From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#71929: 30.0.60; crash in mark_image_cache
Date: Tue, 09 Jul 2024 17:18:20 +0300
Message-ID: <86le2azm1f.fsf@gnu.org>
To: Po Lu
Cc: 71929@debbugs.gnu.org, spwhitton@spwhitton.name
In-Reply-To: <874j8y1x3d.fsf@yahoo.com> (message from Po Lu on Tue, 09 Jul 2024 22:03:34 +0800)

> From: Po Lu
> Cc: 71929@debbugs.gnu.org, Eli Zaretskii
> Date: Tue, 09 Jul 2024 22:03:34 +0800
>
> OK, I believe I understand the source of these crashes.  A frame whose
> image cache is shared among several frames is destroyed, but its
> `image_cache' field is never cleared after it is destroyed, as its cache
> continues to be referenced, and, if references to the dead frame remain,
> GC attempts to mark the said image cache although its validity is no
> longer guaranteed.  In earlier Emacs versions, this problem would have
> appeared if references to dead frames were preserved beyond the
> destruction of a display structure.  This has been corrected on the
> emacs-30 branch, and therefore if the crashes do not resurface in a few
> days, I will close this ticket.

Thanks, but I don't think I understand this part of the change you
installed:

--- a/src/image.c +++ b/src/image.c 
@@ -2304,23 +2304,18 @@ uncache_image (struct frame *f, Lisp_Object spec) free_image_cache (struct frame *f) { struct image_cache *c = FRAME_IMAGE_CACHE (f); - if (c) - { - ptrdiff_t i; + ptrdiff_t i; - /* Cache should not be referenced by any frame when freed. */ - eassert (c->refcount == 0); + /* Cache should not be referenced by any frame when freed. */ + eassert (c->refcount == 0); - for (i = 0; i < c->used; ++i) - free_image (f, c->images[i]); - xfree (c->images); - xfree (c->buckets); - xfree (c); - FRAME_IMAGE_CACHE (f) = NULL; - } + for (i = 0; i < c->used; ++i) + free_image (f, c->images[i]); + xfree (c->images); + xfree (c->buckets); + xfree (c); } This basically removes the test of 'c' being non-NULL, leaving the rest of the code unchanged. But if 'c' is NULL, dereferencing it in the following code will segfault, so why remove the test? In particular, what about frames that were not yet allocated the image cache (could this happen with TTY frames, for example)? What am I missing here?
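
Review bot: In free_image_cache, dropping the `if (c)` guard makes `eassert (c->refcount == 0)` and the `c->used` loop dereference whatever FRAME_IMAGE_CACHE (f) returns, so a frame that has no image cache would dereference NULL here; either keep the guard or state the non-NULL precondition in the function's comment and check it at the call sites. The hunk also removes `FRAME_IMAGE_CACHE (f) = NULL;`, so after `xfree (c)` the frame's field still holds the freed pointer unless a caller, not visible in this hunk, clears it; that reset should be kept here or its new location documented.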