GNU bug report logs - #12025
24.1; Crash when using tootipshow

Previous Next

Package: emacs;

Reported by: Thierry Volpiatto <thierry.volpiatto <at> gmail.com>

Date: Sun, 22 Jul 2012 19:49:02 UTC

Severity: normal

Merged with 12026, 12027, 12035, 12039

Found in versions 24.1, 24.1.50

Done: Chong Yidong <cyd <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Eli Zaretskii <eliz <at> gnu.org>
To: Thierry Volpiatto <thierry.volpiatto <at> gmail.com>, Chong Yidong <cyd <at> gnu.org>
Cc: 12025 <at> debbugs.gnu.org
Subject: bug#12025: 24.1; Crash when using tootipshow
Date: Mon, 23 Jul 2012 20:12:46 +0300

> From: Thierry Volpiatto <thierry.volpiatto <at> gmail.com>
> Date: Sun, 22 Jul 2012 21:41:32 +0200
> 
> I am sending this with 24.1, but the bug happen with last revision of
> trunk revno: 109188.
> 
> Always reproductible with (tooltip-show "hello") from emacs -Q, 
> possibly with help-echo's, didn't try.
> [...]
> Program received signal SIGSEGV, Segmentation fault.
> string_count_byte8 (string=4611686018567326152) at character.c:801
> 801             c = *p;
> (gdb) bt full
> #0  string_count_byte8 (string=4611686018567326152) at character.c:801
>         multibyte = 1
>         count = <optimized out>
>         c = <optimized out>
>         nbytes = 137266120
>         p = 0x8cc2000 <Address 0x8cc2000 out of bounds>
>         pend = 0x1085cd90 <Address 0x1085cd90 out of bounds>
> #1  string_escape_byte8 (string=4611686018567326152) at character.c:833
>         nchars = 408
>         nbytes = 137266120
>         multibyte = 1
>         byte8_count = 98387
>         src = <optimized out>
>         src_end = <optimized out>
>         dst = <optimized out>
>         val = <optimized out>
>         c = <optimized out>
>         len = <optimized out>
> #2  0x08217294 in print_string (string=<optimized out>, printcharfun=4611686018567326152) at print.c:363
>         chars = <optimized out>
> #3  0x08219ad9 in print_object (obj=<optimized out>, printcharfun=4611686018567326152, escapeflag=0)
>     at print.c:1903

There were actually 2 separate bugs here:

 . print_object couldn't cope with a frame which was not yet assigned
   a name (its name was nil).  This can happen when an error is
   signaled during the process of creating a frame.

 . x-show-tip was signaling an error due to the latest change in
   decode_any_window, which insists on w->frame being a live frame.
   When decode_any_window is called during creation of a tip frame,
   that frame is not yet "official", so the test fails.  The backtrace
   leading to the error is below; Chong, could you please look into
   this?  I commented out the CHECK_LIVE_FRAME test for now, because
   it renders tooltips unusable.

I'm not closing the bug report yet, pending Chong's investigation.

Here's the backtrace leading to an error from x-show-tip.  At the end
you can see that the predicate is frame-live-p.  The name of the frame
is nil.

Breakpoint 3, wrong_type_argument (predicate=54982066, value=55581541)
    at data.c:113
113       xsignal2 (Qwrong_type_argument, predicate, value);
(gdb) bt
#0  wrong_type_argument (predicate=54982066, value=55581541) at data.c:113
#1  0x011de9b7 in decode_any_window (window=55581925) at window.c:154
#2  0x011e0185 in Fwindow_buffer (window=55581925) at window.c:420
#3  0x01037357 in Ffuncall (nargs=2, args=0x82ddc4) at eval.c:2796
#4  0x01123d16 in exec_byte_code (bytestr=20365641, vector=20365749,
    maxdepth=28, args_template=54851610, nargs=0, args=0x0) at bytecode.c:898
#5  0x01038280 in funcall_lambda (fun=20365613, nargs=1, arg_vector=0x82e02c)
    at eval.c:3028
#6  0x0103775e in Ffuncall (nargs=2, args=0x82e028) at eval.c:2845
#7  0x010368d1 in call1 (fn=54992618, arg1=55581925) at eval.c:2568
#8  0x011f0864 in Fset_window_buffer (window=55581925,
    buffer_or_name=54874629, keep_margins=54851610) at window.c:3122
#9  0x0122859f in x_create_tip_frame (dpyinfo=0x16716f0, parms=57901686,
    text=55219873) at w32fns.c:5212
#10 0x01229898 in Fx_show_tip (string=55219873, frame=57650661,
    parms=57901606, timeout=40, dx=20, dy=80) at w32fns.c:5615
#11 0x010375d2 in Ffuncall (nargs=7, args=0x82e2c4) at eval.c:2817
#12 0x01123d16 in exec_byte_code (bytestr=21299801, vector=21299925,
    maxdepth=28, args_template=54851610, nargs=0, args=0x0) at bytecode.c:898
#13 0x01123202 in Fbyte_code (bytestr=21299801, vector=21299925, maxdepth=28)
    at bytecode.c:473
#14 0x01035520 in eval_sub (form=21299790) at eval.c:2152
#15 0x01032f8b in internal_lisp_condition_case (var=54902266,
    bodyform=21299790, handlers=21300022) at eval.c:1274
#16 0x011246f3 in exec_byte_code (bytestr=21299705, vector=21299757,
    maxdepth=12, args_template=54851610, nargs=0, args=0x0) at bytecode.c:1094
#17 0x01038280 in funcall_lambda (fun=21299653, nargs=2, arg_vector=0x82e888)
    at eval.c:3028
#18 0x0103775e in Ffuncall (nargs=3, args=0x82e884) at eval.c:2845
#19 0x01123d16 in exec_byte_code (bytestr=21301841, vector=21301885,
    maxdepth=12, args_template=54851610, nargs=0, args=0x0) at bytecode.c:898
#20 0x01038280 in funcall_lambda (fun=21301805, nargs=1, arg_vector=0x82ebfc)
    at eval.c:3028
#21 0x0103775e in Ffuncall (nargs=2, args=0x82ebf8) at eval.c:2845
#22 0x0103679f in run_hook_with_args (nargs=2, args=0x82ebf8,
    funcall=0x1036d2c <Ffuncall>) at eval.c:2505
#23 0x010363d0 in Frun_hook_with_args_until_success (nargs=2, args=0x82ebf8)
    at eval.c:2386
#24 0x010370c3 in Ffuncall (nargs=3, args=0x82ebf4) at eval.c:2777
#25 0x01123d16 in exec_byte_code (bytestr=20226097, vector=21299413,
    maxdepth=12, args_template=54851610, nargs=0, args=0x0) at bytecode.c:898
#26 0x01038280 in funcall_lambda (fun=21299349, nargs=1, arg_vector=0x82ef4c)
    at eval.c:3028
#27 0x0103775e in Ffuncall (nargs=2, args=0x82ef48) at eval.c:2845
#28 0x01035b16 in Fapply (nargs=2, args=0x82ef48) at eval.c:2251
#29 0x010370c3 in Ffuncall (nargs=3, args=0x82ef44) at eval.c:2777
#30 0x01123d16 in exec_byte_code (bytestr=21028297, vector=21028349,
    maxdepth=16, args_template=54851610, nargs=0, args=0x0) at bytecode.c:898
#31 0x01123202 in Fbyte_code (bytestr=21028297, vector=21028349, maxdepth=16)
    at bytecode.c:473
#32 0x01035520 in eval_sub (form=21028286) at eval.c:2152
#33 0x01032f8b in internal_lisp_condition_case (var=54851610,
    bodyform=21028286, handlers=20226830) at eval.c:1274
#34 0x011246f3 in exec_byte_code (bytestr=21028041, vector=21028173,
    maxdepth=20, args_template=54851610, nargs=0, args=0x0) at bytecode.c:1094
#35 0x01038280 in funcall_lambda (fun=21028013, nargs=1, arg_vector=0x82f51c)
    at eval.c:3028
#36 0x0103775e in Ffuncall (nargs=2, args=0x82f518) at eval.c:2845
#37 0x010368d1 in call1 (fn=54893906, arg1=55581493) at eval.c:2568
#38 0x0100e15a in timer_check_2 () at keyboard.c:4457
#39 0x0100e211 in timer_check () at keyboard.c:4502
#40 0x0100c069 in readable_events (flags=1) at keyboard.c:3398
#41 0x01014c11 in get_input_pending (addr=0x166ccc0, flags=1)
    at keyboard.c:6725
#42 0x010208c0 in detect_input_pending_run_timers (do_display=1)
    at keyboard.c:10358
#43 0x0104d558 in wait_reading_process_output (time_limit=28, nsecs=0,
    read_kbd=-1, do_display=1, wait_for_cell=54851610, wait_proc=0x0,
    just_wait_proc=0) at process.c:4721
#44 0x0109d401 in sit_for (timeout=112, reading=1, do_display=1)
    at dispnew.c:6000
#45 0x010092c8 in read_char (commandflag=1, nmaps=2, maps=0x82fa30,
    prev_event=54851610, used_mouse_menu=0x82fb5c, end_time=0x0)
    at keyboard.c:2701
#46 0x0101c97d in read_key_sequence (keybuf=0x82fc60, bufsize=30,
    prompt=54851610, dont_downcase_last=0, can_return_switch_frame=1,
    fix_current_buffer=1) at keyboard.c:9316
#47 0x01005afa in command_loop_1 () at keyboard.c:1449
#48 0x01033095 in internal_condition_case (bfun=0x1005508 <command_loop_1>,
    handlers=54902266, hfun=0x1004d10 <cmd_error>) at eval.c:1320
#49 0x0100514c in command_loop_2 (ignore=54851610) at keyboard.c:1152
#50 0x01032a54 in internal_catch (tag=54892098,
    func=0x1005129 <command_loop_2>, arg=54851610) at eval.c:1077
#51 0x01005104 in command_loop () at keyboard.c:1131
#52 0x010046ce in recursive_edit_1 () at keyboard.c:752
#53 0x010049f0 in Frecursive_edit () at keyboard.c:816
#54 0x010027d7 in main (argc=2, argv=0xa42828) at emacs.c:1677

Lisp Backtrace:
"window-buffer" (0x82ddc8)
"record-window-buffer" (0x82e02c)
"x-show-tip" (0x82e2c8)
"byte-code" (0x82e4a0)
"tooltip-show" (0x82e888)
"tooltip-help-tips" (0x82ebfc)
"run-hook-with-args-until-success" (0x82ebf8)
"tooltip-timeout" (0x82ef4c)
"apply" (0x82ef48)
"byte-code" (0x82f120)
"timer-event-handler" (0x82f51c)
113       xsignal2 (Qwrong_type_argument, predicate, value);
(gdb) pp predicate
frame-live-p
(gdb) pp value
#<dead frame
print.c:417: Emacs fatal error: assertion failed: STRINGP (string)
This bug report was last modified 13 years ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.