bug#23522: 25.0.93; SEGFAULT when displaying HELLO
From: Michael Welsh Duggan
Subject: bug#23522: 25.0.93; SEGFAULT when displaying HELLO
Date: Fri, 13 May 2016 10:52:31 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)

Eli Zaretskii <eliz@gnu.org> writes:
>> From: Michael Welsh Duggan <mwd@md5i.com>
>> Cc: Michael Welsh Duggan <mwd@cert.org>, <rgm@gnu.org>,
>> <23522@debbugs.gnu.org>
>> Date: Thu, 12 May 2016 16:49:15 -0400
>>
>> Eli Zaretskii <eliz@gnu.org> writes:
>>
>> >> From: Michael Welsh Duggan <mwd@cert.org>
>> >> Cc: <rgm@gnu.org>, <23522@debbugs.gnu.org>
>> >> Date: Thu, 12 May 2016 15:58:43 -0400
>> >>
>> >> (gdb) up
>> >> #4 0x00000000006b47e2 in ftfont_shape_by_flt (lgstring=14496901,
>> >> font=0x17b3660, ft_face=0x1739f10, otf=0x16df8d0, matrix=0x17b3758)
>> >> at ../../../git/emacs/src/ftfont.c:2655
>> >> (gdb) pp lgstring
>> >> [[#<font-object "-unknown-Lohit
>> >> Gujarati-normal-normal-normal-*-13-*-*-*-*-0-iso10646-1"> 2744 2765
>> >> 2724 2759] nil [0 0 2744 98 10 0 9 8 0 nil] [1 1 2765 115 0 -4 3 0 4
>> >> nil] [2 2 2724 81 9 0 8 8 0 nil] [3 3 2759 110 0 -7 -1 12 -7 nil]
>> >> nil nil nil nil]
>> >> (gdb)
>> >
>> > In the above stack frame, what is the value of g->g (it's a
>> > structure)?
>>
>> (gdb) p g->g
>> $3 = {
>> c = 0,
>> code = 175,
>> from = 0,
>> to = 115, <<<<<<<<<<<<<<<<<<<<<<
>
> This value of 'to' looks bogus (too large) to me. The line that
> segfaults is
>
> g->g.to = LGLYPH_TO (LGSTRING_GLYPH (lgstring, g->g.to));
>
> and the LGSTRING_GLYPH macro expands to AREF (lgstring, g->g.to+2), so
> we are indexing an lgstring with an index that's 117, too large. The
> value of lgstring shown above has only 10 elements, which is
> consistent with the definition of an lgstring (see composite.h, around
> line 270).
>
> So the question becomes: where did that value of 'to' come from, and
> how come its value is bogus? Can you look at the code before the
> faulting line and figure that out?

It's being filled in by mflt_run() at ftfont.c:2646.

> I'm CC'ing Handa-san, who might have insight for this problem.
>
>> > The crash seems to happen when Emacs tries to display line #10 of
>> > HELLO, which begins with " South Asia:". The first word after that is
>> > the one that causes the crash. Can you look at another system, where
>> > there's no crash, and tell which font is used for that word?
>>
>> Looking at previous frames, it looks like the character is char 383:
>
> That's right.
>
>> position: 383 of 3322 (11%), column: 16
>> character: સ (displayed as સ) (codepoint 2744, #o5270, #xab8)
>> preferred charset: mule-unicode-0100-24ff (Unicode characters of the
>> range U+0100..U+24FF.)
>> code point in charset: 0x3978
>> script: gujarati
>> syntax: w which means: word
>> category: .:Base, L:Left-to-right (strong)
>> to input: type "C-x 8 RET ab8" or "C-x 8 RET GUJARATI LETTER SA"
>> buffer code: #xE0 #xAA #xB8
>> file code: ESC #x24 #x2C #x31 #x39 #x78 (encoded by coding
>> system iso-2022-7bit-unix)
>> display: composed to form "સ્તે" (see below)
>>
>> Composed with the following character(s) "્તે" using this font:
>> xft:-unknown-FreeSerif-normal-normal-normal-*-15-*-*-*-*-0-iso10646-1
>> by these glyphs:
>> [0 3 0 10195 9 0 10 10 0 nil]
>> [0 3 2724 2103 10 1 10 10 1 nil]
>> [0 3 2759 2132 0 -8 -2 13 -10 [-1 0 0]]
>
> So why does Emacs use FreeSerif on this system and Lohit Gujarati on
> the faulting one?

The two systems I have access to are running completely different
distributions of Linux. I don't have much control over the packages
installed on the system on which Emacs breaks.

> Are both fonts installed on both systems? Is Lohit
> Gujarati a bad font, by any chance?

No idea. How can I find out? The font comes from
/usr/share/fonts/lohit-gujarati/Lohit-Gujarati.ttf .

> Also, do both systems have the same version of libm17n-flt and m17n-db
> libraries?

Almost certainly not.

--
Michael Welsh Duggan
(md5i@md5i.com)
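
Added example, not part of the original message and not Emacs code: a bounds check on the index a shaper hands back, applied before the kind of lookup that faulted above (`AREF (lgstring, g->g.to+2)` with `to = 115`). The struct and function names are hypothetical simplifications, the slot data is constructed from the gdb dump in the thread, and the `from` check generalizes beyond the `to` field discussed there.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (hypothetical, not Emacs types): one glyph slot of
   an lgstring, keeping only its FROM/TO character indices. */
struct glyph_slot { int from, to; };

/* Stand-in for the shaper's per-glyph result (g->g in the backtrace). */
struct shaped_glyph { int code, from, to; };

/* Translate shaper-returned slot indices into character indices.
   Returns 0 on success, -1 if an index falls outside the nslots slots
   that were handed to the shaper, leaving *g untouched. */
int remap_glyph(const struct glyph_slot *slots, size_t nslots,
                struct shaped_glyph *g)
{
  if (g->from < 0 || g->to < g->from || (size_t) g->to >= nslots)
    return -1;                       /* reject instead of indexing */
  g->from = slots[g->from].from;
  g->to = slots[g->to].to;
  return 0;
}

/* Constructed input: the four populated glyph slots from the gdb dump. */
static const struct glyph_slot SLOTS[] = { {0, 0}, {1, 1}, {2, 2}, {3, 3} };
#define NSLOTS (sizeof SLOTS / sizeof SLOTS[0])

/* The values seen in the crash: from = 0, to = 115. */
int demo_bogus(void)
{
  struct shaped_glyph g = { 175, 0, 115 };
  return remap_glyph(SLOTS, NSLOTS, &g);
}

/* A constructed in-range result covering slots 0..3; returns new TO or -1. */
int demo_valid(void)
{
  struct shaped_glyph g = { 175, 0, 3 };
  return remap_glyph(SLOTS, NSLOTS, &g) == 0 ? g.to : -1;
}

int main(void)
{
  printf("bogus: %d, valid to: %d\n", demo_bogus(), demo_valid());
  return 0;
}
```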