bug#27504: 25.1; segfault when org-ellipsis is empty

bug#27504: 25.1; segfault when org-ellipsis is empty

[Michael Ax]

[-- Attachment #1: Type: text/plain, Size: 4399 bytes --]



(setq org-ellipsis "") C-x C-e
(org-mode)  C-x C-e
* asd
** def C-p tab  < and boom



In GNU Emacs 25.1.1 (x86_64-pc-linux-gnu, GTK+ Version 3.22.12)
  of 2017-04-23, modified by Debian built on trouble
Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
System Description:    Debian GNU/Linux 9.0 (stretch)

Configured using:
  'configure --build x86_64-linux-gnu --prefix=/usr
  --sharedstatedir=/var/lib --libexecdir=/usr/lib
  --localstatedir=/var/lib --infodir=/usr/share/info
  --mandir=/usr/share/man --with-pop=yes
  --enable-locallisppath=/etc/emacs25:/etc/emacs:/usr/local/share/emacs/25.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/25.1/site-lisp:/usr/share/emacs/site-lisp
  --with-sound=alsa --build x86_64-linux-gnu --prefix=/usr
  --sharedstatedir=/var/lib --libexecdir=/usr/lib
  --localstatedir=/var/lib --infodir=/usr/share/info
  --mandir=/usr/share/man --with-pop=yes
  --enable-locallisppath=/etc/emacs25:/etc/emacs:/usr/local/share/emacs/25.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/25.1/site-lisp:/usr/share/emacs/site-lisp
  --with-sound=alsa --with-x=yes --with-x-toolkit=gtk3
  --with-toolkit-scroll-bars 'CFLAGS=-g -O2
  -fdebug-prefix-map=/build/emacs25-d2FC1K/emacs25-25.1+1=. 
-fstack-protector-strong
  -Wformat -Werror=format-security -Wall' 'CPPFLAGS=-Wdate-time
  -D_FORTIFY_SOURCE=2' LDFLAGS=-Wl,-z,relro'

Configured features:
XPM JPEG TIFF GIF PNG RSVG IMAGEMAGICK SOUND GPM DBUS GCONF GSETTINGS
NOTIFY ACL LIBSELINUX GNUTLS LIBXML2 FREETYPE M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11

Important settings:
   value of $LC_ALL: en_US.UTF-8
   value of $LC_TIME: de_DE.UTF-8
   value of $LANG: en_US.UTF-8
   locale-coding-system: utf-8-unix

Major mode: Org

Minor modes in effect:
   tooltip-mode: t
   global-eldoc-mode: t
   electric-indent-mode: t
   mouse-wheel-mode: t
   tool-bar-mode: t
   menu-bar-mode: t
   file-name-shadow-mode: t
   global-font-lock-mode: t
   font-lock-mode: t
   blink-cursor-mode: t
   auto-composition-mode: t
   auto-encryption-mode: t
   auto-compression-mode: t
   line-number-mode: t
   transient-mark-mode: t

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Mark set
"…"
nil
user-error: Beginning of history; no preceding item [4 times]
delete-forward-char: Text is read-only [2 times]
Quit

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rfc822 mml mml-sec
password-cache epg epg-config mm-decode mm-bodies mm-encode mail-parse
rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045
ietf-drums mm-util help-fns help-mode mail-prsvr mail-utils org-element
disp-table org-rmail org-mhe org-irc org-info org-gnus gnus-util
org-docview doc-view subr-x jka-compr image-mode dired cl-loaddefs pcase
cl-lib org-bibtex bibtex org-bbdb org-w3m org org-macro org-footnote
org-pcomplete pcomplete org-list org-faces org-entities noutline outline
easy-mmode org-version ob-emacs-lisp ob ob-tangle ob-ref ob-lob ob-table
ob-exp org-src ob-keys ob-comint comint ansi-color ring ob-core ob-eval
org-compat org-macs org-loaddefs format-spec find-func cal-menu easymenu
calendar cal-loaddefs time-date mule-util tooltip eldoc electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel x-win
term/common-win x-dnd tool-bar dnd fontset image regexp-opt fringe
tabulated-list newcomment elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock
syntax facemenu font-core frame cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese charscript case-table epa-hook jka-cmpr-hook help
simple abbrev minibuffer cl-preloaded nadvice loaddefs button faces
cus-face macroexp files text-properties overlay sha1 md5 base64 format
env code-pages mule custom widget hashtable-print-readable backquote
dbusbind inotify dynamic-setting system-font-setting font-render-setting
move-toolbar gtk x-toolkit x multi-tty make-network-process emacs)

Memory information:
((conses 16 139246 7278)
  (symbols 48 26409 0)
  (miscs 40 78 162)
  (strings 32 36282 5847)
  (string-bytes 1 1109341)
  (vectors 16 18242)
  (vector-slots 8 498343 4390)
  (floats 8 211 148)
  (intervals 56 295 0)
  (buffers 976 17))


[-- Attachment #2: Type: text/html, Size: 5809 bytes --]

bug#27504: 25.1; segfault when org-ellipsis is empty

[npostavs]

tags 27504 + confirmed
quit

Michael Ax <michaelax@gmail.com> writes:

> (setq org-ellipsis "") C-x C-e
> (org-mode)  C-x C-e
> * asd
> ** def C-p tab  < and boom

I can confirm also with emacs-master.  Below is some debug info, it
looks like next_element_from_display_vector assumes a non-empty ellipsis
display string.

Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.
0x00000000005823a3 in GLYPH_CODE_P (gc=XIL(0x3)) at ../../emacs-master/src/dispextern.h:1872
1872		  ? (CHARACTERP (XCAR (gc))
(gdb) bt
#0  0x00000000005823a3 in GLYPH_CODE_P (gc=XIL(0x3)) at ../../emacs-master/src/dispextern.h:1872
#1  0x00000000004552b0 in next_element_from_display_vector (it=0x7fffffff8dc0) at ../../emacs-master/src/xdisp.c:7760
#2  0x000000000045705e in next_element_from_buffer (it=0x7fffffff8dc0) at ../../emacs-master/src/xdisp.c:8368
#3  0x0000000000452fc8 in get_next_display_element (it=0x7fffffff8dc0) at ../../emacs-master/src/xdisp.c:6959
#4  0x000000000048601e in display_line (it=0x7fffffff8dc0, cursor_vpos=0) at ../../emacs-master/src/xdisp.c:20840
#5  0x0000000000477a39 in try_window (window=XIL(0x157dc35), pos=..., flags=1) at ../../emacs-master/src/xdisp.c:17482
#6  0x00000000004740a2 in redisplay_window (window=XIL(0x157dc35), just_this_one_p=true) at ../../emacs-master/src/xdisp.c:16929
#7  0x000000000046b3b7 in redisplay_window_1 (window=XIL(0x157dc35)) at ../../emacs-master/src/xdisp.c:14697
#8  0x000000000063dcfe in internal_condition_case_1 (bfun=0x46b375 <redisplay_window_1>, arg=XIL(0x157dc35), handlers=XIL(0xe82dd3), hfun=0x46b2ef <redisplay_window_error>) at ../../emacs-master/src/eval.c:1350
#9  0x000000000046a2c4 in redisplay_internal () at ../../emacs-master/src/xdisp.c:14269
#10 0x0000000000467557 in redisplay () at ../../emacs-master/src/xdisp.c:13378
#11 0x000000000058d580 in read_char (commandflag=1, map=XIL(0x36821b3), prev_event=XIL(0), used_mouse_menu=0x7fffffffe33f, end_time=0x0) at ../../emacs-master/src/keyboard.c:2484
#12 0x000000000059e02b in read_key_sequence (keybuf=0x7fffffffe4d0, bufsize=30, prompt=XIL(0), dont_downcase_last=false, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=false) at ../../emacs-master/src/keyboard.c:9124
#13 0x000000000058a0d0 in command_loop_1 () at ../../emacs-master/src/keyboard.c:1372
#14 0x000000000063dc27 in internal_condition_case (bfun=0x589c9d <command_loop_1>, handlers=XIL(0x4e00), hfun=0x5892f3 <cmd_error>) at ../../emacs-master/src/eval.c:1326
#15 0x00000000005898a2 in command_loop_2 (ignore=XIL(0)) at ../../emacs-master/src/keyboard.c:1114
#16 0x000000000063d164 in internal_catch (tag=XIL(0xbd60), func=0x589879 <command_loop_2>, arg=XIL(0))
    at ../../emacs-master/src/eval.c:1091
#17 0x0000000000589844 in command_loop () at ../../emacs-master/src/keyboard.c:1093
#18 0x0000000000588e08 in recursive_edit_1 () at ../../emacs-master/src/keyboard.c:699
#19 0x0000000000588fe7 in Frecursive_edit () at ../../emacs-master/src/keyboard.c:770
#20 0x0000000000586c74 in main (argc=2, argv=0x7fffffffe9a8) at ../../emacs-master/src/emacs.c:1706

Lisp Backtrace:
"redisplay_internal (C function)" (0x0)
(gdb) p gc
$1 = XIL(0x3)
(gdb) xpr
Lisp_Cons
$2 = (struct Lisp_Cons *) 0x0
Cannot access memory at address 0x0
(gdb) up 1
#1  0x00000000004552b0 in next_element_from_display_vector (it=0x7fffffff8dc0) at ../../emacs-master/src/xdisp.c:7760
7760	  if (GLYPH_CODE_P (gc))
(gdb) p it->dpvec
$3 = (Lisp_Object *) 0x9d4a88 <pure+104>
(gdb) p it->current.dpvec_index 
$4 = 0
(gdb) p it->dpvec[0]
$5 = XIL(0x3)
(gdb) p it->dpvec[1]
$6 = XIL(0xffffffffffffffff)
(gdb) p it->dpend
$7 = (Lisp_Object *) 0x9d4a88 <pure+104>
(gdb) p it->dpvec_char_len 
$8 = 0

bug#27504: 25.1; segfault when org-ellipsis is empty

[Eli Zaretskii]

> From: npostavs@users.sourceforge.net
> Date: Tue, 27 Jun 2017 08:10:58 -0400
> Cc: 27504@debbugs.gnu.org
> 
> > (setq org-ellipsis "") C-x C-e
> > (org-mode)  C-x C-e
> > * asd
> > ** def C-p tab  < and boom
> 
> I can confirm also with emacs-master.  Below is some debug info, it
> looks like next_element_from_display_vector assumes a non-empty ellipsis
> display string.
> 
> Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.
> 0x00000000005823a3 in GLYPH_CODE_P (gc=XIL(0x3)) at ../../emacs-master/src/dispextern.h:1872
> 1872		  ? (CHARACTERP (XCAR (gc))
> (gdb) bt
> #0  0x00000000005823a3 in GLYPH_CODE_P (gc=XIL(0x3)) at ../../emacs-master/src/dispextern.h:1872
> #1  0x00000000004552b0 in next_element_from_display_vector (it=0x7fffffff8dc0) at ../../emacs-master/src/xdisp.c:7760

Thanks, should be fixed now.

bug#27504: 25.1; segfault when org-ellipsis is empty

[Kaushal Modi]

[-- Attachment #1: Type: text/plain, Size: 510 bytes --]

Hi Noam,

I have a meta-question that originated from this bug. I was able to
reproduce this bug on an emacs session run in gdb and I even used the
-ggdb3 -O3 switches when building emacs. But I was unable to get any
backtrace[1] like you do here[2].

Any tips to what I am doing wrong here? [1] has details on what I tried to
do in gdb to get the backtrace.

[1]: http://lists.gnu.org/archive/html/emacs-devel/2017-06/msg00629.html
[2]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=27504#8
-- 

Kaushal Modi

[-- Attachment #2: Type: text/html, Size: 854 bytes --]

bug#27504: 25.1; segfault when org-ellipsis is empty

[Kaushal Modi]

[-- Attachment #1: Type: text/plain, Size: 419 bytes --]

>> Eli
> Can you tell the details?  Solved where and how?

It wasn't 'solved' per say.. just that org-ellipsis is now not allowed to
be any empty string.

http://orgmode.org/cgit.cgi/org-mode.git/commit/?id=6c498f13375574db873d3d5da100235cfe09a190

Thread on org mode mailing list:
http://lists.gnu.org/archive/html/emacs-orgmode/2017-06/msg00508.html

Thanks for fixing the root cause of this issue.
-- 

Kaushal Modi

[-- Attachment #2: Type: text/html, Size: 861 bytes --]

bug#27504: 25.1; segfault when org-ellipsis is empty

[npostavs]

tags 27504 fixed
close 27504 26.1
quit

Kaushal Modi <kaushal.modi@gmail.com> writes:

>> Can you tell the details?  Solved where and how?
>
> It wasn't 'solved' per say.. just that org-ellipsis is now not allowed to
> be any empty string.
>
> http://orgmode.org/cgit.cgi/org-mode.git/commit/?id=6c498f13375574db873d3d5da100235cfe09a190
>
> Thread on org mode mailing list:
> http://lists.gnu.org/archive/html/emacs-orgmode/2017-06/msg00508.html
>
> Thanks for fixing the root cause of this issue.

Yup, I can confirm no segfault after updating to [1: 4a5653cd28].

[1: 4a5653cd28]: 2017-06-27 11:45:22 -0400
  Avoid segfaults when some display vector is an empty string
  http://git.savannah.gnu.org/cgit/emacs.git/commit/?id=4a5653cd2859308ada4bbf5ffc9fb9b283eef31a