GNU bug report logs - #18659
24.3.94; Crash in deselect_palette (Cygwin-w32 build)


Package: emacs;

Reported by: Ken Brown <kbrown <at> cornell.edu>

Date: Tue, 7 Oct 2014 20:03:02 UTC

Severity: normal

Tags: moreinfo

Merged with 17688

Found in versions 24.3.90, 24.3.94

Done: Ken Brown <kbrown <at> cornell.edu>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 18659 in the body.
You can then email your comments to 18659 AT debbugs.gnu.org in the normal way.


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#18659; Package emacs. (Tue, 07 Oct 2014 20:03:02 GMT)

Acknowledgement sent to Ken Brown <kbrown <at> cornell.edu>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 07 Oct 2014 20:03:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ken Brown <kbrown <at> cornell.edu>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)
Date: Tue, 07 Oct 2014 16:02:02 -0400
I just tried to view an emacs window that had been idle for a long time.
I don't remember if I was using Alt-Tab to cycle through the open
windows or if I clicked on the emacs icon in the task bar.  When I
couldn't get to the window, I checked the terminal from which I had
started emacs under gdb, and I saw that emacs had crashed:

Program received signal SIGSEGV, Segmentation fault.
0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
    at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
123       if (f->output_data.w32->old_palette)

(gdb) bt
#0  0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
    at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
#1  0x000000010068e798 in release_frame_dc (f=0x0, hdc=0x0)
    at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:154
#2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 <bss_sbrk_buffer+6283800>, c=32)
    at /usr/src/debug/emacs-24.3.94-1/src/w32uniscribe.c:585
#3  0x000000010047dfe5 in get_glyph_face_and_encoding (f=0x1010f3c48 <bss_sbrk_buffer+6275016>, glyph=0x60075a850, char2b=0x4280ce L"\003腐 B", two_byte_p=0x0)
    at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:24024
#4  0x000000010047f230 in x_get_glyph_overhangs (glyph=0x60075a850, f=0x1010f3c48 <bss_sbrk_buffer+6275016>, left=0x428130, right=0x42812c)
    at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:24367
#5  0x000000010047f55b in left_overwriting (s=0x4281c0)
    at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:24446
#6  0x0000000100481200 in draw_glyphs (w=0x1010f4c48 <bss_sbrk_buffer+6279112>, x=625, row=0x600790f20, area=TEXT_AREA, start=77, end=78, hl=DRAW_NORMAL_TEXT, overlaps=0)
    at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:24945
#7  0x0000000100489ed1 in x_write_glyphs (w=0x1010f4c48 <bss_sbrk_buffer+6279112>, updated_row=0x600790f20, start=0x60075ae20, updated_area=TEXT_AREA, len=1)
    at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:26812
#8  0x000000010040a277 in update_text_area (w=0x1010f4c48 <bss_sbrk_buffer+6279112>, updated_row=0x600790f20, vpos=23)
    at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3746
#9  0x000000010040a64d in update_window_line (w=0x1010f4c48 <bss_sbrk_buffer+6279112>, vpos=23, mouse_face_overwritten_p=0x42878f)
    at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3848
#10 0x000000010040952b in update_window (w=0x1010f4c48 <bss_sbrk_buffer+6279112>, force_p=true)
    at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3427
#11 0x0000000100408c9a in update_window_tree (w=0x1010f4c48 <bss_sbrk_buffer+6279112>, force_p=true)
    at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3210
#12 0x0000000100408c63 in update_window_tree (w=0x600691538, force_p=true)
    at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3208
#13 0x00000001004088b7 in update_frame (f=0x1010f3c48 <bss_sbrk_buffer+6275016>, force_p=true, inhibit_hairy_id_p=false)
    at /usr/src/debug/emacs-24.3.94-1/src/dispnew.c:3099
#14 0x0000000100453e6c in redisplay_internal ()
    at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:13967
#15 0x000000010045495f in redisplay_preserve_echo_area (from_where=8)
    at /usr/src/debug/emacs-24.3.94-1/src/xdisp.c:14185
#16 0x00000001005475cc in detect_input_pending_run_timers (do_display=true)
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:9897
#17 0x000000010063a6e7 in wait_reading_process_output (time_limit=0, nsecs=0, read_kbd=-1, do_display=true, wait_for_cell=4306509874, wait_proc=0x0, just_wait_proc=0)
    at /usr/src/debug/emacs-24.3.94-1/src/process.c:4699
#18 0x0000000100538e14 in kbd_buffer_get_event (kbp=0x429b88, used_mouse_menu=0x42a3cf, end_time=0x0)
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:3906
#19 0x0000000100533cf3 in read_event_from_main_queue (end_time=0x0, local_getcjmp=0x429fb0, used_mouse_menu=0x42a3cf)
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:2246
#20 0x0000000100534030 in read_decoded_event_from_main_queue (end_time=0x0, local_getcjmp=0x429fb0, prev_event=4306509874, used_mouse_menu=0x42a3cf)
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:2309
#21 0x0000000100535fe4 in read_char (commandflag=1, map=25780162614, prev_event=4306509874, used_mouse_menu=0x42a3cf, end_time=0x0)
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:2895
#22 0x00000001005455af in read_key_sequence (keybuf=0x42a5e0, bufsize=30, prompt=4306509874, dont_downcase_last=false, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=false)
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:9088
#23 0x0000000100531a04 in command_loop_1 ()
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:1452
#24 0x00000001005dbdf0 in internal_condition_case (bfun=0x1005314ef <command_loop_1>, handlers=4306584322, hfun=0x100530a7a <cmd_error>)
    at /usr/src/debug/emacs-24.3.94-1/src/eval.c:1348
#25 0x00000001005310bd in command_loop_2 (ignore=4306509874)
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:1177
#26 0x00000001005db141 in internal_catch (tag=4306578482, func=0x10053108b <command_loop_2>, arg=4306509874)
    at /usr/src/debug/emacs-24.3.94-1/src/eval.c:1112
#27 0x000000010053104c in command_loop ()
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:1156
#28 0x00000001005304db in recursive_edit_1 ()
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:777
#29 0x000000010053070d in Frecursive_edit ()
    at /usr/src/debug/emacs-24.3.94-1/src/keyboard.c:848
#30 0x000000010052e3e3 in main (argc=1, argv=0x42ab00)
    at /usr/src/debug/emacs-24.3.94-1/src/emacs.c:1647

Lisp Backtrace:
"redisplay_internal (C function)" (0xaf7720)

A full backtrace of all threads is attached.

At the time of the crash, the emacs frame was split into two windows.
One was viewing a plain text C++ file (ASCII only), and the other was a
*grep* buffer from `M-x rgrep'.  I have no idea how that strange
(Chinese?) character got into frame 3.

I still have the gdb session open.

Ken

In GNU Emacs 24.3.94.1 (x86_64-unknown-cygwin)
 of 2014-10-03 on desktop-new
Windowing system distributor `Microsoft Corp.', version 6.1.7601
Configured using:
 `configure --srcdir=/home/kbrown/src/cygemacs/emacs-24.3.94-1.x86_64/src/emacs-24.3.94
 --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
 --libexecdir=/usr/libexec --datadir=/usr/share --localstatedir=/var
 --sysconfdir=/etc --libdir=/usr/lib --datarootdir=/usr/share
 --docdir=/usr/share/doc/emacs --htmldir=/usr/share/doc/emacs/html -C
 --with-w32 --with-file-notification=no --enable-checking=yes,glyphs
 'CFLAGS=-ggdb -O2 -pipe -Wimplicit-function-declaration -O0 -g3
 -fdebug-prefix-map=/home/kbrown/src/cygemacs/emacs-24.3.94-1.x86_64/build=/usr/src/debug/emacs-24.3.94-1
 -fdebug-prefix-map=/home/kbrown/src/cygemacs/emacs-24.3.94-1.x86_64/src/emacs-24.3.94=/usr/src/debug/emacs-24.3.94-1'
 CPPFLAGS= LDFLAGS=-Wl,--stack,0x400000'

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Text

Minor modes in effect:
  show-paren-mode: t
  display-time-mode: t
  delete-selection-mode: t
  tooltip-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  temp-buffer-resize-mode: t
  buffer-read-only: t
  column-number-mode: t
  line-number-mode: t
  auto-fill-function: do-auto-fill
  transient-mark-mode: t
  view-mode: t

Load-path shadows:
None found.

Features:
(misearch multi-isearch mailalias mailclient browse-url qp help-mode pp
shadow gnus-util mail-extr emacsbug message cl-macs format-spec rfc822
mml mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231 mailabbrev
gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums mm-util
mail-prsvr mail-utils view server dired edmacro kmacro solar cal-dst
planner-diary cl gv diary-lib diary-loaddefs planner-publish muse-xml
planner advice help-fns cal-menu calendar cal-loaddefs sort muse-colors
muse-latex muse-html muse-xml-common cus-edit muse-publish muse-project
muse-protocols muse-regexps wid-edit cl-loaddefs cl-lib derived muse
muse-nested-tags muse-mode gap-mode-autoloads info easymenu
muse-autoloads package epg-config preview-latex tex-site auto-loads
saveplace paren help-at-pt time delsel cus-start cus-load time-date
tooltip electric uniquify ediff-hook vc-hooks lisp-float-type mwheel
w32-common-fns disp-table w32-win w32-vars tool-bar dnd fontset image
regexp-opt fringe tabulated-list newcomment lisp-mode prog-mode register
page menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock
font-lock syntax facemenu font-core frame cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese hebrew
greek romanian slovak czech european ethiopic indian cyrillic chinese
case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer nadvice
loaddefs button faces cus-face macroexp files text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote make-network-process dbusbind w32
multi-tty emacs)
[deselect_palette_bt.gz (application/gzip, attachment)]

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18659; Package emacs. (Tue, 07 Oct 2014 20:42:02 GMT)

Message #8 received at 18659 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: Ken Brown <kbrown <at> cornell.edu>
Cc: 18659 <at> debbugs.gnu.org
Subject: Re: bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)
Date: Tue, 07 Oct 2014 16:41:37 -0400
Resembles http://debbugs.gnu.org/17688




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18659; Package emacs. (Wed, 08 Oct 2014 08:18:01 GMT)

Message #11 received at 18659 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Ken Brown <kbrown <at> cornell.edu>
Cc: 18659 <at> debbugs.gnu.org
Subject: Re: bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)
Date: Wed, 08 Oct 2014 11:17:16 +0300
> Date: Tue, 07 Oct 2014 16:02:02 -0400
> From: Ken Brown <kbrown <at> cornell.edu>
> 
> I just tried to view an emacs window that had been idle for a long time. 
>   I don't remember if I was using Alt-Tab to cycle through the open 
> windows or if I clicked on the emacs icon in the task bar.  When I 
> couldn't get to the window, I checked the terminal from which I had 
> started emacs under gdb, and I saw that emacs had crashed:
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
>      at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
> 123       if (f->output_data.w32->old_palette)

It crashes because f is a NULL pointer, and the code tries to
dereference that.

> (gdb) bt
> #0  0x000000010068e6c9 in deselect_palette (f=0x0, hdc=0x0)
>      at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:123
> #1  0x000000010068e798 in release_frame_dc (f=0x0, hdc=0x0)
>      at /usr/src/debug/emacs-24.3.94-1/src/w32xfns.c:154
> #2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 <bss_sbrk_buffer+6283800>, c=32)
>     at /usr/src/debug/emacs-24.3.94-1/src/w32uniscribe.c:585

I don't understand how this could lead to a crash.  Your detailed
backtrace shows:

> #2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 <bss_sbrk_buffer+6283800>, c=32) at /usr/src/debug/emacs-24.3.94-1/src/w32uniscribe.c:585
>         context = 0x0
>         f = 0x0
>         old_font = 0x0
>         code = 3
>         ch = L" \f"
>         len = 1
>         items = 0x427fa0
>         nitems = 1
>         uniscribe_font = 0x1010f5e98 <bss_sbrk_buffer+6283800>

Note that both 'context' and 'f' are NULL pointers.  But the source
around line 585 says this:

    if (context)
      {
        SelectObject (context, old_font);
        release_frame_dc (f, context);
      }

So why is release_frame_dc being called when 'context' is NULL?
Moreover, 'old_font' is also NULL, which means we never were in this
part of the code:

          if (result == E_PENDING)
            {
              /* Use selected frame until API is updated to pass
                 the frame.  */
              f = XFRAME (selected_frame);
              context = get_frame_dc (f);
              old_font = SelectObject (context, FONT_HANDLE (font));
              result = ScriptShape (context, &(uniscribe_font->cache),
                                    ch, len, 2, &(items[0].a),
                                    glyphs, clusters, attrs, &nglyphs);
            }

which is the only part that sets these 3 variables to something
non-NULL, and requires the call to release_frame_dc to avoid leaking
GDI objects, in this case the font we opened.

What's going on here?  Is this another case of "bidi_check_type
crashes"?




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18659; Package emacs. (Wed, 08 Oct 2014 08:19:01 GMT)

Message #14 received at 18659 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 18659 <at> debbugs.gnu.org, kbrown <at> cornell.edu
Subject: Re: bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)
Date: Wed, 08 Oct 2014 11:19:01 +0300
> From: Glenn Morris <rgm <at> gnu.org>
> Date: Tue, 07 Oct 2014 16:41:37 -0400
> Cc: 18659 <at> debbugs.gnu.org
> 
> 
> Resembles http://debbugs.gnu.org/17688

Exactly the same, yes, and with exactly the same unexplained control
flow: release_frame_dc is called although 'context' is NULL.




Merged 17688 18659. Request was from Eli Zaretskii <eliz <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 08 Oct 2014 08:20:02 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#18659; Package emacs. (Wed, 08 Oct 2014 08:42:02 GMT)

Message #19 received at 18659 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Ken Brown <kbrown <at> cornell.edu>
Cc: 18659 <at> debbugs.gnu.org
Subject: Re: bug#18659: 24.3.94; Crash in deselect_palette (Cygwin-w32 build)
Date: Wed, 08 Oct 2014 11:41:10 +0300
> Date: Tue, 07 Oct 2014 16:02:02 -0400
> From: Ken Brown <kbrown <at> cornell.edu>
> 
> I have no idea how that strange (Chinese?) character got into frame
> 3.

char2b is not a character, it is a code of a font glyph that
corresponds to some character.  The character is a blank, as the call
to uniscribe_encode_char shows:

#2  0x0000000100691df6 in uniscribe_encode_char (font=0x1010f5e98 
    <bss_sbrk_buffer+6283800>, c=32) at 
                               ^^^^





Added tag(s) moreinfo. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 09 Sep 2020 11:54:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 08 Oct 2020 11:24:08 GMT)

This bug report was last modified 4 years and 253 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.