GNU bug report logs - #79854
crash in emacs master branch: Segmentation fault.ld_to_fill()


Package: emacs; Reported by: andrei.elkin@HIDDEN; dated Mon, 17 Nov 2025 20:27:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 25 Nov 2025 20:27:27 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Nov 25 15:27:27 2025
Received: from localhost ([127.0.0.1]:42082 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vNzdH-0001pH-1c
	for submit <at> debbugs.gnu.org; Tue, 25 Nov 2025 15:27:27 -0500
Received: from mail-10628.protonmail.ch ([79.135.106.28]:47241)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1vNXIm-000253-R5
 for 79854 <at> debbugs.gnu.org; Mon, 24 Nov 2025 09:12:26 -0500
Date: Mon, 24 Nov 2025 14:12:12 +0000
To: andrei.elkin@HIDDEN
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Message-ID: <87zf8b5xl8.fsf@HIDDEN>
In-Reply-To: <87tsyju2fl.fsf@quad>
References: <871plwwglx.fsf@quad> <875xb53idd.fsf@HIDDEN>
 <877bvluedx.fsf@quad> <87zf8g255c.fsf@HIDDEN> <873468vm7q.fsf@quad>
 <87tsyo23n4.fsf@HIDDEN> <87y0o0u51l.fsf@quad>
 <87ldjw7nz5.fsf@HIDDEN> <87tsyju2fl.fsf@quad>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: 0e74ba13a0f4333e0e7438c9eead268c18994414
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -1.0 (-)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

<andrei.elkin@HIDDEN> writes:

> Howdy Pip,
>
> I lost the crashed emacs session by accident (my hapless ubuntu fell victim
> of malfunctioning suspend).

Sorry to hear it.

> A core file remains though but it seems to be unable to help us..

Please keep the core file around! It might still come in useful if we
see similar crashes elsewhere.

> (gdb) p $x = *XCONS(0x5555936f6563)
> +p $x = *XCONS(0x5555936f6563)
> You can't do that without a process to debug

You can't call XCONS, but you can inspect memory. However, it's a bit
harder, so I suggest to attempt to reproduce this first; it's probably a
good idea to try X clipboard operations involving (significantly) more
than 64 KB of data, if you feel so inclined.

Thanks for letting me know!

Pip





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 25 Nov 2025 20:26:40 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Nov 25 15:26:39 2025
Received: from localhost ([127.0.0.1]:42041 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vNzcV-0001hs-Gs
	for submit <at> debbugs.gnu.org; Tue, 25 Nov 2025 15:26:39 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:43818)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <eliz@HIDDEN>) id 1vNVoD-0005xl-Uy
 for 79854 <at> debbugs.gnu.org; Mon, 24 Nov 2025 07:36:46 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1vNVo6-0007YL-P7; Mon, 24 Nov 2025 07:36:38 -0500
Date: Mon, 24 Nov 2025 14:36:06 +0200
Message-Id: <86a50behft.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: andrei.elkin@HIDDEN
In-Reply-To: <87tsyju2fl.fsf@quad> (andrei.elkin@HIDDEN)
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
References: <871plwwglx.fsf@quad> <87pl9e2j19.fsf@HIDDEN>
 <87fraaug74.fsf@quad> <875xb53idd.fsf@HIDDEN>
 <877bvluedx.fsf@quad> <87zf8g255c.fsf@HIDDEN>
 <873468vm7q.fsf@quad> <87tsyo23n4.fsf@HIDDEN>
 <87y0o0u51l.fsf@quad> <87ldjw7nz5.fsf@HIDDEN> <87tsyju2fl.fsf@quad>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, pipcet@HIDDEN
X-Spam-Score: -3.3 (---)

> From: andrei.elkin@HIDDEN
> Cc: Eli Zaretskii <eliz@HIDDEN>,  79854 <at> debbugs.gnu.org
> Date: Mon, 24 Nov 2025 12:53:34 +0200
> 
> (gdb) p $x = *XCONS(0x5555936f6563)
> +p $x = *XCONS(0x5555936f6563)
> You can't do that without a process to debug

You cannot call functions from GDB when you have only a core file, but
you can still use the .gdbinit commands that display Lisp data, such
as xcar, xcdr, xcons, etc.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 25 Nov 2025 20:26:26 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Nov 25 15:26:25 2025
Received: from localhost ([127.0.0.1]:42028 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vNzcG-0001g8-QP
	for submit <at> debbugs.gnu.org; Tue, 25 Nov 2025 15:26:25 -0500
Received: from smtpout03.dka.mailcore.net ([185.138.56.203]:14313)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <andrei.elkin@HIDDEN>)
 id 1vNUCs-0005r4-CS
 for 79854 <at> debbugs.gnu.org; Mon, 24 Nov 2025 05:54:07 -0500
Received: from SMTP.DKA.mailcore.net (unknown [10.1.0.53])
 by SMTPOUT01.DKA.mailcore.net (Postfix) with ESMTP id F0C33E0070;
 Mon, 24 Nov 2025 11:53:59 +0100 (CET)
Received: from quad (mobile-user-2e84b9-5.dhcp.inet.fi [46.132.185.5])
 by SMTP.DKA.mailcore.net (Postfix) with ESMTPSA id 8271B40138;
 Mon, 24 Nov 2025 11:53:59 +0100 (CET)
From: andrei.elkin@HIDDEN
To: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <87pl9e2j19.fsf@HIDDEN>
 <87fraaug74.fsf@quad> <875xb53idd.fsf@HIDDEN>
 <877bvluedx.fsf@quad> <87zf8g255c.fsf@HIDDEN>
 <873468vm7q.fsf@quad> <87tsyo23n4.fsf@HIDDEN>
 <87y0o0u51l.fsf@quad> <87ldjw7nz5.fsf@HIDDEN>
Date: Mon, 24 Nov 2025 12:53:34 +0200
In-Reply-To: <87ldjw7nz5.fsf@HIDDEN> (Pip Cet's message of "Sun, 23
 Nov 2025 15:44:38 +0000")
Message-ID: <87tsyju2fl.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
X-Spam-Score: -1.0 (-)

Howdy Pip,

I lost the crashed emacs session by accident (my hapless ubuntu fell victim
of malfunctioning suspend).
A core file remains though but it seems to be unable to help us..

>>> #11 0x000055555578f1b3 in cmd_error_internal (data=XIL(0x5555936f6543),
>>>  context=0x7fffffffd940 "") at keyboard.c:1042
>>>
>>
>> No worries!
>>
>> (gdb) set $my_addr=0x5555936f6543
>> +set $my_addr=0x5555936f6543
>>
>> (gdb) p *XCONS(XCDR($my_addr))
>> +p *XCONS(XCDR($my_addr))
>>
>> $17 = {
>>   u = {
>>     s = {
>>       car = XIL(0xc7b0),
>
> That's Qlistp, most likely, and there are many places that call
> CHECK_LIST_END. One of them called it on a corrupted list, and that's
> what caused the crash.
>
>
>>       u = {
>>         cdr = XIL(0x5555936f6563),
>>         chain = 0x5555936f6563
>
> We want to inspect this list, which contains the expired cons cell, to
> see what it is and where it comes from.

.. here
>
> Please try
>
> p $x = *XCONS(0x5555936f6563)


(gdb) p $x = *XCONS(0x5555936f6563)
+p $x = *XCONS(0x5555936f6563)
You can't do that without a process to debug

The inability is worsened by my mistake to rebase/rebuild the master
branch before I had backed up the worktree so the symbol table is lost too.

(gdb) bt
+bt
#0  0x00005555558b4259 in ?? ()

does not work (attempts to rebuild the former binary did not succeed in
that the new binary always mismatches the core file). I guess we are done..
I am sorry for this.


However, I have little that I will catch it again and we'll resume.
Thank you over so far!

/ndrei




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 25 Nov 2025 20:22:26 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Nov 25 15:22:26 2025
Received: from localhost ([127.0.0.1]:41912 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vNzYP-00016b-9N
	for submit <at> debbugs.gnu.org; Tue, 25 Nov 2025 15:22:26 -0500
Received: from mail-4316.protonmail.ch ([185.70.43.16]:41353)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1vNCGh-0006Pb-Bh
 for 79854 <at> debbugs.gnu.org; Sun, 23 Nov 2025 10:44:55 -0500
Date: Sun, 23 Nov 2025 15:44:38 +0000
To: andrei.elkin@HIDDEN
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Message-ID: <87ldjw7nz5.fsf@HIDDEN>
In-Reply-To: <87y0o0u51l.fsf@quad>
References: <871plwwglx.fsf@quad> <87pl9e2j19.fsf@HIDDEN>
 <87fraaug74.fsf@quad> <875xb53idd.fsf@HIDDEN> <877bvluedx.fsf@quad>
 <87zf8g255c.fsf@HIDDEN> <873468vm7q.fsf@quad>
 <87tsyo23n4.fsf@HIDDEN> <87y0o0u51l.fsf@quad>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: a4912c5fd868386c42cbf5011aa92432ff30d803
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
X-Spam-Score: -1.0 (-)

<andrei.elkin@HIDDEN> writes:

> Pip Cet <pipcet@HIDDEN> writes:
>
>> <andrei.elkin@HIDDEN> writes:
>>
>>> Pip Cet <pipcet@HIDDEN> writes:
>>>
>>>> <andrei.elkin@HIDDEN> writes:
>>>>
>>>>> Pip Cet <pipcet@HIDDEN> writes:
>>>>>
>>>>>> <andrei.elkin@HIDDEN> writes:
>>>>>>
>>>>>>>>>>
>>>>>>>>>> Can you try x/64gx 0x55559406b700?
>>>>>>>>>
>>>>>>>>> (gdb) x/64gx 0x55559406b700
>>>>>>>>>
>>>>>>>>> +x/64gx 0x55559406b700
>>>>>>>>> 0x55559406b700: 0x0000000000000004      0x000055559406b6f0
>>>>>>>>> 0x55559406b710: 0x0000000000000004      0x000055559406b700
>>>>>>>>
>>>>>>>> That looks like a bunch of freed conses. It seems we're seeing a
>>>>>>>> use-after-free error here.
>>>>>>>>
>>>>>>>> Your initial report involved the symbol 0xdbf0. We need to find out what
>>>>>>>> that is in your build: please run
>>>>>>>>
>>>>>>>>     p 0xdbf0 / sizeof (struct Lisp_Symbol)
>>>>>>>>
>>>>>>>> (the response is very likely to be 1173)
>>>>>>>>
>>>>>>>> then look into the src/globals.h file for the line
>>>>>>>>
>>>>>>>>     #define iQ<something> 1173
>>>>>>>>
>>>>>>>> The <something> part is the name of the symbol we're looking for.
>>>>>>>
>>>>>>> #define iQmouse_fixup_help_message 1173
>>>>>>> DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)
>>>>>>>
>>>>>>> This finding fits to the mouse activity that were involved!
>>>>>>
>>>>>> Yes; IIUC, the X selection code is very tricky because "large"
>>>>>> selections are handled differently from small ones. Just to see whether
>>>>>> we're on the right track here, please do:
>>>>>>
>>>>>> p selection_request_stack
>>>>>
>>>>> (gdb) p selection_request_stack
>>>>> +p selection_request_stack
>>>>> $8 = (struct x_selection_request *) 0x0
>>>>>
>>>>>
>>>>>> p *selection_request_stack
>>>>>> p outstanding_transfers
>>>>>
>>>>> (gdb)  p outstanding_transfers
>>>>> +p outstanding_transfers
>>>>> $9 = {
>>>>>   requestor = 0,
>>>>>   offset = 0,
>>>>>   items_per_request = 0,
>>>>>   dpyinfo = 0x0,
>>>>>   data = {
>>>>>     data = 0x0,
>>>>>     string = XIL(0),
>>>>>     size = 0,
>>>>>     format = 0,
>>>>>     type = 0,
>>>>>     property = 0,
>>>>>     next = 0x0
>>>>>   },
>>>>>   next = 0x555555ae7a20 <outstanding_transfers>,
>>>>>   last = 0x555555ae7a20 <outstanding_transfers>,
>>>>>   timeout = 0x0,
>>>>>   serial = 0,
>>>>>   flags = 0
>>>>> }
>>>>>
>>>>>
>>>>>> p outstanding_transfers.next
>>>>>
>>>>> (gdb)  p outstanding_transfers.next
>>>>> +p outstanding_transfers.next
>>>>> $10 = (struct transfer *) 0x555555ae7a20 <outstanding_transfers>
>>>>>
>>>>>> p property_change_reply
>>>>>
>>>>> (gdb) p property_change_reply
>>>>> +p property_change_reply
>>>>> $11 = XIL(0x7fffef968023)
>>>>>
>>>>>> p reading_selection_reply
>>>>>
>>>>> (gdb) p reading_selection_reply
>>>>> +p reading_selection_reply
>>>>> $12 = XIL(0x7fffefe76b13)
>>>>>
>>>>>> p *XCONS(0x5555936f543)
>>>>>
>>>>> (gdb) p *XCONS(0x5555936f543)
>>>>> +p *XCONS(0x5555936f543)
>>>>> Cannot access memory at address 0x5555936f540
>>>>>
>>>>> Well, I wonder where from do you pick 0x5555936f543...
>>>
>>> So at repeating of the corrected address the following is seen:
>>
>> Oh dear, I'm really sorry about this. the correct address is this one:
>>
>> #11 0x000055555578f1b3 in cmd_error_internal (data=XIL(0x5555936f6543),
>>  context=0x7fffffffd940 "") at keyboard.c:1042
>>
>
> No worries!
>
> (gdb) set $my_addr=0x5555936f6543
> +set $my_addr=0x5555936f6543
>
> (gdb) p *XCONS(XCDR($my_addr))
> +p *XCONS(XCDR($my_addr))
>
> $17 = {
>   u = {
>     s = {
>       car = XIL(0xc7b0),

That's Qlistp, most likely, and there are many places that call
CHECK_LIST_END. One of them called it on a corrupted list, and that's
what caused the crash.


>       u = {
>         cdr = XIL(0x5555936f6563),
>         chain = 0x5555936f6563

We want to inspect this list, which contains the expired cons cell, to
see what it is and where it comes from.

Please try

p $x = *XCONS(0x5555936f6563)

then

p XCAR($x)
pp XCAR($x)
p $x =3D XCDR($x)
p *XCONS($x)

repeating the four in sequence until you hit a loop (the "pp" may fail,
but that's okay).

Thanks!

Pip
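
The list walk requested above (and the "inspect memory" fallback for a core file, where XCONS/XCDR cannot be called) done on raw words; this is an added example, not code from the thread or from Emacs. The tag layout, the 48-byte symbol size, nil as 0, the `MAX_BUILTIN` bound and every row marked "constructed" are assumptions, not values from the core dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions read off the values in the report, not from Emacs headers:
   the low 3 bits of a word are its type tag, tag 3 marks a cons
   (XCONS(0x...543) touched 0x...540), a built-in symbol word divided by
   48 is its index (0xdbf0 -> 1173), and nil is the word 0 (XIL(0)). */
#define TAG_MASK    UINT64_C(7)
#define TAG_CONS    UINT64_C(3)
#define SYMBOL_SIZE UINT64_C(48)
#define MAX_BUILTIN UINT64_C(4096)  /* hypothetical bound on iQ... indices */

struct cell { uint64_t addr, car, cdr; };  /* one row of "x/2gx addr" */

enum kind { K_NIL, K_BUILTIN_SYMBOL, K_CONS, K_OTHER };
enum verdict { V_PROPER, V_DOTTED, V_LOOP, V_UNMAPPED, V_FREED };
struct report { enum verdict verdict; size_t length; size_t stale_cars; };

static enum kind classify(uint64_t w)
{
    if (w == 0) return K_NIL;
    if ((w & TAG_MASK) == TAG_CONS) return K_CONS;
    if ((w & TAG_MASK) == 0 && w % SYMBOL_SIZE == 0
        && w / SYMBOL_SIZE < MAX_BUILTIN)
        return K_BUILTIN_SYMBOL;
    return K_OTHER;                 /* other tags are not decoded here */
}

static uint64_t symbol_index(uint64_t w) { return w / SYMBOL_SIZE; }

/* Find the dumped cell a (possibly tagged) word points at. */
static const struct cell *lookup(const struct cell *img, size_t n, uint64_t w)
{
    uint64_t addr = w & ~TAG_MASK;
    for (size_t i = 0; i < n; i++)
        if (img[i].addr == addr) return &img[i];
    return NULL;
}

/* Pattern seen in the x/64gx output: first word 0x4, second word an
   untagged, 16-byte-aligned pointer to another cell. A heuristic only. */
static int looks_freed(const struct cell *c)
{
    return c->car == 4 && c->cdr != 0 && c->cdr % 16 == 0;
}

/* Follow cdr links from head, counting cars that point at freed cells. */
static struct report walk(const struct cell *img, size_t n, uint64_t head)
{
    struct report r = { V_PROPER, 0, 0 };
    uint64_t w = head;
    while (classify(w) == K_CONS) {
        const struct cell *c = lookup(img, n, w);
        if (!c) { r.verdict = V_UNMAPPED; return r; }
        if (looks_freed(c)) { r.verdict = V_FREED; return r; }
        /* More cells visited than the image holds: one was revisited. */
        if (++r.length > n) { r.verdict = V_LOOP; return r; }
        const struct cell *target = lookup(img, n, c->car);
        if (target && looks_freed(target)) r.stale_cars++;
        w = c->cdr;
    }
    if (w != 0) r.verdict = V_DOTTED;
    return r;
}

/* Memory image modelled on the thread; rows marked constructed are not
   from the report. */
static const struct cell image[] = {
    /* head cell: car and cdr words constructed */
    { UINT64_C(0x5555936f6540), UINT64_C(0x12c0), UINT64_C(0x5555936f6553) },
    /* address constructed; car/cdr as printed in $17 */
    { UINT64_C(0x5555936f6550), UINT64_C(0xc7b0), UINT64_C(0x5555936f6563) },
    /* as printed in $18 */
    { UINT64_C(0x5555936f6560), UINT64_C(0x55559406b720), 0 },
    /* the two rows shown by x/64gx */
    { UINT64_C(0x55559406b700), 4, UINT64_C(0x55559406b6f0) },
    { UINT64_C(0x55559406b710), 4, UINT64_C(0x55559406b700) },
    /* constructed continuation of the same pattern */
    { UINT64_C(0x55559406b720), 4, UINT64_C(0x55559406b710) },
    /* constructed two-cell ring to exercise loop detection */
    { UINT64_C(0x1000), UINT64_C(0xc7b0), UINT64_C(0x1013) },
    { UINT64_C(0x1010), UINT64_C(0xc7b0), UINT64_C(0x1003) },
};
#define IMAGE_N (sizeof image / sizeof image[0])

int main(void)
{
    struct report r = walk(image, IMAGE_N, UINT64_C(0x5555936f6543));
    printf("0xdbf0 -> symbol index %llu\n",
           (unsigned long long) symbol_index(0xdbf0));
    printf("error data: verdict=%d length=%zu stale_cars=%zu\n",
           (int) r.verdict, r.length, r.stale_cars);
    r = walk(image, IMAGE_N, UINT64_C(0x1003));
    printf("constructed ring: verdict=%d\n", (int) r.verdict);
    return 0;
}
```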





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 20 Nov 2025 14:56:22 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Nov 20 09:56:22 2025
Received: from localhost ([127.0.0.1]:48585 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vM657-00046t-Qi
	for submit <at> debbugs.gnu.org; Thu, 20 Nov 2025 09:56:22 -0500
Received: from smtpout03.dka.mailcore.net ([185.138.56.203]:38951)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <andrei.elkin@HIDDEN>)
 id 1vM655-00046h-Ee
 for 79854 <at> debbugs.gnu.org; Thu, 20 Nov 2025 09:56:20 -0500
Received: from SMTP.DKA.mailcore.net (unknown [10.1.0.53])
 by SMTPOUT01.DKA.mailcore.net (Postfix) with ESMTP id 0F4C3E00D3;
 Thu, 20 Nov 2025 15:56:13 +0100 (CET)
Received: from quad (mobile-user-2e84b9-5.dhcp.inet.fi [46.132.185.5])
 by SMTP.DKA.mailcore.net (Postfix) with ESMTPSA id B5A9B401A2;
 Thu, 20 Nov 2025 15:56:12 +0100 (CET)
From: andrei.elkin@HIDDEN
To: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <871plv3tui.fsf@HIDDEN>
 <87jyzmuylr.fsf@quad> <87pl9e2j19.fsf@HIDDEN>
 <87fraaug74.fsf@quad> <875xb53idd.fsf@HIDDEN>
 <877bvluedx.fsf@quad> <87zf8g255c.fsf@HIDDEN>
 <873468vm7q.fsf@quad> <87tsyo23n4.fsf@HIDDEN>
Date: Thu, 20 Nov 2025 16:55:50 +0200
In-Reply-To: <87tsyo23n4.fsf@HIDDEN> (Pip Cet's message of "Thu, 20
 Nov 2025 14:13:37 +0000")
Message-ID: <87y0o0u51l.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
X-Spam-Score: -1.0 (-)

Pip Cet <pipcet@HIDDEN> writes:

> <andrei.elkin@HIDDEN> writes:
>
>> Pip Cet <pipcet@HIDDEN> writes:
>>
>>> <andrei.elkin@HIDDEN> writes:
>>>
>>>> Pip Cet <pipcet@HIDDEN> writes:
>>>>
>>>>> <andrei.elkin@HIDDEN> writes:
>>>>>
>>>>>>>>>
>>>>>>>>> Can you try x/64gx 0x55559406b700?
>>>>>>>>
>>>>>>>> (gdb) x/64gx 0x55559406b700
>>>>>>>>
>>>>>>>> +x/64gx 0x55559406b700
>>>>>>>> 0x55559406b700: 0x0000000000000004      0x000055559406b6f0
>>>>>>>> 0x55559406b710: 0x0000000000000004      0x000055559406b700
>>>>>>>
>>>>>>> That looks like a bunch of freed conses. It seems we're seeing a
>>>>>>> use-after-free error here.
>>>>>>>
>>>>>>> Your initial report involved the symbol 0xdbf0. We need to find out what
>>>>>>> that is in your build: please run
>>>>>>>
>>>>>>>     p 0xdbf0 / sizeof (struct Lisp_Symbol)
>>>>>>>
>>>>>>> (the response is very likely to be 1173)
>>>>>>>
>>>>>>> then look into the src/globals.h file for the line
>>>>>>>
>>>>>>>     #define iQ<something> 1173
>>>>>>>
>>>>>>> The <something> part is the name of the symbol we're looking for.
>>>>>>
>>>>>> #define iQmouse_fixup_help_message 1173
>>>>>> DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)
>>>>>>
>>>>>> This finding fits to the mouse activity that were involved!
>>>>>
>>>>> Yes; IIUC, the X selection code is very tricky because "large"
>>>>> selections are handled differently from small ones. Just to see whether
>>>>> we're on the right track here, please do:
>>>>>
>>>>> p selection_request_stack
>>>>
>>>> (gdb) p selection_request_stack
>>>> +p selection_request_stack
>>>> $8 = (struct x_selection_request *) 0x0
>>>>
>>>>
>>>>> p *selection_request_stack
>>>>> p outstanding_transfers
>>>>
>>>> (gdb)  p outstanding_transfers
>>>> +p outstanding_transfers
>>>> $9 = {
>>>>   requestor = 0,
>>>>   offset = 0,
>>>>   items_per_request = 0,
>>>>   dpyinfo = 0x0,
>>>>   data = {
>>>>     data = 0x0,
>>>>     string = XIL(0),
>>>>     size = 0,
>>>>     format = 0,
>>>>     type = 0,
>>>>     property = 0,
>>>>     next = 0x0
>>>>   },
>>>>   next = 0x555555ae7a20 <outstanding_transfers>,
>>>>   last = 0x555555ae7a20 <outstanding_transfers>,
>>>>   timeout = 0x0,
>>>>   serial = 0,
>>>>   flags = 0
>>>> }
>>>>
>>>>
>>>>> p outstanding_transfers.next
>>>>
>>>> (gdb)  p outstanding_transfers.next
>>>> +p outstanding_transfers.next
>>>> $10 = (struct transfer *) 0x555555ae7a20 <outstanding_transfers>
>>>>
>>>>> p property_change_reply
>>>>
>>>> (gdb) p property_change_reply
>>>> +p property_change_reply
>>>> $11 = XIL(0x7fffef968023)
>>>>
>>>>> p reading_selection_reply
>>>>
>>>> (gdb) p reading_selection_reply
>>>> +p reading_selection_reply
>>>> $12 = XIL(0x7fffefe76b13)
>>>>
>>>>> p *XCONS(0x5555936f543)
>>>>
>>>> (gdb) p *XCONS(0x5555936f543)
>>>> +p *XCONS(0x5555936f543)
>>>> Cannot access memory at address 0x5555936f540
>>>>
>>>> Well, I wonder where from do you pick 0x5555936f543...
>>
>> So at repeating of the corrected address the following is seen:
>
> Oh dear, I'm really sorry about this. the correct address is this one:
>
> #11 0x000055555578f1b3 in cmd_error_internal (data=XIL(0x5555936f6543),
>  context=0x7fffffffd940 "") at keyboard.c:1042
>

No worries!

(gdb) set $my_addr=0x5555936f6543
+set $my_addr=0x5555936f6543

(gdb) p *XCONS(XCDR($my_addr))
+p *XCONS(XCDR($my_addr))

$17 = {
  u = {
    s = {
      car = XIL(0xc7b0),
      u = {
        cdr = XIL(0x5555936f6563),
        chain = 0x5555936f6563
      }
    },
    gcaligned = -80 '\260'
  }
}
(gdb) p *XCONS(XCDR(XCDR($my_addr)))
+p *XCONS(XCDR(XCDR($my_addr)))
$18 = {
  u = {
    s = {
      car = XIL(0x55559406b720),
      u = {
        cdr = XIL(0),
        chain = 0x0
      }
    },
    gcaligned = 32 ' '
  }
}
(gdb) pp XCAR($my_addr)
+pp XCAR($my_addr)
++set $tmp = XCAR($my_addr)
++set $output_debug = print_output_debug_flag
++set print_output_debug_flag = 0
++call safe_debug_print ($tmp)
wrong-type-argument
++set print_output_debug_flag = $output_debug
(gdb) pp XCAR(XCDR($my_addr))
+pp XCAR(XCDR($my_addr))
++set $tmp = XCAR(XCDR($my_addr))
++set $output_debug = print_output_debug_flag
++set print_output_debug_flag = 0
++call safe_debug_print ($tmp)
listp
++set print_output_debug_flag = $output_debug
(gdb) pp XCAR(XCDR(XCDR($my_addr)))
+pp XCAR(XCDR(XCDR($my_addr)))
++set $tmp = XCAR(XCDR(XCDR($my_addr)))
++set $output_debug = print_output_debug_flag
++set print_output_debug_flag = 0
++call safe_debug_print ($tmp)
#<INVALID_LISP_OBJECT 0x55559406b720>
++set print_output_debug_flag = $output_debug
 




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 20 Nov 2025 14:13:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Nov 20 09:13:52 2025
Received: from localhost ([127.0.0.1]:47577 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vM5Pz-00010x-OJ
	for submit <at> debbugs.gnu.org; Thu, 20 Nov 2025 09:13:52 -0500
Received: from mail-4316.protonmail.ch ([185.70.43.16]:25937)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1vM5Px-00010b-Hu
 for 79854 <at> debbugs.gnu.org; Thu, 20 Nov 2025 09:13:50 -0500
Date: Thu, 20 Nov 2025 14:13:37 +0000
To: andrei.elkin@HIDDEN
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Message-ID: <87tsyo23n4.fsf@HIDDEN>
In-Reply-To: <873468vm7q.fsf@quad>
References: <871plwwglx.fsf@quad> <871plv3tui.fsf@HIDDEN>
 <87jyzmuylr.fsf@quad> <87pl9e2j19.fsf@HIDDEN> <87fraaug74.fsf@quad>
 <875xb53idd.fsf@HIDDEN> <877bvluedx.fsf@quad>
 <87zf8g255c.fsf@HIDDEN> <873468vm7q.fsf@quad>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: 35581ee5458bc3993be7d26c7db876a7c90c43af
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
X-Spam-Score: -1.0 (-)

<andrei.elkin@HIDDEN> writes:

> Pip Cet <pipcet@HIDDEN> writes:
>
>> <andrei.elkin@HIDDEN> writes:
>>
>>> Pip Cet <pipcet@HIDDEN> writes:
>>>
>>>> <andrei.elkin@HIDDEN> writes:
>>>>
>>>>>>>>
>>>>>>>> Can you try x/64gx 0x55559406b700?
>>>>>>>
>>>>>>> (gdb) x/64gx 0x55559406b700
>>>>>>>
>>>>>>> +x/64gx 0x55559406b700
>>>>>>> 0x55559406b700: 0x0000000000000004      0x000055559406b6f0
>>>>>>> 0x55559406b710: 0x0000000000000004      0x000055559406b700
>>>>>>
>>>>>> That looks like a bunch of freed conses. It seems we're seeing a
>>>>>> use-after-free error here.
>>>>>>
>>>>>> Your initial report involved the symbol 0xdbf0. We need to find out what
>>>>>> that is in your build: please run
>>>>>>
>>>>>>     p 0xdbf0 / sizeof (struct Lisp_Symbol)
>>>>>>
>>>>>> (the response is very likely to be 1173)
>>>>>>
>>>>>> then look into the src/globals.h file for the line
>>>>>>
>>>>>>     #define iQ<something> 1173
>>>>>>
>>>>>> The <something> part is the name of the symbol we're looking for.
>>>>>
>>>>> #define iQmouse_fixup_help_message 1173
>>>>> DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)
>>>>>
>>>>> This finding fits to the mouse activity that were involved!
>>>>
>>>> Yes; IIUC, the X selection code is very tricky because "large"
>>>> selections are handled differently from small ones. Just to see whether
>>>> we're on the right track here, please do:
>>>>
>>>> p selection_request_stack
>>>
>>> (gdb) p selection_request_stack
>>> +p selection_request_stack
>>> $8 = (struct x_selection_request *) 0x0
>>>
>>>
>>>> p *selection_request_stack
>>>> p outstanding_transfers
>>>
>>> (gdb)  p outstanding_transfers
>>> +p outstanding_transfers
>>> $9 = {
>>>   requestor = 0,
>>>   offset = 0,
>>>   items_per_request = 0,
>>>   dpyinfo = 0x0,
>>>   data = {
>>>     data = 0x0,
>>>     string = XIL(0),
>>>     size = 0,
>>>     format = 0,
>>>     type = 0,
>>>     property = 0,
>>>     next = 0x0
>>>   },
>>>   next = 0x555555ae7a20 <outstanding_transfers>,
>>>   last = 0x555555ae7a20 <outstanding_transfers>,
>>>   timeout = 0x0,
>>>   serial = 0,
>>>   flags = 0
>>> }
>>>
>>>
>>>> p outstanding_transfers.next
>>>
>>> (gdb)  p outstanding_transfers.next
>>> +p outstanding_transfers.next
>>> $10 = (struct transfer *) 0x555555ae7a20 <outstanding_transfers>
>>>
>>>> p property_change_reply
>>>
>>> (gdb) p property_change_reply
>>> +p property_change_reply
>>> $11 = XIL(0x7fffef968023)
>>>
>>>> p reading_selection_reply
>>>
>>> (gdb) p reading_selection_reply
>>> +p reading_selection_reply
>>> $12 = XIL(0x7fffefe76b13)
>>>
>>>> p *XCONS(0x5555936f543)
>>>
>>> (gdb) p *XCONS(0x5555936f543)
>>> +p *XCONS(0x5555936f543)
>>> Cannot access memory at address 0x5555936f540
>>>
>>> Well, I wonder where from do you pick 0x5555936f543...
>
> So at repeating of the corrected address the following is seen:

Oh dear, I'm really sorry about this. The correct address is this one:

#11 0x000055555578f1b3 in cmd_error_internal (data=XIL(0x5555936f6543),
 context=0x7fffffffd940 "") at keyboard.c:1042

>> It was the "error" list in the original bug report. But I was confused
>> and omitted one "5". The proper address for this and all following
>> commands is 0x55555936f543, which should have 12 digits, not 11. My
>> apologies for the confusion!
>
> Np!
> I might've guessed a human kind of copy-paste "misprint" :-)

And another one, I'm afraid.

Sorry again

Pip





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 20 Nov 2025 14:00:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Nov 20 09:00:08 2025
Received: from localhost ([127.0.0.1]:47519 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vM5Ci-00006V-57
	for submit <at> debbugs.gnu.org; Thu, 20 Nov 2025 09:00:08 -0500
Received: from smtpout03.dka.mailcore.net ([185.138.56.203]:23977)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <andrei.elkin@HIDDEN>)
 id 1vM5Cg-00005I-1j
 for 79854 <at> debbugs.gnu.org; Thu, 20 Nov 2025 09:00:06 -0500
Received: from SMTP.DKA.mailcore.net (unknown [10.1.0.53])
 by SMTPOUT01.DKA.mailcore.net (Postfix) with ESMTP id 216A6E009B;
 Thu, 20 Nov 2025 15:00:00 +0100 (CET)
Received: from quad (mobile-user-2e84b9-5.dhcp.inet.fi [46.132.185.5])
 by SMTP.DKA.mailcore.net (Postfix) with ESMTPSA id CC29E401A6;
 Thu, 20 Nov 2025 14:59:59 +0100 (CET)
From: andrei.elkin@HIDDEN
To: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <87o6ozuyxo.fsf@quad>
 <86pl9fjpws.fsf@HIDDEN> <871plv3tui.fsf@HIDDEN>
 <87jyzmuylr.fsf@quad> <87pl9e2j19.fsf@HIDDEN>
 <87fraaug74.fsf@quad> <875xb53idd.fsf@HIDDEN>
 <877bvluedx.fsf@quad> <87zf8g255c.fsf@HIDDEN>
Date: Thu, 20 Nov 2025 15:59:37 +0200
In-Reply-To: <87zf8g255c.fsf@HIDDEN> (Pip Cet's message of "Thu, 20
 Nov 2025 13:41:06 +0000")
Message-ID: <873468vm7q.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>

Pip Cet <pipcet@HIDDEN> writes:

> <andrei.elkin@HIDDEN> writes:
>
>> Pip Cet <pipcet@HIDDEN> writes:
>>
>>> <andrei.elkin@HIDDEN> writes:
>>>
>>>>>>>
>>>>>>> Can you try x/64gx 0x55559406b700?
>>>>>>
>>>>>> (gdb) x/64gx 0x55559406b700
>>>>>>
>>>>>> +x/64gx 0x55559406b700
>>>>>> 0x55559406b700: 0x0000000000000004      0x000055559406b6f0
>>>>>> 0x55559406b710: 0x0000000000000004      0x000055559406b700
>>>>>
>>>>> That looks like a bunch of freed conses. It seems we're seeing a
>>>>> use-after-free error here.
>>>>>
>>>>> Your initial report involved the symbol 0xdbf0. We need to find out what
>>>>> that is in your build: please run
>>>>>
>>>>>     p 0xdbf0 / sizeof (struct Lisp_Symbol)
>>>>>
>>>>> (the response is very likely to be 1173)
>>>>>
>>>>> then look into the src/globals.h file for the line
>>>>>
>>>>>     #define iQ<something> 1173
>>>>>
>>>>> The <something> part is the name of the symbol we're looking for.
>>>>
>>>> #define iQmouse_fixup_help_message 1173
>>>> DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)
>>>>
>>>> This finding fits to the mouse activity that were involved!
>>>
>>> Yes; IIUC, the X selection code is very tricky because "large"
>>> selections are handled differently from small ones. Just to see whether
>>> we're on the right track here, please do:
>>>
>>> p selection_request_stack
>>
>> (gdb) p selection_request_stack
>> +p selection_request_stack
>> $8 = (struct x_selection_request *) 0x0
>>
>>
>>> p *selection_request_stack
>>> p outstanding_transfers
>>
>> (gdb)  p outstanding_transfers
>> +p outstanding_transfers
>> $9 = {
>>   requestor = 0,
>>   offset = 0,
>>   items_per_request = 0,
>>   dpyinfo = 0x0,
>>   data = {
>>     data = 0x0,
>>     string = XIL(0),
>>     size = 0,
>>     format = 0,
>>     type = 0,
>>     property = 0,
>>     next = 0x0
>>   },
>>   next = 0x555555ae7a20 <outstanding_transfers>,
>>   last = 0x555555ae7a20 <outstanding_transfers>,
>>   timeout = 0x0,
>>   serial = 0,
>>   flags = 0
>> }
>>
>>
>>> p outstanding_transfers.next
>>
>> (gdb)  p outstanding_transfers.next
>> +p outstanding_transfers.next
>> $10 = (struct transfer *) 0x555555ae7a20 <outstanding_transfers>
>>
>>> p property_change_reply
>>
>> (gdb) p property_change_reply
>> +p property_change_reply
>> $11 = XIL(0x7fffef968023)
>>
>>> p reading_selection_reply
>>
>> (gdb) p reading_selection_reply
>> +p reading_selection_reply
>> $12 = XIL(0x7fffefe76b13)
>>
>>> p *XCONS(0x5555936f543)
>>
>> (gdb) p *XCONS(0x5555936f543)
>> +p *XCONS(0x5555936f543)
>> Cannot access memory at address 0x5555936f540
>>
>> Well, I wonder where from do you pick 0x5555936f543...

So at repeating of the corrected address the following is seen:

p *XCONS(0x55555936f543)
p *XCONS(XCDR(0x55555936f543))
p *XCONS(XCDR(XCDR(0x55555936f543)))
pp XCAR(0x55555936f543)
pp XCAR(XCDR(0x55555936f543))
pp XCAR(XCDR(XCDR(0x55555936f543)))



(gdb) p *XCONS(0x55555936f543)
+p *XCONS(0x55555936f543)
$13 = {
  u = {
    s = {
      car = XIL(0x3b29656d616e7073),
      u = {
        cdr = make_fixnum(2007436113970634562),
        chain = 0x6f6f620a0a0a7d0a
      }
    },
    gcaligned = 115 's'
  }
}


(gdb) p *XCONS(XCDR(0x55555936f543))
+p *XCONS(XCDR(0x55555936f543))


lisp.h:1481: Emacs fatal error: assertion failed: CONSP (a)

Thread 1 "emacs" hit Breakpoint 1, terminate_due_to_signal (sig=6, backtrace_limit=2147483647) at emacs.c:442
/usr/local/src/emacs/git/WTs/master/src/emacs.c:442:13960:beg:0x555555786694
The program being debugged stopped while in a function called from GDB.
Evaluation of the expression containing the function
(XCONS) will be abandoned.

(gdb) p *XCONS(XCDR(XCDR(0x55555936f543)))
+p *XCONS(XCDR(XCDR(0x55555936f543)))

lisp.h:1481: Emacs fatal error: assertion failed: CONSP (a)
<ditto>

(gdb) pp XCAR(0x55555936f543)
+pp XCAR(0x55555936f543)
++set $tmp = XCAR(0x55555936f543)
++set $output_debug = print_output_debug_flag
++set print_output_debug_flag = 0
++call safe_debug_print ($tmp)
#<INVALID_LISP_OBJECT 0x3b29656d616e7073>
++set print_output_debug_flag = $output_debug


The rest of two pp:s the same assert as above:

(gdb) pp XCAR(XCDR(0x55555936f543))
+pp XCAR(XCDR(0x55555936f543))
++set $tmp = XCAR(XCDR(0x55555936f543))

lisp.h:1481: Emacs fatal error: assertion failed: CONSP (a)

>
> It was the "error" list in the original bug report. But I was confused
> and omitted one "5". The proper address for this and all following
> commands is 0x55555936f543, which should have 12 digits, not 11. My
> apologies for the confusion!

Np!
I might've guessed a human kind of copy-paste "misprint" :-)

>
> Pip

/ndrei
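
The address arithmetic and the `$13` dump from the message above, worked through as an added example (not part of the thread and not Emacs code). It assumes a 64-bit little-endian build with the type tag in the low 3 bits, as the gdb output implies; the 48-byte symbol entry size is inferred from the 1173 result, and all function names are hypothetical.

```c
/* Added example: triage helpers for the words gdb printed in this thread.
   Assumed from that output (not taken from Emacs sources): 64-bit
   little-endian build, type tag in the low 3 bits, fixnum payload above
   the low 2 bits.  All function names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum cons_verdict { CONS_PLAUSIBLE, CONS_BAD_POINTER, CONS_TEXT };

/* Low 3 bits carry the type; 0x...543 is tag 3 on address 0x...540. */
unsigned lisp_tag(uint64_t obj) { return (unsigned)(obj & 7); }
uint64_t lisp_untag(uint64_t obj) { return obj & ~(uint64_t)7; }

/* The cdr is the second 8-byte word of the cell. */
uint64_t cons_cdr_addr(uint64_t obj) { return lisp_untag(obj) + 8; }

/* A symbol word such as 0xdbf0 is a byte offset into the symbol table;
   dividing by the entry size gives the iQ... index in src/globals.h. */
uint64_t symbol_index(uint64_t offset, uint64_t entry_size)
{
    return offset / entry_size;
}

/* Value gdb shows as make_fixnum(N) for a word whose low 2 bits are 10. */
int64_t fixnum_value(uint64_t obj) { return (int64_t)obj >> 2; }

/* Unpack a little-endian word into out[0..7] and say whether all eight
   bytes are printable ASCII or whitespace. */
bool word_is_text(uint64_t w, char out[9])
{
    bool all_text = true;
    for (int i = 0; i < 8; i++) {
        unsigned char c = (unsigned char)(w >> (8 * i));
        out[i] = (char)c;
        if (!((c >= 0x20 && c <= 0x7e) || c == '\n' || c == '\t' || c == '\r'))
            all_text = false;
    }
    out[8] = '\0';
    return all_text;
}

/* Assumption: tags 3, 4, 5 and 7 denote heap pointers (cons, string,
   vectorlike, float).  Such a word is bad when its address is null or
   outside the 47-bit x86-64 user-space range. */
static bool bad_pointer(uint64_t obj)
{
    unsigned tag = lisp_tag(obj);
    uint64_t addr = lisp_untag(obj);
    bool pointer_tag = tag == 3 || tag == 4 || tag == 5 || tag == 7;
    return pointer_tag && (addr == 0 || (addr >> 47) != 0);
}

/* Classify the two words of a cons cell as dumped by gdb. */
enum cons_verdict triage_cons(uint64_t car, uint64_t cdr)
{
    char a[9], b[9];
    if (word_is_text(car, a) && word_is_text(cdr, b))
        return CONS_TEXT;          /* cell now holds character data */
    if (bad_pointer(car) || bad_pointer(cdr))
        return CONS_BAD_POINTER;   /* no live object can look like this */
    return CONS_PLAUSIBLE;
}

int main(void)
{
    char car[9], cdr[9];
    /* car and chain from the $13 dump in the thread */
    word_is_text(0x3b29656d616e7073ULL, car);
    word_is_text(0x6f6f620a0a0a7d0aULL, cdr);
    printf("car bytes: %s\n", car);
    printf("cdr ends with: %s\n", cdr + 5);
    printf("$13 verdict: %d\n",
           triage_cons(0x3b29656d616e7073ULL, 0x6f6f620a0a0a7d0aULL));
    /* first pair of the x/64gx dump */
    printf("x/64gx verdict: %d\n",
           triage_cons(0x4ULL, 0x000055559406b6f0ULL));
    /* constructed healthy cell: car = symbol 0xdbf0, cdr = nil (0) */
    printf("constructed verdict: %d\n", triage_cons(0xdbf0ULL, 0));
    printf("symbol index: %llu\n",
           (unsigned long long)symbol_index(0xdbf0, 48));
    return 0;
}
```

On the `$13` values both words decode to text (`spname);` followed by a closing brace, newlines and `boo`), so the cell's 16 bytes are character data rather than two Lisp objects.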




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 20 Nov 2025 13:41:20 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Nov 20 08:41:20 2025
Received: from localhost ([127.0.0.1]:47445 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vM4uW-0007Tw-2u
	for submit <at> debbugs.gnu.org; Thu, 20 Nov 2025 08:41:20 -0500
Received: from mail-244122.protonmail.ch ([109.224.244.122]:43629)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1vM4uT-0007T6-Gi
 for 79854 <at> debbugs.gnu.org; Thu, 20 Nov 2025 08:41:18 -0500
Date: Thu, 20 Nov 2025 13:41:06 +0000
To: andrei.elkin@HIDDEN
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Message-ID: <87zf8g255c.fsf@HIDDEN>
In-Reply-To: <877bvluedx.fsf@quad>
References: <871plwwglx.fsf@quad> <87o6ozuyxo.fsf@quad>
 <86pl9fjpws.fsf@HIDDEN> <871plv3tui.fsf@HIDDEN>
 <87jyzmuylr.fsf@quad> <87pl9e2j19.fsf@HIDDEN> <87fraaug74.fsf@quad>
 <875xb53idd.fsf@HIDDEN> <877bvluedx.fsf@quad>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: 20a6302e9775f1fb534d86286f05221e891a853f
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>

<andrei.elkin@HIDDEN> writes:

> Pip Cet <pipcet@HIDDEN> writes:
>
>> <andrei.elkin@HIDDEN> writes:
>>
>>>>>>
>>>>>> Can you try x/64gx 0x55559406b700?
>>>>>
>>>>> (gdb) x/64gx 0x55559406b700
>>>>>
>>>>> +x/64gx 0x55559406b700
>>>>> 0x55559406b700: 0x0000000000000004      0x000055559406b6f0
>>>>> 0x55559406b710: 0x0000000000000004      0x000055559406b700
>>>>
>>>> That looks like a bunch of freed conses. It seems we're seeing a
>>>> use-after-free error here.
>>>>
>>>> Your initial report involved the symbol 0xdbf0. We need to find out what
>>>> that is in your build: please run
>>>>
>>>>     p 0xdbf0 / sizeof (struct Lisp_Symbol)
>>>>
>>>> (the response is very likely to be 1173)
>>>>
>>>> then look into the src/globals.h file for the line
>>>>
>>>>     #define iQ<something> 1173
>>>>
>>>> The <something> part is the name of the symbol we're looking for.
>>>
>>> #define iQmouse_fixup_help_message 1173
>>> DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)
>>>
>>> This finding fits to the mouse activity that were involved!
>>
>> Yes; IIUC, the X selection code is very tricky because "large"
>> selections are handled differently from small ones. Just to see whether
>> we're on the right track here, please do:
>>
>> p selection_request_stack
>
> (gdb) p selection_request_stack
> +p selection_request_stack
> $8 = (struct x_selection_request *) 0x0
>
>
>> p *selection_request_stack
>> p outstanding_transfers
>
> (gdb)  p outstanding_transfers
> +p outstanding_transfers
> $9 = {
>   requestor = 0,
>   offset = 0,
>   items_per_request = 0,
>   dpyinfo = 0x0,
>   data = {
>     data = 0x0,
>     string = XIL(0),
>     size = 0,
>     format = 0,
>     type = 0,
>     property = 0,
>     next = 0x0
>   },
>   next = 0x555555ae7a20 <outstanding_transfers>,
>   last = 0x555555ae7a20 <outstanding_transfers>,
>   timeout = 0x0,
>   serial = 0,
>   flags = 0
> }
>
>
>> p outstanding_transfers.next
>
> (gdb)  p outstanding_transfers.next
> +p outstanding_transfers.next
> $10 = (struct transfer *) 0x555555ae7a20 <outstanding_transfers>
>
>> p property_change_reply
>
> (gdb) p property_change_reply
> +p property_change_reply
> $11 = XIL(0x7fffef968023)
>
>> p reading_selection_reply
>
> (gdb) p reading_selection_reply
> +p reading_selection_reply
> $12 = XIL(0x7fffefe76b13)
>
>> p *XCONS(0x5555936f543)
>
> (gdb) p *XCONS(0x5555936f543)
> +p *XCONS(0x5555936f543)
> Cannot access memory at address 0x5555936f540
>
> Well, I wonder where from do you pick 0x5555936f543...

It was the "error" list in the original bug report. But I was confused
and omitted one "5". The proper address for this and all following
commands is 0x55555936f543, which should have 12 digits, not 11. My
apologies for the confusion!

Pip





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 20 Nov 2025 11:34:34 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Nov 20 06:34:34 2025
Received: from localhost ([127.0.0.1]:46719 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vM2vq-0004jD-1P
	for submit <at> debbugs.gnu.org; Thu, 20 Nov 2025 06:34:34 -0500
Received: from smtpout03.dka.mailcore.net ([185.138.56.203]:5969)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <andrei.elkin@HIDDEN>)
 id 1vM2vn-0004ir-N2
 for 79854 <at> debbugs.gnu.org; Thu, 20 Nov 2025 06:34:32 -0500
Received: from SMTP.DKA.mailcore.net (unknown [10.1.0.53])
 by SMTPOUT01.DKA.mailcore.net (Postfix) with ESMTP id E91FBE00C0;
 Thu, 20 Nov 2025 12:34:24 +0100 (CET)
Received: from quad (mobile-user-2e84b9-5.dhcp.inet.fi [46.132.185.5])
 by SMTP.DKA.mailcore.net (Postfix) with ESMTPSA id 9E449401A2;
 Thu, 20 Nov 2025 12:34:24 +0100 (CET)
From: andrei.elkin@HIDDEN
To: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN> <87o6ozuyxo.fsf@quad>
 <86pl9fjpws.fsf@HIDDEN> <871plv3tui.fsf@HIDDEN>
 <87jyzmuylr.fsf@quad> <87pl9e2j19.fsf@HIDDEN>
 <87fraaug74.fsf@quad> <875xb53idd.fsf@HIDDEN>
Date: Thu, 20 Nov 2025 13:34:02 +0200
In-Reply-To: <875xb53idd.fsf@HIDDEN> (Pip Cet's message of "Wed, 19
 Nov 2025 19:59:38 +0000")
Message-ID: <877bvluedx.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>

Pip Cet <pipcet@HIDDEN> writes:

> <andrei.elkin@HIDDEN> writes:
>
>>>>>
>>>>> Can you try x/64gx 0x55559406b700?
>>>>
>>>> (gdb) x/64gx 0x55559406b700
>>>>
>>>> +x/64gx 0x55559406b700
>>>> 0x55559406b700: 0x0000000000000004      0x000055559406b6f0
>>>> 0x55559406b710: 0x0000000000000004      0x000055559406b700
>>>
>>> That looks like a bunch of freed conses. It seems we're seeing a
>>> use-after-free error here.
>>>
>>> Your initial report involved the symbol 0xdbf0. We need to find out what
>>> that is in your build: please run
>>>
>>>     p 0xdbf0 / sizeof (struct Lisp_Symbol)
>>>
>>> (the response is very likely to be 1173)
>>>
>>> then look into the src/globals.h file for the line
>>>
>>>     #define iQ<something> 1173
>>>
>>> The <something> part is the name of the symbol we're looking for.
>>
>> #define iQmouse_fixup_help_message 1173
>> DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)
>>
>> This finding fits to the mouse activity that were involved!
>
> Yes; IIUC, the X selection code is very tricky because "large"
> selections are handled differently from small ones. Just to see whether
> we're on the right track here, please do:
>
> p selection_request_stack

(gdb) p selection_request_stack
+p selection_request_stack
$8 = (struct x_selection_request *) 0x0


> p *selection_request_stack
> p outstanding_transfers

(gdb)  p outstanding_transfers
+p outstanding_transfers
$9 = {
  requestor = 0,
  offset = 0,
  items_per_request = 0,
  dpyinfo = 0x0,
  data = {
    data = 0x0,
    string = XIL(0),
    size = 0,
    format = 0,
    type = 0,
    property = 0,
    next = 0x0
  },
  next = 0x555555ae7a20 <outstanding_transfers>,
  last = 0x555555ae7a20 <outstanding_transfers>,
  timeout = 0x0,
  serial = 0,
  flags = 0
}


> p outstanding_transfers.next

(gdb)  p outstanding_transfers.next
+p outstanding_transfers.next
$10 = (struct transfer *) 0x555555ae7a20 <outstanding_transfers>

> p property_change_reply

(gdb) p property_change_reply
+p property_change_reply
$11 = XIL(0x7fffef968023)

> p reading_selection_reply

(gdb) p reading_selection_reply
+p reading_selection_reply
$12 = XIL(0x7fffefe76b13)

> p *XCONS(0x5555936f543)

(gdb) p *XCONS(0x5555936f543)
+p *XCONS(0x5555936f543)
Cannot access memory at address 0x5555936f540

Well, I wonder where from do you pick 0x5555936f543...

> p *XCONS(XCDR(0x5555936f543))

(gdb) p *XCONS(XCDR(0x5555936f543))
+p *XCONS(XCDR(0x5555936f543))
Cannot access memory at address 0x5555936f548


> p *XCONS(XCDR(XCDR(0x5555936f543)))

(gdb)  p *XCONS(XCDR(XCDR(0x5555936f543)))
+p *XCONS(XCDR(XCDR(0x5555936f543)))
Cannot access memory at address 0x5555936f548

> pp XCAR(0x5555936f543)

(gdb)  pp XCAR(0x5555936f543)
+pp XCAR(0x5555936f543)
++set $tmp = XCAR(0x5555936f543)
Cannot access memory at address 0x5555936f540

> pp XCAR(XCDR(0x5555936f543))
> pp XCAR(XCDR(XCDR(0x5555936f543)))

(gdb) pp XCAR(XCDR(0x5555936f543))
+pp XCAR(XCDR(0x5555936f543))
++set $tmp = XCAR(XCDR(0x5555936f543))
Cannot access memory at address 0x5555936f548
(gdb) pp XCAR(XCDR(XCDR(0x5555936f543)))
+pp XCAR(XCDR(XCDR(0x5555936f543)))
++set $tmp = XCAR(XCDR(XCDR(0x5555936f543)))
Cannot access memory at address 0x5555936f548





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 19 Nov 2025 19:59:55 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Nov 19 14:59:55 2025
Received: from localhost ([127.0.0.1]:40457 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vLoLK-00004w-Lu
	for submit <at> debbugs.gnu.org; Wed, 19 Nov 2025 14:59:54 -0500
Received: from mail-10629.protonmail.ch ([79.135.106.29]:41545)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1vLoLH-0008WL-UT
 for 79854 <at> debbugs.gnu.org; Wed, 19 Nov 2025 14:59:52 -0500
Date: Wed, 19 Nov 2025 19:59:38 +0000
To: andrei.elkin@HIDDEN
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Message-ID: <875xb53idd.fsf@HIDDEN>
In-Reply-To: <87fraaug74.fsf@quad>
References: <871plwwglx.fsf@quad> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN> <87o6ozuyxo.fsf@quad> <86pl9fjpws.fsf@HIDDEN>
 <871plv3tui.fsf@HIDDEN> <87jyzmuylr.fsf@quad>
 <87pl9e2j19.fsf@HIDDEN> <87fraaug74.fsf@quad>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: 34410e827cabd809b4a4a6fcc0bd216e20e2f68d
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>

<andrei.elkin@HIDDEN> writes:

>>>>
>>>> Can you try x/64gx 0x55559406b700?
>>>
>>> (gdb) x/64gx 0x55559406b700
>>>
>>> +x/64gx 0x55559406b700
>>> 0x55559406b700: 0x0000000000000004      0x000055559406b6f0
>>> 0x55559406b710: 0x0000000000000004      0x000055559406b700
>>
>> That looks like a bunch of freed conses. It seems we're seeing a
>> use-after-free error here.
>>
>> Your initial report involved the symbol 0xdbf0. We need to find out what
>> that is in your build: please run
>>
>>     p 0xdbf0 / sizeof (struct Lisp_Symbol)
>>
>> (the response is very likely to be 1173)
>>
>> then look into the src/globals.h file for the line
>>
>>     #define iQ<something> 1173
>>
>> The <something> part is the name of the symbol we're looking for.
>
> #define iQmouse_fixup_help_message 1173
> DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)
>
> This finding fits to the mouse activity that were involved!

Yes; IIUC, the X selection code is very tricky because "large"
selections are handled differently from small ones. Just to see whether
we're on the right track here, please do:

p selection_request_stack
p *selection_request_stack
p outstanding_transfers
p outstanding_transfers.next
p property_change_reply
p reading_selection_reply
p *XCONS(0x5555936f543)
p *XCONS(XCDR(0x5555936f543))
p *XCONS(XCDR(XCDR(0x5555936f543)))
pp XCAR(0x5555936f543)
pp XCAR(XCDR(0x5555936f543))
pp XCAR(XCDR(XCDR(0x5555936f543)))

The last ones might give us a clue if it's not the xselect code after
all...

> You are certainly on the right track :prayer:.

Let's see what the above produces.

Thanks again!

Pip





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 19 Nov 2025 18:33:00 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Nov 19 13:33:00 2025
Received: from localhost ([127.0.0.1]:39918 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vLmzE-0002Nx-6h
	for submit <at> debbugs.gnu.org; Wed, 19 Nov 2025 13:33:00 -0500
Received: from smtpout03.dka.mailcore.net ([185.138.56.203]:5931)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <andrei.elkin@HIDDEN>)
 id 1vLmzC-0002NK-FK
 for 79854 <at> debbugs.gnu.org; Wed, 19 Nov 2025 13:32:58 -0500
Received: from SMTP.DKA.mailcore.net (unknown [10.1.0.53])
 by SMTPOUT01.DKA.mailcore.net (Postfix) with ESMTP id 1037CE006A;
 Wed, 19 Nov 2025 19:32:52 +0100 (CET)
Received: from quad (mobile-user-2e84b9-5.dhcp.inet.fi [46.132.185.5])
 by SMTP.DKA.mailcore.net (Postfix) with ESMTPSA id C478440138;
 Wed, 19 Nov 2025 19:32:51 +0100 (CET)
From: andrei.elkin@HIDDEN
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN> <87o6ozuyxo.fsf@quad>
 <86pl9fjpws.fsf@HIDDEN> <871plv3tui.fsf@HIDDEN>
 <87jyzmuylr.fsf@quad> <87pl9e2j19.fsf@HIDDEN>
 <87fraaug74.fsf@quad> <86tsyqhs4h.fsf@HIDDEN>
Date: Wed, 19 Nov 2025 20:32:30 +0200
In-Reply-To: <86tsyqhs4h.fsf@HIDDEN> (Eli Zaretskii's message of "Wed, 19 Nov
 2025 19:03:26 +0200")
Message-ID: <87bjkxvpoh.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, pipcet@HIDDEN

Eli,

>> From: andrei.elkin@HIDDEN
>> Cc: Eli Zaretskii <eliz@HIDDEN>,  79854 <at> debbugs.gnu.org
>> Date: Wed, 19 Nov 2025 18:42:39 +0200
>> 
>> > Your initial report involved the symbol 0xdbf0. We need to find out what
>> > that is in your build: please run
>> >
>> >     p 0xdbf0 / sizeof (struct Lisp_Symbol)
>> >
>> > (the response is very likely to be 1173)
>> >
>> > then look into the src/globals.h file for the line
>> >
>> >     #define iQ<something> 1173
>> >
>> > The <something> part is the name of the symbol we're looking for.
>> 
>> #define iQmouse_fixup_help_message 1173
>> DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)
>
> But does
>
>   (gdb) p 0xdbf0 / sizeof (struct Lisp_Symbol)
>
> indeed display 1173 in your case?  We need to be sure that we are not
> chasing a wild goose here.

#0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
/usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259
(gdb)  p 0xdbf0 / sizeof (struct Lisp_Symbol)
+p 0xdbf0 / sizeof (struct Lisp_Symbol)
$7 = 1173




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 19 Nov 2025 17:03:37 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Nov 19 12:03:37 2025
Received: from localhost ([127.0.0.1]:39274 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vLlaj-0004WL-0H
	for submit <at> debbugs.gnu.org; Wed, 19 Nov 2025 12:03:37 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:47492)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <eliz@HIDDEN>) id 1vLlag-0004Vw-U6
 for 79854 <at> debbugs.gnu.org; Wed, 19 Nov 2025 12:03:35 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1vLlaa-0007Bn-RU; Wed, 19 Nov 2025 12:03:28 -0500
Date: Wed, 19 Nov 2025 19:03:26 +0200
Message-Id: <86tsyqhs4h.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: andrei.elkin@HIDDEN
In-Reply-To: <87fraaug74.fsf@quad> (andrei.elkin@HIDDEN)
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN> <87o6ozuyxo.fsf@quad>
 <86pl9fjpws.fsf@HIDDEN> <871plv3tui.fsf@HIDDEN>
 <87jyzmuylr.fsf@quad> <87pl9e2j19.fsf@HIDDEN>
 <87fraaug74.fsf@quad>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, pipcet@HIDDEN
X-Spam-Score: -3.3 (---)

> From: andrei.elkin@HIDDEN
> Cc: Eli Zaretskii <eliz@HIDDEN>,  79854 <at> debbugs.gnu.org
> Date: Wed, 19 Nov 2025 18:42:39 +0200
> 
> > Your initial report involved the symbol 0xdbf0. We need to find out what
> > that is in your build: please run
> >
> >     p 0xdbf0 / sizeof (struct Lisp_Symbol)
> >
> > (the response is very likely to be 1173)
> >
> > then look into the src/globals.h file for the line
> >
> >     #define iQ<something> 1173
> >
> > The <something> part is the name of the symbol we're looking for.
> 
> #define iQmouse_fixup_help_message 1173
> DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)

But does

  (gdb) p 0xdbf0 / sizeof (struct Lisp_Symbol)

indeed display 1173 in your case?  We need to be sure that we are not
chasing a wild goose here.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 19 Nov 2025 16:43:10 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Nov 19 11:43:10 2025
Received: from localhost ([127.0.0.1]:39110 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vLlGv-0002tp-Ui
	for submit <at> debbugs.gnu.org; Wed, 19 Nov 2025 11:43:10 -0500
Received: from smtpout03.dka.mailcore.net ([185.138.56.203]:54999)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <andrei.elkin@HIDDEN>)
 id 1vLlGt-0002sw-Kn
 for 79854 <at> debbugs.gnu.org; Wed, 19 Nov 2025 11:43:07 -0500
Received: from SMTP.DKA.mailcore.net (unknown [10.1.0.53])
 by SMTPOUT01.DKA.mailcore.net (Postfix) with ESMTP id 4BE83E004E;
 Wed, 19 Nov 2025 17:43:01 +0100 (CET)
Received: from quad (mobile-user-2e84b9-5.dhcp.inet.fi [46.132.185.5])
 by SMTP.DKA.mailcore.net (Postfix) with ESMTPSA id 0760B40146;
 Wed, 19 Nov 2025 17:43:00 +0100 (CET)
From: andrei.elkin@HIDDEN
To: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN> <87o6ozuyxo.fsf@quad>
 <86pl9fjpws.fsf@HIDDEN> <871plv3tui.fsf@HIDDEN>
 <87jyzmuylr.fsf@quad> <87pl9e2j19.fsf@HIDDEN>
Date: Wed, 19 Nov 2025 18:42:39 +0200
In-Reply-To: <87pl9e2j19.fsf@HIDDEN> (Pip Cet's message of "Wed, 19
 Nov 2025 14:30:37 +0000")
Message-ID: <87fraaug74.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
X-Spam-Score: -1.0 (-)

>>>
>>> Can you try x/64gx 0x55559406b700?
>>
>> (gdb) x/64gx 0x55559406b700
>>
>> +x/64gx 0x55559406b700
>> 0x55559406b700: 0x0000000000000004      0x000055559406b6f0
>> 0x55559406b710: 0x0000000000000004      0x000055559406b700
>
> That looks like a bunch of freed conses. It seems we're seeing a
> use-after-free error here.
>
> Your initial report involved the symbol 0xdbf0. We need to find out what
> that is in your build: please run
>
>     p 0xdbf0 / sizeof (struct Lisp_Symbol)
>
> (the response is very likely to be 1173)
>
> then look into the src/globals.h file for the line
>
>     #define iQ<something> 1173
>
> The <something> part is the name of the symbol we're looking for.

#define iQmouse_fixup_help_message 1173
DEFINE_LISP_SYMBOL (Qmouse_fixup_help_message)

This finding fits the mouse activity that was involved!
You are certainly on the right track :prayer:.

>
> If it's module_out_of_memory (which is nearby in my build), that might
> give us a hint where to look further. Are you using any modules, by any
> chance?

No modules.

>
> Thanks!
>
> Pip




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 19 Nov 2025 14:30:53 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Nov 19 09:30:53 2025
Received: from localhost ([127.0.0.1]:37361 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vLjCu-0002An-KG
	for submit <at> debbugs.gnu.org; Wed, 19 Nov 2025 09:30:52 -0500
Received: from mail-244122.protonmail.ch ([109.224.244.122]:29985)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1vLjCs-0002AQ-4l
 for 79854 <at> debbugs.gnu.org; Wed, 19 Nov 2025 09:30:50 -0500
Date: Wed, 19 Nov 2025 14:30:37 +0000
To: andrei.elkin@HIDDEN
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Message-ID: <87pl9e2j19.fsf@HIDDEN>
In-Reply-To: <87jyzmuylr.fsf@quad>
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN> <87o6ozuyxo.fsf@quad> <86pl9fjpws.fsf@HIDDEN>
 <871plv3tui.fsf@HIDDEN> <87jyzmuylr.fsf@quad>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: 5ea0de7597b944dca62b8401c3173506f705dcd8
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
X-Spam-Score: -1.0 (-)

<andrei.elkin@HIDDEN> writes:

> Howdy Pip!
>
>>>> 0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
>>>> /usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259
>>>> (gdb) p sym
>>>> +p sym
>>>> $4 = XIL(0x55559406b720)
>>>> (gdb) pr sym
>>>> +pr sym
>>>> ++pp $
>>>> +++set $tmp = $
>>>> +++set $output_debug = print_output_debug_flag
>>>> +++set print_output_debug_flag = 0
>>>> +++call safe_debug_print ($tmp)
>>>> #<INVALID_LISP_OBJECT 0x55559406b720>
>>>> +++set print_output_debug_flag = $output_debug
>>>>
>>>> The segfault apparently (and I may be wrong of course) deals with
>>>> INVALID_LISP_OBJECT. Is it possible to track where the object gets such
>>>> status?
>>>
>>> If we figure out which code and why signaled this error, we could then
>>> see what was the symbol originally, and then how it got corrupted.
>>
>> I doubt it was a symbol originally. It looks like a normal pointer that
>> was written into a Lisp_Object slot somewhere, where it was
>> misinterpreted as a symbol because it's eight-byte aligned.
>>
>> We should inspect the memory that it actually points to when interpreted
>> as an ordinary pointer.
>>
>> Can you try x/64gx 0x55559406b700?
>
> (gdb) x/64gx 0x55559406b700
>
> +x/64gx 0x55559406b700
> 0x55559406b700: 0x0000000000000004      0x000055559406b6f0
> 0x55559406b710: 0x0000000000000004      0x000055559406b700

That looks like a bunch of freed conses. It seems we're seeing a
use-after-free error here.

Your initial report involved the symbol 0xdbf0. We need to find out what
that is in your build: please run

    p 0xdbf0 / sizeof (struct Lisp_Symbol)

(the response is very likely to be 1173)

then look into the src/globals.h file for the line

    #define iQ<something> 1173

The <something> part is the name of the symbol we're looking for.

If it's module_out_of_memory (which is nearby in my build), that might
give us a hint where to look further. Are you using any modules, by any
chance?

Thanks!

Pip





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 19 Nov 2025 10:05:34 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Nov 19 05:05:34 2025
Received: from localhost ([127.0.0.1]:35978 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vLf49-0004Ok-Tv
	for submit <at> debbugs.gnu.org; Wed, 19 Nov 2025 05:05:34 -0500
Received: from smtpout03.dka.mailcore.net ([185.138.56.203]:57777)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <andrei.elkin@HIDDEN>)
 id 1vLf48-0004OS-54
 for 79854 <at> debbugs.gnu.org; Wed, 19 Nov 2025 05:05:32 -0500
Received: from SMTP.DKA.mailcore.net (unknown [10.1.0.53])
 by SMTPOUT01.DKA.mailcore.net (Postfix) with ESMTP id BD9CDE00B1;
 Wed, 19 Nov 2025 11:05:25 +0100 (CET)
Received: from quad (mobile-user-2e84b9-5.dhcp.inet.fi [46.132.185.5])
 by SMTP.DKA.mailcore.net (Postfix) with ESMTPSA id 7FF11400FE;
 Wed, 19 Nov 2025 11:05:25 +0100 (CET)
From: andrei.elkin@HIDDEN
To: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN> <87o6ozuyxo.fsf@quad>
 <86pl9fjpws.fsf@HIDDEN> <871plv3tui.fsf@HIDDEN>
Date: Wed, 19 Nov 2025 12:05:04 +0200
In-Reply-To: <871plv3tui.fsf@HIDDEN> (Pip Cet's message of "Tue, 18
 Nov 2025 21:39:31 +0000")
Message-ID: <87jyzmuylr.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
X-Spam-Score: -1.0 (-)

Howdy Pip!

>>> 0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
>>> /usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259
>>> (gdb) p sym
>>> +p sym
>>> $4 = XIL(0x55559406b720)
>>> (gdb) pr sym
>>> +pr sym
>>> ++pp $
>>> +++set $tmp = $
>>> +++set $output_debug = print_output_debug_flag
>>> +++set print_output_debug_flag = 0
>>> +++call safe_debug_print ($tmp)
>>> #<INVALID_LISP_OBJECT 0x55559406b720>
>>> +++set print_output_debug_flag = $output_debug
>>>
>>> The segfault apparently (and I may be wrong of course) deals with
>>> INVALID_LISP_OBJECT. Is it possible to track where the object gets such
>>> status?
>>
>> If we figure out which code and why signaled this error, we could then
>> see what was the symbol originally, and then how it got corrupted.
>
> I doubt it was a symbol originally. It looks like a normal pointer that
> was written into a Lisp_Object slot somewhere, where it was
> misinterpreted as a symbol because it's eight-byte aligned.
>
> We should inspect the memory that it actually points to when interpreted
> as an ordinary pointer.
>
> Can you try x/64gx 0x55559406b700?

(gdb) x/64gx 0x55559406b700

+x/64gx 0x55559406b700
0x55559406b700: 0x0000000000000004      0x000055559406b6f0
0x55559406b710: 0x0000000000000004      0x000055559406b700
0x55559406b720: 0x0000000000000004      0x000055559406b710
0x55559406b730: 0x0000000000000004      0x000055559406b720
0x55559406b740: 0x0000000000000004      0x000055559406b730
0x55559406b750: 0x0000000000000004      0x000055559406b740
0x55559406b760: 0x0000000000000004      0x000055559406b750
0x55559406b770: 0x0000000000000004      0x000055559406b760
0x55559406b780: 0x0000000000000004      0x000055559406b770
0x55559406b790: 0x0000000000000004      0x000055559406b780
0x55559406b7a0: 0x0000000000000004      0x000055559406b790
0x55559406b7b0: 0x0000000000000004      0x000055559406b7a0
0x55559406b7c0: 0x0000000000000004      0x000055559406b7b0
0x55559406b7d0: 0x0000000000000004      0x000055559406b7c0
0x55559406b7e0: 0x0000000000000004      0x000055559406b7d0
0x55559406b7f0: 0x0000000000000004      0x000055559406b7e0
0x55559406b800: 0x0000000000000004      0x000055559406b7f0
0x55559406b810: 0x0000000000000004      0x000055559406b800
0x55559406b820: 0x0000000000000004      0x000055559406b810
0x55559406b830: 0x0000000000000004      0x000055559406b820
0x55559406b840: 0x0000000000000004      0x000055559406b830
0x55559406b850: 0x0000000000000004      0x000055559406b840
0x55559406b860: 0x0000000000000004      0x000055559406b850
0x55559406b870: 0x0000000000000004      0x000055559406b860
0x55559406b880: 0x0000000000000004      0x000055559406b870
0x55559406b890: 0x0000000000000004      0x000055559406b880
0x55559406b8a0: 0x0000000000000004      0x000055559406b890
0x55559406b8b0: 0x0000000000000004      0x000055559406b8a0
0x55559406b8c0: 0x0000000000000004      0x000055559406b8b0
0x55559406b8d0: 0x0000000000000004      0x000055559406b8c0
0x55559406b8e0: 0x0000000000000004      0x000055559406b8d0
0x55559406b8f0: 0x0000000000000004      0x000055559406b8e0


>
> Thanks!
>
> Pip

Thank you as well, I am all ears for further inspection commands.


/ndrei




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 18 Nov 2025 21:39:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Nov 18 16:39:46 2025
Received: from localhost ([127.0.0.1]:59917 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vLTQP-0004oR-OB
	for submit <at> debbugs.gnu.org; Tue, 18 Nov 2025 16:39:46 -0500
Received: from mail-244125.protonmail.ch ([109.224.244.125]:44495)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1vLTQN-0004nj-4v
 for 79854 <at> debbugs.gnu.org; Tue, 18 Nov 2025 16:39:44 -0500
Date: Tue, 18 Nov 2025 21:39:31 +0000
To: Eli Zaretskii <eliz@HIDDEN>
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Message-ID: <871plv3tui.fsf@HIDDEN>
In-Reply-To: <86pl9fjpws.fsf@HIDDEN>
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN> <87o6ozuyxo.fsf@quad> <86pl9fjpws.fsf@HIDDEN>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: e23eb970400f3f2bc1fd2255cff53e7692260534
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org, andrei.elkin@HIDDEN
X-Spam-Score: -1.0 (-)

"Eli Zaretskii" <eliz@HIDDEN> writes:

>> From: andrei.elkin@HIDDEN
>> Cc: 79854 <at> debbugs.gnu.org
>> Date: Tue, 18 Nov 2025 17:45:39 +0200
>>
>> Eli Zaretskii <eliz@HIDDEN> writes:
>>
>> >> From: andrei.elkin@HIDDEN
>> >> Cc: 79854 <at> debbugs.gnu.org
>> >> Date: Tue, 18 Nov 2025 17:13:54 +0200
>> >>
>> >> Eli Zaretskii <eliz@HIDDEN> writes:
>> >>
>> >> >> From: andrei.elkin@HIDDEN
>> >> >> Cc: 79854 <at> debbugs.gnu.org
>> >> >> Date: Tue, 18 Nov 2025 16:26:19 +0200
>> >> >>
>> >> >> >> when approximately at time I attempted to copy-paste a piece of text
>> >> >> >> from the system clipboard (X11/xfce4 window manager).
>> >> >> >
>> >> >> > What was the piece of text, and which application produced it?
>> >> >>
>> >> >> Emacs was run under gdb which itself was in a screen session.
>> >> >>  "...Segmentation fault.ld_to_fill()" is probably from outside of emacs
>> >> >>  (I could not grep that symbol in the emacs sources).
>> >> >
>> >> > No, I mean which application put the text into the clipboard?
>> >>
>> >> I am not sure what it was, my bad.. (as I did expect something bad to
>> >> re-occur at one point). Probably it was from an emacs frame that I
>> >> mouse-selected. Besides I had gnome-terminals and firefox.
>> >>
>> >> The crashed emacs instance is accessed via ssh from another box + emacsclient.
>> >>
>> >> >
>> >> >> (gdb) xsymbol
>> >> >> +xsymbol
>> >> >> ++set $sym = $
>> >> >> ++xgetsym $sym
>> >> >> +++xgetptr $sym
>> >> >> ++++if (CHECK_LISP_OBJECT_TYPE)
>> >> >> +++++set $bugfix = $sym.i
>> >> >> ++++set $ptr = (EMACS_INT) $bugfix & VALMASK
>> >> >> +++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
>> >> >> ++print (struct Lisp_Symbol *) $ptr
>> >> >> $3 = (struct Lisp_Symbol *) 0xaaaae9bb11e0
>> >> >> ++xprintsym $sym
>> >> >> +++xsymname $sym
>> >> >> ++++xgetsym $sym
>> >> >> +++++xgetptr $sym
>> >> >> ++++++if (CHECK_LISP_OBJECT_TYPE)
>> >> >> +++++++set $bugfix = $sym.i
>> >> >> ++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
>> >> >> +++++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
>> >> >> ++++set $symname = $ptr->u.s.name
>> >> >> Cannot access memory at address 0xaaaae9bb11e8
>> >> >
>> >> > Sorry, I have no idea how that happens.  In general, Emacs tried to
>> >> > report some error, but that's all I see from the backtrace.
>> >>
>> >> It might come back I believe (given my rather routine use of Emacs).
>> >> Anything you might suggest to catch something essential in future?
>> >
>> > It would be good to understand what caused Emacs to signal an error in
>> > the first place.
>>
>> I might join this hunting journey, but obviously would have to climb a
>> lot. Let me ask about the very top of the stack
>>
>> 0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
>> /usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259
>> (gdb) p sym
>> +p sym
>> $4 = XIL(0x55559406b720)
>> (gdb) pr sym
>> +pr sym
>> ++pp $
>> +++set $tmp = $
>> +++set $output_debug = print_output_debug_flag
>> +++set print_output_debug_flag = 0
>> +++call safe_debug_print ($tmp)
>> #<INVALID_LISP_OBJECT 0x55559406b720>
>> +++set print_output_debug_flag = $output_debug
>>
>> The segfault apparently (and I may be wrong of course) deals with
>> INVALID_LISP_OBJECT. Is it possible to track where the object gets such
>> status?
>
> If we figure out which code and why signaled this error, we could then
> see what was the symbol originally, and then how it got corrupted.

I doubt it was a symbol originally. It looks like a normal pointer that
was written into a Lisp_Object slot somewhere, where it was
misinterpreted as a symbol because it's eight-byte aligned.

We should inspect the memory that it actually points to when interpreted
as an ordinary pointer.

Can you try x/64gx 0x55559406b700?

Thanks!

Pip
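
The triage reasoning in the replies above (an aligned raw pointer read as a symbol, the built-in symbol index computed from 0xdbf0, and the dump read as a chain of freed cells), as an added C example that is not part of the thread or of the Emacs sources. The 3-bit tag layout with tag 0 for symbols, the 48-byte symbol size implied by the quoted gdb result, and all function names are assumptions of this sketch; the addresses and dump words are copied from the messages.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this sketch: the low 3 bits of a Lisp word are the type
   tag and tag 0 means "symbol", so any 8-byte-aligned value passes as one.  */
#define TAG_MASK    0x7u
#define TAG_SYMBOL  0u

/* Implied by the gdb result in the thread: 0xdbf0 / sizeof == 1173.  */
#define SYMBOL_SIZE 48u

/* Values quoted in the thread.  */
#define SUSPECT_WORD 0x55559406b720ull   /* sym=XIL(...) in the top frame */
#define DUMP_BASE    0x55559406b700ull   /* start of the x/64gx dump */
#define CELL_SIZE    16u                 /* two 8-byte words per dumped cell */

/* First four cells of the dump, copied from the thread.  */
static const uint64_t dump_words[] = {
  0x4, 0x55559406b6f0ull,
  0x4, 0x55559406b700ull,
  0x4, 0x55559406b710ull,
  0x4, 0x55559406b720ull,
};
#define DUMP_CELLS (sizeof dump_words / sizeof dump_words[0] / 2)

/* Type tag carried in the low bits of a word.  */
unsigned word_tag (uint64_t w)
{
  return (unsigned) (w & TAG_MASK);
}

/* Index into the built-in symbol table (the iQ... numbers in
   src/globals.h) if W is symbol-tagged and an exact multiple of the
   symbol size, else -1.  */
int64_t builtin_symbol_index (uint64_t w)
{
  if (word_tag (w) != TAG_SYMBOL || w % SYMBOL_SIZE != 0)
    return -1;
  return (int64_t) (w / SYMBOL_SIZE);
}

/* Count leading cells that look like links of one chain: every cell has
   the same first word as cell 0, and its second word is the address of
   the cell just before it.  */
size_t chained_cells (const uint64_t *words, size_t n_cells, uint64_t base)
{
  size_t i;
  for (i = 0; i < n_cells; i++)
    {
      uint64_t marker = words[2 * i];
      uint64_t link = words[2 * i + 1];
      uint64_t expect = base + i * CELL_SIZE - CELL_SIZE;
      if (marker != words[0] || link != expect)
        break;
    }
  return i;
}

/* 1 if W is the start address of one of the first N_CHAINED cells.  */
int points_into_chain (uint64_t w, uint64_t base, size_t n_chained)
{
  if (w < base || w >= base + n_chained * CELL_SIZE)
    return 0;
  return (w - base) % CELL_SIZE == 0;
}

int main (void)
{
  size_t n = chained_cells (dump_words, DUMP_CELLS, DUMP_BASE);

  printf ("tag of suspect word:        %u\n", word_tag (SUSPECT_WORD));
  printf ("built-in index of 0xdbf0:   %lld\n",
          (long long) builtin_symbol_index (0xdbf0));
  printf ("built-in index of suspect:  %lld\n",
          (long long) builtin_symbol_index (SUSPECT_WORD));
  printf ("cells forming one chain:    %zu of %zu\n", n, (size_t) DUMP_CELLS);
  printf ("suspect word is a cell start in that chain: %d\n",
          points_into_chain (SUSPECT_WORD, DUMP_BASE, n));
  return 0;
}
```

The suspect word carries the symbol tag yet is not a built-in symbol offset, and it is exactly the address of one of the chained cells, which is the combination the replies interpret as a stale pointer into freed memory.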





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 18 Nov 2025 15:56:42 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Nov 18 10:56:42 2025
Received: from localhost ([127.0.0.1]:58588 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1vLO4Q-0007X3-93
	for submit <at> debbugs.gnu.org; Tue, 18 Nov 2025 10:56:42 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:57428)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <eliz@HIDDEN>) id 1vLO4N-0007Wo-LP
 for 79854 <at> debbugs.gnu.org; Tue, 18 Nov 2025 10:56:40 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1vLO4H-0002hi-Lk; Tue, 18 Nov 2025 10:56:33 -0500
Date: Tue, 18 Nov 2025 17:56:03 +0200
Message-Id: <86pl9fjpws.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: andrei.elkin@HIDDEN
In-Reply-To: <87o6ozuyxo.fsf@quad> (andrei.elkin@HIDDEN)
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN> <87o6ozuyxo.fsf@quad>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org
X-Spam-Score: -3.3 (---)

> From: andrei.elkin@HIDDEN
> Cc: 79854 <at> debbugs.gnu.org
> Date: Tue, 18 Nov 2025 17:45:39 +0200
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> >> From: andrei.elkin@HIDDEN
> >> Cc: 79854 <at> debbugs.gnu.org
> >> Date: Tue, 18 Nov 2025 17:13:54 +0200
> >> 
> >> Eli Zaretskii <eliz@HIDDEN> writes:
> >> 
> >> >> From: andrei.elkin@HIDDEN
> >> >> Cc: 79854 <at> debbugs.gnu.org
> >> >> Date: Tue, 18 Nov 2025 16:26:19 +0200
> >> >> 
> >> >> >> when approximately at time I attempted to copy-paste a piece of text
> >> >> >> from the system clipboard (X11/xfce4 window manager).
> >> >> >
> >> >> > What was the piece of text, and which application produced it?
> >> >> 
> >> >> Emacs was run under gdb which itself was in a screen session.
> >> >>  "...Segmentation fault.ld_to_fill()" is probably from outside of emacs
> >> >>  (I could not grep that symbol in the emacs sources).
> >> >
> >> > No, I mean which application put the text into the clipboard?
> >> 
> >> I am not sure what it was, my bad.. (as I did expect something bad to
> >> re-occur at one point). Probably it was from an emacs frame that I
> >> mouse-selected. Besides I had gnome-terminals and firefox.
> >> 
> >> The crashed emacs instance is accessed via ssh from another box + emacsclient.
> >> 
> >> >
> >> >> (gdb) xsymbol 
> >> >> +xsymbol 
> >> >> ++set $sym = $
> >> >> ++xgetsym $sym
> >> >> +++xgetptr $sym
> >> >> ++++if (CHECK_LISP_OBJECT_TYPE)
> >> >> +++++set $bugfix = $sym.i
> >> >> ++++set $ptr = (EMACS_INT) $bugfix & VALMASK
> >> >> +++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
> >> >> ++print (struct Lisp_Symbol *) $ptr
> >> >> $3 = (struct Lisp_Symbol *) 0xaaaae9bb11e0
> >> >> ++xprintsym $sym
> >> >> +++xsymname $sym
> >> >> ++++xgetsym $sym
> >> >> +++++xgetptr $sym
> >> >> ++++++if (CHECK_LISP_OBJECT_TYPE)
> >> >> +++++++set $bugfix = $sym.i
> >> >> ++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
> >> >> +++++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
> >> >> ++++set $symname = $ptr->u.s.name
> >> >> Cannot access memory at address 0xaaaae9bb11e8
> >> >
> >> > Sorry, I have no idea how that happens.  In general, Emacs tried to
> >> > report some error, but that's all I see from the backtrace.
> >> 
> >> It might come back I believe (given my rather routine use of Emacs).
> >> Anything you might suggest to catch something essential in future?
> >
> > It would be good to understand what caused Emacs to signal an error in
> > the first place.
> 
> I might join this hunting journey, but obviously would have to climb a
> lot. Let me ask about the very top of the stack
> 
> 0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
> /usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259
> (gdb) p sym
> +p sym
> $4 = XIL(0x55559406b720)
> (gdb) pr sym
> +pr sym
> ++pp $
> +++set $tmp = $
> +++set $output_debug = print_output_debug_flag
> +++set print_output_debug_flag = 0
> +++call safe_debug_print ($tmp)
> #<INVALID_LISP_OBJECT 0x55559406b720>
> +++set print_output_debug_flag = $output_debug
> 
> The segfault apparently (and I may be wrong of course) deals with
> INVALID_LISP_OBJECT. Is it possible to track where the object gets such
> status?

If we figure out which code and why signaled this error, we could then
see what was the symbol originally, and then how it got corrupted.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 18 Nov 2025 15:46:12 +0000
From: andrei.elkin@HIDDEN
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN> <87seebv0el.fsf@quad>
 <86seebjrae.fsf@HIDDEN>
Date: Tue, 18 Nov 2025 17:45:39 +0200
In-Reply-To: <86seebjrae.fsf@HIDDEN> (Eli Zaretskii's message of "Tue, 18 Nov
 2025 17:26:17 +0200")
Message-ID: <87o6ozuyxo.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

>> From: andrei.elkin@HIDDEN
>> Cc: 79854 <at> debbugs.gnu.org
>> Date: Tue, 18 Nov 2025 17:13:54 +0200
>> 
>> Eli Zaretskii <eliz@HIDDEN> writes:
>> 
>> >> From: andrei.elkin@HIDDEN
>> >> Cc: 79854 <at> debbugs.gnu.org
>> >> Date: Tue, 18 Nov 2025 16:26:19 +0200
>> >> 
>> >> >> when approximately at time I attempted to copy-paste a piece of text
>> >> >> from the system clipboard (X11/xfce4 window manager).
>> >> >
>> >> > What was the piece of text, and which application produced it?
>> >> 
>> >> Emacs was run under gdb, which itself was in a screen session.
>> >>  "...Segmentation fault.ld_to_fill()" is probably from outside of emacs
>> >>  (I could not grep that symbol in the emacs sources).
>> >
>> > No, I mean which application put the text into the clipboard?
>> 
>> I am not sure what it was, my bad.. (as I did expect something bad to
>> re-occur at one point). Probably it was from an emacs frame that I
>> mouse-selected. Besides I had gnome-terminals and firefox.
>> 
>> The crashed emacs instance is accessed via ssh from another box + emacsclient.
>> 
>> >
>> >> (gdb) xsymbol 
>> >> +xsymbol 
>> >> ++set $sym = $
>> >> ++xgetsym $sym
>> >> +++xgetptr $sym
>> >> ++++if (CHECK_LISP_OBJECT_TYPE)
>> >> +++++set $bugfix = $sym.i
>> >> ++++set $ptr = (EMACS_INT) $bugfix & VALMASK
>> >> +++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
>> >> ++print (struct Lisp_Symbol *) $ptr
>> >> $3 = (struct Lisp_Symbol *) 0xaaaae9bb11e0
>> >> ++xprintsym $sym
>> >> +++xsymname $sym
>> >> ++++xgetsym $sym
>> >> +++++xgetptr $sym
>> >> ++++++if (CHECK_LISP_OBJECT_TYPE)
>> >> +++++++set $bugfix = $sym.i
>> >> ++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
>> >> +++++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
>> >> ++++set $symname = $ptr->u.s.name
>> >> Cannot access memory at address 0xaaaae9bb11e8
>> >
>> > Sorry, I have no idea how that happens.  In general, Emacs tried to
>> > report some error, but that's all I see from the backtrace.
>> 
>> It might come back I believe (given my rather routine use of Emacs).
>> Anything you might suggest to catch something essential in future?
>
> It would be good to understand what caused Emacs to signal an error in
> the first place.

I might join this hunting journey, but obviously would have to climb a
lot. Let me ask about the very top of the stack

0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
/usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259
(gdb) p sym
+p sym
$4 = XIL(0x55559406b720)
(gdb) pr sym
+pr sym
++pp $
+++set $tmp = $
+++set $output_debug = print_output_debug_flag
+++set print_output_debug_flag = 0
+++call safe_debug_print ($tmp)
#<INVALID_LISP_OBJECT 0x55559406b720>
+++set print_output_debug_flag = $output_debug

The segfault apparently (and I may be wrong of course) deals with
INVALID_LISP_OBJECT. Is it possible to track where the object gets such
status?
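
The pointer arithmetic traced by the `xgetptr`/`xsymname` macros above, redone in C as an added example (not code from Emacs or from anyone in this thread), with a check of the decoded pointer against a memory map. It assumes `$3` and `$4` were decoded from the same object and that tags occupy the low three bits with the symbol tag equal to 0; `infer_lispsym`, `classify_symbol_word` and the memory map are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption (not stated in the thread): tags live in the low 3 bits and
   the symbol tag is 0, so VALMASK clears exactly those bits.  */
#define TAG_BITS   3
#define TAG_MASK   ((UINT64_C(1) << TAG_BITS) - 1)
#define VALMASK    (~TAG_MASK)
#define SYMBOL_TAG 0

/* Values copied from the gdb output quoted in the thread.  */
#define SYM_WORD    UINT64_C(0x55559406b720) /* $4 = XIL(0x55559406b720) */
#define DECODED_PTR UINT64_C(0xaaaae9bb11e0) /* $3 = (struct Lisp_Symbol *) ... */
#define FAULT_ADDR  UINT64_C(0xaaaae9bb11e8) /* "Cannot access memory at ..." */
/* Offset of u.s.name implied by the two addresses above.  */
#define NAME_OFFSET (FAULT_ADDR - DECODED_PTR)

struct region { uint64_t start, end; const char *name; };

/* CONSTRUCTED memory map, for illustration only.  On a live session,
   substitute the ranges printed by gdb's "info proc mappings".  */
const struct region sample_map[] = {
  { UINT64_C(0x555555554000), UINT64_C(0x555555a00000), "emacs text" },
  { UINT64_C(0x555555a00000), UINT64_C(0x555555e00000), "emacs data/bss" },
  { UINT64_C(0x555555e00000), UINT64_C(0x5555a0000000), "[heap]" },
  { UINT64_C(0x7ffff0000000), UINT64_C(0x7ffffffff000), "libs and stack" },
};
#define SAMPLE_MAP_LEN (sizeof sample_map / sizeof sample_map[0])

enum verdict {
  PLAUSIBLE_SYMBOL,       /* decoded pointer and its name field are mapped */
  NOT_SYMBOL_TAG,         /* low bits do not carry the symbol tag */
  RAW_POINTER_AS_SYMBOL,  /* decode is unmapped, but the word itself is mapped */
  UNMAPPED                /* neither the decode nor the word is mapped */
};

/* Same step as the macro: $ptr = (char *) &lispsym + ($sym.i & VALMASK).  */
uint64_t symbol_pointer(uint64_t word, uint64_t lispsym)
{
  return lispsym + (word & VALMASK);
}

/* Invert that step to recover &lispsym from one (word, pointer) pair.  */
uint64_t infer_lispsym(uint64_t word, uint64_t decoded)
{
  return decoded - (word & VALMASK);
}

const struct region *find_region(const struct region *map, size_t n,
                                 uint64_t addr)
{
  for (size_t i = 0; i < n; i++)
    if (addr >= map[i].start && addr < map[i].end)
      return &map[i];
  return NULL;
}

enum verdict classify_symbol_word(uint64_t word, uint64_t lispsym,
                                  const struct region *map, size_t n)
{
  if ((word & TAG_MASK) != SYMBOL_TAG)
    return NOT_SYMBOL_TAG;
  uint64_t p = symbol_pointer(word, lispsym);
  /* SYMBOL_NAME reads the 8-byte name field, so its last byte must be
     mapped too, not only the start of the struct.  */
  if (find_region(map, n, p) && find_region(map, n, p + NAME_OFFSET + 7))
    return PLAUSIBLE_SYMBOL;
  /* The word is itself a mapped address: consistent with a native pointer
     (or an object whose tag was lost) being read as a symbol offset.  */
  if (find_region(map, n, word))
    return RAW_POINTER_AS_SYMBOL;
  return UNMAPPED;
}

int main(void)
{
  static const char *const text[] = {
    "plausible symbol", "not a symbol tag",
    "raw pointer read as symbol", "unmapped"
  };
  uint64_t lispsym = infer_lispsym(SYM_WORD, DECODED_PTR);
  printf("inferred &lispsym  = 0x%llx\n", (unsigned long long) lispsym);
  printf("name field address = 0x%llx\n",
         (unsigned long long) (symbol_pointer(SYM_WORD, lispsym) + NAME_OFFSET));
  printf("verdict            = %s\n",
         text[classify_symbol_word(SYM_WORD, lispsym,
                                   sample_map, SAMPLE_MAP_LEN)]);
  return 0;
}
```

The verdict for the thread's value depends on the constructed map; only the arithmetic (`&lispsym` and the faulting address of the name field) follows from the addresses quoted in the messages.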








Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 18 Nov 2025 15:26:41 +0000
Date: Tue, 18 Nov 2025 17:26:17 +0200
Message-Id: <86seebjrae.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: andrei.elkin@HIDDEN
In-Reply-To: <87seebv0el.fsf@quad> (andrei.elkin@HIDDEN)
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN> <87seebv0el.fsf@quad>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org

> From: andrei.elkin@HIDDEN
> Cc: 79854 <at> debbugs.gnu.org
> Date: Tue, 18 Nov 2025 17:13:54 +0200
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> >> From: andrei.elkin@HIDDEN
> >> Cc: 79854 <at> debbugs.gnu.org
> >> Date: Tue, 18 Nov 2025 16:26:19 +0200
> >> 
> >> >> when approximately at time I attempted to copy-paste a piece of text
> >> >> from the system clipboard (X11/xfce4 window manager).
> >> >
> >> > What was the piece of text, and which application produced it?
> >> 
> >> Emacs was run under gdb, which itself was in a screen session.
> >>  "...Segmentation fault.ld_to_fill()" is probably from outside of emacs
> >>  (I could not grep that symbol in the emacs sources).
> >
> > No, I mean which application put the text into the clipboard?
> 
> I am not sure what it was, my bad.. (as I did expect something bad to
> re-occur at one point). Probably it was from an emacs frame that I
> mouse-selected. Besides I had gnome-terminals and firefox.
> 
> The crashed emacs instance is accessed via ssh from another box + emacsclient.
> 
> >
> >> (gdb) xsymbol 
> >> +xsymbol 
> >> ++set $sym = $
> >> ++xgetsym $sym
> >> +++xgetptr $sym
> >> ++++if (CHECK_LISP_OBJECT_TYPE)
> >> +++++set $bugfix = $sym.i
> >> ++++set $ptr = (EMACS_INT) $bugfix & VALMASK
> >> +++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
> >> ++print (struct Lisp_Symbol *) $ptr
> >> $3 = (struct Lisp_Symbol *) 0xaaaae9bb11e0
> >> ++xprintsym $sym
> >> +++xsymname $sym
> >> ++++xgetsym $sym
> >> +++++xgetptr $sym
> >> ++++++if (CHECK_LISP_OBJECT_TYPE)
> >> +++++++set $bugfix = $sym.i
> >> ++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
> >> +++++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
> >> ++++set $symname = $ptr->u.s.name
> >> Cannot access memory at address 0xaaaae9bb11e8
> >
> > Sorry, I have no idea how that happens.  In general, Emacs tried to
> > report some error, but that's all I see from the backtrace.
> 
> It might come back I believe (given my rather routine use of Emacs).
> Anything you might suggest to catch something essential in future?

It would be good to understand what caused Emacs to signal an error in
the first place.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 18 Nov 2025 15:14:24 +0000
From: andrei.elkin@HIDDEN
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad> <86wm3njshf.fsf@HIDDEN>
Date: Tue, 18 Nov 2025 17:13:54 +0200
In-Reply-To: <86wm3njshf.fsf@HIDDEN> (Eli Zaretskii's message of "Tue, 18 Nov
 2025 17:00:28 +0200")
Message-ID: <87seebv0el.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

>> From: andrei.elkin@HIDDEN
>> Cc: 79854 <at> debbugs.gnu.org
>> Date: Tue, 18 Nov 2025 16:26:19 +0200
>> 
>> >> when approximately at time I attempted to copy-paste a piece of text
>> >> from the system clipboard (X11/xfce4 window manager).
>> >
>> > What was the piece of text, and which application produced it?
>> 
>> Emacs was run under gdb, which itself was in a screen session.
>>  "...Segmentation fault.ld_to_fill()" is probably from outside of emacs
>>  (I could not grep that symbol in the emacs sources).
>
> No, I mean which application put the text into the clipboard?

I am not sure what it was, my bad.. (as I did expect something bad to
re-occur at one point). Probably it was from an emacs frame that I
mouse-selected. Besides I had gnome-terminals and firefox.

The crashed emacs instance is accessed via ssh from another box + emacsclient.

>
>> (gdb) xsymbol 
>> +xsymbol 
>> ++set $sym = $
>> ++xgetsym $sym
>> +++xgetptr $sym
>> ++++if (CHECK_LISP_OBJECT_TYPE)
>> +++++set $bugfix = $sym.i
>> ++++set $ptr = (EMACS_INT) $bugfix & VALMASK
>> +++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
>> ++print (struct Lisp_Symbol *) $ptr
>> $3 = (struct Lisp_Symbol *) 0xaaaae9bb11e0
>> ++xprintsym $sym
>> +++xsymname $sym
>> ++++xgetsym $sym
>> +++++xgetptr $sym
>> ++++++if (CHECK_LISP_OBJECT_TYPE)
>> +++++++set $bugfix = $sym.i
>> ++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
>> +++++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
>> ++++set $symname = $ptr->u.s.name
>> Cannot access memory at address 0xaaaae9bb11e8
>
> Sorry, I have no idea how that happens.  In general, Emacs tried to
> report some error, but that's all I see from the backtrace.

It might come back I believe (given my rather routine use of Emacs).
Anything you might suggest to catch something essential in future?





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 18 Nov 2025 15:00:40 +0000
Date: Tue, 18 Nov 2025 17:00:28 +0200
Message-Id: <86wm3njshf.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: andrei.elkin@HIDDEN
In-Reply-To: <87wm3nv2lw.fsf@quad> (andrei.elkin@HIDDEN)
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
 <87wm3nv2lw.fsf@quad>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org

> From: andrei.elkin@HIDDEN
> Cc: 79854 <at> debbugs.gnu.org
> Date: Tue, 18 Nov 2025 16:26:19 +0200
> 
> >> when approximately at time I attempted to copy-paste a piece of text
> >> from the system clipboard (X11/xfce4 window manager).
> >
> > What was the piece of text, and which application produced it?
> 
> Emacs was run under gdb, which itself was in a screen session.
>  "...Segmentation fault.ld_to_fill()" is probably from outside of emacs
>  (I could not grep that symbol in the emacs sources).

No, I mean which application put the text into the clipboard?

> (gdb) xsymbol 
> +xsymbol 
> ++set $sym = $
> ++xgetsym $sym
> +++xgetptr $sym
> ++++if (CHECK_LISP_OBJECT_TYPE)
> +++++set $bugfix = $sym.i
> ++++set $ptr = (EMACS_INT) $bugfix & VALMASK
> +++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
> ++print (struct Lisp_Symbol *) $ptr
> $3 = (struct Lisp_Symbol *) 0xaaaae9bb11e0
> ++xprintsym $sym
> +++xsymname $sym
> ++++xgetsym $sym
> +++++xgetptr $sym
> ++++++if (CHECK_LISP_OBJECT_TYPE)
> +++++++set $bugfix = $sym.i
> ++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
> +++++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
> ++++set $symname = $ptr->u.s.name
> Cannot access memory at address 0xaaaae9bb11e8

Sorry, I have no idea how that happens.  In general, Emacs tried to
report some error, but that's all I see from the backtrace.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Received: (at 79854) by debbugs.gnu.org; 18 Nov 2025 14:26:51 +0000
From: andrei.elkin@HIDDEN
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
Organization: Home sweet home
References: <871plwwglx.fsf@quad> <86a50jlbsk.fsf@HIDDEN>
Date: Tue, 18 Nov 2025 16:26:19 +0200
In-Reply-To: <86a50jlbsk.fsf@HIDDEN> (Eli Zaretskii's message of "Tue, 18 Nov
 2025 15:18:03 +0200")
Message-ID: <87wm3nv2lw.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 79854
Cc: 79854 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

>> Date: Mon, 17 Nov 2025 22:26:18 +0200
>> From: andrei.elkin--- via "Bug reports for GNU Emacs,
>>  the Swiss army knife of text editors" <bug-gnu-emacs@HIDDEN>
>> 
>> Salve dear gurus!
>> 
>> Emacs of
>>   c9372ced9c0 (HEAD -> master, origin/master, origin/HEAD) : Update ldefs-boot.el.
>> is built with
>>  $ ./configure --with-x-toolkit=lucid --enable-checking=yes,glyphs --enable-check-lisp-object-type 'CFLAGS=-ggdb3 -O0' LDFLAGS=-ggdb3 'CXXFLAGS=-ggdb3 -O0' --no-create
>> 
>> run under gdb to freeze with
>> 
>> Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.ld_to_fill(),                         |is displayed.  Here is sample code:
>>                                                           *va0x00005555558b4259 in SYMBOL_NAME (sym=...) at lisp.h:2364w-code-setup ()
>> /usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259                       |    ;; use `ffip-diff-mode' from package find-file-in-project instead of `diff-mode'
>> 
>> when approximately at time I attempted to copy-paste a piece of text
>> from the system clipboard (X11/xfce4 window manager).
>
> What was the piece of text, and which application produced it?

Emacs was run under gdb, which itself was in a screen session.
 "...Segmentation fault.ld_to_fill()" is probably from outside of emacs
 (I could not grep that symbol in the emacs sources).

>
> Also, your report lacks the data about the Emacs build and the
> underlying OS, which "M-x report-emacs-bug" collects.  That could be
> relevant, so please post it.

Done now:

---------------------------------------------------------------------
In GNU Emacs 31.0.50 (build 2, x86_64-pc-linux-gnu, X toolkit, cairo
 version 1.18.0, Xaw3d scroll bars) of 2025-11-15 built on
 andrei-MS-7D96
Repository revision: c9372ced9c03eac6dfaa2dedbb4033ce0a253499
Repository branch: master
System Description: Ubuntu 24.04.3 LTS

Configured using:
 'configure --with-x-toolkit=lucid --enable-checking=yes,glyphs
 --enable-check-lisp-object-type 'CFLAGS=-ggdb3 -O0' LDFLAGS=-ggdb3
 'CXXFLAGS=-ggdb3 -O0''

Configured features:
ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GPM GSETTINGS HARFBUZZ JPEG
LCMS2 LIBOTF LIBSELINUX LIBSYSTEMD LIBXML2 M17N_FLT MODULES NATIVE_COMP
NOTIFY INOTIFY PDUMPER PNG RSVG SECCOMP SOUND SQLITE3 THREADS TIFF
TOOLKIT_SCROLL_BARS TREE_SITTER WEBP X11 XAW3D XDBE XIM XINERAMA XINPUT2
XPM XRANDR LUCID ZLIB

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Dired by name

Minor modes in effect:
  desktop-save-mode: t
  winner-mode: t
  global-git-commit-mode: t
  magit-auto-revert-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  show-paren-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tab-bar-history-mode: t
  tab-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  minibuffer-nonselected-mode: t
  minibuffer-regexp-mode: t
  buffer-read-only: t
  column-number-mode: t
  line-number-mode: t
  indent-tabs-mode: t
  transient-mark-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug lisp-mnt grep oc-basic org-element
org-persist org-id org-refile org-element-ast avl-tree generator ol-eww
eww vtable url-queue mm-url ol-rmail ol-mhe ol-irc ol-info ol-gnus
nnselect gnus-art mm-uu mml2015 mm-view mml-smime smime dig gnus-sum shr
pixel-fill kinsoku url-file svg gnus-group gnus-undo gnus-start
gnus-dbus dbus xml gnus-cloud nnimap nnmail mail-source utf7 nnoo
parse-time gnus-spec gnus-int gnus-range message sendmail rfc822 mml
mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231 rfc2047 rfc2045
ietf-drums mailabbrev gmm-utils mailheader gnus-win gnus nnheader
gnus-util mail-utils range mm-util mail-prsvr ol-docview doc-view
jka-compr image-mode exif ol-bibtex bibtex iso8601 ol-bbdb ol-w3m ol-doi
org-link-doi org ob ob-tangle ob-ref ob-lob ob-table ob-exp org-macro
org-src ob-comint org-pcomplete org-list org-footnote org-faces
org-entities ob-emacs-lisp ob-core ob-eval org-cycle org-table ol
org-fold org-fold-core org-keys oc org-loaddefs cal-menu calendar
cal-loaddefs org-version org-compat org-macs yank-media hi-lock
perl-mode edebug debug backtrace sh-script smie executable log-view
lsp-inline-completion follow bug-reference hideshow lsp-lens
lsp-diagnostics lsp-modeline lsp-headerline lsp-icons lsp-zig lsp-yang
lsp-yaml lsp-xml lsp-wgsl lsp-volar lsp-vimscript lsp-vhdl lsp-vetur
lsp-html lsp-verilog lsp-vala lsp-v lsp-typos lsp-typespec lsp-typeprof
lsp-ttcn3 lsp-ts-query lsp-trunk lsp-toml-tombi lsp-toml lsp-tilt
lsp-tex lsp-terraform lsp-svelte lsp-steep lsp-sqls lsp-sql lsp-sorbet
lsp-solidity lsp-solargraph lsp-semgrep lsp-rust lsp-ruff
lsp-ruby-syntax-tree lsp-ruby-lsp lsp-rubocop lsp-roslyn lsp-roc lsp-rf
lsp-remark lsp-racket lsp-r lsp-qml lsp-python-ty lsp-pylsp lsp-pyls
lsp-pwsh lsp-purescript lsp-postgres lsp-pls lsp-php lsp-perlnavigator
lsp-perl lsp-openscad lsp-odin lsp-ocaml find-file lsp-nushell lsp-nix
lsp-nim lsp-nginx lsp-nextflow lsp-move lsp-mojo lsp-mint lsp-meson
lsp-mdx lsp-matlab lsp-marksman lsp-markdown lsp-magik lsp-fennel
lsp-lua lsp-lisp lsp-kubernetes-helm lsp-kotlin lsp-json lsp-jq
lsp-javascript lsp-idris lsp-haxe lsp-hack lsp-groovy lsp-graphql
lsp-golangci-lint lsp-glsl lsp-gleam lsp-gdscript lsp-fsharp lsp-futhark
lsp-fortran lsp-eslint lsp-erlang lsp-emmet lsp-elm lsp-elixir
lsp-earthly lsp-dockerfile lsp-dhall lsp-d lsp-cypher lsp-cucumber
lsp-copilot lsp-css lsp-c3 lsp-csharp gnutls lsp-crystal lsp-credo
lsp-cobol lsp-cmake lsp-clojure lsp-clangd dom lsp-bufls lsp-go
lsp-completion lsp-beancount lsp-bash lsp-awk lsp-autotools lsp-astro
lsp-asm lsp-ansible lsp-angular lsp-ada lsp-semantic-tokens
lsp-actionscript vc-git files-x vc-dispatcher tabify cl-print help-fns
radix-tree misearch multi-isearch apropos selected-window-contrast
desktop treesit-fold treesit-fold-summary treesit-fold-parsers
treesit-fold-util mule-util lsp-ui lsp-ui-doc goto-addr lsp-ui-imenu
lsp-ui-peek lsp-ui-sideline lsp-ui-util face-remap find-func frameset
winner cus-edit cus-start cus-load magit-submodule magit-blame
magit-stash magit-reflog magit-bisect magit-push magit-pull magit-fetch
magit-clone magit-remote magit-commit magit-sequence magit-notes
magit-worktree magit-tag magit-merge magit-branch magit-reset
magit-files magit-refs magit-status magit epa derived magit-repos
magit-apply magit-wip magit-log which-func magit-diff smerge-mode diff
diff-mode track-changes easy-mmode git-commit log-edit pcvs-util add-log
magit-core magit-margin magit-transient c++-ts-mode c-ts-mode
c-ts-common treesit gud advice lsp lsp-mode lsp-protocol xref project
tree-widget wid-edit spinner network-stream puny nsm markdown-mode color
noutline outline lv inline imenu ht f s ewoc epg rfc6068 epg-config dash
compile text-property-search sql view thingatpt cc-mode cc-fonts
cc-guess cc-menus cc-cmds cc-styles cc-align cc-engine cc-vars cc-defs
use-package-core finder-inf blamer-autoloads async-autoloads
git-link-autoloads git-timemachine-autoloads lsp-ui-autoloads
lsp-mode-autoloads ht-autoloads f-autoloads dash-autoloads lv-autoloads
magit-autorevert autorevert filenotify magit-process with-editor shell
pcomplete comint ansi-osc ring server ansi-color magit-mode transient pp
edmacro kmacro benchmark magit-git magit-base magit-section format-spec
cursor-sensor crm llama comp comp-cstr cond-let compat magit-autoloads
pcase magit-section-autoloads llama-autoloads cond-let-autoloads
markdown-mode-autoloads posframe-autoloads s-autoloads
selected-window-accent-mode-autoloads selected-window-contrast-autoloads
spinner-autoloads treesit-fold-autoloads vc-msg-autoloads
popup-autoloads info with-editor-autoloads package browse-url xdg url
url-proxy url-privacy url-expand url-methods url-history url-cookie
generate-lisp-file url-domsuf url-util mailcap url-handlers url-parse
auth-source cl-seq eieio eieio-core cl-macs password-cache json map
url-vars cl-extra help-mode warnings icons dired-aux dired
dired-loaddefs comp-run comp-common rx time-date subr-x cl-loaddefs
cl-lib term/screen term/xterm xterm byte-opt gv bytecomp byte-compile
rmc iso-transl tooltip cconv eldoc paren electric uniquify ediff-hook
vc-hooks lisp-float-type elisp-mode mwheel term/x-win x-win
term/common-win x-dnd touch-screen tool-bar dnd fontset image regexp-opt
fringe tabulated-list replace newcomment text-mode lisp-mode prog-mode
register page tab-bar menu-bar rfn-eshadow isearch easymenu timer select
scroll-bar mouse jit-lock font-lock syntax font-core term/tty-colors
frame minibuffer nadvice seq simple cl-generic indonesian philippine
cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech
european ethiopic indian cyrillic chinese composite emoji-zwj charscript
charprop case-table epa-hook jka-cmpr-hook help abbrev obarray oclosure
cl-preloaded button loaddefs theme-loaddefs faces cus-face macroexp
files window text-properties overlay sha1 md5 base64 format env
code-pages mule custom widget keymap hashtable-print-readable backquote
threads dbusbind inotify lcms2 dynamic-setting system-font-setting
font-render-setting cairo x-toolkit xinput2 x multi-tty move-toolbar
make-network-process tty-child-frames native-compile emacs)

Memory information:
((conses 16 2986593 313547) (symbols 48 65056 0)
 (strings 32 368692 30495) (string-bytes 1 11023448)
 (vectors 16 177443) (vector-slots 8 2901328 207635)
 (floats 8 9980 155681) (intervals 56 219937 1278) (buffers 1064 1777))
------------------------------------------------------------------------
>
>> The gdb session is alive and can be queried by your requests.
>> 
>> Cheers,
>> 
>> Andrei
>> 
>> 
>> (gdb) bt
>> +bt   
>> #0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
>> #1 0x00005555558bc7e9 in print_object (obj=XIL(0x55559406b720),
>> printcharfun=XIL(0x30), escapeflag=true) at print.c:2460
>
> First things first:
>
>   (gdb) frame 0
>   (gdb) print sym
>   (gdb) xtype
>

+f 0
#0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
/usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259
(gdb) print sym
+print sym
$2 = XIL(0x55559406b720)
(gdb) xtype
+xtype
++xgettype $
+++if (CHECK_LISP_OBJECT_TYPE)
++++set $bugfix = $.i
+++set $type = (enum Lisp_Type) (USE_LSB_TAG ? (EMACS_INT) $bugfix & (1 << GCTYPEBITS) - 1 : (EMACS_UINT) $bugfix >> VALBITS)
++output $type
Lisp_Symbol++echo \n

++if $type == Lisp_Vectorlike


> If the last command says it's a Lisp symbol, then follow with
>
>   (gdb) xsymbol


(gdb) xsymbol 
+xsymbol 
++set $sym = $
++xgetsym $sym
+++xgetptr $sym
++++if (CHECK_LISP_OBJECT_TYPE)
+++++set $bugfix = $sym.i
++++set $ptr = (EMACS_INT) $bugfix & VALMASK
+++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
++print (struct Lisp_Symbol *) $ptr
$3 = (struct Lisp_Symbol *) 0xaaaae9bb11e0
++xprintsym $sym
+++xsymname $sym
++++xgetsym $sym
+++++xgetptr $sym
++++++if (CHECK_LISP_OBJECT_TYPE)
+++++++set $bugfix = $sym.i
++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
+++++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
++++set $symname = $ptr->u.s.name
Cannot access memory at address 0xaaaae9bb11e8
(gdb) 
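
The arithmetic that the traced `xtype` and `xsymbol` macros perform on the crashing word, as an added C example that is not part of the bug thread or of the Emacs sources. It assumes a 64-bit build with `USE_LSB_TAG`, `GCTYPEBITS` of 3 and the matching `Lisp_Type` tag values; the `lispsym` base is not printed in the session and is derived here from `$3` and the symbol word.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed build parameters: 64-bit EMACS_INT, USE_LSB_TAG, GCTYPEBITS == 3. */
enum { GCTYPEBITS = 3 };
#define TAGMASK ((UINT64_C(1) << GCTYPEBITS) - 1)
#define VALMASK (~TAGMASK)

/* Tag values of enum Lisp_Type under USE_LSB_TAG (assumed for this build). */
enum lisp_type {
  LISP_SYMBOL = 0, LISP_UNUSED0 = 1, LISP_INT0 = 2, LISP_CONS = 3,
  LISP_STRING = 4, LISP_VECTORLIKE = 5, LISP_INT1 = 6, LISP_FLOAT = 7
};

/* Offset of u.s.name inside struct Lisp_Symbol, read off the session:
   the struct is at ...11e0 and the failed read is at ...11e8. */
enum { SYMBOL_NAME_OFFSET = 8 };

/* xgettype: the tag is the low GCTYPEBITS bits of the word. */
static enum lisp_type lisp_tag(uint64_t word) { return (enum lisp_type)(word & TAGMASK); }

/* xgetptr: strip the tag bits. */
static uint64_t lisp_payload(uint64_t word) { return word & VALMASK; }

/* xgetsym: a symbol word is an offset from &lispsym, not an absolute address. */
static uint64_t symbol_struct_addr(uint64_t word, uint64_t lispsym)
{ return lispsym + lisp_payload(word); }

/* Recover &lispsym from one (word, struct address) pair printed by gdb. */
static uint64_t infer_lispsym(uint64_t word, uint64_t struct_addr)
{ return struct_addr - lisp_payload(word); }

static const char *tag_name(enum lisp_type t)
{
  static const char *const names[] = { "Lisp_Symbol", "Lisp_Type_Unused0",
    "Lisp_Int0", "Lisp_Cons", "Lisp_String", "Lisp_Vectorlike",
    "Lisp_Int1", "Lisp_Float" };
  return names[t];
}

int main(void)
{
  /* Values copied from the gdb session in this thread. */
  const uint64_t sym_word = UINT64_C(0x55559406b720);    /* sym in frame 0 */
  const uint64_t sym_struct = UINT64_C(0xaaaae9bb11e0);  /* $3 */
  const uint64_t others[] = { UINT64_C(0x5555936f6543),  /* data */
                              UINT64_C(0x7ffff005f1ed),  /* fun */
                              UINT64_C(0x30) };          /* printcharfun */
  uint64_t lispsym = infer_lispsym(sym_word, sym_struct);

  printf("&lispsym (derived)      = 0x%" PRIx64 "\n", lispsym);
  printf("sym  0x%" PRIx64 ": %s, struct at 0x%" PRIx64 ", name read at 0x%" PRIx64 "\n",
         sym_word, tag_name(lisp_tag(sym_word)),
         symbol_struct_addr(sym_word, lispsym),
         symbol_struct_addr(sym_word, lispsym) + SYMBOL_NAME_OFFSET);
  for (size_t i = 0; i < sizeof others / sizeof others[0]; i++)
    printf("word 0x%" PRIx64 ": %s, payload 0x%" PRIx64 "\n", others[i],
           tag_name(lisp_tag(others[i])), lisp_payload(others[i]));
  printf("printcharfun struct at  0x%" PRIx64 "\n",
         symbol_struct_addr(others[2], lispsym));
  return 0;
}
```

The derived name-field address equals the one in gdb's "Cannot access memory" message, and `printcharfun=XIL(0x30)` resolves to an address just past the derived `lispsym` base, while the crashing word resolves far outside it.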






Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at 79854 <at> debbugs.gnu.org:


Date: Tue, 18 Nov 2025 15:18:03 +0200
Message-Id: <86a50jlbsk.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: andrei.elkin@HIDDEN
In-Reply-To: <871plwwglx.fsf@quad> (bug-gnu-emacs@HIDDEN)
Subject: Re: bug#79854: crash in emacs master branch: Segmentation
 fault.ld_to_fill()
References: <871plwwglx.fsf@quad>
Cc: 79854 <at> debbugs.gnu.org

> Date: Mon, 17 Nov 2025 22:26:18 +0200
> From: andrei.elkin--- via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs@HIDDEN>
> 
> Salve dear gurus!
> 
> Emacs of
>   c9372ced9c0 (HEAD -> master, origin/master, origin/HEAD) : Update ldefs-boot.el.
> is built with
>  $ ./configure --with-x-toolkit=lucid --enable-checking=yes,glyphs --enable-check-lisp-object-type 'CFLAGS=-ggdb3 -O0' LDFLAGS=-ggdb3 'CXXFLAGS=-ggdb3 -O0' --no-create
> 
> run under gdb to freeze with
> 
> Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.ld_to_fill(),                         |is displayed.  Here is sample code:
>                                                           *va0x00005555558b4259 in SYMBOL_NAME (sym=...) at lisp.h:2364w-code-setup ()
> /usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259                       |    ;; use `ffip-diff-mode' from package find-file-in-project instead of `diff-mode'
> 
> when approximately at the time I attempted to copy-paste a piece of text
> from the system clipboard (X11/xfce4 window manager).

What was the piece of text, and which application produced it?

Also, your report lacks the data about the Emacs build and the
underlying OS, which "M-x report-emacs-bug" collects.  That could be
relevant, so please post it.

> The gdb session is alive and can be queried by your requests.
> 
> Cheers,
> 
> Andrei
> 
> 
> (gdb) bt
> +bt   
> #0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
> #1  0x00005555558bc7e9 in print_object (obj=XIL(0x55559406b720), printcharfun=XIL(0x30), escapeflag=true) at print.c:2460

First things first:

  (gdb) frame 0
  (gdb) print sym
  (gdb) xtype

If the last command says it's a Lisp symbol, then follow with

  (gdb) xsymbol




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: andrei.elkin@HIDDEN
To: bug-gnu-emacs@HIDDEN
Subject: crash in emacs master branch: Segmentation fault.ld_to_fill()
Organization: Home sweet home
Date: Mon, 17 Nov 2025 22:26:18 +0200
Message-ID: <871plwwglx.fsf@quad>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain

Salve dear gurus!

Emacs of
  c9372ced9c0 (HEAD -> master, origin/master, origin/HEAD) : Update ldefs-boot.el.
is built with
 $ ./configure --with-x-toolkit=lucid --enable-checking=yes,glyphs --enable-check-lisp-object-type 'CFLAGS=-ggdb3 -O0' LDFLAGS=-ggdb3 'CXXFLAGS=-ggdb3 -O0' --no-create

run under gdb to freeze with

Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.ld_to_fill(),                         |is displayed.  Here is sample code:
                                                          *va0x00005555558b4259 in SYMBOL_NAME (sym=...) at lisp.h:2364w-code-setup ()
/usr/local/src/emacs/git/WTs/master/src/lisp.h:2364:74044:beg:0x5555558b4259                       |    ;; use `ffip-diff-mode' from package find-file-in-project instead of `diff-mode'

when approximately at the time I attempted to copy-paste a piece of text
from the system clipboard (X11/xfce4 window manager).

The gdb session is alive and can be queried by your requests.

Cheers,

Andrei


(gdb) bt
+bt   
#0  0x00005555558b4259 in SYMBOL_NAME (sym=XIL(0x55559406b720)) at lisp.h:2364
#1  0x00005555558bc7e9 in print_object (obj=XIL(0x55559406b720), printcharfun=XIL(0x30), escapeflag=true) at print.c:2460
#2  0x00005555558b901e in print (obj=XIL(0x55559406b720), printcharfun=XIL(0x30), escapeflag=true) at print.c:1323
#3  0x00005555558b7c0f in Fprin1 (object=XIL(0x55559406b720), printcharfun=XIL(0x30), overrides=XIL(0)) at print.c:786
#4  0x00005555558b8a40 in print_error_message (data=XIL(0x5555936f6543), stream=XIL(0x30), context=0x7ffff030fb25 "", caller=XIL(0xdbf0)) at print.c:1162
#5  0x000055555578f45c in Fcommand_error_default_function (data=XIL(0x5555936f6543), context=XIL(0x7fffef9ec9b4), signal=XIL(0xdbf0)) at keyboard.c:1100
#6  0x0000555555880551 in funcall_subr (subr=0x555555ab3fa0 <Scommand_error_default_function>, numargs=3, args=0x7fffeedff050) at eval.c:3249
#7  0x00005555558e3541 in exec_byte_code (fun=XIL(0x7ffff005f1ed), args_template=771, nargs=3, args=0x7fffffffd8d0) at bytecode.c:822
#8  0x0000555555880c15 in funcall_lambda (fun=XIL(0x7ffff005f1ed), nargs=3, arg_vector=0x7fffffffd8b8) at eval.c:3336
#9  0x000055555587fe8f in funcall_general (fun=XIL(0x7ffff005f1ed), numargs=3, args=0x7fffffffd8b8) at eval.c:3128
#10 0x0000555555880154 in Ffuncall (nargs=4, args=0x7fffffffd8b0) at eval.c:3177
#11 0x000055555578f1b3 in cmd_error_internal (data=XIL(0x5555936f6543), context=0x7fffffffd940 "") at keyboard.c:1042
#12 0x000055555578f05e in cmd_error (data=XIL(0x5555936f6543)) at keyboard.c:1010
#13 0x000055555587bebf in internal_condition_case (bfun=0x55555578fa4a <command_loop_1>, handlers=XIL(0x90), hfun=0x55555578ee3d <cmd_error>) at eval.c:1686
#14 0x000055555578f5ed in command_loop_2 (handlers=XIL(0x90)) at keyboard.c:1163
#15 0x000055555587b298 in internal_catch (tag=XIL(0x12750), func=0x55555578f5bf <command_loop_2>, arg=XIL(0x90)) at eval.c:1370
#16 0x000055555578f57b in command_loop () at keyboard.c:1141
#17 0x000055555578e8bf in recursive_edit_1 () at keyboard.c:749
#18 0x000055555578eaf3 in Frecursive_edit () at keyboard.c:832
#19 0x0000555555789ef5 in main (argc=7, argv=0x7fffffffdd58) at emacs.c:2629


(gdb) xbacktrace
+xbacktrace
++set $bt = backtrace_top ()
++while backtrace_p ($bt)
+++set $fun = backtrace_function ($bt)
+++xgettype $fun
++++if (CHECK_LISP_OBJECT_TYPE)
+++++set $bugfix = $fun.i
++++set $type = (enum Lisp_Type) (USE_LSB_TAG ? (EMACS_INT) $bugfix & (1 << GCTYPEBITS) - 1 : (EMACS_UINT) $bugfix >> VALBITS)
+++if $type == Lisp_Symbol
++++xprintsym $fun
+++++xsymname $fun
++++++xgetsym $fun
+++++++xgetptr $fun
++++++++if (CHECK_LISP_OBJECT_TYPE)
+++++++++set $bugfix = $fun.i
++++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
+++++++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
++++++set $symname = $ptr->u.s.name
+++++xgetptr $symname
++++++if (CHECK_LISP_OBJECT_TYPE)
+++++++set $bugfix = $symname.i
++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
+++++if $ptr != 0
++++++set $sym_name = (struct Lisp_String *) $ptr
++++++xprintstr $sym_name
+++++++if (! $arg0)
++++++++set $data = (char *) $sym_name->u.s.data
++++++++set $strsize = ($sym_name->u.s.size_byte < 0) ? ($sym_name->u.s.size & ~ARRAY_MARK_FLAG) : $sym_name->u.s.size_byte
++++++++if $strsize == 0
+++++++++output ($sym_name->u.s.size > 1000) ? 0 : ($data[0])@($strsize)
"command-error-default-function"++++printf " (0x%x)\n", backtrace_args ($bt)
 (0xeedff050)
+++set $bt = backtrace_next ($bt)
+++set $fun = backtrace_function ($bt)
+++xgettype $fun
++++if (CHECK_LISP_OBJECT_TYPE)
+++++set $bugfix = $fun.i
++++set $type = (enum Lisp_Type) (USE_LSB_TAG ? (EMACS_INT) $bugfix & (1 << GCTYPEBITS) - 1 : (EMACS_UINT) $bugfix >> VALBITS)
+++if $type == Lisp_Symbol
++++xprintsym $fun
+++++xsymname $fun
++++++xgetsym $fun
+++++++xgetptr $fun
++++++++if (CHECK_LISP_OBJECT_TYPE)
+++++++++set $bugfix = $fun.i
++++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
+++++++set $ptr = ((struct Lisp_Symbol *) ((char *) &lispsym + $ptr))
++++++set $symname = $ptr->u.s.name
+++++xgetptr $symname
++++++if (CHECK_LISP_OBJECT_TYPE)
+++++++set $bugfix = $symname.i
++++++set $ptr = (EMACS_INT) $bugfix & VALMASK
+++++if $ptr != 0
++++++set $sym_name = (struct Lisp_String *) $ptr
++++++xprintstr $sym_name
+++++++if (! $arg0)
++++++++set $data = (char *) $sym_name->u.s.data
++++++++set $strsize = ($sym_name->u.s.size_byte < 0) ? ($sym_name->u.s.size & ~ARRAY_MARK_FLAG) : $sym_name->u.s.size_byte
++++++++if $strsize == 0
+++++++++output ($sym_name->u.s.size > 1000) ? 0 : ($data[0])@($strsize)
"help-command-error-confusable-suggestions"++++printf " (0x%x)\n", backtrace_args ($bt)
 (0xffffd8b8)
+++set $bt = backtrace_next ($bt)




Acknowledgement sent to andrei.elkin@HIDDEN:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#79854; Package emacs. Full text available.
Last modified: Tue, 25 Nov 2025 20:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.