all messages for Emacs-related lists mirrored at yhetil.org
From: Pip Cet via "Bug reports for GNU Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
To: Eli Zaretskii <eliz@gnu.org>
Cc: execvy@gmail.com, 72692@debbugs.gnu.org
Subject: bug#72692: Emacs 31.05 (40eecd594ac) get SIGSEGV on Linux (Linux 6.6.45 Kde Wayland)
Date: Mon, 19 Aug 2024 15:03:13 +0000
Message-ID: <87y14sd07m.fsf@protonmail.com>
In-Reply-To: <868qwsy40c.fsf@gnu.org>

"Eli Zaretskii" <eliz@gnu.org> writes:

>> Date: Mon, 19 Aug 2024 13:32:42 +0000
>> From: Pip Cet <pipcet@protonmail.com>
>> Cc: execvy@gmail.com, 72692@debbugs.gnu.org
>>
>> >> * modify the right frame parameter (such as alpha-background) so that
>> >>   the basic faces are re-realized ('free_realized_face' is called for
>> >>   them), but 'free_realized_faces' is not.
>> >
>> > Basic faces are routinely freed and re-realized whenever we start the
>> > display iteration, see init_iterator.
>>
>> > AFAIR, all you need to do for
>> > that is to customize some face -- doing so sets the face_change flag,
>> > and init_iterator will then normally free all the faces and realize
>> > them again.
>>
>> ... which won't trigger the bug, because it calls 'free_realized_faces'.
>
> Not necessarily.  I show below a backtrace which called
> realize_basic_faces and triggered the same freeing of the fontset of
> the ASCII face.  This was obtained by changing the color of the
> default face via Customize.

But only momentarily, right? Because we set f->face_change = true in
update_face_from_frame_parameter, under this comment:

  /* Changing a named face means that all realized faces depending on
     that face are invalid.  Since we cannot tell which realized faces
     depend on the face, make sure they are all removed.  This is done
     by setting face_change.  The next call to init_iterator will then
     free realized faces.  */

>> I specifically explained why 'free_realized_face' must be called
>> directly, not via (or after) 'free_realized_faces', to trigger the bug.
>
> Any caller of realize_face (and only those, AFAICT) will go that path.

'realize_basic_faces' doesn't call 'free_realized_faces', just
'free_realized_face', via 'realize_face' and its 'former_face_id'.

> Which is why I asked for a backtrace in your case (since I cannot
> reproduce it exactly myself).  As I explained in my other message,
> there's potentially a much more serious problem here, if indeed you
> are right.

I think it's a serious problem either way.  Leaving a pointer to freed
memory in a structure is a bug unless there's a VERY LOUD COMMENT
explaining that this is so.

>> I meant why we need at least two non-ASCII faces to trigger the bug.
>
> Which bug?  I can trigger freeing the fontset of an ASCII face while
> its non-ASCII variants are not freed without having 2 ASCII faces, see
> the backtrace below.

I can trigger that part, but not the crash, using only one non-ASCII
face.

>> Here's a reproducer hibiscus.el which uses buffer text:
>>
>> (while t
>>   (insert (concat (make-string 1 (floor (random 132000)))))
>>   (set-frame-parameter nil 'alpha-background 1.0)
>>   (sit-for 1.0))
>
> Thanks, but this doesn't help me because AFAIK alpha-background is not
> supported on Windows.

w32_frame_parm_handlers includes it by setting the
gui_set_alpha_background slot, though.

> Here's the backtrace I promised:
>
> #0  realize_face (cache=0x7c73288, attrs=0xbfb8d8, former_face_id=0)
>     at xfaces.c:6097
> #1  0x00df6b33 in realize_default_face (f=0x7c6bad8) at xfaces.c:6010
> #2  0x00df5d73 in realize_basic_faces (f=0x7c6bad8) at xfaces.c:5862
> #3  0x00def95a in update_face_from_frame_parameter (f=0x7c6bad8,
>     param=XIL(0x8940), new_value=XIL(0x8000000010805bb8)) at xfaces.c:3813

update_face_from_frame_parameter will set f->face_change = true before
it returns.

> And I wrote a simple GDB script that loops over the cached faces when
> free_realized_face is called under conditions that will cause it to
> call free_face_fontset, and got this:
>
>   face 0xbcad118(N), fontset 3, ascii 0x10643628
>   face 0x1025a7f0(N), fontset 3, ascii 0x10643628
>   face 0x101a0f50(N), fontset 3, ascii 0x10643628
>   face 0x1016a328(N), fontset 3, ascii 0x10643628
>   face 0xc02ed68(N), fontset 3, ascii 0x10643628
>   face 0xb9fb020(N), fontset 3, ascii 0x10643628
>   face 0xb98fc38(N), fontset 3, ascii 0x10643628
>   face 0xb9b1498(N), fontset 3, ascii 0x10643628
>   face 0x7c4cd48(N), fontset 3, ascii 0x10643628
>   face 0xbcbb350(N), fontset 3, ascii 0x10643628
>   face 0x107e5410(N), fontset 3, ascii 0x10643628
>   face 0x105ff8e8(N), fontset 3, ascii 0x10643628
>   face 0xbcab9f8(N), fontset 3, ascii 0x10643628
>   face 0xb9c8cd0(N), fontset 3, ascii 0x10643628
>   face 0xb99e470(N), fontset 3, ascii 0x10643628
>   face 0xb998d38(N), fontset 3, ascii 0x10643628
>   face 0xb97cbd0(N), fontset 3, ascii 0x10643628
>   face 0x104ac2b8(N), fontset 3, ascii 0x10643628
>   face 0x10167af0(N), fontset 3, ascii 0x10643628
>   face 0x10643d30(N), fontset 3, ascii 0x10643628
>   face 0x104d0c48(N), fontset 3, ascii 0x10643628
>   face 0x107e31b0(N), fontset 3, ascii 0x10643628
>   face 0xb949650(N), fontset 3, ascii 0x10643628
>   face 0xb949758(N), fontset 3, ascii 0x10643628
>   face 0x105403f0(N), fontset 3, ascii 0x10643628
>   face 0x105404f8(N), fontset 3, ascii 0x10643628
>   face 0x10540600(N), fontset 3, ascii 0x10643628
>   face 0x10540708(N), fontset 3, ascii 0x10643628
>   face 0x10540810(N), fontset 3, ascii 0x10643628
>   face 0x10540918(N), fontset 3, ascii 0x10643628
>   face 0x10540a20(N), fontset 3, ascii 0x10643628
>   face 0x10540b28(N), fontset 3, ascii 0x10643628
>   face 0x104a4fe8(N), fontset 3, ascii 0x10643628
>   face 0x104a50f0(N), fontset 3, ascii 0x10643628
>   face 0x104a51f8(N), fontset 3, ascii 0x10643628
>   face 0x104a5300(N), fontset 3, ascii 0x10643628
>
> The "(N)" part means that this face is not an ASCII face (its ASCII
> parent is shown by "ascii 0xNNNNN").
>
> Except that in this case the caller sets the frame's 'face_change'
> flag, which then frees and all the non-ASCII faces the first time we
> call init_iterator.

I'll check whether setting f->face_change = true in the relevant places
is enough to avoid the bug...

Pip
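
The lifetime question argued over in this message, as an added example that is not part of the original thread and is not Emacs source: a toy face cache in which freeing one ASCII face directly releases the fontset its non-ASCII variants still reference, and a deferred "free everything" flag clears those stale references at the next iteration start. All struct layouts and function names here are assumptions that only echo the thread's vocabulary; indices stand in for pointers so the stale state can be counted safely.

```c
#include <stdbool.h>

#define NFACES 4
#define NFONTSETS 2

/* Toy model, NOT Emacs source: field and function names are assumptions. */
struct face {
  bool used;
  int fontset;  /* index into fontset_live[], shared with the ASCII parent */
  int ascii;    /* cache index of the ASCII parent; own index if ASCII */
};

struct frame {
  struct face cache[NFACES];
  bool fontset_live[NFONTSETS];
  bool face_change;  /* "free everything at the next iteration start" */
};

/* Free a single face; freeing an ASCII face also releases its fontset. */
static void free_one_face(struct frame *f, int id) {
  if (f->cache[id].ascii == id)
    f->fontset_live[f->cache[id].fontset] = false;
  f->cache[id].used = false;
}

/* Cached faces that still name a released fontset (stale references). */
static int count_stale(const struct frame *f) {
  int n = 0;
  for (int i = 0; i < NFACES; i++)
    if (f->cache[i].used && !f->fontset_live[f->cache[i].fontset])
      n++;
  return n;
}

/* Start of a display iteration: honour face_change by dropping all faces. */
static void start_iteration(struct frame *f) {
  if (!f->face_change) return;
  for (int i = 0; i < NFACES; i++)
    if (f->cache[i].used) free_one_face(f, i);
  f->face_change = false;
}

/* Constructed scenario: face 0 is ASCII, faces 1 and 2 are its non-ASCII
   variants. Free only face 0, optionally set the flag, start iterating. */
static int stale_after_direct_free(bool set_face_change) {
  struct frame f = { .cache = { {true, 0, 0}, {true, 0, 0}, {true, 0, 0} },
                     .fontset_live = { true, false } };
  free_one_face(&f, 0);
  f.face_change = set_face_change;
  start_iteration(&f);
  return count_stale(&f);
}

int main(void) { return stale_after_direct_free(true); }
```
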





