segfault caused by rmail-delete-backward

segfault caused by rmail-delete-backward

[Jay Pfaffman]

This bug report will be sent to the Free Software Foundation,
not to your local site managers!
Please write in English, because the Emacs maintainers do not have
translators to read other languages for them.

Your bug report will be posted to the bug-gnu-emacs@gnu.org mailing list,
and to the gnu.emacs.bug news group.

In GNU Emacs 21.2.1 (i386-redhat-linux-gnu, X toolkit, Xaw3d scroll bars)
 of 2002-04-08 on porky.devel.redhat.com
configured using `configure  i386-redhat-linux --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --with-gcc --with-pop --with-sound'
Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: nil
  locale-coding-system: nil
  default-enable-multibyte-characters: t

Please describe exactly what actions triggered the bug
and the precise symptoms of the bug:

sometimes when doing a rmail-delete-backward will cause a seg fault.
I've currently got C-d mapped to my own function which calls
rmail-delete-backward (and copies messages into a folder used by a
baysian spam filter), but it did this before I started doing that.
It's been difficult to report this error because often it won't happen
again when I do a restart.

I was unable to get it to happen when I did an "emacs -q".  I might be
able to provide the errant RMAIL file, but it looks like the segfault
might be dependent on BBDB or something else (and obviously don't want
it to go out to the whole world).  Still, emacs should *never*
segfault (this is the first time in my memory that it's done so).
This happens a couple times a week.  Not quite sure when this problem
started.  I'll be glad to provide whatever info I've omitted.

I guess you can see that I'm running RedHat Linux 7.3.

Here's the end of an strace:

stat64("/home/pfaffman/mail/ham", {st_mode=S_IFREG|0644, st_size=8991436, ...}) = 0
lstat64("/home/pfaffman/mail/.#ham", {st_mode=S_IFLNK|0777, st_size=44, ...}) = 0
readlink("/home/pfaffman/mail/.#ham", "pfaffman@aaalab.stanford.edu.8242:1051634887", 100) = 44
getpid()                                = 8242
unlink("/home/pfaffman/mail/.#ham")     = 0
write(4, "\2\0\4\0\36\0@\0\0@\0\0)\0@\0", 16) = 16
gettimeofday({1055538198, 294959}, NULL) = 0
gettimeofday({1055538198, 295319}, NULL) = 0
stat64("/home/pfaffman/.bbdb", {st_mode=S_IFREG|0644, st_size=647906, ...}) = 0
stat64("/home/pfaffman/.bbdb", {st_mode=S_IFREG|0644, st_size=647906, ...}) = 0
stat64("/home/pfaffman/.bbdb", {st_mode=S_IFREG|0644, st_size=647906, ...}) = 0
--- SIGSEGV (Segmentation fault) ---
rt_sigaction(SIGSEGV, {SIG_DFL}, {0x80d6230, [], SA_RESTART|0x4000000}, 8) = 0
getpgid(0)                              = 8242
ioctl(0, 0x540f, [8241])                = 0
kill(-8262, SIGHUP)                     = 0
--- SIGCHLD (Child exited) ---
wait4(-1, [WIFSIGNALED(s) && WTERMSIG(s) == SIGHUP], WNOHANG|WUNTRACED, NULL) = 8262
wait4(-1, 0xbfffb544, WNOHANG|WUNTRACED, NULL) = 0
sigreturn()                             = ? (mask now [SEGV])
kill(-8243, SIGHUP)                     = 0
--- SIGCHLD (Child exited) ---
wait4(-1, [WIFSIGNALED(s) && WTERMSIG(s) == SIGHUP], WNOHANG|WUNTRACED, NULL) = 8243
wait4(-1, 0xbfffb544, WNOHANG|WUNTRACED, NULL) = -1 ECHILD (No child processes)
sigreturn()                             = ? (mask now [SEGV])
open("/home/pfaffman/.emacs.d/auto-save-list/.saves-8242-aaalab.stanford.edu~", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 6
fstat64(6, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x400f8000
write(6, "/home/pfaffman/.bbdb\n/home/pfaff"..., 100) = 100
close(6)                                = 0
munmap(0x400f8000, 4096)                = 0
rt_sigaction(SIGIO, {SIG_IGN}, {0x80deb50, [], SA_RESTART|0x4000000}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [SEGV], [SEGV], 8) = 0
getpid()                                = 8242
kill(8242, SIGSEGV)                     = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

Thanks.  I hope this helps.


Recent input: Not relevant

Recent messages:
For information about the GNU Project and its goals, type C-h C-p.
call-interactively: Quit
Loading apropos...done
Loading view...done
Type C-x 4 b RET to restore the other window.  C-M-v to scroll the help.
call-interactively: Quit
Mark set
Mark saved where search started [2 times]
Making completion list...
Loading emacsbug...done


-- 
Jay Pfaffman                           pfaffman@relaxpc.com
+1-415-821-7507 (H)                    +1-415-812-5047 (M)

Re: segfault caused by rmail-delete-backward

[Richard Stallman]

    Here's the end of an strace:

People probably got in the habit of using strace because, with
non-free software, that was all they could do to get any information
about what it was doing.  strace is not useful for debugging except in
unusual circumstances.  The information it provides is not relevant to
this bug, or most bugs.

What you need to do is recompile with debugging info if necessary,
then debug with GDB.  See etc/DEBUG for more information.

Re: segfault caused by rmail-delete-backward

[Jay Pfaffman]

On Sun, 15 Jun 2003 11:59:12 -0400, Richard Stallman <rms@gnu.org> said:

> What you need to do is recompile with debugging info if necessary,
> then debug with GDB.  See etc/DEBUG for more information.

OK, you shamed me into downloading & compiling emacs 21.2.  The error
is in xdisp.c, line 14291:

     while (*cursor != '\n' && ++cursor != ceiling_addr)

My best guess is that the error is here, or in whatever sets ceiling. 

   ceiling_addr = BYTE_POS_ADDR (ceiling) + 1; 

For a while I fantasized about being able to contribute a useful
patch, but I don't see that happening.

This bug causes emacs to segfault when doing an rmail-delete-backward.
It happens infrequently and is difficult to reproduce reliably.  In
the 10 or so years I've been using emacs, it's the *only* time I
remember seeing emacs seg-fault--which makes this line from etc/DEBUG,
seem quite absurd:

     It is a good idea to run Emacs under GDB (or some other suitable
     debugger) *all the time*.  Then, when Emacs crashes, you will be
     able to debug the live process, not just a core dump.

Does anyone really run emacs under GDB *all the time*?!  This seems
analogous to wearing a condom *all the time* regardless of whether one
might be engaged in risky behavior (and would make it rather difficult
to pee).

But I digress.

I hope that the suggestion that there is a problem with this line will
make it possible for someone who's familiar with the code to recognize
how it might be that ceiling_addr is improperly instantiated.

Thanks.

-- 
Jay Pfaffman                           pfaffman@relaxpc.com
+1-415-821-7507 (H)                    +1-415-812-5047 (M)

Re: segfault caused by rmail-delete-backward

[Richard Stallman]

    OK, you shamed me into downloading & compiling emacs 21.2.  The error
    is in xdisp.c, line 14291:

It would be more useful to debug it in the current development
sources, because that way we could see if it is fixed already.
However, this line

     while (*cursor != '\n' && ++cursor != ceiling_addr)

still exists, so it is possible the problem is unchanged.

To start to understand, I need more info.

What is the value of ceiling_addr?  What was the initial value
of cursor?  What is the value of cursor when it crashes?
What is the value of ceiling?

    Does anyone really run emacs under GDB *all the time*?!

I do.