bug#44313: 27.1.50; ns_mouse_position EXC_BAD_ACCESS crash

[Aaron Jensen]

On Fri, Oct 30, 2020 at 6:29 AM Eli Zaretskii <eliz@gnu.org> wrote:
> If f is non-NULL, I don't think it could case EXC_BAD_ACCESS, unless f
> is garbled and points outside of the process's address space.  Which
> is why we need to see the value of f and whether the address it points
> to could be accessed.

Looks like it's non-NULL and it can't be accessed.

(lldb) p f
(frame *) $12 = 0x00000009040f6c5d
(lldb) p *f
error: Couldn't apply expression side effects : Couldn't dematerialize
a result variable: couldn't read its memory
(lldb) p (f)->output_method
error: supposed to interpret, but failed: Interpreter couldn't read from memory

> For this, we need to see the Lisp-level backtrace at the crash.
> Sadly, AFAIK lldb doesn't support the commands in src/.gdbinit, so the
> only way to generate this I know of is to manually show the function
> called by each Funcall in the C backtrace.  Which is quite tedious.

Here is the lisp trace, deepest first:

(unsigned char *) $14 = 0x00000001003f413d "mouse-fixup-help-message"
(unsigned char *) $15 = 0x00000001003e2c94 "mouse-pixel-position"

And the whole trace:

* thread #1, queue = 'com.apple.main-thread', stop reason =
EXC_BAD_ACCESS (code=1, address=0x9040f6d4d)
  * frame #0: 0x0000000100378558
emacs`ns_mouse_position(fp=0x00007ffeefbfd3e8, insist=-1,
bar_window=0x00007ffeefbfd3e0, part=0x00007ffeefbfd3c4,
x=0x00007ffeefbfd3d8, y=0x00007ffeefbfd3d0, time=0x00007ffeefbfd3b8)
at nsterm.m:2536:12
    frame #1: 0x000000010001fefc emacs`Fmouse_pixel_position at frame.c:2494:7
    frame #2: 0x00000001002693c6
emacs`funcall_subr(subr=0x0000000100412bc8, numargs=0,
args=0x00007ffeefbfd588) at eval.c:2866:19
    frame #3: 0x0000000100268204 emacs`Ffuncall(nargs=1,
args=0x00007ffeefbfd580) at eval.c:2795:11
    frame #4: 0x00000001002d951e
emacs`exec_byte_code(bytestr=0x0000000104a2a0a4,
vector=0x0000000104a29fa5, maxdepth=0x000000000000002a,
args_template=0x0000000000000406, nargs=1, args=0x00007ffeefbfdcf8) at
bytecode.c:633:12
    frame #5: 0x000000010026985c
emacs`funcall_lambda(fun=0x0000000104a29f75, nargs=1,
arg_vector=0x00007ffeefbfdcf0) at eval.c:2990:11
    frame #6: 0x000000010026824e emacs`Ffuncall(nargs=2,
args=0x00007ffeefbfdce8) at eval.c:2797:11
    frame #7: 0x0000000100268d2f emacs`call1(fn=0x00000000000094b0,
arg1=0x00000001497f07f4) at eval.c:2655:10
    frame #8: 0x0000000100169ebf
emacs`show_help_echo(help=0x00000001497f07f4,
window=0x000000028c2d1c05, object=0x00000001b3a638e5,
pos=0x00000000000007ce) at keyboard.c:2093:14
    frame #9: 0x000000010016cb33 emacs`read_char(commandflag=1,
map=0x000000029d82b233, prev_event=0x0000000000000000,
used_mouse_menu=0x00007ffeefbfe7ef, end_time=0x0000000000000000) at
keyboard.c:3117:7
    frame #10: 0x0000000100166719
emacs`read_key_sequence(keybuf=0x00007ffeefbfeaf0,
prompt=0x0000000000000000, dont_downcase_last=false,
can_return_switch_frame=true, fix_current_buffer=true,
prevent_redisplay=false) at keyboard.c:9554:12
    frame #11: 0x0000000100165139 emacs`command_loop_1 at keyboard.c:1350:15
    frame #12: 0x0000000100261b4f
emacs`internal_condition_case(bfun=(emacs`command_loop_1 at
keyboard.c:1236), handlers=0x0000000000000090, hfun=(emacs`cmd_error
at keyboard.c:919)) at eval.c:1356:25
    frame #13: 0x000000010017ce8c
emacs`command_loop_2(ignore=0x0000000000000000) at keyboard.c:1091:11
    frame #14: 0x00000001002614ba
emacs`internal_catch(tag=0x000000000000c840,
func=(emacs`command_loop_2 at keyboard.c:1087),
arg=0x0000000000000000) at eval.c:1117:25
    frame #15: 0x00000001001640ca emacs`command_loop at keyboard.c:1070:2
    frame #16: 0x0000000100163f50 emacs`recursive_edit_1 at keyboard.c:714:9
    frame #17: 0x0000000100164299 emacs`Frecursive_edit at keyboard.c:786:3
    frame #18: 0x0000000100161764 emacs`main(argc=1,
argv=0x00007ffeefbff0a0) at emacs.c:2066:3
    frame #19: 0x00007fff6a33dcc9 libdyld.dylib`start + 1