Package: emacs;
Reported by: Eval Exec <execvy <at> gmail.com>
Date: Wed, 12 Mar 2025 02:45:02 UTC
Severity: normal
Found in version 31.0.50
To reply to this bug, email your comments to 76970 AT debbugs.gnu.org.
Message #5 received at submit <at> debbugs.gnu.org:
From: Eval Exec <execvy <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 31.0.50; master emacs crash with stack overflow
Date: Wed, 12 Mar 2025 10:43:59 +0800
Hello, I got a master branch emacs crash:

(gdb) bt full
#0  0x000000000055979e in stack_overflow (siginfo=0x85d1b0 <sigsegv_stack+62640>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1895
        addr = 0x70 <error: Cannot access memory at address 0x70>
        bot = <optimized out>
        top = <optimized out>
        LG_STACK_HEURISTIC = LG_STACK_HEURISTIC
#1  handle_sigsegv (sig=11, siginfo=0x85d1b0 <sigsegv_stack+62640>, arg=<optimized out>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1930
        fatal = false
#2  <signal handler called>
No symbol table info available.
#3  backtrace_top () at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/eval.c:174
        pdl = <optimized out>
        pdl = <optimized out>
#4  backtrace_top_function () at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/eval.c:4270
        pdl = <optimized out>
        pdl = <optimized out>
#5  add_sample (count=1, plog=<optimized out>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/profiler.c:328
No locals.
#6  handle_profiler_signal (signal=27) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/profiler.c:380
        count = 1
        count = <optimized out>
        overruns = <optimized out>
#7  deliver_process_signal (handler=<optimized out>, sig=27) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1751
        old_errno = 1
        on_main_thread = true
        old_errno = <optimized out>
        on_main_thread = <optimized out>
        blocked = <optimized out>
#8  deliver_profiler_signal (signal=27) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/profiler.c:386
No locals.
Backtrace stopped: Cannot access memory at address 0x7ffe5c5f2678
You can't do that without a process to debug.
(gdb)

In GNU Emacs 31.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.43, cairo version 1.18.2) of 2025-03-11 built on Mufasa
Repository revision: 5e9675367ad0697f615b5168441bf6490977168c
Repository branch: master
System Description: NixOS 24.11 (Vicuna)

Configured using:
 'configure 'CFLAGS=-O3 -march=native -g3 -ggdb' --prefix=/home/exec/Projects/git.savannah.gnu.org/git/emacs-build/master-5e9675367ad0697f615b5168441bf6490977168c-O3-gdb --with-imagemagick --with-modules --with-pgtk --with-cairo --with-cairo-xcb --without-compress-install --with-mailutils --with-tree-sitter --with-xinput2 --enable-link-time-optimization --with-file-notification=inotify'

Configured features:
ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GSETTINGS HARFBUZZ IMAGEMAGICK JPEG LCMS2 LIBOTF LIBXML2 MODULES NATIVE_COMP NOTIFY INOTIFY PDUMPER PGTK PNG RSVG SECCOMP SOUND SQLITE3 THREADS TIFF TOOLKIT_SCROLL_BARS TREE_SITTER WEBP XIM GTK3 ZLIB

Important settings:
  value of $LC_COLLATE: C
  value of $LC_MONETARY: en_US.UTF-8
  value of $LC_NUMERIC: en_US.UTF-8
  value of $LC_TIME: en_US.UTF-8
  value of $LANG: en_US.UTF-8
  value of $XMODIFIERS: @im=fcitx
  locale-coding-system: utf-8-unix

Major mode: mu4e:main

Minor modes in effect: restore-point-mode: t global-atomic-chrome-edit-mode: t marginalia-mode: t hes-mode: t keycast-tab-bar-mode: t vertico-truncate-mode: t vertico-multiform-mode: t vertico-mode: t telega-root-auto-fill-mode: t telega-contact-birthdays-mode: t telega-active-video-chats-mode: t telega-active-locations-mode: t telega-patrons-mode: t telega-active-stories-mode: t tab-line-nerd-icons-global-mode: t global-tab-line-mode: t tab-line-mode: t org-roam-db-autosync-mode: t global-org-modern-mode: t mu4e-search-minor-mode: t mu4e-update-minor-mode: t mu4e-context-minor-mode: t mu4e-modeline-mode: t global-git-commit-mode: t treemacs-git-commit-diff-mode: t treemacs-project-follow-mode: t treemacs-filewatch-mode: t treemacs-follow-mode: t treemacs-git-mode: t
treemacs-fringe-indicator-mode: t global-hungry-delete-mode: t hungry-delete-mode: t global-anzu-mode: t anzu-mode: t engine-mode: t global-evil-surround-mode: t evil-surround-mode: t global-git-gutter-mode: t yas-global-mode: t yas-minor-mode: t corfu-terminal-mode: t global-corfu-mode: t corfu-mode: t burly-tabs-mode: t global-form-feed-st-mode: t eat-eshell-mode: t sly-symbol-completion-mode: t super-save-mode: t savehist-mode: t which-key-mode: t super-hint-xref-mode: t super-hint-rg-mode: t windmove-mode: t server-mode: t save-place-mode: t recentf-mode: t winner-mode: t persistent-scratch-autosave-mode: t global-dash-fontify-mode: t nerd-icons-completion-mode: t sudo-edit-indicator-mode: t global-evil-visualstar-mode: t evil-visualstar-mode: t evil-commentary-mode: t global-evil-mc-mode: t evil-mc-mode: t evil-lion-mode: t global-evil-collection-unimpaired-mode: t evil-collection-unimpaired-mode: t TeX-PDF-mode: t global-auto-revert-mode: t evil-mode: t evil-local-mode: t general-override-mode: t minions-mode: t el-patch-use-package-mode: t elpaca-use-package-mode: t override-global-mode: t tooltip-mode: t global-eldoc-mode: t show-paren-mode: t electric-indent-mode: t mouse-wheel-mode: t tab-bar-mode: t file-name-shadow-mode: t context-menu-mode: t global-font-lock-mode: t font-lock-mode: t minibuffer-regexp-mode: t buffer-read-only: t column-number-mode: -1 line-number-mode: -1 transient-mark-mode: t auto-composition-mode: t auto-encryption-mode: t auto-compression-mode: t Load-path shadows: /home/exec/.emacs.d/elpaca/builds/lispy/elpa hides /home/exec/.emacs.d/elpaca/builds/ivy/elpa /home/exec/.emacs.d/elpaca/builds/modus-themes/theme-loaddefs hides /home/exec/.emacs.d/elpaca/builds/standard-themes/theme-loaddefs /home/exec/.emacs.d/elpaca/builds/modus-themes/theme-loaddefs hides /home/exec/.emacs.d/elpaca/builds/ef-themes/theme-loaddefs /home/exec/.emacs.d/elpaca/builds/modus-themes/theme-loaddefs hides 
/home/exec/Projects/git.savannah.gnu.org/git/emacs-build/master-5e9675367ad0697f615b5168441bf6490977168c-O3-gdb/share/emacs/31.0.50/lisp/theme-loaddefs /home/exec/.emacs.d/elpaca/builds/transient/transient hides /home/exec/Projects/git.savannah.gnu.org/git/emacs-build/master-5e9675367ad0697f615b5168441bf6490977168c-O3-gdb/share/emacs/31.0.50/lisp/transient

Features:

Memory information: ((conses 16 2481616 4646933) (symbols 48 135791 2607) (strings 32 664112 282039) (string-bytes 1 20437581) (vectors 16 211082) (vector-slots 8 2492503 1101148) (floats 8 3434 2313) (intervals 56 8122 1991) (buffers 992 34))
Message #8 received at 76970 <at> debbugs.gnu.org (Wed, 12 Mar 2025 13:57:02 GMT):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Eval Exec <execvy <at> gmail.com>
Cc: 76970 <at> debbugs.gnu.org
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Wed, 12 Mar 2025 15:56:00 +0200

> From: Eval Exec <execvy <at> gmail.com>
> Date: Wed, 12 Mar 2025 10:43:59 +0800
>
>
> Hello, I got a master branch emacs crash:
>
> (gdb) bt full
> #0  0x000000000055979e in stack_overflow (siginfo=0x85d1b0 <sigsegv_stack+62640>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1895
>         addr = 0x70 <error: Cannot access memory at address 0x70>
>         bot = <optimized out>
>         top = <optimized out>
>         LG_STACK_HEURISTIC = LG_STACK_HEURISTIC
> #1  handle_sigsegv (sig=11, siginfo=0x85d1b0 <sigsegv_stack+62640>, arg=<optimized out>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1930
>         fatal = false
> #2  <signal handler called>
> No symbol table info available.
> #3  backtrace_top () at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/eval.c:174
>         pdl = <optimized out>
>         pdl = <optimized out>
> #4  backtrace_top_function () at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/eval.c:4270
>         pdl = <optimized out>
>         pdl = <optimized out>
> #5  add_sample (count=1, plog=<optimized out>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/profiler.c:328
> No locals.
> #6  handle_profiler_signal (signal=27) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/profiler.c:380
>         count = 1
>         count = <optimized out>
>         overruns = <optimized out>
> #7  deliver_process_signal (handler=<optimized out>, sig=27) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1751
>         old_errno = 1
>         on_main_thread = true
>         old_errno = <optimized out>
>         on_main_thread = <optimized out>
>         blocked = <optimized out>
> #8  deliver_profiler_signal (signal=27) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/profiler.c:386
> No locals.
> Backtrace stopped: Cannot access memory at address 0x7ffe5c5f2678
> You can't do that without a process to debug.
> (gdb)

Is this the main thread ("thread 1"), or some other thread? What does
"info threads" say?

Would it be possible for you to run Emacs under GDB at all times?
That would allow to do more when Emacs crashes, because some things
GDB cannot do when all it has is the core file, as opposed to a live
process. E.g., the above backtrace doesn't give a clue what caused
stack overflow, because it shows too few stack frames.

Any idea what Emacs was doing when this happened?
Message #11 received at 76970 <at> debbugs.gnu.org (Wed, 12 Mar 2025 14:01:02 GMT):

From: Eval Exec <execvy <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 76970 <at> debbugs.gnu.org
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Wed, 12 Mar 2025 22:00:06 +0800

> Would it be possible for you to run Emacs under GDB at all times?
it's possible.

> Any idea what Emacs was doing when this happened?
I forget, maybe I'm doing `(profiler-start)` that time? I'm not sure.

On Wed, Mar 12, 2025 at 9:56 PM Eli Zaretskii <eliz <at> gnu.org> wrote:
>
> > From: Eval Exec <execvy <at> gmail.com>
> > Date: Wed, 12 Mar 2025 10:43:59 +0800
> >
> >
> > Hello, I got a master branch emacs crash:
> >
> > (gdb) bt full
> > #0  0x000000000055979e in stack_overflow (siginfo=0x85d1b0 <sigsegv_stack+62640>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1895
> >         addr = 0x70 <error: Cannot access memory at address 0x70>
> >         bot = <optimized out>
> >         top = <optimized out>
> >         LG_STACK_HEURISTIC = LG_STACK_HEURISTIC
> > #1  handle_sigsegv (sig=11, siginfo=0x85d1b0 <sigsegv_stack+62640>, arg=<optimized out>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1930
> >         fatal = false
> > #2  <signal handler called>
> > No symbol table info available.
> > #3  backtrace_top () at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/eval.c:174
> >         pdl = <optimized out>
> >         pdl = <optimized out>
> > #4  backtrace_top_function () at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/eval.c:4270
> >         pdl = <optimized out>
> >         pdl = <optimized out>
> > #5  add_sample (count=1, plog=<optimized out>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/profiler.c:328
> > No locals.
> > #6  handle_profiler_signal (signal=27) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/profiler.c:380
> >         count = 1
> >         count = <optimized out>
> >         overruns = <optimized out>
> > #7  deliver_process_signal (handler=<optimized out>, sig=27) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1751
> >         old_errno = 1
> >         on_main_thread = true
> >         old_errno = <optimized out>
> >         on_main_thread = <optimized out>
> >         blocked = <optimized out>
> > #8  deliver_profiler_signal (signal=27) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/profiler.c:386
> > No locals.
> > Backtrace stopped: Cannot access memory at address 0x7ffe5c5f2678
> > You can't do that without a process to debug.
> > (gdb)
>
> Is this the main thread ("thread 1"), or some other thread? What does
> "info threads" say?
>
> Would it be possible for you to run Emacs under GDB at all times?
> That would allow to do more when Emacs crashes, because some things
> GDB cannot do when all it has is the core file, as opposed to a live
> process. E.g., the above backtrace doesn't give a clue what caused
> stack overflow, because it shows too few stack frames.
>
> Any idea what Emacs was doing when this happened?
Message #14 received at 76970 <at> debbugs.gnu.org (Wed, 12 Mar 2025 15:28:02 GMT):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Eval Exec <execvy <at> gmail.com>
Cc: 76970 <at> debbugs.gnu.org
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Wed, 12 Mar 2025 17:26:59 +0200

> From: Eval Exec <execvy <at> gmail.com>
> Date: Wed, 12 Mar 2025 22:00:06 +0800
> Cc: 76970 <at> debbugs.gnu.org
>
> > Would it be possible for you to run Emacs under GDB at all times?
>
> it's possible.

Then please consider doing this.

> > Any idea what Emacs was doing when this happened?
>
> I forget, maybe I'm doing `(profiler-start)` that time? I'm not sure.

Then I'm completely stumped how could that cause stack overflow.
Message #17 received at 76970 <at> debbugs.gnu.org (Wed, 12 Mar 2025 16:23:02 GMT):

From: Pip Cet <pipcet <at> protonmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 76970 <at> debbugs.gnu.org, Eval Exec <execvy <at> gmail.com>
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Wed, 12 Mar 2025 16:21:52 +0000

"Eli Zaretskii" <eliz <at> gnu.org> writes:

>> From: Eval Exec <execvy <at> gmail.com>
>> Date: Wed, 12 Mar 2025 10:43:59 +0800
>>
>>
>> Hello, I got a master branch emacs crash:
>>
>> (gdb) bt full
>> #0  0x000000000055979e in stack_overflow (siginfo=0x85d1b0 <sigsegv_stack+62640>) at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1895
>>         addr = 0x70 <error: Cannot access memory at address 0x70>
>>         bot = <optimized out>
>>         top = <optimized out>
>>         LG_STACK_HEURISTIC = LG_STACK_HEURISTIC
>> #1  handle_sigsegv (sig=11, siginfo=0x85d1b0 <sigsegv_stack+62640>,
>>     arg=<optimized out>) at
>>     /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1930
>>         fatal = false
>> #2  <signal handler called>
>> No symbol table info available.
>> #3  backtrace_top () at /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/eval.c:174
>>         pdl = <optimized out>
>>         pdl = <optimized out>

That looks like current_thread was NULL, and there was no stack overflow
at all. It looks like this can happen when running several Lisp
threads while profiling is in use, but it's not trivial to trigger.

Pip
Message #20 received at 76970 <at> debbugs.gnu.org (Tue, 18 Mar 2025 04:05:01 GMT):

From: Eval Exec <execvy <at> gmail.com>
To: Pip Cet <pipcet <at> protonmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 76970 <at> debbugs.gnu.org
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Tue, 18 Mar 2025 12:04:22 +0800

Hello, Pip, could you please merge master into feature/igc branch again?
Thank you.

On Thu, Mar 13, 2025, 00:22 Pip Cet <pipcet <at> protonmail.com> wrote:

> "Eli Zaretskii" <eliz <at> gnu.org> writes:
>
> >> From: Eval Exec <execvy <at> gmail.com>
> >> Date: Wed, 12 Mar 2025 10:43:59 +0800
> >>
> >>
> >> Hello, I got a master branch emacs crash:
> >>
> >> (gdb) bt full
> >> #0 0x000000000055979e in stack_overflow (siginfo=0x85d1b0
> <sigsegv_stack+62640>) at /home/exec/Projects/
> git.savannah.gnu.org/git/emacs/src/sysdep.c:1895
> >> addr = 0x70 <error: Cannot access memory at address 0x70>
> >> bot = <optimized out>
> >> top = <optimized out>
> >> LG_STACK_HEURISTIC = LG_STACK_HEURISTIC
> >> #1 handle_sigsegv (sig=11, siginfo=0x85d1b0 <sigsegv_stack+62640>,
> >> arg=<optimized out>) at
> >> /home/exec/Projects/git.savannah.gnu.org/git/emacs/src/sysdep.c:1930
> >> fatal = false
> >> #2 <signal handler called>
> >> No symbol table info available.
> >> #3 backtrace_top () at /home/exec/Projects/
> git.savannah.gnu.org/git/emacs/src/eval.c:174
> >> pdl = <optimized out>
> >> pdl = <optimized out>
>
> That looks like current_thread was NULL, and there was no stack overflow
> at all. It looks like this can happen when running several Lisp
> threads while profiling is in use, but it's not trivial to trigger.
>
> Pip
>
>
Message #23 received at 76970 <at> debbugs.gnu.org (Tue, 17 Jun 2025 22:39:01 GMT):

From: Aaron Zeng <azeng <at> janestreet.com>
To: 76970 <at> debbugs.gnu.org
Cc: app-emacs-dev <at> janestreet.com
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Tue, 17 Jun 2025 18:38:26 -0400

I'd like to report that users at my site have seen this crash occur
quite a few times recently, although not necessarily ending in a
stack_overflow() frame (instead usually ending in backtrace_top()).

For us, we believe the incidence was increased by enabling
global-diff-hl-mode (with diff-hl-update-async set to t, so that it
uses threads). If the Lisp profiler is running and SIGPROF happens to
be delivered while current_thread is NULL, then the following code in
backtrace_top will cause a segfault:

union specbinding *
backtrace_top (void)
{
  /* This is so "xbacktrace" doesn't crash in pdumped Emacs if they
     invoke the command before init_eval_once_for_pdumper initializes
     specpdl machinery. See also backtrace_p above. */
  if (!specpdl) /* HERE!!! */
    return NULL;

add_sample (profiler.c) is called from a signal handler and therefore
needs to be robust in the case where a thread has just died and there
is no current thread, so it cannot blindly read specpdl.

Here is a full backtrace that I managed to reproduce once. Emacs was
built at commit 31bac0d68c08f3f2fb03fa6ded17b771b168353e.
Unfortunately, getting a completely reliable reproduction has proved
tricky.

emacs -Q
M-x package-initialize
M-: (setopt diff-hl-update-async t)
M-x global-diff-hl-mode
... and then visiting some files under version control

(gdb) bt full
#0  0x00000000005564f7 in stack_overflow (siginfo=0xcbeb30 <sigsegv_stack+62896>) at sysdep.c:1902
        addr = 0x70 <error: Cannot access memory at address 0x70>
        bot = <optimized out>
        top = <optimized out>
        fatal = false
#1  0x00000000005564f7 in handle_sigsegv (sig=11, siginfo=0xcbeb30 <sigsegv_stack+62896>, arg=<optimized out>) at sysdep.c:1937
        fatal = false
#2  0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
#3  0x00000000005c3f27 in backtrace_top () at eval.c:4294
        pdl = <optimized out>
        pdl = <optimized out>
#4  0x00000000005c3f27 in backtrace_top_function () at eval.c:4294
        pdl = <optimized out>
#5  0x000000000063a0da in add_sample (plog=0xcdf060 <cpu>, count=1436) at lisp.h:1192
#6  0x0000000000557604 in deliver_process_signal (sig=27, handler=0x63a440 <handle_profiler_signal>) at sysdep.c:1758
        old_errno = 11
        on_main_thread = true
#7  0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
#8  0x00007fbda481154a in __lll_unlock_wake () at /lib64/libpthread.so.0
#9  0x00007fbda480c2e6 in __pthread_mutex_unlock_usercnt () at /lib64/libpthread.so.0
#10 0x000000000063af2f in release_global_lock () at thread.c:621
        sa = 0x7ffc6645abd0
        self = 0xc76300 <main_thread>
        oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}
#11 0x000000000063af2f in really_call_select (arg=0x7ffc6645abd0) at thread.c:621
        sa = 0x7ffc6645abd0
        self = 0xc76300 <main_thread>
        oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}
#12 0x000000000063bb1e in flush_stack_call_func (arg=0x7ffc6645abd0, func=0x63af00 <really_call_select>) at lisp.h:4509
        sa = {func = 0x419450 <pselect@plt>, max_fds = 16, rfds = 0x7ffc6645acc0, wfds = 0x7ffc6645ad40, efds = 0x0, timeout = 0x7ffc6645b2d0, sigmask = 0x0, result = -1756783244}
#13 0x000000000063bb1e in thread_select (func=<optimized out>, max_fds=max_fds@entry=16, rfds=rfds@entry=0x7ffc6645acc0, wfds=wfds@entry=0x7ffc6645ad40, efds=efds@entry=0x0, timeout=timeout@entry=0x7ffc6645b2d0, sigmask=0x0) at thread.c:656
        sa = {func = 0x419450 <pselect@plt>, max_fds = 16, rfds = 0x7ffc6645acc0, wfds = 0x7ffc6645ad40, efds = 0x0, timeout = 0x7ffc6645b2d0, sigmask = 0x0, result = -1756783244}
#14 0x00000000006687ae in xg_select (fds_lim=16, rfds=rfds@entry=0x7ffc6645b440, wfds=wfds@entry=0x7ffc6645b4c0, efds=efds@entry=0x0, timeout=timeout@entry=0x7ffc6645b2d0, sigmask=sigmask@entry=0x0) at xgselect.c:184
        all_rfds = {fds_bits = {32872, 0 <repeats 15 times>}}
        all_wfds = {fds_bits = {0 <repeats 16 times>}}
        tmo = {tv_sec = 843691368, tv_nsec = 0}
        tmop = 0x7ffc6645b2d0
        context = 0x30c3c7c0
        have_wfds = <optimized out>
        gfds_buf = {{fd = 6, events = 1, revents = 0}, {fd = 20, events = 0, revents = 0}, {fd = 838180836, events = 0, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = 843421012, events = 0, revents = 0}, {fd = 28, events = 0, revents = 0}, {fd = 1715839064, events = 32764, revents = 0}, {fd = 6398880, events = 0, revents = 0}, {fd = 1715839040, events = 32764, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 837799222, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 838180836, events = 0, revents = 0}, {fd = -1547505218, events = 32701, revents = 0}, {fd = 838180836, events = 0, revents = 0}, {fd = 0, events = 42256, revents = 59604}, {fd = 1715843008, events = 32764, revents = 0}, {fd = 838931840, events = 0, revents = 0}, {fd = -40, events = 0, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = 1715842976, events = 32764, revents = 0}, {fd = 2, events = 0, revents = 0}, {fd = 1715843168, events = 32764, revents = 0}, {fd = -1547358463, events = 32701, revents = 0}, {fd = 13385680, events = 0, revents = 0}, {fd = 13385744, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 838180808, events = 0, revents = 0}, {fd = 2, events = 0, revents = 0}, {fd = 1715842936, events = 32764, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 800, events = 0, revents = 0}, {fd = 2, events = 0, revents = 0}, {fd = 1715842928, events = 32764, revents = 0}, {fd = 1715842936, events = 32764, revents = 0}, {fd = 31536, events = 0, revents = 0}, {fd = 800, events = 0, revents = 0}, {fd = 6023312, events = 0, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 1715843168, events = 32764, revents = 0}, {fd = 838931840, events = 0, revents = 0}, {fd = 835827600, events = 0, revents = 0}, {fd = -1419453425, events = 32701, revents = 0}, {fd --Type <RET> for more, q to quit, c to continue without paging--c = 20, events = 0, revents = 0}, {fd = 13397248, events = 0, revents = 0}, {fd = 843393045, events = 0, revents = 0}, {fd = -900935680, events = 56540, revents = 24937}, {fd = 31536, events = 0, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = 2, events = 0, revents = 0}, {fd = 1715843168, events = 32764, revents = 0}, {fd = 13831584, events = 0, revents = 0}, {fd = 1715843216, events = 32764, revents = 0}, {fd = 1715843152, events = 32764, revents = 0}, {fd = -1547525380, events = 32701, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = -1547524967, events = 32701, revents = 0}, {fd = -1143734272, events = 13752, revents = 50873}, {fd = 6, events = 0, revents = 0}, {fd = 48, events = 0, revents = 0}, {fd = 4511648, events = 0, revents = 0}, {fd = 2, events = 0, revents = 0}, {fd = 836797584, events = 0, revents = 0}, {fd = 2, events = 0, revents = 0}, {fd = 2, events = 0, revents = 0}, {fd = 1, events = 2, revents = 0}, {fd = 838931840, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = -900935680, events = 56540, revents = 24937}, {fd = 0, events = 0, revents = 0}, {fd = 13831584, events = 0, revents = 0}, {fd = 2, events = 0, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = 13831584, events = 0, revents = 0}, {fd = -1547505218, events = 32701, revents = 0}, {fd = 1715843280, events = 32764, revents = 0}, {fd = 0, events = 10240, revents = 61035}, {fd = 838931840, events = 0, revents = 0}, {fd = 838931832, events = 0, revents = 0}, {fd = -30, events = 0, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = 1, events = 0, revents = 0}, {fd = 13831584, events = 0, revents = 0}, {fd = 838931840, events = 0, revents = 0}, {fd = -1547572342, events = 32701, revents = 0}, {fd = 838468288, events = 0, revents = 0}, {fd = -727379968, events = 232, revents = 0}, {fd = 818666165, events = 0, revents = 0}, {fd = 5612100, events = 0, revents = 0}, {fd = 125000000, events = 0, revents = 0}, {fd = 818666165, events = 0, revents = 0}, {fd = 52961, events = 0, revents = 0}, {fd = 6444207, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 1715843456, events = 32764, revents = 0}, {fd = 6450379, events = 0, revents = 0}, {fd = 1783793666, events = 116, revents = 0}, {fd = 1385447426, events = 931, revents = 0}, {fd = 837309808, events = 0, revents = 0}, {fd = 5510319, events = 0, revents = 0}, {fd = 1056964608, events = 0, revents = 16384}, {fd = 5946044, events = 65281, revents = 65535}, {fd = -1778304512, events = 32701, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 1750195774, events = 0, revents = 0}, {fd = 219655029, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 837309811, events = 0, revents = 0}, {fd = 5, events = 0, revents = 0}, {fd = 817673880, events = 0, revents = 0}, {fd = 4848413, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 125000000, events = 0, revents = 0}, {fd = 37, events = 0, revents = 0}, {fd = 836738800, events = 0, revents = 0}, {fd = 0, events = 0, revents = 0}, {fd = 836738800, events = 0, revents = 0}, {fd = 1715843552, events = 32764, revents = 0}, {fd = 5511222, events = 0, revents = 0}}
        gfds = 0x7ffc6645adc0
        gfds_size = <optimized out>
        n_gfds = <optimized out>
        retval = 0
        our_fds = 0
        max_fds = <optimized out>
        i = <optimized out>
        nfds = <optimized out>
        tmo_in_millisec = -1
        must_free = <optimized out>
        need_to_dispatch = <optimized out>
#15 0x0000000000619058 in wait_reading_process_output (time_limit=time_limit@entry=37, nsecs=nsecs@entry=0, read_kbd=read_kbd@entry=-1, do_display=do_display@entry=true, wait_for_cell=wait_for_cell@entry=0x0, wait_proc=wait_proc@entry=0x0, just_wait_proc=0) at process.c:5748
        tls_nfds = 0
        tls_available = {fds_bits = {0 <repeats 16 times>}}
        process_skipped = <optimized out>
        wrapped = <optimized out>
        channel_start = <optimized out>
        child_fd = <optimized out>
        last_read_channel = 11
        channel = <optimized out>
        nfds = <optimized out>
        Available = {fds_bits = {32808, 0 <repeats 15 times>}}
        Writeok = {fds_bits = {0 <repeats 16 times>}}
        check_write = true
        check_delay = <optimized out>
        no_avail = false
        xerrno = 2
        proc = <optimized out>
        timeout = {tv_sec = 0, tv_nsec = 124947039}
        end_time = <optimized out>
        timer_delay = <optimized out>
        got_output_end_time = {tv_sec = 1750195811, tv_nsec = 219652299}
        wait = TIMEOUT
        got_some_output = -1
        prev_wait_proc_nbytes_read = 0
        retry_for_async = <optimized out>
        now = <optimized out>
#16 0x000000000043159d in sit_for (timeout=timeout@entry=0x96, reading=reading@entry=true, display_option=display_option@entry=1) at lisp.h:1192
        sec = 37
        nsec = 0
        do_display = true
        curbuf_eq_winbuf = true
        nbytes = <optimized out>
#17 0x0000000000547f46 in read_char (commandflag=1, map=0x31e9ec83, prev_event=0x0, used_mouse_menu=0x7ffc6645bcab, end_time=0x0) at lisp.h:1226
        tem0 = <optimized out>
        timeout = 37
        delay_level = <optimized out>
        buffer_size = <optimized out>
        c = 0x0
        local_getcjmp = {{__jmpbuf = {13838880, 2237550689305543785, 0, 817841440, 837414019, 140722024332816, -2236691474347539351, 2237551069047604329}, __mask_was_saved = 0, __saved_mask = {__val = {0, 836738805, 1, 6, 48096, 1, 6494148, 2, 6467199, 837428755, 1, 836738805, 48096, 53913, 53913, 836738800}}}}
        save_jump = {{__jmpbuf = {0, 0, 0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        tem = <optimized out>
        save = <optimized out>
        previous_echo_area_message = 0x0
        also_record = 0x0
        reread = false
        recorded = false
        polling_stopped_here = false
        orig_kboard = 0x30bf4520
#18 0x0000000000548b34 in read_key_sequence (keybuf=0x7ffc6645be10, prompt=0x0, dont_downcase_last=<optimized out>, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=<optimized out>, disable_text_conversion_p=false) at keyboard.c:10743
        interrupted_kboard = 0x30bf4520
        interrupted_frame = 0x30bcb3e0
        key = <optimized out>
        used_mouse_menu = false
        echo_local_start = 0
        last_real_key_start = 0
        keys_local_start = 0
        new_binding = <optimized out>
        t = 0
        echo_start = 0
        keys_start = 0
        current_binding = 0x31e9ec83
        first_unbound = 31
        mock_input = 0
        used_mouse_menu_history = {false <repeats 30 times>}
        fkey = {parent = 0x7fbdac6f98a3, map = 0x7fbdac6f98a3, start = 0, end = 0}
        keytran = {parent = 0x7fbd9749a683, map = 0x7fbd9749a683, start = 0, end = 0}
        indec = {parent = 0x7fbdac6f9893, map = 0x7fbdac6f9893, start = 0, end = 0}
        shift_translated = false
        delayed_switch_frame = 0x0
        original_uppercase = 0x539f22 <safe_run_hook_funcall+146>
        original_uppercase_position = -1
        disabled_conversion = <optimized out>
        starting_buffer = <optimized out>
        fake_prefixed_keys = 0x0
        first_event = 0x0
        second_event = <optimized out>
#19 0x000000000054a394 in command_loop_1 () at lisp.h:1192
        cmd = <optimized out>
        keybuf = {0x36, 0x18a, 0x7fbd973a343c, 0x60, 0x60, 0x0, 0x0, 0x111c0, 0x400000003f000000, 0x5be4f4 <unbind_to+516>, 0x0, 0x31ee8a03, 0xb, 0x111c0, 0x30, 0x30c8b715, 0x7fbd95e7fbb8, 0x60, 0x31ee8a03, 0x7ffc6645bed0, 0x0, 0x0, 0x7ffc6645c078, 0x53f0c6 <cmd_error+358>, 0xffffffffffffff00, 0x7ffc6645c044, 0xb, 0xb310, 0x0, 0x7fbd96f922a5}
        i = <optimized out>
        last_pt = <optimized out>
        prev_modiff = 1582
        prev_buffer = 0x32452810
#20 0x00000000005bd222 in internal_condition_case (bfun=bfun@entry=0x54a1d0 <command_loop_1>, handlers=handlers@entry=0x90, hfun=hfun@entry=0x53ef60 <cmd_error>) at eval.c:1613
        val = <optimized out>
        c = 0x30c7a5f0
#21 0x0000000000537c4a in command_loop_2 (handlers=handlers@entry=0x90) at keyboard.c:1168
        val = <optimized out>
#22 0x00000000005bd151 in internal_catch (tag=tag@entry=0x122d0, func=func@entry=0x537c30 <command_loop_2>, arg=arg@entry=0x90) at eval.c:1292
        val = <optimized out>
        c = 0x30c7a4b0
#23 0x0000000000537bef in command_loop () at lisp.h:1192
#24 0x000000000053eb16 in recursive_edit_1 () at keyboard.c:754
        val = <optimized out>
#25 0x000000000053eea4 in Frecursive_edit () at keyboard.c:837
        buffer = <optimized out>
#26 0x0000000000426797 in main (argc=<optimized out>, argv=<optimized out>) at emacs.c:2646
        stack_bottom_variable = 0x6169dcdcca4cd000
        old_argc = <optimized out>
        no_loadup = false
        junk = 0x0
        dname_arg = 0x0
        ch_to_dir = 0x0
        original_pwd = <optimized out>
        dump_mode = <optimized out>
        skip_args = 1
        temacs = 0x0
        attempt_load_pdump = <optimized out>
        only_version = <optimized out>
        rlim = {rlim_cur = 10022912, rlim_max = 18446744073709551615}
        lc_all = <optimized out>
        sockfd = -1
        module_assertions = <optimized out>
Message #26 received at 76970 <at> debbugs.gnu.org (Sat, 21 Jun 2025 09:07:03 GMT):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Aaron Zeng <azeng <at> janestreet.com>
Cc: 76970 <at> debbugs.gnu.org, app-emacs-dev <at> janestreet.com
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Sat, 21 Jun 2025 12:06:00 +0300

> Cc: app-emacs-dev <at> janestreet.com
> Date: Tue, 17 Jun 2025 18:38:26 -0400
> From: Aaron Zeng via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs <at> gnu.org>
>
> I'd like to report that users at my site have seen this crash occur
> quite a few times recently, although not necessarily ending in a
> stack_overflow() frame (instead usually ending in backtrace_top()).
>
> For us, we believe the incidence was increased by enabling
> global-diff-hl-mode (with diff-hl-update-async set to t, so that it
> uses threads). If the Lisp profiler is running and SIGPROF happens to
> be delivered while current_thread is NULL, then the following code in
> backtrace_top will cause a segfault:
>
> union specbinding *
> backtrace_top (void)
> {
>   /* This is so "xbacktrace" doesn't crash in pdumped Emacs if they
>      invoke the command before init_eval_once_for_pdumper initializes
>      specpdl machinery. See also backtrace_p above. */
>   if (!specpdl) /* HERE!!! */
>     return NULL;
>
> add_sample (profiler.c) is called from a signal handler and therefore
> needs to be robust in the case where a thread has just died and there
> is no current thread, so it cannot blindly read specpdl.

Thanks, I installed a fix on the master branch, please see if it fixes
your problem.

> Here is a full backtrace that I managed to reproduce once. Emacs was
> built at commit 31bac0d68c08f3f2fb03fa6ded17b771b168353e.
> Unfortunately, getting a completely reliable reproduction has proved
> tricky.
>
> emacs -Q
> M-x package-initialize
> M-: (setopt diff-hl-update-async t)
> M-x global-diff-hl-mode
> ... and then visiting some files under version control
>
> (gdb) bt full
> #0  0x00000000005564f7 in stack_overflow (siginfo=0xcbeb30 <sigsegv_stack+62896>) at sysdep.c:1902
>         addr = 0x70 <error: Cannot access memory at address 0x70>
>         bot = <optimized out>
>         top = <optimized out>
>         fatal = false
> #1  0x00000000005564f7 in handle_sigsegv (sig=11, siginfo=0xcbeb30 <sigsegv_stack+62896>, arg=<optimized out>) at sysdep.c:1937
>         fatal = false
> #2  0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
> #3  0x00000000005c3f27 in backtrace_top () at eval.c:4294
>         pdl = <optimized out>
>         pdl = <optimized out>
> #4  0x00000000005c3f27 in backtrace_top_function () at eval.c:4294
>         pdl = <optimized out>
> #5  0x000000000063a0da in add_sample (plog=0xcdf060 <cpu>, count=1436) at lisp.h:1192
> #6  0x0000000000557604 in deliver_process_signal (sig=27, handler=0x63a440 <handle_profiler_signal>) at sysdep.c:1758
>         old_errno = 11
>         on_main_thread = true
> #7  0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
> #8  0x00007fbda481154a in __lll_unlock_wake () at /lib64/libpthread.so.0
> #9  0x00007fbda480c2e6 in __pthread_mutex_unlock_usercnt () at /lib64/libpthread.so.0
> #10 0x000000000063af2f in release_global_lock () at thread.c:621
>         sa = 0x7ffc6645abd0
>         self = 0xc76300 <main_thread>
>         oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}
> #11 0x000000000063af2f in really_call_select (arg=0x7ffc6645abd0) at thread.c:621
>         sa = 0x7ffc6645abd0
>         self = 0xc76300 <main_thread>
>         oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}

This seems to be a different problem? The segfault is inside
release_global_lock, with self = current_thread = &main_thread, which
is not NULL? Or what did I miss?
Message #29 received at 76970 <at> debbugs.gnu.org (Sat, 21 Jun 2025 09:39:02 GMT):

From: Pip Cet <pipcet <at> protonmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 76970 <at> debbugs.gnu.org, app-emacs-dev <at> janestreet.com, Aaron Zeng <azeng <at> janestreet.com>
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Sat, 21 Jun 2025 09:38:41 +0000

"Eli Zaretskii" <eliz <at> gnu.org> writes:

>> (gdb) bt full
>> #0  0x00000000005564f7 in stack_overflow (siginfo=0xcbeb30 <sigsegv_stack+62896>) at sysdep.c:1902
>>         addr = 0x70 <error: Cannot access memory at address 0x70>
>>         bot = <optimized out>
>>         top = <optimized out>
>>         fatal = false
>> #1  0x00000000005564f7 in handle_sigsegv (sig=11, siginfo=0xcbeb30 <sigsegv_stack+62896>, arg=<optimized out>) at sysdep.c:1937
>>         fatal = false
>> #2  0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
>> #3  0x00000000005c3f27 in backtrace_top () at eval.c:4294
>>         pdl = <optimized out>
>>         pdl = <optimized out>

The segfault is the signal delivered while we were in frame #3, with
signal number 11.

>> #4  0x00000000005c3f27 in backtrace_top_function () at eval.c:4294
>>         pdl = <optimized out>
>> #5  0x000000000063a0da in add_sample (plog=0xcdf060 <cpu>, count=1436) at lisp.h:1192
>> #6  0x0000000000557604 in deliver_process_signal (sig=27, handler=0x63a440 <handle_profiler_signal>) at sysdep.c:1758
>>         old_errno = 11
>>         on_main_thread = true
>> #7  0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
>> #8  0x00007fbda481154a in __lll_unlock_wake () at /lib64/libpthread.so.0

This is the profiler signal, delivered while we're in frame #8, with
signal number 27.

>> #9  0x00007fbda480c2e6 in __pthread_mutex_unlock_usercnt () at /lib64/libpthread.so.0
>> #10 0x000000000063af2f in release_global_lock () at thread.c:621
>>         sa = 0x7ffc6645abd0
>>         self = 0xc76300 <main_thread>
>>         oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}
>> #11 0x000000000063af2f in really_call_select (arg=0x7ffc6645abd0) at thread.c:621
>>         sa = 0x7ffc6645abd0
>>         self = 0xc76300 <main_thread>
>>         oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}
>
> This seems to be a different problem? The segfault is inside
> release_global_lock, with self = current_thread = &main_thread, which
> is not NULL? Or what did I miss?

release_global_lock has released the lock, so any other thread could
have set current_thread to point to its thread structure, or set it to
NULL if the other thread has exited.

So there's no second problem here, as far as I can see.

Pip
Message #32 received at 76970 <at> debbugs.gnu.org (Sat, 21 Jun 2025 10:45:01 GMT):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Pip Cet <pipcet <at> protonmail.com>
Cc: 76970 <at> debbugs.gnu.org, app-emacs-dev <at> janestreet.com, azeng <at> janestreet.com
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Sat, 21 Jun 2025 13:44:25 +0300

> Date: Sat, 21 Jun 2025 09:38:41 +0000
> From: Pip Cet <pipcet <at> protonmail.com>
> Cc: Aaron Zeng <azeng <at> janestreet.com>, 76970 <at> debbugs.gnu.org, app-emacs-dev <at> janestreet.com
>
> "Eli Zaretskii" <eliz <at> gnu.org> writes:
> >> (gdb) bt full
> >> #0 0x00000000005564f7 in stack_overflow (siginfo=0xcbeb30 <sigsegv_stack+62896>) at sysdep.c:1902
> >>         addr = 0x70 <error: Cannot access memory at address 0x70>
> >>         bot = <optimized out>
> >>         top = <optimized out>
> >>         fatal = false
> >> #1 0x00000000005564f7 in handle_sigsegv (sig=11, siginfo=0xcbeb30 <sigsegv_stack+62896>, arg=<optimized out>) at sysdep.c:1937
> >>         fatal = false
> >> #2 0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
> >> #3 0x00000000005c3f27 in backtrace_top () at eval.c:4294
> >>         pdl = <optimized out>
> >>         pdl = <optimized out>
>
> The segfault is the signal delivered while we were in frame #3, with
> signal number 11.
>
> >> #4 0x00000000005c3f27 in backtrace_top_function () at eval.c:4294
> >>         pdl = <optimized out>
> >> #5 0x000000000063a0da in add_sample (plog=0xcdf060 <cpu>, count=1436) at lisp.h:1192
> >> #6 0x0000000000557604 in deliver_process_signal (sig=27, handler=0x63a440 <handle_profiler_signal>) at sysdep.c:1758
> >>         old_errno = 11
> >>         on_main_thread = true
> >> #7 0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
> >> #8 0x00007fbda481154a in __lll_unlock_wake () at /lib64/libpthread.so.0
>
> This is the profiler signal, delivered while we're in frame #8, with
> signal number 27.
>
> >> #9 0x00007fbda480c2e6 in __pthread_mutex_unlock_usercnt () at /lib64/libpthread.so.0
> >> #10 0x000000000063af2f in release_global_lock () at thread.c:621
> >>         sa = 0x7ffc6645abd0
> >>         self = 0xc76300 <main_thread>
> >>         oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}
> >> #11 0x000000000063af2f in really_call_select (arg=0x7ffc6645abd0) at thread.c:621
> >>         sa = 0x7ffc6645abd0
> >>         self = 0xc76300 <main_thread>
> >>         oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}
> >
> > This seems to be a different problem? The segfault is inside
> > release_global_lock, with self = current_thread = &main_thread, which
> > is not NULL? Or what did I miss?
>
> release_global_lock has released the lock, so any other thread could
> have set current_thread to point to its thread structure, or set it to
> NULL if the other thread has exited.

The variable current_thread is a global variable. really_call_select,
which calls release_global_lock in the backtrace, does this:

  static void
  really_call_select (void *arg)
  {
    struct select_args *sa = arg;
    struct thread_state *self = current_thread;
    sigset_t oldset;

    block_interrupt_signal (&oldset);
    self->not_holding_lock = 1;
    release_global_lock ();

If we are to believe the backtrace, SIGPROF was delivered when we were
inside release_global_lock (which doesn't touch current_thread,
AFAICT). And the backtrace shows:

> #10 0x000000000063af2f in release_global_lock () at thread.c:621
>         sa = 0x7ffc6645abd0
>         self = 0xc76300 <main_thread>

Which tells me that current_thread's value is main_thread, since
that's the value of 'self'. And main_thread is always a valid value.

If release_global_lock caused some other thread to run, then that
other thread will call post_acquire_global_lock, which never sets
current_thread to NULL, it only assigns that variable the value of
another thread's self. If there's no other thread (i.e., that other
thread exited), then release_global_lock will not switch to any other
thread and will not set current_thread to NULL.

So please elaborate on how this scenario could cause a segfault.
Message #35 received at 76970 <at> debbugs.gnu.org (Sun, 22 Jun 2025 06:16:01 GMT):

From: Pip Cet <pipcet <at> protonmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 76970 <at> debbugs.gnu.org, app-emacs-dev <at> janestreet.com, azeng <at> janestreet.com
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Sun, 22 Jun 2025 06:15:07 +0000

"Eli Zaretskii" <eliz <at> gnu.org> writes:

>> Date: Sat, 21 Jun 2025 09:38:41 +0000
>> From: Pip Cet <pipcet <at> protonmail.com>
>> Cc: Aaron Zeng <azeng <at> janestreet.com>, 76970 <at> debbugs.gnu.org, app-emacs-dev <at> janestreet.com
>>
>> "Eli Zaretskii" <eliz <at> gnu.org> writes:
>> >> (gdb) bt full
>> >> #0 0x00000000005564f7 in stack_overflow (siginfo=0xcbeb30 <sigsegv_stack+62896>) at sysdep.c:1902
>> >>         addr = 0x70 <error: Cannot access memory at address 0x70>
>> >>         bot = <optimized out>
>> >>         top = <optimized out>
>> >>         fatal = false
>> >> #1 0x00000000005564f7 in handle_sigsegv (sig=11, siginfo=0xcbeb30 <sigsegv_stack+62896>, arg=<optimized out>) at sysdep.c:1937
>> >>         fatal = false
>> >> #2 0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
>> >> #3 0x00000000005c3f27 in backtrace_top () at eval.c:4294
>> >>         pdl = <optimized out>
>> >>         pdl = <optimized out>
>>
>> The segfault is the signal delivered while we were in frame #3, with
>> signal number 11.
>>
>> >> #4 0x00000000005c3f27 in backtrace_top_function () at eval.c:4294
>> >>         pdl = <optimized out>
>> >> #5 0x000000000063a0da in add_sample (plog=0xcdf060 <cpu>, count=1436) at lisp.h:1192
>> >> #6 0x0000000000557604 in deliver_process_signal (sig=27, handler=0x63a440 <handle_profiler_signal>) at sysdep.c:1758
>> >>         old_errno = 11
>> >>         on_main_thread = true
>> >> #7 0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
>> >> #8 0x00007fbda481154a in __lll_unlock_wake () at /lib64/libpthread.so.0
>>
>> This is the profiler signal, delivered while we're in frame #8, with
>> signal number 27.
>>
>> >> #9 0x00007fbda480c2e6 in __pthread_mutex_unlock_usercnt () at /lib64/libpthread.so.0
>> >> #10 0x000000000063af2f in release_global_lock () at thread.c:621
>> >>         sa = 0x7ffc6645abd0
>> >>         self = 0xc76300 <main_thread>
>> >>         oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}
>> >> #11 0x000000000063af2f in really_call_select (arg=0x7ffc6645abd0) at thread.c:621
>> >>         sa = 0x7ffc6645abd0
>> >>         self = 0xc76300 <main_thread>
>> >>         oldset = {__val = {0, 0, 843691369, 843691368, 843691369, 843691368, 0, 837799220, 0, 1, 13385680, 13385744, 0, 0, 13385680, 13385744}}
>> >
>> > This seems to be a different problem? The segfault is inside
>> > release_global_lock, with self = current_thread = &main_thread, which
>> > is not NULL? Or what did I miss?
>>
>> release_global_lock has released the lock, so any other thread could
>> have set current_thread to point to its thread structure, or set it to
>> NULL if the other thread has exited.
>
> The variable current_thread is a global variable. really_call_select,
> which calls release_global_lock in the backtrace, does this:
>
>   static void
>   really_call_select (void *arg)
>   {
>     struct select_args *sa = arg;
>     struct thread_state *self = current_thread;
>     sigset_t oldset;
>
>     block_interrupt_signal (&oldset);
>     self->not_holding_lock = 1;
>     release_global_lock ();
>
> If we are to believe the backtrace, SIGPROF was delivered when we were
> inside release_global_lock (which doesn't touch current_thread,
> AFAICT). And the backtrace shows:
>
>> #10 0x000000000063af2f in release_global_lock () at thread.c:621
>>         sa = 0x7ffc6645abd0
>>         self = 0xc76300 <main_thread>
>
> Which tells me that current_thread's value is main_thread, since
> that's the value of 'self'. And main_thread is always a valid value.
>
> If release_global_lock caused some other thread to run, then that
> other thread will call post_acquire_global_lock, which never sets
> current_thread to NULL, it only assigns that variable the value of

Most likely the other thread continued running, finished, and set
current_thread to NULL before we got a chance to run the main thread
again.

It's very likely we spent some time in release_global_lock because we
were still in that function when SIGPROF, which only happens once in a
while, hit. There may well have been more threads than CPU cores.

Pip
Message #38 received at 76970 <at> debbugs.gnu.org (Sun, 22 Jun 2025 07:16:01 GMT):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Pip Cet <pipcet <at> protonmail.com>
Cc: 76970 <at> debbugs.gnu.org, app-emacs-dev <at> janestreet.com, azeng <at> janestreet.com
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Sun, 22 Jun 2025 10:15:24 +0300

> Date: Sun, 22 Jun 2025 06:15:07 +0000
> From: Pip Cet <pipcet <at> protonmail.com>
> Cc: azeng <at> janestreet.com, 76970 <at> debbugs.gnu.org, app-emacs-dev <at> janestreet.com
>
> "Eli Zaretskii" <eliz <at> gnu.org> writes:
>
> >> release_global_lock has released the lock, so any other thread could
> >> have set current_thread to point to its thread structure, or set it to
> >> NULL if the other thread has exited.
> >
> > The variable current_thread is a global variable. really_call_select,
> > which calls release_global_lock in the backtrace, does this:
> >
> >   static void
> >   really_call_select (void *arg)
> >   {
> >     struct select_args *sa = arg;
> >     struct thread_state *self = current_thread;
> >     sigset_t oldset;
> >
> >     block_interrupt_signal (&oldset);
> >     self->not_holding_lock = 1;
> >     release_global_lock ();
> >
> > If we are to believe the backtrace, SIGPROF was delivered when we were
> > inside release_global_lock (which doesn't touch current_thread,
> > AFAICT). And the backtrace shows:
> >
> >> #10 0x000000000063af2f in release_global_lock () at thread.c:621
> >>         sa = 0x7ffc6645abd0
> >>         self = 0xc76300 <main_thread>
> >
> > Which tells me that current_thread's value is main_thread, since
> > that's the value of 'self'. And main_thread is always a valid value.
> >
> > If release_global_lock caused some other thread to run, then that
> > other thread will call post_acquire_global_lock, which never sets
> > current_thread to NULL, it only assigns that variable the value of
>
> Most likely the other thread continued running, finished, and set
> current_thread to NULL before we got a chance to run the main thread
> again.

This is possible, but we have no evidence to think this is what
happened. Moreover, the main thread didn't yet return from
pthread_mutex_unlock when SIGPROF is delivered:

>> #4 0x00000000005c3f27 in backtrace_top_function () at eval.c:4294
>>         pdl = <optimized out>
>> #5 0x000000000063a0da in add_sample (plog=0xcdf060 <cpu>, count=1436) at lisp.h:1192
>> #6 0x0000000000557604 in deliver_process_signal (sig=27, handler=0x63a440 <handle_profiler_signal>) at sysdep.c:1758
>>         old_errno = 11
>>         on_main_thread = true
>> #7 0x00007fbda4812970 in <signal handler called> () at /lib64/libpthread.so.0
>> #8 0x00007fbda481154a in __lll_unlock_wake () at /lib64/libpthread.so.0
>> #9 0x00007fbda480c2e6 in __pthread_mutex_unlock_usercnt () at /lib64/libpthread.so.0
>> >> #10 0x000000000063af2f in release_global_lock () at thread.c:621

Is the global lock already released at this point? are other threads
allowed to run? What is __lll_unlock_wake about -- doesn't it wake
some other thread? If it did not yet do so, the other thread couldn't
have been running.

IOW, we need backtrace from all the threads, not just from the main
thread, to draw any definitive conclusions.
Message #41 received at 76970 <at> debbugs.gnu.org (Mon, 23 Jun 2025 20:08:02 GMT):

From: Aaron Zeng <azeng <at> janestreet.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: Pip Cet <pipcet <at> protonmail.com>, app-emacs-dev <at> janestreet.com, 76970 <at> debbugs.gnu.org
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Mon, 23 Jun 2025 16:06:52 -0400

On Sun, Jun 22, 2025 at 3:15 AM Eli Zaretskii <eliz <at> gnu.org> wrote:

> This is possible, but we have no evidence to think this is what
> happened. Moreover, the main thread didn't yet return from
> pthread_mutex_unlock when SIGPROF is delivered:
>
> >> #4 0x00000000005c3f27 in backtrace_top_function () at eval.c:4294
> >> pdl = <optimized out>
> >> #5 0x000000000063a0da in add_sample (plog=0xcdf060 <cpu>, count=1436)
> at lisp.h:1192
> >> #6 0x0000000000557604 in deliver_process_signal (sig=27,
> handler=0x63a440 <handle_profiler_signal>) at sysdep.c:1758
> >> old_errno = 11
> >> on_main_thread = true
> >> #7 0x00007fbda4812970 in <signal handler called> () at
> /lib64/libpthread.so.0
> >> #8 0x00007fbda481154a in __lll_unlock_wake () at /lib64/libpthread.so.0
> >> #9 0x00007fbda480c2e6 in __pthread_mutex_unlock_usercnt () at
> /lib64/libpthread.so.0
> >> >> #10 0x000000000063af2f in release_global_lock () at thread.c:621
>
> Is the global lock already released at this point? are other threads
> allowed to run? What is __lll_unlock_wake about -- doesn't it wake
> some other thread? If it did not yet do so, the other thread couldn't
> have been running.
>
> IOW, we need backtrace from all the threads, not just from the main
> thread, to draw any definitive conclusions.
>

I applied your patch from the master branch and got a segfault again,
but it has a different top frame. I have attached a backtrace generated
with [thread apply all bt full]. In this one, I do not see
__lll_unlock_wake appear at all.

This is from Emacs compiled at revision 991d3ad80a37a1cf8951d2607eb5f7544f968e93.

It seems it is possible for current_thread to be set to NULL by the
dying thread, during backtrace_top.
[gdb2.txt (text/plain, attachment)]
Message #44 received at 76970 <at> debbugs.gnu.org (Tue, 24 Jun 2025 05:47:05 GMT):

From: Pip Cet <pipcet <at> protonmail.com>
To: Aaron Zeng <azeng <at> janestreet.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, app-emacs-dev <at> janestreet.com, 76970 <at> debbugs.gnu.org
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Tue, 24 Jun 2025 05:46:22 +0000

"Aaron Zeng" <azeng <at> janestreet.com> writes: > I applied your patch from the master branch and got a segfault again, but it has a different > top frame. I have attached a backtrace generated with [thread apply all bt full]. In this one, > I do not see __lll_unlock_wake appear at all. This one happened while waiting for the lock, not right after unlocking it. Not a big difference. The original fix was incomplete, please try applying this one, too: diff --git a/src/eval.c b/src/eval.c index 46705dc4543..20782639990 100644 --- a/src/eval.c +++ b/src/eval.c @@ -159,7 +159,11 @@ set_backtrace_debug_on_exit (union specbinding *pdl, bool doe) bool backtrace_p (union specbinding *pdl) -{ return specpdl ? pdl >= specpdl : false; } +{ + if (current_thread && specpdl && pdl) + return pdl >= specpdl; + return false; +} static bool backtrace_thread_p (struct thread_state *tstate, union specbinding *pdl) > This is from Emacs compiled at revision 991d3ad80a37a1cf8951d2607eb5f7544f968e93. > > It seems it is possible for current_thread to be set to NULL by the dying thread, > during backtrace_top. It is possible, in theory, for that to happen, and this additional race condition also should be fixed, but it's not what happened here. What happened here was that current_thread became NULL, we checked it in backtrace_top, returned a NULL pointer for the pdl, passed that NULL pointer to backtrace_p, dereferenced current_thread again (by evaluating specpdl) and caused a segfault. Pip
Message #47 received at 76970 <at> debbugs.gnu.org (Tue, 24 Jun 2025 18:52:02 GMT):

From: Aaron Zeng <azeng <at> janestreet.com>
To: Pip Cet <pipcet <at> protonmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, app-emacs-dev <at> janestreet.com, 76970 <at> debbugs.gnu.org
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Tue, 24 Jun 2025 14:50:17 -0400

On Tue, Jun 24, 2025 at 1:46 AM Pip Cet <pipcet <at> protonmail.com> wrote: > > The original fix was incomplete, please try applying this one, too: > > diff --git a/src/eval.c b/src/eval.c > index 46705dc4543..20782639990 100644 > --- a/src/eval.c > +++ b/src/eval.c > @@ -159,7 +159,11 @@ set_backtrace_debug_on_exit (union specbinding *pdl, bool doe) > > bool > backtrace_p (union specbinding *pdl) > -{ return specpdl ? pdl >= specpdl : false; } > +{ > + if (current_thread && specpdl && pdl) > + return pdl >= specpdl; > + return false; > +} > > static bool > backtrace_thread_p (struct thread_state *tstate, union specbinding *pdl) > > > This is from Emacs compiled at revision 991d3ad80a37a1cf8951d2607eb5f7544f968e93. > > > > It seems it is possible for current_thread to be set to NULL by the dying thread, > > during backtrace_top. > > It is possible, in theory, for that to happen, and this additional race > condition also should be fixed, but it's not what happened here. What > happened here was that current_thread became NULL, we checked it in > backtrace_top, returned a NULL pointer for the pdl, passed that NULL > pointer to backtrace_p, dereferenced current_thread again (by evaluating > specpdl) and caused a segfault. Doesn't this new code have the same issue, though? Each time specpdl appears in the code, it's dereferencing current_thread anew. Maybe I am being overly paranoid, but it seems like the only correct way to avoid this race condition altogether is to read current_thread only once during the course of the signal handler, and to avoid using the macros which may read it a second time, instead dereferencing a local copy of the pointer once it has been verified to be not-NULL.
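Review bot: The new guard in backtrace_p, `if (current_thread && specpdl && pdl)`, carries no comment saying why current_thread can be NULL at this point, and a reader of eval.c alone will not guess it. Add a short comment above the `if` stating that backtrace_p is reached from the profiler's signal handler, which can run while no thread holds the global lock. The comment should also say that the guard narrows the window rather than closes it: specpdl is evaluated once in the condition and again in `return pdl >= specpdl;`, and the message that introduced the patch states that evaluating specpdl dereferences current_thread, so reading current_thread once into a local and working from that copy would be the stricter form.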
Message #50 received at 76970 <at> debbugs.gnu.org (Wed, 25 Jun 2025 11:44:02 GMT):

From: Pip Cet <pipcet <at> protonmail.com>
To: Aaron Zeng <azeng <at> janestreet.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, app-emacs-dev <at> janestreet.com, 76970 <at> debbugs.gnu.org
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Wed, 25 Jun 2025 11:43:34 +0000

"Aaron Zeng" <azeng <at> janestreet.com> writes: > On Tue, Jun 24, 2025 at 1:46 AM Pip Cet <pipcet <at> protonmail.com> wrote: >> >> The original fix was incomplete, please try applying this one, too: >> >> diff --git a/src/eval.c b/src/eval.c >> index 46705dc4543..20782639990 100644 >> --- a/src/eval.c >> +++ b/src/eval.c 
>> @@ -159,7 +159,11 @@ set_backtrace_debug_on_exit (union specbinding *pdl, bool doe) >> >> bool >> backtrace_p (union specbinding *pdl) >> -{ return specpdl ? pdl >= specpdl : false; } >> +{ >> + if (current_thread && specpdl && pdl) >> + return pdl >= specpdl; >> + return false; >> +} >> >> static bool >> backtrace_thread_p (struct thread_state *tstate, union specbinding *pdl) >> >> > This is from Emacs compiled at revision 991d3ad80a37a1cf8951d2607eb5f7544f968e93. >> > >> > It seems it is possible for current_thread to be set to NULL by the dying thread, >> > during backtrace_top. >> >> It is possible, in theory, for that to happen, and this additional race >> condition also should be fixed, but it's not what happened here. What >> happened here was that current_thread became NULL, we checked it in >> backtrace_top, returned a NULL pointer for the pdl, passed that NULL >> pointer to backtrace_p, dereferenced current_thread again (by evaluating >> specpdl) and caused a segfault. > > Doesn't this new code have the same issue, though? Each time specpdl appears > in the code, it's dereferencing current_thread anew. That is an additional issue, but it's not what happened here. But yes, we should fix that, too, if we can. Note that current_thread isn't volatile, so the compiler is free not to dereference it every time; this means that optimization may hide the race condition you're worried about. > Maybe I am being overly paranoid, but it seems like the only correct > way to avoid this race condition altogether is to read current_thread > only once during the course of the signal handler, and to avoid using > the macros which may read it a second time, instead dereferencing a > local copy of the pointer once it has been verified to be not-NULL. 
It's not just current_thread that may become invalid, the specpdl
itself may also be concurrently modified (or grow!), and depending on
your precise CPU architecture that may result in nonsensical results:
in fact, the union member which is in use for a specpdl entry might
change, and this would almost always result in a problem, I think.

However, concurrent modifications are much less likely than seeing a
NULL pointer in the rather long window between the termination of one
thread's function and the point when another thread has grabbed the
lock and set current_thread to its own thread state. I'm not saying we
shouldn't worry about them, but if we can avoid the latter for now and
add a comment explaining the former problem that would be good, I
think.

Ultimately, it may be best to wait for the next maybe_quit so we can
get a consistent view of the specpdl, but that would distort the
backtrace, too.

Pip
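The single-read approach raised in the last two messages, as an added C sketch (not code from the thread or from Emacs). The struct layout, the `between_reads` hook and all function names are assumptions made for the illustration; the hook stands in for another thread exiting while the profiler's signal handler runs.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumed layout, not Emacs's real definitions).  */
union binding { int kind; void *value; };
struct thread_state
{
  union binding *pdl_base;  /* oldest entry of this thread's binding stack */
  union binding *pdl_top;   /* one past the newest entry */
};

/* Owner of the global lock; NULL in the window after one thread has
   exited and before the next one has taken the lock.  */
static _Atomic (struct thread_state *) current_thread;

/* Hypothetical hook, run between the check and the use to stand in for
   another thread exiting while the handler is running.  */
static void (*between_reads) (void);

static struct thread_state *load_current (void)
{
  return atomic_load_explicit (&current_thread, memory_order_acquire);
}

/* Check-then-reread shape: validates one load, uses a second one.
   Returns -1 at the point where real code would dereference NULL.  */
static int depth_reread (void)
{
  if (!load_current ())                     /* load #1: the check */
    return 0;
  if (between_reads)
    between_reads ();
  struct thread_state *t = load_current (); /* load #2: the use */
  if (!t)
    return -1;
  return (int) (t->pdl_top - t->pdl_base);
}

/* Snapshot shape: one load, and every later access goes through the
   local copy.  This removes the NULL dereference only; it assumes the
   thread_state outlives the handler and does not protect against the
   binding stack itself changing underneath the reader.  */
static int depth_snapshot (void)
{
  struct thread_state *t = load_current (); /* the only load */
  if (!t)
    return 0;
  if (between_reads)
    between_reads ();
  union binding *base = t->pdl_base, *top = t->pdl_top;
  if (!base || !top || top < base)
    return 0;
  return (int) (top - base);
}

/* Constructed scenario: a worker with three bindings owns the lock and
   exits (clearing current_thread) while the sampler runs.  */
static union binding worker_pdl[8];
static struct thread_state worker = { worker_pdl, worker_pdl + 3 };

static void worker_exits (void)
{
  atomic_store_explicit (&current_thread, NULL, memory_order_release);
}

static int run_scenario (int use_snapshot, int exit_mid_sample)
{
  atomic_store_explicit (&current_thread, &worker, memory_order_release);
  between_reads = exit_mid_sample ? worker_exits : NULL;
  return use_snapshot ? depth_snapshot () : depth_reread ();
}

int main (void)
{
  printf ("reread:   %d\n", run_scenario (0, 1));
  printf ("snapshot: %d\n", run_scenario (1, 1));
  return 0;
}
```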
Message #53 received at 76970 <at> debbugs.gnu.org (Tue, 01 Jul 2025 16:19:02 GMT):

From: Aaron Zeng <azeng <at> janestreet.com>
To: Pip Cet <pipcet <at> protonmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, app-emacs-dev <at> janestreet.com, 76970 <at> debbugs.gnu.org
Subject: Re: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Tue, 1 Jul 2025 12:17:45 -0400

On Tue, Jun 24, 2025 at 1:46 AM Pip Cet <pipcet <at> protonmail.com> wrote: > The original fix was incomplete, please try applying this one, too: > > diff --git a/src/eval.c b/src/eval.c > index 46705dc4543..20782639990 100644 > --- a/src/eval.c > +++ b/src/eval.c > @@ -159,7 +159,11 @@ set_backtrace_debug_on_exit (union specbinding *pdl, bool doe) > > bool > backtrace_p (union specbinding *pdl) > -{ return specpdl ? pdl >= specpdl : false; } > +{ > + if (current_thread && specpdl && pdl) > + return pdl >= specpdl; > + return false; > +} > > static bool > backtrace_thread_p (struct thread_state *tstate, union specbinding *pdl) After installing that patch as well, it does seem to have helped a lot. I was seeing segfaults every couple of hours and I haven't seen one in several days. Thanks, Pip!