Tk Source Code: View Ticket

Ticket UUID:	f52986c6989b8a43a412efb66374b3940e366bac
Title:	SIGABRT from Tk_DeleteErrorHandler()
Type:	Bug	Version:	9.0.0
Submitter:	sbron	Created on:	2024-10-02 09:30:22
Subsystem:	46. Unix Fonts	Assigned To:	fvogel
Priority:	5 Medium	Severity:	Severe
Status:	Closed	Last Modified:	2024-10-11 11:52:13
Resolution:	Fixed	Closed By:	jan.nijtmans
		Closed on:	2024-10-11 11:52:13
Description:	Running TkChat with Tcl/Tk 9.0.0 sometimes aborts when loading many lines of history: Core was generated by `/home/sbron/tcl/tclapps/apps/tkchat/tkchat'. Program terminated with signal SIGABRT, Aborted. (gdb) bt #0 0x00007f4877aa949c in __pthread_kill_implementation () at /lib64/libc.so.6 #1 0x00007f4877a578c2 in raise () at /lib64/libc.so.6 #2 0x00007f4877a3f64f in abort () at /lib64/libc.so.6 #3 0x00007f4877a40517 in _IO_peekc_locked.cold () at /lib64/libc.so.6 #4 0x00007f4877b3daa7 in () at /lib64/libc.so.6 #5 0x00007f4877b3eea2 in () at /lib64/libc.so.6 #6 0x00007f4878cff7df in () at /usr/lib64/libX11.so.6 #7 0x0000000000521611 in Tk_DeleteErrorHandler (handler=0x50abfb0) at /home/sbron/tcl/tk9.0.0/unix/../generic/tkError.c:179 #8 0x00000000004e5e35 in Tk_MeasureChars (tkfont=0x369c320, source=0x56a806 "", numBytes=0, maxLength=-1, flags=0, lengthPtr=0x7fff3c7e5e3c) at /home/sbron/tcl/tk9.0.0/unix/../unix/tkUnixRFont.c:822 #9 0x00000000004b7af4 in MeasureChars (tkfont=0x369c320, source=0x56a805 " ", maxBytes=1, rangeStart=0, rangeLength=1, startX=0, maxX=-1, flags=0, nextXPtr=0x7fff3c7e5ec8) at /home/sbron/tcl/tk9.0.0/unix/../generic/tkTextDisp.c:8711 #10 0x00000000004b7995 in SizeOfTab (textPtr=0x36e7050, tabStyle=TK_TEXT_TABSTYLE_TABULAR, tabArrayPtr=0x43d2480, indexPtr=0x7fff3c7e8e2c, x=102, maxX=677) at /home/sbron/tcl/tk9.0.0/unix/../generic/tkTextDisp.c:8578 #11 0x00000000004addfa in LayoutDLine (textPtr=0x36e7050, indexPtr=0x7fff3c7e90a0) at /home/sbron/tcl/tk9.0.0/unix/../generic/tkTextDisp.c:1612 #12 0x00000000004b1663 in CalculateDisplayLineHeight (textPtr=0x36e7050, indexPtr=0x7fff3c7e90a0, byteCountPtr=0x7fff3c7e901c, mergedLinePtr=0x7fff3c7e9018) at /home/sbron/tcl/tk9.0.0/unix/../generic/tkTextDisp.c:3811 #13 0x00000000004b18a2 in TkTextUpdateOneLine (textPtr=0x36e7050, linePtr=0x5490850, pixelHeight=0, indexPtr=0x7fff3c7e90a0, partialCalc=1) at /home/sbron/tcl/tk9.0.0/unix/../generic/tkTextDisp.c:4014 #14 0x00000000004b0d3f in TkTextUpdateLineMetrics (textPtr=0x36e7050, lineNum=647, endLine=2441, doThisMuch=256) at /home/sbron/tcl/tk9.0.0/unix/../generic/tkTextDisp.c:3323 #15 0x00000000004b0717 in AsyncUpdateLineMetrics (clientData=0x36e7050) at /home/sbron/tcl/tk9.0.0/unix/../generic/tkTextDisp.c:3049 #16 0x00007f4878f547dd in TimerHandlerEventProc () at /home/sbron/usr/lib64/libtcl9.0.so #17 0x00007f4878f2d897 in Tcl_ServiceEvent () at /home/sbron/usr/lib64/libtcl9.0.so #18 0x00007f4878f2dba9 in Tcl_DoOneEvent () at /home/sbron/usr/lib64/libtcl9.0.so #19 0x00000000005236b7 in Tk_MainLoop () at /home/sbron/tcl/tk9.0.0/unix/../generic/tkEvent.c:2127 #20 0x0000000000411d2d in Tk_MainEx (argc=-1, argv=0x7fff3c7e9628, appInitProc=0x411682 <Tcl_AppInit>, interp=0x257a900) at /home/sbron/tcl/tk9.0.0/unix/../generic/tkMain.c:378 #21 0x000000000041167b in main (argc=1, argv=0x7fff3c7e9628) at /home/sbron/tcl/tk9.0.0/unix/../unix/tkAppInit.c:115 Looking at Tk_DeleteErrorHandler(), it seems that the error comes from some kind of garbage collection and may not be related to Tk_MeasureChars() at all. Both the core file and the binary are quite big so I'm not attaching them to the ticket. But I'll be happy to fire up gdb and dump any information that may be helpful to investigate this problem.
User Comments:	jan.nijtmans added on 2024-10-11 11:52:13: Like [335c92cf9d27ab86\|this]? chw added on 2024-10-11 11:03:06: Would you mind to re-add the comment of the originally innocent looking lines again? Although adding no real beef, it provides some guidance for the casual reader at least. jan.nijtmans added on 2024-10-11 10:11:51: Fixed [7a599109d4fc8ea5\|here], and also in 8.6/8.7 Hopefully the abort doesn't show up any more, otherwise feel free to re-open this ticket! sbron added on 2024-10-11 07:12:23: I haven't experienced any aborts of TkChat anymore after I added the patch to Tk_DeleteErrorHandler(). In my test I inserted the zeroing out of errorPtr->errorProc before the block of code that first increments and then checks dispPtr->deleteCount, rather than in between. But that shouldn't make any difference to the functionality, possibly only to the ability of the compiler to optimize the code. jan.nijtmans added on 2024-10-10 22:00:33: Patch looks good to me (FWIW) fvogel added on 2024-10-07 20:51:06: Committed in branch bug-f52986c698. sbron> I still experienced a crash of TkChat after making only the change to sbron> Tk_MeasureChars(). This makes sense. It is consistent with: fvogel> I fail in identifying why this change would prevent Xsync() from fvogel> SIGABRTing during Tk_DeleteErrorHandler(). The second patch looks more like a promising candidate to me. sbron added on 2024-10-07 08:48:20: I still experienced a crash of TkChat after making only the change to Tk_MeasureChars(). I have now also added the Tk_DeleteErrorHandler() change. A couple of restarts of TkChat worked fine. But, as the problem only happens every now and then, I'm unable to conclude if that fixes the problem. I will keep monitoring in the next days. chw added on 2024-10-06 20:21:48: Would you like to consider some innocent looking lines in Tk_DeleteErrorHandler()? https://www.androwish.org/home/file?ci=tip&name=jni/sdl2tk/generic/tkError.c&ln=169-173 They will prevent possible stack bombs. fvogel added on 2024-10-06 19:22:14: Thank you for this proposal Christian! I see the reason for the change you are proposing: don't wait for the next iteration of the while (numBytes > 0) loop to set extents.xOff to zero in case XftTextExtents32() triggered an error. This change looks OK to me since the right value of extents.xOff will then be used afterwards. However, I fail in identifying why this change would prevent Xsync() from SIGABRTing during Tk_DeleteErrorHandler(). Could you please explain? Anyway, despite many many tries, I couldn't check whether this change fixes the reported issue or not. I have lots of difficulties in reproducing the problem (without your fix). Without a reproducible scheme, I'm afraid we cannot demonstrate that the fix works. chw added on 2024-10-05 16:53:39: Would you like to test this inconspicuous logic change in Tk_MeasureChars()? Old: if (!errorFlag) { LOCK; XftTextExtents32(fontPtr->display, ftFont, &c, 1, &extents); UNLOCK; } else { extents.xOff = 0; errorFlag = 0; } New: if (!errorFlag) { LOCK; XftTextExtents32(fontPtr->display, ftFont, &c, 1, &extents); UNLOCK; } if (errorFlag) { extents.xOff = 0; errorFlag = 0; } fvogel added on 2024-10-05 13:14:10: The XSync() line triggering the SIGABRT has been introduced in [3233521135] (side note: this means the issue should be reproducible with core-8-6-branch as well, but I didn't check in practice). @Christian Werner, any thoughts perhaps? sbron added on 2024-10-05 13:06:25: It probably still has the same root cause. If I read the code correctly, Tk_DeleteErrorHandler() collects 10 handlers before it cleans them all up in one go. So the actual problem may have happened earlier than the current call to Tk_MeasureChars(). Maybe doing the cleanup every time provides a better indication of where the problem really happens. fvogel added on 2024-10-05 11:54:24: Not the same sack trace, but still from Tk_MeasureChars. fvogel added on 2024-10-05 11:52:55: By increasing the number of days log (change -13 to, say, -23 in tkchat.tcl:485), I could reproduce an abort few times. As mentioned in the original report, this is not reproducible every time. It is even not so eaesy to trigger, one needs several (identical) attempts. Smells a lot like a race condition. Running in gdb I could get another SIGABRT error, but not the same as the one originally reported. See attached. fvogel added on 2024-10-05 09:03:02: Looking at the code I'm wondering if this could be linked to [1185640fff]. sbron added on 2024-10-05 08:24:45: It doesn't abort for me today either. I guess it may depend on some content in the history. I'll let you know when it happens again. fvogel added on 2024-10-05 08:13:04: Thank you for the recipe. I could follow it and create a wrapped tkchat executable on Linux Debian 11. However I'm afraid I cannot reproduce the reported problem. I ran this executable several times, each time loading as much history as available, but I couldn't get any abort. sbron added on 2024-10-03 07:47:26: These are the commands I used to build a wrapped executable for tkchat, starting from an empty directory: wget -qO- http://prdownloads.sourceforge.net/tcl/tcl9.0.0-src.tar.gz \| tar xzv wget -qO- http://prdownloads.sourceforge.net/tcl/tk9.0.0-src.tar.gz \| tar xzv mkdir tcl9.0.0/static tk9.0.0/static tclapps cd tcl9.0.0/static ../unix/configure --enable-symbols --disable-shared make -j4 cd ../../tk9.0.0/static ../unix/configure --with-tcl=../../tcl9.0.0/static --enable-symbols --disable-shared make cd ../../tclapps fossil open https://core.tcl-lang.org/tclapps/tclapps cd apps/tkchat/tkchat.vfs unzip ../../../../tk9.0.0/static/wish cd .. patch -p2 < /tmp/tkchat.diff echo 'zipfs mkimg tkchat tkchat.vfs tkchat.vfs;exit' \| ../../../tk9.0.0/static/wish sbron added on 2024-10-02 20:38:44: Technically, yes. But I suspect that X11 aborts because it is getting some invalid data from Tk. TkChat is part of tclapps. I just basically ripped out all the starkit stuff from tkchat.vfs/main.tcl. I then zipped it up and added it to a static wish 9.0. I will provide a more detailed procedure tomorrow, if still needed. fvogel added on 2024-10-02 20:04:43: Isn't this an abort in the X11 guts (not Tk)? Can you provide a recipe about how to "run TkChat with Tcl/Tk 9.0.0"? That way I could try to reproduce.

Attachments:

another SIGABRT.txt [download] added by fvogel on 2024-10-05 11:53:29. [details]
tkchat.diff [download] added by sbron on 2024-10-03 07:42:40. [details]