bug#54859: Crash in marking of input events with devices

bug#54859: Crash in marking of input events with devices

[martin rudalics]

commit c4921d1157a2e3e15b1d779a6bdf768e307275dd
Author: Po Lu <luangruo@yahoo.com>
Date:   Fri Apr 8 17:00:37 2022 +0800

     Fix GC marking of input events with devices

     * src/keyboard.c (mark_kboards):
     * src/pgtkterm.c (mark_pgtkterm): Mark `device' as well.

reliably segfaults my patched version of Emacs.  Note that the line
numbers of backtraces are not those of master since I have made local
changes to many of the involved files.  I have not tried to reproduce
the crashes on master itself because the program to produce the crashes
uses too many constructs that are not available on master.

A typical crash produced the backtrace below in an -Og -g3 build (-O0
builds hardly crash that way, if ever).  Note that in my keyboard.c line
13102 actually is

	  mark_object (event->ie.device);

The associated event is always a HELP_EVENT.  If you need further
information, please tell me.

martin


Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.
0x0000000000596e69 in symbol_marked_p (s=s@entry=0x800000a971a0) at ../../src/pdumper.h:166
166	  return dump_public.start <= obj_addr && obj_addr < dump_public.end;
(gdb) bt
#0  0x0000000000596e69 in symbol_marked_p (s=s@entry=0x800000a971a0) at ../../src/pdumper.h:166
#1  0x000000000059ba10 in process_mark_stack (base_sp=base_sp@entry=0) at ../../src/alloc.c:6928
#2  0x000000000059bc44 in mark_object (obj=XIL(0x7fffffffcc40)) at ../../src/alloc.c:7020
#3  0x000000000054358e in mark_kboards () at ../../src/keyboard.c:13102
#4  0x000000000059c0d2 in garbage_collect () at ../../src/alloc.c:6181
#5  0x000000000059c402 in maybe_garbage_collect () at ../../src/alloc.c:6085
#6  0x00000000005c1ee8 in maybe_gc () at ../../src/lisp.h:5523
#7  0x00000000005c1ee8 in eval_sub (form=form@entry=XIL(0x7ffff422645b)) at ../../src/eval.c:2288
#8  0x00000000005c5201 in Feval (form=form@entry=XIL(0x7ffff422645b), lexical=lexical@entry=XIL(0)) at ../../src/eval.c:2240
#9  0x000000000052d4a5 in eval_dyn (form=form@entry=XIL(0x7ffff422645b)) at ../../src/lisp.h:1161
#10 0x00000000005bdc65 in internal_condition_case_1 (bfun=bfun@entry=0x52d497 <eval_dyn>, arg=arg@entry=XIL(0x7ffff422645b), handlers=handlers@entry=XIL(0x90), hfun=hfun@entry=0x52d599 <menu_item_eval_property_1>) at ../../src/eval.c:1474
#11 0x0000000000537182 in menu_item_eval_property (sexpr=sexpr@entry=XIL(0x7ffff422645b)) at ../../src/lisp.h:1161
#12 0x0000000000538856 in parse_tool_bar_item (key=<optimized out>, item=<optimized out>) at ../../src/lisp.h:1925
#13 0x0000000000538ac3 in process_tool_bar_item (key=<optimized out>, def=<optimized out>, data=<optimized out>, args=<optimized out>) at ../../src/keyboard.c:8840
#14 0x0000000000544685 in map_keymap_item (fun=fun@entry=0x53888d <process_tool_bar_item>, args=args@entry=XIL(0), key=<optimized out>, val=<optimized out>, data=data@entry=0x0) at ../../src/keymap.c:507
#15 0x00000000005467be in map_keymap_internal (map=map@entry=XIL(0x1990b23), fun=fun@entry=0x53888d <process_tool_bar_item>, args=args@entry=XIL(0), data=data@entry=0x0) at ../../src/lisp.h:1498
#16 0x0000000000547fa0 in map_keymap (map=XIL(0x1990b23), fun=fun@entry=0x53888d <process_tool_bar_item>, args=args@entry=XIL(0), data=data@entry=0x0, autoload=autoload@entry=true) at ../../src/keymap.c:599
#17 0x000000000053a136 in tool_bar_items (reuse=<optimized out>, nitems=nitems@entry=0x7fffffffc27c) at ../../src/lisp.h:1161
#18 0x0000000000437b04 in update_tool_bar (f=f@entry=0x170e088, save_match_data=save_match_data@entry=false) at ../../src/xdisp.c:14151
#19 0x00000000004636c7 in prepare_menu_bars () at ../../src/xdisp.c:13068
#20 0x0000000000466867 in redisplay_internal () at ../../src/xdisp.c:15814
#21 0x0000000000467f57 in redisplay_preserve_echo_area (from_where=from_where@entry=2) at ../../src/xdisp.c:16554
#22 0x000000000041bd4f in Fredisplay (force=XIL(0x30)) at ../../src/dispnew.c:6215
#23 0x00000000005c22cd in eval_sub (form=<optimized out>) at ../../src/lisp.h:2183
#24 0x00000000005c2a85 in Fprogn (body=XIL(0)) at ../../src/eval.c:451
#25 0x00000000005c4c69 in FletX (args=XIL(0xea3433)) at ../../src/lisp.h:1504
#26 0x00000000005c20ce in eval_sub (form=<optimized out>) at ../../src/lisp.h:2183
#27 0x00000000005c2a85 in Fprogn (body=XIL(0)) at ../../src/eval.c:451
#28 0x00000000005c20ce in eval_sub (form=<optimized out>) at ../../src/lisp.h:2183
#29 0x00000000005c2ac8 in Fif (args=XIL(0xea2413)) at ../../src/lisp.h:1504
#30 0x00000000005c20ce in eval_sub (form=<optimized out>) at ../../src/lisp.h:2183
#31 0x00000000005c2a85 in Fprogn (body=XIL(0)) at ../../src/eval.c:451
#32 0x00000000005c1b0a in funcall_lambda (fun=XIL(0xea2683), nargs=nargs@entry=0, arg_vector=arg_vector@entry=0x7fffffffdb18) at ../../src/lisp.h:1504
#33 0x00000000005bf2bc in funcall_general (fun=<optimized out>, numargs=numargs@entry=0, args=args@entry=0x7fffffffdb18) at ../../src/eval.c:2835
#34 0x00000000005bf484 in Ffuncall (nargs=1, args=0x7fffffffdb10) at ../../src/eval.c:2873
#35 0x00000000005c21ba in eval_sub (form=<optimized out>) at ../../src/lisp.h:2183
#36 0x00000000005c2a85 in Fprogn (body=XIL(0x103afd3), body@entry=XIL(0x103ab13)) at ../../src/eval.c:451
#37 0x00000000005c2aa0 in prog_ignore (body=body@entry=XIL(0x103ab13)) at ../../src/eval.c:462
#38 0x00000000005c3259 in Fwhile (args=<optimized out>) at ../../src/eval.c:1030
#39 0x00000000005c20ce in eval_sub (form=<optimized out>) at ../../src/lisp.h:2183
#40 0x00000000005c2a85 in Fprogn (body=XIL(0)) at ../../src/eval.c:451
#41 0x00000000005c4894 in Flet (args=XIL(0x103abb3)) at ../../src/lisp.h:1504
#42 0x00000000005c20ce in eval_sub (form=<optimized out>) at ../../src/lisp.h:2183
#43 0x00000000005c2a85 in Fprogn (body=XIL(0)) at ../../src/eval.c:451
#44 0x00000000005c1b0a in funcall_lambda (fun=XIL(0x103abd3), nargs=nargs@entry=0, arg_vector=arg_vector@entry=0x7fffffffe160) at ../../src/lisp.h:1504
#45 0x00000000005bf2bc in funcall_general (fun=<optimized out>, numargs=numargs@entry=0, args=args@entry=0x7fffffffe160) at ../../src/eval.c:2835
#46 0x00000000005bf484 in Ffuncall (nargs=nargs@entry=1, args=args@entry=0x7fffffffe158) at ../../src/eval.c:2873
#47 0x00000000005b98a4 in Ffuncall_interactively (nargs=1, args=0x7fffffffe158) at ../../src/callint.c:260
#48 0x00000000005c10eb in funcall_subr (subr=0xa20900 <Sfuncall_interactively>, numargs=numargs@entry=1, args=args@entry=0x7fffffffe158) at ../../src/eval.c:2938
#49 0x00000000005bf06f in funcall_general (fun=<optimized out>, numargs=numargs@entry=1, args=args@entry=0x7fffffffe158) at ../../src/lisp.h:2183
#50 0x00000000005bf484 in Ffuncall (nargs=nargs@entry=2, args=args@entry=0x7fffffffe150) at ../../src/eval.c:2873
#51 0x00000000005bffbc in Fapply (nargs=nargs@entry=3, args=args@entry=0x7fffffffe150) at ../../src/eval.c:2503
#52 0x00000000005ba4dc in Fcall_interactively (function=XIL(0x201a90), record_flag=XIL(0), keys=XIL(0x7ffff452ec85)) at ../../src/lisp.h:1161
#53 0x00000000005c103a in funcall_subr (subr=0xa208c0 <Scall_interactively>, numargs=numargs@entry=3, args=args@entry=0x7ffff36c3070) at ../../src/eval.c:2915
#54 0x0000000000608355 in exec_byte_code (fun=<optimized out>, fun@entry=XIL(0x7ffff3e5254d), args_template=<optimized out>, args_template@entry=1025, nargs=<optimized out>, nargs@entry=1, args=<optimized out>, args@entry=0x7fffffffe4e8) at ../../src/lisp.h:2183
#55 0x00000000005c0b78 in fetch_and_exec_byte_code (fun=fun@entry=XIL(0x7ffff3e5254d), args_template=args_template@entry=1025, nargs=nargs@entry=1, args=args@entry=0x7fffffffe4e8) at ../../src/eval.c:2960
#56 0x00000000005c159f in funcall_lambda (fun=XIL(0x7ffff3e5254d), nargs=nargs@entry=1, arg_vector=arg_vector@entry=0x7fffffffe4e8) at ../../src/lisp.h:1280
#57 0x00000000005bf119 in funcall_general (fun=<optimized out>, numargs=numargs@entry=1, args=args@entry=0x7fffffffe4e8) at ../../src/eval.c:2823
#58 0x00000000005bf484 in Ffuncall (nargs=nargs@entry=2, args=args@entry=0x7fffffffe4e0) at ../../src/eval.c:2873
#59 0x0000000000540a33 in call1 (arg1=<optimized out>, fn=XIL(0x4740)) at ../../src/lisp.h:3216
#60 0x0000000000540a33 in command_loop_1 () at ../../src/keyboard.c:1515
#61 0x00000000005bdbef in internal_condition_case (bfun=bfun@entry=0x54043e <command_loop_1>, handlers=handlers@entry=XIL(0x90), hfun=hfun@entry=0x53378a <cmd_error>) at ../../src/eval.c:1450
#62 0x000000000052d3a9 in command_loop_2 (handlers=handlers@entry=XIL(0x90)) at ../../src/keyboard.c:1142
#63 0x00000000005bdb66 in internal_catch (tag=tag@entry=XIL(0xf360), func=func@entry=0x52d38f <command_loop_2>, arg=arg@entry=XIL(0x90)) at ../../src/eval.c:1180
#64 0x000000000052d371 in command_loop () at ../../src/lisp.h:1161
#65 0x000000000053331e in recursive_edit_1 () at ../../src/keyboard.c:729
#66 0x00000000005336b6 in Frecursive_edit () at ../../src/keyboard.c:812
#67 0x000000000052c93a in main (argc=4, argv=0x7fffffffe788) at ../../src/emacs.c:2447
[Thread 0x7ffff0990700 (LWP 20915) exited]

Lisp Backtrace:
"Automatic GC" (0x0)
"redisplay_internal (C function)" (0x0)
"redisplay" (0xffffd6e0)
"let*" (0xffffd848)
"progn" (0xffffd918)
"if" (0xffffd9d8)
"chaos-11" (0xffffdb18)
"funcall" (0xffffdb10)
"while" (0xffffdc88)
"let" (0xffffddc8)
"chaos-run" (0xffffe160)
"funcall-interactively" (0xffffe158)
"call-interactively" (0xf36c3070)
"command-execute" (0xffffe4e8)
(gdb) frame 3
#3  0x000000000054358e in mark_kboards () at ../../src/keyboard.c:13102
13102		  mark_object (event->ie.device);
(gdb) p event->kind
$1 = HELP_EVENT
(gdb) p event->ie.device
$1 = XIL(0x7fffffffcab0)
(gdb) xpr
Lisp_Symbol
$2 = (struct Lisp_Symbol *) 0x800000a97010
Cannot access memory at address 0x800000a97018
(gdb)

bug#54859: Crash in marking of input events with devices

[Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors]

martin rudalics <rudalics@gmx.at> writes:

> commit c4921d1157a2e3e15b1d779a6bdf768e307275dd
> Author: Po Lu <luangruo@yahoo.com>
> Date:   Fri Apr 8 17:00:37 2022 +0800
>
>     Fix GC marking of input events with devices
>
>     * src/keyboard.c (mark_kboards):
>     * src/pgtkterm.c (mark_pgtkterm): Mark `device' as well.
>
> reliably segfaults my patched version of Emacs.  Note that the line
> numbers of backtraces are not those of master since I have made local
> changes to many of the involved files.  I have not tried to reproduce
> the crashes on master itself because the program to produce the crashes
> uses too many constructs that are not available on master.
>
> A typical crash produced the backtrace below in an -Og -g3 build (-O0
> builds hardly crash that way, if ever).  Note that in my keyboard.c line
> 13102 actually is
>
> 	  mark_object (event->ie.device);
>
> The associated event is always a HELP_EVENT.  If you need further
> information, please tell me.

That was fixed a while back, would you please try with a newer revision?

The problem was that the code to store help events didn't call
EVENT_INIT, so device was left uninitialised.

Thanks.

bug#54859: Crash in marking of input events with devices

[martin rudalics]

close 54859 29.1
quit

 > That was fixed a while back, would you please try with a newer revision?
 >
 > The problem was that the code to store help events didn't call
 > EVENT_INIT, so device was left uninitialised.

Seems to be fixed indeed.

Thanks, martin