unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#12026: 24.1.50; crash in tooltip
@ 2012-07-22 23:51 Sam Steingold
  2012-07-23 16:56 ` Johan Bockgård
  0 siblings, 1 reply; 3+ messages in thread
From: Sam Steingold @ 2012-07-22 23:51 UTC (permalink / raw)
  To: 12026

In GNU Emacs 24.1.50.3 (x86_64-unknown-linux-gnu, X toolkit, Xaw3d scroll bars)
 of 2012-07-22 on t520sds
Bzr revision: 109186 dmantipov@yandex.ru-20120722053724-alrlxd0ksvr6a2et
Windowing system distributor `The X.Org Foundation', version 11.0.11103000
Configured using:
 `configure '--with-wide-int''


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3f303e1 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) where
#0  0x00007ffff3f303e1 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x0000000000580ab5 in strout (ptr=0x560000000000b6db <Address 0x560000000000b6db out of bounds>, size=-5692549928996306943, 
    size_byte=-5692549928996306943, printcharfun=11983826) at /home/sds/src/emacs/trunk/src/print.c:277
#2  0x0000000000582316 in print_string (string=<optimized out>, printcharfun=11983826) at /home/sds/src/emacs/trunk/src/print.c:410
#3  0x00000000005844b3 in print_object (obj=49942269, printcharfun=11983826, escapeflag=0) at /home/sds/src/emacs/trunk/src/print.c:1903
#4  0x00000000005837bc in print_object (obj=40357574, printcharfun=11983826, escapeflag=0) at /home/sds/src/emacs/trunk/src/print.c:1676
#5  0x0000000000585a3d in Fprin1_to_string (object=40357542, noescape=11983874) at /home/sds/src/emacs/trunk/src/print.c:610
#6  0x000000000055ed94 in Fformat (nargs=2, args=0x7fffffffb300) at /home/sds/src/emacs/trunk/src/editfns.c:3815
#7  0x000000000055f890 in Fmessage (nargs=<optimized out>, args=<optimized out>) at /home/sds/src/emacs/trunk/src/editfns.c:3468
#8  0x00000000005687b9 in Ffuncall (nargs=3, args=0x7fffffffb2f8) at /home/sds/src/emacs/trunk/src/eval.c:2777
#9  0x000000000059fd03 in exec_byte_code (bytestr=6196953087261849307, vector=140737488335608, maxdepth=-5692549928996306943, 
    args_template=4611686018695757824, nargs=4611686018430533632, args=0x1) at /home/sds/src/emacs/trunk/src/bytecode.c:898
#10 0x0000000000567c13 in eval_sub (form=<optimized out>) at /home/sds/src/emacs/trunk/src/eval.c:2152
#11 0x0000000000567fa5 in Fprogn (args=10373414) at /home/sds/src/emacs/trunk/src/eval.c:362
#12 0x000000000056a8ad in internal_lisp_condition_case (var=12035602, bodyform=10373118, handlers=10373382)
    at /home/sds/src/emacs/trunk/src/eval.c:1257
#13 0x00000000005a15e8 in exec_byte_code (bytestr=6196953087261849307, vector=140737488336456, maxdepth=-5692549928996306943, 
    args_template=4611686018695757824, nargs=4611686018430533632, args=0x1) at /home/sds/src/emacs/trunk/src/bytecode.c:1094
#14 0x000000000056822f in funcall_lambda (fun=10372917, nargs=<optimized out>, arg_vector=0x7fffffffb800)
    at /home/sds/src/emacs/trunk/src/eval.c:3028
#15 0x000000000056856b in Ffuncall (nargs=3, args=0x7fffffffb7f8) at /home/sds/src/emacs/trunk/src/eval.c:2857
#16 0x000000000059fd03 in exec_byte_code (bytestr=6196953087261849307, vector=140737488336888, maxdepth=-5692549928996306943, 
    args_template=4611686018695757824, nargs=4611686018430533632, args=0x1) at /home/sds/src/emacs/trunk/src/bytecode.c:898
#17 0x000000000056822f in funcall_lambda (fun=10375445, nargs=<optimized out>, arg_vector=0x7fffffffbaa8)
    at /home/sds/src/emacs/trunk/src/eval.c:3028
#18 0x000000000056856b in Ffuncall (nargs=2, args=0x7fffffffbaa0) at /home/sds/src/emacs/trunk/src/eval.c:2857
#19 0x0000000000566ffc in run_hook_with_args (nargs=2, args=0x7fffffffbaa0, funcall=0x568370 <Ffuncall>) at /home/sds/src/emacs/trunk/src/eval.c:2505
#20 0x00000000005687b9 in Ffuncall (nargs=3, args=0x7fffffffba98) at /home/sds/src/emacs/trunk/src/eval.c:2777
#21 0x000000000059fd03 in exec_byte_code (bytestr=6196953087261849307, vector=140737488337560, maxdepth=-5692549928996306943, 
    args_template=4611686018695757824, nargs=4611686018430533632, args=0x1) at /home/sds/src/emacs/trunk/src/bytecode.c:898
#22 0x000000000056822f in funcall_lambda (fun=10372557, nargs=<optimized out>, arg_vector=0x7fffffffbd78)
    at /home/sds/src/emacs/trunk/src/eval.c:3028
#23 0x000000000056856b in Ffuncall (nargs=2, args=0x7fffffffbd70) at /home/sds/src/emacs/trunk/src/eval.c:2857
#24 0x000000000056976f in Fapply (nargs=2, args=0x7fffffffbd70) at /home/sds/src/emacs/trunk/src/eval.c:2251
#25 0x00000000005687b9 in Ffuncall (nargs=3, args=0x7fffffffbd68) at /home/sds/src/emacs/trunk/src/eval.c:2777
#26 0x000000000059fd03 in exec_byte_code (bytestr=6196953087261849307, vector=140737488338280, maxdepth=-5692549928996306943, 
    args_template=4611686018695757824, nargs=4611686018430533632, args=0x1) at /home/sds/src/emacs/trunk/src/bytecode.c:898
---Type <return> to continue, or q <return> to quit---
#27 0x0000000000567c13 in eval_sub (form=<optimized out>) at /home/sds/src/emacs/trunk/src/eval.c:2152
#28 0x000000000056a932 in internal_lisp_condition_case (var=11983826, bodyform=9983270, handlers=8758398)
    at /home/sds/src/emacs/trunk/src/eval.c:1274
#29 0x00000000005a15e8 in exec_byte_code (bytestr=6196953087261849307, vector=140737488339128, maxdepth=-5692549928996306943, 
    args_template=4611686018695757824, nargs=4611686018430533632, args=0x1) at /home/sds/src/emacs/trunk/src/bytecode.c:1094
#30 0x000000000056822f in funcall_lambda (fun=9982957, nargs=<optimized out>, arg_vector=0x7fffffffc278) at /home/sds/src/emacs/trunk/src/eval.c:3028
#31 0x000000000056856b in Ffuncall (nargs=2, args=0x7fffffffc270) at /home/sds/src/emacs/trunk/src/eval.c:2857
#32 0x00000000005689ea in call1 (fn=<optimized out>, arg1=<optimized out>) at /home/sds/src/emacs/trunk/src/eval.c:2568
#33 0x00000000004f41d6 in timer_check_2 () at /home/sds/src/emacs/trunk/src/keyboard.c:4457
#34 0x00000000004f72dd in timer_check () at /home/sds/src/emacs/trunk/src/keyboard.c:4502
#35 0x00000000004f73f9 in readable_events (flags=<optimized out>) at /home/sds/src/emacs/trunk/src/keyboard.c:3398
#36 0x00000000004f9a25 in get_input_pending (flags=1, addr=0xb5c830) at /home/sds/src/emacs/trunk/src/keyboard.c:6725
#37 0x00000000004fc04a in detect_input_pending_run_timers (do_display=1) at /home/sds/src/emacs/trunk/src/keyboard.c:10358
#38 0x00000000005a7ff1 in wait_reading_process_output (time_limit=<optimized out>, nsecs=0, read_kbd=-1, do_display=1, wait_for_cell=11983826, 
    wait_proc=<optimized out>, just_wait_proc=0) at /home/sds/src/emacs/trunk/src/process.c:4721
#39 0x000000000041af74 in sit_for (timeout=<optimized out>, reading=1, do_display=1) at /home/sds/src/emacs/trunk/src/dispnew.c:6000
#40 0x00000000004fe1c9 in read_char (commandflag=1, nmaps=3, maps=0x7fffffffcc90, prev_event=11983826, used_mouse_menu=0x7fffffffce20, end_time=0x0)
    at /home/sds/src/emacs/trunk/src/keyboard.c:2701
#41 0x00000000004fefd5 in read_key_sequence (keybuf=0x7fffffffce80, prompt=11983826, dont_downcase_last=0, can_return_switch_frame=1, 
    fix_current_buffer=1, bufsize=30) at /home/sds/src/emacs/trunk/src/keyboard.c:9316
#42 0x0000000000500bf8 in command_loop_1 () at /home/sds/src/emacs/trunk/src/keyboard.c:1449
#43 0x0000000000566ac8 in internal_condition_case (bfun=0x500a30 <command_loop_1>, handlers=12035602, hfun=0x4f5d10 <cmd_error>)
    at /home/sds/src/emacs/trunk/src/eval.c:1320
#44 0x00000000004f38ee in command_loop_2 (ignore=<optimized out>) at /home/sds/src/emacs/trunk/src/keyboard.c:1152
#45 0x00000000005669a8 in internal_catch (tag=<error reading variable: Cannot access memory at address 0x560000000000b6bb>, 
    func=0x4f38d0 <command_loop_2>, arg=11983826) at /home/sds/src/emacs/trunk/src/eval.c:1077
#46 0x00000000004f57d7 in command_loop () at /home/sds/src/emacs/trunk/src/keyboard.c:1131
#47 recursive_edit_1 () at /home/sds/src/emacs/trunk/src/keyboard.c:752
#48 0x00000000004f5b14 in Frecursive_edit () at /home/sds/src/emacs/trunk/src/keyboard.c:816
#49 0x000000000041004d in main (argc=1, argv=<optimized out>) at /home/sds/src/emacs/trunk/src/emacs.c:1677

Lisp Backtrace:
"message" (0xffffb300)
"byte-code" (0xffffb3e0)
"tooltip-show" (0xffffb800)
"tooltip-help-tips" (0xffffbaa8)
"run-hook-with-args-until-success" (0xffffbaa0)
---Type <return> to continue, or q <return> to quit---
"tooltip-timeout" (0xffffbd78)
"apply" (0xffffbd70)
"byte-code" (0xffffbe60)
"timer-event-handler" (0xffffc278)
(gdb) up
#1  0x0000000000580ab5 in strout (ptr=0x560000000000b6db <Address 0x560000000000b6db out of bounds>, size=-5692549928996306943, 
    size_byte=-5692549928996306943, printcharfun=11983826) at /home/sds/src/emacs/trunk/src/print.c:277
277         size_byte = size = strlen (ptr);
(gdb) up
#2  0x0000000000582316 in print_string (string=<optimized out>, printcharfun=11983826) at /home/sds/src/emacs/trunk/src/print.c:410
410             strout (SSDATA (string), chars, SBYTES (string), printcharfun);
(gdb) c
Continuing.
Fatal error (11)
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3e05727 in kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) c
Continuing.
ptrace: No such process.
(gdb) c
Continuing.
Cannot execute this command while the selected thread is running.
(gdb) run
Cannot access memory at address 0x8370a0
(gdb) bt full
Target is executing.
(gdb) xbacktrace 
Cannot access memory at address 0xb480b0
(gdb) 






-- 
Sam Steingold (http://sds.podval.org/) on Ubuntu 12.04 (precise) X 11.0.11103000
http://www.childpsy.net/ http://mideasttruth.com http://ffii.org
http://www.memritv.org http://openvotingconsortium.org http://pmw.org.il
Every day above ground is a good day.

* bug#12026: 24.1.50; crash in tooltip
  2012-07-22 23:51 bug#12026: 24.1.50; crash in tooltip Sam Steingold
@ 2012-07-23 16:56 ` Johan Bockgård
  2012-07-23 17:51   ` Eli Zaretskii
  0 siblings, 1 reply; 3+ messages in thread
From: Johan Bockgård @ 2012-07-23 16:56 UTC (permalink / raw)
  To: sds; +Cc: 12026

Sam Steingold <sds@gnu.org> writes:

> Lisp Backtrace:
> "message" (0xffffb300)
> "byte-code" (0xffffb3e0)
> "tooltip-show" (0xffffb800)
> "tooltip-help-tips" (0xffffbaa8)
> "run-hook-with-args-until-success" (0xffffbaa0)

1.

I can reproduce it by

    (setq x-gtk-use-system-tooltips nil)

    Move the mouse over a tooltip area in the mode line.
    => Crash


The recent change to decode_any_window

      CHECK_LIVE_FRAME (w->frame);

signals an error in x_create_tip_frame since f->terminal is still NULL
at this point

  [x_create_tip_frame]

      f = make_frame (1);
      ...
      buffer = Fget_buffer_create (build_string (" *tip*"));
      Fset_window_buffer (FRAME_ROOT_WINDOW (f), buffer, Qnil);    <<<<
      ...
      f->terminal = dpyinfo->terminal;


The error is caught by tooltip-show

    (condition-case error
          ...
	  (x-show-tip ...))
      (error
       (message "Error while displaying tooltip: %s" error)
       ...

which crashes while trying to print "(wrong-type-argument frame-live-p
#<dead ...", since f->name is nil.


The problem can be fixed (error in decode_any_window avoided) by moving
the initialization of f->terminal earlier:

=== modified file 'src/xfns.c'
--- src/xfns.c	2012-07-20 07:29:04 +0000
+++ src/xfns.c	2012-07-23 15:14:17 +0000
@@ -4591,6 +4591,8 @@ x_create_tip_frame (struct x_display_inf
   f = make_frame (1);
   XSETFRAME (frame, f);
 
+  f->terminal = dpyinfo->terminal;
+
   buffer = Fget_buffer_create (build_string (" *tip*"));
   Fset_window_buffer (FRAME_ROOT_WINDOW (f), buffer, Qnil);
   old_buffer = current_buffer;
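
Review bot: The new f->terminal assignment ahead of Fset_window_buffer encodes an ordering requirement that nothing in the code states. Add a comment at the assignment saying the terminal has to be set before the first call that reaches CHECK_LIVE_FRAME in decode_any_window, otherwise the next reshuffle of x_create_tip_frame brings the error back. This hunk also leaves f->name untouched, so any other error signaled this early still hands a frame with a nil name to the printer.
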
@@ -4605,8 +4607,6 @@ x_create_tip_frame (struct x_display_inf
   FRAME_CAN_HAVE_SCROLL_BARS (f) = 0;
   record_unwind_protect (unwind_create_tip_frame, frame);
 
-  f->terminal = dpyinfo->terminal;
-
   /* By setting the output method, we're essentially saying that
      the frame is live, as per FRAME_LIVE_P.  If we get a signal
      from this point on, x_destroy_window might screw up reference
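
Review bot: The comment kept at the end of this hunk still says the frame counts as live once the output method is set, while the check this patch works around fails, per the description above, only while f->terminal is NULL. With the assignment moved above record_unwind_protect (unwind_create_tip_frame, frame), there is now a stretch where the frame passes that check but no unwind handler is registered. Either confirm that nothing in that stretch can signal or register the handler before the assignment, and update the comment to match.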


2.

But the late initialisation of f->name is a problem in its own right:

    (setq x-gtk-use-system-tooltips nil)
    (defun foo (win pos) (message "%S" (window-frame win)))
    (add-hook 'window-scroll-functions 'foo)

    Move the mouse over a tooltip area in the mode line.
    => Crash

(Also crashes in Emacs 23.)


3.

The same problem with f->name also exists in
Fx_create_frame/make_minibuffer_frame:

    (defun foo (win pos) (message "%S" (window-frame win)))
    (add-hook 'window-scroll-functions 'foo)

    (make-frame '((minibuffer . only)))
    => Crash

(Also crashes in Emacs 23.)
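
The failure mode described in the message above (an error handler printing a frame whose name slot is still nil) as a reduced C model; this is an added example, not code from Emacs or from anyone in the thread. The tag layout, struct fields and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced model of a tagged Lisp value: the low 3 bits hold a type tag.
   Tag values and all names below are hypothetical, not Emacs's own. */
typedef uintptr_t lisp_obj;
enum { TAG_SYMBOL = 0, TAG_STRING = 4, TAG_MASK = 7 };
#define QNIL ((lisp_obj) TAG_SYMBOL)        /* nil: a symbol, not a string */

struct lisp_string { _Alignas(8) size_t size_byte; const char *data; };
struct frame { lisp_obj name; void *terminal; };  /* both unset after allocation */

static int stringp(lisp_obj o) { return (o & TAG_MASK) == TAG_STRING; }
static lisp_obj tag_string(struct lisp_string *s) { return (lisp_obj) s | TAG_STRING; }
static struct lisp_string *xstring(lisp_obj o)
{
    return (struct lisp_string *) (o & ~(lisp_obj) TAG_MASK);
}

/* Print a frame into OUT.  The name slot is untagged only after its tag is
   checked; without the check, nil's bits would be read as a string header.
   Returns the number of bytes written, or -1 if OUT is too small.  */
int print_frame(const struct frame *f, char *out, size_t cap)
{
    const char *prefix = f->terminal ? "#<frame " : "#<dead frame ";
    const char *name = "(no name)";
    size_t len = strlen(name);

    if (stringp(f->name)) {                 /* type check before untagging */
        name = xstring(f->name)->data;
        len = xstring(f->name)->size_byte;  /* stored length, not strlen() */
    }
    int n = snprintf(out, cap, "%s%.*s>", prefix, (int) len, name);
    return (n < 0 || (size_t) n >= cap) ? -1 : n;
}

int main(void)
{
    static struct lisp_string s = { 9, "tip-frame" };   /* constructed sample */
    int dummy_terminal;
    char buf[64];
    struct frame half = { QNIL, NULL };     /* state when the error was signaled */
    struct frame done = { tag_string(&s), &dummy_terminal };
    if (print_frame(&half, buf, sizeof buf) > 0) puts(buf);
    if (print_frame(&done, buf, sizeof buf) > 0) puts(buf);
    return 0;
}
```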

* bug#12026: 24.1.50; crash in tooltip
  2012-07-23 16:56 ` Johan Bockgård
@ 2012-07-23 17:51   ` Eli Zaretskii
  0 siblings, 0 replies; 3+ messages in thread
From: Eli Zaretskii @ 2012-07-23 17:51 UTC (permalink / raw)
  To: Johan Bockgård; +Cc: 12026, sds

> From: Johan Bockgård <bojohan@gnu.org>
> Date: Mon, 23 Jul 2012 18:56:45 +0200
> Cc: 12026@debbugs.gnu.org
> 
> The recent change to decode_any_window
> 
>       CHECK_LIVE_FRAME (w->frame);
> 
> signals an error in x_create_tip_frame since f->terminal is still NULL
> at this point
> 
>   [x_create_tip_frame]
> 
>       f = make_frame (1);
>       ...
>       buffer = Fget_buffer_create (build_string (" *tip*"));
>       Fset_window_buffer (FRAME_ROOT_WINDOW (f), buffer, Qnil);    <<<<
>       ...
>       f->terminal = dpyinfo->terminal;
> 
> 
> The error is caught by tooltip-show
> 
>     (condition-case error
>           ...
> 	  (x-show-tip ...))
>       (error
>        (message "Error while displaying tooltip: %s" error)
>        ...
> 
> which crashes while trying to print "(wrong-type-argument frame-live-p
> #<dead ...", since f->name is nil.

Where were you an hour ago, when I started working on this, and made
the same way (sans the GTK stuff) to the root cause? ;-)

> The problem can be fixed (error in decode_any_window avoided) by moving
> the initialization of f->terminal earlier:
> 
> === modified file 'src/xfns.c'
> --- src/xfns.c	2012-07-20 07:29:04 +0000
> +++ src/xfns.c	2012-07-23 15:14:17 +0000
> @@ -4591,6 +4591,8 @@ x_create_tip_frame (struct x_display_inf
>    f = make_frame (1);
>    XSETFRAME (frame, f);
>  
> +  f->terminal = dpyinfo->terminal;
> +
>    buffer = Fget_buffer_create (build_string (" *tip*"));
>    Fset_window_buffer (FRAME_ROOT_WINDOW (f), buffer, Qnil);
>    old_buffer = current_buffer;
> @@ -4605,8 +4607,6 @@ x_create_tip_frame (struct x_display_inf
>    FRAME_CAN_HAVE_SCROLL_BARS (f) = 0;
>    record_unwind_protect (unwind_create_tip_frame, frame);
>  
> -  f->terminal = dpyinfo->terminal;
> -

I don't think this is the right fix.  It's not right to have frame
creation code be so fragile as to break badly when a single line is
moved around.

Perhaps we could have a smarter test in decode_any_window instead of
CHECK_LIVE_FRAME.  For example, it could somehow detect that the frame
is just being created (e.g., if its name is nil?) and let it pass.

> But the late initialisation of f->name is a problem in its own right:
> 
>     (setq x-gtk-use-system-tooltips nil)
>     (defun foo (win pos) (message "%S" (window-frame win)))
>     (add-hook 'window-scroll-functions 'foo)
> 
>     Move the mouse over a tooltip area in the mode line.
>     => Crash

This no longer crashes in revno 109194 and later.

> The same problem with f->name also exists in
> Fx_create_frame/make_minibuffer_frame:
> 
>     (defun foo (win pos) (message "%S" (window-frame win)))
>     (add-hook 'window-scroll-functions 'foo)
> 
>     (make-frame '((minibuffer . only)))
>     => Crash

Neither does this.

But the issue with CHECK_LIVE_FRAME is still there.  I just disabled
the test for now.