Dear Maintainer,

a short addition. I got some help that AddressSanitizer and Valgrind could be squeezed to delay returning previously free'd addresses from the allocator. Then both tools point to the mentioned first allocation directly.

Kind regards,
Bernhard

AddressSanitizer:
export ASAN_OPTIONS=quarantine_size_mb=1000

Valgrind:
--freelist-vol=10000000000

Result with unmodified Debian binaries:

valgrind --tool=memcheck --track-origins=yes --num-callers=100 --freelist-vol=10000000000 fontforge -script /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/debian/mergefonts.ff /usr/share/fonts/truetype/droid/DroidSansFallbackFull.ttf /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf /home/benutzer/source/kodi/try1/kodi-17.6+dfsg1/media/Fonts/arial.ttf
The glyph named Omega is mapped to U+03A9.
But its name indicates it should be mapped to U+2126.
==74312== Invalid read of size 8
==74312==    at 0x55F6B69: gv_len (tottfgpos.c:3838)
==74312==    by 0x5601DC9: ttf_math_dump_glyphvariant (tottfgpos.c:3979)
==74312==    by 0x5601DC9: otf_dump_math (tottfgpos.c:4139)
==74312==    by 0x56134C9: initATTables (tottf.c:5316)
==74312==    by 0x5615006: initTables (tottf.c:5792)
==74312==    by 0x561552A: _WriteTTFFont (tottf.c:6143)
==74312==    by 0x5615A49: WriteTTFFont (tottf.c:6171)
==74312==    by 0x54F5413: _DoSave (savefont.c:845)
==74312==    by 0x54F7DCF: GenerateScript (savefont.c:1269)
==74312==    by 0x55103FB: bGenerate (scripting.c:2061)
==74312==    by 0x5512F0A: docall (scripting.c:9632)
==74312==    by 0x551359D: handlename (scripting.c:9745)
==74312==    by 0x55147B2: term (scripting.c:9983)
==74312==    by 0x5514B37: mul (scripting.c:10128)
==74312==    by 0x5514D4D: add (scripting.c:10174)
==74312==    by 0x55150B8: comp (scripting.c:10249)
==74312==    by 0x5515340: _and (scripting.c:10293)
==74312==    by 0x55154E2: _or (scripting.c:10325)
==74312==    by 0x55154E2: assign (scripting.c:10358)
==74312==    by 0x55122FC: expr (scripting.c:10436)
==74312==    by 0x55122FC: ff_statement (scripting.c:10649)
==74312==    by 0x5516110: ProcessNativeScript (scripting.c:10796)
==74312==    by 0x5516744: _CheckIsScript (scripting.c:10890)
==74312==    by 0x5516744: CheckIsScript (scripting.c:10927)
==74312==    by 0x4A165B8: fontforge_main (startui.c:1099)
==74312==    by 0x4C13BBA: (below main) (libc-start.c:308)
==74312==  Address 0x8f6e3600 is 0 bytes inside a block of size 40 free'd
==74312==    at 0x48379AB: free (vg_replace_malloc.c:540)
==74312==    by 0x55C7B19: SplineCharFreeContents (splineutil.c:5963)
==74312==    by 0x55C7B7D: SplineCharFree (splineutil.c:5974)
==74312==    by 0x55C7B7D: SplineCharFree (splineutil.c:5970)
==74312==    by 0x55CA66D: SplineFontFree (splineutil.c:6535)
==74312==    by 0x55CA66D: SplineFontFree (splineutil.c:6491)
==74312==    by 0x542E147: _MergeFont (fvfonts.c:1161)
==74312==    by 0x542E147: __MergeFont (fvfonts.c:1179)
==74312==    by 0x542E147: MergeFont (fvfonts.c:1261)
==74312==    by 0x5512F0A: docall (scripting.c:9632)
==74312==    by 0x551359D: handlename (scripting.c:9745)
==74312==    by 0x55147B2: term (scripting.c:9983)
==74312==    by 0x5514B37: mul (scripting.c:10128)
==74312==    by 0x5514D4D: add (scripting.c:10174)
==74312==    by 0x55150B8: comp (scripting.c:10249)
==74312==    by 0x5515340: _and (scripting.c:10293)
==74312==    by 0x55154E2: _or (scripting.c:10325)
==74312==    by 0x55154E2: assign (scripting.c:10358)
==74312==    by 0x55122FC: expr (scripting.c:10436)
==74312==    by 0x55122FC: ff_statement (scripting.c:10649)
==74312==    by 0x5516110: ProcessNativeScript (scripting.c:10796)
==74312==    by 0x5516744: _CheckIsScript (scripting.c:10890)
==74312==    by 0x5516744: CheckIsScript (scripting.c:10927)
==74312==    by 0x4A165B8: fontforge_main (startui.c:1099)
==74312==    by 0x4C13BBA: (below main) (libc-start.c:308)
==74312==  Block was alloc'd at
==74312==    at 0x4838B65: calloc (vg_replace_malloc.c:762)
==74312==    by 0x5486A1B: ttf_math_read_gvtable (parsettfatt.c:5317)
==74312==    by 0x5491113: ttf_math_read_variants (parsettfatt.c:5473)
==74312==    by 0x5491113: _otf_read_math (parsettfatt.c:5515)
==74312==    by 0x5491113: _otf_read_math (parsettfatt.c:5493)
==74312==    by 0x54A87D4: readttf (parsettf.c:5673)
==74312==    by 0x54A87D4: _SFReadTTF (parsettf.c:6327)
==74312==    by 0x556808E: _ReadSplineFont (splinefont.c:1141)
==74312==    by 0x5569238: LoadSplineFont (splinefont.c:1379)
==74312==    by 0x550B0E2: bMergeFonts (scripting.c:5600)
==74312==    by 0x5512F0A: docall (scripting.c:9632)
==74312==    by 0x551359D: handlename (scripting.c:9745)
==74312==    by 0x55147B2: term (scripting.c:9983)
==74312==    by 0x5514B37: mul (scripting.c:10128)
==74312==    by 0x5514D4D: add (scripting.c:10174)
==74312==    by 0x55150B8: comp (scripting.c:10249)
==74312==    by 0x5515340: _and (scripting.c:10293)
==74312==    by 0x55154E2: _or (scripting.c:10325)
==74312==    by 0x55154E2: assign (scripting.c:10358)
==74312==    by 0x55122FC: expr (scripting.c:10436)
==74312==    by 0x55122FC: ff_statement (scripting.c:10649)
==74312==    by 0x5516110: ProcessNativeScript (scripting.c:10796)
==74312==    by 0x5516744: _CheckIsScript (scripting.c:10890)
==74312==    by 0x5516744: CheckIsScript (scripting.c:10927)
==74312==    by 0x4A165B8: fontforge_main (startui.c:1099)
==74312==    by 0x4C13BBA: (below main) (libc-start.c:308)
==74312==
==74312== Invalid read of size 4
...
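The mechanism behind the two options named in the report (ASan's quarantine_size_mb and Valgrind's --freelist-vol), as an added illustration that is not part of the bug report and not fontforge, AddressSanitizer or Valgrind code: a toy slab allocator with a FIFO quarantine whose byte limit plays the role of those options. Without a quarantine the freed 40-byte block is the very next thing the allocator hands out, so a stale read through the old pointer lands in a live, unrelated block and the checker either sees a valid access or attributes it to the wrong allocation site; with a large quarantine the address stays dead for a long time and the report can name the original calloc. Only the 40-byte slot size is taken from the report; the arena size, the 80-byte limit and all function names are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy slab allocator with an ASan/Valgrind-style quarantine (constructed
 * for illustration; not fontforge, ASan or Valgrind code).  Every freed
 * slot is parked in a FIFO quarantine and returned to the free list only
 * once the quarantined volume exceeds q_limit bytes, which is the role
 * played by quarantine_size_mb and --freelist-vol. */

#define SLOT_SIZE 40   /* constructed: same size as the block in the report */
#define NSLOTS    64   /* constructed arena capacity */

static unsigned char arena[NSLOTS * SLOT_SIZE];
static int    free_list[NSLOTS];   /* LIFO stack of reusable slot indices */
static int    n_free;
static int    quarantine[NSLOTS];  /* FIFO ring of quarantined slot indices */
static int    q_head, q_count;
static size_t q_volume, q_limit;

static void toy_init(size_t quarantine_limit_bytes) {
    n_free = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        free_list[n_free++] = i;           /* slot 0 ends up on top of the stack */
    q_head = q_count = 0;
    q_volume = 0;
    q_limit = quarantine_limit_bytes;
}

static void *toy_malloc(void) {
    if (n_free == 0)
        return NULL;
    return arena + (size_t)free_list[--n_free] * SLOT_SIZE;
}

/* Release the oldest quarantined slots until the volume is within the limit. */
static void drain_quarantine(void) {
    while (q_count > 0 && q_volume > q_limit) {
        int slot = quarantine[q_head];
        q_head = (q_head + 1) % NSLOTS;
        q_count--;
        q_volume -= SLOT_SIZE;
        free_list[n_free++] = slot;        /* only now eligible for reuse */
    }
}

static void toy_free(void *p) {
    int slot = (int)(((unsigned char *)p - arena) / SLOT_SIZE);
    quarantine[(q_head + q_count) % NSLOTS] = slot;
    q_count++;
    q_volume += SLOT_SIZE;
    drain_quarantine();
}

/* 1 if the very next allocation after a free hands back the freed address,
 * i.e. a later stale read would hit a live, unrelated block and the checker
 * could at best report that block's allocation site, not the original one. */
static int freed_address_reused(size_t quarantine_limit_bytes) {
    toy_init(quarantine_limit_bytes);
    void *first = toy_malloc();   /* stands in for the calloc in ttf_math_read_gvtable */
    toy_free(first);              /* stands in for the free in SplineFontFree */
    void *next = toy_malloc();    /* the program's next allocation of that size */
    return next == first;
}

/* Number of further frees before the first freed slot becomes reusable;
 * 0 means no delay at all, -1 means never within this arena's capacity. */
static int frees_until_reuse(size_t quarantine_limit_bytes) {
    toy_init(quarantine_limit_bytes);
    void *first = toy_malloc();
    toy_free(first);
    for (int n = 0; n < NSLOTS - 1; n++) {
        if (n_free > 0 && arena + (size_t)free_list[n_free - 1] * SLOT_SIZE == first)
            return n;
        toy_free(toy_malloc());   /* churn: another block comes and goes */
    }
    return -1;
}

int main(void) {
    printf("quarantine 0 bytes:  reused=%d, frees until reuse=%d\n",
           freed_address_reused(0), frees_until_reuse(0));
    printf("quarantine 80 bytes: reused=%d, frees until reuse=%d\n",
           freed_address_reused(80), frees_until_reuse(80));
    printf("quarantine 1 MiB:    reused=%d, frees until reuse=%d\n",
           freed_address_reused(1u << 20), frees_until_reuse(1u << 20));
    return 0;
}
```

With a zero limit the freed slot is recycled by the next allocation; with an 80-byte limit it survives two more frees; with a 1 MiB limit it is never recycled in this small arena, which is the behaviour the large quarantine_size_mb and --freelist-vol values buy in the real tools at the cost of memory.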