From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#71929: 30.0.60; crash in mark_image_cache
Date: Tue, 09 Jul 2024 18:45:36 +0300
Message-ID: <86jzhuzhzz.fsf@gnu.org>
Cc: 71929@debbugs.gnu.org, spwhitton@spwhitton.name
To: Po Lu
In-Reply-To: (message from Po Lu on Tue, 09 Jul 2024 23:02:22 +0800)
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.io gmane.emacs.bugs:288643

> From: Po Lu
> Cc: spwhitton@spwhitton.name, 71929@debbugs.gnu.org
> Date: Tue, 09 Jul 2024 23:02:22 +0800
>
> Eli Zaretskii writes:
>
> >> From: Po Lu
> >> Cc: 71929@debbugs.gnu.org, Eli Zaretskii
> >> Date: Tue, 09 Jul 2024 22:03:34 +0800
> >>
> >> OK, I believe I understand the source of these crashes. A frame whose
> >> image cache is shared among several frames is destroyed, but its
> >> `image_cache' field is never cleared after it is destroyed, as its
> >> cache continues to be referenced, and, if references to the dead frame
> >> remain, GC attempts to mark the said image cache although its validity
> >> is no longer guaranteed. In earlier Emacs versions, this problem would
> >> have appeared if references to dead frames were preserved beyond the
> >> destruction of a display structure. This has been corrected on the
> >> emacs-30 branch, and therefore if the crashes do not resurface in a
> >> few days, I will close this ticket.
> >
> > Thanks, but I don't think I understand this part of the change you
> > installed:
> >
> > --- a/src/image.c > > +++ b/src/image.c 
> > @@ -2304,23 +2304,18 @@ uncache_image (struct frame *f, Lisp_Object spec) > > free_image_cache (struct frame *f) > > { > > struct image_cache *c = FRAME_IMAGE_CACHE (f); > > - if (c) > > - { > > - ptrdiff_t i; > > + ptrdiff_t i; > > > > - /* Cache should not be referenced by any frame when freed. */ > > - eassert (c->refcount == 0); > > + /* Cache should not be referenced by any frame when freed. */ > > + eassert (c->refcount == 0); > > > > - for (i = 0; i < c->used; ++i) > > - free_image (f, c->images[i]); > > - xfree (c->images); > > - xfree (c->buckets); > > - xfree (c); > > - FRAME_IMAGE_CACHE (f) = NULL; > > - } > > + for (i = 0; i < c->used; ++i) > > + free_image (f, c->images[i]); > > + xfree (c->images); > > + xfree (c->buckets); > > + xfree (c); > > } > > > > This basically removes the test of 'c' being non-NULL, leaving the > > rest of the code unchanged. But if 'c' is NULL, dereferencing it in > > the following code will segfault, so why remove the test? In > > particular, what about frames that were not yet allocated the image > > cache (could this happen with TTY frames, for example)? > > > > What am I missing here? > > That free_frame_faces has been the sole caller of this function for > quite some time, and it already performs the same test around its call > to free_image_cache. Such dependencies are not a good idea, IME, for public (non-static) functions, if at all, not in the long run. At the very least, please add an assertion at entry to the function which verifies that the cache is not NULL. That will at least serve as prominent documentation of the function's contract.
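
Review bot: With the `if (c)` guard removed, `eassert (c->refcount == 0);` at the top of free_image_cache now dereferences `c` unconditionally, so the function's precondition is that FRAME_IMAGE_CACHE (f) is non-NULL, and nothing in the hunk states or checks that. Since the thread describes the function as non-static and relies on the caller's own test, an `eassert (c);` placed before the refcount assertion, plus a sentence in the function's comment, would make the contract explicit and turn a misuse into an assertion failure rather than a bare segfault. The hunk also drops `FRAME_IMAGE_CACHE (f) = NULL;` after `xfree (c);`, so once this function returns the frame's field still holds the freed pointer unless the caller resets it. That is the same stale-pointer shape the quoted analysis blames for the GC crash, so the comment should say who is responsible for clearing the field, or the reset should stay here.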