From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Pip Cet via "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#71744: 29.4;
 SIGSEGV during completion-at-point in lsp-mode with corfu and cape
Date: Thu, 15 Aug 2024 09:07:39 +0000
Message-ID: <87jzgi17dy.fsf@protonmail.com>
References: <CAG3xYBCnnend0gP+2SCdoQVRhcxryO9YfmzFJCQN_zDthXz82g@mail.gmail.com>
 <vg_LwJgMLRxmmvWDzEi5jju4NCWBzOOaYb3lgnkHu-hUlD_C3YtjdDis6jGriB3HPruYNQ0MgT8OoQ1jH_mzUhAxr9Yb1zkAlu9wvpb-D8I=@pm.me>
 <86mslf8axb.fsf@gnu.org>
 <xx7x0Z_rwNEcj4OiuQGtBYWJWr-4-LXoOOJcS5BHeiMe8BKII-ytGa9eADFaWPapHQD9ceac4qC6SCBrXrlZjjYrOyTL5WP5LcCeX9z2Raw=@pm.me>
 <86ed6r8535.fsf@gnu.org> <86cymb846o.fsf@gnu.org>
Reply-To: Pip Cet <pipcet@protonmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="31622"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: sigve.indregard@pm.me, 71744@debbugs.gnu.org
To: Eli Zaretskii <eliz@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Thu Aug 15 11:08:45 2024
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1seWTK-00080r-Q6
	for geb-bug-gnu-emacs@m.gmane-mx.org; Thu, 15 Aug 2024 11:08:43 +0200
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1seWT6-0001OW-Vl; Thu, 15 Aug 2024 05:08:30 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1seWT4-0001O9-Te
 for bug-gnu-emacs@gnu.org; Thu, 15 Aug 2024 05:08:27 -0400
Original-Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1seWT4-0002Wl-KG
 for bug-gnu-emacs@gnu.org; Thu, 15 Aug 2024 05:08:26 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=debbugs.gnu.org; s=debbugs-gnu-org; 
 h=MIME-Version:References:In-Reply-To:From:Date:To:Subject;
 bh=HUnwuwxMEQ+Hy348Ef3Qi7TTIpyCz2QpQ/8mJublhB4=; 
 b=EPSDvgqXPgkOl3TXxaOIpSuFeV7mD5agMGizf0muWPcMqdGmGFnj2BauPD/L25F2wsbM4BrI8AbnAo0C+sxgbROYYJ8UJnIWl5rAyItWJ1FkwZXIqCikXVNn6eJgSZwyGrjgnhzX21XmbwXIxTvJlNffnZO8m6o2/qTVcsVUV+sqizSo/bHCTNtyavmM7WWXIGgs2BGks1lUQYDy5OOzcr9Txm7rKwp4odHnRaIssq69SKi8xo9w7kKh4R/oIv3p2YvlSMaDZIGvHXGGDNme6Ite/F49nzYThDSOOWVKj4MJ5B9bgZ7mYjTYQYGtyY6OA+TIi84EHV+X6PDp4PYfGg==;
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1seWTe-0006mp-Gw
 for bug-gnu-emacs@gnu.org; Thu, 15 Aug 2024 05:09:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Pip Cet <pipcet@protonmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Thu, 15 Aug 2024 09:09:02 +0000
Resent-Message-ID: <handler.71744.B71744.172371291226044@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 71744
X-GNU-PR-Package: emacs
Original-Received: via spool by 71744-submit@debbugs.gnu.org id=B71744.172371291226044
 (code B ref 71744); Thu, 15 Aug 2024 09:09:02 +0000
Original-Received: (at 71744) by debbugs.gnu.org; 15 Aug 2024 09:08:32 +0000
Original-Received: from localhost ([127.0.0.1]:48348 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1seWT9-0006lz-IO
 for submit@debbugs.gnu.org; Thu, 15 Aug 2024 05:08:32 -0400
Original-Received: from mail-4316.protonmail.ch ([185.70.43.16]:20527)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <pipcet@protonmail.com>) id 1seWT6-0006lj-GV
 for 71744@debbugs.gnu.org; Thu, 15 Aug 2024 05:08:29 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1723712865; x=1723972065;
 bh=HUnwuwxMEQ+Hy348Ef3Qi7TTIpyCz2QpQ/8mJublhB4=;
 h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
 Message-ID:BIMI-Selector;
 b=XNxVfkLDDTCYmqNOifc+kvscPd8m99l04owrxlJ41VL34QP4oN8nwvdjc7iobytqg
 RPkhm5RnCkLUD0pb3Jw+XAIcnn553JFV+l9BEGEfuwHxODtj7GEdjUhbVllQwOsRCi
 ZZpSvOvCvCvvalFYvEsOEzI2T7ebQTnF4YU9PAz0RENkBW+PX43IRVq3TRe5hsBVOy
 MjSOHJcl+/s1RS1Z8w5LOE0yRt24q71OCI46osPH3tvqM3yOLHkSih/OsTLWgZIpfk
 pltF8jSyXQ3TqXAIaj75r9WFtIJHpNpi/W63LmWVqSavb8xzbL/b774WVU93XJGBqd
 P7rgKbvrgTAHg==
In-Reply-To: <86cymb846o.fsf@gnu.org>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: 78e54a34eea011a0e3be73d37fdc3166ae41590a
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:290175
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/290175>

Pip Cet <pipcet@protonmail.com> writes:

> "Eli Zaretskii" <eliz@gnu.org> writes:
>
>>> Cc: 71744@debbugs.gnu.org
>>> Date: Wed, 14 Aug 2024 19:03:10 +0300
>>> From: Eli Zaretskii <eliz@gnu.org>
>>>
>>> > Date: Wed, 14 Aug 2024 15:40:34 +0000
>>> > From: Sigve Indregard <sigve.indregard@pm.me>
>>> > Cc: 71744@debbugs.gnu.org
>>> >
>>> > (gdb) frame 3
>>> > #3  parse_modifiers (symbol=3DXIL(0x5555564e3dc0)) at /usr/src/debug/=
emacs/emacs-29.4-wayland/src/keyboard.c:6888
>>> > 6888=09parse_modifiers (Lisp_Object symbol)
>>> > (gdb) print symbol
>>> > $11 =3D XIL(0x5555564e3dc0)
>>> > (gdb) xsymbol
>>> > $12 =3D (struct Lisp_Symbol *) 0xaaaaac1f1640
>>> > Cannot access memory at address 0xaaaaac1f1648
>>
>> Btw, this 0x5555564e3dc0 value is the same as the pointer to old_kbd
>> inside read_char:
>>
>>   #7  read_char (commandflag=3D0, map=3D0x0, prev_event=3D0x0, used_mous=
e_menu=3D0x0, end_time=3D0x7fffffffb5b0) at /usr/src/debug/emacs/emacs-29.4=
-wayland/src/keyboard.c:3018
>> =09  c =3D <optimized out>
>> =09  local_getcjmp =3D {{__jmpbuf =3D {93825000405056, -5147324661749537=
557, 1, 4611686019484352512, 5, 0, -5147324661946669845, -13138346963781783=
25}, __mask_was_saved =3D 0, __saved_mask =3D {__val =3D {0, 93825010269488=
, 93825104789632, 140737488335792, 18446744073709550936, 11, 93825104789616=
, 140737488335856, 140737279378894, 140737488335856, 140737488335920, 0, 14=
0737488335920, 0, 93825010269488, 140737488336000}}}}
>> =09  save_jump =3D {{__jmpbuf =3D {12048, 140737188459256, 1407374883358=
56, 93825095637120, 16, -7692597586030666240, 48, 1}, __mask_was_saved =3D =
1453957408, __saved_mask =3D {__val =3D {140737488335776, 2, 14073748833582=
4, 140737488335760, 140737321006214, 1, 140737321006651, 143195355577426903=
04, 6, 140737488335696, 140737279373914, 93825000331312, 0, 1, 1, 938235605=
81122}}}}
>> =09  tem =3D <optimized out>
>> =09  save =3D 0x0
>> =09  previous_echo_area_message =3D 0x0
>> =09  also_record =3D 0x0
>> =09  reread =3D false
>> =09  recorded =3D false
>> =09  polling_stopped_here =3D false
>> =09  orig_kboard =3D 0x5555564e3dc0  <<<<<<<<<<<<<<<<<<<<<<<
>>
>> So either the value of orig_kboard here is bogus (perhaps due to
>> optimizations), or somehow the variable C, which is supposed to hold
>> an input event, holds something very different instead, and then it's
>> a small surprise that we crash.
>
> I think this looks like a setjmp-related bug. If this sys_setjmp in
> read_char:
>
>   specpdl_ref jmpcount =3D SPECPDL_INDEX ();
>   if (sys_setjmp (local_getcjmp))
>     {
>       /* Handle quits while reading the keyboard.  */
>
> returns true, we goto non_reread, where we test NILP (c). However, 'c'
> is not declared volatile, and it might have changed, which would lead to
> undefined behavior, including the possibility of holding another value
> like orig_kboard.
>
> I'm afraid the only way to know for sure whether there's anything to
> that theory is to look at the output of "disass/rs read_char" in gdb,
> using the exact same binary that crashed, and check it line by line
> (about 3,000 lines here...)

I've done that now, and the bug is as I've described: the location
-0x4e8(%rbp) sometimes holds orig_kboard, but is assumed to hold 'c'
after a longjmp.

This should fix it:

diff --git a/src/keyboard.c b/src/keyboard.c
index b312d529e59..148b9ee4dbf 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -2522,7 +2522,7 @@ read_char (int commandflag, Lisp_Object map,
 =09   Lisp_Object prev_event,
 =09   bool *used_mouse_menu, struct timespec *end_time)
 {
-  Lisp_Object c;
+  volatile Lisp_Object c;
   sys_jmp_buf local_getcjmp;
   sys_jmp_buf save_jump;
   Lisp_Object tem, save;


But it'd be really nice to recreate the buggy build and apply just this
patch and see whether that fixes things. Unfortunately, Arch builds are
very hard to reproduce precisely, so I'm not sure I can do it.

Pip