From: Pip Cet via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#71744: 29.4; SIGSEGV during completion-at-point in lsp-mode with corfu and cape
Date: Fri, 16 Aug 2024 15:08:39 +0000
Message-ID: <87h6bkjyj1.fsf@protonmail.com>
References: <86mslf8axb.fsf@gnu.org> <86ed6r8535.fsf@gnu.org> <86cymb846o.fsf@gnu.org> <87jzgi17dy.fsf@protonmail.com>
Reply-To: Pip Cet
Cc: sigve.indregard@pm.me, Paul Eggert, 71744@debbugs.gnu.org
To: Eli Zaretskii
In-Reply-To: <87jzgi17dy.fsf@protonmail.com>
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.io gmane.emacs.bugs:290200

"Pip Cet" writes:

> Pip Cet writes:
>
>> "Eli Zaretskii" writes:
>>
>>>> Cc: 71744@debbugs.gnu.org
>>>> Date: Wed, 14 Aug 2024 19:03:10 +0300
>>>> From: Eli Zaretskii
>>>>
>>>> > Date: Wed, 14 Aug 2024 15:40:34 +0000
>>>> > From: Sigve Indregard
>>>> > Cc: 71744@debbugs.gnu.org
>>>> >
>>>> > (gdb) frame 3
>>>> > #3  parse_modifiers (symbol=XIL(0x5555564e3dc0)) at /usr/src/debug/emacs/emacs-29.4-wayland/src/keyboard.c:6888
>>>> > 6888	parse_modifiers (Lisp_Object symbol)
>>>> > (gdb) print symbol
>>>> > $11 = XIL(0x5555564e3dc0)
>>>> > (gdb) xsymbol
>>>> > $12 = (struct Lisp_Symbol *) 0xaaaaac1f1640
>>>> > Cannot access memory at address 0xaaaaac1f1648
>>>
>>> Btw, this 0x5555564e3dc0 value is the same as the pointer to old_kbd
>>> inside read_char:
>>>
>>> #7  read_char (commandflag=0, map=0x0, prev_event=0x0, used_mouse_menu=0x0, end_time=0x7fffffffb5b0) at /usr/src/debug/emacs/emacs-29.4-wayland/src/keyboard.c:3018
>>>         c =
>>>         local_getcjmp = {{__jmpbuf = {93825000405056, -5147324661749537557, 1, 4611686019484352512, 5, 0, -5147324661946669845, -1313834696378178325}, __mask_was_saved = 0, __saved_mask = {__val = {0, 93825010269488, 93825104789632, 140737488335792, 18446744073709550936, 11, 93825104789616, 140737488335856, 140737279378894, 140737488335856, 140737488335920, 0, 140737488335920, 0, 93825010269488, 140737488336000}}}}
>>>         save_jump = {{__jmpbuf = {12048, 140737188459256, 140737488335856, 93825095637120, 16, -7692597586030666240, 48, 1}, __mask_was_saved = 1453957408, __saved_mask = {__val = {140737488335776, 2, 140737488335824, 140737488335760, 140737321006214, 1, 140737321006651, 14319535557742690304, 6, 140737488335696, 140737279373914, 93825000331312, 0, 1, 1, 93823560581122}}}}
>>>         tem =
>>>         save = 0x0
>>>         previous_echo_area_message = 0x0
>>>         also_record = 0x0
>>>         reread = false
>>>         recorded = false
>>>         polling_stopped_here = false
>>>         orig_kboard = 0x5555564e3dc0 <<<<<<<<<<<<<<<<<<<<<<<
>>>
>>> So either the value of orig_kboard here is bogus (perhaps due to
>>> optimizations), or somehow the variable C, which is supposed to hold
>>> an input event, holds something very different instead, and then it's
>>> a small surprise that we crash.
>>
>> I think this looks like a setjmp-related bug. If this sys_setjmp in
>> read_char:
>>
>>   specpdl_ref jmpcount = SPECPDL_INDEX ();
>>   if (sys_setjmp (local_getcjmp))
>>     {
>>       /* Handle quits while reading the keyboard.  */
>>
>> returns true, we goto non_reread, where we test NILP (c). However, 'c'
>> is not declared volatile, and it might have changed, which would lead to
>> undefined behavior, including the possibility of holding another value
>> like orig_kboard.
>>
>> I'm afraid the only way to know for sure whether there's anything to
>> that theory is to look at the output of "disass/rs read_char" in gdb,
>> using the exact same binary that crashed, and check it line by line
>> (about 3,000 lines here...)
>
> I've done that now, and the bug is as I've described: the location
> -0x4e8(%rbp) sometimes holds orig_kboard, but is assumed to hold 'c'
> after a longjmp.
>
> This should fix it:
>
> diff --git a/src/keyboard.c b/src/keyboard.c
> index b312d529e59..148b9ee4dbf 100644
> --- a/src/keyboard.c
> +++ b/src/keyboard.c
> @@ -2522,7 +2522,7 @@ read_char (int commandflag, Lisp_Object map,
>  	   Lisp_Object prev_event,
>  	   bool *used_mouse_menu, struct timespec *end_time)
>  {
> -  Lisp_Object c;
> +  volatile Lisp_Object c;
>    sys_jmp_buf local_getcjmp;
>    sys_jmp_buf save_jump;
>    Lisp_Object tem, save;
>
>
> But it'd be really nice to recreate the buggy build and apply just this
> patch and see whether that fixes things. Unfortunately, Arch builds are
> very hard to reproduce precisely, so I'm not sure I can do it.

The whole thing should have resulted in a compiler warning, of course,
but there's this code in keyboard.c:

/* Work around GCC bug 54561.  */
#if GNUC_PREREQ (4, 3, 0)
# pragma GCC diagnostic ignored "-Wclobbered"
#endif

which means we won't get any warnings at all about such bugs. However,
even with that part removed, I don't get a compiler warning about 'c'.

The code is also rather weird:

   0x00000000001254a0 <+5456>:	48 8b 05 a1 17 75 00	mov    0x7517a1(%rip),%rax        # 0x876c48
   0x00000000001254a7 <+5463>:	48 89 85 18 fb ff ff	mov    %rax,-0x4e8(%rbp)
   0x00000000001254ae <+5470>:	48 85 c0            	test   %rax,%rax
   0x00000000001254b1 <+5473>:	0f 84 3a f5 ff ff   	je     0x1249f1
   0x00000000001254b7 <+5479>:	48 8b 85 18 fb ff ff	mov    -0x4e8(%rbp),%rax

(There is no branch to +5470, +5473, or +5479).

What's weird about this is that the store at +5463 that's causing our
problem isn't necessary, and neither is the load at +5479. The variable
in question, 'kb', is not marked volatile, so it seems strange to me
it's stored, then loaded, unnecessarily.

Paul, do you agree that we should simply mark 'c' as volatile, or do you
think this needs further investigation on the GCC side (because of the
lack of a -Wclobbered warning being issued, or because of the weird
code)?

Pip
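Review bot: Qualifying 'c' as volatile makes only 'c' safe across the sys_setjmp (local_getcjmp) / longjmp pair; the hunk leaves 'tem' and 'save', declared on the same context line, and the rest of read_char's automatics non-volatile, and any of them that is written between the sys_setjmp call and a longjmp back to it and then read after the jump has the same indeterminate value under C's setjmp rules, so the same audit is worth doing for them before calling this fixed. Also worth a comment on the declaration, e.g. `volatile Lisp_Object c;  /* Modified between sys_setjmp and longjmp.  */`, since -Wclobbered is suppressed for this file by the pragma quoted in the message above and nothing else will stop a later cleanup from dropping the qualifier.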
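The hazard the thread is about, as an added stand-alone example that is not Emacs code and not part of the message above: a local written after setjmp() has returned once and read again after longjmp() brings control back. The names (getcjmp, deliver_quit, read_event_unsafe, read_event_safe) and the use of a plain int in place of Lisp_Object are assumptions made for the example; deliver_quit stands in for the quit path that jumps back into read_char's sys_setjmp (local_getcjmp).

```c
/* Added example, not Emacs code: the setjmp/longjmp hazard behind the
   keyboard.c patch, reduced to a stand-alone program.  All names here
   are invented for the example. */
#include <setjmp.h>
#include <stdio.h>

static jmp_buf getcjmp;

/* Stand-in for a quit arriving while waiting for input: unwinds back
   to the setjmp site without returning normally. */
static void deliver_quit(void)
{
    longjmp(getcjmp, 1);
}

/* The buggy shape: 'c' is written after setjmp() has returned once,
   and read again after longjmp() brings control back.  C11 7.13.2.1p3
   makes the value of a non-volatile automatic that was modified in that
   window indeterminate: the compiler may keep it in a register that the
   longjmp restores to its old contents, or reuse its stack slot for
   another variable, which is how orig_kboard showed up where 'c' was
   expected in the crash.  The result here is therefore NOT defined. */
static int read_event_unsafe(void)
{
    int c = 0;
    if (setjmp(getcjmp) != 0)
        return c;          /* may be 0, may be 42, may be anything */
    c = 42;                /* modified between setjmp and longjmp */
    deliver_quit();        /* does not return */
    return -1;
}

/* The fixed shape, matching '- Lisp_Object c;' -> '+ volatile Lisp_Object c;':
   volatile forces the store to memory before the longjmp and a fresh load
   after it, so the value seen after the jump is the last one written. */
static int read_event_safe(void)
{
    volatile int c = 0;
    if (setjmp(getcjmp) != 0)
        return c;          /* always the last value written: 42 */
    c = 42;
    deliver_quit();
    return -1;
}

int main(void)
{
    printf("non-volatile c after longjmp: %d (indeterminate)\n",
           read_event_unsafe());
    printf("volatile c after longjmp:     %d\n", read_event_safe());
    return 0;
}
```

Build it with `gcc -O2 -Wextra` (or `-Wclobbered` explicitly; it is part of -Wextra) to see the diagnostic that keyboard.c turns off with its pragma; GCC typically flags the non-volatile 'c' in read_event_unsafe as possibly clobbered by longjmp, and says nothing about the volatile one. Whether read_event_unsafe actually returns 0 or 42 depends on the optimization level and register allocation, which is exactly why the message above had to go to the disassembly to confirm the theory.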