From xemacs-m  Fri Jan 31 11:19:02 1997
Received: from portofix.ida.liu.se (portofix.ida.liu.se [130.236.177.25])
	by xemacs.org (8.8.5/8.8.5) with ESMTP id LAA09399
	for <xemacs-beta@xemacs.org>; Fri, 31 Jan 1997 11:19:01 -0600 (CST)
Received: from sen2.ida.liu.se (sen2.ida.liu.se [130.236.176.112]) by portofix.ida.liu.se (8.8.3/8.8.3) with SMTP id SAA25692; Fri, 31 Jan 1997 18:19:00 +0100 (MET)
Received: by sen2.ida.liu.se (SMI-8.6/ida.slave-V1.0b6d6S2)
	id SAA02660; Fri, 31 Jan 1997 18:18:59 +0100
Date: Fri, 31 Jan 1997 18:18:59 +0100
Message-Id: <199701311718.SAA02660@sen2.ida.liu.se>
From: David Byers <davby@ida.liu.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: David Moore <dmoore@UCSD.EDU>
CC: xemacs-beta@xemacs.org
Subject: Re: 20.0-beta92 crash
In-Reply-To: <rvzpxqqwg6.fsf@sdnp5.ucsd.edu>
References: <199701290932.KAA25909@sen2.ida.liu.se>
	<rvzpxqqwg6.fsf@sdnp5.ucsd.edu>
X-Face: (@~#v$c[GP"T}a;|MU<%Dpm5*6yv"NR|7k;uk8MAISFxdZ(Og$C{u(j"9X7v$qonp}SKfhT
 g|5[Pu~/3F7XQEk70gK'4z%1R%%gg7]}=>/jD`qcBeHDgo&HS,^S!&.zoTSxh<>-O6EB?SSy96&m37

>     (progn (standard-display-european 1)
>            (help-with-tutorial-for-mule "Japanese"))
> 

Still crashed in beta-93. I did as suggested and compiled with
HAVE_INLINE unset and without optimization (so sloooow.) I ran
under gdb to get better information (the full backtrace is at the end
of this message):

    Program received signal SIGSEGV (11), Segmentation fault
    0x1be67c in create_text_block (w=0x4d5800, dl=0x5c6090, bi_start_pos=50, 
        start_col=0, prop=0xefffe6c4, type=1) at redisplay.c:2107
    2107              if (dt && !NILP (DISP_CHAR_ENTRY (dt, data.ch)))
    (gdb) p data.ch
    $7 = 58236
    (gdb) p dt
    $6 = (struct Lisp_Vector *) 0x646000
    (gdb) p *dt
    $8 = {size = 256, contents = {273125380}}
    (gdb) 

DISP_CHAR_ENTRY is in glyphs.h:

    #define DISP_CHAR_ENTRY(dp, c)	((dp)->contents[c])
Now let's start guessing at why and how to fix...

It looks like XEmacs is looking up a character in a display table
(58236 just happens to equal the integer value of the first kanji
character in the tutorial), but there are no checks that the character
is not outside the range of the display table. Perhaps adding a bounds
check to DISP_CHAR_ENTRY is the thing to do:

    #define DISP_CHAR_ENTRY(dp, c)  \
            (((c) < (dp)->size) ? (dp)->contents[(c)] : Qnil)

An interesting point is that if you view the tutorial, kill the
tutorial buffer, _then_ do standard-display-european, you can view the
tutorial again without crashing. I have no idea why.

--
David Byers


The entire C backtrace:

#0  0x1be67c in create_text_block (w=0x4d5800, dl=0x60b090, bi_start_pos=50, 
    start_col=0, prop=0xefffe6c4, type=1) at redisplay.c:2107
#1  0x1b9d68 in generate_display_line (w=0x4d5800, dl=0x60b090, bounds=1, 
    start_pos=50, start_col=0, prop=0xefffe6c4, type=1) at redisplay.c:734
#2  0x1c5894 in regenerate_window (w=0x4d5800, start_pos=50, point=1, type=1)
    at redisplay.c:4264
#3  0x1c83ac in redisplay_window (window=273504256, skip_selected=0)
    at redisplay.c:5165
#4  0x1c8cb4 in redisplay_frame (f=0x53e500, preemption_check=0)
    at redisplay.c:5383
#5  0x1c9198 in redisplay_device (d=0x595e00) at redisplay.c:5465
#6  0x1c99b0 in redisplay_without_hooks () at redisplay.c:5577
#7  0x1c9c04 in redisplay () at redisplay.c:5644
#8  0xe1648 in Fnext_event (event=274765172, prompt=273125380)
    at event-stream.c:2134
#9  0x837e0 in Fcommand_loop_1 () at cmdloop.c:531
#10 0x8350c in command_loop_1 (dummy=273125380) at cmdloop.c:460
#11 0xc6fc0 in condition_case_1 (handlers=273125476, 
    bfun=0x834e0 <command_loop_1>, barg=273125380, hfun=0x82a80 <cmd_error>, 
    harg=273125380) at eval.c:1648
#12 0x82bf4 in command_loop_3 () at cmdloop.c:222
#13 0x82c28 in command_loop_2 (dummy=273125380) at cmdloop.c:233
#14 0xc6a5c in internal_catch (tag=273203172, func=0x82c18 <command_loop_2>, 
    arg=273125380, threw=0x0) at eval.c:1325
#15 0x82f48 in initial_command_loop (load_me=273125380) at cmdloop.c:271
#16 0xc0334 in main_1 (argc=2, argv=0xeffff00c, envp=0xeffff018)
    at emacs.c:1452
#17 0xc1378 in main (argc=2, argv=0xeffff00c, envp=0xeffff018) at emacs.c:1803
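As an added example, not part of the original message or of XEmacs's own code: a minimal model of the display-table lookup above, with the unchecked macro beside a bounds-checked variant. The struct layout, the Lisp_Object/Qnil stand-ins and the marker values in the table are constructed for illustration; the unsigned cast is an extra precaution (against a negative character code) that the message itself does not propose.

```c
/* Constructed model of the XEmacs display-table lookup from the crash report.
 * Types and names are stand-ins, not XEmacs's real definitions. */
#include <stddef.h>
#include <stdlib.h>

typedef long Lisp_Object;           /* constructed stand-in for XEmacs's type */
#define Qnil ((Lisp_Object)0)       /* constructed stand-in for XEmacs's nil  */

struct Lisp_Vector {
    long size;                      /* number of valid entries in contents[] */
    Lisp_Object contents[256];      /* 256-entry table, as in the gdb dump  */
};

/* The original macro: no bounds check, so any c >= size (such as the
 * kanji code 58236 from the report) reads past the end of contents[]. */
#define DISP_CHAR_ENTRY_UNCHECKED(dp, c) ((dp)->contents[c])

/* Bounds-checked variant. Casting to unsigned long rejects both c >= size
 * and a negative c with one comparison; the parentheses around c keep the
 * macro correct for argument expressions such as `ch + 1`. */
#define DISP_CHAR_ENTRY(dp, c) \
    (((unsigned long)(c) < (unsigned long)(dp)->size) \
        ? (dp)->contents[(c)] : Qnil)

/* Build a constructed table in which entry i holds the marker value i+1000. */
static struct Lisp_Vector *make_display_table(void)
{
    struct Lisp_Vector *dt = calloc(1, sizeof *dt);
    if (!dt)
        return NULL;
    dt->size = 256;
    for (long i = 0; i < dt->size; i++)
        dt->contents[i] = (Lisp_Object)(i + 1000);
    return dt;
}

/* Look up character code ch with the checked macro; returns Qnil when ch
 * falls outside the table instead of reading out of bounds. */
Lisp_Object display_entry_for(long ch)
{
    struct Lisp_Vector *dt = make_display_table();
    if (!dt)
        return Qnil;
    Lisp_Object entry = DISP_CHAR_ENTRY(dt, ch);
    free(dt);
    return entry;
}
```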

