bug#5856: 24.0.50; Crash in redisplay
From: Eli Zaretskii
Subject: bug#5856: 24.0.50; Crash in redisplay
Date: Fri, 09 Apr 2010 00:29:26 +0300
> Date: Thu, 08 Apr 2010 18:13:20 +0200
> From: Jan Djärv <jan.h.d@swipnet.se>
> CC: 5856@debbugs.gnu.org
>
> > How many of these "C-x b"s caused the list of possible completions to
> > exceed one screen line? If the answer is "many" or "all", then could
> > you try to figure out or recall if there was anything special about
> > the ones that caused crashes?
>
> Somewhere between "many" and "all". It is the same list of files I was
> editing. They mostly start on x (xsettings, xtern, xfns, xlwmenu, and so
> on), so it probably looked pretty much the same each time.
>
> There was nothing special about the one that caused a crash I can think of.
> It seems it just takes time. I just got a crash again, but this time I hadn't
> started it from gdb, unfortunately. Also, about 3-5 hours before it crashed
> this time.
I think I found the problem. The invalid glyph that caused the crash
was not supposed to be dereferenced. Its pointer is exactly the same
as `end', as your backtrace shows:
#0 0x000000000044d2f1 in set_cursor_from_row (w=0x1378d60, row=0x1fbf550,
matrix=0x18217a0, delta=0, delta_bytes=0, dy=0, dvpos=0) at
/home/jhd/src/emacs/fixes/src/xdisp.c:12775
glyph = 0x1fa5cd0
end = 0x1fa5cd0
But `end' points beyond the last glyph in the TEXT_AREA of the glyph
row:
struct glyph *end = glyph + row->used[TEXT_AREA];
If we dereference this pointer, we could be referencing uninitialized
memory, e.g. if there are no margins (i.e. no glyphs in the row after
TEXT_AREA).
The old code was careful not to dereference such a pointer, but when I
rewrote set_cursor_from_row, I failed to copy those precautions.
I installed a fix. Please see if it stops these crashes, and if so,
please close the bug report.
Thanks.
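The defect described above is a classic one-past-the-end pointer: `end = glyph + row->used[TEXT_AREA]` is a valid value to compare against, but not a valid glyph to read. The following is an added example, not Emacs code or the actual fix; it uses a hypothetical, much-simplified `struct glyph` and `struct glyph_row` (a flat fixed-capacity glyph array plus per-area `used[]` counts, loosely after Emacs's layout), and a `POISON` value that stands in for the stale or uninitialized memory that sits at `*end` when the row has no margin glyphs. `unguarded_charpos` mirrors the bug (it reads `*end` when no glyph matches) and `guarded_index` shows the check that keeps the scan from dereferencing it.

```c
/* Added example (not Emacs code): a one-past-the-end glyph pointer and the
   guard that prevents dereferencing it.  Structures are hypothetical. */
#include <stdio.h>

enum { LEFT_MARGIN_AREA, TEXT_AREA, RIGHT_MARGIN_AREA, LAST_AREA };

/* Simplified glyph: only the buffer position matters for this example. */
struct glyph {
  long charpos;
};

/* Simplified glyph row: one flat array of fixed capacity; used[] counts the
   live glyphs per area.  Slots past used[TEXT_AREA] may be stale. */
#define ROW_CAPACITY 8
struct glyph_row {
  struct glyph glyphs[ROW_CAPACITY];
  int used[LAST_AREA];
};

/* Stands in for whatever uninitialized memory happens to hold. */
#define POISON (-12345L)

/* Build a row with n text-area glyphs at charpos 100, 101, ... and no
   margin glyphs, so the slot at `end' is stale.  n must be < ROW_CAPACITY,
   otherwise `end' would point outside the array entirely (real UB). */
static void make_row (struct glyph_row *row, int n)
{
  for (int i = 0; i < ROW_CAPACITY; i++)
    row->glyphs[i].charpos = POISON;
  for (int i = 0; i < n && i < ROW_CAPACITY - 1; i++)
    row->glyphs[i].charpos = 100 + i;
  row->used[LEFT_MARGIN_AREA] = 0;
  row->used[TEXT_AREA] = (n < ROW_CAPACITY) ? n : ROW_CAPACITY - 1;
  row->used[RIGHT_MARGIN_AREA] = 0;
}

/* The defect: scan stops at `end' when nothing matches, and the result is
   read through that pointer anyway.  Here the read stays inside the array
   and merely returns POISON; in Emacs it was uninitialized memory. */
static long unguarded_charpos (int n, long target)
{
  struct glyph_row row;
  make_row (&row, n);
  struct glyph *glyph = row.glyphs;
  struct glyph *end = glyph + row.used[TEXT_AREA];
  while (glyph < end && glyph->charpos != target)
    ++glyph;
  return glyph->charpos;   /* BUG: glyph may equal end here */
}

/* The guard: `end' is only ever compared, never dereferenced.
   Returns the index of the matching glyph, or -1 if there is none. */
static int guarded_index (int n, long target)
{
  struct glyph_row row;
  make_row (&row, n);
  struct glyph *glyph = row.glyphs;
  struct glyph *end = glyph + row.used[TEXT_AREA];
  while (glyph < end && glyph->charpos != target)
    ++glyph;
  if (glyph == end)
    return -1;             /* no match: do not touch *end */
  return (int) (glyph - row.glyphs);
}

int main (void)
{
  printf ("unguarded, match:    %ld\n", unguarded_charpos (3, 101));
  printf ("unguarded, no match: %ld (stale slot)\n", unguarded_charpos (3, 999));
  printf ("guarded, match:      %d\n", guarded_index (3, 101));
  printf ("guarded, no match:   %d\n", guarded_index (3, 999));
  return 0;
}
```

With three glyphs and a missing target the unguarded scan returns `POISON`, the value of the stale slot at `end`; the guarded scan returns -1 without reading it. The same `glyph == end` test is what a reviewer should look for after any `while (glyph < end ...)` loop.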