From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Pip Cet <pipcet@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#21380: 25.0.50; GTK-induced segfault when scheduling timer from
	window-configuration-change-hook
Date: Sun, 30 Aug 2015 15:27:38 +0000
Message-ID: <CAOqdjBcg5-Y=kQDxVmCtV-UsnZgqr9z=anzL31MBVEES99p1LQ@mail.gmail.com>
References: <CAOqdjBcHpNB4vqfybnXszDKSmzuqnEvHTxbEhGy-R0STy-ma4Q@mail.gmail.com>
	<83mvx8252m.fsf@gnu.org>
	<CAOqdjBd5TLUNBcukB9Vt6UhYu1577Bry4CvSsBeB0OuXMbk3kg@mail.gmail.com>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=089e0102f83e0213e2051e88f582
X-Trace: ger.gmane.org 1440948500 9166 80.91.229.3 (30 Aug 2015 15:28:20 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sun, 30 Aug 2015 15:28:20 +0000 (UTC)
Cc: 21380@debbugs.gnu.org
To: Eli Zaretskii <eliz@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sun Aug 30 17:28:12 2015
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1ZW4Wh-00036v-NG
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 30 Aug 2015 17:28:11 +0200
Original-Received: from localhost ([::1]:58999 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1ZW4Wh-0007Vb-Lh
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 30 Aug 2015 11:28:11 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:47600)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ZW4Wd-0007US-A4
	for bug-gnu-emacs@gnu.org; Sun, 30 Aug 2015 11:28:08 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ZW4WY-0005nF-En
	for bug-gnu-emacs@gnu.org; Sun, 30 Aug 2015 11:28:07 -0400
Original-Received: from debbugs.gnu.org ([208.118.235.43]:50644)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ZW4WY-0005n9-Ba
	for bug-gnu-emacs@gnu.org; Sun, 30 Aug 2015 11:28:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ZW4WY-0006ck-3U
	for bug-gnu-emacs@gnu.org; Sun, 30 Aug 2015 11:28:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Pip Cet <pipcet@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sun, 30 Aug 2015 15:28:02 +0000
Resent-Message-ID: <handler.21380.B21380.144094846225436@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 21380
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
Original-Received: via spool by 21380-submit@debbugs.gnu.org id=B21380.144094846225436
	(code B ref 21380); Sun, 30 Aug 2015 15:28:02 +0000
Original-Received: (at 21380) by debbugs.gnu.org; 30 Aug 2015 15:27:42 +0000
Original-Received: from localhost ([127.0.0.1]:42854 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ZW4WD-0006cC-AD
	for submit@debbugs.gnu.org; Sun, 30 Aug 2015 11:27:41 -0400
Original-Received: from mail-ig0-f180.google.com ([209.85.213.180]:34550)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <pipcet@gmail.com>) id 1ZW4WB-0006c4-3h
	for 21380@debbugs.gnu.org; Sun, 30 Aug 2015 11:27:39 -0400
Original-Received: by igui7 with SMTP id i7so42650374igu.1
	for <21380@debbugs.gnu.org>; Sun, 30 Aug 2015 08:27:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; 
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=FgO7+UWSEoOq3UPtoAnHSbzwODGunTW3OV6/eMBqlFY=;
	b=hFDZjxBY6upjL29imHdT4NTqqROZy8KAxMU05FAmkp09hP7gw6QzqwEh+91F8ExqQO
	FjHULoKgR6o/PdsEiM2t3WpQQeRIBpd/DSUxOIFnURmgN8x9aWlGlLWmFC+6upGWInba
	jqxSBDZP1vbeDKoA11r2E72iugNNjuRKjnWU9fm8/OHKvxNjgqZbT+yWU4zkQ8oReKAI
	gUnltS6KbOPYycJqJq3dAJBCrKzyT+w/SUK4Bj8y0s6dabCxi63DPVDhSsa0ZLEsMjqm
	+NRDe7I96ke658D+bskuZ/uCUH32wIgw+dlALd/J86vp+XMVeCTajZc4N/JjmaDbYItV
	TnzQ==
X-Received: by 10.50.112.227 with SMTP id it3mr11233151igb.93.1440948458490;
	Sun, 30 Aug 2015 08:27:38 -0700 (PDT)
Original-Received: by 10.79.78.66 with HTTP; Sun, 30 Aug 2015 08:27:38 -0700 (PDT)
In-Reply-To: <CAOqdjBd5TLUNBcukB9Vt6UhYu1577Bry4CvSsBeB0OuXMbk3kg@mail.gmail.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:105982
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/105982>

--089e0102f83e0213e2051e88f582
Content-Type: text/plain; charset=UTF-8

I forgot to make clear that I verified with gdb that args[0] ==
Vtimer_list. And if there's anything else you would like me to debug,
please let me know. It's very unfortunate I can't reproduce it with emacs
-Q and I realize that makes it impossible for you to deal with this bug
except through information I provide.

Thanks for trying anyway,
Pip

On Sun, Aug 30, 2015 at 3:24 PM, Pip Cet <pipcet@gmail.com> wrote:

>
>
> On Sun, Aug 30, 2015 at 3:01 PM, Eli Zaretskii <eliz@gnu.org> wrote:
>
>> > Date: Sun, 30 Aug 2015 12:51:26 +0000
>> > From: Pip Cet <pipcet@gmail.com>
>> > Somehow, the argument to Fcopy_sequence was changed while concat was
>> > underway.
>>
>> How do you see that?
>>
>
> I originally concluded it was the only way to trigger the bug, but I just
> managed to trigger it again and have it open in a GDB session:
>
> #1  0x00000000005efdb3 in concat (nargs=1, args=0x7fffffff76e8,
> target_type=Lisp_Cons, last_special=false) at fns.c:747
> 747                     XSETCAR (tail, elt);
> (gdb) p result_len
> $22 = 4
> (gdb) p debug_print(Flength(args[0]))
> 5
> $23 = void
> (gdb)
>
>
>> > Further investigation indicates that
>> > window-configuration-change-hook was called in the middle of concat:
>>
>> Did you understand how this fact is related to the segfault?
>>
>
> I _think_ I do.
>
> 1. concat called with args[0] == Vtimer_list
> 2. concat stores result_len (=4)
> 3. concat calls make_list (4)
> 4. make_list interrupted by QUIT
> 5. see stack trace
> 6. window-configuration-change-hook modifies Vtimer_list, which now has
> length 5
> 7. control returns to concat
> 8. concat tries to write 5 elements into a 4-element list, which causes
> the segfault because `tail' is unexpectedly NULL.
>
> Does that make sense to you?
>
> Thanks,
> Pip
>

--089e0102f83e0213e2051e88f582
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>I forgot to make clear that I verified with gdb =
that args[0] =3D=3D Vtimer_list. And if there&#39;s anything else you would=
 like me to debug, please let me know. It&#39;s very unfortunate I can&#39;=
t reproduce it with emacs -Q and I realize that makes it impossible for you=
 to deal with this bug except through information I provide.<br><br></div>T=
hanks for trying anyway,<br></div>Pip<br></div><div class=3D"gmail_extra"><=
br><div class=3D"gmail_quote">On Sun, Aug 30, 2015 at 3:24 PM, Pip Cet <spa=
n dir=3D"ltr">&lt;<a href=3D"mailto:pipcet@gmail.com" target=3D"_blank">pip=
cet@gmail.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div =
dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quote"><=
span class=3D"">On Sun, Aug 30, 2015 at 3:01 PM, Eli Zaretskii <span dir=3D=
"ltr">&lt;<a href=3D"mailto:eliz@gnu.org" target=3D"_blank">eliz@gnu.org</a=
>&gt;</span> wrote:<br></span><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:=
1ex"><span class=3D"">&gt; Date: Sun, 30 Aug 2015 12:51:26 +0000<br>
&gt; From: Pip Cet &lt;<a href=3D"mailto:pipcet@gmail.com" target=3D"_blank=
">pipcet@gmail.com</a>&gt;<br></span><span class=3D"">
&gt; Somehow, the argument to Fcopy_sequence was changed while concat was<b=
r>
&gt; underway.<br>
<br>
How do you see that?<br></span></blockquote><div><br></div><div>I originall=
y concluded it was the only way to trigger the bug, but I just managed to t=
rigger it again and have it open in a GDB session:<br></div><div><br></div>=
<div>#1=C2=A0 0x00000000005efdb3 in concat (nargs=3D1, args=3D0x7fffffff76e=
8, target_type=3DLisp_Cons, last_special=3Dfalse) at fns.c:747<br>747=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 XSETCAR (tail, elt);<br>(gdb) p res=
ult_len<br>$22 =3D 4<br>(gdb) p debug_print(Flength(args[0]))<br>5<br>$23 =
=3D void<br>(gdb) <br></div><span class=3D""><div>=C2=A0</div><blockquote c=
lass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px soli=
d rgb(204,204,204);padding-left:1ex">

&gt; Further investigation indicates that<br>
&gt; window-configuration-change-hook was called in the middle of concat:<b=
r>
<br>
Did you understand how this fact is related to the segfault?<br></blockquot=
e><div><br></div></span><div>I _think_ I do.<br></div><div><br></div><div>1=
. concat called with args[0] =3D=3D Vtimer_list<br></div><div>2. concat sto=
res result_len (=3D4)<br></div><div>3. concat calls make_list (4)<br></div>=
<div>4. make_list interrupted by QUIT<br></div><div>5. see stack trace<br><=
/div><div>6. window-configuration-change-hook modifies Vtimer_list, which n=
ow has length 5<br></div><div>7. control returns to concat<br></div><div>8.=
 concat tries to write 5 elements into a 4-element list, which causes the s=
egfault because `tail&#39; is unexpectedly NULL.<br></div><div><br></div><d=
iv>Does that make sense to you?<br><br></div><div>Thanks,<br></div><div>Pip=
<br></div></div></div></div>
</blockquote></div><br></div>

--089e0102f83e0213e2051e88f582--