bug#37786: 26.3; Emacs crashes when calling function to decode string

[Allen Li]

Robert Pluim <rpluim@gmail.com> writes:

>>>>>> On Thu, 17 Oct 2019 06:22:10 +0200, Lars Ingebrigtsen <larsi@gnus.org> 
>>>>>> said:
>
>     Lars> Allen Li <darkfeline@felesatra.moe> writes:
>     >> The following expression, when evaluated in emacs -Q, causes emacs to
>     >> crash and dump core:
>     >> 
>     >> (mail-decode-encoded-word-string
>     >> #("=?UTF-8?B?4pyoUERYQ09OIFNBTEXinKggRW5qb3kgU3BlY2lhbCBPZmZlcnMg?=
>     >> =?UTF-8?B?V2hpbGUgWW91IFdhaXQh?=" 0 64 (ws-butler-chg chg) 64 65
>     >> (ws-butler-chg chg) 65 97 (ws-butler-chg chg)))
>
>     Lars> I'm unable to reproduce this in Emacs 27 or Emacs 26.3.
>
>     Lars> Could you do this under gdb and post the backtrace?

This is the backtrace using the simpler repro from Robert.

#0  0x0000000000565ae9 in terminate_due_to_signal (sig=6, backtrace_limit=40) 
at emacs.c:363
#1  0x000000000058ca83 in emacs_abort () at sysdep.c:2380
#2  0x000000000045c17e in redisplay_internal () at xdisp.c:13797
#3  0x000000000045e0b7 in redisplay_preserve_echo_area (from_where=13) at 
xdisp.c:14602
#4  0x0000000000667fbe in Fdelete_process (process=XIL(0x6aa3395)) at 
process.c:1054
#5  0x000000000067716b in kill_buffer_processes (buffer=XIL(0)) at 
process.c:7819
#6  0x00000000005683d0 in shut_down_emacs (sig=0, stuff=XIL(0)) at emacs.c:2096
#7  0x000000000052d854 in x_connection_closed (dpy=0x2b77f50, 
error_message=0x7fffffff6fc0 "X protocol error: BadLength (poly request too 
large or internal Xlib length error) on protocol request 139", ioerror=false) 
at xterm.c:9799
#8  0x000000000052da1b in x_error_quitter (display=0x2b77f50, 
event=0x7fffffff7160) at xterm.c:9893
#9  0x000000000052d966 in x_error_handler (display=0x2b77f50, 
event=0x7fffffff7160) at xterm.c:9863
#10 0x00007ffff6ce75db in _XError () at /usr/lib/libX11.so.6
#11 0x00007ffff6ce4388 in  () at /usr/lib/libX11.so.6
#12 0x00007ffff6ce4425 in  () at /usr/lib/libX11.so.6
#13 0x00007ffff6ce4d8a in _XEventsQueued () at /usr/lib/libX11.so.6
#14 0x00007ffff6cd6782 in XPending () at /usr/lib/libX11.so.6
#15 0x00007ffff7671a00 in  () at /usr/lib/libgdk-3.so.0
#16 0x00007ffff6e79a60 in g_main_context_prepare () at /usr/lib/libglib-2.0.so.0
#17 0x00007ffff6e7a0a6 in  () at /usr/lib/libglib-2.0.so.0
#18 0x00007ffff6e7a2fa in g_main_context_pending () at /usr/lib/libglib-2.0.so.0
#19 0x00007ffff79ae550 in gtk_events_pending () at /usr/lib/libgtk-3.so.0
#20 0x000000000052c185 in XTread_socket (terminal=0x1232e40 
<bss_sbrk_buffer+7610880>, hold_quit=0x7fffffff74a0) at xterm.c:9120
#21 0x000000000057685f in gobble_input () at keyboard.c:6909
#22 0x0000000000576da8 in handle_async_input () at keyboard.c:7146
#23 0x0000000000576dc7 in process_pending_signals () at keyboard.c:7160
#24 0x0000000000576e07 in unblock_input_to (level=0) at keyboard.c:7175
#25 0x0000000000576e2b in unblock_input () at keyboard.c:7194
#26 0x00000000006ab340 in xftfont_open (f=0x1279c30 <bss_sbrk_buffer+7901168>, 
entity=XIL(0x5f805b5), pixel_size=15) at xftfont.c:391
#27 0x000000000063107b in font_open_entity (f=0x1279c30 
<bss_sbrk_buffer+7901168>, entity=XIL(0x5f805b5), pixel_size=15) at font.c:2903
#28 0x0000000000632a50 in font_open_for_lface (f=0x1279c30 
<bss_sbrk_buffer+7901168>, entity=XIL(0x5f805b5), attrs=0x32610d0, spec=XIL(0)) 
at font.c:3332
#29 0x00000000006aea8a in fontset_find_font (fontset=XIL(0x1470c35), c=10024, 
face=0x32610d0, charset_id=-1, fallback=true) at fontset.c:707
#30 0x00000000006aefb7 in fontset_font (fontset=XIL(0x1470c35), c=10024, 
face=0x32610d0, id=-1) at fontset.c:788
#31 0x00000000006af6bc in face_for_char (f=0x1279c30 <bss_sbrk_buffer+7901168>, 
face=0x32610d0, c=10024, pos=1, object=XIL(0)) at fontset.c:990
#32 0x0000000000563994 in FACE_FOR_CHAR (f=0x1279c30 <bss_sbrk_buffer+7901168>, 
face=0x32610d0, character=10024, pos=1, object=XIL(0)) at dispextern.h:1818
#33 0x000000000044b256 in get_next_display_element (it=0x7fffffff8ef0) at 
xdisp.c:7288
#34 0x00000000004730c0 in display_line (it=0x7fffffff8ef0, cursor_vpos=0) at 
xdisp.c:21337
#35 0x0000000000467f0f in try_window (window=XIL(0x127ac35), pos=..., flags=1) 
at xdisp.c:17592
#36 0x0000000000465a0d in redisplay_window (window=XIL(0x127ac35), 
just_this_one_p=false) at xdisp.c:17039
#37 0x000000000045e869 in redisplay_window_0 (window=XIL(0x127ac35)) at 
xdisp.c:14799
#38 0x000000000061316d in internal_condition_case_1 (bfun=0x45e827 
<redisplay_window_0>, arg=XIL(0x127ac35), handlers=XIL(0xb5afb3), hfun=0x45e7ef 
<redisplay_window_error>) at eval.c:1356
#39 0x000000000045e7c3 in redisplay_windows (window=XIL(0x127ac35)) at 
xdisp.c:14779
#40 0x000000000045d608 in redisplay_internal () at xdisp.c:14268
#41 0x000000000045b4ee in redisplay () at xdisp.c:13488
#42 0x000000000056db90 in read_char (commandflag=1, map=XIL(0x6564303), 
prev_event=XIL(0), used_mouse_menu=0x7fffffffe1f1, end_time=0x0) at 
keyboard.c:2480
#43 0x000000000057b533 in read_key_sequence (keybuf=0x7fffffffe390, bufsize=30, 
prompt=XIL(0), dont_downcase_last=false, can_return_switch_frame=true, 
fix_current_buffer=true, prevent_redisplay=false) at keyboard.c:9147
#44 0x000000000056adfb in command_loop_1 () at keyboard.c:1368
#45 0x00000000006130c6 in internal_condition_case (bfun=0x56a9cf 
<command_loop_1>, handlers=XIL(0x5220), hfun=0x56a17a <cmd_error>) at 
eval.c:1332
#46 0x000000000056a6b0 in command_loop_2 (ignore=XIL(0)) at keyboard.c:1110
#47 0x0000000000612963 in internal_catch (tag=XIL(0xc6c0), func=0x56a683 
<command_loop_2>, arg=XIL(0)) at eval.c:1097
#48 0x000000000056a64e in command_loop () at keyboard.c:1089
#49 0x0000000000569d4b in recursive_edit_1 () at keyboard.c:695
#50 0x0000000000569ecc in Frecursive_edit () at keyboard.c:766
#51 0x00000000005679ae in main (argc=1, argv=0x7fffffffe7f8) at emacs.c:1713


>
> Probably font-related. I suspect "C-x 8 RET 2728" will cause the same
> crash for OP.
>
> Robert

Yep, this also crashes for me.