bug#558: 23.0.60; crash on M-x make-frame-on-display

[Andreas Seltenreich]

> Please write in English if possible, because the Emacs maintainers
> usually do not have translators to read other languages for them.

> Your bug report will be posted to the emacs-pretest-bug@gnu.org mailing list.

> Please describe exactly what actions triggered the bug
> and the precise symptoms of the bug:

1. compiling emacs from CVS using
./configure --with-x-toolkit=no CFLAGS='-O2 -g -fno-crossjumping'
2. running emacs -Q -nw
3. now there's a 1 in 10 chance M-x make-frame-on-display RET :0 RET
will crash emacs with the following symptoms:

--8<---------------cut here---------------start------------->8---
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47821396663536 (LWP 3159)]
0x00002b7e4864e28e in XPending () from /usr/lib/libX11.so.6
(gdb) bt
#0  0x00002b7e4864e28e in XPending () from /usr/lib/libX11.so.6
#1  0x000000000049a33f in XTread_socket (terminal=0xefcb70, expected=1, 
hold_quit=0x7fff6301e830) at xterm.c:7193
#2  0x00000000004c2f05 in read_avail_input (expected=1) at keyboard.c:7086
#3  0x00000000004c2fea in handle_async_input () at keyboard.c:7313
#4  0x0000000000494a37 in x_term_init (display_name=20626963, xrm_option=0x0, 
resource_name=0x1c7c2b0 "emacs") at xterm.c:10128
#5  0x000000000049f783 in x_display_info_for_name (name=20626963) at xfns.c:4101
#6  0x00000000004a453d in Fx_create_frame (parms=28664357) at xfns.c:3149
#7  0x000000000052a4c6 in Ffuncall (nargs=<value optimized out>, args=<value 
optimized out>) at eval.c:3042
#8  0x000000000055f32b in Fbyte_code (bytestr=<value optimized out>, 
vector=19839377, maxdepth=28) at bytecode.c:678
#9  0x0000000000529f6f in funcall_lambda (fun=7562500, nargs=1, 
arg_vector=0x7fff6301ec38) at eval.c:3229
#10 0x000000000052a345 in Ffuncall (nargs=<value optimized out>, args=<value 
optimized out>) at eval.c:3088
#11 0x000000000055f32b in Fbyte_code (bytestr=<value optimized out>, 
vector=29642081, maxdepth=80) at bytecode.c:678
#12 0x0000000000529f6f in funcall_lambda (fun=8106276, nargs=1, 
arg_vector=0x7fff6301edc8) at eval.c:3229
#13 0x000000000052a345 in Ffuncall (nargs=<value optimized out>, args=<value 
optimized out>) at eval.c:3088
#14 0x000000000055f32b in Fbyte_code (bytestr=<value optimized out>, 
vector=10541745, maxdepth=26) at bytecode.c:678
#15 0x0000000000529f6f in funcall_lambda (fun=8103764, nargs=1, 
arg_vector=0x7fff6301ef98) at eval.c:3229
#16 0x000000000052a345 in Ffuncall (nargs=<value optimized out>, args=<value 
optimized out>) at eval.c:3088
#17 0x0000000000527522 in Fcall_interactively (function=29659713, 
record_flag=9669105, keys=9736036) at callint.c:857
#18 0x000000000052a4f4 in Ffuncall (nargs=<value optimized out>, args=<value 
optimized out>) at eval.c:3048
#19 0x000000000052a734 in call3 (fn=<value optimized out>, arg1=<value 
optimized out>, arg2=140734854457392, arg3=140734854457464) at eval.c:2868
#20 0x00000000004c092c in Fexecute_extended_command (prefixarg=9669009) at 
keyboard.c:10533
#21 0x000000000052a4c6 in Ffuncall (nargs=<value optimized out>, args=<value 
optimized out>) at eval.c:3042
#22 0x0000000000527522 in Fcall_interactively (function=9739089, 
record_flag=9669009, keys=9736036) at callint.c:857
#23 0x000000000052a4f4 in Ffuncall (nargs=<value optimized out>, args=<value 
optimized out>) at eval.c:3048
#24 0x000000000052a734 in call3 (fn=<value optimized out>, arg1=<value 
optimized out>, arg2=140734854457392, arg3=140734854457464) at eval.c:2868
#25 0x00000000004cd322 in command_loop_1 () at keyboard.c:1910
#26 0x0000000000528d34 in internal_condition_case (bfun=0x4ccf60 
<command_loop_1>, handlers=9756209, hfun=0x4c6ab0 <cmd_error>) at eval.c:1511
#27 0x00000000004c5d9a in command_loop_2 () at keyboard.c:1367
#28 0x0000000000528e37 in internal_catch (tag=<value optimized out>, 
func=0x4c5d80 <command_loop_2>, arg=9669009) at eval.c:1247
#29 0x00000000004c68f3 in command_loop () at keyboard.c:1346
#30 0x00000000004c6c8c in recursive_edit_1 () at keyboard.c:955
#31 0x00000000004c6df0 in Frecursive_edit () at keyboard.c:1017
#32 0x00000000004bc533 in main (argc=3, argv=0x7fff6301fe38) at emacs.c:1762

Lisp Backtrace:
  "x-create-frame" (0x6301eaa8)
  "x-create-frame-with-faces" (0x6301ec38)
  "make-frame" (0x6301edc8)
  "make-frame-on-display" (0x6301ef98)
  "call-interactively" (0x6301f1b8)
  "execute-extended-command" (0x6301f368)
  "call-interactively" (0x6301f578)
(gdb) up
#1  0x000000000049a33f in XTread_socket (terminal=0xefcb70, expected=1, 
hold_quit=0x7fff6301e830) at xterm.c:7193
(gdb) list
7188    #endif
7189        }
7190    #endif
7191    
7192    #ifndef USE_GTK
7193      while (XPending (terminal->display_info.x->display))
7194        {
7195          int finish;
7196    
7197          XNextEvent (terminal->display_info.x->display, &event);
(gdb) p terminal->display_info.x->display
$1 = (Display *) 0x0
(gdb) up
#2  0x00000000004c2f05 in read_avail_input (expected=1) at keyboard.c:7086
(gdb) 
#3  0x00000000004c2fea in handle_async_input () at keyboard.c:7313
(gdb) 
#4  0x0000000000494a37 in x_term_init (display_name=20626963, xrm_option=0x0, 
resource_name=0x1c7c2b0 "emacs") at xterm.c:10128
(gdb) list
10123           init_kboard (terminal->kboard);
10124           terminal->kboard->Vwindow_system = intern ("x");
10125           if (!EQ (XSYMBOL (Qvendor_specific_keysyms)->function, 
Qunbound))
10126             {
10127               char *vendor = ServerVendor (dpy);
10128               UNBLOCK_INPUT;
10129               terminal->kboard->Vsystem_key_alist
10130                 = call1 (Qvendor_specific_keysyms,
10131                          vendor ? build_string (vendor) : 
empty_unibyte_string);
10132               BLOCK_INPUT;
(gdb) p terminal == terminal_list
$2 = 1
(gdb) p terminal->display_info.x->display
$3 = (Display *) 0x0
(gdb)
--8<---------------cut here---------------end--------------->8---

I can no longer trigger any crashes after patching xterm.c like this:

--8<---------------cut here---------------start------------->8---
*** xterm.c.~1.1000.~   2008-07-13 18:20:31.000000000 +0200
--- xterm.c     2008-07-14 05:22:26.000000000 +0200
***************
*** 10125,10135 ****
--- 10125,10140 ----
        if (!EQ (XSYMBOL (Qvendor_specific_keysyms)->function, Qunbound))
          {
            char *vendor = ServerVendor (dpy);
+           /* temporarily hide the partially initialized terminal */
+           xassert(terminal_list == terminal);
+           terminal_list = terminal->next;
            UNBLOCK_INPUT;
            terminal->kboard->Vsystem_key_alist
              = call1 (Qvendor_specific_keysyms,
                       vendor ? build_string (vendor) : empty_unibyte_string);
            BLOCK_INPUT;
+           terminal->next = terminal_list;
+           terminal_list = terminal;
          }
  
        terminal->kboard->next_kboard = all_kboards;
--8<---------------cut here---------------end--------------->8---

Here's a ChangeLog entry in case this fix is actually correct.

--8<---------------cut here---------------start------------->8---
2008-07-14  Andreas Seltenreich  <seltenreich@gmx.de>

        * xterm.c (x_term_init) [MULTI_KBOARD]: Hide the partially
        initialized terminal while unblocking input for call1 of
        Qvendor_specific_keysyms.
--8<---------------cut here---------------end--------------->8---

regards,
andreas

> In GNU Emacs 23.0.60.6 (x86_64-unknown-linux-gnu)
>  of 2008-07-14 on tengen
> Windowing system distributor `The X.Org Foundation', version 11.0.70101000
> configured using `configure  '--with-x-toolkit=no' '--enable-debug''