at 0x87CAA2D: TextRegion::addstr_aux(unsigned int const*, int) (tilereg-text.cc:120)
==20355==    by 0x87CACDF: TextRegion::addstr(char const*) (tilereg-text.cc:90)
==20355==    by 0x87AE915: cprintf(char const*, ...) (libgui.cc:86)
==20355==    by 0x8308247: formatted_string::fs_op::display() const (format.cc:495)
==20355==    by 0x83082C5: formatted_string::display(int, int) const (format.cc:392)
==20355==    by 0x849F03A: MenuDisplayText::draw_more() (menu.cc:129)
==20355==    by 0x849F1A7: Menu::draw_menu() (menu.cc:1284)
==20355==    by 0x84A0A97: Menu::do_menu() (menu.cc:358)
==20355==    by 0x84A4662: Menu::show(bool) (menu.cc:342)
==20355==    by 0x84A4745: formatted_scroller::show(bool) (menu.cc:2049)
==20355==    by 0x85BE9B5: _get_overview_screen_results() (output.cc:2495)
==20355==    by 0x85BEAFD: print_overview_screen() (output.cc:2530)
==20355==  Address 0xe9c94e2 is 0 bytes after a block of size 6,650 alloc'd
==20355==    at 0x4029DFC: operator new[](unsigned int) (vg_replace_malloc.c:383)
==20355==    by 0x87CA89A: TextRegion::on_resize() (tilereg-text.cc:40)
==20355==    by 0x87B6399: CRTRegion::on_resize() (tilereg-crt.cc:41)
==20355==    by 0x87B227D: Region::recalculate() (tilereg.cc:99)
==20355==    by 0x87B2370: Region::resize_to_fit(int, int) (tilereg.cc:86)
==20355==    by 0x87CDADF: TilesFramework::do_layout() (tilesdl.cc:1046)
==20355==    by 0x87CDB32: TilesFramework::resize() (tilesdl.cc:552)
==20355==    by 0x87CEB99: TilesFramework::getch_ck() (tilesdl.cc:810)
==20355==    by 0x87AE9E2: getch_ck() (libgui.cc:151)
==20355==    by 0x87AE9EE: getchk() (libgui.cc:156)
==20355==    by 0x87AE9FA: m_getch() (libgui.cc:28)
==20355==    by 0x8441613: _getch_mul(int (*)()) (macro.cc:714)
==20355==

valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 44, hi = 32.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away. Please try that before reporting this as a bug.

host stacktrace:
==20355==    at 0x3804CD20: show_sched_status_wrk (m_libcassert.c:319)
==20355==    by 0x3804CE31: report_and_quit (m_libcassert.c:390)
==20355==    by 0x3804CF50: vgPlain_assert_fail (m_libcassert.c:455)
==20355==    by 0x3805765C: get_bszB_as_is (m_mallocfree.c:302)
==20355==    by 0x3805765C: get_bszB (m_mallocfree.c:312)
==20355==    by 0x3805765C: mergeWithFreeNeighbours (m_mallocfree.c:2001)
==20355==    by 0x38096AAA: vgPlain_cli_free (replacemalloc_core.c:101)
==20355==    by 0x3802369D: release_oldest_block (mc_malloc_wrappers.c:165)
==20355==    by 0x3802369D: create_MC_Chunk (mc_malloc_wrappers.c:208)
==20355==    by 0x3802389B: vgMemCheck_new_block (mc_malloc_wrappers.c:366)
==20355==    by 0x38023A8E: vgMemCheck___builtin_vec_new (mc_malloc_wrappers.c:405)
==20355==    by 0x38099493: do_client_request (scheduler.c:1840)
==20355==    by 0x38099493: vgPlain_scheduler (scheduler.c:1409)
==20355==    by 0x380A6F11: thread_wrapper (syswrap-linux.c:103)
==20355==    by 0x380A6F11: run_a_thread_NORETURN (syswrap-linux.c:156)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==20355==    at 0x4029DFC: operator new[](unsigned int) (vg_replace_malloc.c:383)
==20355==    by 0x87526A5: crawl_view_buffer::resize(coord_def const&) (viewgeom.cc:247)
==20355==    by 0x87527E5: crawl_view_buffer::operator=(crawl_view_buffer const&) (viewgeom.cc:257)
==20355==    by 0x87B7019: DungeonRegion::load_dungeon(crawl_view_buffer const&, coord_def const&) (tilereg-dgn.cc:86)
==20355==    by 0x87CB506: TilesFramework::load_dungeon(crawl_view_buffer const&, coord_def const&) (tilesdl.cc:526)
==20355==    by 0x8751462: viewwindow(bool, bool, animation*) (view.cc:1351)
==20355==    by 0x85BBC9F: redraw_screen() (output.cc:1523)
==20355==    by 0x85BEB65: print_overview_screen() (output.cc:2539)
==20355==    by 0x882CFA8: process_command(command_type) (main.cc:2193)
==20355==    by 0x882D9FE: _input() (main.cc:1507)
==20355==    by 0x882DF05: _launch_game() (main.cc:479)
==20355==    by 0x882DFBA: _launch_game_loop() (main.cc:380)
==20355==    by 0x882E1AE: main (main.cc:336)

Thread 2: status = VgTs_WaitSys
==20355==    at 0x4676F98: sem_timedwait (sem_timedwait.S:111)
==20355==    by 0x4280215: ??? (in /usr/lib/i386-linux-gnu/libSDL2-2.0.so.0.2.0)
==20355==    by 0x422C136: ??? (in /usr/lib/i386-linux-gnu/libSDL2-2.0.so.0.2.0)
==20355==    by 0x422BC49: ??? (in /usr/lib/i386-linux-gnu/libSDL2-2.0.so.0.2.0)
==20355==    by 0x427FD37: ??? (in /usr/lib/i386-linux-gnu/libSDL2-2.0.so.0.2.0)
==20355==    by 0x4670EFA: start_thread (pthread_create.c:309)
==20355==    by 0x476FDFD: clone (clone.S:129)

Thread 3: status = VgTs_WaitSys
==20355==    at 0x4674C4B: pthread_cond_wait@@GLIBC_2.3.2 (pthread_cond_wait.S:188)
==20355==    by 0x66D6FEC: ??? (in /usr/lib/i386-linux-gnu/dri/r600_dri.so)
==20355==    by 0x66D6704: ??? (in /usr/lib/i386-linux-gnu/dri/r600_dri.so)
==20355==    by 0x4670EFA: start_thread (pthread_create.c:309)
==20355==    by 0x476FDFD: clone (clone.S:129)

Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using. Thanks.