GNU bug report logs -
#9495
24.0.50; Segfault in try_cursor_movement
Reported by: Johan Bockgård <bojohan <at> gnu.org>
Date: Tue, 13 Sep 2011 19:33:02 UTC
Severity: normal
Found in version 24.0.50
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#9495; Package emacs. (Tue, 13 Sep 2011 19:33:02 GMT)
Acknowledgement sent to Johan Bockgård <bojohan <at> gnu.org>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 13 Sep 2011 19:33:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Program terminated with signal 11, Segmentation fault.
#0 0x00007f5bccbe6fe7 in kill () at ../sysdeps/unix/syscall-template.S:82
82 ../sysdeps/unix/syscall-template.S: No such file or directory.
in ../sysdeps/unix/syscall-template.S
(gdb) bt
#0 0x00007f5bccbe6fe7 in kill () at ../sysdeps/unix/syscall-template.S:82
#1 0x000000000056e889 in fatal_error_signal (sig=11) at emacs.c:358
#2 <signal handler called>
#3 0x0000000000465f3f in try_cursor_movement (window=20987605, startp=...,
scroll_step=0x7fff5e400758) at xdisp.c:14639
xdisp.c:14639: (BUFFERP (g->object) && g->charpos == PT)

g is not a valid glyph here.

(gdb) p MATRIX_ROW (w->current_matrix, w->cursor.vpos).used[TEXT_AREA]
$3 = 80
(gdb) p w->cursor.hpos
$4 = 80

2011-09-13 Johan Bockgård <bojohan <at> gnu.org>

* xdisp.c (try_cursor_movement): Check bounds of hpos.

=== modified file 'src/xdisp.c'
--- src/xdisp.c 2011-09-09 01:06:52 +0000
+++ src/xdisp.c 2011-09-11 15:03:56 +0000
@@ -14627,7 +14627,11 @@ try_cursor_movement (Lisp_Object window,
is set, we are done. */
at_zv_p =
MATRIX_ROW (w->current_matrix, w->cursor.vpos)->ends_at_zv_p;
- if (!at_zv_p)
+ if (!at_zv_p
+ && w->cursor.hpos >= 0
+ && (w->cursor.hpos
+ < MATRIX_ROW_USED (w->current_matrix,
+ w->cursor.vpos)))
{
struct glyph_row *candidate =
MATRIX_ROW (w->current_matrix, w->cursor.vpos);
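
Review bot: the extended `if (!at_zv_p && ...)` condition silently skips the candidate-row search when `w->cursor.hpos` is outside the used glyphs of the row, but the comment above it still describes only the `ends_at_zv_p` case, so a reader cannot tell whether an out-of-range hpos is meant to count as "done" or as a state to recover from. Please add a sentence to that comment saying what the skipped case means for the caller. Separately, `MATRIX_ROW (w->current_matrix, w->cursor.vpos)` now appears three times in adjacent lines (for `at_zv_p`, in the new guard, and for `candidate`); fetching the row once into a local before the `if` would shorten the guard and keep the three uses from drifting apart.
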
BTW, is this code in try_window_reusing_current_matrix correct?

    struct glyph *glyph = row->glyphs[TEXT_AREA] + w->cursor.hpos;
    struct glyph *end = glyph + row->used[TEXT_AREA];

It doesn't seem right for end to depend on hpos.
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#9495; Package emacs. (Wed, 14 Sep 2011 05:27:01 GMT)
Message #8 received at 9495 <at> debbugs.gnu.org (full text, mbox):
> From: Johan Bockgård <bojohan <at> gnu.org>
> Date: Tue, 13 Sep 2011 21:28:17 +0200
>
>
> Program terminated with signal 11, Segmentation fault.
> #0 0x00007f5bccbe6fe7 in kill () at ../sysdeps/unix/syscall-template.S:82
> 82 ../sysdeps/unix/syscall-template.S: No such file or directory.
> in ../sysdeps/unix/syscall-template.S
> (gdb) bt
> #0 0x00007f5bccbe6fe7 in kill () at ../sysdeps/unix/syscall-template.S:82
> #1 0x000000000056e889 in fatal_error_signal (sig=11) at emacs.c:358
> #2 <signal handler called>
> #3 0x0000000000465f3f in try_cursor_movement (window=20987605, startp=...,
> scroll_step=0x7fff5e400758) at xdisp.c:14639
>
> xdisp.c:14639: (BUFFERP (g->object) && g->charpos == PT)
>
> g is not a valid glyph here.
>
> (gdb) p MATRIX_ROW (w->current_matrix, w->cursor.vpos).used[TEXT_AREA]
> $3 = 80
> (gdb) p w->cursor.hpos
> $4 = 80
Thanks. But what is the value of `rv' at that point?
> 2011-09-13 Johan Bockgård <bojohan <at> gnu.org>
>
> * xdisp.c (try_cursor_movement): Check bounds of hpos.
That will prevent your particular crash, but I'm not sure it's correct
in all cases (like R2L lines and other atrocities). Can you give a
recipe for reproducing this crash from "emacs -Q"? I'd like to
investigate a bit more. TIA.
> BTW, is this code in try_window_reusing_current_matrix correct?
>
> struct glyph *glyph = row->glyphs[TEXT_AREA] + w->cursor.hpos;
> struct glyph *end = glyph + row->used[TEXT_AREA];
No, it's a bug. I fixed it. Thanks for spotting it.
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#9495; Package emacs. (Wed, 14 Sep 2011 19:56:01 GMT)
Message #11 received at 9495 <at> debbugs.gnu.org (full text, mbox):
Eli Zaretskii <eliz <at> gnu.org> writes:
>> From: Johan Bockgård <bojohan <at> gnu.org>
>> Date: Tue, 13 Sep 2011 21:28:17 +0200
>>
>>
>> Program terminated with signal 11, Segmentation fault.
>> #0 0x00007f5bccbe6fe7 in kill () at ../sysdeps/unix/syscall-template.S:82
>> 82 ../sysdeps/unix/syscall-template.S: No such file or directory.
>> in ../sysdeps/unix/syscall-template.S
>> (gdb) bt
>> #0 0x00007f5bccbe6fe7 in kill () at ../sysdeps/unix/syscall-template.S:82
>> #1 0x000000000056e889 in fatal_error_signal (sig=11) at emacs.c:358
>> #2 <signal handler called>
>> #3 0x0000000000465f3f in try_cursor_movement (window=20987605, startp=...,
>> scroll_step=0x7fff5e400758) at xdisp.c:14639
>>
>> xdisp.c:14639: (BUFFERP (g->object) && g->charpos == PT)
>>
>> g is not a valid glyph here.
>>
>> (gdb) p MATRIX_ROW (w->current_matrix, w->cursor.vpos).used[TEXT_AREA]
>> $3 = 80
>> (gdb) p w->cursor.hpos
>> $4 = 80
>
> Thanks. But what is the value of `rv' at that point?
1
>> 2011-09-13 Johan Bockgård <bojohan <at> gnu.org>
>>
>> * xdisp.c (try_cursor_movement): Check bounds of hpos.
>
> That will prevent your particular crash, but I'm not sure it's correct
> in all cases (like R2L lines and other atrocities). Can you give a
> recipe for reproducing this crash from "emacs -Q"? I'd like to
> investigate a bit more. TIA.
emacs -Q -eval '(setq line-move-visual nil truncate-lines t track-eol t)'
C-u 100 x RET
y <up>
At this point, in try_cursor_movement, point is in the "x" line, the
window has not yet hscrolled, and the value of hpos is just after the
last valid element in glyphs[TEXT_AREA].
(It only actually crashes some of the time, of course.)
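
The two indexing problems discussed in this thread (hpos equal to used[TEXT_AREA], and a scan end computed from the cursor glyph instead of the row start), as an added example that is not part of the original messages and is not Emacs's code. `struct glyph`, `struct glyph_row` and all helper names here are simplified, hypothetical stand-ins, and the 80-glyph row is constructed to match the gdb values above.

```c
#include <stdio.h>

/* Simplified stand-ins for the display structures (not Emacs's definitions). */
struct glyph { long charpos; };
struct glyph_row { struct glyph *glyphs; int used; };

/* Glyph under the cursor, or NULL when hpos is outside [0, used).
   hpos == used is one past the last valid glyph, the state in the report. */
static const struct glyph *cursor_glyph (const struct glyph_row *row, int hpos)
{
  if (hpos < 0 || hpos >= row->used)
    return NULL;
  return row->glyphs + hpos;
}

/* Scan from the cursor for the glyph at buffer position pt.  The end of the
   scan is the row start plus used; it never depends on hpos. */
static int find_point (const struct glyph_row *row, int hpos, long pt)
{
  const struct glyph *g = cursor_glyph (row, hpos);
  const struct glyph *end = row->glyphs + row->used;
  for (; g != NULL && g < end; g++)
    if (g->charpos == pt)
      return (int) (g - row->glyphs);
  return -1;
}

/* Glyphs a scan would run past the row if its end were "cursor glyph + used". */
static int overrun_if_end_from_cursor (const struct glyph_row *row, int hpos)
{
  int end_index = hpos + row->used;   /* index such an end would refer to */
  return end_index > row->used ? end_index - row->used : 0;
}

/* Constructed sample: an 80-glyph row whose glyph i has charpos i + 1. */
static const struct glyph_row *sample_row (void)
{
  static struct glyph glyphs[80];
  static struct glyph_row row = { glyphs, 80 };
  for (int i = 0; i < row.used; i++)
    glyphs[i].charpos = i + 1;
  return &row;
}

int main (void)
{
  const struct glyph_row *r = sample_row ();
  printf ("hpos 80 valid: %d, point 42 at index %d, overrun at hpos 30: %d\n",
          cursor_glyph (r, 80) != NULL, find_point (r, 0, 42),
          overrun_if_end_from_cursor (r, 30));
  return 0;
}
```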
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#9495; Package emacs. (Thu, 15 Sep 2011 03:18:01 GMT)
Message #14 received at 9495 <at> debbugs.gnu.org (full text, mbox):
On 2011-09-15 03:50 +0800, Johan Bockgård wrote:
> emacs -Q -eval '(setq line-move-visual nil truncate-lines t track-eol t)'
>
> C-u 100 x RET
> y <up>
>
> At this point, in try_cursor_movement, point is in the "x" line, the
> window has not yet hscrolled, and the value of hpos is just after the
> last valid element in glyphs[TEXT_AREA].
>
> (It only actually crashes some of the time, of course.)
Does this happen with emacs-23? FWIW, I cannot get emacs-23 to crash.
Leo
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#9495; Package emacs. (Thu, 15 Sep 2011 04:47:01 GMT)
Message #17 received at 9495 <at> debbugs.gnu.org (full text, mbox):
> From: Leo <sdl.web <at> gmail.com>
> Cc: Eli Zaretskii <eliz <at> gnu.org>, 9495 <at> debbugs.gnu.org
> Date: Thu, 15 Sep 2011 11:12:32 +0800
>
> On 2011-09-15 03:50 +0800, Johan Bockgård wrote:
> > emacs -Q -eval '(setq line-move-visual nil truncate-lines t track-eol t)'
> >
> > C-u 100 x RET
> > y <up>
> >
> > At this point, in try_cursor_movement, point is in the "x" line, the
> > window has not yet hscrolled, and the value of hpos is just after the
> > last valid element in glyphs[TEXT_AREA].
> >
> > (It only actually crashes some of the time, of course.)
>
> Does this happen with emacs-23? FWIW, I cannot get emacs-23 to crash.
It cannot possibly happen with Emacs 23, because this code is part of
the changes introduced in Emacs 24 for supporting display of
bidirectional text.
IOW, it's my fault ;-)
Reply sent to Eli Zaretskii <eliz <at> gnu.org>: You have taken responsibility. (Thu, 15 Sep 2011 16:12:02 GMT)
Notification sent to Johan Bockgård <bojohan <at> gnu.org>: bug acknowledged by developer. (Thu, 15 Sep 2011 16:12:02 GMT)
Message #22 received at 9495-done <at> debbugs.gnu.org (full text, mbox):
> From: Johan Bockgård <bojohan <at> gnu.org>
> Cc: 9495 <at> debbugs.gnu.org
> Date: Wed, 14 Sep 2011 21:50:29 +0200
>
> emacs -Q -eval '(setq line-move-visual nil truncate-lines t track-eol t)'
>
> C-u 100 x RET
> y <up>
>
> At this point, in try_cursor_movement, point is in the "x" line, the
> window has not yet hscrolled, and the value of hpos is just after the
> last valid element in glyphs[TEXT_AREA].
>
> (It only actually crashes some of the time, of course.)
Thanks, I committed your patch with a minor variation.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 14 Oct 2011 11:24:03 GMT)