From: Chong Yidong
Newsgroups: gmane.emacs.bugs
Subject: bug#9401: 24.0.50; Crash during fontification
Date: Mon, 29 Aug 2011 12:10:12 -0400
Message-ID: <87obz8i4gr.fsf@stupidchicken.com>
To: 9401@debbugs.gnu.org

I can trigger this crash about 50 percent of the time by doing

  emacs -q trunk/src/buffer.h
  C-s defvar

Emacs then crashes with a segfault.  The problem involves a call to
scan_sexps_forward (frame#4) with from_byte larger than the byte size of
the buffer.

In GNU Emacs 24.0.50.6 (x86_64-unknown-linux-gnu, GTK+ Version 2.20.1)
 of 2011-08-28 on furball
Windowing system distributor `The X.Org Foundation', version 11.0.10706000
configured using `configure 'CC=gcc' 'CFLAGS=-g''

#0 0x00000000004d339e in sub_char_table_ref (table=12557029, c=7077888, is_uniprop=0) at chartab.c:214
#1 0x00000000004d3583 in char_table_ref (table=12555781, c=7077888) at chartab.c:238
#2 0x00000000004d3603 in char_table_ref (table=13980037, c=7077888) at chartab.c:244
#3 0x00000000004d3603 in char_table_ref (table=20726293, c=7077888) at chartab.c:244
#4 0x00000000006300a5 in scan_sexps_forward (stateptr=0x7fffffff30b0, from=26298, from_byte=48082, end=38471, targetdepth=-10000, stopbefore=0, oldstate=12552834, commentstop=0) at syntax.c:3133
#5 0x000000000061e721 in back_comment (from=38165, from_byte=38165, stop=1, comnested=0, comstyle=0, charpos_ptr=0x7fffffff3418, bytepos_ptr=0x7fffffff3420) at syntax.c:733
#6 0x000000000062c7ec in scan_lists (from=38471, count=-1, depth=0, sexpflag=1) at syntax.c:2768
#7 0x000000000062d78c in Fscan_sexps (from=153900, count=-4) at syntax.c:2879
#8 0x00000000005e9321 in Ffuncall (nargs=3, args=0x7fffffff35a0) at eval.c:2993
#9 0x000000000063632a in exec_byte_code (bytestr=16912593, vector=16668517, maxdepth=12, args_template=12552834, nargs=0, args=0x0) at bytecode.c:785
#10 0x00000000006358e7 in Fbyte_code (bytestr=16912593, vector=16668517, maxdepth=12) at bytecode.c:423
#11 0x00000000005e7c59 in eval_sub (form=13302582) at eval.c:2344
#12 0x00000000005e5ce9 in internal_lisp_condition_case (var=12552834, bodyform=13302582, handlers=13301958) at eval.c:1445
#13 0x0000000000636ff1 in exec_byte_code (bytestr=14879841, vector=16442533, maxdepth=36, args_template=12552834, nargs=0, args=0x0) at bytecode.c:981
#14 0x00000000006358e7 in Fbyte_code (bytestr=14879841, vector=16442533, maxdepth=36) at bytecode.c:423
#15 0x00000000005e7c59 in eval_sub (form=13181174) at eval.c:2344
#16 0x00000000005e57f3 in internal_catch (tag=13108082, func=0x5e7559 , arg=13181174) at eval.c:1248
#17 0x0000000000636f81 in exec_byte_code (bytestr=16475201, vector=16727461, maxdepth=108, args_template=12552834, nargs=0, args=0x0) at bytecode.c:966
#18 0x00000000005e9d9f in funcall_lambda (fun=16837253, nargs=3, arg_vector=0xff3da5) at eval.c:3221
#19 0x00000000005e950c in Ffuncall (nargs=4, args=0x7fffffff4900) at eval.c:3039
#20 0x000000000063632a in exec_byte_code (bytestr=20878529, vector=17068181, maxdepth=24, args_template=12552834, nargs=0, args=0x0) at bytecode.c:785
#21 0x00000000006358e7 in Fbyte_code (bytestr=20878529, vector=17068181, maxdepth=24) at bytecode.c:423
#22 0x00000000005e7c59 in eval_sub (form=14631046) at eval.c:2344
#23 0x00000000005e57f3 in internal_catch (tag=13339906, func=0x5e7559 , arg=14631046) at eval.c:1248
#24 0x0000000000636f81 in exec_byte_code (bytestr=20878657, vector=17068613, maxdepth=8, args_template=12552834, nargs=0, args=0x0) at bytecode.c:966
#25 0x00000000005e9d9f in funcall_lambda (fun=17068853, nargs=0, arg_vector=0x1047245) at eval.c:3221
....
#55 0x0000000000432aae in safe_call1 (fn=15752850, arg=158376) at xdisp.c:2218
#56 0x00000000004352b0 in handle_fontified_prop (it=0x7fffffff8b50) at xdisp.c:3332
#57 0x00000000004344ab in handle_stop (it=0x7fffffff8b50) at xdisp.c:2923
#58 0x000000000043c10e in reseat (it=0x7fffffff8b50, pos=..., force_p=1) at xdisp.c:5828
#59 0x0000000000433af8 in init_iterator (it=0x7fffffff8b50, w=0x1296430, charpos=39594, bytepos=39594, row=0x0, base_face_id=DEFAULT_FACE_ID) at xdisp.c:2633
#60 0x0000000000454c5b in redisplay_window (window=19489845, just_this_one_p=0) at xdisp.c:15265
#61 0x000000000044f05a in redisplay_window_0 (window=19489845) at xdisp.c:13320
#62 0x00000000005e5fa3 in internal_condition_case_1 ( bfun=0x44f01b , arg=19489845, handlers=12523142, hfun=0x44efec ) at eval.c:1529
#63 0x000000000044efcd in redisplay_windows (window=19489845) at xdisp.c:13300
#64 0x000000000044dfa5 in redisplay_internal () at xdisp.c:12877
#65 0x000000000044e7f7 in redisplay_preserve_echo_area (from_where=2) at xdisp.c:13128
#66 0x000000000041ffdb in Fredisplay (force=12552834) at dispnew.c:5991
#67 0x00000000005e92fa in Ffuncall (nargs=1, args=0x7fffffffb7b0) at eval.c:2990
#68 0x000000000063632a in exec_byte_code (bytestr=9404985, vector=9405021, maxdepth=20, args_template=12552834, nargs=0, args=0x0) at bytecode.c:785
#69 0x00000000005e9d9f in funcall_lambda (fun=9404869, nargs=1, arg_vector=0x8f825d) at eval.c:3221
...
#93 0x000000000055b370 in Fcommand_execute (cmd=15676706, record_flag=12552834, keys=12552834, special=12552834) at keyboard.c:10271
#94 0x00000000005497a8 in command_loop_1 () at keyboard.c:1572
#95 0x00000000005e5e3c in internal_condition_case ( bfun=0x548f00 , handlers=12604850, hfun=0x5487db ) at eval.c:1491
#96 0x0000000000548bf7 in command_loop_2 (ignore=12552834) at keyboard.c:1156
#97 0x00000000005e57f3 in internal_catch (tag=12600642, func=0x548bd1 , arg=12552834) at eval.c:1248
#98 0x0000000000548baa in command_loop () at keyboard.c:1135
#99 0x0000000000548329 in recursive_edit_1 () at keyboard.c:756
#100 0x00000000005484c5 in Frecursive_edit () at keyboard.c:820
#101 0x000000000054666b in main (argc=2, argv=0x7fffffffe708) at emacs.c:1698

Lisp Backtrace:
"scan-sexps" (0xffff35a8)
"byte-code" (0xffff39a0)
"byte-code" (0xffff40c0)
"c-beginning-of-statement-1" (0xffff4908)
"byte-code" (0xffff4d10)
"c-beginning-of-decl-1" (0xffff5488)
"c-font-lock-enclosing-decls" (0xffff5968)
"font-lock-fontify-keywords-region" (0xffff5e68)
"font-lock-default-fontify-region" (0xffff6348)
"font-lock-fontify-region" (0xffff69c0)
"run-hook-with-args" (0xffff69b8)
"byte-code" (0xffff6db0)
"jit-lock-fontify-now" (0xffff7598)
"jit-lock-function" (0xffff7c78)
"redisplay" (0xffffb7b8)
"sit-for" (0xffffbc98)
"isearch-lazy-highlight-new-loop" (0xffffc168)
"isearch-update" (0xffffc648)
"isearch-search-and-update" (0xffffcb18)
"isearch-process-search-string" (0xffffcfd8)
"isearch-process-search-char" (0xffffd4a8)
"isearch-printing-char" (0xffffd980)
"call-interactively" (0xffffdd38)

(gdb) f 4
#4 0x00000000006300a5 in scan_sexps_forward (stateptr=0x7fffffff30b0, from=26298, from_byte=48082, end=38471, targetdepth=-10000, stopbefore=0, oldstate=12552834, commentstop=0) at syntax.c:3133
3133 temp = SYNTAX (temp);
(gdb) p temp
$1 = 7077888
(gdb) p from_byte
$2 = 48082
(gdb) p current_buffer->zv
$3 = 41396
(gdb) p current_buffer->zv_byte
$4 = 41396
(gdb) f 5
#5 0x000000000061e721 in back_comment (from=38165, from_byte=38165, stop=1, comnested=0, comstyle=0, charpos_ptr=0x7fffffff3418, bytepos_ptr=0x7fffffff3420) at syntax.c:733
733 scan_sexps_forward (&state,
(gdb) p &state
$5 = (struct lisp_parse_state *) 0x7fffffff30b0
(gdb) p defun_start
$6 = 17891
(gdb) p defun_start_byte
$7 = 38163
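
Added example, not part of the original report and not Emacs source: a standalone C check of the invariants a (character position, byte position) pair has to satisfy before it is used to index buffer text, applied to the values printed in the gdb session above. The function and enum names are hypothetical; positions are assumed 1-based with zv/zv_byte as the end of the accessible text.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names, not Emacs code.  Positions are 1-based. */
typedef enum {
    POS_OK = 0,
    POS_CHAR_OUT_OF_RANGE,  /* charpos < 1 or charpos > zv */
    POS_BYTE_OUT_OF_RANGE,  /* bytepos > zv_byte: a fetch would read past the text */
    POS_BYTE_BEFORE_CHAR,   /* bytepos < charpos: every character is >= 1 byte */
    POS_PAIR_INCONSISTENT   /* more multibyte overhead than the text contains */
} pos_status;

pos_status check_pos_pair(ptrdiff_t charpos, ptrdiff_t bytepos,
                          ptrdiff_t zv, ptrdiff_t zv_byte)
{
    if (charpos < 1 || charpos > zv)
        return POS_CHAR_OUT_OF_RANGE;
    if (bytepos > zv_byte)
        return POS_BYTE_OUT_OF_RANGE;
    if (bytepos < charpos)
        return POS_BYTE_BEFORE_CHAR;
    /* bytepos - charpos is the number of extra bytes contributed by
       multibyte characters before the position.  It can never exceed
       the extra bytes in the whole text, zv_byte - zv.  When the two
       are equal (all single-byte text) the pair must match exactly. */
    if (bytepos - charpos > zv_byte - zv)
        return POS_PAIR_INCONSISTENT;
    return POS_OK;
}

int main(void)
{
    /* Values copied from the gdb session: $3 and $4. */
    const ptrdiff_t zv = 41396, zv_byte = 41396;

    /* Frame 4: from / from_byte passed to scan_sexps_forward. */
    printf("frame 4 from/from_byte:        %d\n",
           (int) check_pos_pair(26298, 48082, zv, zv_byte));
    /* Frame 5: defun_start / defun_start_byte ($6, $7). */
    printf("frame 5 defun_start pair:      %d\n",
           (int) check_pos_pair(17891, 38163, zv, zv_byte));
    /* Frame 5: from / from_byte passed to back_comment. */
    printf("frame 5 from/from_byte:        %d\n",
           (int) check_pos_pair(38165, 38165, zv, zv_byte));
    return 0;
}
```

With zv equal to zv_byte, the only consistent pairs are those where the two positions are equal, so both the frame 4 arguments and the frame 5 defun_start pair are rejected while the back_comment arguments pass.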