bug#15405: 24.3; #[] freezes emacs

From: Barry OReilly
Subject: bug#15405: 24.3; #[] freezes emacs
Date: Wed, 18 Sep 2013 13:31:56 -0400

FWIW, a single evaluation of `#[]` via `M-:` is enough for the reproduction recipe; the second one is not needed.

I used:

diff --git a/src/font.c b/src/font.c
index 68db9f2..0f2d24f 100644
--- a/src/font.c
+++ b/src/font.c
@@ -2619,6 +2619,12 @@ font_delete_unmatched (Lisp_Object vec, Lisp_Object spec, int size)
   enum font_property_index prop;
   int i;
+  bool noninteractive_old = noninteractive;
+  { struct timespec debug_ts; char debug_dateStr[20]; { clock_gettime(CLOCK_REALTIME, &debug_ts); struct tm mytm; localtime_r(&debug_ts.tv_sec, &mytm); strftime(debug_dateStr, 20, "%Y-%m-%dT%H:%M:%S", &mytm); }
+       printf( "%s.%09ld|pid:%d|tid:%ld|%s|%d| DEBUG: vec size=%ld\n", // TODO: debugging
+                         debug_dateStr, debug_ts.tv_nsec, getpid(), pthread_self(), __FILE__, __LINE__, ASIZE(vec) ); fflush(stdout); }
+  Fprin1(vec, Qnil);
+  noninteractive = noninteractive_old;
   for (val = Qnil, i = ASIZE (vec) - 1; i >= 0; i--)
       entity = AREF (vec, i);
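Review bot: The `%ld` conversions in the added printf do not match their arguments — `pthread_self ()` returns an opaque `pthread_t` and `ASIZE (vec)` is a `ptrdiff_t` — so the call is only correct by accident on LP64; `%td` for the size and `(unsigned long) pthread_self ()` with `%lu` keep the diagnostic well-defined. The `noninteractive_old` save/restore around `Fprin1 (vec, Qnil)` is a no-op as written, since nothing assigns `noninteractive` between the two lines; it looks like it was meant to set `noninteractive = true` so the print goes to stdout, but that is a guess. More to the point, the instrumentation observes the bad size but the function still trusts it: `int i` on the context line above narrows the 64-bit size, and the printed value has bit 62 set, which is consistent with `vec` being a pseudovector rather than a plain vector, so an `eassert (VECTORP (vec));` before the loop together with `ptrdiff_t i;` would turn the wild `AREF` into a clean abort. font_delete_unmatched starts and ends outside the hunk.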

2013-09-18T13:15:22.845944000|pid:15278|tid:2868504832|font.c|2625| DEBUG: vec size=4
2013-09-18T13:15:22.847422000|pid:15278|tid:2868504832|font.c|2625| DEBUG: vec size=4611686018628714496
Fatal error 11: Segmentation fault

Clearly the value of `i` was a 32-bit truncation of that larger value: `i` is declared `int` while `ASIZE (vec)` is a 64-bit `ptrdiff_t`, so `i = ASIZE (vec) - 1` narrows it and `AREF (vec, i)` then reads far outside the object, which is the SIGSEGV at lisp.h:1170 in frame #6 below. The size itself (4611686018628714496 = 0x400000000C000000) cannot be a real vector length; with bit 62 set it looks like a pseudovector header (PSEUDOVECTOR_FLAG plus a type tag), i.e. `#[]` apparently yields a byte-code pseudovector rather than a plain vector, and its header word is being read as a vector size without any VECTORP check.

#0  0x00000031cfc0e7fd in raise () from /lib64/libpthread.so.0
#1  0x00000000004ced25 in terminate_due_to_signal (sig=11, backtrace_limit=40) at emacs.c:369
#2  0x00000000004e823e in handle_fatal_signal (sig=15650) at sysdep.c:1626
#3  0x00000000004e85f3 in deliver_thread_signal (sig=11) at sysdep.c:1600
#4  deliver_fatal_thread_signal (sig=11) at sysdep.c:1638
#5  <signal handler called>
#6  0x0000000000552715 in font_delete_unmatched (f=0x1102af0, spec=18316141) at lisp.h:1170
#7  font_list_entities (f=0x1102af0, spec=18316141) at font.c:2753
#8  0x0000000000556224 in font_find_for_lface (f=0x1102af0, attrs=0x7fffa07f03d0, spec=11832930, c=-1) at font.c:3212
#9  0x000000000055671b in font_load_for_lface (f=0xe81112, attrs=0xcd4400, spec=8413600) at font.c:3282
#10 0x000000000049fc62 in realize_x_face (cache=0xd654b0, attrs=0x7fffa07f03d0, former_face_id=<value optimized out>) at xfaces.c:5526
#11 realize_face (cache=0xd654b0, attrs=0x7fffa07f03d0, former_face_id=<value optimized out>) at xfaces.c:5419
#12 0x00000000004a0a41 in lookup_face (f=<value optimized out>, attr=0x7fffa07f03d0) at xfaces.c:4408
#13 0x00000000004a1a91 in face_at_string_position (w=<value optimized out>, string=<value optimized out>, pos=<value optimized out>, bufpos=0, region_beg=-1, region_end=-1, endptr=0x7fffa07f0508,
    base_face_id=MODE_LINE_INACTIVE_FACE_ID, mouse_p=0) at xfaces.c:6191
#14 0x0000000000444f45 in display_string (string=0xb503e8 "*scratch*", lisp_string=11861937, face_string=<value optimized out>, face_string_pos=1, start=0, it=0x7fffa07f0750, field_width=12, precision=-8,
    max_x=<value optimized out>, multibyte=0) at xdisp.c:22291
#15 0x000000000044582c in display_mode_element (it=0x7fffa07f0750, depth=4, field_width=0, precision=-8, elt=<value optimized out>, props=11832930, risky=0) at xdisp.c:21044
#16 0x0000000000445e5c in display_mode_element (it=0x7fffa07f0750, depth=3, field_width=0, precision=-8, elt=<value optimized out>, props=11832930, risky=0) at xdisp.c:21216
#17 0x0000000000445e5c in display_mode_element (it=0x7fffa07f0750, depth=1, field_width=0, precision=0, elt=<value optimized out>, props=11832930, risky=0) at xdisp.c:21216
#18 0x0000000000446734 in display_mode_line (w=<value optimized out>, face_id=MODE_LINE_INACTIVE_FACE_ID, format=15318150) at xdisp.c:20733
#19 0x0000000000446a10 in display_mode_lines (w=0x1177950) at xdisp.c:20678
#20 0x0000000000451ee4 in redisplay_window (window=18315605, just_this_one_p=0) at xdisp.c:16122
#21 0x0000000000455386 in redisplay_window_0 (window=15208722) at xdisp.c:13819
#22 0x000000000053f9e3 in internal_condition_case_1 (bfun=0x455360 <redisplay_window_0>, arg=18315605, handlers=12043382, hfun=0x425800 <redisplay_window_error>) at eval.c:1376
#23 0x0000000000431a8d in redisplay_windows (window=13452288) at xdisp.c:13799
#24 0x0000000000431a54 in redisplay_windows (window=13452288) at xdisp.c:13793
#25 0x0000000000456191 in redisplay_internal () at xdisp.c:13410
#26 0x00000000004dc905 in read_char (commandflag=1, map=19881590, prev_event=11832930, used_mouse_menu=0x7fffa07f6baf, end_time=0x0) at keyboard.c:2553
#27 0x00000000004de0f1 in read_key_sequence (keybuf=0x7fffa07f6c10, bufsize=30, prompt=11832930, dont_downcase_last=false, can_return_switch_frame=true, fix_current_buffer=true) at keyboard.c:9066
#28 0x00000000004dfb07 in command_loop_1 () at keyboard.c:1436
#29 0x000000000053f88e in internal_condition_case (bfun=0x4df880 <command_loop_1>, handlers=11892674, hfun=0x4d6e70 <cmd_error>) at eval.c:1339
#30 0x00000000004d6ffa in command_loop_2 (ignore=<value optimized out>) at keyboard.c:1163
#31 0x000000000053f74b in internal_catch (tag=<value optimized out>, func=0x4d6fe0 <command_loop_2>, arg=11832930) at eval.c:1113
#32 0x00000000004d63c0 in command_loop () at keyboard.c:1142
#33 recursive_edit_1 () at keyboard.c:781
#34 0x00000000004d7ce6 in Frecursive_edit () at keyboard.c:845
#35 0x00000000004cf9fd in main (argc=<value optimized out>, argv=0x7fffa07f71e8) at emacs.c:1570

