unofficial mirror of emacs-devel@gnu.org 
* Problem report #18
@ 2006-04-10 18:59 Dan Nicolaescu
  2006-04-10 20:04 ` Stuart D. Herring
  2006-04-11  6:58 ` Problem report #18 PENDING Jan D.
  0 siblings, 2 replies; 8+ messages in thread
From: Dan Nicolaescu @ 2006-04-10 18:59 UTC (permalink / raw)


CID: 18
Checker: FORWARD_NULL (help)
File: emacs/src/xmenu.c
Function: digest_single_submenu
Description: Variable "save_wv" tracked as NULL was dereferenced.

Event assign_zero: Variable "prev_wv" assigned value 0.
Also see events: [alias_transfer][var_deref_op]

1815 		  prev_wv = 0;
1816 		  i += MENU_ITEMS_PANE_LENGTH;
1817 		}
1818 	      else
1819 		{
1820 		  /* Create a new item within current pane.  */
1821 		  Lisp_Object item_name, enable, descrip, def, type, selected;
1822 		  Lisp_Object help;
1823 	
1824 		  item_name = AREF (menu_items, i + MENU_ITEMS_ITEM_NAME);
1825 		  enable = AREF (menu_items, i + MENU_ITEMS_ITEM_ENABLE);
1826 		  descrip = AREF (menu_items, i + MENU_ITEMS_ITEM_EQUIV_KEY);
1827 		  def = AREF (menu_items, i + MENU_ITEMS_ITEM_DEFINITION);
1828 		  type = AREF (menu_items, i + MENU_ITEMS_ITEM_TYPE);
1829 		  selected = AREF (menu_items, i + MENU_ITEMS_ITEM_SELECTED);
1830 		  help = AREF (menu_items, i + MENU_ITEMS_ITEM_HELP);
1831 	
1832 	#ifndef HAVE_MULTILINGUAL_MENU

At conditional (9): "((0), (item_name & -8))->size_byte >= 0" taking true path

1833 	          if (STRING_MULTIBYTE (item_name))
1834 		    {

At conditional (10): "Vlocale_coding_system != Qnil" taking true path
At conditional (11): "Vlocale_coding_system != 0" taking true path

1835 		      item_name = ENCODE_MENU_STRING (item_name);
1836 		      AREF (menu_items, i + MENU_ITEMS_ITEM_NAME) = item_name;
1837 		    }
1838 	

At conditional (12): "descrip & 7 == 3" taking true path
At conditional (13): "((0), (descrip & -8))->size_byte >= 0" taking true path

1839 	          if (STRINGP (descrip) && STRING_MULTIBYTE (descrip))
1840 		    {

At conditional (14): "Vlocale_coding_system != Qnil" taking true path
At conditional (15): "Vlocale_coding_system != 0" taking true path

1841 		      descrip = ENCODE_MENU_STRING (descrip);
1842 		      AREF (menu_items, i + MENU_ITEMS_ITEM_EQUIV_KEY) = descrip;
1843 		    }
1844 	#endif /* not HAVE_MULTILINGUAL_MENU */
1845 	
1846 		  wv = xmalloc_widget_value ();

At conditional (16): "prev_wv != 0" taking false path

1847 		  if (prev_wv)
1848 		    prev_wv->next = wv;
1849 		  else

Event var_deref_op: Variable "save_wv" tracked as NULL was dereferenced.
Also see events: [assign_zero][alias_transfer]

1850 		    save_wv->contents = wv;
1851 	
1852 		  wv->lname = item_name;


* Re: Problem report #18
  2006-04-10 18:59 Problem report #18 Dan Nicolaescu
@ 2006-04-10 20:04 ` Stuart D. Herring
  2006-04-11  6:58 ` Problem report #18 PENDING Jan D.
  1 sibling, 0 replies; 8+ messages in thread
From: Stuart D. Herring @ 2006-04-10 20:04 UTC (permalink / raw)


Another simplification (unfortunately -- not a solution):  The majority of
this report is a red herring.  The (possible) issue is quite simple:
before the while loop, save_wv==prev_wv==0.  This code in the loop:

> 1847 		  if (prev_wv)
> 1848 		    prev_wv->next = wv;
> 1849 		  else
>
> Event var_deref_op: Variable "save_wv" tracked as NULL was dereferenced.
> Also see events: [assign_zero][alias_transfer]
>
> 1850 		    save_wv->contents = wv;

insists on dereferencing one of them.  If this branch (the else of a
vector-element-is-which-type? conditional) gets taken first time through
the loop, SIGSEGV.  But we're analyzing the vector menu_items here... if
we know that its structure precludes the first iteration of this loop
taking the last case (that is, if (aref menu_items start) is t, nil,
'lambda, or 'quote), then it's fine.

Hope it helps,
Davis

-- 
This product is sold by volume, not by mass.  If it appears too dense or
too sparse, it is because mass-energy conversion has occurred during
shipping.


* Re: Problem report #18 PENDING
  2006-04-10 18:59 Problem report #18 Dan Nicolaescu
  2006-04-10 20:04 ` Stuart D. Herring
@ 2006-04-11  6:58 ` Jan D.
  2006-04-11  8:33   ` Sascha Wilde
  2006-05-13 19:01   ` Dan Nicolaescu
  1 sibling, 2 replies; 8+ messages in thread
From: Jan D. @ 2006-04-11  6:58 UTC (permalink / raw)




Dan Nicolaescu wrote:
> CID: 18
> Checker: FORWARD_NULL (help)
> File: emacs/src/xmenu.c
> Function: digest_single_submenu
> Description: Variable "save_wv" tracked as NULL was dereferenced.
> 
> Event assign_zero: Variable "prev_wv" assigned value 0.
> Also see events: [alias_transfer][var_deref_op]
> 
> 1815 		  prev_wv = 0;
> 1816 		  i += MENU_ITEMS_PANE_LENGTH;
> 1817 		}
> 1818 	      else
> 1819 		{
> 1820 		  /* Create a new item within current pane.  */
> 1821 		  Lisp_Object item_name, enable, descrip, def, type, selected;
> 1822 		  Lisp_Object help;
> 1823 	
> 1824 		  item_name = AREF (menu_items, i + MENU_ITEMS_ITEM_NAME);
> 1825 		  enable = AREF (menu_items, i + MENU_ITEMS_ITEM_ENABLE);
> 1826 		  descrip = AREF (menu_items, i + MENU_ITEMS_ITEM_EQUIV_KEY);
> 1827 		  def = AREF (menu_items, i + MENU_ITEMS_ITEM_DEFINITION);
> 1828 		  type = AREF (menu_items, i + MENU_ITEMS_ITEM_TYPE);
> 1829 		  selected = AREF (menu_items, i + MENU_ITEMS_ITEM_SELECTED);
> 1830 		  help = AREF (menu_items, i + MENU_ITEMS_ITEM_HELP);
> 1831 	
> 1832 	#ifndef HAVE_MULTILINGUAL_MENU
> 
> At conditional (9): "((0), (item_name & -8))->size_byte >= 0" taking true path
> 
> 1833 	          if (STRING_MULTIBYTE (item_name))
> 1834 		    {
> 
> At conditional (10): "Vlocale_coding_system != Qnil" taking true path
> At conditional (11): "Vlocale_coding_system != 0" taking true path
> 
> 1835 		      item_name = ENCODE_MENU_STRING (item_name);
> 1836 		      AREF (menu_items, i + MENU_ITEMS_ITEM_NAME) = item_name;
> 1837 		    }
> 1838 	
> 
> At conditional (12): "descrip & 7 == 3" taking true path
> At conditional (13): "((0), (descrip & -8))->size_byte >= 0" taking true path
> 
> 1839 	          if (STRINGP (descrip) && STRING_MULTIBYTE (descrip))
> 1840 		    {
> 
> At conditional (14): "Vlocale_coding_system != Qnil" taking true path
> At conditional (15): "Vlocale_coding_system != 0" taking true path
> 
> 1841 		      descrip = ENCODE_MENU_STRING (descrip);
> 1842 		      AREF (menu_items, i + MENU_ITEMS_ITEM_EQUIV_KEY) = descrip;
> 1843 		    }
> 1844 	#endif /* not HAVE_MULTILINGUAL_MENU */
> 1845 	
> 1846 		  wv = xmalloc_widget_value ();
> 
> At conditional (16): "prev_wv != 0" taking false path
> 
> 1847 		  if (prev_wv)
> 1848 		    prev_wv->next = wv;
> 1849 		  else
> 
> Event var_deref_op: Variable "save_wv" tracked as NULL was dereferenced.
> Also see events: [assign_zero][alias_transfer]
> 
> 1850 		    save_wv->contents = wv;
> 1851 	
> 1852 		  wv->lname = item_name;

The thing is that the code assumes menu descriptions first have panes and then 
items.  In that case save_wv will always be != NULL (the /* Create a new pane. 
  */ branch).  I don't know if it is possible to give a description (in lisp) 
that only contains items.  Maybe it is.

	Jan D.


* Re: Problem report #18 PENDING
  2006-04-11  6:58 ` Problem report #18 PENDING Jan D.
@ 2006-04-11  8:33   ` Sascha Wilde
  2006-05-13 19:01   ` Dan Nicolaescu
  1 sibling, 0 replies; 8+ messages in thread
From: Sascha Wilde @ 2006-04-11  8:33 UTC (permalink / raw)
  Cc: emacs-devel

"Jan D." <jan.h.d@swipnet.se> wrote:

> Dan Nicolaescu wrote:
>> CID: 18
>> Checker: FORWARD_NULL (help)
>> File: emacs/src/xmenu.c
>> Function: digest_single_submenu
>> Description: Variable "save_wv" tracked as NULL was dereferenced.
>> Event assign_zero: Variable "prev_wv" assigned value 0.
[...]
> The thing is that the code assumes menu descriptions first have panes
> and then items.  In that case save_wv will always be != NULL (the /*
> Create a new pane. */ branch).  I don't know if it is possible to give
> a description (in lisp) that only contains items.  Maybe it is.

I'm currently experiencing the problem that it _is_ possible.  Please
see my mails on "SEGV in xmenu.c digest_single_submenu".  This seems
to be _exactly_ the problem I'm reporting.

cheers
sascha
-- 
Sascha Wilde

A conclusion is simply the place where someone got tired of thinking.


* Re: Problem report #18 PENDING
  2006-04-11  6:58 ` Problem report #18 PENDING Jan D.
  2006-04-11  8:33   ` Sascha Wilde
@ 2006-05-13 19:01   ` Dan Nicolaescu
  2006-05-13 19:58     ` Jan D.
  1 sibling, 1 reply; 8+ messages in thread
From: Dan Nicolaescu @ 2006-05-13 19:01 UTC (permalink / raw)
  Cc: emacs-devel

"Jan D." <jan.h.d@swipnet.se> writes:

  > Dan Nicolaescu wrote:
  > > CID: 18
  > > Checker: FORWARD_NULL (help)
  > > File: emacs/src/xmenu.c
  > > Function: digest_single_submenu
  > > Description: Variable "save_wv" tracked as NULL was dereferenced.
  > >
  > > Event assign_zero: Variable "prev_wv" assigned value 0.
  > > Also see events: [alias_transfer][var_deref_op]
  > >
  > > 1815 		  prev_wv = 0;
  > > 1816 		  i += MENU_ITEMS_PANE_LENGTH;
  > > 1817 		}
  > > 1818 	      else
  > > 1819 		{
  > > 1820 		  /* Create a new item within current pane.  */
  > > 1821 		  Lisp_Object item_name, enable, descrip, def, type, selected;
  > > 1822 		  Lisp_Object help;
  > > 1823 	
  > > 1824 		  item_name = AREF (menu_items, i + MENU_ITEMS_ITEM_NAME);
  > > 1825 		  enable = AREF (menu_items, i + MENU_ITEMS_ITEM_ENABLE);
  > > 1826 		  descrip = AREF (menu_items, i + MENU_ITEMS_ITEM_EQUIV_KEY);
  > > 1827 		  def = AREF (menu_items, i + MENU_ITEMS_ITEM_DEFINITION);
  > > 1828 		  type = AREF (menu_items, i + MENU_ITEMS_ITEM_TYPE);
  > > 1829 		  selected = AREF (menu_items, i + MENU_ITEMS_ITEM_SELECTED);
  > > 1830 		  help = AREF (menu_items, i + MENU_ITEMS_ITEM_HELP);
  > > 1831 	
  > > 1832 	#ifndef HAVE_MULTILINGUAL_MENU
  > >
  > > At conditional (9): "((0), (item_name & -8))->size_byte >= 0" taking true path
  > >
  > > 1833 	          if (STRING_MULTIBYTE (item_name))
  > > 1834 		    {
  > >
  > > At conditional (10): "Vlocale_coding_system != Qnil" taking true path
  > > At conditional (11): "Vlocale_coding_system != 0" taking true path
  > >
  > > 1835 		      item_name = ENCODE_MENU_STRING (item_name);
  > > 1836 		      AREF (menu_items, i + MENU_ITEMS_ITEM_NAME) = item_name;
  > > 1837 		    }
  > > 1838 	
  > >
  > > At conditional (12): "descrip & 7 == 3" taking true path
  > > At conditional (13): "((0), (descrip & -8))->size_byte >= 0" taking true path
  > >
  > > 1839 	          if (STRINGP (descrip) && STRING_MULTIBYTE (descrip))
  > > 1840 		    {
  > >
  > > At conditional (14): "Vlocale_coding_system != Qnil" taking true path
  > > At conditional (15): "Vlocale_coding_system != 0" taking true path
  > >
  > > 1841 		      descrip = ENCODE_MENU_STRING (descrip);
  > > 1842 		      AREF (menu_items, i + MENU_ITEMS_ITEM_EQUIV_KEY) = descrip;
  > > 1843 		    }
  > > 1844 	#endif /* not HAVE_MULTILINGUAL_MENU */
  > > 1845 	
  > > 1846 		  wv = xmalloc_widget_value ();
  > >
  > > At conditional (16): "prev_wv != 0" taking false path
  > >
  > > 1847 		  if (prev_wv)
  > > 1848 		    prev_wv->next = wv;
  > > 1849 		  else
  > >
  > > Event var_deref_op: Variable "save_wv" tracked as NULL was dereferenced.
  > > Also see events: [assign_zero][alias_transfer]
  > >
  > > 1850 		    save_wv->contents = wv;
  > > 1851 	
  > > 1852 		  wv->lname = item_name;
  >
  > The thing is that the code assumes menu descriptions first have panes
  > and then items.  In that case save_wv will always be != NULL (the /*
  > Create a new pane. */ branch).  I don't know if it is possible to give
  > a description (in lisp) that only contains items.  Maybe it is.

Has anybody reached a conclusion about this issue? 

Thanks


* Re: Problem report #18 PENDING
  2006-05-13 19:01   ` Dan Nicolaescu
@ 2006-05-13 19:58     ` Jan D.
  2006-05-13 20:21       ` Dan Nicolaescu
  0 siblings, 1 reply; 8+ messages in thread
From: Jan D. @ 2006-05-13 19:58 UTC (permalink / raw)
  Cc: emacs-devel

Dan Nicolaescu wrote:
> "Jan D." <jan.h.d@swipnet.se> writes:
>
>   > The thing is that the code assumes menu descriptions first have panes
>   > and then items.  In that case save_wv will always be != NULL (the /*
>   > Create a new pane. */ branch).  I don't know if it is possible to give
>   > a description (in lisp) that only contains items.  Maybe it is.
>
> Has anybody reached a conclusion about this issue? 

Richard installed a change in this code that fixed crashes people had 
seen.  I guess it was related to this.  Anyway, the code now looks 
different so I guess it is solved.  The code does an abort now if an 
item is not in a pane.

    Jan D.


* Re: Problem report #18 PENDING
  2006-05-13 19:58     ` Jan D.
@ 2006-05-13 20:21       ` Dan Nicolaescu
  2006-05-14 11:20         ` Jan D.
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Nicolaescu @ 2006-05-13 20:21 UTC (permalink / raw)
  Cc: emacs-devel

"Jan D." <jan.h.d@swipnet.se> writes:

  > Dan Nicolaescu wrote:
  > > "Jan D." <jan.h.d@swipnet.se> writes:
  > >
  > >   > The thing is that the code assumes menu descriptions first have panes
  > >   > and then items.  In that case save_wv will always be != NULL (the /*
  > >   > Create a new pane. */ branch).  I don't know if it is possible to give
  > >   > a description (in lisp) that only contains items.  Maybe it is.
  > >
  > > Has anybody reached a conclusion about this issue? 
  >
  > Richard installed a change in this code that fixed crashes people had
  > seen.  I guess it was related to this.  Anyway, the code now looks
  > different so I guess it is solved.  The code does an abort now if an
  > item is not in a pane.

Thanks. It seems that the report has changed too. Could you please
look it over just to make sure that it's not pointing to a different
issue? 

How about #26 and #27? You said they are the same as #18, are they OK
now too? #19 is not reported anymore.



1759 	static widget_value *
1760 	digest_single_submenu (start, end, top_level_items)
1761 	     int start, end, top_level_items;
1762 	{
1763 	  widget_value *wv, *prev_wv, *save_wv, *first_wv;
1764 	  int i;
1765 	  int submenu_depth = 0;
1766 	  widget_value **submenu_stack;
1767 	  int panes_seen = 0;
1768 	
1769 	  submenu_stack
1770 	    = (widget_value **) alloca (menu_items_used * sizeof (widget_value *));
1771 	  wv = xmalloc_widget_value ();
1772 	  wv->name = "menu";
1773 	  wv->value = 0;
1774 	  wv->enabled = 1;
1775 	  wv->button_type = BUTTON_TYPE_NONE;
1776 	  wv->help = Qnil;
1777 	  first_wv = wv;
1778 	  save_wv = 0;
1779 	  prev_wv = 0;
1780 	
1781 	  /* Loop over all panes and items made by the preceding call
1782 	     to parse_single_submenu and construct a tree of widget_value objects.
1783 	     Ignore the panes and items used by previous calls to
1784 	     digest_single_submenu, even though those are also in menu_items.  */
1785 	  i = start;

At conditional (1): "i < end" taking true path
At conditional (3): "i < end" taking true path

1786 	  while (i < end)
1787 	    {

At conditional (2): "((0), (menu_items & -8))->contents[i] == Qnil" taking true path
At conditional (4): "((0), (menu_items & -8))->contents[i] == Qnil" taking false path

1788 	      if (EQ (XVECTOR (menu_items)->contents[i], Qnil))
1789 		{
1790 		  submenu_stack[submenu_depth++] = save_wv;

Event alias_transfer: Variable "save_wv" tracked as NULL because of assignment to "prev_wv"
Also see events: [assign_zero][var_deref_op]

1791 		  save_wv = prev_wv;
1792 		  prev_wv = 0;
1793 		  i++;
1794 		}

At conditional (5): "((0), (menu_items & -8))->contents[i] == Qlambda" taking false path

1795 	      else if (EQ (XVECTOR (menu_items)->contents[i], Qlambda))
1796 		{
1797 		  prev_wv = save_wv;
1798 		  save_wv = submenu_stack[--submenu_depth];
1799 		  i++;
1800 		}

At conditional (6): "((0), (menu_items & -8))->contents[i] == Qt" taking false path

1801 	      else if (EQ (XVECTOR (menu_items)->contents[i], Qt)
1802 		       && submenu_depth != 0)
1803 		i += MENU_ITEMS_PANE_LENGTH;
1804 	      /* Ignore a nil in the item list.
1805 		 It's meaningful only for dialog boxes.  */

At conditional (7): "((0), (menu_items & -8))->contents[i] == Qquote" taking false path

1806 	      else if (EQ (XVECTOR (menu_items)->contents[i], Qquote))
1807 		i += 1;

At conditional (8): "((0), (menu_items & -8))->contents[i] == Qt" taking false path

1808 	      else if (EQ (XVECTOR (menu_items)->contents[i], Qt))
1809 		{
1810 		  /* Create a new pane.  */
1811 		  Lisp_Object pane_name, prefix;
1812 		  char *pane_string;
1813 	
1814 		  panes_seen++;
1815 	
1816 		  pane_name = XVECTOR (menu_items)->contents[i + MENU_ITEMS_PANE_NAME];
1817 		  prefix = XVECTOR (menu_items)->contents[i + MENU_ITEMS_PANE_PREFIX];
1818 	
1819 	#ifndef HAVE_MULTILINGUAL_MENU
1820 		  if (STRINGP (pane_name) && STRING_MULTIBYTE (pane_name))
1821 		    {
1822 		      pane_name = ENCODE_MENU_STRING (pane_name);
1823 		      AREF (menu_items, i + MENU_ITEMS_PANE_NAME) = pane_name;
1824 		    }
1825 	#endif
1826 		  pane_string = (NILP (pane_name)
1827 				 ? "" : (char *) SDATA (pane_name));
1828 		  /* If there is just one top-level pane, put all its items directly
1829 		     under the top-level menu.  */
1830 		  if (menu_items_n_panes == 1)
1831 		    pane_string = "";
1832 	
1833 		  /* If the pane has a meaningful name,
1834 		     make the pane a top-level menu item
1835 		     with its items as a submenu beneath it.  */
1836 		  if (strcmp (pane_string, ""))
1837 		    {
1838 		      wv = xmalloc_widget_value ();
1839 		      if (save_wv)
1840 			save_wv->next = wv;
1841 		      else
1842 			first_wv->contents = wv;
1843 		      wv->lname = pane_name;
1844 	              /* Set value to 1 so update_submenu_strings can handle '@'  */
1845 		      wv->value = (char *)1;
1846 		      wv->enabled = 1;
1847 		      wv->button_type = BUTTON_TYPE_NONE;
1848 		      wv->help = Qnil;
1849 		      save_wv = wv;
1850 		    }
1851 		  else
1852 		    save_wv = first_wv;
1853 	

Event assign_zero: Variable "prev_wv" assigned value 0.
Also see events: [alias_transfer][var_deref_op]

1854 		  prev_wv = 0;
1855 		  i += MENU_ITEMS_PANE_LENGTH;
1856 		}
1857 	      else
1858 		{
1859 		  /* Create a new item within current pane.  */
1860 		  Lisp_Object item_name, enable, descrip, def, type, selected;
1861 		  Lisp_Object help;
1862 	
1863 		  /* All items should be contained in panes.  */

At conditional (9): "panes_seen == 0" taking false path

1864 		  if (panes_seen == 0)
1865 		    abort ();
1866 	
1867 		  item_name = AREF (menu_items, i + MENU_ITEMS_ITEM_NAME);
1868 		  enable = AREF (menu_items, i + MENU_ITEMS_ITEM_ENABLE);
1869 		  descrip = AREF (menu_items, i + MENU_ITEMS_ITEM_EQUIV_KEY);
1870 		  def = AREF (menu_items, i + MENU_ITEMS_ITEM_DEFINITION);
1871 		  type = AREF (menu_items, i + MENU_ITEMS_ITEM_TYPE);
1872 		  selected = AREF (menu_items, i + MENU_ITEMS_ITEM_SELECTED);
1873 		  help = AREF (menu_items, i + MENU_ITEMS_ITEM_HELP);
1874 	
1875 	#ifndef HAVE_MULTILINGUAL_MENU

At conditional (10): "((0), (item_name & -8))->size_byte >= 0" taking true path

1876 	          if (STRING_MULTIBYTE (item_name))
1877 		    {

At conditional (11): "Vlocale_coding_system != Qnil" taking true path
At conditional (12): "Vlocale_coding_system != 0" taking true path

1878 		      item_name = ENCODE_MENU_STRING (item_name);
1879 		      AREF (menu_items, i + MENU_ITEMS_ITEM_NAME) = item_name;
1880 		    }
1881 	

At conditional (13): "descrip & 7 == 3" taking true path
At conditional (14): "((0), (descrip & -8))->size_byte >= 0" taking true path

1882 	          if (STRINGP (descrip) && STRING_MULTIBYTE (descrip))
1883 		    {

At conditional (15): "Vlocale_coding_system != Qnil" taking true path
At conditional (16): "Vlocale_coding_system != 0" taking true path

1884 		      descrip = ENCODE_MENU_STRING (descrip);
1885 		      AREF (menu_items, i + MENU_ITEMS_ITEM_EQUIV_KEY) = descrip;
1886 		    }
1887 	#endif /* not HAVE_MULTILINGUAL_MENU */
1888 	
1889 		  wv = xmalloc_widget_value ();

At conditional (17): "prev_wv != 0" taking false path

1890 		  if (prev_wv)
1891 		    prev_wv->next = wv;
1892 		  else

Event var_deref_op: Variable "save_wv" tracked as NULL was dereferenced.
Also see events: [assign_zero][alias_transfer]

1893 		    save_wv->contents = wv;
1894 	
1895 		  wv->lname = item_name;
1896 		  if (!NILP (descrip))
1897 		    wv->lkey = descrip;
1898 		  wv->value = 0;
1899 		  /* The EMACS_INT cast avoids a warning.  There's no problem
1900 		     as long as pointers have enough bits to hold small integers.  */
1901 		  wv->call_data = (!NILP (def) ? (void *) (EMACS_INT) i : 0);
1902 		  wv->enabled = !NILP (enable);
1903 	
1904 		  if (NILP (type))
1905 		    wv->button_type = BUTTON_TYPE_NONE;
1906 		  else if (EQ (type, QCradio))
1907 		    wv->button_type = BUTTON_TYPE_RADIO;
1908 		  else if (EQ (type, QCtoggle))
1909 		    wv->button_type = BUTTON_TYPE_TOGGLE;
1910 		  else
1911 		    abort ();
1912 	
1913 		  wv->selected = !NILP (selected);
1914 		  if (! STRINGP (help))
1915 		    help = Qnil;
1916 	
1917 		  wv->help = help;
1918 	
1919 		  prev_wv = wv;
1920 	
1921 		  i += MENU_ITEMS_ITEM_LENGTH;
1922 		}
1923 	    }
1924 	
1925 	  /* If we have just one "menu item"
1926 	     that was originally a button, return it by itself.  */
1927 	  if (top_level_items && first_wv->contents && first_wv->contents->next == 0)
1928 	    {
1929 	      wv = first_wv->contents;
1930 	      free_widget_value (first_wv);
1931 	      return wv;
1932 	    }
1933 	
1934 	  return first_wv;
1935 	}


* Re: Problem report #18 PENDING
  2006-05-13 20:21       ` Dan Nicolaescu
@ 2006-05-14 11:20         ` Jan D.
  0 siblings, 0 replies; 8+ messages in thread
From: Jan D. @ 2006-05-14 11:20 UTC (permalink / raw)
  Cc: emacs-devel

Dan Nicolaescu wrote:
> "Jan D." <jan.h.d@swipnet.se> writes:
>
>   > Dan Nicolaescu wrote:
>   > > "Jan D." <jan.h.d@swipnet.se> writes:
>   > >
>   > >   > The thing is that the code assumes menu descriptions first have panes
>   > >   > and then items.  In that case save_wv will always be != NULL (the /*
>   > >   > Create a new pane. */ branch).  I don't know if it is possible to give
>   > >   > a description (in lisp) that only contains items.  Maybe it is.
>   > >
>   > > Has anybody reached a conclusion about this issue? 
>   >
>   > Richard installed a change in this code that fixed crashes people had
>   > seen.  I guess it was related to this.  Anyway, the code now looks
>   > different so I guess it is solved.  The code does an abort now if an
>   > item is not in a pane.
>
> Thanks. It seems that the report has changed too. Could you please
> look it over just to make sure that it's not pointing to a different
> issue? 
>
> How about #26 and #27? You said they are the same as #18, are they OK
> now too? #19 is not reported anymore.
>   

Yes, they are basically the same as 18, but with some different paths 
being true and false.
> At conditional (8): "((0), (menu_items & -8))->contents[i] == Qt" taking false path
>
> 1808 	      else if (EQ (XVECTOR (menu_items)->contents[i], Qt))
> 1809 		{
> 1810 		  /* Create a new pane.  */
> 1811 		  Lisp_Object pane_name, prefix;
> 1812 		  char *pane_string;
> 1813 	
> 1814 		  panes_seen++;
> 1815 	
>   

Ok, we are not taking this path, so panes_seen == 0.

> 1863 		  /* All items should be contained in panes.  */
>
> At conditional (9): "panes_seen == 0" taking false path
>
> 1864 		  if (panes_seen == 0)
> 1865 		    abort ();
> 1866 
>   

And here suddenly it is assumed it is not 0.  This can not happen.  If 
panes_seen != 0 save_wv can not be NULL.

    Jan D.
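
Added example, not part of the thread or of Emacs: a reduced C model of the save_wv / prev_wv bookkeeping in digest_single_submenu as quoted above, run on the items-before-pane input and on the report's nil-then-item path, with and without the panes_seen check. The token enum, digest_model, the outcome codes and the fixed-size pool are assumptions of this sketch; it reports the NULL case instead of dereferencing it, returns DIGEST_ABORT where the real code calls abort (), and treats every pane as unnamed.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the markers in menu_items (constructed for this model):
   nil = submenu start, lambda = submenu end, t = pane, anything else = item. */
enum tok { TOK_NIL, TOK_LAMBDA, TOK_PANE, TOK_ITEM };
enum outcome { DIGEST_OK, DIGEST_NULL_DEREF, DIGEST_ABORT };

struct wv { struct wv *next, *contents; };

#define MAX_TOKS 16

/* Walk the token list the way the quoted loop does.  guard_panes != 0
   enables the "panes_seen == 0 -> abort" check from the later listing.  */
enum outcome
digest_model (const enum tok *toks, int n, int guard_panes)
{
  struct wv pool[MAX_TOKS + 1] = {{0}};
  struct wv *stack[MAX_TOKS];
  struct wv *first_wv = &pool[0], *save_wv = NULL, *prev_wv = NULL, *wv;
  int used = 1, depth = 0, panes_seen = 0, i;

  if (n > MAX_TOKS)
    return DIGEST_ABORT;        /* model-only bound on the input */

  for (i = 0; i < n; i++)
    switch (toks[i])
      {
      case TOK_NIL:             /* listing lines 1790-1792 */
        stack[depth++] = save_wv;
        save_wv = prev_wv;
        prev_wv = NULL;
        break;
      case TOK_LAMBDA:          /* listing lines 1797-1798 */
        if (depth == 0)
          return DIGEST_ABORT;  /* model-only: unbalanced input */
        prev_wv = save_wv;
        save_wv = stack[--depth];
        break;
      case TOK_PANE:
        if (depth != 0)
          break;                /* pane marker inside a submenu is skipped */
        panes_seen++;
        save_wv = first_wv;     /* unnamed pane: items hang off first_wv */
        prev_wv = NULL;
        break;
      case TOK_ITEM:
        if (guard_panes && panes_seen == 0)
          return DIGEST_ABORT;  /* "All items should be contained in panes." */
        wv = &pool[used++];
        if (prev_wv)
          prev_wv->next = wv;
        else if (save_wv == NULL)
          return DIGEST_NULL_DEREF;   /* save_wv->contents would fault here */
        else
          save_wv->contents = wv;
        prev_wv = wv;
        break;
      }
  return DIGEST_OK;
}

int
main (void)
{
  static const char *names[] = { "ok", "NULL dereference", "abort" };
  enum tok item_only[] = { TOK_ITEM };
  enum tok nil_item[] = { TOK_NIL, TOK_ITEM };    /* path in the later report */
  enum tok pane_item[] = { TOK_PANE, TOK_ITEM };

  printf ("item only, no guard: %s\n", names[digest_model (item_only, 1, 0)]);
  printf ("item only, guard:    %s\n", names[digest_model (item_only, 1, 1)]);
  printf ("nil, item, guard:    %s\n", names[digest_model (nil_item, 2, 1)]);
  printf ("pane, item, guard:   %s\n", names[digest_model (pane_item, 2, 1)]);
  return 0;
}
```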
