From: news-spam@referential.org.uk (Gareth Jones)
Newsgroups: gmane.emacs.bugs
Subject: Incorrect sub-char-table length can cause segfault
Date: 03 Apr 2003 18:50:33 +0100
To: bug-gnu-emacs@gnu.org
Xref: main.gmane.org gmane.emacs.bugs:4714
In GNU Emacs 21.3.1 (i686-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
of 2003-03-28 on gwa3

Important settings:
  locale-coding-system: iso-latin-1
  default-enable-multibyte-characters: t

I think I've reported this bug previously in Emacs 21.2 or 21.1, but not
in as much detail. Anyway, it is still present in 21.3.

The following will usually, though not always, cause Emacs to segfault:

(progn
  (setq print-circle t)
  (setq test-str " | ")
  (setq test-syntax-table (make-syntax-table))
  (put-text-property 0 1 'syntax-table test-syntax-table test-str)
  (put-text-property 2 3 'syntax-table test-syntax-table test-str)
  (setq test-str-as-string (prin1-to-string test-str)))

; Now this will usually cause a segfault or an infinite loop, if not,
; try running it again
(read test-str-as-string)

This means that Emacs can crash when I use `session-save-session' if
there is text in the kill ring with the syntax-table property set.
cperl-mode, among others, does this.

Although the bug only appears if print-circle is t, I think the
fundamental problem is not directly related to the printing or reading
code. I explain my reasoning below.

Consider the make_sub_char_table function at alloc.c:2394: it creates a
vector with SUB_CHAR_TABLE_STANDARD_SLOTS elements. Similarly, when read
with `read1' a sub-char-table clearly has SUB_CHAR_TABLE_STANDARD_SLOTS
elements (lread.c:1855).

Now in the aref function (data.c:1771) a sub-char-table satisfies
CHAR_TABLE_P. So if `idxval' is greater than
SUB_CHAR_TABLE_STANDARD_SLOTS (= 130) but less than
CHAR_TABLE_ORDINARY_SLOTS (= 384) then line 1783 causes a read outside
the allocated memory.

Furthermore, the length function (fns.c:143) returns a length of
MAX_CHAR for a sub-char-table.

Bearing this in mind, look at substitute_object_recurse (lread.c:2477):
this will recurse down a char-table and when it finds a sub-char-table
it will get its length using Flength (MAX_CHAR) and then use Faref to
read at every index from 0 up to MAX_CHAR. This often causes a segfault.
It doesn't always, because often the memory read is valid, so the
problem can be slightly intermittent.

It seems to me that any index less than the length given by `length'
should be a valid argument to `aref' and `aset', and the bug is that
this assumption is not valid. One way to fix the bug is to alter
`length', as shown below.

diff -c /opt/src/emacs-21.2/src/fns.c /mnt/dosd/src/emacs-21.2/src/fns.c
*** /opt/src/emacs-21.2/src/fns.c	Sat Sep 1 10:21:16 2001
--- /mnt/dosd/src/emacs-21.2/src/fns.c	Wed Jul 3 12:12:25 2002
***************
*** 140,145 ****
--- 140,147 ----
      XSETFASTINT (val, XSTRING (sequence)->size);
    else if (VECTORP (sequence))
      XSETFASTINT (val, XVECTOR (sequence)->size);
+   else if (SUB_CHAR_TABLE_P (sequence))
+     XSETFASTINT (val, SUB_CHAR_TABLE_ORDINARY_SLOTS);
    else if (CHAR_TABLE_P (sequence))
      XSETFASTINT (val, MAX_CHAR);
    else if (BOOL_VECTOR_P (sequence))

Diff finished at Thu Apr 3 17:33:59

Gareth Jones
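Review bot: the new SUB_CHAR_TABLE_P branch has to stay ahead of the CHAR_TABLE_P branch, because (as the report itself notes) a sub-char-table also satisfies CHAR_TABLE_P and the later branch would otherwise shadow it; the ordering here is right, but a one-line comment on the branch would stop a future reorder from silently reintroducing the MAX_CHAR result. More substantively, this hunk only shortens the loop in substitute_object_recurse; the unchecked read at data.c:1783 that the report identifies is still reachable by any caller that hands aref (or aset) an index between SUB_CHAR_TABLE_STANDARD_SLOTS and CHAR_TABLE_ORDINARY_SLOTS directly, so a range check keyed on SUB_CHAR_TABLE_P in the accessor itself would close the out-of-bounds access rather than one path to it. Minor: the diff paths are against an emacs-21.2 tree while the report is filed against 21.3.1, so the line numbers (140,145) should be re-checked against the 21.3 fns.c before applying.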
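To make the length/aref contract the report argues for concrete, here is a small C model, added as an example (it is not code from the report or from Emacs). The slot counts are the values quoted above (SUB_CHAR_TABLE_STANDARD_SLOTS = 130, CHAR_TABLE_ORDINARY_SLOTS = 384); SUB_CHAR_TABLE_ORDINARY_SLOTS = 128, the MAX_CHAR value, the table struct and every function name are assumptions made for the illustration. It shows how many iterations of a 0..length-1 scan would read past a sub-char-table's allocation with the old `length', how many with the patched one, and a bounds-checked accessor that refuses such indexes instead of reading them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Slot counts as quoted in the bug report. SUB_CHAR_TABLE_ORDINARY_SLOTS
   (used by the patch) is assumed here to be 130 minus 2 extra slots. */
#define CHAR_TABLE_ORDINARY_SLOTS      384
#define CHAR_TABLE_STANDARD_SLOTS      (CHAR_TABLE_ORDINARY_SLOTS + 4)
#define SUB_CHAR_TABLE_ORDINARY_SLOTS  128
#define SUB_CHAR_TABLE_STANDARD_SLOTS  130
/* MAX_CHAR's real value is not in the report; any large stand-in shows the effect. */
#define MAX_CHAR                       524287

typedef enum { CHAR_TABLE, SUB_CHAR_TABLE } table_kind;

/* Constructed stand-in for both table kinds: nslots is what was really allocated. */
typedef struct {
    table_kind kind;
    size_t nslots;
    long *slots;
} table;

table *make_table(table_kind kind)
{
    table *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->kind = kind;
    t->nslots = (kind == SUB_CHAR_TABLE) ? SUB_CHAR_TABLE_STANDARD_SLOTS
                                         : CHAR_TABLE_STANDARD_SLOTS;
    t->slots = calloc(t->nslots, sizeof *t->slots);
    if (!t->slots) { free(t); return NULL; }
    return t;
}

void free_table(table *t) { if (t) { free(t->slots); free(t); } }

/* `length' as the report describes it before the patch: a sub-char-table
   satisfies CHAR_TABLE_P too, so both kinds report MAX_CHAR. */
long length_before_patch(const table *t) { (void)t; return MAX_CHAR; }

/* `length' after the patch: a sub-char-table reports its ordinary slot count. */
long length_after_patch(const table *t)
{
    return t->kind == SUB_CHAR_TABLE ? SUB_CHAR_TABLE_ORDINARY_SLOTS : MAX_CHAR;
}

/* The unchecked path the report describes at data.c:1783: any index below
   CHAR_TABLE_ORDINARY_SLOTS is read straight from the slot array. This
   predicate says whether that read would land past the allocation. */
bool unchecked_aref_overruns(const table *t, long idx)
{
    return idx >= 0 && idx < CHAR_TABLE_ORDINARY_SLOTS && (size_t)idx >= t->nslots;
}

/* Hardened accessor: a direct slot read is allowed only inside the allocation.
   Larger indexes on a top-level char-table go through a per-character lookup
   in real Emacs; that is modelled here as "valid, value 0". A sub-char-table
   index beyond its slots is rejected instead of being read. */
bool checked_aref(const table *t, long idx, long *out)
{
    if (idx < 0) return false;
    if ((size_t)idx < t->nslots) { *out = t->slots[idx]; return true; }
    if (t->kind == CHAR_TABLE && idx < MAX_CHAR) { *out = 0; return true; }
    return false;
}

/* The loop shape of substitute_object_recurse: 0 .. length-1 through aref.
   Returns how many of those iterations would read outside the allocation. */
long count_overruns(const table *t, long (*length_fn)(const table *))
{
    long n = length_fn(t), bad = 0;
    for (long i = 0; i < n; i++)
        if (unchecked_aref_overruns(t, i)) bad++;
    return bad;
}

/* The invariant the report asks for: every index below `length' is a valid
   argument to `aref'. True iff checked_aref accepts all of them. */
bool length_aref_consistent(const table *t, long (*length_fn)(const table *))
{
    long n = length_fn(t), v;
    for (long i = 0; i < n; i++)
        if (!checked_aref(t, i, &v)) return false;
    return true;
}

int main(void)
{
    table *sub = make_table(SUB_CHAR_TABLE);
    if (!sub) return 1;
    printf("sub-char-table, old length: %ld overrunning reads\n",
           count_overruns(sub, length_before_patch));
    printf("sub-char-table, patched length: %ld overrunning reads\n",
           count_overruns(sub, length_after_patch));
    free_table(sub);
    return 0;
}
```

With the old `length' the scan touches 254 indexes (130 through 383) that lie past the sub-char-table's 130 allocated slots, which is the intermittent crash the report describes; with the patched `length' it touches none. The checked accessor is the other half of the fix the report points at: it makes the invariant hold regardless of what a caller passes, rather than relying on every loop to ask `length' first.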