unofficial mirror of emacs-devel@gnu.org 
From: Adrian Robert <adrian.b.robert@gmail.com>
To: emacs-devel <emacs-devel@gnu.org>
Cc: Markus Triska <markus.triska@gmx.at>
Subject: Re: 23.0.60: segfault in syntax.c: char_quoted
Date: Sun, 20 Jul 2008 13:42:19 -0400
Message-ID: <2D670EB3-5275-401F-BD40-6BE7C76CFB79@gmail.com>
In-Reply-To: <57DB9B68-DA64-4BCB-97DD-3F4D9C3AC86B@gmail.com>


This crash bug also occurs when running under X11 on OS X -- it's not  
related to Emacs.app.  It cannot be triggered deterministically -- it may  
depend on where Emacs resides in memory.  However, here is a test case  
that reproduces reliably:

emacs -Q syntaxDecBoth.el (attached)
M-x show-paren-mode
C-M-x C-g C-_

Repeat the last key sequence a few times to get the crash.

The C backtrace is similar to the one posted below, but the Lisp backtrace  
differs:

"scan-sexps" (0xbfffbe08)
"byte-code" (0xbfffc0c4)
"show-paren-function" (0xbfffc9a8)
"apply" (0xbfffc9a4)
"byte-code" (0xbfffcc64)
"timer-event-handler" (0xbfffd42c)

It would be interesting to know if this can be reproduced on other  
systems.



On Jun 9, 2008, at 1:22 PM, Adrian Robert wrote:

> I have for a long time received a segfault in syntax.c char_quoted()  
> function DEC_BOTH() line as detailed in stack traces below.  This is  
> in Emacs.app (the "Cocoa" port), and I am not 100% certain that it's  
> not due to something there, though I'm uncertain how any code in  
> this port could affect GUI syntax, or due to some elisp in my  
> environment, or due to the files involved.  Unfortunately it is not  
> reliably reproducible.
>
> Examining the definition of DEC_BOTH, it seems that calling it when  
> charpos or bytepos < 2 will always cause segv.  In the crashes below  
> they are called when they are 0, from back_comment().
>
> I have patched in Emacs.app by a check for charpos/bytepos<2 in  
> char_quoted, but I'm wondering if anyone familiar with the syntax  
> code might spot something anomalous in the call stack leading there?
>
>
>
> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_INVALID_ADDRESS at address: 0x17054fff
> 0x002065b8 in char_quoted (charpos=0, bytepos=0) at syntax.c:302
> 302	  DEC_BOTH (charpos, bytepos);
> (gdb) bt
> #0  0x002065b8 in char_quoted (charpos=0, bytepos=0) at syntax.c:302
> #1  0x00209430 in back_comment (from=1, from_byte=1, stop=1,  
> comnested=0, comstyle=0, charpos_ptr=0xbfffbca4,  
> bytepos_ptr=0xbfffbca0) at syntax.c:587
> #2  0x0021dedc in scan_lists (from=1153, count=-1, depth=1,  
> sexpflag=0) at syntax.c:2740
> #3  0x0021f010 in Fscan_lists (from=472480, count=-8, depth=8) at  
> syntax.c:2833
> #4  0x001c4d58 in Ffuncall (nargs=4, args=0xbfffc2a0) at eval.c:3054
> #5  0x0022b7f8 in Fbyte_code (bytestr=3538459, vector=3538476,  
> maxdepth=40) at bytecode.c:678
> #6  0x001c58a0 in funcall_lambda (fun=3538412, nargs=1,  
> arg_vector=0xbfffc624) at eval.c:3239
> #7  0x001c5048 in Ffuncall (nargs=2, args=0xbfffc620) at eval.c:3094
> #8  0x0022b7f8 in Fbyte_code (bytestr=3538355, vector=3538372,  
> maxdepth=16) at bytecode.c:678
> #9  0x001c58a0 in funcall_lambda (fun=3538308, nargs=1,  
> arg_vector=0xbfffc994) at eval.c:3239
> #10 0x001c5048 in Ffuncall (nargs=2, args=0xbfffc990) at eval.c:3094
> #11 0x0022b7f8 in Fbyte_code (bytestr=54021875, vector=400887652,  
> maxdepth=16) at bytecode.c:678
> #12 0x001c3398 in Feval (form=382482037) at eval.c:2385
> #13 0x001c0cd8 in internal_lisp_condition_case (var=25165833,  
> bodyform=382482037, handlers=382481989) at eval.c:1460
> #14 0x0022c914 in Fbyte_code (bytestr=53895747, vector=54275588,  
> maxdepth=64) at bytecode.c:868
> #15 0x001c58a0 in funcall_lambda (fun=400887940, nargs=0,  
> arg_vector=0xbfffd414) at eval.c:3239
> #16 0x001c5048 in Ffuncall (nargs=1, args=0xbfffd410) at eval.c:3094
> #17 0x0022b7f8 in Fbyte_code (bytestr=54413427, vector=401236900,  
> maxdepth=48) at bytecode.c:678
> #18 0x001c58a0 in funcall_lambda (fun=401237188, nargs=0,  
> arg_vector=0xbfffd794) at eval.c:3239
> #19 0x001c5048 in Ffuncall (nargs=1, args=0xbfffd790) at eval.c:3094
> #20 0x0022b7f8 in Fbyte_code (bytestr=3407483, vector=3407500,  
> maxdepth=16) at bytecode.c:678
> #21 0x001c58a0 in funcall_lambda (fun=3407452, nargs=0,  
> arg_vector=0xbfffdb04) at eval.c:3239
> #22 0x001c5048 in Ffuncall (nargs=1, args=0xbfffdb00) at eval.c:3094
> #23 0x0022b7f8 in Fbyte_code (bytestr=54480403, vector=401191604,  
> maxdepth=48) at bytecode.c:678
> #24 0x001c58a0 in funcall_lambda (fun=401191844, nargs=1,  
> arg_vector=0xbfffde84) at eval.c:3239
> #25 0x001c5048 in Ffuncall (nargs=2, args=0xbfffde80) at eval.c:3094
> #26 0x0022b7f8 in Fbyte_code (bytestr=54493075, vector=400949860,  
> maxdepth=24) at bytecode.c:678
> #27 0x001c58a0 in funcall_lambda (fun=400949988, nargs=2,  
> arg_vector=0xbfffe1f4) at eval.c:3239
> #28 0x001c5048 in Ffuncall (nargs=3, args=0xbfffe1f0) at eval.c:3094
> #29 0x001c3be4 in Fapply (nargs=2, args=0xbfffe2ac) at eval.c:2536
> #30 0x001c42d0 in apply1 (fn=54483113, arg=392999317) at eval.c:2797
> warning: .o file "/Users/arobert/src/EmacsApp/emacs/branches/emacs- 
> app/src/callint.o" more recent than executable timestamp
> #31 0x001bb188 in Fcall_interactively (function=54483113,  
> record_flag=25165833, keys=55200260) at callint.c:389
> #32 0x001c4d58 in Ffuncall (nargs=4, args=0xbfffe578) at eval.c:3054
> #33 0x001c447c in call3 (fn=25276825, arg1=54483113, arg2=25165833,  
> arg3=25165833) at eval.c:2874
> #34 0x0010f24c in Fcommand_execute (cmd=54483113,  
> record_flag=25165833, keys=25165833, special=25165833) at keyboard.c: 
> 10451
> #35 0x000f9810 in command_loop_1 () at keyboard.c:1915
> #36 0x001c0eb4 in internal_condition_case (bfun=0xf7450  
> <command_loop_1>, handlers=25205449, hfun=0xf68e0 <cmd_error>) at  
> eval.c:1515
> #37 0x000f6f44 in command_loop_2 () at keyboard.c:1372
> #38 0x001c06d0 in internal_catch (tag=25201521, func=0xf6f04  
> <command_loop_2>, arg=25165833) at eval.c:1251
> #39 0x000f6ea8 in command_loop () at keyboard.c:1351
> #40 0x000f60cc in recursive_edit_1 () at keyboard.c:960
> #41 0x000f63ac in Frecursive_edit () at keyboard.c:1022
> #42 0x000f3e44 in main (argc=1, argv=0xbffff1d4) at emacs.c:1808
>
> Lisp Backtrace:
> "scan-lists" (0xbfffc2a4)
> "up-list" (0xbfffc624)
> "backward-up-list" (0xbfffc994)
> "byte-code" (0xbfffcc54)
> "c-guess-basic-syntax" (0xbfffd414)
> "c-indent-line" (0xbfffd794)
> 0x33fe5c warning: .o file "/Users/arobert/src/EmacsApp/emacs/ 
> branches/emacs-app/src/image.o" more recent than executable timestamp
> PVEC_COMPILED
> "c-indent-command" (0xbfffde84)
> "c-indent-line-or-region" (0xbfffe1f4)
> "call-interactively" (0xbfffe57c)
>
>
> -------------------------------------
>
> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_INVALID_ADDRESS at address: 0x02f12fff
> 0x002065b8 in char_quoted (charpos=0, bytepos=0) at syntax.c:302
> 302	  DEC_BOTH (charpos, bytepos);
> (gdb) bt
> #0  0x002065b8 in char_quoted (charpos=0, bytepos=0) at syntax.c:302
> #1  0x00209430 in back_comment (from=1, from_byte=1, stop=1,  
> comnested=0, comstyle=0, charpos_ptr=0xbfff9744,  
> bytepos_ptr=0xbfff9748) at syntax.c:587
> #2  0x00216ef4 in Fforward_comment (count=-8) at syntax.c:2376
> #3  0x001c4cc0 in Ffuncall (nargs=2, args=0xbfff9a60) at eval.c:3048
> ...
> #69 0x000f3e44 in main (argc=1, argv=0xbffff1d4) at emacs.c:1808
>
> Lisp Backtrace:
> "forward-comment" (0xbfff9a64)
> "c-backward-sws" (0xbfff9de4)
> "c-font-lock-complex-decl-prepare" (0xbfffa164)
> "font-lock-fontify-keywords-region" (0xbfffa4f4)
> "font-lock-default-fontify-region" (0xbfffa874)
> "font-lock-fontify-region" (0xbfffad58)
> "run-hook-with-args" (0xbfffad54)
> "byte-code" (0xbfffb014)
> "jit-lock-fontify-now" (0xbfffb7d4)
> "jit-lock-function" (0xbfffbf6c)
> "pos-visible-in-window-p" (0xbfffd134)
> "ediff-position-region" (0xbfffd4a4)
> "ediff-recenter-one-window" (0xbfffd834)
> "ediff-recenter" (0xbfffdbb4)
> "ediff-unselect-and-select-difference" (0xbfffdf24)
> "ediff-next-difference" (0xbfffe2d4)
> "call-interactively" (0xbfffe57c)
> (gdb)


[-- Attachment #2: syntaxDecBoth.el --]
[-- Type: application/octet-stream, Size: 47 bytes --]

(while t
  (insert "(when t (if t t 'hi))\n"))
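
The guard described in the quoted message (a position check before stepping backward in char_quoted), sketched as a small stand-alone C model. This is an added example, not code from Emacs or from the thread: the names dec_both_checked and char_quoted_model are hypothetical, and it assumes 1-based buffer positions, UTF-8 text, and backslash as the only quoting character.

```c
#include <stdio.h>

#define BEG 1   /* first valid 1-based position in this model */

/* Step (charpos, bytepos) back one UTF-8 character.  Returns 0 and
   changes nothing when there is no character before the position. */
static int dec_both_checked(const unsigned char *buf, long *charpos, long *bytepos)
{
    long b = *bytepos;
    if (*charpos <= BEG || b <= BEG)
        return 0;                    /* guard: never read before buf[0] */
    do
        b--;                         /* skip continuation bytes 10xxxxxx */
    while (b > BEG && (buf[b - BEG] & 0xC0) == 0x80);
    *charpos -= 1;
    *bytepos = b;
    return 1;
}

/* 1 if the character at (charpos, bytepos) is preceded by an odd
   number of backslashes, else 0. */
static int char_quoted_model(const unsigned char *buf, long charpos, long bytepos)
{
    int quoted = 0;
    while (dec_both_checked(buf, &charpos, &bytepos)
           && buf[bytepos - BEG] == '\\')
        quoted = !quoted;
    return quoted;
}

int main(void)
{
    /* Constructed sample buffers, not taken from the thread. */
    const unsigned char *one = (const unsigned char *)"a\\(";
    const unsigned char *two = (const unsigned char *)"a\\\\(";
    const unsigned char *mb  = (const unsigned char *)"\xC3\xA9\\(";
    printf("odd run:   %d\n", char_quoted_model(one, 3, 3));
    printf("even run:  %d\n", char_quoted_model(two, 4, 4));
    printf("multibyte: %d\n", char_quoted_model(mb, 3, 4));
    printf("pos 0:     %d\n", char_quoted_model(one, 0, 0));
    printf("pos 1:     %d\n", char_quoted_model(one, 1, 1));
    return 0;
}
```

With the guard in place, the (charpos=0, bytepos=0) call seen in the backtraces returns "not quoted" without touching memory in front of the buffer.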
