bug#24640: Crashes in 25.1

On 8 October 2016 at 16:34, Eli Zaretskii <eliz@gnu.org> wrote:

> From: Reuben Thomas <rrt@sc3d.org>
> Date: Sat, 8 Oct 2016 16:26:30 +0100
> Cc: 24640@debbugs.gnu.org
>
> Well, can you tell why it crashed this time? IOW, what was the
> immediate cause of SIGSEGV?
>
> Exactly the same as before: crashed while lazy-reloading in desktop.el. At the same point as before, as far as
> I can tell.

No, I meant the immediate cause of SIGSEGV, one frame below the one
which invokes the signal handler. There must be some bad data there,
what it is?

Here's the current C backtrace:

#0 0x000000000054aa44 in mark_object (arg=<optimised out>) at alloc.c:6488
#1 0x000000000054a8fe in mark_object (arg=<optimised out>) at alloc.c:6452
#2 0x000000000054a8fe in mark_object (arg=<optimised out>) at alloc.c:6452
#3 0x000000000054a9cb in mark_object (arg=<optimised out>) at alloc.c:6539
#4 0x000000000054a9cb in mark_object (arg=<optimised out>) at alloc.c:6539
#5 0x000000000054b20c in Fgarbage_collect (end=0x7fffffff9a28) at alloc.c:5745
#6 0x000000000054b20c in Fgarbage_collect () at alloc.c:5979
#7 0x000000000059979e in exec_byte_code () at lisp.h:4656
#8 0x000000000059979e in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=6, args=<optimised out>, args@entry=0x937914 <pure+912340>) at bytecode.c:714
#9 0x0000000000562976 in funcall_lambda (fun=140737488330544, nargs=nargs@entry=6, arg_vector=0x937914 <pure+912340>,
    arg_vector@entry=0x7fffffff9ea0) at eval.c:2855
#10 0x0000000000562c3b in Ffuncall (nargs=nargs@entry=7, args=args@entry=0x7fffffff9e98) at eval.c:2754
#11 0x00000000005641d4 in Fapply (nargs=7, args=0x7fffffff9e98) at eval.c:2278
#12 0x0000000000562d41 in Ffuncall (nargs=8, args=args@entry=0x7fffffff9e90) at eval.c:2673
#13 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=3, args=<optimised out>, args@entry=0x236a3d4) at bytecode.c:880
#14 0x0000000000562976 in funcall_lambda (fun=140737488331264, nargs=nargs@entry=3, arg_vector=0x236a3d4,
    arg_vector@entry=0x7fffffffa188) at eval.c:2855
#15 0x0000000000562c3b in Ffuncall (nargs=nargs@entry=4, args=args@entry=0x7fffffffa180) at eval.c:2754
#16 0x00000000005641d4 in Fapply (nargs=4, args=0x7fffffffa180) at eval.c:2278
#17 0x0000000000562d41 in Ffuncall (nargs=5, args=args@entry=0x7fffffffa178) at eval.c:2673
#18 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=2, args=<optimised out>, args@entry=0x240e244) at bytecode.c:880
#19 0x0000000000562976 in funcall_lambda (fun=140737488332048, nargs=nargs@entry=2, arg_vector=0x240e244,
    arg_vector@entry=0x7fffffffa318) at eval.c:2855
#20 0x0000000000562c3b in Ffuncall (nargs=nargs@entry=3, args=0x7fffffffa310) at eval.c:2754
#21 0x0000000000564020 in Fapply (nargs=<optimised out>, args=0x7fffffffa488) at eval.c:2321
#22 0x0000000000562d41 in Ffuncall (nargs=3, args=args@entry=0x7fffffffa480) at eval.c:2673
#23 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=3, args=<optimised out>, args@entry=0x22fa6f4) at bytecode.c:880
#24 0x0000000000562976 in funcall_lambda (fun=140737488332496, nargs=nargs@entry=3, arg_vector=0x22fa6f4,
    arg_vector@entry=0x7fffffffa638) at eval.c:2855
#25 0x0000000000562c3b in Ffuncall (nargs=4, args=args@entry=0x7fffffffa630) at eval.c:2754
#26 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=1, args=<optimised out>, args@entry=0x2b7d384) at bytecode.c:880
#27 0x0000000000562976 in funcall_lambda (fun=140737488332992, nargs=nargs@entry=1, arg_vector=0x2b7d384,
    arg_vector@entry=0x7fffffffa800) at eval.c:2855
#28 0x0000000000562c3b in Ffuncall (nargs=2, args=args@entry=0x7fffffffa7f8) at eval.c:2754
#29 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=1, args=<optimised out>, args@entry=0x2b7d564) at bytecode.c:880
#30 0x0000000000562976 in funcall_lambda (fun=140737488333712, nargs=nargs@entry=1, arg_vector=0x2b7d564,
    arg_vector@entry=0x7fffffffab08) at eval.c:2855
#31 0x0000000000562c3b in Ffuncall (nargs=nargs@entry=2, args=args@entry=0x7fffffffab00) at eval.c:2754
#32 0x00000000005641d4 in Fapply (nargs=2, args=0x7fffffffab00) at eval.c:2278
#33 0x0000000000562d41 in Ffuncall (nargs=3, args=args@entry=0x7fffffffaaf8) at eval.c:2673
#34 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=args_template@entry=0, nargs=nargs@entry=0, args=<optimised out>, args@entry=0x0) at bytecode.c:880
#35 0x000000000056283f in funcall_lambda (fun=10562237, nargs=nargs@entry=3, arg_vector=arg_vector@entry=0x7fffffffad20)
    at eval.c:2921
#36 0x0000000000562c3b in Ffuncall (nargs=4, args=args@entry=0x7fffffffad18) at eval.c:2754
#37 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=args_template@entry=0, nargs=nargs@entry=0, args=<optimised out>, args@entry=0x0) at bytecode.c:880
#38 0x000000000056283f in funcall_lambda (fun=10569021, nargs=nargs@entry=2, arg_vector=arg_vector@entry=0x7fffffffaf60)
    at eval.c:2921
#39 0x0000000000562c3b in Ffuncall (nargs=3, args=args@entry=0x7fffffffaf58) at eval.c:2754
#40 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=args_template@entry=0, nargs=nargs@entry=0, args=<optimised out>, args@entry=0x0) at bytecode.c:880
#41 0x000000000056283f in funcall_lambda (fun=10570821, nargs=nargs@entry=0, arg_vector=arg_vector@entry=0x7fffffffb1a8)
    at eval.c:2921
#42 0x0000000000562c3b in Ffuncall (nargs=1, args=args@entry=0x7fffffffb1a0) at eval.c:2754
#43 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=0, args=<optimised out>, args@entry=0x2e5f674) at bytecode.c:880
#44 0x0000000000562976 in funcall_lambda (fun=140737488335872, nargs=nargs@entry=0, arg_vector=0x2e5f674,
    arg_vector@entry=0x7fffffffb388) at eval.c:2855
#45 0x0000000000562c3b in Ffuncall (nargs=1, args=args@entry=0x7fffffffb380) at eval.c:2754
#46 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=0, args=<optimised out>, args@entry=0x2e605a4) at bytecode.c:880
#47 0x0000000000562976 in funcall_lambda (fun=140737488336320, nargs=nargs@entry=0, arg_vector=0x2e605a4,
    arg_vector@entry=0x7fffffffb530) at eval.c:2855
#48 0x0000000000562c3b in Ffuncall (nargs=1, args=args@entry=0x7fffffffb528) at eval.c:2754
#49 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_temp---Type <return> to continue, or q <return> to quit---
late=<optimised out>, nargs=nargs@entry=1, args=<optimised out>, args@entry=0x2e56384) at bytecode.c:880
#50 0x0000000000562976 in funcall_lambda (fun=140737488336944, nargs=nargs@entry=1, arg_vector=0x2e56384,
    arg_vector@entry=0x7fffffffb7b0) at eval.c:2855
#51 0x0000000000562c3b in Ffuncall (nargs=2, args=args@entry=0x7fffffffb7a8) at eval.c:2754
#52 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=10, args=<optimised out>, args@entry=0x2ca3794) at bytecode.c:880
#53 0x0000000000562976 in funcall_lambda (fun=140737488337792, nargs=nargs@entry=10, arg_vector=0x2ca3794,
    arg_vector@entry=0x7fffffffb948) at eval.c:2855
#54 0x0000000000562c3b in Ffuncall (nargs=nargs@entry=11, args=0x7fffffffb940) at eval.c:2754
#55 0x0000000000564020 in Fapply (nargs=<optimised out>, args=0x7fffffffbb00) at eval.c:2321
#56 0x0000000000562d41 in Ffuncall (nargs=3, args=args@entry=0x7fffffffbaf8) at eval.c:2673
#57 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=0, args=<optimised out>, args@entry=0x2ca8ab4) at bytecode.c:880
#58 0x0000000000562976 in funcall_lambda (fun=140737488338240, nargs=nargs@entry=0, arg_vector=0x2ca8ab4,
    arg_vector@entry=0x7fffffffbcb0) at eval.c:2855
#59 0x0000000000562c3b in Ffuncall (nargs=1, args=args@entry=0x7fffffffbca8) at eval.c:2754
#60 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=<optimised out>, nargs=nargs@entry=0, args=<optimised out>, args@entry=0x2caaed4) at bytecode.c:880
#61 0x0000000000562976 in funcall_lambda (fun=140737488338960, nargs=nargs@entry=0, arg_vector=0x2caaed4,
    arg_vector@entry=0x7fffffffbf88) at eval.c:2855
#62 0x0000000000562c3b in Ffuncall (nargs=nargs@entry=1, args=args@entry=0x7fffffffbf80) at eval.c:2754
#63 0x00000000005641bc in Fapply (nargs=2, args=0x7fffffffbf80) at eval.c:2274
#64 0x0000000000562d41 in Ffuncall (nargs=3, args=args@entry=0x7fffffffbf78) at eval.c:2673
#65 0x00000000005975d3 in exec_byte_code (bytestr=<optimised out>, vector=<optimised out>, maxdepth=<optimised out>, args_template=args_template@entry=0, nargs=nargs@entry=0, args=<optimised out>, args@entry=0x0) at bytecode.c:880
#66 0x000000000056283f in funcall_lambda (fun=10146693, nargs=nargs@entry=1, arg_vector=arg_vector@entry=0x7fffffffc198)
    at eval.c:2921
#67 0x0000000000562c3b in Ffuncall (nargs=nargs@entry=2, args=args@entry=0x7fffffffc190) at eval.c:2754
#68 0x0000000000562f3a in call1 (fn=fn@entry=45264, arg1=arg1@entry=46400381) at eval.c:2552
#69 0x00000000004f49c8 in timer_check (idle_timers=<optimised out>, timers=<optimised out>) at keyboard.c:4427
#70 0x00000000004f49c8 in timer_check () at keyboard.c:4489
#71 0x00000000004f4d89 in readable_events (flags=flags@entry=1) at keyboard.c:3328
#72 0x00000000004f6608 in get_input_pending (flags=flags@entry=1) at keyboard.c:6725
#73 0x00000000004f8d78 in detect_input_pending_run_timers (do_display=do_display@entry=true) at keyboard.c:9862
#74 0x00000000005a2abb in wait_reading_process_output (time_limit=time_limit@entry=30, nsecs=nsecs@entry=0, read_kbd=read_kbd@entry=-1, do_display=do_display@entry=true, wait_for_cell=wait_for_cell@entry=0, wait_proc=wait_proc@entry=0x0, just_wait_proc=0) at process.c:4958
#75 0x0000000000422e12 in sit_for (timeout=<optimised out>, reading=reading@entry=true, display_option=display_option@entry=1) at dispnew.c:5762
#76 0x00000000004fb273 in read_char (commandflag=commandflag@entry=1, map=map@entry=76268163, prev_event=0, used_mouse_menu=used_mouse_menu@entry=0x7fffffffce3b, end_time=end_time@entry=0x0) at keyboard.c:2714
#77 0x00000000004fbeda in read_key_sequence (keybuf=keybuf@entry=0x7fffffffcf10, prompt=prompt@entry=0, dont_downcase_last=dont_downcase_last@entry=false, can_return_switch_frame=can_return_switch_frame@entry=true, fix_current_buffer=fix_current_buffer@entry=true, prevent_redisplay=prevent_redisplay@entry=false, bufsize=30) at keyboard.c:9063
#78 0x00000000004fdb26 in command_loop_1 () at keyboard.c:1365
#79 0x00000000005615b2 in internal_condition_case (bfun=bfun@entry=0x4fd920 <command_loop_1>, handlers=handlers@entry=19056, hfun=hfun@entry=0x4f4080 <cmd_error>) at eval.c:1309
#80 0x00000000004ef54c in command_loop_2 (ignore=ignore@entry=0) at keyboard.c:1107
#81 0x0000000000561553 in internal_catch (tag=tag@entry=45840, func=func@entry=0x4ef530 <command_loop_2>, arg=arg@entry=0)
    at eval.c:1074
#82 0x00000000004ef509 in command_loop () at keyboard.c:1086
#83 0x00000000004f3c77 in recursive_edit_1 () at keyboard.c:692
#84 0x00000000004f3fb8 in Frecursive_edit () at keyboard.c:763
#85 0x0000000000418dfe in main (argc=1, argv=0x7fffffffd298) at emacs.c:1626

Sorry I didn't post that before, the "bt" command only gives the Lisp backtrace, and I didn't think to try "where".

In frame #0, the code reads:

if (XMISCANY (obj)->gcmarkbit)
break;

at this point obj is 33, XMISCANY(obj) is 20, and gdb tells me "Cannot access memory at address 0x20".

If it helps, I'm happy to arrange some sort of live chat to get through the debugging process quicker.

http://rrt.sc3d.org

From:	Reuben Thomas
Subject:	bug#24640: Crashes in 25.1
Date:	Sat, 8 Oct 2016 23:08:51 +0100