GNU bug report logs - #16140
24.3.50; GC tries to free invalid font objects
Reported by: Eli Zaretskii <eliz <at> gnu.org>
Date: Sat, 14 Dec 2013 09:52:01 UTC
Severity: normal
Tags: moreinfo
Merged with 16414, 17071, 17602, 17771
Found in versions 24.3.50, 24.3.91, 24.4.50
Fixed in version 24.3.93
Done: Glenn Morris <rgm <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 16140 in the body.
You can then email your comments to 16140 AT debbugs.gnu.org in the normal way.
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#16140; Package emacs. (Sat, 14 Dec 2013 09:52:02 GMT)
Acknowledgement sent to Eli Zaretskii <eliz <at> gnu.org>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sat, 14 Dec 2013 09:52:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
This program:
  (defun bloat-font ()
    (interactive)
    (let ((fonts (x-list-fonts "*")))
      (while fonts
        (condition-case nil (set-frame-font (car fonts)) (error nil))
        (setq fonts (cdr fonts))
        (redisplay))))
reveals some subtle problem in GC: we sometimes try to free font
objects that are not valid (already freed?). Here's one such case:
Program received signal SIGSEGV, Segmentation fault.
0x01160e2c in cleanup_vector (vector=0x100ed2a0) at alloc.c:2884
2884 fnt->driver->close (fnt);
(gdb) p fnt
$1 = (struct font *) 0x100ed2a0
(gdb) p fnt->driver
$2 = (struct font_driver *) 0x26
When I originally saw this, fnt->driver was NULL. I added protection
against that, but then it crashed with non-NULL but still invalid
pointer. Such pointers should never end up in font objects, so how
come they do?
In GNU Emacs 24.3.50.137 (i686-pc-mingw32)
of 2013-12-14 on HOME-C4E4A596F7
Bzr revision: 115517 eliz <at> gnu.org-20131214091610-1glyl0400451irx0
Windowing system distributor `Microsoft Corp.', version 5.1.2600
Configured using:
`configure --prefix=/d/usr --enable-checking=yes,glyphs 'CFLAGS=-O0
-gdwarf-2 -g3''
Important settings:
value of $LANG: ENU
locale-coding-system: cp1255
default enable-multibyte-characters: t
Major mode: Lisp Interaction
Minor modes in effect:
tooltip-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
Recent input:
M-x r e p o r t - e m <tab> <return>
Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Load-path shadows:
None found.
Features:
(shadow sort gnus-util mail-extr emacsbug message format-spec rfc822 mml
easymenu mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums
mm-util mail-prsvr mail-utils time-date tooltip electric uniquify
ediff-hook vc-hooks lisp-float-type mwheel dos-w32 ls-lisp
w32-common-fns disp-table w32-win w32-vars tool-bar dnd fontset image
regexp-opt fringe tabulated-list newcomment lisp-mode prog-mode register
page menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock
font-lock syntax facemenu font-core frame cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese hebrew
greek romanian slovak czech european ethiopic indian cyrillic chinese
case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer nadvice
loaddefs button faces cus-face macroexp files text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote make-network-process w32notify w32
multi-tty emacs)
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#16140; Package emacs. (Mon, 16 Dec 2013 08:01:02 GMT)
Message #8 received at 16140 <at> debbugs.gnu.org (full text, mbox):
On 12/14/2013 01:51 PM, Eli Zaretskii wrote:
> When I originally saw this, fnt->driver was NULL. I added protection
> against that, but then it crashed with non-NULL but still invalid
> pointer. Such pointers should never end up in font objects, so how
> come they do?
Hm...I've tried bloat-font quite a lot with my MinGW build, but didn't
see anything similar. Anyway, r115541 has an extra check for valid
font driver pointer in font objects; if you hit this eassert, please
let me know.
Dmitry
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#16140; Package emacs. (Mon, 16 Dec 2013 15:28:01 GMT)
Message #11 received at 16140 <at> debbugs.gnu.org (full text, mbox):
On 12/16/2013 12:00 PM, Dmitry Antipov wrote:
> On 12/14/2013 01:51 PM, Eli Zaretskii wrote:
>
>> When I originally saw this, fnt->driver was NULL. I added protection
>> against that, but then it crashed with non-NULL but still invalid
>> pointer. Such pointers should never end up in font objects, so how
>> come they do?
>
> Hm...I've tried bloat-font quite a lot with my MinGW build, but didn't
> see anything similar. Anyway, r115541 has an extra check for valid
> font driver pointer in font objects; if you hit this eassert, please
> let me know.
BTW, this may be caused by heap corruption, which I found and described
in Bug#16165.
Dmitry
Merged 16140 16414. Request was from Eli Zaretskii <eliz <at> gnu.org> to control <at> debbugs.gnu.org. (Sat, 11 Jan 2014 14:07:01 GMT)
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#16140; Package emacs. (Fri, 25 Apr 2014 18:32:02 GMT)
Message #18 received at 16140 <at> debbugs.gnu.org (full text, mbox):
Dmitry Antipov <dmantipov <at> yandex.ru> writes:
> On 12/14/2013 01:51 PM, Eli Zaretskii wrote:
>
>> When I originally saw this, fnt->driver was NULL. I added protection
>> against that, but then it crashed with non-NULL but still invalid
>> pointer. Such pointers should never end up in font objects, so how
>> come they do?
>
> Hm...I've tried bloat-font quite a lot with my MinGW build, but didn't
> see anything similar. Anyway, r115541 has an extra check for valid
> font driver pointer in font objects; if you hit this eassert, please
> let me know.
#0 0x00007fd1f97cba8b in raise (sig=sig@entry=6)
   at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:38
#1 0x0000000000513c76 in terminate_due_to_signal (sig=sig@entry=6,
   backtrace_limit=backtrace_limit@entry=2147483647) at emacs.c:382
#2 0x0000000000577794 in die (
   msg=msg@entry=0x651d78 "valid_font_driver (((struct font *) vector)->driver)",
   file=file@entry=0x651580 "alloc.c", line=line@entry=2961) at alloc.c:6953
#3 0x000000000057bd0d in cleanup_vector (vector=0x3b7f650) at alloc.c:2961
#4 0x000000000057bdc6 in sweep_vectors () at alloc.c:3001
#5 0x000000000057d62a in gc_sweep () at alloc.c:6771
#6 Fgarbage_collect () at alloc.c:5678
I have a core file if that is of any help.
In GNU Emacs 24.4.50.1 (x86_64-unknown-linux-gnu, X toolkit, Xaw scroll bars)
of 2014-04-13 on muon
Repository revision: 116973 monnier <at> iro.umontreal.ca-20140412193806-72yt4285lm8bf9nj
Windowing system distributor `The X.Org Foundation', version 11.0.11405000
System Description: Ubuntu 13.10
Configured using:
`configure --enable-checking --enable-asserts'
Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND GPM DBUS GCONF GSETTINGS NOTIFY ACL
LIBSELINUX GNUTLS LIBXML2 FREETYPE XFT ZLIB
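The kind of check discussed in this thread (validate the driver pointer before the finalizer calls through it), as an added example that is not part of the original messages and not Emacs's own code. The struct layouts, the registry, and the names register_driver, driver_is_registered and close_font_checked are hypothetical; the page does not show how valid_font_driver is implemented.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-ins for the font structures (assumed layout). */
struct font;
struct font_driver { const char *name; void (*close) (struct font *); };
struct font { struct font_driver *driver; bool open; };

#define MAX_DRIVERS 8
static struct font_driver *registered[MAX_DRIVERS];
static size_t n_registered;

/* Record a driver at start-up; false when D is NULL or the table is full. */
bool register_driver (struct font_driver *d)
{
  if (d == NULL || n_registered == MAX_DRIVERS)
    return false;
  registered[n_registered++] = d;
  return true;
}

/* True only if D was handed to register_driver.  Compares addresses and
   never dereferences D, so a value like 0x26 is rejected without faulting. */
bool driver_is_registered (const struct font_driver *d)
{
  for (size_t i = 0; i < n_registered; i++)
    if (registered[i] == d)
      return true;
  return false;
}

/* Finalizer step: call through the driver only after validating it.
   Returns false for a rejected object so the caller can log or abort. */
bool close_font_checked (struct font *fnt)
{
  if (!driver_is_registered (fnt->driver) || fnt->driver->close == NULL)
    return false;
  fnt->driver->close (fnt);
  return true;
}

/* Constructed sample driver used to exercise the check. */
static void sample_close (struct font *f) { f->open = false; }
static struct font_driver sample_driver = { "sample", sample_close };
```

A check of this shape only shows that the driver field holds a known address; it cannot tell whether the font object itself was already freed or overwritten.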
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 09 Sep 2014 11:24:03 GMT)
This bug report was last modified 10 years and 285 days ago.