I forgot to make clear that I verified with gdb that args[0] == Vtimer_list.

And if there's anything else you would like me to debug, please let me know. It's very unfortunate I can't reproduce it with emacs -Q and I realize that makes it impossible for you to deal with this bug except through information I provide.

Thanks for trying anyway,
Pip

On Sun, Aug 30, 2015 at 3:24 PM, Pip Cet wrote:

> On Sun, Aug 30, 2015 at 3:01 PM, Eli Zaretskii wrote:
>
>> > Date: Sun, 30 Aug 2015 12:51:26 +0000
>> > From: Pip Cet
>> > Somehow, the argument to Fcopy_sequence was changed while concat was
>> > underway.
>>
>> How do you see that?
>
> I originally concluded it was the only way to trigger the bug, but I just
> managed to trigger it again and have it open in a GDB session:
>
> #1 0x00000000005efdb3 in concat (nargs=1, args=0x7fffffff76e8,
> target_type=Lisp_Cons, last_special=false) at fns.c:747
> 747 XSETCAR (tail, elt);
> (gdb) p result_len
> $22 = 4
> (gdb) p debug_print(Flength(args[0]))
> 5
> $23 = void
> (gdb)
>
>> > Further investigation indicates that
>> > window-configuration-change-hook was called in the middle of concat:
>>
>> Did you understand how this fact is related to the segfault?
>
> I _think_ I do.
>
> 1. concat called with args[0] == Vtimer_list
> 2. concat stores result_len (=4)
> 3. concat calls make_list (4)
> 4. make_list interrupted by QUIT
> 5. see stack trace
> 6. window-configuration-change-hook modifies Vtimer_list, which now has
> length 5
> 7. control returns to concat
> 8. concat tries to write 5 elements into a 4-element list, which causes
> the segfault because `tail' is unexpectedly NULL.
>
> Does that make sense to you?
>
> Thanks,
> Pip
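The sequence in steps 1-8 of the quoted message, modelled as an added example that is not part of the original e-mail and is not Emacs source: a toy cons list is copied using a length snapshot, and a guard in the copy loop reports the mismatch instead of writing through a NULL `tail`. The names `cell`, `alloc_hook`, `grow_source`, `copy_list` and `demo` are hypothetical, and the hook is run right after allocation to stand in for the interruption inside make_list.

```c
/* Added illustration, not Emacs source: a length snapshot that goes stale
   while the destination list is being allocated. Cells are leaked for brevity. */
#include <stddef.h>
#include <stdlib.h>

struct cell { int car; struct cell *cdr; };
typedef void (*alloc_hook)(struct cell *src);  /* hypothetical: code run mid-allocation */

static struct cell *push(struct cell *list, int v) {
    struct cell *c = malloc(sizeof *c);
    if (!c) abort();
    c->car = v; c->cdr = list;
    return c;
}

static size_t length(const struct cell *l) {
    size_t n = 0;
    for (; l; l = l->cdr) n++;
    return n;
}

/* Appends one element to src, as the hook did to Vtimer_list (4 -> 5). */
static void grow_source(struct cell *src) {
    while (src->cdr) src = src->cdr;
    src->cdr = push(NULL, 99);
}

/* Returns 0 on success, -1 if src no longer matches the snapshot length. */
static int copy_list(struct cell *src, alloc_hook hook, struct cell **out) {
    size_t result_len = length(src);            /* step 2: snapshot */
    struct cell *result = NULL;
    for (size_t i = 0; i < result_len; i++)     /* step 3: allocate */
        result = push(result, 0);
    if (hook) hook(src);                        /* steps 4-7: src mutated */
    *out = result;
    struct cell *tail = result;
    for (struct cell *s = src; s; s = s->cdr) {
        if (tail == NULL) return -1;            /* step 8: unchecked code writes here */
        tail->car = s->car;
        tail = tail->cdr;
    }
    return tail == NULL ? 0 : -1;               /* src shrank: also a mismatch */
}

/* Constructed input: the list (1 2 3 4); mutate != 0 installs grow_source. */
int demo(int mutate) {
    struct cell *src = NULL, *out = NULL;
    for (int v = 4; v >= 1; v--) src = push(src, v);
    return copy_list(src, mutate ? grow_source : NULL, &out);
}
```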