"Manfred Bartz" <MBartz(a)xix.com> writes:
> (gdb) where
> #0 0x40251601 in kill ()
> #1 0x808d449 in fatal_error_signal (sig=11) at emacs.c:272
> #2 <signal handler called>
> #3 0x813b021 in bufpos_to_bytind (buf=0x895a8b0, x=0) at insdel.c:1116
> #4 0x80f1764 in report_extent_modification (buffer=144025776, start=0, end=0, afterp=1) at extents.c:2272
> #5 0x813db40 in signal_after_change (buf=0x895a8b0, start=0, orig_end=32100, new_end=0) at insdel.c:2292
> #6 0x813eba5 in buffer_insert_string_1 (buf=0x895a8b0, pos=32100,
> nonreloc=0xbfffee28 "..."..., reloc=136867036, offset=0, length=1024, flags=0) at insdel.c:2565
> #7 0x813ebe6 in buffer_insert_raw_string_1 (buf=0x895a8b0, pos=-1,
> nonreloc=0xbfffee28 "..."..., length=1024, flags=0) at insdel.c:2585
Jan Vroonhof <vroonhof(a)math.ethz.ch> writes:
> This supposed to be fixed.. in 21.2.27+ (I am not sure those
> parameter values are correct).
>
> Hrvoje?
This might be a different bug from the one I fixed. This crash comes
from signal_after_change() being called with START==0, which triggers
the assert in bufpos_to_bytind. Also, the backtrace seems weird -- I
wonder if it comes from an optimized build?
buffer_insert_raw_string_1() gets pos==-1, but buffer_insert_string_1
gets pos==32100. I don't see code in buffer_insert_raw_string_1()
that handles that, but I suppose the optimizer could have done that.
Now, the really strange thing is the call to signal_after_change().
In my copy of the code, it looks like this:
signal_after_change (buf, pos, pos, pos + cclen);
UNGCPRO;
return cclen;
}
Notice that the first and the second argument are the same. In the
backtrace, they're not.
The only sense I can make out of it is that the crash doesn't come
from that call to signal_after_change(). What could happen is that
buffer_insert_string_1() calls prepare_to_modify_buffer(), which calls
signal_before_change(), which can call cancel_multiple_change(), which
calls signal_after_change().
The funcalls could be invisible due to optimizer having inlined them
in the code -- this is possible because all of the functions involved
are static.
I'm not sure whether this theory holds water, because nothing in the
backtrace seems to point to any code that calls begin_multiple_change.
read_process_output() does play weird games with narrowing, though.