From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)
Date: Wed, 08 Oct 2014 11:17:16 +0300
Message-ID: <83tx3fj7qr.fsf@gnu.org>
References: <543446BA.7030800@cornell.edu>
Reply-To: Eli Zaretskii <eliz@gnu.org>
NNTP-Posting-Host: plane.gmane.org
X-Trace: ger.gmane.org 1412756309 9888 80.91.229.3 (8 Oct 2014 08:18:29 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Wed, 8 Oct 2014 08:18:29 +0000 (UTC)
Cc: 18659@debbugs.gnu.org
To: Ken Brown <kbrown@cornell.edu>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Wed Oct 08 10:18:21 2014
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1XbmRv-0006ke-P7
	for geb-bug-gnu-emacs@m.gmane.org; Wed, 08 Oct 2014 10:18:19 +0200
Original-Received: from localhost ([::1]:34824 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1XbmRv-0003IW-2n
	for geb-bug-gnu-emacs@m.gmane.org; Wed, 08 Oct 2014 04:18:19 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:47018)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1XbmRm-0003IG-VJ
	for bug-gnu-emacs@gnu.org; Wed, 08 Oct 2014 04:18:16 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1XbmRe-0005AC-TI
	for bug-gnu-emacs@gnu.org; Wed, 08 Oct 2014 04:18:10 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:45772)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1XbmRe-00059W-Px
	for bug-gnu-emacs@gnu.org; Wed, 08 Oct 2014 04:18:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1XbmRe-0004d0-0m
	for bug-gnu-emacs@gnu.org; Wed, 08 Oct 2014 04:18:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Eli Zaretskii <eliz@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Wed, 08 Oct 2014 08:18:01 +0000
Resent-Message-ID: <handler.18659.B18659.141275623417733@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 18659
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
Original-Received: via spool by 18659-submit@debbugs.gnu.org id=B18659.141275623417733
	(code B ref 18659); Wed, 08 Oct 2014 08:18:01 +0000
Original-Received: (at 18659) by debbugs.gnu.org; 8 Oct 2014 08:17:14 +0000
Original-Received: from localhost ([127.0.0.1]:37336 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1XbmQr-0004bw-Ca
	for submit@debbugs.gnu.org; Wed, 08 Oct 2014 04:17:13 -0400
Original-Received: from mtaout23.012.net.il ([80.179.55.175]:57567)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <eliz@gnu.org>) id 1XbmQo-0004bm-Nk
	for 18659@debbugs.gnu.org; Wed, 08 Oct 2014 04:17:12 -0400
Original-Received: from conversion-daemon.a-mtaout23.012.net.il by
	a-mtaout23.012.net.il (HyperSendmail v2007.08) id
	<0ND4005009BK4X00@a-mtaout23.012.net.il> for 18659@debbugs.gnu.org;
	Wed, 08 Oct 2014 11:17:08 +0300 (IDT)
Original-Received: from HOME-C4E4A596F7 ([87.69.4.28]) by a-mtaout23.012.net.il
	(HyperSendmail v2007.08) with ESMTPA id
	<0ND40057I9OJ5G00@a-mtaout23.012.net.il>;
	Wed, 08 Oct 2014 11:17:08 +0300 (IDT)
In-reply-to: <543446BA.7030800@cornell.edu>
X-012-Sender: halo1@inter.net.il
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:94275

> Date: Tue, 07 Oct 2014 16:02:02 -0400
> From: Ken Brown <kbrown@cornell.edu>
> 
> I just tried to view an emacs window that had been idle for a long time. 
>   I don't remember if I was using Alt-Tab to cycle through the open 
> windows or if I clicked on the emacs icon in the task bar.  When I 
> couldn't get to the window, I checked the terminal from which I had 
> started emacs under gdb, and I saw that emacs had crashed:
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
>      at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
> 123       if (f->output_data.w32->old_palette)

It crashes because f is a NULL pointer, and the code tries to
dereference that.

> (gdb) bt
> #0  0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
>      at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
> #1  0x000000010068e798 in release_frame_dc (f=0x0, hdc=0x0)
>      at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:154
> #2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 
> <bss_sbrk_buffer+6283800>, c=32) at 
> /usr/src/debug/emacs-24.3.94-1/src/w32uniscribe.c:585

I don't understand how could this lead to a crash.  Your detailed
backtrace shows:

> #2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 <bss_sbrk_buffer+6283800>, c=32) at /usr/src/debug/emacs-24.3.94-1/src/w32uniscribe.c:585
>         context = 0x0
>         f = 0x0
>         old_font = 0x0
>         code = 3
>         ch = L" \f"
>         len = 1
>         items = 0x427fa0
>         nitems = 1
>         uniscribe_font = 0x1010f5e98 <bss_sbrk_buffer+6283800>

Note that both 'context' and 'f' are NULL pointers.  But the source
around line 585 says this:

    if (context)
      {
	SelectObject (context, old_font);
	release_frame_dc (f, context);
      }

So why release_frame_dc is being called when 'context' is NULL??
Moreover, 'old_font' is also NULL, which means we never were in this
part of the code:

          if (result == E_PENDING)
            {
              /* Use selected frame until API is updated to pass
                 the frame.  */
              f = XFRAME (selected_frame);
              context = get_frame_dc (f);
              old_font = SelectObject (context, FONT_HANDLE (font));
              result = ScriptShape (context, &(uniscribe_font->cache),
                                    ch, len, 2, &(items[0].a),
                                    glyphs, clusters, attrs, &nglyphs);
            }

which is the only part that sets these 3 variables to something
non-NULL, and requires the call to release_frame_dc to avoid leaking
GDI objects, in this case the font we opened.

What's going on here? is this another case of "bidi_check_type
crashes"?