bug#16674: 24.3.50; crash: redisplay_internal, update_frame, using client-daemon in tmux

[Mark Oteiza]

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Mark Oteiza <mvoteiza@udel.edu>
>> Date: Thu, 06 Feb 2014 16:25:07 -0500
>> 
>> I have had several similar crashes over the past couple weeks, using the
>> daemon and a variety of clients in and out of tmux sessions.  I attached
>> the backtrace the most recent crash.
>> Program terminated with signal 6, Aborted.
>> #0  0x00007f76aff4274b in raise () from /usr/lib/libpthread.so.0
>> (gdb) bt
>> #0  0x00007f76aff4274b in raise () from /usr/lib/libpthread.so.0
>> #1 0x00000000004db076 in terminate_due_to_signal (sig=sig@entry=6,
>> backtrace_limit=backtrace_limit@entry=40) at emacs.c:378
>> #2  0x00000000004f4433 in emacs_abort () at sysdep.c:2127
>> #3  0x00000000004a14c5 in cmcheckmagic (tty=0x2c2d410) at cm.c:120
>
> This is here:
>
>   void
>   cmcheckmagic (struct tty_display_info *tty)
>   {
>     if (curX (tty) == FrameCols (tty))
>       {
>       if (!MagicWrap (tty) || curY (tty) >= FrameRows (tty) - 1)
>         emacs_abort ();  <<<<<<<<<<<<<<<<<<<<<<<<
>
> Can you find out which of the two conditions triggered the abort?

Neither xterm-termite (the terminal emulator's info) nor screen-256color
(the terminfo used inside tmux) have xn.  Because of *how* I managed
to reproduce the crash, I guess it is the second condition.

> Also, what are "client-daemon" and "tmux", and how are they related to
> Emacs?

I have only been able to do this using the emacs daemon and
emacsclients.  I think tmux has something to do with it because it is
possible to manipulate the size of emacsclient frames without them being
focused.  I will try to describe it:

Here I have a single terminal emulator running tmux.  An emacs daemon is
running and I start emacsclient "A".

| A |

In tmux I vertically split the window, so "A" is in the left pane, a new
shell is in the right.  "A" has focus until I start a new client "B" in
the right.

|A| |

|A|B|

Now, "B" has focus. I exit from this client into the shell, and exit the
shell, killing the tmux pane.  At this point, the pane "A" occupies is
the sole pane, but "A" is still only occupying half the window!

|A  |

I can make and destroy tmux panes and constrict the client
"display". The frame won't update until I enter the pane "A" occupies
*and* interact with the client.

This does not happen in 24.3, so this is a regression I imagine I can
bisect if need be.

I took `curY (tty) >= FrameRows (tty) - 1` as a hint, and figured I
could make emacs crash by doing horizontal splits and messing with the
focus and term emulator window size, so emacsclients were out of focus
and displaying the wrong number of rows.  I'm not sure of an EXACT
process to reproduce, but I got a couple crashes pretty quickly by
mixing up these actions.

I seemed to need to have a file open in one of the clients.

> Finally, can you try reproducing this in an unoptimized build?  I'm
> afraid optimized builds lie to GDB about the exact point of crash and
> about backtrace that led to the crash.
>
> Thanks.

I hope this output is more helpful.

Configured using:
 `configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
  --localstatedir=/var --with-x-toolkit=lucid 'CFLAGS=-march=x86-64
   -mtune=generic -O0 -pipe -fstack-protector --param=ssp-buffer-size=4
 -g
  -fvar-tracking-assignments' CPPFLAGS=
   LDFLAGS=-Wl,-O0,--sort-common,--as-needed,-z,relro'

              Thu 2014-02-06 15:21:39 EST    610  1000   100   6 
/usr/bin/emacs-24.3.50
              Fri 2014-02-07 10:01:48 EST  13555  1000   100   6 
/usr/bin/emacs-24.3.50
[master* ~]$ sudo systemd-coredumpctl gdb 13555
TIME                                         PID   UID   GID SIG EXE
              Fri 2014-02-07 10:01:48 EST  13555  1000   100   6 
/usr/bin/emacs-24.3.50
GNU gdb (GDB) 7.6.2
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/emacs-24.3.50...done.

warning: core file may not match specified executable file.
[New LWP 13555]
[New LWP 13556]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

warning: no loadable sections found in added symbol-file system-supplied DSO at 
0x7fffa4dfe000
Core was generated by `emacs --daemon'.
Program terminated with signal 6, Aborted.
#0  0x00007fa61950374b in raise () from /usr/lib/libpthread.so.0
(gdb) bt full
#0  0x00007fa61950374b in raise () from /usr/lib/libpthread.so.0
No symbol table info available.
#1  0x0000000000536755 in terminate_due_to_signal (sig=6, backtrace_limit=40) 
at emacs.c:378
No locals.
#2  0x00000000005599ad in emacs_abort () at sysdep.c:2127
No locals.
#3  0x00000000004e6bc5 in cmcheckmagic (tty=0xcab010) at cm.c:120
No locals.
#4  0x00000000004e9ac9 in tty_write_glyphs (f=0x1251078, string=0x7fa611599760, 
len=149) at term.c:778
        conversion_buffer = 0x1ae6410 ' ' <repeats 177 times>, "\f\001  `(i!"
        coding = 0x19a9ab0
        n = 149
        stringlen = 0
        tty = 0xcab010
#5  0x00000000004f2fcb in write_glyphs (f=0x1251078, string=0x7fa611597b70, 
len=149) at terminal.c:162
No locals.
#6  0x000000000041c56c in update_frame_line (f=0x1251078, vpos=50) at 
dispnew.c:4791
        obody = 0x0
        nbody = 0x7fa611597b70
        op1 = 0x29
        op2 = 0x412d30 <_start>
        np1 = 0x7fffa4cf9e10
        nend = 0x7fa611599760
        tem = 4290101
        osp = 2
        nsp = 14045808
        begmatch = 0
        endmatch = 291518304
        olen = 0
        nlen = 149
        current_matrix = 0xcef6f0
        desired_matrix = 0x143c2f0
        current_row = 0xecedd0
        desired_row = 0xf01cc0
        must_write_whole_line_p = true
        write_spaces_p = true
        colored_spaces_p = true
#7  0x000000000041b6e6 in update_frame_1 (f=0x1251078, force_p=true, 
inhibit_id_p=false) at dispnew.c:4461
        current_matrix = 0xcef6f0
        desired_matrix = 0x143c2f0
        i = 0
        pause_p = false
        preempt_count = 17
#8  0x000000000041850c in update_frame (f=0x1251078, force_p=true, 
inhibit_hairy_id_p=false) at dispnew.c:3073
        paused_p = false
        root_window = 0x138e158
#9  0x000000000044fe61 in redisplay_internal () at xdisp.c:13670
        gcscrollbars = true
        f = 0x1251078
        w = 0x1198c28
---Type <return> to continue, or q <return> to quit---
        sw = 0x1198c28
        fr = 0x1251078
        pending = 0
        must_finish = true
        match_p = true
        tlbufpos = {charpos = 192, bytepos = 192}
        tlendpos = {charpos = 0, bytepos = 0}
        number_of_visible_frames = 3
        count = 2
        sf = 0x1251078
        polling_stopped_here = 1
        tail = 21163478
        frame = 19206269
        consider_all_windows_p = true
        update_miniwindow_p = true
#10 0x0000000000449006 in resize_echo_area_exactly () at xdisp.c:10554
        w = 0xc53a98
        resize_exactly = 12843298
        resized_p = 1
#11 0x000000000053b19c in command_loop_1 () at keyboard.c:1571
        cmd = 12885778
        keybuf = {27821702, 12, 0, 0, 4, 12980578, 12890706, 27848854, 9356513, 
12980578, 140735958462224, 5481800, 140735958462272, 27848854, 140735958462224, 
0,
          140735958462352, 5481560, 140735958462304, 27848854, 12843250, 
12843250, 12967168, 12843250, 0, 0, 140735958462352, 6083840, 12843250, 
8556586760117233664}
        i = 1
        prev_modiff = 22
        prev_buffer = 0xc461b0
        already_adjusted = false
#12 0x00000000005cc00a in internal_condition_case (bfun=0x53aa04 
<command_loop_1>, handlers=12894818, hfun=0x53a2f3 <cmd_error>) at eval.c:1352
        val = 21700624
        c = 0x14b2010
#13 0x000000000053a75e in command_loop_2 (ignore=12843250) at keyboard.c:1170
        val = 0
#14 0x00000000005cb81c in internal_catch (tag=12890754, func=0x53a738 
<command_loop_2>, arg=12843250) at eval.c:1116
        val = 12843250
        c = 0x14b1ee0
#15 0x000000000053a70c in command_loop () at keyboard.c:1149
No locals.
#16 0x0000000000539eee in recursive_edit_1 () at keyboard.c:777
        count = 1
        val = 5480563
#17 0x000000000053a05b in Frecursive_edit () at keyboard.c:841
        count = 0
        buffer = 12843250
#18 0x0000000000538063 in main (argc=2, argv=0x7fffa4cfb298) at emacs.c:1643
        dummy = 140351468168328
        stack_bottom_variable = 0 '\000'
        do_initial_setlocale = true
        dumping = false
        skip_args = 1
        rlim = {rlim_cur = 8720000, rlim_max = 18446744073709551615}
---Type <return> to continue, or q <return> to quit---
        no_loadup = false
        junk = 0x0
        dname_arg = 0x0
        ch_to_dir = 0xf63d4e2e <Address 0xf63d4e2e out of bounds>
        original_pwd = 0x0
(gdb)