From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#65060: 29.1.50; display_count_lines segv
Date: Sat, 05 Aug 2023 09:24:01 +0300
Message-ID: <83wmyat3b2.fsf@gnu.org>
To: Kai Ma
Cc: 65060@debbugs.gnu.org
In-Reply-To: (message from Kai Ma on Sat, 05 Aug 2023 05:41:54 +0800)
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.io gmane.emacs.bugs:266728
> From: Kai Ma
> Date: Sat, 05 Aug 2023 05:41:54 +0800
>
> Emacs can crash due to memchr on null pointers inside
> display_count_lines:
>
> * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
>     frame #0: 0x00007ff813c6329d libsystem_platform.dylib`_platform_memchr$VARIANT$Haswell + 29
>   * frame #1: 0x000000010005c1ef emacs`display_count_lines(start_byte=1, limit_byte=650, count=17166, byte_pos_ptr=0x00007ff7bfef2ef8) at xdisp.c:28475:14

This crash is inside redisplay, which displays the mode line.  That
calls some Lisp (probably because some mode-line element uses :eval),
which calls format-mode-line (a _really_ bad idea), which again calls
Lisp (due to :eval?), which calls line-number-at-pos, which crashes.

> I took a quick look at the function, and it turns out the cursor can be
> null even on the first iteration.  After applying the following change,
> I can see "cursor is null" printed out just before the crash.
>
> diff --git a/src/xdisp.c b/src/xdisp.c
> index 9cddcfeda27..f994021bb3c 100644
> --- a/src/xdisp.c
> +++ b/src/xdisp.c
> @@ -28457,6 +28457,8 @@ display_count_lines (ptrdiff_t start_byte,
>        ceiling = min (limit_byte - 1, ceiling);
>        ceiling_addr = BYTE_POS_ADDR (ceiling) + 1;
>        base = (cursor = BYTE_POS_ADDR (start_byte));
> +      if (! cursor)
> +        fprintf (stderr, "cursor is null\n");

That's most probably a sign of some other bug elsewhere.  BYTE_POS_ADDR
returns the pointer to buffer text, so it cannot be a NULL pointer,
unless something really catastrophic happened, like the current buffer
was killed behind redisplay's back.

Please add to the fprintf the following data:

  GPT_BYTE
  GAP_SIZE
  BEG_ADDR
  current_buffer->text->beg

and show the result.  My guess is that current_buffer->text->beg is
NULL, which means the current buffer was killed, and then the bug is
where this happens, not in display_count_lines.  Most probably, dirvish
does something that kills the buffer that is the current one when
format-mode-line is called.

> 1. Create init.el
>
> (require 'package)
> (add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/") t)
> (use-package dirvish :ensure t :config (dirvish-override-dired-mode))
> (global-display-line-numbers-mode +1)
> (dirvish-override-dired-mode)
>
> 2. emacs -q -l init.el
>
> 3. M-x dirvish
>
> 4. randomly kill dirvish buffers, and/or randomly delete dirvish windows.
>
> Chances are, at some point, Emacs crashes due to the above segv.  I have
> reproduced the crash in emacs -q, but it was not easy.  I will try to
> find a better recipe and post it here.

I tried to use this, but couldn't cause Emacs to crash.  And I don't
think the reproduction is really necessary, if we establish that the
current buffer is dead when format-mode-line is called in this case.
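Review bot: the `if (! cursor)` added at the end of the quoted hunk only reports the condition and then falls through, so the scan that follows still hands the NULL cursor to memchr and the process dies exactly as in the backtrace; as a diagnostic it should print the inputs that produced the NULL (start_byte, plus the GPT_BYTE, GAP_SIZE, BEG_ADDR and current_buffer->text->beg values requested in the reply) before anything dereferences cursor, and it must not be kept as a fix, because a NULL from BYTE_POS_ADDR means the buffer text is gone and the defect is in whatever killed the buffer under redisplay, not in display_count_lines.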