bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)

bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)

[Ken Brown]

[-- Attachment #1: Type: text/plain, Size: 9329 bytes --]

I just tried to view an emacs window that had been idle for a long time. 
  I don't remember if I was using Alt-Tab to cycle through the open 
windows or if I clicked on the emacs icon in the task bar.  When I 
couldn't get to the window, I checked the terminal from which I had 
started emacs under gdb, and I saw that emacs had crashed:

Program received signal SIGSEGV, Segmentation fault.
0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
     at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
123       if (f->output_data.w32->old_palette)

(gdb) bt
#0  0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
     at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
#1  0x000000010068e798 in release_frame_dc (f=0x0, hdc=0x0)
     at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:154
#2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 
<bss_sbrk_buffer+6283800>, c=32) at 
/usr/src/debug/emacs-24.3.94-1/src/w32uniscribe.c:585
#3  0x000000010047dfe5 in get_glyph_face_and_encoding (f=0x1010f3c48 
<bss_sbrk_buffer+6275016>, glyph=0x60075a850, char2b=0x4280ce L"\003腐 
B", two_byte_p=0x0)
     at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:24024
#4  0x000000010047f230 in x_get_glyph_overhangs (glyph=0x60075a850, 
f=0x1010f3c48 <bss_sbrk_buffer+6275016>, left=0x428130, right=0x42812c)
     at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:24367
#5  0x000000010047f55b in left_overwriting (s=0x4281c0)
     at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:24446
#6  0x0000000100481200 in draw_glyphs (w=0x1010f4c48 
<bss_sbrk_buffer+6279112>, x=625, row=0x600790f20, area=TEXT_AREA, 
start=77, end=78, hl=
     DRAW_NORMAL_TEXT, overlaps=0)
     at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:24945
#7  0x0000000100489ed1 in x_write_glyphs (w=0x1010f4c48 
<bss_sbrk_buffer+6279112>, updated_row=0x600790f20, start=0x60075ae20, 
updated_area=TEXT_AREA, len=1)
     at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:26812
#8  0x000000010040a277 in update_text_area (w=0x1010f4c48 
<bss_sbrk_buffer+6279112>, updated_row=0x600790f20, vpos=23)
     at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3746
#9  0x000000010040a64d in update_window_line (w=0x1010f4c48 
<bss_sbrk_buffer+6279112>, vpos=23, mouse_face_overwritten_p=0x42878f)
     at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3848
#10 0x000000010040952b in update_window (w=0x1010f4c48 
<bss_sbrk_buffer+6279112>, force_p=true) at 
/usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3427
#11 0x0000000100408c9a in update_window_tree (w=0x1010f4c48 
<bss_sbrk_buffer+6279112>, force_p=true) at 
/usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3210
#12 0x0000000100408c63 in update_window_tree (w=0x600691538, force_p=true)
     at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3208
#13 0x00000001004088b7 in update_frame (f=0x1010f3c48 
<bss_sbrk_buffer+6275016>, force_p=true, inhibit_hairy_id_p=false)
     at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3099
#14 0x0000000100453e6c in redisplay_internal ()
     at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:13967
#15 0x000000010045495f in redisplay_preserve_echo_area (from_where=8)
     at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:14185
#16 0x00000001005475cc in detect_input_pending_run_timers (do_display=true)
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:9897
#17 0x000000010063a6e7 in wait_reading_process_output (time_limit=0, 
nsecs=0, read_kbd=-1, do_display=true, wait_for_cell=4306509874, 
wait_proc=0x0, just_wait_proc=0) at 
/usr/src/debug/emacs-24.3.94-1/src/process.c:4699
#18 0x0000000100538e14 in kbd_buffer_get_event (kbp=0x429b88, 
used_mouse_menu=0x42a3cf, end_time=0x0) at 
/usr/src/debug/emacs-24.3.94-1/src/keyboard.c:3906
#19 0x0000000100533cf3 in read_event_from_main_queue (end_time=0x0, 
local_getcjmp=0x429fb0, used_mouse_menu=0x42a3cf)
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:2246
#20 0x0000000100534030 in read_decoded_event_from_main_queue 
(end_time=0x0, local_getcjmp=0x429fb0, prev_event=4306509874, 
used_mouse_menu=0x42a3cf)
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:2309
#21 0x0000000100535fe4 in read_char (commandflag=1, map=25780162614, 
prev_event=4306509874, used_mouse_menu=0x42a3cf, end_time=0x0)
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:2895
#22 0x00000001005455af in read_key_sequence (keybuf=0x42a5e0, 
bufsize=30, prompt=4306509874, dont_downcase_last=false, 
can_return_switch_frame=true, fix_current_buffer=true, 
prevent_redisplay=false)
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:9088
#23 0x0000000100531a04 in command_loop_1 ()
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:1452
#24 0x00000001005dbdf0 in internal_condition_case (bfun=0x1005314ef 
<command_loop_1>, handlers=4306584322, hfun=0x100530a7a <cmd_error>)
     at /usr/src/debug/emacs-24.3.94-1/src/eval.c:1348
#25 0x00000001005310bd in command_loop_2 (ignore=4306509874)
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:1177
#26 0x00000001005db141 in internal_catch (tag=4306578482, 
func=0x10053108b <command_loop_2>, arg=4306509874) at 
/usr/src/debug/emacs-24.3.94-1/src/eval.c:1112
#27 0x000000010053104c in command_loop ()
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:1156
#28 0x00000001005304db in recursive_edit_1 ()
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:777
#29 0x000000010053070d in Frecursive_edit ()
     at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:848
#30 0x000000010052e3e3 in main (argc=1, argv=0x42ab00)
     at /usr/src/debug/emacs-24.3.94-1/src/emacs.c:1647

Lisp Backtrace:
"redisplay_internal (C function)" (0xaf7720)

A full backtrace of all threads is attached.

At the time of the crash, the emacs frame was split into two windows. 
One was viewing a plain text C++ file (ASCII only), and the other was a 
*grep* buffer from `M-x rgrep'.  I have no idea how that strange 
(Chinese?) character got into frame 3.

I still have the gdb session open.

Ken

In GNU Emacs 24.3.94.1 (x86_64-unknown-cygwin)
  of 2014-10-03 on desktop-new
Windowing system distributor `Microsoft Corp.', version 6.1.7601
Configured using:
  `configure
 
--srcdir=/home/kbrown/src/cygemacs/emacs-24.3.94-1.x86_64/src/emacs-24.3.94
  --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
  --libexecdir=/usr/libexec --datadir=/usr/share --localstatedir=/var
  --sysconfdir=/etc --libdir=/usr/lib --datarootdir=/usr/share
  --docdir=/usr/share/doc/emacs --htmldir=/usr/share/doc/emacs/html -C
  --with-w32 --with-file-notification=no --enable-checking=yes,glyphs
  'CFLAGS=-ggdb -O2 -pipe -Wimplicit-function-declaration -O0 -g3
 
-fdebug-prefix-map=/home/kbrown/src/cygemacs/emacs-24.3.94-1.x86_64/build=/usr/src/debug/emacs-24.3.94-1
 
-fdebug-prefix-map=/home/kbrown/src/cygemacs/emacs-24.3.94-1.x86_64/src/emacs-24.3.94=/usr/src/debug/emacs-24.3.94-1'
  CPPFLAGS= LDFLAGS=-Wl,--stack,0x400000'

Important settings:
   value of $LANG: en_US.UTF-8
   locale-coding-system: utf-8-unix

Major mode: Text

Minor modes in effect:
   show-paren-mode: t
   display-time-mode: t
   delete-selection-mode: t
   tooltip-mode: t
   electric-indent-mode: t
   mouse-wheel-mode: t
   tool-bar-mode: t
   menu-bar-mode: t
   file-name-shadow-mode: t
   global-font-lock-mode: t
   font-lock-mode: t
   auto-composition-mode: t
   auto-encryption-mode: t
   auto-compression-mode: t
   temp-buffer-resize-mode: t
   buffer-read-only: t
   column-number-mode: t
   line-number-mode: t
   auto-fill-function: do-auto-fill
   transient-mark-mode: t
   view-mode: t

Load-path shadows:
None found.

Features:
(misearch multi-isearch mailalias mailclient browse-url qp help-mode pp
shadow gnus-util mail-extr emacsbug message cl-macs format-spec rfc822
mml mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231 mailabbrev
gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums mm-util
mail-prsvr mail-utils view server dired edmacro kmacro solar cal-dst
planner-diary cl gv diary-lib diary-loaddefs planner-publish muse-xml
planner advice help-fns cal-menu calendar cal-loaddefs sort muse-colors
muse-latex muse-html muse-xml-common cus-edit muse-publish muse-project
muse-protocols muse-regexps wid-edit cl-loaddefs cl-lib derived muse
muse-nested-tags muse-mode gap-mode-autoloads info easymenu
muse-autoloads package epg-config preview-latex tex-site auto-loads
saveplace paren help-at-pt time delsel cus-start cus-load time-date
tooltip electric uniquify ediff-hook vc-hooks lisp-float-type mwheel
w32-common-fns disp-table w32-win w32-vars tool-bar dnd fontset image
regexp-opt fringe tabulated-list newcomment lisp-mode prog-mode register
page menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock
font-lock syntax facemenu font-core frame cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese hebrew
greek romanian slovak czech european ethiopic indian cyrillic chinese
case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer nadvice
loaddefs button faces cus-face macroexp files text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote make-network-process dbusbind w32
multi-tty emacs)

[-- Attachment #2: deselect_palette_bt.gz --]
[-- Type: application/gzip, Size: 5148 bytes --]

bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)

[Glenn Morris]

Resembles http://debbugs.gnu.org/17688

bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)

[Eli Zaretskii]

> Date: Tue, 07 Oct 2014 16:02:02 -0400
> From: Ken Brown <kbrown@cornell.edu>
> 
> I just tried to view an emacs window that had been idle for a long time. 
>   I don't remember if I was using Alt-Tab to cycle through the open 
> windows or if I clicked on the emacs icon in the task bar.  When I 
> couldn't get to the window, I checked the terminal from which I had 
> started emacs under gdb, and I saw that emacs had crashed:
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
>      at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
> 123       if (f->output_data.w32->old_palette)

It crashes because f is a NULL pointer, and the code tries to
dereference that.

> (gdb) bt
> #0  0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
>      at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
> #1  0x000000010068e798 in release_frame_dc (f=0x0, hdc=0x0)
>      at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:154
> #2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 
> <bss_sbrk_buffer+6283800>, c=32) at 
> /usr/src/debug/emacs-24.3.94-1/src/w32uniscribe.c:585

I don't understand how could this lead to a crash.  Your detailed
backtrace shows:

> #2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 <bss_sbrk_buffer+6283800>, c=32) at /usr/src/debug/emacs-24.3.94-1/src/w32uniscribe.c:585
>         context = 0x0
>         f = 0x0
>         old_font = 0x0
>         code = 3
>         ch = L" \f"
>         len = 1
>         items = 0x427fa0
>         nitems = 1
>         uniscribe_font = 0x1010f5e98 <bss_sbrk_buffer+6283800>

Note that both 'context' and 'f' are NULL pointers.  But the source
around line 585 says this:

    if (context)
      {
	SelectObject (context, old_font);
	release_frame_dc (f, context);
      }

So why release_frame_dc is being called when 'context' is NULL??
Moreover, 'old_font' is also NULL, which means we never were in this
part of the code:

          if (result == E_PENDING)
            {
              /* Use selected frame until API is updated to pass
                 the frame.  */
              f = XFRAME (selected_frame);
              context = get_frame_dc (f);
              old_font = SelectObject (context, FONT_HANDLE (font));
              result = ScriptShape (context, &(uniscribe_font->cache),
                                    ch, len, 2, &(items[0].a),
                                    glyphs, clusters, attrs, &nglyphs);
            }

which is the only part that sets these 3 variables to something
non-NULL, and requires the call to release_frame_dc to avoid leaking
GDI objects, in this case the font we opened.

What's going on here? is this another case of "bidi_check_type
crashes"?

bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)

[Eli Zaretskii]

> From: Glenn Morris <rgm@gnu.org>
> Date: Tue, 07 Oct 2014 16:41:37 -0400
> Cc: 18659@debbugs.gnu.org
> 
> 
> Resembles http://debbugs.gnu.org/17688

Exactly the same, yes, and with exactly the same unexplained control
flow: release_frame_dc is called although 'context' is NULL.

bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)

[Eli Zaretskii]

> Date: Tue, 07 Oct 2014 16:02:02 -0400
> From: Ken Brown <kbrown@cornell.edu>
> 
> I have no idea how that strange (Chinese?) character got into frame
> 3.

char2b is not a character, it is a code of a font glyph that
corresponds to some character.  The character is a blank, as the call
to uniscribe_encode_char shows:

#2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 
    <bss_sbrk_buffer+6283800>, c=32) at 
                               ^^^^