From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Po Lu via "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#71929: 30.0.60; crash in mark_image_cache
Date: Tue, 09 Jul 2024 23:02:22 +0800
Message-ID: <s54v81e622p.fsf@yahoo.com>
References: <87tth1rkfy.fsf@melete.silentflame.com>
 <87plrprkb2.fsf@melete.silentflame.com> <87frsl3l0p.fsf@yahoo.com>
 <87plrpvm2y.fsf@melete.silentflame.com> <86a5it3cj2.fsf@gnu.org>
 <875xth3aym.fsf@yahoo.com> <87ed851gwv.fsf@melete.silentflame.com>
 <871q452u1b.fsf@yahoo.com> <ZozPMCE1s5tNvdpw@melete.silentflame.com>
 <87frsi226v.fsf@yahoo.com> <Zo0-tNrra8qrdv1T@melete.silentflame.com>
 <874j8y1x3d.fsf@yahoo.com> <86le2azm1f.fsf@gnu.org>
Reply-To: Po Lu <luangruo@yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="15137"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cc: 71929@debbugs.gnu.org, spwhitton@spwhitton.name
To: Eli Zaretskii <eliz@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Jul 09 17:03:30 2024
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1sRCNN-0003ie-Ih
	for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 09 Jul 2024 17:03:29 +0200
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1sRCN0-0004mb-B5; Tue, 09 Jul 2024 11:03:06 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1sRCMx-0004lg-Rn
 for bug-gnu-emacs@gnu.org; Tue, 09 Jul 2024 11:03:04 -0400
Original-Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1sRCMq-0001QZ-Pe
 for bug-gnu-emacs@gnu.org; Tue, 09 Jul 2024 11:03:01 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1sRCMw-0002l9-5O
 for bug-gnu-emacs@gnu.org; Tue, 09 Jul 2024 11:03:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Po Lu <luangruo@yahoo.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Tue, 09 Jul 2024 15:03:02 +0000
Resent-Message-ID: <handler.71929.B71929.172053733810547@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 71929
X-GNU-PR-Package: emacs
Original-Received: via spool by 71929-submit@debbugs.gnu.org id=B71929.172053733810547
 (code B ref 71929); Tue, 09 Jul 2024 15:03:02 +0000
Original-Received: (at 71929) by debbugs.gnu.org; 9 Jul 2024 15:02:18 +0000
Original-Received: from localhost ([127.0.0.1]:53894 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1sRCME-0002k3-3Y
 for submit@debbugs.gnu.org; Tue, 09 Jul 2024 11:02:18 -0400
Original-Received: from sonic312-23.consmr.mail.ne1.yahoo.com ([66.163.191.204]:35044)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <luangruo@yahoo.com>) id 1sRCMC-0002jn-ED
 for 71929@debbugs.gnu.org; Tue, 09 Jul 2024 11:02:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1720537324; bh=qD8+rxtuUgso0oFGZIHq6s25b4JdnIuNZ8SOOobOiIk=;
 h=From:To:Cc:Subject:In-Reply-To:References:Date:From:Subject:Reply-To;
 b=kTy8o58LwCEKstlR0KYXVztEVT15I6cDSuk05paR1Dx2PPKXsxp17PKmLYrekvdwiAYG2tga3e8xT9LG/Jof0hRtKfq0W0YIbRbBRKWNLN5zmIwFzwTJjPM5AHLG9wzhgsAvE9H+xmLyYbUOgfL6sRC4OXwAa/zjkHyEDnE9hNgnBBwEsn2pWu+fOq7NmnIqhSoC09TVrIXyFJAiQonda80HTLq6tvptz+UIsbThClEG8qxq/2/DduqoJZkOhrzH8n8VOvMqaIsDiXcdZXjBsw3KTLqRApSh3sSI6NZLz6wQTnfsh/ebmZxG5HDPEOI9+HM+1qxsaA5/Bc3Q/m9EPA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; 
 t=1720537324;
 bh=o9G8MxlEGlRdFiON73ZrGViTOcnWwNVA52nsOEBEbF4=; 
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=MMyYSmxGzBuUYDq0GI1Lqgex5K2HBW8rzLNYto8B8u2I5yYIf9+YXDudSVzwe3IJzk/2Grt80tf1r5by1nli4kJiyPNWpuVOgJgNVXnIHZYUpgjjv9JiRoEAvc5Pfuc8hhr/Trre7inoiTLmZAwuVJp3sqtZkpxnCEyn5G0V5FlVaITie0isCzisIPeGBA+5uQEK9/KV+rgbmP0+yPL7HOHSCkOpPuHjKQ4E5I8JrwIOsWN5EnEx6j7WbOksbxctiM5yUYiXmsbzr4+fNa57JOVKmZ9FAdoD6bulQc2brFC5ZO1YHmuJkvLYLB23O9j39O8NwrPbTRTvfw6TViqmTg==
X-YMail-OSG: VkxGwd0VM1m9q6IMWzzgAFmGROcp.zqKUujnaO0HzDxSc5ydCcrVCt5qPxpMbJR
 FnZ9eQ7174oNujfz2TxZ6NFnfEkRAIolUh7NpqVfjQqM4m8t0aSKZYgmTiXlq5rx8c4fTA9UBj8C
 vpQK83NT.wXoi.Ko5L_Bx4ZeeZXwxmp9H9.hLxMgNGEO.8G42wx_.ayeUePddE9FH5OSzxNfXL8m
 cRYRFkSaN1gEqgu5JqujMjPE7hdv2p2kV.4Bv7mbS7gBlg7_OmrWXBUGyyIhJZg8ysGYjaw8BdLp
 bVRwGcUuCN51bDmNtud_q8eewdCd9SvgULTGhJcPgfXG56ROLRwbvskqD3g5hMwPiROk1GCp6EVB
 U2zokJGTA3plQSVDe1Lu9XSH3NlexuzPchquY61uXL3THCTHiSlMvfYEspq8MTWLX1_af0XmZNNN
 AOptv7fQRwDF3NnsH_5v9A3CSoAiagLWk7NMR7yhUv42UUla1tKq9p4Tr7AnVdjOssIZrZF5.PCm
 9iMpBs9iArtX7E9t.9wTGtxtsJ02JP4U8T8CrsLtte4clm2sgEIkEdvik8hmGl1TFBcJxTpTn063
 kzMx5iyhFu0Hkd1fuFVJLhjoHSuvpMsrcRpnjGgSzUOi3OvKBxoYRO78R8XtUZ6EY6HpQcu5WFO6
 r4l3IMf5FpIqxaNOTdeAcWfpXOHiOGB5UjfpKmDlcM57KV0iRtd0Gz2Qjt0TGBYeUPWyDCgBLTwe
 TrrCddBrLelBUtG7E34hE7lrLNaMAul5zMEnDX52SCGJkWnCIMki.TtgWbW88QanposF.7LLbW.w
 rwUktxSw7wiiZdXZWMnGYMfORXDFb0VqEDc.xsotum 
X-Sonic-MF: <luangruo@yahoo.com>
X-Sonic-ID: a3869c71-5fe4-4ff5-8d4b-62c877979580
Original-Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic312.consmr.mail.ne1.yahoo.com with HTTP; Tue, 9 Jul 2024 15:02:04 +0000
Original-Received: by hermes--production-sg3-7b469d9f6-d5m7f (Yahoo Inc. Hermes SMTP
 Server) with ESMTPA ID 45991399f5b5692d6e7f4b40636d1761; 
 Tue, 09 Jul 2024 15:02:00 +0000 (UTC)
In-Reply-To: <86le2azm1f.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 09 Jul
 2024 17:18:20 +0300")
X-Mailer: WebService/1.1.22464
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:288641
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/288641>

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Po Lu <luangruo@yahoo.com>
>> Cc: 71929@debbugs.gnu.org,  Eli Zaretskii <eliz@gnu.org>
>> Date: Tue, 09 Jul 2024 22:03:34 +0800
>> 
>> OK, I believe I understand the source of these crashes.  A frame
>> whose
>> image cache is shared among several frames is destroyed, but its
>> `image_cache' field is never cleared after it is destroyed, as its
>> cache
>> continues to be referenced, and, if references to the dead frame
>> remain,
>> GC attempts to mark the said image cache although its validity is no
>> longer guaranteed.  In earlier Emacs versions, this problem would
>> have
>> appeared if references to dead frames were preserved beyond the
>> destruction of a display structure.  This has been corrected on the
>> emacs-30 branch, and therefore if the crashes do not resurface in a
>> few
>> days, I will close this ticket.
>
> Thanks, but I don't think I understand this part of the change you
> installed:
>
>   --- a/src/image.c
>   +++ b/src/image.c
>   @@ -2304,23 +2304,18 @@ uncache_image (struct frame *f, Lisp_Object spec)
>    free_image_cache (struct frame *f)
>    {
>      struct image_cache *c = FRAME_IMAGE_CACHE (f);
>   -  if (c)
>   -    {
>   -      ptrdiff_t i;
>   +  ptrdiff_t i;
>
>   -      /* Cache should not be referenced by any frame when freed.  */
>   -      eassert (c->refcount == 0);
>   +  /* Cache should not be referenced by any frame when freed.  */
>   +  eassert (c->refcount == 0);
>
>   -      for (i = 0; i < c->used; ++i)
>   -       free_image (f, c->images[i]);
>   -      xfree (c->images);
>   -      xfree (c->buckets);
>   -      xfree (c);
>   -      FRAME_IMAGE_CACHE (f) = NULL;
>   -    }
>   +  for (i = 0; i < c->used; ++i)
>   +    free_image (f, c->images[i]);
>   +  xfree (c->images);
>   +  xfree (c->buckets);
>   +  xfree (c);
>    }
>
> This basically removes the test of 'c' being non-NULL, leaving the
> rest of the code unchanged.  But if 'c' is NULL, dereferencing it in
> the following code will segfault, so why remove the test?  In
> particular, what about frames that were not yet allocated the image
> cache (could this happen with TTY frames, for example)?
>
> What am I missing here?

That free_frame_faces has been the sole caller of this function for
quite some time, and it already performs the same test around its call
to free_image_cache.