enlightenment bug

So I've been chasing this one a while... happens when I raise certain Java/Swing windows... For some reason this always blows e out of the water rather than invoking the white-box abend handler, dunno why.

Program received signal SIGSEGV, Segmentation fault.
0x080848c9 in eina_list_data_get (list=0x28) at /Development/Programs/e17/build/include/eina-1/eina/eina_inline_list.x:47
47         return list->data;
(gdb) bt
#0  0x080848c9 in eina_list_data_get (list=0x28) at /Development/Programs/e17/build/include/eina-1/eina/eina_inline_list.x:47
#1  0x08088542 in e_border_raise (bd=0x98d3188) at e_border.c:1636
#2  0x080e54f0 in _e_focus_raise_timer (data=0x98d3188) at e_focus.c:200
#3  0xb7708e5c in _ecore_call_task_cb (func=0x80e54c8 <_e_focus_raise_timer>, data=0x98d3188) at ecore_private.h:246
#4  0xb770a06e in _ecore_timer_expired_call (when=1244.7803629980001) at ecore_timer.c:731
#5  0xb7709f00 in _ecore_timer_expired_timers_call (when=1244.7803629980001) at ecore_timer.c:685
#6  0xb77071a6 in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:1683
#7  0xb7705b78 in ecore_main_loop_begin () at ecore_main.c:861
#8  0x08073329 in main (argc=1, argv=0xbfbc94d4) at e_main.c:945

(gdb) print list
$1 = (const Eina_List *) 0x28
(gdb) list
42
43      static inline void *
44      eina_list_data_get(const Eina_List *list)
45      {
46         if (!list) return NULL;
47         return list->data;
48      }

(gdb) up
#1  0x08088542 in e_border_raise (bd=0x98d3188) at e_border.c:1636
1636            EINA_LIST_REVERSE_FOREACH(bd->transients, l, child)
(gdb) list
1622    EAPI void
1623    e_border_raise(E_Border *bd)
1624    {
1625       E_Event_Border_Stack *ev;
1626       E_Border *last = NULL, *child;
1627       Eina_List *l;
1628
1629       E_OBJECT_CHECK(bd);
1630       E_OBJECT_TYPE_CHECK(bd, E_BORDER_TYPE);
1631
1632       ecore_x_window_shadow_tree_flush();
1633
1634       if (e_config->transient.raise)
1635         {
1636            EINA_LIST_REVERSE_FOREACH(bd->transients, l, child)
1637            {
1638               /* Don't stack iconic transients. If the user wants these shown,
1639                * thats another option.
1640                */
(gdb) print l
$2 = (Eina_List *) 0x28
(gdb) print bd->transients
$3 = (Eina_List *) 0xb74523f0
(gdb) print child
$4 = (E_Border *) 0x1175

Looks like someone forgot to initialise their variable:
e/src/bin/e_border.c:
1627       Eina_List *l;
tsk, tsk, tsk.

Or maybe not... EINA_LIST_REVERSE_FOREACH does more than I thought (I occasionally hate macros).

(aside, eina_list_data_get can return NULL, if that happens e_border_raise will go boom)

looks like one of the entries in bd->transients is duff, let's have a butchers at that then:
(gdb) print bd
$7 = (E_Border *) 0x98d3188
(gdb) print bd->transients
$8 = (Eina_List *) 0xb74523f0
(gdb) print *bd->transients
$9 = {data = 0xa733180, next = 0x985e278, prev = 0x9822f20, accounting = 0x9822f20, __magic = 159441632}
(gdb) print *bd->transients->prev
$10 = {data = 0x28, next = 0x409, prev = 0xb74523f0, accounting = 0xb74523f0, __magic = 0}
(gdb) print *bd->transients->prev->prev
$11 = {data = 0xa733180, next = 0x985e278, prev = 0x9822f20, accounting = 0x9822f20, __magic = 159441632}
(gdb) print *bd->transients->prev->prev->prev
$12 = {data = 0x28, next = 0x409, prev = 0xb74523f0, accounting = 0xb74523f0, __magic = 0}
(gdb) print *bd->transients->prev->prev->prev->prev
$13 = {data = 0xa733180, next = 0x985e278, prev = 0x9822f20, accounting = 0x9822f20, __magic = 159441632}
(gdb) print *bd->transients->prev->prev->prev->prev->prev
$14 = {data = 0x28, next = 0x409, prev = 0xb74523f0, accounting = 0xb74523f0, __magic = 0}
(gdb) print *bd->transients->prev->prev->prev->prev->prev->prev
$15 = {data = 0xa733180, next = 0x985e278, prev = 0x9822f20, accounting = 0x9822f20, __magic = 159441632}
(gdb) print *bd->transients->prev->prev->prev->prev->prev->prev->prev
$16 = {data = 0x28, next = 0x409, prev = 0xb74523f0, accounting = 0xb74523f0, __magic = 0}
(gdb) print *bd->transients->next
$17 = {data = 0x9814bf8, next = 0x19, prev = 0x985e800, accounting = 0x97fde68, __magic = 1348927604}
(gdb) print *bd->transients->next->next
Cannot access memory at address 0x19

hmmm, that's not a pretty list! Infinite loop in the reverse and a guaranteed segfault going forward, lovely.

Who gave us this list then?
(gdb) print *bd
$20 = {e_obj_inherit = {magic = -1220205016, type = 159377376, references = 159377376, del_func = 0x97fe7e0,
    cleanup_func = 0x98cfe48, free_att_func = 0x98d6458, del_att_func = 0x98d10e0, del_fn_list = 0x97f4600, data = 0x983d4d8,
    walking_list = 0, deleted = 1 '\001'}, mouse = {current = {x = 0, y = 0, w = 0, h = 0, mx = 563, my = 239}, last_down = {{
        x = 1162, y = 227, w = 797, h = 1200, mx = 1267, my = 402}, {x = 0, y = 0, w = 0, h = 0, mx = 0, my = 0}, {x = 0, y = 0,
        w = 0, h = 0, mx = 0, my = 0}}, last_up = {{x = 46, y = 64, w = 0, h = 0, mx = 151, my = 239}, {x = 0, y = 0, w = 0,
        h = 0, mx = 0, my = 0}, {x = 0, y = 0, w = 0, h = 0, mx = 0, my = 0}}}, moveinfo = {down = {x = 0, y = 0, w = 0, h = 0,
      mx = 1267, my = 402, button = 1}}, win = 8409539, x = 46, y = 64, w = 797, h = 1200, ref = 0, zone = 0x0, desk = 0x996b0a0,
  handlers = 0x0, fx = {x = 0, y = 0, start = {x = 0, y = 0, t = 0}}, client_inset = {l = 0, r = 0, t = 27, b = 4},
  bg_ecore_evas = 0xa46b308, bg_evas = 0x97d6dc8, bg_win = 8409540, bg_object = 0xa6d0f90, icon_object = 0xa6d6fd0,
  event_win = 8409544, internal_icon = 0x0, internal_icon_key = 0x0, client = {shell_win = 8409545, win = 37748796, x = 0, y = 0,
    w = 797, h = 1169, border = {changed = 0 '\000', user_selected = 0 '\000', name = 0x97ab878 "default"}, shaped = 0 '\000',
    argb = 0 '\000', icccm = {title = 0x0, name = 0x98142c0 "sun-awt-X11-XFramePeer",
      class = 0x97a9d90 "com-ibm-sdwb-cmvc-client-dc-CMVC", icon_name = 0x0, machine = 0x0, min_w = 0, min_h = 0, max_w = 32767,
      max_h = 32767, base_w = -1, base_h = -1, step_w = -1, step_h = -1, start_x = 0, start_y = 0, min_aspect = 0, max_aspect = 0,
      initial_state = ECORE_X_WINDOW_STATE_HINT_NORMAL, state = ECORE_X_WINDOW_STATE_HINT_WITHDRAWN, icon_pixmap = 0,
      icon_mask = 0, icon_window = 0, window_group = 0, transient_for = 0, client_leader = 37748744, gravity = ECORE_X_GRAVITY_NW,
      window_role = 0x0, take_focus = 1 '\001', accepts_focus = 0 '\000', urgent = 0 '\000', delete_request = 1 '\001',
      request_pos = 1 '\001', command = {argc = 0, argv = 0x0}, fetch = {title = 0 '\000', name_class = 0 '\000',
        icon_name = 0 '\000', machine = 0 '\000', hints = 1 '\001', size_pos_hints = 0 '\000', protocol = 0 '\000',
        transient_for = 0 '\000', client_leader = 0 '\000', window_role = 0 '\000', state = 0 '\000', command = 0 '\000'}}, mwm = {
      func = ECORE_X_MWM_HINT_FUNC_ALL, decor = ECORE_X_MWM_HINT_DECOR_ALL, input = ECORE_X_MWM_HINT_INPUT_MODELESS,
      exists = 1 '\001', borderless = 0 '\000', fetch = {hints = 0 '\000'}}, netwm = {pid = -1, desktop = 0, name = 0x989da20 "",
      icon_name = 0x989da20 "", icons = 0x98cf320, num_icons = 1, user_time = 0, strut = {left = 0, right = 0, top = 0,
        bottom = 0, left_start_y = 0, left_end_y = 0, right_start_y = 0, right_end_y = 0, top_start_x = 0, top_end_x = 0,
        bottom_start_x = 0, bottom_end_x = 0}, ping = 0 '\000', sync = {request = 0 '\000', wait = 0, alarm = 0, counter = 0,
        serial = 0, send_time = 0}, state = {modal = 0 '\000', sticky = 0 '\000', maximized_v = 0 '\000', maximized_h = 0 '\000',
        shaded = 0 '\000', skip_taskbar = 0 '\000', skip_pager = 0 '\000', hidden = 0 '\000', fullscreen = 0 '\000',
        stacking = E_STACKING_NONE}, action = {move = 0 '\000', resize = 0 '\000', minimize = 0 '\000', shade = 0 '\000',
        stick = 0 '\000', maximized_h = 0 '\000', maximized_v = 0 '\000', fullscreen = 0 '\000', change_desktop = 0 '\000',
        close = 0 '\000'}, type = ECORE_X_WINDOW_TYPE_UNKNOWN, extra_types = 0x0, extra_types_num = 0, startup_id = 0, fetch = {
        name = 0 '\000', icon_name = 0 '\000', icon = 0 '\000', user_time = 0 '\000', strut = 0 '\000', type = 0 '\000',
        state = 0 '\000'}, update = {state = 0 '\000'}}, e = {state = {centered = 0 '\000'}, fetch = {state = 0 '\000'}},
    qtopia = {fetch = {soft_menu = 0 '\000', soft_menus = 0 '\000'}, soft_menu = 0 '\000', soft_menus = 0 '\000'}, vkbd = {
      fetch = {state = 0 '\000', vkbd = 0 '\000'}, state = ECORE_X_VIRTUAL_KEYBOARD_STATE_UNKNOWN, vkbd = 0 '\000'}, illume = {
      conformant = {fetch = {conformant = 0 '\000'}, conformant = 0 '\000'}, quickpanel = {fetch = {state = 0 '\000', priority = {
            major = 0, minor = 0}, quickpanel = 0 '\000', zone = 0 '\000'}, state = ECORE_X_ILLUME_QUICKPANEL_STATE_UNKNOWN,
        priority = {major = 0, minor = 0}, quickpanel = 0 '\000', zone = 0}, drag = {fetch = {drag = 0 '\000', locked = 0 '\000'},
        drag = 0 '\000', locked = 0 '\000'}}, initial_attributes = {root = 214, x = 1162, y = 200, w = 797, h = 1169, border = 0,
      depth = 24, visible = 0 '\000', viewable = 0 '\000', override = 0 '\000', input_only = 0 '\000', save_under = 0 '\000',
      event_mask = {mine = 15400960, all = 32219260, no_propagate = ECORE_X_EVENT_MASK_NONE}, window_gravity = ECORE_X_GRAVITY_NW,
      pixel_gravity = ECORE_X_GRAVITY_NW, colormap = 32, visual = 0x9763a20}}, shape = 0x98207d8, visible = 0,
  await_hide_event = 0, moving = 0, focused = 0, new_client = 0, re_manage = 0, placed = 1, shading = 0, shaded = 0, iconic = 0,
  deskshow = 0, sticky = 0, shaped = 0, shaped_input = 0, need_shape_merge = 0, need_shape_export = 0, fullscreen = 0,
  need_fullscreen = 0, already_unparented = 1, need_reparent = 0, button_grabbed = 0, delete_requested = 0, ping_ok = 0, hung = 0,
  take_focus = 0, want_focus = 0, user_skip_winlist = 0, need_maximize = 0, maximized = E_MAXIMIZE_NONE, borderless = 0,
  offer_resistance = 1 '\001', bordername = 0x0, lock_user_location = 0, lock_client_location = 0, lock_user_size = 0,
  lock_client_size = 0, lock_user_stacking = 0, lock_client_stacking = 0, lock_user_iconify = 0, lock_client_iconify = 0,
  lock_user_desk = 0, lock_client_desk = 0, lock_user_sticky = 0, lock_client_sticky = 0, lock_user_shade = 0,
  lock_client_shade = 0, lock_user_maximize = 0, lock_client_maximize = 0, lock_user_fullscreen = 0, lock_client_fullscreen = 0,
  lock_border = 0, lock_close = 0, lock_focus_in = 0, lock_focus_out = 0, lock_life = 0, internal = 0, internal_no_remember = 0,
  stolen = 0, internal_ecore_evas = 0x0, ping = 0, changed = 0 '\000', icon_preference = 0 '\000', ignore_first_unmap = 0 '\000',
  resize_mode = 11 '\v', saved = {x = 0, y = 0, w = 0, h = 0, layer = 100, zone = 0, maximized = E_MAXIMIZE_NONE},
  pre_res_change = {valid = 0 '\000', x = 0, y = 0, w = 0, h = 0, saved = {x = 0, y = 0, w = 0, h = 0}}, shade = {start = 0,
    val = 0, x = 0, y = 0, dir = E_DIRECTION_UP, anim = 0x0}, shelf_fix = {x = 0, y = 0, modified = 0}, stick_desks = 0x0,
  border_menu = 0x0, border_locks_dialog = 0x0, border_remember_dialog = 0x0, border_border_dialog = 0x0,
  border_prop_dialog = 0x0, pending_move_resize = 0x0, changes = {visible = 1 '\001', pos = 0 '\000', size = 0 '\000',
    stack = 0 '\000', prop = 0 '\000', border = 0 '\000', reset_gravity = 0 '\000', shading = 0 '\000', shaded = 0 '\000',
    shape = 0 '\000', shape_input = 0 '\000', icon = 0 '\000'}, drag = {start = 0 '\000', x = 0, y = 0}, layer = 100,
  cur_mouse_action = 0x0, raise_timer = 0xa2eb970, ping_poller = 0x0, kill_timer = 0x0, shape_rects_num = 0, shape_rects = 0x0,
  remember = 0x0, modal = 0x0, leader = 0x0, group = 0x0, parent = 0x21, transients = 0xb74523f0, desktop = 0xb74523f0,
  pointer = 0x0, comp_hidden = 0 '\000', post_move = 0 '\000', post_resize = 0 '\000', post_show = 0 '\000', post_job = 0x0,
  argb = 0 '\000', tmp_input_hidden = 1064}

so it looks like the border is roughly sane, except for the transients that is.
go up the stack to see where we were fed the border from:
  195_e_focus_raise_timer(void* data)
  196{
  197   E_Border *bd;
  198
  199   bd = data;
  200   if (!bd->lock_user_stacking) e_border_raise(bd);
  201   bd->raise_timer = NULL;
  202   return ECORE_CALLBACK_CANCEL;

doesn't look like he could have messed up the data... go up the stack again!
(gdb) up
#2  0xb7708e5c in _ecore_call_task_cb (func=0x80e54c8 <_e_focus_raise_timer>, data=0x98d3188) at ecore_private.h:246
246        r = func(data);
  240static inline Eina_Bool
  241_ecore_call_task_cb(Ecore_Task_Cb func, void *data)
  242{
  243   Eina_Bool r;
  244
  245   _ecore_unlock();
  246   r = func(data);
  247   _ecore_lock();

nah, not 'im either. up again!:
(gdb) up
#3  0xb770a06e in _ecore_timer_expired_call (when=1244.7803629980001) at ecore_timer.c:731
731             if (!_ecore_call_task_cb(timer->func, timer->data))

nuts, doesn't look like I'm going to figure this out today...