bug#23522: 25.0.93; SEGFAULT when displaying HELLO

[Eli Zaretskii <eliz@gnu.org>]

> From: Michael Welsh Duggan <mwd@md5i.com>
> Cc: Michael Welsh Duggan <mwd@cert.org>,  <rgm@gnu.org>,  <23522@debbugs.gnu.org>
> Date: Thu, 12 May 2016 16:49:15 -0400
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> >> From: Michael Welsh Duggan <mwd@cert.org>
> >> Cc: <rgm@gnu.org>, <23522@debbugs.gnu.org>
> >> Date: Thu, 12 May 2016 15:58:43 -0400
> >> 
> >> (gdb) up
> >> #4  0x00000000006b47e2 in ftfont_shape_by_flt (lgstring=14496901, 
> >>     font=0x17b3660, ft_face=0x1739f10, otf=0x16df8d0, matrix=0x17b3758)
> >>     at ../../../git/emacs/src/ftfont.c:2655
> >> (gdb) pp lgstring
> >> [[#<font-object "-unknown-Lohit
> >> Gujarati-normal-normal-normal-*-13-*-*-*-*-0-iso10646-1"> 2744 2765
> >> 2724 2759] nil [0 0 2744 98 10 0 9 8 0 nil] [1 1 2765 115 0 -4 3 0 4
> >> nil] [2 2 2724 81 9 0 8 8 0 nil] [3 3 2759 110 0 -7 -1 12 -7 nil]
> >> nil nil nil nil]
> >> (gdb) 
> >
> > In the above stack frame, what is the value of g->g (it's a
> > structure)?
> 
> (gdb) p g->g
> $3 = {
>   c = 0, 
>   code = 175, 
>   from = 0, 
>   to = 115, <<<<<<<<<<<<<<<<<<<<<<

This value of 'to' looks bogus (too large) to me.  The line that
segfaults is

      g->g.to = LGLYPH_TO (LGSTRING_GLYPH (lgstring, g->g.to));

and the LGSTRING_GLYPH macro expands to AREF (lgstring, g->g.to+2), so
we are indexing an lgstring with an index that's 117, too large.  The
value of lgstring shown above has only 10 elements, which is
consistent with the definition of an lgstring (see composite.h, around
line 270).

So the question becomes: where did that value of 'to' come from, and
how come its value is bogus?  Can you look at the code before the
faulting line and figure that out?

I'm CC'ing Handa-san, who might have insight for this problem.

> > The crash seems to happen when Emacs tries to display line #10 of
> > HELLO, which begins with " South Asia:".  The first word after that is
> > the one that causes the crash.  Can you look at another system, where
> > there's no crash, and tell which font is used for that word?
> 
> Looking at previous frames, it looks like the character is char 383:

That's right.

>              position: 383 of 3322 (11%), column: 16
>             character: સ (displayed as સ) (codepoint 2744, #o5270, #xab8)
>     preferred charset: mule-unicode-0100-24ff (Unicode characters of the range U+0100..U+24FF.)
> code point in charset: 0x3978
>                script: gujarati
>                syntax: w 	which means: word
>              category: .:Base, L:Left-to-right (strong)
>              to input: type "C-x 8 RET ab8" or "C-x 8 RET GUJARATI LETTER SA"
>           buffer code: #xE0 #xAA #xB8
>             file code: ESC #x24 #x2C #x31 #x39 #x78 (encoded by coding system iso-2022-7bit-unix)
>               display: composed to form "સ્તે" (see below)
> 
> Composed with the following character(s) "્તે" using this font:
>   xft:-unknown-FreeSerif-normal-normal-normal-*-15-*-*-*-*-0-iso10646-1
> by these glyphs:
>   [0 3 0 10195 9 0 10 10 0 nil]
>   [0 3 2724 2103 10 1 10 10 1 nil]
>   [0 3 2759 2132 0 -8 -2 13 -10 [-1 0 0]]

So why does Emacs use FreeSerif on this system and Lohit Gujarati on
the faulting one?  Are both fonts installed on both systems?  Is Lohit
Gujarati a bad font, by any chance?

Also, do both systems have the same version of libm17n-flt and m17n-db
libraries?