bug#558: 23.0.60; crash on M-x make-frame-on-display

bug#558: 23.0.60; crash on M-x make-frame-on-display

[Andreas Seltenreich]

> Please write in English if possible, because the Emacs maintainers
> usually do not have translators to read other languages for them.

> Your bug report will be posted to the emacs-pretest-bug@gnu.org mailing list.

> Please describe exactly what actions triggered the bug
> and the precise symptoms of the bug:

1. compiling emacs from CVS using
./configure --with-x-toolkit=no CFLAGS='-O2 -g -fno-crossjumping'
2. running emacs -Q -nw
3. now there's a 1 in 10 chance M-x make-frame-on-display RET :0 RET
will crash emacs with the following symptoms:

--8<---------------cut here---------------start------------->8---
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47821396663536 (LWP 3159)]
0x00002b7e4864e28e in XPending () from /usr/lib/libX11.so.6
(gdb) bt
#0  0x00002b7e4864e28e in XPending () from /usr/lib/libX11.so.6
#1  0x000000000049a33f in XTread_socket (terminal=0xefcb70, expected=1, hold_quit=0x7fff6301e830) at xterm.c:7193
#2  0x00000000004c2f05 in read_avail_input (expected=1) at keyboard.c:7086
#3  0x00000000004c2fea in handle_async_input () at keyboard.c:7313
#4  0x0000000000494a37 in x_term_init (display_name=20626963, xrm_option=0x0, resource_name=0x1c7c2b0 "emacs") at xterm.c:10128
#5  0x000000000049f783 in x_display_info_for_name (name=20626963) at xfns.c:4101
#6  0x00000000004a453d in Fx_create_frame (parms=28664357) at xfns.c:3149
#7  0x000000000052a4c6 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3042
#8  0x000000000055f32b in Fbyte_code (bytestr=<value optimized out>, vector=19839377, maxdepth=28) at bytecode.c:678
#9  0x0000000000529f6f in funcall_lambda (fun=7562500, nargs=1, arg_vector=0x7fff6301ec38) at eval.c:3229
#10 0x000000000052a345 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3088
#11 0x000000000055f32b in Fbyte_code (bytestr=<value optimized out>, vector=29642081, maxdepth=80) at bytecode.c:678
#12 0x0000000000529f6f in funcall_lambda (fun=8106276, nargs=1, arg_vector=0x7fff6301edc8) at eval.c:3229
#13 0x000000000052a345 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3088
#14 0x000000000055f32b in Fbyte_code (bytestr=<value optimized out>, vector=10541745, maxdepth=26) at bytecode.c:678
#15 0x0000000000529f6f in funcall_lambda (fun=8103764, nargs=1, arg_vector=0x7fff6301ef98) at eval.c:3229
#16 0x000000000052a345 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3088
#17 0x0000000000527522 in Fcall_interactively (function=29659713, record_flag=9669105, keys=9736036) at callint.c:857
#18 0x000000000052a4f4 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3048
#19 0x000000000052a734 in call3 (fn=<value optimized out>, arg1=<value optimized out>, arg2=140734854457392, arg3=140734854457464) at eval.c:2868
#20 0x00000000004c092c in Fexecute_extended_command (prefixarg=9669009) at keyboard.c:10533
#21 0x000000000052a4c6 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3042
#22 0x0000000000527522 in Fcall_interactively (function=9739089, record_flag=9669009, keys=9736036) at callint.c:857
#23 0x000000000052a4f4 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3048
#24 0x000000000052a734 in call3 (fn=<value optimized out>, arg1=<value optimized out>, arg2=140734854457392, arg3=140734854457464) at eval.c:2868
#25 0x00000000004cd322 in command_loop_1 () at keyboard.c:1910
#26 0x0000000000528d34 in internal_condition_case (bfun=0x4ccf60 <command_loop_1>, handlers=9756209, hfun=0x4c6ab0 <cmd_error>) at eval.c:1511
#27 0x00000000004c5d9a in command_loop_2 () at keyboard.c:1367
#28 0x0000000000528e37 in internal_catch (tag=<value optimized out>, func=0x4c5d80 <command_loop_2>, arg=9669009) at eval.c:1247
#29 0x00000000004c68f3 in command_loop () at keyboard.c:1346
#30 0x00000000004c6c8c in recursive_edit_1 () at keyboard.c:955
#31 0x00000000004c6df0 in Frecursive_edit () at keyboard.c:1017
#32 0x00000000004bc533 in main (argc=3, argv=0x7fff6301fe38) at emacs.c:1762

Lisp Backtrace:
  "x-create-frame" (0x6301eaa8)
  "x-create-frame-with-faces" (0x6301ec38)
  "make-frame" (0x6301edc8)
  "make-frame-on-display" (0x6301ef98)
  "call-interactively" (0x6301f1b8)
  "execute-extended-command" (0x6301f368)
  "call-interactively" (0x6301f578)
(gdb) up
#1  0x000000000049a33f in XTread_socket (terminal=0xefcb70, expected=1, hold_quit=0x7fff6301e830) at xterm.c:7193
(gdb) list
7188	#endif
7189	    }
7190	#endif
7191	
7192	#ifndef USE_GTK
7193	  while (XPending (terminal->display_info.x->display))
7194	    {
7195	      int finish;
7196	
7197	      XNextEvent (terminal->display_info.x->display, &event);
(gdb) p terminal->display_info.x->display
$1 = (Display *) 0x0
(gdb) up
#2  0x00000000004c2f05 in read_avail_input (expected=1) at keyboard.c:7086
(gdb) 
#3  0x00000000004c2fea in handle_async_input () at keyboard.c:7313
(gdb) 
#4  0x0000000000494a37 in x_term_init (display_name=20626963, xrm_option=0x0, resource_name=0x1c7c2b0 "emacs") at xterm.c:10128
(gdb) list
10123		init_kboard (terminal->kboard);
10124		terminal->kboard->Vwindow_system = intern ("x");
10125		if (!EQ (XSYMBOL (Qvendor_specific_keysyms)->function, Qunbound))
10126		  {
10127		    char *vendor = ServerVendor (dpy);
10128		    UNBLOCK_INPUT;
10129		    terminal->kboard->Vsystem_key_alist
10130		      = call1 (Qvendor_specific_keysyms,
10131			       vendor ? build_string (vendor) : empty_unibyte_string);
10132		    BLOCK_INPUT;
(gdb) p terminal == terminal_list
$2 = 1
(gdb) p terminal->display_info.x->display
$3 = (Display *) 0x0
(gdb)
--8<---------------cut here---------------end--------------->8---

I can no longer trigger any crashes after patching xterm.c like this:

--8<---------------cut here---------------start------------->8---
*** xterm.c.~1.1000.~	2008-07-13 18:20:31.000000000 +0200
--- xterm.c	2008-07-14 05:22:26.000000000 +0200
***************
*** 10125,10135 ****
--- 10125,10140 ----
  	if (!EQ (XSYMBOL (Qvendor_specific_keysyms)->function, Qunbound))
  	  {
  	    char *vendor = ServerVendor (dpy);
+ 	    /* temporarily hide the partially initialized terminal */
+ 	    xassert(terminal_list == terminal);
+ 	    terminal_list = terminal->next;
  	    UNBLOCK_INPUT;
  	    terminal->kboard->Vsystem_key_alist
  	      = call1 (Qvendor_specific_keysyms,
  		       vendor ? build_string (vendor) : empty_unibyte_string);
  	    BLOCK_INPUT;
+ 	    terminal->next = terminal_list;
+ 	    terminal_list = terminal;
  	  }
  
  	terminal->kboard->next_kboard = all_kboards;
--8<---------------cut here---------------end--------------->8---

Here's a ChangeLog entry in case this fix is actually correct.

--8<---------------cut here---------------start------------->8---
2008-07-14  Andreas Seltenreich  <seltenreich@gmx.de>

	* xterm.c (x_term_init) [MULTI_KBOARD]: Hide the partially
	initialized terminal while unblocking input for call1 of
	Qvendor_specific_keysyms.
--8<---------------cut here---------------end--------------->8---

regards,
andreas

> In GNU Emacs 23.0.60.6 (x86_64-unknown-linux-gnu)
>  of 2008-07-14 on tengen
> Windowing system distributor `The X.Org Foundation', version 11.0.70101000
> configured using `configure  '--with-x-toolkit=no' '--enable-debug''

bug#558: (23.0.60; crash on M-x make-frame-on-display)

[Andreas Seltenreich]

Emacs bug Tracking System writes:

> If you wish to submit further information on this problem, please
> send it to 558@emacsbugs.donarmstrong.com, as before.

The patch in the initial report is broken.  Sorry for the inconvenience.
Here's a tested version.

--8<---------------cut here---------------start------------->8---
*** xterm.c.~1.1000.~	2008-07-13 18:20:31.000000000 +0200
--- xterm.c	2008-07-14 19:04:45.000000000 +0200
***************
*** 10125,10135 ****
--- 10125,10140 ----
  	if (!EQ (XSYMBOL (Qvendor_specific_keysyms)->function, Qunbound))
  	  {
  	    char *vendor = ServerVendor (dpy);
+ 	    /* temporarily hide the partially initialized terminal */
+ 	    xassert(terminal_list == terminal);
+ 	    terminal_list = terminal->next_terminal;
  	    UNBLOCK_INPUT;
  	    terminal->kboard->Vsystem_key_alist
  	      = call1 (Qvendor_specific_keysyms,
  		       vendor ? build_string (vendor) : empty_unibyte_string);
  	    BLOCK_INPUT;
+ 	    terminal->next_terminal = terminal_list;
+ 	    terminal_list = terminal;
  	  }
  
  	terminal->kboard->next_kboard = all_kboards;
--8<---------------cut here---------------end--------------->8---

I also found a way to artificially cause a SIGIO at the right time to
trigger the crash more reliably:

1. compiling emacs from CVS using
./configure --with-x-toolkit=no CFLAGS='-O2 -g -fno-crossjumping'
2. running emacs -Q -nw
3. M-x find-function RET vendor-specific-keysyms RET
4. C-u C-M-x
5. crash on M-x make-frame-on-display RET :0 RET

regards,
andreas

bug#558: marked as done (23.0.60; crash on M-x make-frame-on-display)

[Emacs bug Tracking System]

[-- Attachment #1: Type: text/plain, Size: 856 bytes --]


Your message dated Tue, 26 Aug 2008 20:11:04 -0400
with message-id <877ia3nwpz.fsf@cyd.mit.edu>
and subject line Re: bug#558: (23.0.60; crash on M-x make-frame-on-display)
has caused the Emacs bug report #558,
regarding 23.0.60; crash on M-x make-frame-on-display
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact don@donarmstrong.com
immediately.)


-- 
558: http://emacsbugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=558
Emacs Bug Tracking System
Contact don@donarmstrong.com with problems

[-- Attachment #2: Type: message/rfc822, Size: 9602 bytes --]

From: Andreas Seltenreich <seltenreich@gmx.de>
To: emacs-pretest-bug@gnu.org
Subject: 23.0.60; crash on M-x make-frame-on-display
Date: Mon, 14 Jul 2008 10:40:50 +0200
Message-ID: <87d4lg3lkd.fsf@gate450.dyndns.org>


> Please write in English if possible, because the Emacs maintainers
> usually do not have translators to read other languages for them.

> Your bug report will be posted to the emacs-pretest-bug@gnu.org mailing list.

> Please describe exactly what actions triggered the bug
> and the precise symptoms of the bug:

1. compiling emacs from CVS using
./configure --with-x-toolkit=no CFLAGS='-O2 -g -fno-crossjumping'
2. running emacs -Q -nw
3. now there's a 1 in 10 chance M-x make-frame-on-display RET :0 RET
will crash emacs with the following symptoms:

--8<---------------cut here---------------start------------->8---
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47821396663536 (LWP 3159)]
0x00002b7e4864e28e in XPending () from /usr/lib/libX11.so.6
(gdb) bt
#0  0x00002b7e4864e28e in XPending () from /usr/lib/libX11.so.6
#1  0x000000000049a33f in XTread_socket (terminal=0xefcb70, expected=1, hold_quit=0x7fff6301e830) at xterm.c:7193
#2  0x00000000004c2f05 in read_avail_input (expected=1) at keyboard.c:7086
#3  0x00000000004c2fea in handle_async_input () at keyboard.c:7313
#4  0x0000000000494a37 in x_term_init (display_name=20626963, xrm_option=0x0, resource_name=0x1c7c2b0 "emacs") at xterm.c:10128
#5  0x000000000049f783 in x_display_info_for_name (name=20626963) at xfns.c:4101
#6  0x00000000004a453d in Fx_create_frame (parms=28664357) at xfns.c:3149
#7  0x000000000052a4c6 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3042
#8  0x000000000055f32b in Fbyte_code (bytestr=<value optimized out>, vector=19839377, maxdepth=28) at bytecode.c:678
#9  0x0000000000529f6f in funcall_lambda (fun=7562500, nargs=1, arg_vector=0x7fff6301ec38) at eval.c:3229
#10 0x000000000052a345 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3088
#11 0x000000000055f32b in Fbyte_code (bytestr=<value optimized out>, vector=29642081, maxdepth=80) at bytecode.c:678
#12 0x0000000000529f6f in funcall_lambda (fun=8106276, nargs=1, arg_vector=0x7fff6301edc8) at eval.c:3229
#13 0x000000000052a345 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3088
#14 0x000000000055f32b in Fbyte_code (bytestr=<value optimized out>, vector=10541745, maxdepth=26) at bytecode.c:678
#15 0x0000000000529f6f in funcall_lambda (fun=8103764, nargs=1, arg_vector=0x7fff6301ef98) at eval.c:3229
#16 0x000000000052a345 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3088
#17 0x0000000000527522 in Fcall_interactively (function=29659713, record_flag=9669105, keys=9736036) at callint.c:857
#18 0x000000000052a4f4 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3048
#19 0x000000000052a734 in call3 (fn=<value optimized out>, arg1=<value optimized out>, arg2=140734854457392, arg3=140734854457464) at eval.c:2868
#20 0x00000000004c092c in Fexecute_extended_command (prefixarg=9669009) at keyboard.c:10533
#21 0x000000000052a4c6 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3042
#22 0x0000000000527522 in Fcall_interactively (function=9739089, record_flag=9669009, keys=9736036) at callint.c:857
#23 0x000000000052a4f4 in Ffuncall (nargs=<value optimized out>, args=<value optimized out>) at eval.c:3048
#24 0x000000000052a734 in call3 (fn=<value optimized out>, arg1=<value optimized out>, arg2=140734854457392, arg3=140734854457464) at eval.c:2868
#25 0x00000000004cd322 in command_loop_1 () at keyboard.c:1910
#26 0x0000000000528d34 in internal_condition_case (bfun=0x4ccf60 <command_loop_1>, handlers=9756209, hfun=0x4c6ab0 <cmd_error>) at eval.c:1511
#27 0x00000000004c5d9a in command_loop_2 () at keyboard.c:1367
#28 0x0000000000528e37 in internal_catch (tag=<value optimized out>, func=0x4c5d80 <command_loop_2>, arg=9669009) at eval.c:1247
#29 0x00000000004c68f3 in command_loop () at keyboard.c:1346
#30 0x00000000004c6c8c in recursive_edit_1 () at keyboard.c:955
#31 0x00000000004c6df0 in Frecursive_edit () at keyboard.c:1017
#32 0x00000000004bc533 in main (argc=3, argv=0x7fff6301fe38) at emacs.c:1762

Lisp Backtrace:
  "x-create-frame" (0x6301eaa8)
  "x-create-frame-with-faces" (0x6301ec38)
  "make-frame" (0x6301edc8)
  "make-frame-on-display" (0x6301ef98)
  "call-interactively" (0x6301f1b8)
  "execute-extended-command" (0x6301f368)
  "call-interactively" (0x6301f578)
(gdb) up
#1  0x000000000049a33f in XTread_socket (terminal=0xefcb70, expected=1, hold_quit=0x7fff6301e830) at xterm.c:7193
(gdb) list
7188	#endif
7189	    }
7190	#endif
7191	
7192	#ifndef USE_GTK
7193	  while (XPending (terminal->display_info.x->display))
7194	    {
7195	      int finish;
7196	
7197	      XNextEvent (terminal->display_info.x->display, &event);
(gdb) p terminal->display_info.x->display
$1 = (Display *) 0x0
(gdb) up
#2  0x00000000004c2f05 in read_avail_input (expected=1) at keyboard.c:7086
(gdb) 
#3  0x00000000004c2fea in handle_async_input () at keyboard.c:7313
(gdb) 
#4  0x0000000000494a37 in x_term_init (display_name=20626963, xrm_option=0x0, resource_name=0x1c7c2b0 "emacs") at xterm.c:10128
(gdb) list
10123		init_kboard (terminal->kboard);
10124		terminal->kboard->Vwindow_system = intern ("x");
10125		if (!EQ (XSYMBOL (Qvendor_specific_keysyms)->function, Qunbound))
10126		  {
10127		    char *vendor = ServerVendor (dpy);
10128		    UNBLOCK_INPUT;
10129		    terminal->kboard->Vsystem_key_alist
10130		      = call1 (Qvendor_specific_keysyms,
10131			       vendor ? build_string (vendor) : empty_unibyte_string);
10132		    BLOCK_INPUT;
(gdb) p terminal == terminal_list
$2 = 1
(gdb) p terminal->display_info.x->display
$3 = (Display *) 0x0
(gdb)
--8<---------------cut here---------------end--------------->8---

I can no longer trigger any crashes after patching xterm.c like this:

--8<---------------cut here---------------start------------->8---
*** xterm.c.~1.1000.~	2008-07-13 18:20:31.000000000 +0200
--- xterm.c	2008-07-14 05:22:26.000000000 +0200
***************
*** 10125,10135 ****
--- 10125,10140 ----
  	if (!EQ (XSYMBOL (Qvendor_specific_keysyms)->function, Qunbound))
  	  {
  	    char *vendor = ServerVendor (dpy);
+ 	    /* temporarily hide the partially initialized terminal */
+ 	    xassert(terminal_list == terminal);
+ 	    terminal_list = terminal->next;
  	    UNBLOCK_INPUT;
  	    terminal->kboard->Vsystem_key_alist
  	      = call1 (Qvendor_specific_keysyms,
  		       vendor ? build_string (vendor) : empty_unibyte_string);
  	    BLOCK_INPUT;
+ 	    terminal->next = terminal_list;
+ 	    terminal_list = terminal;
  	  }
  
  	terminal->kboard->next_kboard = all_kboards;
--8<---------------cut here---------------end--------------->8---

Here's a ChangeLog entry in case this fix is actually correct.

--8<---------------cut here---------------start------------->8---
2008-07-14  Andreas Seltenreich  <seltenreich@gmx.de>

	* xterm.c (x_term_init) [MULTI_KBOARD]: Hide the partially
	initialized terminal while unblocking input for call1 of
	Qvendor_specific_keysyms.
--8<---------------cut here---------------end--------------->8---

regards,
andreas

> In GNU Emacs 23.0.60.6 (x86_64-unknown-linux-gnu)
>  of 2008-07-14 on tengen
> Windowing system distributor `The X.Org Foundation', version 11.0.70101000
> configured using `configure  '--with-x-toolkit=no' '--enable-debug''



[-- Attachment #3: Type: message/rfc822, Size: 1053 bytes --]

From: Chong Yidong <cyd@stupidchicken.com>
To: Andreas Seltenreich <seltenreich@gmx.de>
Cc: 558-done@emacsbugs.donarmstrong.com
Subject: Re: bug#558: (23.0.60; crash on M-x make-frame-on-display)
Date: Tue, 26 Aug 2008 20:11:04 -0400
Message-ID: <877ia3nwpz.fsf@cyd.mit.edu>

Thanks very much for your patch.  I've checked it in.