bug#5856: 24.0.50; Crash in redisplay

["Jan Djärv" <jan.h.d@swipnet.se>]

Eli Zaretskii skrev 2010-04-08 23.29:
>> Date: Thu, 08 Apr 2010 18:13:20 +0200
>> From: Jan Djärv<jan.h.d@swipnet.se>
>> CC: 5856@debbugs.gnu.org
>>
>>> How many of these "C-x b"s caused the list of possible completions to
>>> exceed one screen line?  If the answer is "many" or "all", then could
>>> you try to figure out or recall if there was anything special about
>>> the ones that caused crashes?
>>
>> Somewhere between "many" and "all".  It is the same list of files I was
>> editing.  They mostly start on x (xsettings, xtern, xfns, xlwmenu, and so on),
>> so it probably looked pretty much the same each time.
>>
>> There was nothing special about the one that caused a crash I can think of.
>> It seems it just takes time. I just got a crash again, but this time I hadn't
>> started it from gdb, unfortunately.  Also, about 3-5 hours before it crashed
>> this time.
>
> I think I found the problem.  The invalid glyph that caused the crash
> was not supposed to be dereferenced.  Its pointer is exactly the same
> as `end', as your backtrace shows:
>
>    #0  0x000000000044d2f1 in set_cursor_from_row (w=0x1378d60, row=0x1fbf550,
>    matrix=0x18217a0, delta=0, delta_bytes=0, dy=0, dvpos=0) at
>    /home/jhd/src/emacs/fixes/src/xdisp.c:12775
> 	   glyph = 0x1fa5cd0
> 	   end = 0x1fa5cd0
>
> But `end' points beyond the last glyph in the TEXT_AREA of the glyph
> row:
>
>    struct glyph *end = glyph + row->used[TEXT_AREA];
>
> If we dereference this pointer, we could be referencing uninitialized
> memory, e.g. if there are no margins (i.e. no glyphs in the row after
> TEXT_AREA).
>
> The old code was careful not to dereference such a pointer, but when I
> rewrote set_cursor_from_row, I failed to copy those precautions.
>
> I installed a fix.  Please see if it stops these crashes, and if so,
> please close the bug report.
>

Great!  I'll run for a couple of days and if it doesn'r reappear I will close 
the bug.

Thanks,

	Jan D.