Emacs can be made to crash with a segmentation fault on Linux when navigating an Org mode buffer after hiding headlines with ~outline-hide-other~. This only happens when ~visual-line-mode~ and ~display-line-numbers-mode~ are active and ~display-line-numbers-type~ is set to ~'visual~. This bug can be replicated on a build from the current HEAD of emacs-27 (395f10cb98af122404bcdc2eb60d30decf297625) as well as the current HEAD of master (de54cd6f0edb3619777c17fe75560c5c84fed8a4). This bug report was produced from a version compiled from 395f10cb98af122404bcdc2eb60d30decf297625. Steps to reproduce: - 1. Launch ~emacs -Q~ 2. Enable "visual" line numbers (~(setq display-line-numbers-type 'visual)~) 3. Create an Org mode buffer with the following content: - * Heading 1 ** Heading 1a ** Heading 1b 4. Enable ~display-line-numbers-mode~ 5. Enable ~visual-line-mode~ 6. Move the point anywhere on the line with "Heading 1b" 7. Call ~outline-hide-other~ 8. Call ~previous-line~ (via keybinding or directly) Emacs then crashes with SIGSEGV. Debugging emacs in GDB while doing this seems to show a loop as follows: - Thread 1 "emacs" received signal SIGSEGV, Segmentation fault. 0x00005555555d1b39 in move_it_in_display_line_to (it=it@entry=0x7fffff6734e0, to_charpos=to_charpos@entry=171, to_x=to_x@entry=-1, op=op@entry=MOVE_TO_POS) at xdisp.c:9009 9009 { (gdb) bt #0 0x00005555555d1b39 in move_it_in_display_line_to (it=it@entry=0x7fffff6734e0, to_charpos=to_charpos@entry=171, to_x=to_x@entry=-1, op=op@entry=MOVE_TO_POS) at xdisp.c:9009 #1 0x00005555555d6bbd in move_it_to (it=0x7fffff6734e0, to_charpos=171, to_x=, to_y=, to_vpos=, op=8) at xdisp.c:9889 #2 0x00005555555d0e92 in start_display (it=it@entry=0x7fffff6734e0, w=0x555555eeffa0, pos=...) at xdisp.c:6866 #3 0x00005555555d1a50 in display_count_lines_visually (it=0x7fffff67bc70) at xdisp.c:22685 #4 maybe_produce_line_number (it=it@entry=0x7fffff67bc70) at xdisp.c:22729 #5 0x00005555555d2e11 in move_it_in_display_line_to (it=it@entry=0x7fffff67bc70, to_charpos=to_charpos@entry=171, to_x=to_x@entry=-1, op=op@entry=MOVE_TO_POS) at xdisp.c:9079 #6 0x00005555555d6bbd in move_it_to (it=0x7fffff67bc70, to_charpos=171, to_x=, to_y=, to_vpos=, op=8) at xdisp.c:9889 #7 0x00005555555d0e92 in start_display (it=it@entry=0x7fffff67bc70, w=0x555555eeffa0, pos=...) at xdisp.c:6866 #8 0x00005555555d1a50 in display_count_lines_visually (it=0x7fffff684400) at xdisp.c:22685 #9 maybe_produce_line_number (it=it@entry=0x7fffff684400) at xdisp.c:22729 (... sequence repeats ...) #1439 maybe_produce_line_number (it=it@entry=0x7fffffffb6a0) at xdisp.c:22729 #1440 0x00005555555d2e11 in move_it_in_display_line_to (it=it@entry=0x7fffffffb6a0, to_charpos=to_charpos@entry=171, to_x=to_x@entry=-1, op=op@entry=MOVE_TO_POS) at xdisp.c:9079 #1441 0x00005555555d6bbd in move_it_to (it=0x7fffffffb6a0, to_charpos=171, to_x=, to_y=, to_vpos=, op=8) at xdisp.c:9889 #1442 0x00005555555d0e92 in start_display (it=it@entry=0x7fffffffb6a0, w=w@entry=0x555555eeffa0, pos=...) at xdisp.c:6866 #1443 0x00005555555d7af4 in Fline_pixel_height () at xdisp.c:1422 #1444 0x00005555556fdae3 in Ffuncall (nargs=1, args=args@entry=0x7fffffffca70) at lisp.h:2110 #1445 0x00005555557342cc in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=, nargs=, args=) at bytecode.c:633 #1446 0x00005555556fda47 in Ffuncall (nargs=5, args=args@entry=0x7fffffffce48) at eval.c:2809 #1447 0x00005555557342cc in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=, nargs=, args=) at bytecode.c:633 #1448 0x00005555556fda47 in Ffuncall (nargs=nargs@entry=3, args=args@entry=0x7fffffffd208) at eval.c:2809 #1449 0x00005555556fa295 in Ffuncall_interactively (nargs=3, args=0x7fffffffd208) at callint.c:254 #1450 0x00005555556fdae3 in Ffuncall (nargs=nargs@entry=4, args=args@entry=0x7fffffffd200) at lisp.h:2110 #1451 0x00005555556fb676 in Fcall_interactively (function=, record_flag=, keys=) at callint.c:783 #1452 0x00005555556fdae3 in Ffuncall (nargs=4, args=args@entry=0x7fffffffd438) at lisp.h:2110 #1453 0x00005555557342cc in exec_byte_code (bytestr=, vector=, maxdepth=, args_template=, nargs=, args=) at bytecode.c:633 #1454 0x00005555556fda47 in Ffuncall (nargs=2, args=0x7fffffffd7e0) at eval.c:2809 #1455 0x00005555556fdbce in call1 (fn=fn@entry=0x4380, arg1=) at eval.c:2655 #1456 0x00005555556937e8 in command_loop_1 () at lisp.h:1033 #1457 0x00005555556fcd17 in internal_condition_case (bfun=bfun@entry=0x5555556933f0 , handlers=handlers@entry=0x90, hfun=hfun@entry=0x55555568a0f0 ) at eval.c:1356 #1458 0x0000555555684bb4 in command_loop_2 (ignore=ignore@entry=0x0) at lisp.h:1033 #1459 0x00005555556fcc59 in internal_catch (tag=tag@entry=0xd5c0, func=func@entry=0x555555684b90 , arg=arg@entry=0x0) at eval.c:1117 #1460 0x0000555555684b53 in command_loop () at lisp.h:1033 #1461 0x0000555555689cfa in recursive_edit_1 () at keyboard.c:714 #1462 0x000055555568a036 in Frecursive_edit () at keyboard.c:786 #1463 0x00005555555a69b7 in main (argc=2, argv=) at emacs.c:2066 In GNU Emacs 27.1.50 (build 2, x86_64-pc-linux-gnu, GTK+ Version 3.24.20, cairo version 1.16.0) of 2020-09-24 built on karnak Repository revision: 395f10cb98af122404bcdc2eb60d30decf297625 Repository branch: emacs-27 Windowing system distributor 'The X.Org Foundation', version 11.0.12008000 System Description: Ubuntu 20.04.1 LTS Recent messages: For information about GNU Emacs and the GNU system, type C-h C-a. Making completion list... Configured using: 'configure --with-cairo --with-mailutils --with-xwidgets --with-json' Configured features: XPM JPEG TIFF GIF PNG RSVG CAIRO SOUND GPM DBUS GSETTINGS GLIB NOTIFY INOTIFY ACL LIBSELINUX GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF ZLIB TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS XWIDGETS LIBSYSTEMD JSON PDUMPER LCMS2 GMP Important settings: value of $LC_CTYPE: en_GB.UTF-8 value of $LANG: en_GB.UTF-8 value of $XMODIFIERS: @im=ibus locale-coding-system: utf-8-unix Major mode: Lisp Interaction Minor modes in effect: tooltip-mode: t global-eldoc-mode: t eldoc-mode: t electric-indent-mode: t mouse-wheel-mode: t tool-bar-mode: t menu-bar-mode: t file-name-shadow-mode: t global-font-lock-mode: t font-lock-mode: t blink-cursor-mode: t auto-composition-mode: t auto-encryption-mode: t auto-compression-mode: t line-number-mode: t transient-mark-mode: t Load-path shadows: None found. Features: (shadow sort mail-extr emacsbug message rmc puny dired dired-loaddefs format-spec rfc822 mml easymenu mml-sec password-cache epa derived epg epg-config gnus-util rmail rmail-loaddefs text-property-search time-date subr-x seq byte-opt gv bytecomp byte-compile cconv mm-decode mm-bodies mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader cl-loaddefs cl-lib sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type mwheel term/x-win x-win term/common-win x-dnd tool-bar dnd fontset image regexp-opt fringe tabulated-list replace newcomment text-mode elisp-mode lisp-mode prog-mode register page tab-bar menu-bar rfn-eshadow isearch timer select scroll-bar mouse jit-lock font-lock syntax facemenu font-core term/tty-colors frame minibuffer cl-generic cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech european ethiopic indian cyrillic chinese composite charscript charprop case-table epa-hook jka-cmpr-hook help simple abbrev obarray cl-preloaded nadvice loaddefs button faces cus-face macroexp files text-properties overlay sha1 md5 base64 format env code-pages mule custom widget hashtable-print-readable backquote threads dbusbind inotify lcms2 dynamic-setting system-font-setting font-render-setting xwidget-internal cairo move-toolbar gtk x-toolkit x multi-tty make-network-process emacs) Memory information: ((conses 16 45107 8742) (symbols 48 6009 1) (strings 32 15461 1341) (string-bytes 1 507002) (vectors 16 10094) (vector-slots 8 130013 7762) (floats 8 20 43) (intervals 56 236 0) (buffers 1000 12))