GNU bug report logs - #5856
24.0.50; Crash in redisplay


Package: emacs;

Reported by: Jan Djärv <jan.h.d <at> swipnet.se>

Date: Wed, 7 Apr 2010 19:12:02 UTC

Severity: normal

Done: Jan Djärv <jan.h.d <at> swipnet.se>

Bug is archived. No further changes may be made.




From: Jan Djärv <jan.h.d <at> swipnet.se>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 5856 <at> debbugs.gnu.org
Subject: bug#5856: 24.0.50; Crash in redisplay
Date: Fri, 09 Apr 2010 07:32:57 +0200

Eli Zaretskii wrote 2010-04-08 23.29:
>> Date: Thu, 08 Apr 2010 18:13:20 +0200
>> From: Jan Djärv<jan.h.d <at> swipnet.se>
>> CC: 5856 <at> debbugs.gnu.org
>>
>>> How many of these "C-x b"s caused the list of possible completions to
>>> exceed one screen line?  If the answer is "many" or "all", then could
>>> you try to figure out or recall if there was anything special about
>>> the ones that caused crashes?
>>
>> Somewhere between "many" and "all".  It is the same list of files I was
>> editing.  They mostly start on x (xsettings, xtern, xfns, xlwmenu, and so on),
>> so it probably looked pretty much the same each time.
>>
>> There was nothing special about the one that caused a crash I can think of.
>> It seems it just takes time. I just got a crash again, but this time I hadn't
>> started it from gdb, unfortunately.  Also, about 3-5 hours before it crashed
>> this time.
>
> I think I found the problem.  The invalid glyph that caused the crash
> was not supposed to be dereferenced.  Its pointer is exactly the same
> as `end', as your backtrace shows:
>
>    #0  0x000000000044d2f1 in set_cursor_from_row (w=0x1378d60, row=0x1fbf550,
>    matrix=0x18217a0, delta=0, delta_bytes=0, dy=0, dvpos=0) at
>    /home/jhd/src/emacs/fixes/src/xdisp.c:12775
> 	   glyph = 0x1fa5cd0
> 	   end = 0x1fa5cd0
>
> But `end' points beyond the last glyph in the TEXT_AREA of the glyph
> row:
>
>    struct glyph *end = glyph + row->used[TEXT_AREA];
>
> If we dereference this pointer, we could be referencing uninitialized
> memory, e.g. if there are no margins (i.e. no glyphs in the row after
> TEXT_AREA).
>
> The old code was careful not to dereference such a pointer, but when I
> rewrote set_cursor_from_row, I failed to copy those precautions.
>
> I installed a fix.  Please see if it stops these crashes, and if so,
> please close the bug report.
>

Great!  I'll run for a couple of days and if it doesn't reappear I will close
the bug.

Thanks,

	Jan D.
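The defect Eli describes above, `end = glyph + row->used[TEXT_AREA]` being a one-past-the-end pointer that must only ever be compared against and never read through, is worth seeing in isolation. The following is an added example, not code from this thread or from Emacs' xdisp.c: the `glyph`/`glyph_row` structs, `make_row`, `cursor_charpos_unchecked`, `cursor_charpos_checked`, the `POISON_CHARPOS` filler and the `demo_*` helpers are simplified stand-ins of my own. The unchecked scan mirrors the shape of the bug (when no glyph reaches point, `glyph == end` and the final read is past the valid glyphs); the checked scan keeps the precaution the old code had.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for Emacs' glyph structures. */
enum { TEXT_AREA = 0, ROW_CAPACITY = 8 };

/* Constructed marker standing in for whatever lies past the valid glyphs.
   In the real program that memory is simply not the row's to read. */
#define POISON_CHARPOS (-1L)
/* Sentinel returned by the checked scan when point is not in this row. */
#define NOT_IN_ROW     (-2L)

struct glyph {
    long charpos;            /* buffer position displayed by this glyph */
};

struct glyph_row {
    struct glyph glyphs[ROW_CAPACITY];   /* storage; only used[TEXT_AREA] entries are valid */
    int used[1];                         /* number of valid glyphs in TEXT_AREA */
};

/* Build a row from n buffer positions; unused storage is filled with POISON_CHARPOS. */
static struct glyph_row make_row(const long *charpos, int n)
{
    struct glyph_row row;
    for (int i = 0; i < ROW_CAPACITY; ++i)
        row.glyphs[i].charpos = POISON_CHARPOS;
    if (n > ROW_CAPACITY)
        n = ROW_CAPACITY;
    for (int i = 0; i < n; ++i)
        row.glyphs[i].charpos = charpos[i];
    row.used[TEXT_AREA] = n;
    return row;
}

/* Advance to the first glyph at or after pt.  Shape of the bug: if no glyph
   reaches pt, the loop leaves glyph == end, and the final read goes past the
   last valid glyph (here it returns the poison value; in real code it is
   undefined behaviour and can crash, as in the reported backtrace). */
static long cursor_charpos_unchecked(const struct glyph_row *row, long pt)
{
    const struct glyph *glyph = row->glyphs;
    const struct glyph *end = glyph + row->used[TEXT_AREA];
    while (glyph < end && glyph->charpos < pt)
        ++glyph;
    return glyph->charpos;   /* BUG when glyph == end */
}

/* Same scan with the precaution kept: end is only ever compared against, and
   the caller is told when point is not displayed in this row. */
static long cursor_charpos_checked(const struct glyph_row *row, long pt)
{
    const struct glyph *glyph = row->glyphs;
    const struct glyph *end = glyph + row->used[TEXT_AREA];
    while (glyph < end && glyph->charpos < pt)
        ++glyph;
    if (glyph == end)
        return NOT_IN_ROW;   /* never dereference the one-past-the-end pointer */
    return glyph->charpos;
}

/* Demo helpers over a constructed three-glyph row (positions 10, 11, 12). */
static long demo_unchecked(long pt)
{
    static const long cps[] = {10, 11, 12};
    struct glyph_row row = make_row(cps, 3);
    return cursor_charpos_unchecked(&row, pt);
}

static long demo_checked(long pt)
{
    static const long cps[] = {10, 11, 12};
    struct glyph_row row = make_row(cps, 3);
    return cursor_charpos_checked(&row, pt);
}

int main(void)
{
    printf("point 11: unchecked=%ld checked=%ld\n", demo_unchecked(11), demo_checked(11));
    printf("point 50: unchecked=%ld checked=%ld\n", demo_unchecked(50), demo_checked(50));
    return 0;
}
```

The poison filler is only there to make the out-of-range read observable deterministically; with a full row (`used[TEXT_AREA] == ROW_CAPACITY`) the unchecked version would read past the array itself, which is exactly the situation a bounds check before every `*glyph` is meant to rule out.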







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.