From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#5856: 24.0.50; Crash in redisplay
Date: Fri, 09 Apr 2010 00:29:26 +0300
Message-ID: <83aatd1vm1.fsf@gnu.org>
References: <4BBCD8D1.1060400@swipnet.se> <83hbnn1000.fsf@gnu.org> <4BBD74AD.2080305@swipnet.se> <4BBD851C.201@swipnet.se> <4BBE00A0.9070005@swipnet.se>
In-reply-to: <4BBE00A0.9070005@swipnet.se>
To: Jan Djärv
Cc: 5856@debbugs.gnu.org

> Date: Thu, 08 Apr 2010 18:13:20 +0200
> From: Jan Djärv
> CC: 5856@debbugs.gnu.org
>
> > How many of these "C-x b"s caused the list of possible completions to
> > exceed one screen line?  If the answer is "many" or "all", then could
> > you try to figure out or recall if there was anything special about
> > the ones that caused crashes?
>
> Somewhere between "many" and "all".  It is the same list of files I was
> editing.  They mostly start on x (xsettings, xtern, xfns, xlwmenu, and so on),
> so it probably looked pretty much the same each time.
>
> There was nothing special about the one that caused a crash I can think of.
> It seems it just takes time.  I just got a crash again, but this time I hadn't
> started it from gdb, unfortunately.  Also, about 3-5 hours before it crashed
> this time.

I think I found the problem.  The invalid glyph that caused the crash
was not supposed to be dereferenced.  Its pointer is exactly the same
as `end', as your backtrace shows:

  #0  0x000000000044d2f1 in set_cursor_from_row (w=0x1378d60, row=0x1fbf550,
      matrix=0x18217a0, delta=0, delta_bytes=0, dy=0, dvpos=0) at
      /home/jhd/src/emacs/fixes/src/xdisp.c:12775
          glyph = 0x1fa5cd0
          end = 0x1fa5cd0

But `end' points beyond the last glyph in the TEXT_AREA of the glyph
row:

  struct glyph *end = glyph + row->used[TEXT_AREA];

If we dereference this pointer, we could be referencing uninitialized
memory, e.g. if there are no margins (i.e. no glyphs in the row after
TEXT_AREA).

The old code was careful not to dereference such a pointer, but when I
rewrote set_cursor_from_row, I failed to copy those precautions.

I installed a fix.  Please see if it stops these crashes, and if so,
please close the bug report.

Thanks.
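
Added example, not part of the message above and not Emacs source: a simplified model of the one-past-the-end read it describes, with the unguarded lookup beside a guarded one. The struct layouts, function names and the constructed sample row are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum { LEFT_MARGIN_AREA, TEXT_AREA, RIGHT_MARGIN_AREA, LAST_AREA };

struct glyph { long charpos; };   /* simplified stand-in for the real struct */

struct glyph_row {
    struct glyph *glyphs[LAST_AREA];
    short used[LAST_AREA];        /* number of valid glyphs in each area */
};

/* Unguarded: when the scan runs off the row, glyph == end, and the final
   test reads a slot that is not part of the row. */
const struct glyph *cursor_glyph_unguarded(const struct glyph_row *row, long pt)
{
    const struct glyph *glyph = row->glyphs[TEXT_AREA];
    const struct glyph *end = glyph + row->used[TEXT_AREA];

    while (glyph < end && glyph->charpos < pt)
        glyph++;
    return glyph->charpos == pt ? glyph : NULL;   /* may read *end */
}

/* Guarded: compare against end before every dereference. */
const struct glyph *cursor_glyph_guarded(const struct glyph_row *row, long pt)
{
    const struct glyph *glyph = row->glyphs[TEXT_AREA];
    const struct glyph *end = glyph + row->used[TEXT_AREA];

    while (glyph < end && glyph->charpos < pt)
        glyph++;
    return (glyph < end && glyph->charpos == pt) ? glyph : NULL;
}

/* Constructed sample: three valid glyphs. Slot 3 holds stale data left by an
   earlier, longer row; it lies inside the backing array so this demo stays
   well defined, whereas in the crash the slot was arbitrary memory. */
static struct glyph pool[4] = { {10}, {11}, {12}, {40} };

struct glyph_row sample_row(void)
{
    struct glyph_row row = { { NULL, pool, NULL }, { 0, 3, 0 } };
    return row;
}

int main(void)
{
    struct glyph_row row = sample_row();
    printf("unguarded hit stale slot: %d\n", cursor_glyph_unguarded(&row, 40) != NULL);
    printf("guarded hit stale slot:   %d\n", cursor_glyph_guarded(&row, 40) != NULL);
    return 0;
}
```

Building the unguarded variant with AddressSanitizer over a heap-allocated row of exactly `used[TEXT_AREA]` glyphs reports the read at `end` immediately, rather than after hours of use as in this bug report.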