Hi, I've been hunting a segfault during usage of rgrep for some time; now I've managed to catch it in gdb. From the looks of it, BEGV_ADDR is changed during a single run of search_buffer, which leaves a stale pointer in a local variable. I don't know enough about emacs to tell whether this is expected, or how to fix it. Here is some info from my gdb session; please tell me anything you might need to further investigate this. I'm also willing to hand out my core file individually:

(gdb) dir /tmp/emacs-25.1/src/
Source directories searched: /tmp/emacs-25.1/src:$cdir:$cwd
(gdb) bt
#0  re_search_2 (bufp=bufp@entry=0xb9dac0, str1=str1@entry=0x6154ca8, size1=size1@entry=1559060, str2=str2@entry=0x62d1fec, size2=size2@entry=26, startpos=1556280, range=136, regs=0xb9c3f0, stop=1556416) at regex.c:4464
#1  0x00000000005395ef in search_buffer (string=string@entry=48209668, pos=, pos_byte=, lim=lim@entry=1556364, lim_byte=lim_byte@entry=1556417, n=1, RE=1, trt=0, inverse_trt=0, posix=false) at search.c:1265
#2  0x0000000000539f52 in search_command (string=48209668, bound=, noerror=44832, count=, direction=direction@entry=1, RE=RE@entry=1, posix=false) at search.c:1058
#3  0x000000000053a167 in Fre_search_forward (regexp=, bound=, noerror=, count=) at search.c:2264
#4  0x00000000005686af in Ffuncall (nargs=4, args=args@entry=0x7ffc312cf088) at eval.c:2704
#5  0x00000000005a1803 in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=args_template@entry=0, nargs=nargs@entry=0, args=, args@entry=0x0) at bytecode.c:880
#6  0x00000000005680cd in funcall_lambda (fun=10112541, nargs=nargs@entry=3, arg_vector=arg_vector@entry=0x7ffc312cf2c0) at eval.c:2921
#7  0x00000000005684cb in Ffuncall (nargs=4, args=args@entry=0x7ffc312cf2b8) at eval.c:2754
#8  0x00000000005a1803 in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=args_template@entry=0, nargs=nargs@entry=0, args=, args@entry=0x0) at bytecode.c:880
#9  0x00000000005680cd in funcall_lambda (fun=10107237, nargs=nargs@entry=3, arg_vector=arg_vector@entry=0x7ffc312cf4d0) at eval.c:2921
#10 0x00000000005684cb in Ffuncall (nargs=4, args=args@entry=0x7ffc312cf4c8) at eval.c:2754
#11 0x00000000005a1803 in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=args_template@entry=0, nargs=nargs@entry=0, args=, args@entry=0x0) at bytecode.c:880
#12 0x00000000005680cd in funcall_lambda (fun=10104949, nargs=nargs@entry=2, arg_vector=arg_vector@entry=0x7ffc312cf6e8) at eval.c:2921
#13 0x00000000005684cb in Ffuncall (nargs=3, args=args@entry=0x7ffc312cf6e0) at eval.c:2754
#14 0x00000000005a1803 in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=, nargs=nargs@entry=11260497, args=, args@entry=0x9a8684) at bytecode.c:880
#15 0x000000000056820b in funcall_lambda (fun=140721133517472, nargs=11260497, nargs@entry=1, arg_vector=0x9a8684, arg_vector@entry=0x7ffc312cf9e8) at eval.c:2855
#16 0x00000000005684cb in Ffuncall (nargs=2, args=args@entry=0x7ffc312cf9e0) at eval.c:2754
#17 0x000000000056877c in run_hook_wrapped_funcall (nargs=, args=0x7ffc312cf9e0) at eval.c:2428
#18 0x0000000000566f1d in run_hook_with_args (nargs=2, args=0x7ffc312cf9e0, funcall=0x568760) at eval.c:2509
#19 0x00000000005685e1 in Ffuncall (nargs=3, args=args@entry=0x7ffc312cf9d8) at eval.c:2673
#20 0x00000000005a1803 in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=, nargs=nargs@entry=11260594, args=, args@entry=0x9a8604) at bytecode.c:880
#21 0x000000000056820b in funcall_lambda (fun=140721133518064, nargs=11260594, nargs@entry=2, arg_vector=0x9a8604, arg_vector@entry=0x7ffc312cfbf0) at eval.c:2855
#22 0x00000000005684cb in Ffuncall (nargs=3, args=args@entry=0x7ffc312cfbe8) at eval.c:2754
#23 0x00000000005a1803 in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=, nargs=nargs@entry=11260309, args=, args@entry=0x9a872c) at bytecode.c:880
#24 0x000000000056820b in funcall_lambda (fun=140721133518544, nargs=11260309, nargs@entry=2, arg_vector=0x9a872c, arg_vector@entry=0x7ffc312cfe18) at eval.c:2855
#25 0x00000000005684cb in Ffuncall (nargs=3, args=args@entry=0x7ffc312cfe10) at eval.c:2754
#26 0x00000000005a1803 in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=, nargs=nargs@entry=11260666, args=, args@entry=0x9a84bc) at bytecode.c:880
#27 0x000000000056820b in funcall_lambda (fun=0, nargs=11260666, nargs@entry=1, arg_vector=0x9a84bc, arg_vector@entry=0x7ffc312d0018) at eval.c:2855
#28 0x00000000005684cb in Ffuncall (nargs=nargs@entry=2, args=args@entry=0x7ffc312d0010) at eval.c:2754
#29 0x0000000000566e80 in internal_condition_case_n (bfun=0x5682c0, nargs=nargs@entry=2, args=args@entry=0x7ffc312d0010, handlers=handlers@entry=44832, hfun=hfun@entry=0x43dfb0) at eval.c:1389
#30 0x000000000042ef78 in safe__call (inhibit_quit=inhibit_quit@entry=false, nargs=nargs@entry=2, func=, ap=ap@entry=0x7ffc312d0090) at xdisp.c:2558
#31 0x000000000043afac in safe_call (nargs=nargs@entry=2, func=) at xdisp.c:2574
#32 0x000000000043afe2 in safe_call1 (fn=, arg=arg@entry=6222870) at xdisp.c:2585
#33 0x000000000043b110 in handle_fontified_prop (it=0x7ffc312d6300) at xdisp.c:3805
#34 0x000000000043fdfa in handle_stop (it=it@entry=0x7ffc312d6300) at xdisp.c:3371
#35 0x00000000004449b2 in next_element_from_buffer (it=0x7ffc312d6300) at xdisp.c:8321
#36 0x0000000000442d25 in get_next_display_element (it=it@entry=0x7ffc312d6300) at xdisp.c:6921
#37 0x0000000000444f62 in move_it_in_display_line_to (it=it@entry=0x7ffc312d6300, to_charpos=to_charpos@entry=1559034, to_x=to_x@entry=0, op=op@entry=(MOVE_TO_X | MOVE_TO_POS)) at xdisp.c:8662
#38 0x000000000044716c in move_it_to (it=it@entry=0x7ffc312d6300, to_charpos=to_charpos@entry=1559034, to_x=to_x@entry=-1, to_y=51, to_vpos=to_vpos@entry=-1, op=op@entry=10) at xdisp.c:9231
#39 0x000000000044ce7f in pos_visible_p (w=w@entry=0x375b290, charpos=1559034, x=x@entry=0x7ffc312d9c9c, y=y@entry=0x7ffc312d9ca0, rtop=rtop@entry=0x7ffc312d9cac, rbot=rbot@entry=0x7ffc312d9cb0, rowh=0x7ffc312d9ca4, vpos=0x7ffc312d9ca8) at xdisp.c:1336
#40 0x0000000000464ba9 in redisplay_window (window=58045077, just_this_one_p=just_this_one_p@entry=false) at xdisp.c:16626
#41 0x000000000046803b in redisplay_window_0 (window=window@entry=58045077) at xdisp.c:14446
#42 0x0000000000566d6c in internal_condition_case_1 (bfun=bfun@entry=0x468010, arg=58045077, handlers=, hfun=hfun@entry=0x42d230) at eval.c:1333
#43 0x0000000000432273 in redisplay_windows (window=58045077) at xdisp.c:14426
#44 0x0000000000432238 in redisplay_windows (window=58044589) at xdisp.c:14420
#45 0x0000000000454db9 in redisplay_internal () at xdisp.c:13986
#46 0x0000000000456ede in redisplay_preserve_echo_area (from_where=from_where@entry=12) at xdisp.c:14279
#47 0x00000000005ad119 in wait_reading_process_output (time_limit=time_limit@entry=120, nsecs=nsecs@entry=0, read_kbd=read_kbd@entry=-1, do_display=do_display@entry=true, wait_for_cell=wait_for_cell@entry=0, wait_proc=wait_proc@entry=0x0, just_wait_proc=0) at process.c:5074
#48 0x0000000000422d35 in sit_for (timeout=, reading=reading@entry=true, display_option=display_option@entry=1) at dispnew.c:5762
#49 0x00000000004fe971 in read_char (commandflag=commandflag@entry=1, map=map@entry=76057843, prev_event=0, used_mouse_menu=used_mouse_menu@entry=0x7ffc312de2bb, end_time=end_time@entry=0x0) at keyboard.c:2714
#50 0x00000000004ff59b in read_key_sequence (keybuf=keybuf@entry=0x7ffc312de3e0, prompt=prompt@entry=0, dont_downcase_last=dont_downcase_last@entry=false, can_return_switch_frame=can_return_switch_frame@entry=true, fix_current_buffer=fix_current_buffer@entry=true, prevent_redisplay=prevent_redisplay@entry=false, bufsize=30) at keyboard.c:9063
#51 0x000000000050131e in command_loop_1 () at keyboard.c:1365
#52 0x0000000000566cf6 in internal_condition_case (bfun=bfun@entry=0x5010e0, handlers=handlers@entry=19056, hfun=hfun@entry=0x4f5d20) at eval.c:1309
#53 0x00000000004f2744 in command_loop_2 (ignore=ignore@entry=0) at keyboard.c:1107
#54 0x0000000000566c7b in internal_catch (tag=tag@entry=46224, func=func@entry=0x4f2720, arg=arg@entry=0) at eval.c:1074
#55 0x00000000004f26ed in command_loop () at keyboard.c:1086
#56 0x00000000004f5913 in recursive_edit_1 () at keyboard.c:692
#57 0x00000000004f5c53 in Frecursive_edit () at keyboard.c:763
#58 0x0000000000418db4 in main (argc=2, argv=0x7ffc312de768) at emacs.c:1626

Lisp Backtrace:
"re-search-forward" (0x312cf090)
"font-lock-fontify-keywords-region" (0x312cf2c0)
"font-lock-default-fontify-region" (0x312cf4d0)
"font-lock-fontify-region" (0x312cf6e8)
0x429efa0 PVEC_COMPILED
"run-hook-wrapped" (0x312cf9e0)
"jit-lock--run-functions" (0x312cfbf0)
"jit-lock-fontify-now" (0x312cfe18)
"jit-lock-function" (0x312d0018)
"redisplay_internal (C function)" (0x0)

(gdb) up
#1  0x00000000005395ef in search_buffer (string=string@entry=48209668, pos=, pos_byte=, lim=lim@entry=1556364, lim_byte=lim_byte@entry=1556417, n=1, RE=1, trt=0, inverse_trt=0, posix=false) at search.c:1265
1265	  val = re_search_2 (bufp, (char *) p1, s1, (char *) p2, s2,
(gdb) print p1
$30 = (unsigned char *) 0x6154ca8
(gdb) print BEGV_ADDR
$31 = (unsigned char *) 0x5e0dca8 "-*- mode: grep; default-directory: \"/tmp/alt/\" -*-\nGrep started at Wed Oct 26 17:08:00\n\nfind . -type d \\( -path \\*/SCCS -o -path \\*/RCS -o -path \\*/CVS -o -path \\*/MCVS -o -path \\*/.src -o -path \\*/.s"...

So, while BEGV_ADDR is valid, re_search_2 gets called with an invalid pointer, which is strange because p1 is initialized from BEGV_ADDR a few lines earlier and there are no locations within search_buffer where p1 is updated. That can only mean that BEGV_ADDR is updated somewhere within search_buffer. Is the rgrep process supposed to be able to write to (hence possibly reallocate) its buffer during a single search_buffer call? Can somebody help me with producing a test case for this for the bug report?

Thanks
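The hazard the report reasons about (a local pointer taken from the buffer's base address, followed by something that relocates the buffer text before the pointer is used) can be shown in isolation. The program below is an added example written for this page; it is not Emacs source and does not model Emacs internals, and all names in it (tbuf, grow_hook, cached_base_goes_stale, find_after_hook) and the sample text are constructed. It contrasts the stale-pointer shape with the safer shape of carrying offsets and re-deriving the pointer after the last call that could move storage.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a growable text buffer whose storage moves when
   text is appended.  Hypothetical names; example code, not Emacs source. */
typedef struct {
    unsigned char *text;   /* plays the role of the buffer's base address */
    size_t len;
} tbuf;

static void tbuf_init(tbuf *b, const char *s)
{
    b->len = strlen(s);
    b->text = malloc(b->len + 1);
    if (!b->text) abort();
    memcpy(b->text, s, b->len + 1);
}

static void tbuf_free(tbuf *b)
{
    free(b->text);
    b->text = NULL;
    b->len = 0;
}

/* Append by always moving to a fresh allocation, so that in this demo every
   insert relocates the text and invalidates any pointer taken earlier. */
static void tbuf_append(tbuf *b, const char *s)
{
    size_t n = strlen(s);
    unsigned char *fresh = malloc(b->len + n + 1);
    if (!fresh) abort();
    memcpy(fresh, b->text, b->len);
    memcpy(fresh + b->len, s, n + 1);
    free(b->text);
    b->text = fresh;
    b->len += n;
}

/* Something that may run in the middle of a search and modify the buffer,
   such as subprocess output being inserted. */
typedef void (*reentry_fn)(tbuf *);

static void grow_hook(tbuf *b) { tbuf_append(b, "\n./src/foo.c:12:match\n"); }
static void noop_hook(tbuf *b) { (void)b; }

/* The shape from the report: cache the base pointer, then let something
   re-enter and grow the buffer.  Returns 1 when the cached address no longer
   matches current storage, i.e. dereferencing it would be a use-after-free.
   The address is held as an integer so the comparison never touches the
   old pointer itself. */
static int cached_base_goes_stale(tbuf *b, reentry_fn hook)
{
    uintptr_t p1 = (uintptr_t)b->text;   /* like p1 = BEGV_ADDR */
    hook(b);                             /* storage may relocate here */
    return p1 != (uintptr_t)b->text;
}

/* Safer shape: carry positions as offsets, which survive relocation, and
   derive the pointer from the buffer only after the last call that could
   move storage.  Returns the byte offset of needle, or -1 if absent. */
static long find_after_hook(tbuf *b, const char *needle, reentry_fn hook)
{
    size_t start = 0;                    /* an offset, not a pointer */
    hook(b);                             /* may relocate the text */
    unsigned char *base = b->text;       /* recomputed after the hook */
    char *hit = strstr((char *)base + start, needle);
    return hit ? (long)((unsigned char *)hit - base) : -1;
}

/* Self-contained scenarios over constructed sample text. */
static int scenario_stale(reentry_fn hook)
{
    tbuf b;
    tbuf_init(&b, "-*- mode: grep -*-\nGrep started\n");
    int r = cached_base_goes_stale(&b, hook);
    tbuf_free(&b);
    return r;
}

static long scenario_find(const char *needle, reentry_fn hook)
{
    tbuf b;
    tbuf_init(&b, "header\n");
    long r = find_after_hook(&b, needle, hook);
    tbuf_free(&b);
    return r;
}

int main(void)
{
    /* Exit status 0 when the stale case is detected and the offset-based
       search still finds text appended during the hook. */
    return (scenario_stale(grow_hook) == 1 &&
            scenario_find("foo.c", grow_hook) == 14) ? 0 : 1;
}
```

The model forces a relocation on every insert, which a real allocator does not guarantee; that is what makes the stale case reproducible rather than intermittent, which is the same reason a real use-after-free of this shape shows up only when the buffer happens to be moved.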