GNU bug report logs - #76238
31.0.50; feature/igc: crash #2, 2025-02-12

Package: emacs;

Reported by: Oliver Reiter <oliver.reiter <at> snapdragon.cc>

Date: Wed, 12 Feb 2025 20:24:02 UTC

Severity: normal

Found in version 31.0.50

Done: Pip Cet <pipcet <at> protonmail.com>

Bug is archived. No further changes may be made.


From: Pip Cet <pipcet <at> protonmail.com>
To: 76238 <at> debbugs.gnu.org, Oliver Reiter <oliver.reiter <at> snapdragon.cc>
Subject: bug#76238: 31.0.50; feature/igc: crash #2, 2025-02-12
Date: Fri, 14 Feb 2025 15:15:36 +0000
"Oliver Reiter via \"Bug reports for GNU Emacs, the Swiss army knife of text editors\"" <bug-gnu-emacs <at> gnu.org> writes:

> Dear all,
>
> a crash while marking a region:

Thanks again!  I was hoping to fix bug#76237 first, but as that has me
stumped, can I get a "bt full" for this one, plus the following:

x/79gx 0x7fffb9c07730

This is one of a number of bugs in which a string data object is
recycled but the string metadata object is still present.  My current
idea is to extend the string metadata object, temporarily, by a
fixed-size 64-byte "data" section containing the initial string
contents.  That redundancy may allow us to find out what was in those
strings, and why they were apparently lost to GC before being
rediscovered.

> Thread 1 "emacs" hit Breakpoint 1, terminate_due_to_signal (sig=11, backtrace_limit=40) at /home/reitero/build/sources/emacs/emacs/src/emacs.c:425
> 425	{
> (gdb) bt
> #0  terminate_due_to_signal (sig=11, backtrace_limit=40)
>     at /home/reitero/build/sources/emacs/emacs/src/emacs.c:425
> #1  0x00005555556d38d2 in handle_fatal_signal (sig=sig <at> entry=11)
>     at /home/reitero/build/sources/emacs/emacs/src/sysdep.c:1793
> #2  0x00005555556d0fb9 in deliver_thread_signal (sig=sig <at> entry=11,
>     handler=handler <at> entry=0x5555556d38c4 <handle_fatal_signal>)
>     at /home/reitero/build/sources/emacs/emacs/src/sysdep.c:1785
> #3  0x00005555556d101d in deliver_fatal_thread_signal (sig=sig <at> entry=11)
>     at /home/reitero/build/sources/emacs/emacs/src/sysdep.c:1805
> #4  0x00005555556d104e in handle_sigsegv (sig=11, siginfo=<optimized out>, arg=<optimized out>)
>     at /home/reitero/build/sources/emacs/emacs/src/sysdep.c:1943
> #5  <signal handler called>
> #6  0x00007ffff364c3db in __GI_kill () at ../sysdeps/unix/syscall-template.S:120
> #7  0x000055555585f797 in sigHandle ()
> #8  <signal handler called>
> #9  0x0000555555799d5a in igc_header_nwords (h=h <at> entry=0x7fffc3f96f10)
>     at /home/reitero/build/sources/emacs/emacs/src/igc.c:689

This is the last interesting bit: the IGC header for the string data was
overwritten (probably by other string data), and igc_header_nwords tried
to treat it as an exthdr, which it wasn't.

> #10 0x0000555555799d68 in obj_size (h=h <at> entry=0x7fffc3f96f10)
>     at /home/reitero/build/sources/emacs/emacs/src/igc.c:720
> #11 0x0000555555799d92 in dflt_skip (base_addr=0x7fffc3f96f10)
>     at /home/reitero/build/sources/emacs/emacs/src/igc.c:1753
> #12 0x000055555586953d in amcSegFix ()
> #13 0x000055555580362d in _mps_fix2 ()
> #14 0x00005555557994a7 in fix_raw (ss=ss <at> entry=0x7ffffffef108, p=p <at> entry=0x7ffffffeef80)
>     at /home/reitero/build/sources/emacs/emacs/src/igc.c:1188
> #15 0x0000555555799563 in fix_string (ss=ss <at> entry=0x7ffffffef108, s=s <at> entry=0x7fffb9c074b8)
>     at /home/reitero/build/sources/emacs/emacs/src/igc.c:1765
> #16 0x00005555557a0f93 in dflt_scan_obj (ss=ss <at> entry=0x7ffffffef108,
>     base_start=base_start <at> entry=0x7fffb9c074b8, base_limit=base_limit <at> entry=0x7fffb9c07730,
>     closure=closure <at> entry=0x0) at /home/reitero/build/sources/emacs/emacs/src/igc.c:2032
> #17 0x00005555557a1146 in dflt_scanx (ss=ss <at> entry=0x7ffffffef108, base_start=<optimized out>,
>     base_limit=0x7fffb9c07730, closure=closure <at> entry=0x0)
>     at /home/reitero/build/sources/emacs/emacs/src/igc.c:2099
> #18 0x00005555557a1182 in dflt_scan (ss=0x7ffffffef108, base_start=<optimized out>,
>     base_limit=<optimized out>) at /home/reitero/build/sources/emacs/emacs/src/igc.c:2110
> #19 0x0000555555834ce5 in amcSegScan ()
> #20 0x0000555555863ec0 in traceScanSegRes ()
> #21 0x00005555558640aa in traceScanSeg ()
> #22 0x0000555555864f06 in TraceAdvance ()
> #23 0x00005555558656cd in TracePoll ()
> #24 0x0000555555865939 in ArenaPoll ()
> #25 0x0000555555865d23 in mps_ap_fill ()
> #26 0x000055555579d572 in alloc_impl (size=size <at> entry=24, type=type <at> entry=IGC_OBJ_CONS,
>     ap=0x7fffe8001900) at /home/reitero/build/sources/emacs/emacs/src/igc.c:4089
> #27 0x000055555579d661 in alloc (size=size <at> entry=24, type=type <at> entry=IGC_OBJ_CONS)
>     at /home/reitero/build/sources/emacs/emacs/src/igc.c:4117
> #28 0x000055555579d682 in igc_make_cons (car=0x2, cdr=0x0)
>     at /home/reitero/build/sources/emacs/emacs/src/igc.c:4146
> #29 0x000055555570e3cd in Fcons (car=<optimized out>, cdr=<optimized out>)
>     at /home/reitero/build/sources/emacs/emacs/src/alloc.c:2812
> #30 0x000055555570f143 in Flist (nargs=1, args=0x7ffffffef510)
>     at /home/reitero/build/sources/emacs/emacs/src/alloc.c:2928
> #31 0x0000555555702422 in Fmatch_data (integers=integers <at> entry=0x0, reuse=reuse <at> entry=0x0,
> --Type <RET> for more, q to quit, c to continue without paging--
>     reseat=reseat <at> entry=0x0) at /home/reitero/build/sources/emacs/emacs/src/search.c:2936
> #32 0x00005555557028bd in record_unwind_save_match_data ()
>     at /home/reitero/build/sources/emacs/emacs/src/search.c:3181
> #33 0x000055555579639f in autocmp_chars (rule=rule <at> entry=0x7fffb904568d, charpos=charpos <at> entry=1162,
>     bytepos=bytepos <at> entry=1162, limit=limit <at> entry=21798, win=win <at> entry=0x7fffeecf3c08,
>     face=face <at> entry=0x7fffc376c888, string=0x0, direction=0x3bf0, ch=40)
>     at /home/reitero/build/sources/emacs/emacs/src/composite.c:948

Could I also get x/32gx 0x7fffb9045688?  Maybe we were lucky (or
unlucky) and the string is in the composition rule.


> In GNU Emacs 31.0.50 (build 9, x86_64-pc-linux-gnu, GTK+ Version
>  3.24.48, cairo version 1.18.2) of 2025-02-11 built on wilap
> Repository revision: 9d3e946e756ac5a146c21d6fbae2fc803de95059
> Repository branch: feature/igc
> System Description: Arch Linux
>
> Configured using:
>  'configure 'CFLAGS=-g3 -ggdb -Og -fno-omit-frame-pointer'
>  CPPFLAGS=-I/home/reitero/.local/lib/mps
>  LDFLAGS=-L/home/reitero/.local/lib/mps --prefix=/usr --sysconfdir=/etc
>  --libexecdir=/usr/lib --localstatedir=/var --with-mps=yes
>  --with-gameuser=root:games --with-pgtk --with-xft --with-harfbuzz
>  --with-modules --without-compress-install --without-m17n-flt
>  --with-libotf --without-imagemagick --without-gsettings --without-gconf
>  --with-native-compilation=aot --with-tree-sitter
>  --enable-link-time-optimization'
>
> Configured features:
> ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GPM HARFBUZZ JPEG LCMS2
> LIBOTF LIBSYSTEMD LIBXML2 MODULES MPS NATIVE_COMP NOTIFY INOTIFY PDUMPER
> PGTK PNG RSVG SECCOMP SOUND SQLITE3 THREADS TIFF TOOLKIT_SCROLL_BARS
> TREE_SITTER WEBP XIM GTK3 ZLIB
>
> Important settings:
>   value of $LANG: de_AT.UTF-8
>   locale-coding-system: utf-8-unix

Thanks again
Pip
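The redundant-copy diagnostic proposed in the message above, as an added example that is not Emacs or IGC code: a hypothetical string metadata object keeps a fixed 64-byte snapshot of the initial contents, and a checker reports when the separately allocated data object has been recycled and overwritten. The type and function names (string_meta, string_data, check_string, recycle_data, scenario) and the constructed fault are assumptions made for the example.

```c
/* Added example (not Emacs/IGC code): models the redundant-copy idea from the
   message above.  The metadata object keeps a 64-byte snapshot of the initial
   string contents so that a recycled, overwritten data object is detectable. */
#include <stdlib.h>
#include <string.h>
#define SHADOW_BYTES 64

struct string_data {            /* hypothetical recyclable data object */
  size_t nbytes;
  char bytes[];
};
struct string_meta {            /* hypothetical metadata object */
  struct string_data *data;
  size_t nbytes;
  char shadow[SHADOW_BYTES];    /* copy of up to 64 initial bytes */
};

struct string_meta *make_string(const char *src, size_t n) {
  struct string_meta *m = calloc(1, sizeof *m);
  m->data = malloc(sizeof *m->data + n);
  m->data->nbytes = n;
  memcpy(m->data->bytes, src, n);
  m->nbytes = n;
  memcpy(m->shadow, src, n < SHADOW_BYTES ? n : SHADOW_BYTES);
  return m;
}

/* 0: data agrees with the snapshot; 1: the data header's length was
   clobbered; 2: the contents were overwritten (data object recycled). */
int check_string(const struct string_meta *m) {
  size_t n = m->nbytes < SHADOW_BYTES ? m->nbytes : SHADOW_BYTES;
  if (m->data->nbytes != m->nbytes) return 1;
  return memcmp(m->data->bytes, m->shadow, n) == 0 ? 0 : 2;
}

/* Constructed fault: the allocator hands the still-referenced data block to a
   new string, overwriting header and contents (n must fit the old block). */
void recycle_data(struct string_meta *m, const char *other, size_t n) {
  if (n > m->nbytes) n = m->nbytes;
  m->data->nbytes = n;
  memcpy(m->data->bytes, other, n);
}

/* Builds one string, applies the fault, and returns check_string's verdict. */
int scenario(const char *other, size_t n) {
  struct string_meta *m = make_string("marking a region", 16);
  recycle_data(m, other, n);
  int verdict = check_string(m);
  free(m->data);
  free(m);
  return verdict;
}
```

The snapshot also preserves what the string originally contained, which is the information the message says was lost when the data object was reclaimed.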