GNU bug report logs - #11917
24.1.50; Segfault in with make-local-variable and indirect buffers


Package: emacs;

Reported by: Matthew Woodcraft <matthew <at> woodcraft.me.uk>

Date: Wed, 11 Jul 2012 21:47:01 UTC

Severity: normal

Found in version 24.1.50

Done: Andreas Schwab <schwab <at> linux-m68k.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#11917; Package emacs. (Wed, 11 Jul 2012 21:47:01 GMT)

Acknowledgement sent to Matthew Woodcraft <matthew <at> woodcraft.me.uk>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Wed, 11 Jul 2012 21:47:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Matthew Woodcraft <matthew <at> woodcraft.me.uk>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.1.50; Segfault in with make-local-variable and indirect buffers
Date: Wed, 11 Jul 2012 22:25:57 +0100

I've been getting frequent crashes when using indirect buffers. I've
narrowed them down to the following recipe, which consistently gets a
segmentation fault for me with Emacs 24:


cat > /tmp/crashme.el <<EOF
(define-derived-mode crashme-mode fundamental-mode
  (make-local-variable 'crashme)
)
EOF

cat > /tmp/crashme.txt <<EOF
-*- crashme -*-
EOF

emacs -Q -l /tmp/crashme.el /tmp/crashme.txt
M-x clone-indirect-buffer
C-x k


This is with bzr trunk as of 2012-07-05.

I've seen what I believe is the same bug with the released emacs 24.1
(but I don't have access to that at the moment to test).


Notes:

The culprit seems to be this bit in buffer.c swap_out_buffer_local_variables:
      if (EQ (SYMBOL_BLV (XSYMBOL (sym))->where, buffer))
	{
	  /* Symbol is set up for this buffer's old local value:
	     swap it out!  */
	  swap_in_global_binding (XSYMBOL (sym));
	}
(see full backtrace below).

I've also seen it crash in clone-indirect-buffer (though more usually
it's only when you kill the buffer). In that case it seems to be this
bit in buffer.c set_buffer_internal_1:
	  if (sym->redirect == SYMBOL_LOCALIZED /* Just to be sure.  */
	      && SYMBOL_BLV (sym)->fwd)
	    /* Just reference the variable
	       to cause it to become set for this buffer.  */
	    Fsymbol_value (var);

-----

In GNU Emacs 24.1.50.1 (i486-pc-linux-gnu, GTK+ Version 3.4.2)
 of 2012-07-10 on golux, modified by Debian
 (emacs-snapshot package, version 2:20120705-1mjw1)
Windowing system distributor `The X.Org Foundation', version 11.0.11201902
Configured using:
 `configure '--build' 'i486-linux-gnu' '--host' 'i486-linux-gnu'
 '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib'
 '--localstatedir=/var' '--infodir=/usr/share/info'
 '--mandir=/usr/share/man' '--with-pop=yes'
 '--enable-locallisppath=/etc/emacs-snapshot:/etc/emacs:/usr/local/share/emacs/24.1.50/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.1.50/site-lisp:/usr/share/emacs/site-lisp'
 '--without-compress-info' '--with-crt-dir=/usr/lib/i386-linux-gnu/'
 '--with-x=yes' '--with-x-toolkit=gtk3' '--with-imagemagick=yes'
 'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu'
 'CFLAGS=-DDEBIAN -DSITELOAD_PURESIZE_EXTRA=5000 -g -O2' 'LDFLAGS=-g
 -Wl,--as-needed -znocombreloc' 'CPPFLAGS=-D_FORTIFY_SOURCE=2''

Important settings:
  value of $LC_CTYPE: en_GB.UTF-8
  locale-coding-system: utf-8-unix
  default enable-multibyte-characters: t

-----

#0  0x08156a8c in swap_out_buffer_local_variables (b=b@entry=0x8b7db28)
    at buffer.c:2505
        sym = 142721624
        oalist = <optimized out>
        alist = 142203662
        buffer = 146266925
#1  0x0815a379 in Fkill_buffer (buffer_or_name=138991257) at buffer.c:1656
        buffer = 146266925
        b = 0x8b7db28
        tem = 138831130
        m = <optimized out>
#2  0x081ac0f3 in Ffuncall (nargs=nargs@entry=2, args=args@entry=0xffffcdf0)
    at eval.c:2819
        fun = 136786053
        original_fun = <optimized out>
        funcar = <optimized out>
        numargs = 1
        lisp_numargs = <optimized out>
        val = <optimized out>
        backtrace = {
          next = 0xffffcedc, 
          function = 0xffffcdf0, 
          args = 0xffffcdf4, 
          nargs = 1, 
          debug_on_exit = 0
        }
        internal_args = 0xffffcdf4
        i = <optimized out>
#3  0x081a89ed in Fcall_interactively (function=138908474, 
    record_flag=138831130, keys=138840221) at callint.c:853
        val = <optimized out>
        args = 0xffffcdf0
        visargs = 0xffffcdd0
        specs = <optimized out>
        filter_specs = <optimized out>
        teml = <optimized out>
        up_event = 138831130
        enable = 1
        speccount = 3
        next_event = 2
        prefix_arg = 138831130
        string = 0xffffce10 "bKill buffer: "
        tem = <optimized out>
        varies = 0xffffcdb0 ""
        i = <optimized out>
        nargs = <optimized out>
        foo = <optimized out>
        arg_from_tty = <optimized out>
        key_count = 2
        record_then_fail = 0
        save_this_command = 138908474
        save_last_command = 141330122
        save_this_original_command = 138908474
        save_real_this_command = 138908474
#4  0x081ac0d2 in Ffuncall (nargs=nargs@entry=4, args=args@entry=0xffffcf20)
    at eval.c:2826
        fun = 138425997
        original_fun = <optimized out>
        funcar = <optimized out>
        numargs = 3
        lisp_numargs = <optimized out>
        val = <optimized out>
        backtrace = {
          next = 0x0, 
          function = 0xffffcf20, 
          args = 0xffffcf24, 
          nargs = 3, 
          debug_on_exit = 0
        }
        internal_args = 0xffffcf24
        i = <optimized out>
#5  0x081ac3a7 in call3 (fn=138909330, arg1=138908474, arg2=138831130, 
    arg3=138831130) at eval.c:2619
        ret_ungc_val = 142721622
        args = {138909330, 138908474, 138831130, 138831130}
#6  0x0813c365 in Fcommand_execute (cmd=138909330, record_flag=138908474, 
    keys=138831130, special=138831130) at keyboard.c:10338
        final = <optimized out>
        tem = <optimized out>
        prefixarg = <optimized out>
#7  0x081486c1 in command_loop_1 () at keyboard.c:1569
        scount = 2
        cmd = <optimized out>
        keybuf = {96, 428, 142397630, 138831130, -10888, 135521619, 142397630, 
          138831154, -12297, 138831130, -12297, 138831130, 138831130, 
          135521917, 142397630, -12297, -157819388, 2, 140496742, 138831130, 
          -10888, 138831130, 140496742, 4613402, 400, 1, 0, 138831130, -10888, 
          135514425}
        i = <optimized out>
        prev_modiff = 2
        prev_buffer = 0x8b7db28
#8  0x081aa6e0 in internal_condition_case (
    bfun=bfun@entry=0x81483a0 <command_loop_1>, handlers=138864682, 
    hfun=hfun@entry=0x813e5a0 <cmd_error>) at eval.c:1332
        val = <optimized out>
        c = {
          tag = 138831130, 
          val = 138831130, 
          next = 0xffffd168, 
          gcpro = 0x0, 
          jmp = {{
              __jmpbuf = {1, 0, 138831130, -10888, -602430504, 385542199}, 
              __mask_was_saved = 0, 
              __saved_mask = {
                __val = {4294955296, 4294955224, 4294955236, 4294955216, 
                  4160739592, 0, 136456303, 2, 134555894, 4294955216, 0, 0, 0, 
                  0, 135610259, 2, 4294955364, 4294955216, 0, 0, 0, 
                  4137164516, 4139719464, 134555158, 4294967295, 4160737268, 
                  134555894, 1, 4294955312, 4160674838, 4160740032, 4132181552}
              }
            }}, 
          backlist = 0x0, 
          handlerlist = 0x0, 
          lisp_eval_depth = 0, 
          pdlcount = 2, 
          poll_suppress_count = 1, 
          interrupt_input_blocked = 0, 
          byte_stack = 0x0
        }
        h = {
          handler = 138864682, 
          var = 138831130, 
          chosen_clause = 138831154, 
          tag = 0xffffd058, 
          next = 0x0
        }
#9  0x0813ceb5 in command_loop_2 (ignore=ignore@entry=138831130)
    at keyboard.c:1152
        val = 142721622
#10 0x081aa60b in internal_catch (tag=138862658, 
    func=func@entry=0x813ce90 <command_loop_2>, arg=138831130) at eval.c:1089
        c = {
          tag = 138862658, 
          val = 138831130, 
          next = 0x0, 
          gcpro = 0x0, 
          jmp = {{
              __jmpbuf = {1, 0, 138831130, -10888, -602577960, 385646135}, 
              __mask_was_saved = 0, 
              __saved_mask = {
                __val = {0, 0, 0, 0, 4138247633, 140593801, 136244952, 
                  142614060, 136549538, 14, 0, 142614060, 14, 136549538, 
                  4294955592, 22, 0, 22, 4294955592, 400, 4294957049, 
                  136549538, 138953370, 138831130, 138953368, 4294956408, 
                  135976291, 138953370, 138831130, 138831130, 1, 4138550208}
              }
            }}, 
          backlist = 0x0, 
          handlerlist = 0x0, 
          lisp_eval_depth = 0, 
          pdlcount = 2, 
          poll_suppress_count = 1, 
          interrupt_input_blocked = 0, 
          byte_stack = 0x0
        }
#11 0x0813e0da in command_loop () at keyboard.c:1131
No locals.
#12 recursive_edit_1 () at keyboard.c:752
        count = <optimized out>
        val = 0
#13 0x0813e3ca in Frecursive_edit () at keyboard.c:816
        count = 0
        buffer = 138831130
#14 0x0805aa90 in main (argc=<optimized out>, argv=0xffffd634) at emacs.c:1693
        dummy = 0
        stack_bottom_variable = 0 '\000'
        do_initial_setlocale = <optimized out>
        skip_args = 0
        rlim = {
          rlim_cur = 8388608, 
          rlim_max = 18446744073709551615
        }
        no_loadup = 0
        junk = 0x0
        dname_arg = 0x0
        ch_to_dir = 0xf6bf1b28 ""

Lisp Backtrace:
"kill-buffer" (0xffffcdf4)
"call-interactively" (0xffffcf24)




Reply sent to Andreas Schwab <schwab <at> linux-m68k.org>:
You have taken responsibility. (Thu, 12 Jul 2012 07:21:02 GMT)

Notification sent to Matthew Woodcraft <matthew <at> woodcraft.me.uk>:
bug acknowledged by developer. (Thu, 12 Jul 2012 07:21:02 GMT)

Message #10 received at 11917-done <at> debbugs.gnu.org:

From: Andreas Schwab <schwab <at> linux-m68k.org>
To: Matthew Woodcraft <matthew <at> woodcraft.me.uk>
Cc: 11917-done <at> debbugs.gnu.org
Subject: Re: bug#11917: 24.1.50;
	Segfault in with make-local-variable and indirect buffers
Date: Thu, 12 Jul 2012 09:15:19 +0200

Reduced test case:
emacs --batch --eval "(with-current-buffer (get-buffer-create \"foo\") (make-local-variable 'foo) (make-indirect-buffer (current-buffer) \"bar\" t))"

Fixed on emacs-24.

Andreas.

-- 
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."
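
A regression test for the recipe and the reduced test case in this report, as an added example that is not part of the original messages or of the Emacs test suite. All `bug11917-` names are hypothetical, and the second test goes beyond the report by repeating the sequence with a bound variable.

```elisp
;;; bug11917-test.el --- added example, not part of the Emacs test suite
;; All `bug11917-' names are hypothetical, chosen for this example.
;; Run: emacs -Q --batch -l bug11917-test.el -f ert-run-tests-batch-and-exit
;; An affected build dies with SIGSEGV before ERT prints a summary, so
;; treat any non-zero exit status as a failure.
(require 'ert)

(defun bug11917--clone-and-kill (symbol &optional value)
  "Make SYMBOL local in a new buffer, clone that buffer, kill the clone.
A non-nil VALUE becomes SYMBOL's local value; otherwise SYMBOL stays
void, as in the report.  Return non-nil if everything survived."
  (let ((base (generate-new-buffer " *bug11917-base*"))
        clone)
    (unwind-protect
        (progn
          (with-current-buffer base
            (make-local-variable symbol)
            (when value (set symbol value))
            ;; Third argument t is CLONE, as in the reduced test case.
            (setq clone (make-indirect-buffer
                         base
                         (generate-new-buffer-name " *bug11917-clone*")
                         t)))
          ;; Select the clone and touch the variable there, then kill the
          ;; clone; the report saw crashes while cloning and while killing.
          (let ((seen (with-current-buffer clone
                        (and (boundp symbol) (symbol-value symbol)))))
            (kill-buffer clone)
            (and (eq seen value)
                 (not (buffer-live-p clone))
                 (buffer-live-p base))))
      ;; Constructed buffers are always cleaned up, even on error.
      (when (buffer-live-p clone) (kill-buffer clone))
      (when (buffer-live-p base) (kill-buffer base)))))

(ert-deftest bug11917-void-local-variable ()
  "Sequence from the report: the local variable is never given a value."
  (should (bug11917--clone-and-kill 'bug11917-void)))

(ert-deftest bug11917-bound-local-variable ()
  "Beyond the report: the same sequence with a bound local variable."
  (should (bug11917--clone-and-kill 'bug11917-bound 'constructed)))
```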




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 09 Aug 2012 11:24:03 GMT)

This bug report was last modified 12 years and 315 days ago.
