GNU bug report logs -
#77024
31.0.50; feature/igc: crash "switching to thread"
Previous Next
To reply to this bug, email your comments to 77024 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#77024; Package
emacs.
(Sat, 15 Mar 2025 06:40:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Oliver Reiter <reiter <at> wiiw.ac.at>:
New bug report received and forwarded. Copy sent to
bug-gnu-emacs <at> gnu.org.
(Sat, 15 Mar 2025 06:40:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Evening!
After weeks of no crash, emacs crashed on me today again.
[New Thread 0x7fffb3bb96c0 (LWP 54691)]
[Thread 0x7fffb3bb96c0 (LWP 54691) exited]
... quite a lot of those
[New Thread 0x7fffb3bb96c0 (LWP 54696)]
[Thread 0x7fffb3bb96c0 (LWP 54696) exited]
[New Thread 0x7fffb3bb96c0 (LWP 54709)]
[Thread 0x7fffb3bb96c0 (LWP 54709) exited]
[New Thread 0x7fffb3bb96c0 (LWP 54751)]
[Switching to Thread 0x7fffb3bb96c0 (LWP 54751)]
Thread 409 "diff-hl--update" hit Breakpoint 1, terminate_due_to_signal (sig=6, backtrace_limit=40) at /home/reitero/build/sources/emacs/emacs_debug/src/emacs.c:425
425 {
(gdb) bt
#0 terminate_due_to_signal (sig=6, backtrace_limit=40) at /home/reitero/build/sources/emacs/emacs_debug/src/emacs.c:425
#1 0x00005555556d31a5 in emacs_abort () at /home/reitero/build/sources/emacs/emacs_debug/src/sysdep.c:2378
#2 0x000055555579fa76 in fix_lisp_obj (ss=ss <at> entry=0x7fffb3bb81a8, pobj=pobj <at> entry=0x555556f67eb0) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1132
#3 0x00005555557a1040 in scan_specpdl (ss=0x7fffb3bb81a8, start=<optimized out>, end=0x555556f684e0, closure=<optimized out>) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1535
#4 0x0000555555861428 in RootScan ()
#5 0x00005555558615fa in traceScanRootRes ()
#6 0x0000555555861c0b in TraceStart ()
#7 0x0000555555862bf8 in PolicyStartTrace ()
#8 0x0000555555866331 in TracePoll ()
#9 0x00005555558664f9 in ArenaPoll ()
#10 0x00005555558668e3 in mps_ap_fill ()
#11 0x00005555557a13b7 in alloc_impl (size=size <at> entry=304, type=type <at> entry=IGC_OBJ_HANDLER, ap=0x7fffb8367818) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:4094
#12 0x00005555557a14a6 in alloc (size=size <at> entry=304, type=type <at> entry=IGC_OBJ_HANDLER) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:4122
#13 0x00005555557a17cd in igc_alloc_handler () at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:4499
#14 0x00005555557a392f in run_thread (state=0x7fffa66f9c90) at /home/reitero/build/sources/emacs/emacs_debug/src/thread.c:804
#15 0x00007ffff353270a in start_thread (arg=<optimized out>) at pthread_create.c:448
#16 0x00007ffff35b6aac in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
(gdb) bt full
#0 terminate_due_to_signal (sig=6, backtrace_limit=40) at /home/reitero/build/sources/emacs/emacs_debug/src/emacs.c:425
No locals.
#1 0x00005555556d31a5 in emacs_abort () at /home/reitero/build/sources/emacs/emacs_debug/src/sysdep.c:2378
No locals.
#2 0x000055555579fa76 in fix_lisp_obj (ss=ss <at> entry=0x7fffb3bb81a8, pobj=pobj <at> entry=0x555556f67eb0) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1132
word = <optimized out>
p = 0x555556f67eb0
tag = 1
client = <optimized out>
base = <optimized out>
res = <optimized out>
_ss = 0x7fffb3bb81a8
_mps_zs = <optimized out>
_mps_ufs = 0
_mps_wt = <optimized out>
_mps_w = <optimized out>
#3 0x00005555557a1040 in scan_specpdl (ss=0x7fffb3bb81a8, start=<optimized out>, end=0x555556f684e0, closure=<optimized out>) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1535
res = <optimized out>
pdl = 0x555556f67ea0
t = <optimized out>
_ss = 0x7fffb3bb81a8
_mps_zs = <optimized out>
_mps_ufs = 0
_mps_wt = <optimized out>
_mps_w = <optimized out>
#4 0x0000555555861428 in RootScan ()
No symbol table info available.
#5 0x00005555558615fa in traceScanRootRes ()
No symbol table info available.
#6 0x0000555555861c0b in TraceStart ()
No symbol table info available.
#7 0x0000555555862bf8 in PolicyStartTrace ()
No symbol table info available.
#8 0x0000555555866331 in TracePoll ()
No symbol table info available.
#9 0x00005555558664f9 in ArenaPoll ()
No symbol table info available.
#10 0x00005555558668e3 in mps_ap_fill ()
No symbol table info available.
#11 0x00005555557a13b7 in alloc_impl (size=size <at> entry=304, type=type <at> entry=IGC_OBJ_HANDLER, ap=0x7fffb8367818) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:4094
res = <optimized out>
p = 0x0
#12 0x00005555557a14a6 in alloc (size=size <at> entry=304, type=type <at> entry=IGC_OBJ_HANDLER) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:4122
No locals.
#13 0x00005555557a17cd in igc_alloc_handler () at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:4499
h = <optimized out>
#14 0x00005555557a392f in run_thread (state=0x7fffa66f9c90) at /home/reitero/build/sources/emacs/emacs_debug/src/thread.c:804
stack_pos = {
o = 0x7fffb3bb85c0,
p = 0x7fffb3bb85c0,
c = -64 '\300'
}
self = 0x7fffa66f9c90
--Type <RET> for more, q to quit, c to continue without paging--
iter = <optimized out>
c = <optimized out>
#15 0x00007ffff353270a in start_thread (arg=<optimized out>) at pthread_create.c:448
ret = <optimized out>
pd = <optimized out>
out = <optimized out>
unwind_buf = {
cancel_jmp_buf = {{
jmp_buf = {140736208803520, -7017451993682105089, 140736208803520, -600, 11, 140737488338656, -7017451993560470273, -7017310503391286017},
mask_was_saved = 0
}},
priv = {
pad = {0x0, 0x0, 0x0, 0x0},
data = {
prev = 0x0,
cleanup = 0x0,
canceltype = 0
}
}
}
not_first_call = <optimized out>
#16 0x00007ffff35b6aac in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
No locals.
(gdb) xbacktrace ## is empty
In GNU Emacs 31.0.50 (build 13, x86_64-pc-linux-gnu, GTK+ Version
3.24.48, cairo version 1.18.2) of 2025-03-07 built on wilap
Repository revision: 07cca9aec11b2c40d1107a90b81400c3a34e1f68
Repository branch: HEAD
System Description: Arch Linux
Configured using:
'configure 'CFLAGS=-g3 -ggdb -Og -fno-omit-frame-pointer'
CPPFLAGS=-I/home/reitero/.local/lib/mps
LDFLAGS=-L/home/reitero/.local/lib/mps --prefix=/usr --sysconfdir=/etc
--libexecdir=/usr/lib --localstatedir=/var --with-mps=yes
--with-gameuser=root:games --with-pgtk --with-xft --with-harfbuzz
--with-modules --without-compress-install --without-m17n-flt
--with-libotf --without-imagemagick --without-gsettings --without-gconf
--with-native-compilation=aot --with-tree-sitter
--enable-link-time-optimization'
Configured features:
ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GPM HARFBUZZ JPEG LCMS2
LIBOTF LIBSYSTEMD LIBXML2 MODULES MPS NATIVE_COMP NOTIFY INOTIFY PDUMPER
PGTK PNG RSVG SECCOMP SOUND SQLITE3 THREADS TIFF TOOLKIT_SCROLL_BARS
TREE_SITTER WEBP XIM GTK3 ZLIB
Cheers,
Oliver
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#77024; Package
emacs.
(Sat, 15 Mar 2025 10:29:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 77024 <at> debbugs.gnu.org (full text, mbox):
> From: Oliver Reiter <reiter <at> wiiw.ac.at>
> Date: Fri, 14 Mar 2025 21:34:32 +0100
>
> After weeks of no crash, emacs crashed on me today again.
>
> [New Thread 0x7fffb3bb96c0 (LWP 54691)]
> [Thread 0x7fffb3bb96c0 (LWP 54691) exited]
> ... quite a lot of those
> [New Thread 0x7fffb3bb96c0 (LWP 54696)]
> [Thread 0x7fffb3bb96c0 (LWP 54696) exited]
> [New Thread 0x7fffb3bb96c0 (LWP 54709)]
> [Thread 0x7fffb3bb96c0 (LWP 54709) exited]
> [New Thread 0x7fffb3bb96c0 (LWP 54751)]
> [Switching to Thread 0x7fffb3bb96c0 (LWP 54751)]
>
> Thread 409 "diff-hl--update" hit Breakpoint 1, terminate_due_to_signal (sig=6, backtrace_limit=40) at /home/reitero/build/sources/emacs/emacs_debug/src/emacs.c:425
> 425 {
> (gdb) bt
> #0 terminate_due_to_signal (sig=6, backtrace_limit=40) at /home/reitero/build/sources/emacs/emacs_debug/src/emacs.c:425
> #1 0x00005555556d31a5 in emacs_abort () at /home/reitero/build/sources/emacs/emacs_debug/src/sysdep.c:2378
> #2 0x000055555579fa76 in fix_lisp_obj (ss=ss <at> entry=0x7fffb3bb81a8, pobj=pobj <at> entry=0x555556f67eb0) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1132
This is here:
mps_word_t tag = word & IGC_TAG_MASK;
if (tag == Lisp_Int0 || tag == Lisp_Int1)
return MPS_RES_OK;
else if (tag == Lisp_Type_Unused0)
emacs_abort (); <<<<<<<<<<<<<<<<<<<<<<<<<<
Called from here:
case SPECPDL_UNWIND:
IGC_FIX12_OBJ (ss, &pdl->unwind.arg);
break;
Can you show the contents of 'pdl' here?
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#77024; Package
emacs.
(Sat, 15 Mar 2025 11:10:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 77024 <at> debbugs.gnu.org (full text, mbox):
"Oliver Reiter" <reiter <at> wiiw.ac.at> writes:
> Evening!
> After weeks of no crash, emacs crashed on me today again.
Thanks for the report!
I'm surprised that you hit the multi-Lisp-thread code, I thought it
remained essentially unused. In any case, the problem here is that when
we create a new thread, we xmalloc the new thread's specpdl. This is
Fmake_thread:
union specbinding *pdlvec = xmalloc ((1 + size) * sizeof (union specbinding));
new_thread->m_specpdl = pdlvec + 1; /* Skip the dummy entry. */
new_thread->m_specpdl_end = new_thread->m_specpdl + size;
new_thread->m_specpdl_ptr = new_thread->m_specpdl;
And this is init_eval_once_for_pdumper, which works:
union specbinding *pdlvec = xzalloc ((size + 1) * sizeof *specpdl);
specpdl = specpdl_ptr = pdlvec + 1;
specpdl_end = specpdl + size;
xmalloc often returns memory that happens to be zeroed, but doesn't
guarantee it, and then we try to scan the new specpdl and hit the assert
below.
> [New Thread 0x7fffb3bb96c0 (LWP 54691)]
> [Thread 0x7fffb3bb96c0 (LWP 54691) exited]
> ... quite a lot of those
> [New Thread 0x7fffb3bb96c0 (LWP 54696)]
> [Thread 0x7fffb3bb96c0 (LWP 54696) exited]
> [New Thread 0x7fffb3bb96c0 (LWP 54709)]
> [Thread 0x7fffb3bb96c0 (LWP 54709) exited]
> [New Thread 0x7fffb3bb96c0 (LWP 54751)]
> [Switching to Thread 0x7fffb3bb96c0 (LWP 54751)]
TBH, I'd rather go through the thread.c code once more to make sure
there aren't any obvious bugs preventing it from working with HAVE_MPS.
What were you doing that launched multiple threads?
> Thread 409 "diff-hl--update" hit Breakpoint 1, terminate_due_to_signal (sig=6, backtrace_limit=40) at /home/reitero/build/sources/emacs/emacs_debug/src/emacs.c:425
I'll fix the xmalloc->xzalloc thing now, but it's possible there are
other problems, particularly with so many threads...
Pip
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#77024; Package
emacs.
(Sun, 16 Mar 2025 08:07:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 77024 <at> debbugs.gnu.org (full text, mbox):
Pip Cet <pipcet <at> protonmail.com> writes:
> What were you doing that launched multiple threads?
Either diff-hl or debbugs.el. It was the latter which caught me
unawares one morning having just updated it from ELPA and prompted me to
implement threads properly on Android.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#77024; Package
emacs.
(Wed, 19 Mar 2025 08:09:02 GMT)
Full text and
rfc822 format available.
Message #17 received at 77024 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Eli Zaretskii <eliz <at> gnu.org> writes:
>> From: Oliver Reiter <reiter <at> wiiw.ac.at>
>> Date: Fri, 14 Mar 2025 21:34:32 +0100
>>
>> After weeks of no crash, emacs crashed on me today again.
>>
>> [New Thread 0x7fffb3bb96c0 (LWP 54691)]
>> [Thread 0x7fffb3bb96c0 (LWP 54691) exited]
>> ... quite a lot of those
>> [New Thread 0x7fffb3bb96c0 (LWP 54696)]
>> [Thread 0x7fffb3bb96c0 (LWP 54696) exited]
>> [New Thread 0x7fffb3bb96c0 (LWP 54709)]
>> [Thread 0x7fffb3bb96c0 (LWP 54709) exited]
>> [New Thread 0x7fffb3bb96c0 (LWP 54751)]
>> [Switching to Thread 0x7fffb3bb96c0 (LWP 54751)]
>>
>> Thread 409 "diff-hl--update" hit Breakpoint 1, terminate_due_to_signal (sig=6, backtrace_limit=40) at /home/reitero/build/sources/emacs/emacs_debug/src/emacs.c:425
>> 425 {
>> (gdb) bt
>> #0 terminate_due_to_signal (sig=6, backtrace_limit=40) at /home/reitero/build/sources/emacs/emacs_debug/src/emacs.c:425
>> #1 0x00005555556d31a5 in emacs_abort () at /home/reitero/build/sources/emacs/emacs_debug/src/sysdep.c:2378
>> #2 0x000055555579fa76 in fix_lisp_obj (ss=ss <at> entry=0x7fffb3bb81a8, pobj=pobj <at> entry=0x555556f67eb0) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1132
>
> This is here:
>
> mps_word_t tag = word & IGC_TAG_MASK;
> if (tag `= Lisp_Int0 || tag =' Lisp_Int1)
> return MPS_RES_OK;
> else if (tag == Lisp_Type_Unused0)
> emacs_abort (); <<<<<<<<<<<<<<<<<<<<<<<<<<
>
> Called from here:
>
> case SPECPDL_UNWIND:
> IGC_FIX12_OBJ (ss, &pdl->unwind.arg);
> break;
>
> Can you show the contents of 'pdl' here?
I am not that proficient in debugging, do you mean like this?
From 'bt full', I figured that 'pdl' is at 0x555556f67ea0:
#2 0x000055555579fa76 in fix_lisp_obj (ss=ss <at> entry=0x7fffb3bb81a8, pobj=pobj <at> entry=0x555556f67eb0) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1132
word = <optimized out>
p = 0x555556f67eb0
tag = 1
client = <optimized out>
base = <optimized out>
res = <optimized out>
_ss = 0x7fffb3bb81a8
_mps_zs = <optimized out>
_mps_ufs = 0
_mps_wt = <optimized out>
_mps_w = <optimized out>
#3 0x00005555557a1040 in scan_specpdl (ss=0x7fffb3bb81a8, start=<optimized out>, end=0x555556f684e0, closure=<optimized out>) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1535
res = <optimized out>
pdl = 0x555556f67ea0
t = <optimized out>
_ss = 0x7fffb3bb81a8
_mps_zs = <optimized out>
_mps_ufs = 0
_mps_wt = <optimized out>
_mps_w = <optimized out>
So:
(gdb) p *(struct Lisp_String *)0x555556f67ea0
$5 = {
gc_header = {
v = 1,
gcaligned = 1 '\001'
},
u = {
s = {
size = 1,
size_byte = 4294967297,
intervals = 0x1,
data = 0x0
},
next = 0x1,
gcaligned = 1 '\001'
}
}
This should then be pdl->unwind.arg, I guess:
(gdb) p *(struct Lisp_String *)0x555556f67eb0
$4 = {
gc_header = {
v = 4294967297,
gcaligned = 1 '\001'
},
u = {
s = {
size = 1,
size_byte = 0,
intervals = 0x0,
data = 0x1287 <error: Cannot access memory at address 0x1287>
},
next = 0x1,
gcaligned = 1 '\001'
}
}
If you meant something else, happy to help.
Oliver
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#77024; Package
emacs.
(Wed, 19 Mar 2025 08:11:03 GMT)
Full text and
rfc822 format available.
Message #20 received at 77024 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Po Lu <luangruo <at> yahoo.com> writes:
> Pip Cet <pipcet <at> protonmail.com> writes:
>
>> What were you doing that launched multiple threads?
Nothing particular comes to mind. I think I marked a region to do some
editing. I definitely didn't start a thread on purpose.
>
> Either diff-hl or debbugs.el. It was the latter which caught me
> unawares one morning having just updated it from ELPA and prompted me to
> implement threads properly on Android.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#77024; Package
emacs.
(Wed, 19 Mar 2025 14:16:02 GMT)
Full text and
rfc822 format available.
Message #23 received at 77024 <at> debbugs.gnu.org (full text, mbox):
> From: Oliver Reiter <reiter <at> wiiw.ac.at>
> Cc: 77024 <at> debbugs.gnu.org
> Date: Wed, 19 Mar 2025 09:08:44 +0100
>
> > Can you show the contents of 'pdl' here?
>
> I am not that proficient in debugging, do you mean like this?
>
> >From 'bt full', I figured that 'pdl' is at 0x555556f67ea0:
>
> #2 0x000055555579fa76 in fix_lisp_obj (ss=ss <at> entry=0x7fffb3bb81a8, pobj=pobj <at> entry=0x555556f67eb0) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1132
> word = <optimized out>
> p = 0x555556f67eb0
> tag = 1
> client = <optimized out>
> base = <optimized out>
> res = <optimized out>
> _ss = 0x7fffb3bb81a8
> _mps_zs = <optimized out>
> _mps_ufs = 0
> _mps_wt = <optimized out>
> _mps_w = <optimized out>
> #3 0x00005555557a1040 in scan_specpdl (ss=0x7fffb3bb81a8, start=<optimized out>, end=0x555556f684e0, closure=<optimized out>) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1535
> res = <optimized out>
> pdl = 0x555556f67ea0
> t = <optimized out>
> _ss = 0x7fffb3bb81a8
> _mps_zs = <optimized out>
> _mps_ufs = 0
> _mps_wt = <optimized out>
> _mps_w = <optimized out>
>
> So:
>
> (gdb) p *(struct Lisp_String *)0x555556f67ea0
> $5 = {
> gc_header = {
> v = 1,
> gcaligned = 1 '\001'
> },
> u = {
> s = {
> size = 1,
> size_byte = 4294967297,
> intervals = 0x1,
> data = 0x0
> },
> next = 0x1,
> gcaligned = 1 '\001'
> }
> }
>
> This should then be pdl->unwind.arg, I guess:
>
> (gdb) p *(struct Lisp_String *)0x555556f67eb0
> $4 = {
> gc_header = {
> v = 4294967297,
> gcaligned = 1 '\001'
> },
> u = {
> s = {
> size = 1,
> size_byte = 0,
> intervals = 0x0,
> data = 0x1287 <error: Cannot access memory at address 0x1287>
> },
> next = 0x1,
> gcaligned = 1 '\001'
> }
> }
>
> If you meant something else, happy to help.
Just "p *pdl" is what I had in mind.
Thanks.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#77024; Package
emacs.
(Wed, 19 Mar 2025 14:48:03 GMT)
Full text and
rfc822 format available.
Message #26 received at 77024 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Eli Zaretskii <eliz <at> gnu.org> writes:
>
> Just "p *pdl" is what I had in mind.
>
> Thanks.
Ah, didn't know it could be that easy. Here you go:
(gdb) fr 3
#3 0x00005555557a1040 in scan_specpdl (ss=0x7fffb3bb81a8, start=<optimized out>, end=0x555556f684e0, closure=<optimized out>) at /home/reitero/build/sources/emacs/emacs_debug/src/igc.c:1535
1535 case SPECPDL_FREE:
(gdb) p *pdl
$7 = {
kind = SPECPDL_UNWIND,
unwind = {
kind = SPECPDL_UNWIND,
func = 0x1,
arg = XIL(0x100000001),
eval_depth = 1
},
unwind_array = {
kind = SPECPDL_UNWIND,
nelts = 1,
array = 0x100000001
},
unwind_ptr = {
kind = SPECPDL_UNWIND,
func = 0x1,
arg = 0x100000001,
mark = 0x1
},
unwind_int = {
kind = SPECPDL_UNWIND,
func = 0x1,
arg = 1
},
unwind_intmax = {
kind = SPECPDL_UNWIND,
func = 0x1,
arg = 4294967297
},
unwind_excursion = {
kind = SPECPDL_UNWIND,
marker = XIL(0x1),
window = XIL(0x100000001)
},
unwind_void = {
kind = SPECPDL_UNWIND,
func = 0x1
},
let = {
kind = SPECPDL_UNWIND,
symbol = XIL(0x1),
old_value = XIL(0x100000001),
where = {
kbd = 0x1,
buf = XIL(0x1)
}
},
bt = {
kind = SPECPDL_UNWIND,
debug_on_exit = false,
function = XIL(0x1),
args = 0x100000001,
nargs = 1
}
}
This bug report was last modified 16 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.