On Sun, Aug 30, 2015 at 3:01 PM, Eli Zaretskii wrote:

> > Date: Sun, 30 Aug 2015 12:51:26 +0000
> > From: Pip Cet
> > Somehow, the argument to Fcopy_sequence was changed while concat was
> > underway.
>
> How do you see that?
>

I originally concluded it was the only way to trigger the bug, but I just managed to trigger it again and have it open in a GDB session:

#1 0x00000000005efdb3 in concat (nargs=1, args=0x7fffffff76e8, target_type=Lisp_Cons, last_special=false) at fns.c:747
747 XSETCAR (tail, elt);
(gdb) p result_len
$22 = 4
(gdb) p debug_print(Flength(args[0]))
5
$23 = void
(gdb)

> > Further investigation indicates that
> > window-configuration-change-hook was called in the middle of concat:
>
> Did you understand how this fact is related to the segfault?
>

I _think_ I do.

1. concat called with args[0] == Vtimer_list
2. concat stores result_len (=4)
3. concat calls make_list (4)
4. make_list interrupted by QUIT
5. see stack trace
6. window-configuration-change-hook modifies Vtimer_list, which now has length 5
7. control returns to concat
8. concat tries to write 5 elements into a 4-element list, which causes the segfault because `tail' is unexpectedly NULL.

Does that make sense to you?

Thanks,
Pip
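The sequence in steps 1-8, reduced to a stand-alone C model with the destination bound checked. This is an added example, not part of the original message and not Emacs code; `struct cell`, `cons`, `timer_list`, `grow_hook` and `copy_checked` are hypothetical names, and the source list is assumed non-empty.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal cons cell standing in for a Lisp list (constructed for this example). */
struct cell { int car; struct cell *cdr; };

static struct cell *cons(int car, struct cell *cdr) {
    struct cell *c = malloc(sizeof *c);
    if (!c) abort();
    c->car = car; c->cdr = cdr;
    return c;
}
static size_t list_length(const struct cell *l) {
    size_t n = 0;
    for (; l; l = l->cdr) n++;
    return n;
}
static void free_list(struct cell *l) {
    while (l) { struct cell *next = l->cdr; free(l); l = next; }
}

/* Hypothetical global playing the role of Vtimer_list. */
static struct cell *timer_list;
/* Hypothetical hook: destructively inserts a cell, as in step 6. */
static void grow_hook(void) { timer_list->cdr = cons(99, timer_list->cdr); }

/* Copy src; hook (may be NULL) runs between allocation and the copy loop,
   like the QUIT in steps 4-7. Returns the copy, or NULL if src outgrew
   the length measured in step 2. */
static struct cell *copy_checked(const struct cell *src, void (*hook)(void)) {
    size_t result_len = list_length(src);        /* step 2 */
    struct cell *result = NULL;
    for (size_t i = 0; i < result_len; i++)      /* step 3: make_list */
        result = cons(0, result);
    if (hook) hook();                            /* steps 4-6 */
    struct cell *tail = result;
    for (; src; src = src->cdr) {
        if (!tail) {     /* unchecked code writes through NULL here (step 8) */
            free_list(result);
            return NULL;
        }
        tail->car = src->car;
        tail = tail->cdr;
    }
    return result;
}

int main(void) {
    timer_list = cons(1, cons(2, cons(3, cons(4, NULL))));
    return copy_checked(timer_list, grow_hook) == NULL ? 0 : 1;
}
```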