GNU bug report logs - #77233
31.0.50; crash if message starts with a space and then without it


Package: emacs;

Reported by: Daniel Clemente <n142857 <at> gmail.com>

Date: Mon, 24 Mar 2025 09:44:02 UTC

Severity: normal

Found in version 31.0.50

Fixed in version 31.1

Done: Gerd Möllmann <gerd.moellmann <at> gmail.com>

Bug is archived. No further changes may be made.



Message #35 received at 77233 <at> debbugs.gnu.org (full text, mbox):

From: Pip Cet <pipcet <at> protonmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: gerd.moellmann <at> gmail.com, n142857 <at> gmail.com, 77233 <at> debbugs.gnu.org
Subject: Re: bug#77233: 31.0.50; crash if message starts with a space and then without it
Date: Mon, 24 Mar 2025 19:40:58 +0000
"Eli Zaretskii" <eliz <at> gnu.org> writes:

>> Date: Mon, 24 Mar 2025 19:13:55 +0000
>> From: Pip Cet <pipcet <at> protonmail.com>
>> Cc: Gerd Möllmann <gerd.moellmann <at> gmail.com>, n142857 <at> gmail.com, 77233 <at> debbugs.gnu.org
>>
>> "Eli Zaretskii" <eliz <at> gnu.org> writes:
>>
>> > And you can explain how come curX(tty) got such a large value?
>>
>> We tried to print a character at (cols-1,rows-1)
>
> Why did we do that, when the messages were 2 and 3 characters long?

write_row decided to delete (using delete_glyphs) the initial space in
the final terminal line, which means the bottom-right corner no longer
has the right background color, so it needs to be redrawn (this is in a
158x44 "terminal"):

(gdb) b dispnew.c:6109 if nsp != osp
6109	  if (osp > nsp)
(gdb) bt full 1

#0  write_row (f=0x555555af45d0, vpos=44, updating_menu_p=false) at dispnew.c:6109
        obody = 0x7ffff49740d0
        nbody = 0x7ffff49120d0
        op1 = 0x7ffff4976360
        op2 = 0x7ffff4976360
        np1 = 0x7ffff4914360
        nend = 0x7ffff4914360
        tem = 1
        osp = 1
        nsp = 0
        begmatch = 157
        endmatch = 0
        olen = 158
        nlen = 158
        current_matrix = 0x555555af5b40
        desired_matrix = 0x555555af5ad0
        current_row = 0x555555b00ca0
        desired_row = 0x555555afdf90
        must_write_whole_line_p = false
        write_spaces_p = true
        colored_spaces_p = true
(More stack frames follow...)
[...]

6112	      delete_glyphs (f, osp - nsp);
(gdb) p osp - nsp
$2 = 1
[...]
6147		      cursor_to (f, vpos, nsp + begmatch);
(gdb) p nsp + begmatch
$3 = 157
(gdb) p vpos
$4 = 44
[...]
6148		      write_glyphs (f, nbody + nsp + begmatch, nlen - tem);
(gdb) p nsp + begmatch
$5 = 157
(gdb) p nlen - tem
$6 = 1

Then the abort.

(I agree with your comments about the patch, of course!  Thanks for
those.  I do think that this is an extremely rare situation and wanted
to make sure not to segfault even if the other display code is
changed...)

Pip
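The following is an added example, not part of the message above and not Emacs source. It is a deliberately simplified model of the row-diffing that write_row/update_line in dispnew.c performs (rows are plain strings with ' ' as the blank glyph; the real code compares struct glyph values and has several more cases), written to reproduce the numbers in the gdb session: an old row whose message began with a space and a new row without it, both padded with blanks to the full width, yield osp=1, nsp=0, begmatch=157, endmatch=0, a one-glyph delete, and a one-glyph write at column 157. The terminal geometry (158 columns, vpos 44 being the last line) is an assumption taken from the thread's "bottom-right corner" description. A second case (old "ab", new "abc") shows that an ordinary change writes in the middle of the row and never reaches the corner.

```c
/* Added example: simplified model of terminal row updating in the style
 * of dispnew.c's write_row.  Not Emacs code; numbers are chosen to match
 * the gdb session in the bug report. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

struct plan {
    int osp, nsp, begmatch, endmatch, tem;
    int delete_count;   /* glyphs removed with delete_glyphs (0 = none) */
    int write_col;      /* column handed to cursor_to before the write */
    int write_count;    /* glyphs handed to write_glyphs (0 = no write) */
};

/* Decide what terminal operations turn OLDROW into NEWROW. */
static struct plan plan_row_update(const char *oldrow, const char *newrow)
{
    struct plan p = {0};
    int olen = (int) strlen(oldrow), nlen = (int) strlen(newrow);

    /* Number of leading blanks in the old and new contents. */
    while (p.osp < olen && oldrow[p.osp] == ' ') p.osp++;
    while (p.nsp < nlen && newrow[p.nsp] == ' ') p.nsp++;

    /* Matching glyphs starting at the first non-blank of each row. */
    int limit = (olen - p.osp < nlen - p.nsp) ? olen - p.osp : nlen - p.nsp;
    while (p.begmatch < limit
           && oldrow[p.osp + p.begmatch] == newrow[p.nsp + p.begmatch])
        p.begmatch++;

    /* Matching glyphs from the end, excluding those already matched. */
    while (p.endmatch < limit - p.begmatch
           && oldrow[olen - 1 - p.endmatch] == newrow[nlen - 1 - p.endmatch])
        p.endmatch++;

    /* Fewer leading blanks in the new row: the surplus old blanks are
       deleted (delete_glyphs) rather than overwritten. */
    if (p.osp > p.nsp)
        p.delete_count = p.osp - p.nsp;

    /* Everything that is neither leading blank nor matched is written. */
    p.tem = p.nsp + p.begmatch + p.endmatch;
    if (nlen != p.tem || olen != p.tem) {
        p.write_col = p.nsp + p.begmatch;
        p.write_count = nlen - p.tem;
    }
    return p;
}

/* Does the planned write touch the last cell of the last line?  That is
   the cell the report's abort guards: writing there can make a terminal
   scroll or wrap, so the display code must avoid it. */
static int plan_hits_corner(const struct plan *p, int vpos, int cols, int rows)
{
    return p->write_count > 0 && vpos == rows - 1
           && p->write_col + p->write_count - 1 == cols - 1;
}

/* Build a full-width row: MSG followed by blank glyphs up to COLS. */
static void make_row(char *buf, size_t bufsize, int cols, const char *msg)
{
    assert((size_t) cols < bufsize && strlen(msg) <= (size_t) cols);
    memset(buf, ' ', (size_t) cols);
    memcpy(buf, msg, strlen(msg));
    buf[cols] = '\0';
}

/* Plan the update from the echo-area message OLDMSG to NEWMSG. */
static struct plan plan_for_messages(const char *oldmsg, const char *newmsg, int cols)
{
    char oldrow[512], newrow[512];
    make_row(oldrow, sizeof oldrow, cols, oldmsg);
    make_row(newrow, sizeof newrow, cols, newmsg);
    return plan_row_update(oldrow, newrow);
}

static int update_hits_corner(const char *oldmsg, const char *newmsg,
                              int cols, int rows, int vpos)
{
    struct plan p = plan_for_messages(oldmsg, newmsg, cols);
    return plan_hits_corner(&p, vpos, cols, rows);
}

int main(void)
{
    enum { COLS = 158, ROWS = 45, VPOS = 44 };   /* assumed geometry */
    /* Constructed inputs: a 3-char message starting with a space, then a
       2-char message without it, as in the report. */
    struct plan p = plan_for_messages(" ab", "ab", COLS);
    printf("osp=%d nsp=%d begmatch=%d endmatch=%d tem=%d\n",
           p.osp, p.nsp, p.begmatch, p.endmatch, p.tem);
    printf("delete_glyphs(%d); cursor_to(%d, %d); write_glyphs(%d glyph)\n",
           p.delete_count, VPOS, p.write_col, p.write_count);
    printf("bottom-right corner written: %s\n",
           plan_hits_corner(&p, VPOS, COLS, ROWS) ? "yes" : "no");
    printf("ordinary edit hits corner: %s\n",
           update_hits_corner("ab", "abc", COLS, ROWS, VPOS) ? "yes" : "no");
    return 0;
}
```

The point of the model is the last step: once the leading blank is deleted, every remaining glyph of the new row matches the old one shifted left by one, so the only cell left to repaint is the final one on the final line, which is exactly the cell terminal code must not write directly.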