emacs21-x crashed with SIGSEGV when killing mail compose window in gnus (intrepid regression)

Bug #290479 reported by James Troup
Affects           Status    Importance  Assigned to  Milestone
emacs21 (Ubuntu)  Invalid   Undecided   Unassigned

Bug Description

Binary package hint: emacs21

Ever since I upgraded to intrepid, I've been reliably able to kill emacs21 by:

 (1) starting gnus
 (2) starting to compose a mail (m or M-x gnus-group-mail)
 (3) enter any content at all
 (4) killing the buffer (C-x k)

Without step (3), it won't SIGSEGV. emacs21 in hardy didn't have this
problem. emacs22 in intrepid doesn't either. It's not specific to my config, as I can reproduce it as a new user.

ProblemType: Crash
Architecture: i386
Disassembly: 0xb80ca430:
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/emacs21-x
Package: emacs21 21.4a+1-5.5
ProcAttrCurrent: unconfined
ProcCmdline: emacs21 -nw -f gnus-no-server
ProcEnviron:
 SHELL=/bin/bash
 PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
 LANG=en_GB.UTF-8
Signal: 11
SourcePackage: emacs21
Stacktrace: #0 0xb80ca430 in ?? ()
StacktraceTop: ?? ()
ThreadStacktrace:

Title: emacs21-x crashed with SIGSEGV
Uname: Linux 2.6.27-7-generic i686
UserGroups:

Revision history for this message
Apport retracing service (apport) wrote : Symbolic stack trace

StacktraceTop: ?? ()

Revision history for this message
Kees Cook (kees) wrote :

#0 0xf7b93d41 in kill () from /lib/libc.so.6
#1 0x080e5543 in fatal_error_signal (sig=11)
    at /build/buildd/emacs21-21.4a+1/src/emacs.c:368
#2 <signal handler called>
#3 0xf7bdbf0b in strlen () from /lib/libc.so.6
#4 0x0817f4c7 in doprnt1 (lispstrings=0,
    buffer=0xff8cc20c "Buffer \b,�)\030,�)\030\234\225�8�r,\030@��\b\210�\214�`\220\023\b�r,\030�y,(,�)\030@��\b,�)\030/", bufsize=92,
    format=0x819b850 "Buffer %s modified; kill anyway? ",
    format_end=0x819b871 "", nargs=5, args=0xff8cc204)
    at /build/buildd/emacs21-21.4a+1/src/doprnt.c:249
#5 0x0813c749 in format1 (
    string1=0x819b850 "Buffer %s modified; kill anyway? ")
    at /build/buildd/emacs21-21.4a+1/src/editfns.c:3566

Revision history for this message
Marc Horowitz (marc-mit) wrote :

I've got the same problem. I have a simpler recipe to reproduce, not involving gnus:

touch /tmp/somefile
emacs21 -nw -q /tmp/somefile
x C-x k RET

Basically, any attempt to kill a modified buffer crashes emacs.

I looked at the code, and it looks like format1() is making some non-portable assumptions about the way the stack is laid out by the compiler (editfns.c, around line 3547, with ifdef'd code removed):

Lisp_Object
format1 (string1)
     char *string1;
{
  char buf[100];
  doprnt (buf, sizeof buf, string1, (char *)0, 5, &string1 + 1);
  return build_string (buf);
}

My suspicion is that this has changed recently, and emacs is crashing as a result.

Doing arithmetic on the address of a stack argument is just bad juju.
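
The point in the comment above, illustrated with an added C example (this is not Emacs code; the function names, the layout probe and the sample buffer names are this example's own). It contrasts the fixed-arity trick in emacs21's format1(), which reaches arguments it never declared by walking past `&string1`, with the portable `<stdarg.h>` way of writing the same "Buffer %s modified; kill anyway? " prompt into a 100-byte buffer, including what happens when the buffer name is longer than the buffer:

```c
/* Added example, not Emacs source. Contrasts the emacs21 format1() idiom
 * (reach later arguments through &first_param + 1) with a portable
 * <stdarg.h> implementation of the same "Buffer %s modified; kill anyway? "
 * prompt. All names here are this example's own. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Probe: do three int parameters sit in adjacent, ascending memory slots?
 * That is exactly what `&string1 + 1` assumes. On i386 cdecl at -O0 the
 * caller pushes arguments in order, so this tends to be 1; on x86-64 the
 * first six arguments arrive in registers and the compiler spills them
 * wherever it likes, so it is typically 0. The answer is ABI- and
 * compiler-dependent, which is the whole problem. (Equality comparison of
 * pointers to distinct objects is defined; relational comparison is not.) */
static int params_ascending_contiguous(int a, int b, int c)
{
    return (&a + 1 == &b) && (&b + 1 == &c);
}

/* Portable replacement: declare the function variadic and let va_arg (via
 * vsnprintf) fetch the arguments however the ABI actually passed them.
 * Returns what vsnprintf returns: the length the full string would have had,
 * so a result >= bufsize means the output was cut short. */
static int format1_portable(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, bufsize, fmt, ap);
    va_end(ap);
    return n;
}

/* The prompt from the stack trace, built into a caller-supplied buffer the
 * way format1's `char buf[100]` is. Returns the bytes stored (excluding the
 * NUL) and reports whether a long buffer name had to be truncated. */
static size_t kill_prompt(char *buf, size_t bufsize, const char *bufname, int *truncated)
{
    int want = format1_portable(buf, bufsize,
                                "Buffer %s modified; kill anyway? ", bufname);
    *truncated = (want < 0) || ((size_t)want >= bufsize);
    return strlen(buf);
}

int main(void)
{
    char buf[100];   /* same size as emacs21's format1() buffer */
    int truncated;

    /* Constructed sample name, matching the reproduction recipe above. */
    size_t n = kill_prompt(buf, sizeof buf, "somefile", &truncated);
    printf("%zu bytes, truncated=%d: \"%s\"\n", n, truncated, buf);

    /* Constructed 199-character name: output stays NUL-terminated, just cut. */
    char longname[200];
    memset(longname, 'x', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    n = kill_prompt(buf, sizeof buf, longname, &truncated);
    printf("%zu bytes, truncated=%d\n", n, truncated);

    printf("parameters adjacent and ascending (what &string1 + 1 needs): %d\n",
           params_ascending_contiguous(1, 2, 3));
    return 0;
}
```

Compile and run it on both 32-bit and 64-bit targets (for example `gcc -m32 -O0` versus `gcc -O2`) and the probe's answer changes while the variadic version keeps working; that difference is what a toolchain upgrade exposed here.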

Revision history for this message
dino99 (9d9) wrote :

This version died long ago; it is no longer supported.

Changed in emacs21 (Ubuntu):
status: New → Invalid