From: Pip Cet
Newsgroups: gmane.emacs.bugs
Subject: bug#21380: 25.0.50; GTK-induced segfault when scheduling timer from window-configuration-change-hook
Date: Sun, 30 Aug 2015 15:24:26 +0000
To: Eli Zaretskii
Cc: 21380@debbugs.gnu.org
In-Reply-To: <83mvx8252m.fsf@gnu.org>

On Sun, Aug 30, 2015 at 3:01 PM, Eli Zaretskii wrote:
> > Date: Sun, 30 Aug 2015 12:51:26 +0000
> > From: Pip Cet
> >
> > Somehow, the argument to Fcopy_sequence was changed while concat was
> > underway.
>
> How do you see that?

I originally concluded it was the only way to trigger the bug, but I just
managed to trigger it again and have it open in a GDB session:

#1  0x00000000005efdb3 in concat (nargs=1, args=0x7fffffff76e8, target_type=Lisp_Cons, last_special=false) at fns.c:747
747                 XSETCAR (tail, elt);
(gdb) p result_len
$22 = 4
(gdb) p debug_print(Flength(args[0]))
5
$23 = void
(gdb)

> > Further investigation indicates that
> > window-configuration-change-hook was called in the middle of concat:
>
> Did you understand how this fact is related to the segfault?

I _think_ I do.

1. concat called with args[0] == Vtimer_list
2. concat stores result_len (=4)
3. concat calls make_list (4)
4. make_list interrupted by QUIT
5. see stack trace
6. window-configuration-change-hook modifies Vtimer_list, which now has length 5
7. control returns to concat
8. concat tries to write 5 elements into a 4-element list, which causes the segfault because `tail' is unexpectedly NULL.

Does that make sense to you?

Thanks,
Pip
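The eight-step sequence in the message above, modelled as an added C example (constructed for this page; it is neither Emacs code nor the reporter's): `copy_unsafe` captures the length, allocates, lets a hook mutate the source while the allocation is underway, and then overruns its cells; `copy_bounded` shows one hardening, which is an assumption here and not the upstream fix. All names in the block are made up for the illustration.

```c
#include <stdlib.h>

/* Constructed model of the bug in the report (not Emacs code): a list copy that
   captures the source length, allocates, then fills, while a hook run from
   inside the allocation mutates the source. */
typedef struct Cons { int car; struct Cons *cdr; } Cons;
typedef void (*hook_fn)(Cons **);
Cons *cons(int car, Cons *cdr)
{ Cons *c = malloc(sizeof *c); if (!c) abort(); c->car = car; c->cdr = cdr; return c; }
size_t list_length(const Cons *l) { size_t n = 0; for (; l; l = l->cdr) n++; return n; }

/* Stand-in for make_list; the hook models QUIT running
   window-configuration-change-hook while make_list is underway (steps 4-6). */
Cons *make_list(size_t n, hook_fn hook, Cons **hook_arg)
{
    Cons *l = NULL;
    while (n--) l = cons(0, l);
    if (hook) hook(hook_arg);
    return l;
}

/* Step 8 as reported: the fill loop walks the whole (now longer) source.
   Returns NULL where the real code would XSETCAR a nil tail and segfault. */
Cons *copy_unsafe(Cons **src, hook_fn hook)
{
    Cons *result = make_list(list_length(*src), hook, src); /* steps 2-3 */
    for (Cons *elt = *src, *tail = result; elt; elt = elt->cdr, tail = tail->cdr) {
        if (!tail) return NULL;   /* 5 elements into a 4-cell list */
        tail->car = elt->car;
    }
    return result;
}

/* Hardened variant (an assumption, not the upstream fix): bound the fill by
   the cells actually allocated, never by the source's current length. */
Cons *copy_bounded(Cons **src, hook_fn hook)
{
    Cons *result = make_list(list_length(*src), hook, src);
    for (Cons *elt = *src, *tail = result; elt && tail; elt = elt->cdr, tail = tail->cdr)
        tail->car = elt->car;
    return result;
}

/* Hook like the report's: it pushes one new timer onto the list. */
void grow_timer_list(Cons **list) { *list = cons(99, *list); }

/* Copies a constructed 4-timer list under the given hook; returns the copy's
   length, or -1 where the unsafe copy would have crashed. */
int reproduce(Cons *(*copy)(Cons **, hook_fn), hook_fn hook)
{
    Cons *timers = NULL;
    for (int i = 1; i <= 4; i++) timers = cons(i, timers);
    Cons *c = copy(&timers, hook);
    return c ? (int) list_length(c) : -1;
}
```

The unsafe copy only fails when the hook fires during the allocation; without the hook both variants behave identically, which is why the crash looked timing-dependent.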