bug#25816: Emacs xwidget GC issue with callback

bug#25816: Emacs xwidget GC issue with callback

[Paul Eggert]

[-- Attachment #1: Type: text/plain, Size: 743 bytes --]

When configuring with --with-xwidgets --enable-check-lisp-object-type the Emacs 
build would fail due to a type confusion in src/xwidget.c, which I attempted to 
fix by installing the attached patch. However, as noted in the patch, this code 
appears to have a garbage-collection bug, as it converts a Lisp_Object to a C 
pointer and stores that pointer (for what appears to be an indefinite period of 
time) into a C object that the garbage collector does not know about. If 
garbage-collection reclaims the object before the callback is used, disaster can 
occur. As I don't know the lifetime of the C object I'm reluctant to try to fix 
this myself, so I'm filing this bug report in the hope that an xwidget expert 
can fix it.


[-- Attachment #2: 0001-Port-xwidget-to-DCHECK_LISP_OBJECT_TYPE.txt --]
[-- Type: text/plain, Size: 2455 bytes --]

From 5baceff92d8947ed5b64fadae808b366f5ca1da7 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Mon, 20 Feb 2017 08:53:50 -0800
Subject: [PATCH] Port xwidget to -DCHECK_LISP_OBJECT_TYPE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* src/xwidget.c (webkit_javascript_finished_cb)
(Fxwidget_webkit_execute_script): Don't assume Lisp_Object is an
integer.  This fix is just a hack; I’ll file a bug report about
the underlying problem.
---
 src/xwidget.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/xwidget.c b/src/xwidget.c
index 5c276b1..dc705bb 100644
--- a/src/xwidget.c
+++ b/src/xwidget.c
@@ -389,7 +389,10 @@ webkit_javascript_finished_cb (GObject      *webview,
     /* Register an xwidget event here, which then runs the callback.
        This ensures that the callback runs in sync with the Emacs
        event loop.  */
-    store_xwidget_js_callback_event (xw, (Lisp_Object)lisp_callback,
+    /* FIXME: This might lead to disaster if LISP_CALLBACK’s object
+       was garbage collected before now.  See the FIXME in
+       Fxwidget_webkit_execute_script.  */
+    store_xwidget_js_callback_event (xw, XIL ((intptr_t) lisp_callback),
                                      lisp_value);
 }
 
@@ -714,8 +717,13 @@ argument procedure FUN.*/)
   if (!NILP (fun) && !FUNCTIONP (fun))
     wrong_type_argument (Qinvalid_function, fun);
 
-  void *callback = (FUNCTIONP (fun)) ?
-    &webkit_javascript_finished_cb : NULL;
+  GAsyncReadyCallback callback
+    = FUNCTIONP (fun) ? webkit_javascript_finished_cb : NULL;
+
+  /* FIXME: This hack might lead to disaster if FUN is garbage
+     collected before store_xwidget_js_callback_event makes it visible
+     to Lisp again.  See the FIXME in webkit_javascript_finished_cb.  */
+  gpointer callback_arg = (gpointer) (intptr_t) XLI (fun);
 
   /* JavaScript execution happens asynchronously.  If an elisp
      callback function is provided we pass it to the C callback
@@ -723,8 +731,7 @@ argument procedure FUN.*/)
   webkit_web_view_run_javascript (WEBKIT_WEB_VIEW (xw->widget_osr),
                                   SSDATA (script),
                                   NULL, /* cancelable */
-                                  callback,
-                                  (gpointer) fun);
+                                  callback, callback_arg);
   return Qnil;
 }
 
-- 
2.9.3

bug#25816: Emacs xwidget GC issue with callback

[Andreas Schwab]

On Feb 20 2017, Paul Eggert <eggert@cs.ucla.edu> wrote:

> @@ -714,8 +717,13 @@ argument procedure FUN.*/)
>    if (!NILP (fun) && !FUNCTIONP (fun))
>      wrong_type_argument (Qinvalid_function, fun);
>  
> -  void *callback = (FUNCTIONP (fun)) ?
> -    &webkit_javascript_finished_cb : NULL;
> +  GAsyncReadyCallback callback
> +    = FUNCTIONP (fun) ? webkit_javascript_finished_cb : NULL;
> +
> +  /* FIXME: This hack might lead to disaster if FUN is garbage
> +     collected before store_xwidget_js_callback_event makes it visible
> +     to Lisp again.  See the FIXME in webkit_javascript_finished_cb.  */
> +  gpointer callback_arg = (gpointer) (intptr_t) XLI (fun);

When --with-wide-int, EMACS_INT may be wider than a pointer, and this
discards the type bits.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

bug#25816: Emacs xwidget GC issue with callback

[Paul Eggert]

[-- Attachment #1: Type: text/plain, Size: 238 bytes --]

Andreas Schwab wrote:
> When --with-wide-int, EMACS_INT may be wider than a pointer, and this
> discards the type bits.

Thanks, I installed the attached to document this limitation. Fixing the GC bug 
should remove the limitation.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Verify-xwidget-USE_LSB_TAG-assumption.patch --]
[-- Type: text/x-diff; name="0001-Verify-xwidget-USE_LSB_TAG-assumption.patch", Size: 970 bytes --]

From 57a8346edfbaa7a4002f2ed8cad041588dfcdd9c Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Mon, 20 Feb 2017 13:03:12 -0800
Subject: [PATCH] Verify xwidget USE_LSB_TAG assumption

* src/xwidget.c (Fxwidget_webkit_execute_script):
Add verification.  Problem reported by Andreas Schwab (Bug#25816#8).
---
 src/xwidget.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/xwidget.c b/src/xwidget.c
index dc705bb..e6de5da 100644
--- a/src/xwidget.c
+++ b/src/xwidget.c
@@ -720,6 +720,8 @@ argument procedure FUN.*/)
   GAsyncReadyCallback callback
     = FUNCTIONP (fun) ? webkit_javascript_finished_cb : NULL;
 
+  /* FIXME: The following hack assumes USE_LSB_TAG.  */
+  verify (USE_LSB_TAG);
   /* FIXME: This hack might lead to disaster if FUN is garbage
      collected before store_xwidget_js_callback_event makes it visible
      to Lisp again.  See the FIXME in webkit_javascript_finished_cb.  */
-- 
2.7.4