bug-gnu-emacs


bug#30931: 27.0.50; Crash in "Automatic GC"


From: Noam Postavsky
Subject: bug#30931: 27.0.50; Crash in "Automatic GC"
Date: Fri, 30 Mar 2018 01:39:30 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.90 (gnu/linux)

Noam Postavsky <npostavs@gmail.com> writes:

> Michał Kondraciuk <k.michal@zoho.com> writes:
>
>> I don't know if it helps, but I was able to reproduce a crash in the
>> same place (mark_object()) with bare Emacs, however only in 27.0.50.
>
> This is very helpful, thank you.

Okay, with this recipe, I was able to put a breakpoint in free_marker
and find where the problem is: save_restriction_save creates markers to
represent the current restriction, record_marker_adjustments (called
from delete-region) puts all buffer markers onto the buffer undo list,
and save_restriction_restore frees the markers created in
save_restriction_save.

    save_restriction_save (void)
    {
    [...]
          beg = build_marker (current_buffer, BEGV, BEGV_BYTE);
          end = build_marker (current_buffer, ZV, ZV_BYTE);

    record_marker_adjustments (ptrdiff_t from, ptrdiff_t to)
    {
    [...]
      for (m = BUF_MARKERS (current_buffer); m; m = m->next)
        {
        [...]
                  XSETMISC (marker, m);
                  bset_undo_list
                    (current_buffer,
                     Fcons (Fcons (marker, make_number (adjustment)),
                            BVAR (current_buffer, undo_list)));

    save_restriction_restore (Lisp_Object data)
    {
    [...]
          /* These aren't needed anymore, so don't wait for GC.  */
          free_marker (XCAR (data));
          free_marker (XCDR (data));

So the following is enough to trigger the bug:

  (with-temp-buffer
    (insert "1234567890")
    (setq buffer-undo-list nil)
    (narrow-to-region 2 5)
    (save-restriction
      (widen)
      (delete-region 1 6))
    (princ (format "%S" buffer-undo-list) #'external-debugging-output)
    (type-of (car (nth 1 buffer-undo-list))))

Surprisingly, printing works on a Lisp_Misc_Free object, so this prints

    (("12345" . 1) (#<misc free cell> . -1) (#<misc free cell> . 1))

before aborting in Ftype_of.  Calling garbage-collect instead of type-of
also aborts.  Calling neither seems to be okay, since in that case the
Lisp_Misc_Free objects somehow turn into #<marker in no buffer>.

For solving this, I guess the easiest would be to have
save_restriction_restore do (set-marker m nil) instead of free_marker.
Might make more sense to avoid putting those markers onto the undo list
in the first place though.
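
An added example, not part of the original message and not Emacs source: a small C model of the lifecycle described above, in which markers recorded on an undo list are then either freed eagerly or merely detached from the buffer. All names (`struct cell`, `pool`, `run_scenario` and the rest) are hypothetical stand-ins, and a static pool with a type tag replaces the real allocator so the dangling reference can be counted safely.

```c
#include <stdio.h>

/* Simplified model with hypothetical names; not Emacs source. */
enum cell_type { CELL_FREE, CELL_MARKER };
struct cell { enum cell_type type; int buffer; struct cell *next; };

#define POOL 8
static struct cell pool[POOL];    /* stands in for the misc-object heap */
static size_t n_used;             /* bump allocator; a scenario uses 2 cells */
static struct cell *buf_markers;  /* stands in for BUF_MARKERS */
static struct cell *undo[POOL];   /* stands in for the buffer undo list */
static size_t n_undo;

static struct cell *build_marker(void) {
    struct cell *m = &pool[n_used++];
    *m = (struct cell){ CELL_MARKER, 1, buf_markers };
    return buf_markers = m;       /* new marker heads the buffer's chain */
}
/* Take m off the buffer's marker chain: it is now "in no buffer". */
static void unchain(struct cell *m) {
    for (struct cell **p = &buf_markers; *p; p = &(*p)->next)
        if (*p == m) { *p = m->next; break; }
    m->buffer = 0;
}
/* Eager free: the cell is retagged at once, whoever still points at it. */
static void free_cell(struct cell *m) { unchain(m); m->type = CELL_FREE; }
/* Models record_marker_adjustments: every buffer marker goes onto undo. */
static void record_adjustments(void) {
    for (struct cell *m = buf_markers; m && n_undo < POOL; m = m->next)
        undo[n_undo++] = m;
}
/* What a GC mark pass would trip over: live references to freed cells. */
static size_t dangling_in_undo(void) {
    size_t n = 0;
    for (size_t i = 0; i < n_undo; i++)
        n += (undo[i]->type == CELL_FREE);
    return n;
}
/* save-restriction around delete-region; eager_free picks the restore path. */
size_t run_scenario(int eager_free) {
    for (size_t i = 0; i < POOL; i++) pool[i] = (struct cell){ CELL_FREE, 0, NULL };
    buf_markers = NULL; n_undo = 0; n_used = 0;
    struct cell *beg = build_marker(), *end = build_marker(); /* save */
    record_adjustments();                                     /* delete-region */
    if (eager_free) { free_cell(beg); free_cell(end); }       /* current restore */
    else { unchain(beg); unchain(end); }                      /* detach, leave to GC */
    return dangling_in_undo();
}
int main(void) {
    printf("eager free: %zu dangling\n", run_scenario(1));
    printf("detach only: %zu dangling\n", run_scenario(0));
    return 0;
}
```

The eager-free path leaves two undo entries pointing at free cells, matching the two `#<misc free cell>` entries printed in the message; the detach path leaves none.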




