GNU bug report logs - #73933
30.0.91; Crash on scrolling in buffer with image at the end

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 73933 in the body.
You can then email your comments to 73933 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: AKIYAMA Kouhei <misohena <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 30.0.91; Crash on scrolling in buffer with image at the end
Date: Tue, 22 Oct 2024 00:14:38 +0900

If there is an image at the end of the buffer and only part of it is
visible at the bottom of the window, scrolling with C-v can cause a
crash. I noticed this when using image-dired or org-mode (when
displaying inline images).

After investigating the minimum configuration for the problem to
occur, I found that it occurs when the scroll-preserve-screen-position
variable is set to t and winner-mode is used.

In my environment (Windows 10), the problem can be reproduced 100%
with the following steps.

1. Download
   https://alpha.gnu.org/gnu/emacs/pretest/windows/emacs-30/emacs-30.0.91.zip
   and unzip it.

2. Open the bin directory and type emacs -Q from the command prompt to
   start Emacs.

3. Paste the following code into the scratch buffer and evaluate it.

(progn
  ;; Minimal configuration
  (setq scroll-preserve-screen-position t)
  (winner-mode)

  ;; Reproduce the situation where the problem occurs
  ;; (There is an image at the end of the buffer, and only half of it
  ;; is visible.)
  (switch-to-buffer (generate-new-buffer "*TEST*"))
  ;;(setq line-spacing 0)
  (dotimes (_ (- (window-body-height) 4))
    (insert "\n"))
  (require 'svg)
  (let ((svg (svg-create 300 200)))
    (svg-rectangle svg 0 0 300 200 :fill "red")
    (svg-insert-image svg))
  (goto-char (point-min))

  ;; Crash
  (scroll-up-command))

When evaluated, the "Emacs Abort Dialog" will be displayed. The
following message will be displayed in the command prompt:

------
C:\...\emacs-30.0.91\bin>emacs -Q

lisp.h:1339: Emacs fatal error: assertion failed: 0 <= n && n <= MOST_POSITIVE_FIXNUM

Backtrace:
0000000400335f48
0000000400335ff1
000000040014e5ba
0000000400200f46
00000004000bbe9a
00000004000d7be5
00000004000d859d
000000040023e4d0
000000040029ec0f
000000040023eb6e
000000040023deb7
000000040023e195
0000000400159659
000000040023a52b
0000000400159c2a
000000040023dab9
0000000400159ecb
0000000400157c17
000000040023a224
0000000400156d03
0000000400239638
0000000400156c47
0000000400155ecf
000000040015611c
0000000400151460
00000004000012e1
00000004000013ee
000000040037ebe6
000000083974736c
000000083aa7cc89

C:\...\emacs-30.0.91\bin>
------

Since I hardly used winner-mode, I was able to avoid the problem by
turning it off for the time being, but I wanted to report it anyway.

In addition, it was not reproduced in Emacs 29.4.

-----------------
In GNU Emacs 30.0.91 (build 2, x86_64-w64-mingw32) of 2024-09-12 built
 on AVALON
Windowing system distributor 'Microsoft Corp.', version 10.0.19045
System Description: Microsoft Windows 10 Enterprise (v10.0.2009.19045.5011)

Configured using:
 'configure --with-modules --without-dbus --with-native-compilation=aot
 --without-compress-install --with-tree-sitter
 --enable-checking=yes,glyphs 'CFLAGS=-O0 -g3''

Configured features:
ACL GIF GMP GNUTLS HARFBUZZ JPEG LCMS2 LIBXML2 MODULES NATIVE_COMP
NOTIFY W32NOTIFY PDUMPER PNG RSVG SOUND SQLITE3 THREADS TIFF
TOOLKIT_SCROLL_BARS TREE_SITTER WEBP XPM ZLIB

Important settings:
  value of $LANG: ja_JP.CP932
  locale-coding-system: cp932

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  show-paren-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  minibuffer-regexp-mode: t
  line-number-mode: t
  indent-tabs-mode: t
  transient-mark-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr warnings icons compile comint ansi-osc ansi-color
ring comp-run bytecomp byte-compile comp-common rx emacsbug message
mailcap yank-media puny dired dired-loaddefs rfc822 mml mml-sec
password-cache epa derived epg rfc6068 epg-config gnus-util
text-property-search time-date subr-x mm-decode mm-bodies mm-encode
mail-parse rfc2231 mailabbrev gmm-utils mailheader cl-loaddefs cl-lib
sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils
japan-util rmc iso-transl tooltip cconv eldoc paren electric uniquify
ediff-hook vc-hooks lisp-float-type elisp-mode mwheel touch-screen
dos-w32 ls-lisp disp-table term/w32-win w32-win w32-vars term/common-win
tool-bar dnd fontset image regexp-opt fringe tabulated-list replace
newcomment text-mode lisp-mode prog-mode register page tab-bar menu-bar
rfn-eshadow isearch easymenu timer select scroll-bar mouse jit-lock
font-lock syntax font-core term/tty-colors frame minibuffer nadvice seq
simple cl-generic indonesian philippine cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese composite emoji-zwj charscript charprop case-table
epa-hook jka-cmpr-hook help abbrev obarray oclosure cl-preloaded button
loaddefs theme-loaddefs faces cus-face macroexp files window
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget keymap hashtable-print-readable backquote threads
w32notify w32 lcms2 multi-tty move-toolbar make-network-process
native-compile emacs)

Memory information:
((conses 16 68590 23722) (symbols 48 7693 0) (strings 32 19029 5244)
 (string-bytes 1 497076) (vectors 16 12560)
 (vector-slots 8 247648 13410) (floats 8 24 89)
 (intervals 56 1569 646) (buffers 992 13))

--
(gdb) bt full
#0  0x00007ffbd6fb1723 in KERNELBASE!DebugBreak () from C:\WINDOWS\System32\KernelBase.dll
No symbol table info available.
#1  0x00007ff79eff5fde in emacs_abort () at w32fns.c:11361
        button = 6
#2  0x00007ff79ee0e5c2 in terminate_due_to_signal (sig=22, backtrace_limit=2147483647)
    at emacs.c:480
No locals.
#3  0x00007ff79eec0f4e in die (
    msg=0x7ff79f693440 <o_fwd+80> "0 <= n && n <= MOST_POSITIVE_FIXNUM",
    file=0x7ff79f693400 <o_fwd+16> "lisp.h", line=1339) at alloc.c:8083
No locals.
#4  0x00007ff79ed7bea2 in make_fixed_natnum (n=-264) at G:/rel/emacs-30.0.91/src/lisp.h:1339
        int0 = 2
#5  0x00007ff79ed97bed in save_window_save (window=0x5118cf5, vector=0x66c4e70, i=1)
    at window.c:7694
        p = 0x6713990
        w = 0x5118cf0
        tem = 0x5
        pers = 0x70
        par = 0x7ff79eeb8b01 <allocate_vectorlike+225>
#6  0x00007ff79ed985a5 in Fcurrent_window_configuration (frame=0x0) at window.c:7837
        f = 0x5117cc0
        n_windows = 2
        data = 0x6713920
        tem = 0x66c4e75
#7  0x00007ff79eefe4d8 in funcall_subr (subr=0x7ff79f66ce00 <Scurrent_window_configuration>,
    numargs=0, args=0x55250b8) at eval.c:3161
        argbuf = {0x0, 0x7ff79ef5d89f <SPECPDL_INDEX+53>, 0xbfeb70, 0x7ff79ef5d3b9 <SUBRP+29>,
          0x7ff79f66ce05 <Scurrent_window_configuration+5>, 0x12, 0xbfeb90,
--Type <RET> for more, q to quit, c to continue without paging--
          0x7ff79ef5daf2 <NATIVE_COMP_FUNCTION_DYNP+27>}
        a = 0xbfeb30
        maxargs = 1
        fun = 0x7ff79ef5d3e5 <XSUBR+38>
#8  0x00007ff79ef5ec17 in exec_byte_code (fun=0x64953f5, args_template=0, nargs=0, args=0x5525068)
    at bytecode.c:812
        call_nargs = 0
        call_fun = 0x7ff79f66ce05 <Scurrent_window_configuration+5>
        count1 = {bytes = 192}
        val = 0x5117cc5
        call_args = 0x55250b8
        original_fun = 0xffff8008649f71d8
        op = 0
        type = 2666485150
        targets = {0x7ff79ef6286b <exec_byte_code+18878>, 0x7ff79ef62891 <exec_byte_code+18916>,
          0x7ff79ef62893 <exec_byte_code+18918>, 0x7ff79ef62895 <exec_byte_code+18920>,
          0x7ff79ef62897 <exec_byte_code+18922>, 0x7ff79ef62897 <exec_byte_code+18922>,
          0x7ff79ef628fc <exec_byte_code+19023>, 0x7ff79ef62970 <exec_byte_code+19139>,
          0x7ff79ef5e39d <exec_byte_code+1264>, 0x7ff79ef5e39f <exec_byte_code+1266>,
          0x7ff79ef5e3a1 <exec_byte_code+1268>, 0x7ff79ef5e3a3 <exec_byte_code+1270>,
          0x7ff79ef5e3a5 <exec_byte_code+1272>, 0x7ff79ef5e3a5 <exec_byte_code+1272>,
          0x7ff79ef5e3ab <exec_byte_code+1278>, 0x7ff79ef5e36c <exec_byte_code+1215>,
          0x7ff79ef5e754 <exec_byte_code+2215>, 0x7ff79ef5e756 <exec_byte_code+2217>,
          0x7ff79ef5e758 <exec_byte_code+2219>, 0x7ff79ef5e75a <exec_byte_code+2221>,
          0x7ff79ef5e75c <exec_byte_code+2223>, 0x7ff79ef5e75c <exec_byte_code+2223>,
          0x7ff79ef5e791 <exec_byte_code+2276>, 0x7ff79ef5e762 <exec_byte_code+2229>,
          0x7ff79ef5e93f <exec_byte_code+2706>, 0x7ff79ef5e941 <exec_byte_code+2708>,
          0x7ff79ef5e943 <exec_byte_code+2710>, 0x7ff79ef5e945 <exec_byte_code+2712>,
          0x7ff79ef5e947 <exec_byte_code+2714>, 0x7ff79ef5e947 <exec_byte_code+2714>,
--Type <RET> for more, q to quit, c to continue without paging--q

--
[This document was generated by machine translation from Japanese.]
AKIYAMA Kouhei
misohena <at> gmail.com

Message #8 received at 73933 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: AKIYAMA Kouhei <misohena <at> gmail.com>
Cc: 73933 <at> debbugs.gnu.org
Subject: Re: bug#73933: 30.0.91;
 Crash on scrolling in buffer with image at the end
Date: Mon, 21 Oct 2024 20:44:39 +0300

> From: AKIYAMA Kouhei <misohena <at> gmail.com>
> Date: Tue, 22 Oct 2024 00:14:38 +0900
> 
> 
> If there is an image at the end of the buffer and only part of it is
> visible at the bottom of the window, scrolling with C-v can cause a
> crash. I noticed this when using image-dired or org-mode (when
> displaying inline images).
> 
> After investigating the minimum configuration for the problem to
> occur, I found that it occurs when the scroll-preserve-screen-position
> variable is set to t and winner-mode is used.
> 
> In my environment (Windows 10), the problem can be reproduced 100%
> with the following steps.
> 
> 1. Download
>    https://alpha.gnu.org/gnu/emacs/pretest/windows/emacs-30/emacs-30.0.91.zip
>    and unzip it.
> 
> 2. Open the bin directory and type emacs -Q from the command prompt to
>    start Emacs.
> 
> 3. Paste the following code into the scratch buffer and evaluate it.
> 
> (progn
>   ;; Minimal configuration
>   (setq scroll-preserve-screen-position t)
>   (winner-mode)
> 
>   ;; Reproduce the situation where the problem occurs
>   ;; (There is an image at the end of the buffer, and only half of it
>   ;; is visible.)
>   (switch-to-buffer (generate-new-buffer "*TEST*"))
>   ;;(setq line-spacing 0)
>   (dotimes (_ (- (window-body-height) 4))
>     (insert "\n"))
>   (require 'svg)
>   (let ((svg (svg-create 300 200)))
>     (svg-rectangle svg 0 0 300 200 :fill "red")
>     (svg-insert-image svg))
>   (goto-char (point-min))
> 
>   ;; Crash
>   (scroll-up-command))
> 
> When evaluated, the "Emacs Abort Dialog" will be displayed. The
> following message will be displayed in the command prompt:

Thanks.  This 24-year old thinko should now be fixed on the emacs-30
branch.

Message #13 received at 73933-done <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: misohena <at> gmail.com
Cc: 73933-done <at> debbugs.gnu.org
Subject: Re: bug#73933: 30.0.91;
 Crash on scrolling in buffer with image at the end
Date: Sun, 27 Oct 2024 13:46:41 +0200

> Cc: 73933 <at> debbugs.gnu.org
> Date: Mon, 21 Oct 2024 20:44:39 +0300
> From: Eli Zaretskii <eliz <at> gnu.org>
> 
> > From: AKIYAMA Kouhei <misohena <at> gmail.com>
> > Date: Tue, 22 Oct 2024 00:14:38 +0900
> > 
> > 
> > If there is an image at the end of the buffer and only part of it is
> > visible at the bottom of the window, scrolling with C-v can cause a
> > crash. I noticed this when using image-dired or org-mode (when
> > displaying inline images).
> > 
> > After investigating the minimum configuration for the problem to
> > occur, I found that it occurs when the scroll-preserve-screen-position
> > variable is set to t and winner-mode is used.
> > 
> > In my environment (Windows 10), the problem can be reproduced 100%
> > with the following steps.
> > 
> > 1. Download
> >    https://alpha.gnu.org/gnu/emacs/pretest/windows/emacs-30/emacs-30.0.91.zip
> >    and unzip it.
> > 
> > 2. Open the bin directory and type emacs -Q from the command prompt to
> >    start Emacs.
> > 
> > 3. Paste the following code into the scratch buffer and evaluate it.
> > 
> > (progn
> >   ;; Minimal configuration
> >   (setq scroll-preserve-screen-position t)
> >   (winner-mode)
> > 
> >   ;; Reproduce the situation where the problem occurs
> >   ;; (There is an image at the end of the buffer, and only half of it
> >   ;; is visible.)
> >   (switch-to-buffer (generate-new-buffer "*TEST*"))
> >   ;;(setq line-spacing 0)
> >   (dotimes (_ (- (window-body-height) 4))
> >     (insert "\n"))
> >   (require 'svg)
> >   (let ((svg (svg-create 300 200)))
> >     (svg-rectangle svg 0 0 300 200 :fill "red")
> >     (svg-insert-image svg))
> >   (goto-char (point-min))
> > 
> >   ;; Crash
> >   (scroll-up-command))
> > 
> > When evaluated, the "Emacs Abort Dialog" will be displayed. The
> > following message will be displayed in the command prompt:
> 
> Thanks.  This 24-year old thinko should now be fixed on the emacs-30
> branch.

No further comments, so I'm now closing this bug.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.