From: Robert Pluim
Newsgroups: gmane.emacs.bugs
Subject: bug#49066: 26.3; Segmentation fault on specific utf8 string
Date: Thu, 17 Jun 2021 15:07:18 +0200
Message-ID: <878s3863nd.fsf@gmail.com>
References: <871r91ikdv.fsf@gnus.org> <83czsl0z4z.fsf@gnu.org> <87czsl543c.fsf@gmail.com> <831r9029k2.fsf@gnu.org>
To: Eli Zaretskii
Cc: 49066@debbugs.gnu.org, larsi@gnus.org, mvsfrasson@gmail.com
In-Reply-To: <831r9029k2.fsf@gnu.org> (Eli Zaretskii's message of "Thu, 17 Jun 2021 11:13:17 +0300")

>>>>> On Thu, 17 Jun 2021 11:13:17 +0300, Eli Zaretskii said:

>> From: Robert Pluim
>> Cc: Lars Ingebrigtsen, 49066@debbugs.gnu.org,
>> mvsfrasson@gmail.com
>> Date: Thu, 17 Jun 2021 09:43:03 +0200
>> 
>> This is from an optimized build of emacs-26.1. I can redo it with a
>> '-g3 -O0' if you want.

Eli> That'd help.

Full backtrace from an unoptimized build:

Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.
0x0000000000557a9d in AREF (array=XIL(0), idx=1) at lisp.h:1614
1614	  return XVECTOR (array)->contents[idx];
(gdb) bt
#0  0x0000000000557a9d in AREF (array=XIL(0), idx=1) at lisp.h:1614
#1  0x0000000000693602 in ftfont_shape_by_flt (lgstring=XIL(0xb64755), font=0x1308cb0 , ft_face=0x340fef0, otf=0x342c810, matrix=0x1308da8 ) at ftfont.c:2573
#2  0x00000000006939c4 in ftfont_shape (lgstring=XIL(0xb64755)) at ftfont.c:2615
#3  0x0000000000695ae8 in xftfont_shape (lgstring=XIL(0xb64755)) at xftfont.c:670
#4  0x0000000000624f14 in Ffont_shape_gstring (gstring=XIL(0xb64755)) at font.c:4427
#5  0x000000000060714d in funcall_subr (subr=0xa41d60 , numargs=1, args=0x7fffffff6830) at eval.c:2844
#6  0x0000000000606d80 in Ffuncall (nargs=2, args=0x7fffffff6828) at eval.c:2769
#7  0x000000000064ef3a in exec_byte_code (bytestr=XIL(0x81e114), vector=XIL(0x81e135), maxdepth=make_number(6), args_template=XIL(0), nargs=0, args=0x0) at bytecode.c:629
#8  0x0000000000607b03 in funcall_lambda (fun=XIL(0x81e0a5), nargs=5, arg_vector=0x81e135 ) at eval.c:3052
#9  0x0000000000606dc4 in Ffuncall (nargs=6, args=0x7fffffff6d20) at eval.c:2771
#10 0x000000000060392c in internal_condition_case_n (bfun=0x606c02 , nargs=6, args=0x7fffffff6d20, handlers=XIL(0xc090), hfun=0x43f2a4 ) at eval.c:1412
#11 0x000000000043f519 in safe__call (inhibit_quit=false, nargs=6, func=XIL(0x8e6520), ap=0x7fffffff6e00) at xdisp.c:2617
#12 0x000000000043f60c in safe_call (nargs=6, func=XIL(0x8e6520)) at xdisp.c:2633
#13 0x000000000067e4e6 in autocmp_chars (rule=XIL(0xf2b705), charpos=40, bytepos=78, limit=42, win=0x103bc30 , face=0x349d570, string=XIL(0)) at composite.c:928
#14 0x000000000067fad8 in composition_reseat_it (cmp_it=0x7fffffff8f30, charpos=40, bytepos=78, endpos=464, w=0x103bc30 , face=0x349d570, string=XIL(0)) at composite.c:1228
#15 0x000000000044e88f in next_element_from_buffer (it=0x7fffffff86b0) at xdisp.c:8483
#16 0x000000000044ab2a in get_next_display_element (it=0x7fffffff86b0) at xdisp.c:7026
#17 0x00000000004715db in display_line (it=0x7fffffff86b0, cursor_vpos=3) at xdisp.c:21409
#18 0x0000000000466d36 in try_window (window=XIL(0x103bc35), pos=..., flags=1) at xdisp.c:17627
#19 0x00000000004648da in redisplay_window (window=XIL(0x103bc35), just_this_one_p=false) at xdisp.c:17074
#20 0x000000000045de89 in redisplay_window_0 (window=XIL(0x103bc35)) at xdisp.c:14831
#21 0x00000000006037bc in internal_condition_case_1 (bfun=0x45de47 , arg=XIL(0x103bc35), handlers=XIL(0xb3de33), hfun=0x45de0f ) at eval.c:1356
#22 0x000000000045dde4 in redisplay_windows (window=XIL(0x103bc35)) at xdisp.c:14811
#23 0x000000000045cd16 in redisplay_internal () at xdisp.c:14300
#24 0x000000000045ada7 in redisplay () at xdisp.c:13518
#25 0x0000000000563326 in read_char (commandflag=1, map=XIL(0x142c4b3), prev_event=XIL(0), used_mouse_menu=0x7fffffffdaef, end_time=0x0) at keyboard.c:2480
#26 0x000000000057056f in read_key_sequence (keybuf=0x7fffffffdc40, bufsize=30, prompt=XIL(0), dont_downcase_last=false, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=false) at keyboard.c:9147
#27 0x00000000005607c3 in command_loop_1 () at keyboard.c:1368
#28 0x0000000000603715 in internal_condition_case (bfun=0x5603b5 , handlers=XIL(0x5250), hfun=0x55fb97 ) at eval.c:1332
#29 0x00000000005600a6 in command_loop_2 (ignore=XIL(0)) at keyboard.c:1110
#30 0x0000000000602fed in internal_catch (tag=XIL(0xc6f0), func=0x560079 , arg=XIL(0)) at eval.c:1097
#31 0x0000000000560045 in command_loop () at keyboard.c:1089
#32 0x000000000055f76a in recursive_edit_1 () at keyboard.c:695
#33 0x000000000055f8ea in Frecursive_edit () at keyboard.c:766
#34 0x000000000055d58e in main (argc=2, argv=0x7fffffffe128) at emacs.c:1713

Lisp Backtrace:
"font-shape-gstring" (0xffff6830)
"auto-compose-chars" (0xffff6d28)
"redisplay_internal (C function)" (0x0)
(gdb) 

>> Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.
>> ftfont_shape_by_flt (matrix=, otf=, ft_face=, font=, lgstring=...)
>> at ftfont.c:2573
>> 2573	      g->g.to = LGLYPH_TO (LGSTRING_GLYPH (lgstring, g->g.to));

Eli> So, is 'g' a NULL pointer or something? Or is 'lgstring' faulty in
Eli> some way? IOW, what is the immediate reason for the
Eli> segfault?

Itʼs lgstring, I think this is one of those 'nil's in lgstring

#0  0x0000000000557a9d in AREF (array=XIL(0), idx=1) at lisp.h:1614
1614	  return XVECTOR (array)->contents[idx];
(gdb) up
#1  0x0000000000693602 in ftfont_shape_by_flt (lgstring=XIL(0xb64755), font=0x1308cb0 , ft_face=0x340fef0, otf=0x342c810, matrix=0x1308da8 ) at ftfont.c:2573
2573	      g->g.to = LGLYPH_TO (LGSTRING_GLYPH (lgstring, g->g.to));
(gdb) pp lgstring
[[# 2453 8204] nil [0 0 2453 20 16 -1 17 12 0 nil] [1 1 8204 658 0 -1 1 15 4 nil] nil nil nil [5 5 0 3039 11 0 12 7 5 nil] [6 6 1606 1044 11 0 11 8 3 nil] nil]
(gdb) p g
$2 = (MFLTGlyphFT *) 0x2e631e0
(gdb) p *g
$3 = {
  g = {
    c = 2453,
    code = 20,
    from = 0,
    to = 2,
    xadv = 1024,
    yadv = 0,
    ascent = 768,
    descent = 0,
    lbearing = -64,
    rbearing = 1024,
    xoff = 0,
    yoff = 0,
    encoded = 1,
    measured = 1,
    adjusted = 0,
    internal = 0
  },
  libotf_positioning_type = 0
}

>> (gdb) bt
>> #0 ftfont_shape_by_fltPython Exception value has been optimized out: 

Eli> What's the story with these Python exceptions? Looks like some
Eli> problem in our .gdbinit?

They donʼt happen with an unoptimized build.

Eli> The backtrace stops too soon. Can you show more? I'd like at the
Eli> very least to see which sequence of characters causes the trouble.
Eli> From the above, I can only glean that we were performing a character
Eli> composition.

This is enough to cause the crash: ক‌

That's #x995 followed by #x200c.
Why are we trying to compose a ZWNJ?

Eli> It could be some problem with the shaping engine: I guess versions
Eli> after Emacs 26 are built with HarfBuzz, not m17n-flt? If you forcibly
Eli> use m17n-flt in a later Emacs, does it still not crash?

emacs-27 built '--without-harfbuzz' and thus with m17n-flt crashes the same way.

Robert
-- 
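The crash mechanism visible in the gdb session above (a glyph index from the shaper pointing at a nil slot of the gstring, then AREF applied to nil) can be modelled in a few lines. The following is an added example written for this page; it is not Emacs source and not Robert's or Eli's code. It reproduces the printed lgstring in a miniature tagged-value type invented for the example, keeps Emacs's slot convention (LGSTRING_GLYPH (lgs, i) is AREF (lgs, i + 2) and LGLYPH_TO (g) is AREF (g, 1)), and shows an unchecked accessor of the same shape as the one in frame #0 next to a checked accessor that fails cleanly on nil or out-of-range slots. The header's font object is replaced by nil and each glyph is cut to its first four slots, since the rest is not needed for the lookup.

```c
/* Added example, not Emacs source: miniature model of the lgstring from
   the "pp lgstring" output and of the AREF that segfaulted on a nil slot. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum obj_tag { T_NIL, T_INT, T_VEC };

/* Stand-in for a Lisp_Object: nil, a fixnum, or a vector of Objs.
   The encoding is invented for this example. */
typedef struct Obj {
    enum obj_tag tag;
    long fixnum;              /* valid when tag == T_INT */
    size_t size;              /* valid when tag == T_VEC */
    const struct Obj *slots;  /* valid when tag == T_VEC, NULL for nil */
} Obj;

/* Initializer helpers (brace lists, so they work in static data). */
#define NIL_OBJ      { T_NIL, 0, 0, NULL }
#define INT_OBJ(n)   { T_INT, (n), 0, NULL }
#define VEC_OBJ(arr) { T_VEC, 0, sizeof (arr) / sizeof ((arr)[0]), (arr) }

/* Constructed from the dump above: glyphs cut to [from to char code];
   the unprintable font object in the header is replaced by nil. */
static const Obj header[] = { NIL_OBJ, INT_OBJ (2453), INT_OBJ (8204) };
static const Obj g0[] = { INT_OBJ (0), INT_OBJ (0), INT_OBJ (2453), INT_OBJ (20) };
static const Obj g1[] = { INT_OBJ (1), INT_OBJ (1), INT_OBJ (8204), INT_OBJ (658) };
static const Obj g5[] = { INT_OBJ (5), INT_OBJ (5), INT_OBJ (0), INT_OBJ (3039) };
static const Obj g6[] = { INT_OBJ (6), INT_OBJ (6), INT_OBJ (1606), INT_OBJ (1044) };

static const Obj lgstring_slots[] = {
    VEC_OBJ (header), NIL_OBJ,        /* slot 0: header, slot 1: id */
    VEC_OBJ (g0), VEC_OBJ (g1),       /* glyphs 0 and 1 */
    NIL_OBJ, NIL_OBJ, NIL_OBJ,        /* glyphs 2, 3, 4 are nil */
    VEC_OBJ (g5), VEC_OBJ (g6),       /* glyphs 5 and 6 */
    NIL_OBJ                           /* glyph 7 is nil */
};
static const Obj lgstring = VEC_OBJ (lgstring_slots);

/* Same shape as the AREF in frame #0: no check that ARRAY is a vector.
   For a nil ARRAY, SLOTS is NULL and this dereference is the SIGSEGV. */
static Obj aref_unchecked (const Obj *array, size_t idx)
{
    return array->slots[idx];
}

/* Checked variant: reports failure instead of dereferencing nil or
   reading past the end of the vector. */
static bool aref_checked (const Obj *array, size_t idx, Obj *out)
{
    if (array->tag != T_VEC || idx >= array->size)
        return false;
    *out = array->slots[idx];
    return true;
}

/* Number of glyph slots: everything after the header and id slots. */
static size_t lgstring_glyph_len (const Obj *lgs)
{
    return lgs->tag == T_VEC && lgs->size >= 2 ? lgs->size - 2 : 0;
}

/* LGLYPH_TO (LGSTRING_GLYPH (lgs, i)) with both steps checked: returns -1
   when glyph I is nil, out of range, or has no fixnum in its "to" slot.
   In the dump the shaper's glyph had g.to == 2, and glyph 2 is nil. */
static long lglyph_to (const Obj *lgs, size_t i)
{
    Obj glyph, to;
    if (!aref_checked (lgs, i + 2, &glyph))
        return -1;
    if (!aref_checked (&glyph, 1, &to) || to.tag != T_INT)
        return -1;
    return to.fixnum;
}

/* Index of the first nil glyph slot, or the glyph count when there is
   none: a validation a caller could run before trusting glyph indices. */
static size_t first_nil_glyph (const Obj *lgs)
{
    size_t n = lgstring_glyph_len (lgs);
    for (size_t i = 0; i < n; i++)
    {
        Obj glyph;
        if (!aref_checked (lgs, i + 2, &glyph) || glyph.tag != T_VEC)
            return i;
    }
    return n;
}

int main (void)
{
    /* The unchecked accessor is fine while its precondition holds. */
    Obj h = aref_unchecked (&lgstring, 0);
    printf ("header slots %zu, glyph slots %zu, first nil glyph %zu\n",
            h.size, lgstring_glyph_len (&lgstring), first_nil_glyph (&lgstring));
    /* The lookup from the crashing line, for the index the dump showed. */
    printf ("to of glyph 0 = %ld, to of glyph 2 = %ld\n",
            lglyph_to (&lgstring, 0), lglyph_to (&lgstring, 2));
    return 0;
}
```

The checked lookup turns the null dereference into a -1 that the caller has to handle, and first_nil_glyph pinpoints where the gstring stops being trustworthy (glyph 2 here), which is the kind of invariant a shaping backend can assert on before indexing with values handed back by an external engine.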