unofficial mirror of emacs-devel@gnu.org 
* Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected
@ 2013-01-15 10:26 Dmitry Antipov
From: Dmitry Antipov @ 2013-01-15 10:26 UTC (permalink / raw)
  To: Emacs development discussions

Steps to reproduce:

./src/emacs -Q
M-x eval-expression RET (insert-file-contents "/dev/sda")

(assuming /dev/sda is a readable block device).

For trunk, the backtrace is:

#0  0x000000377da0eebb in raise () from /lib64/libpthread.so.0
#1  0x0000000000525d38 in terminate_due_to_signal (sig=sig@entry=11, backtrace_limit=backtrace_limit@entry=40)
     at /home/dima/work/stuff/emacs/trunk/src/emacs.c:342
#2  0x0000000000546188 in handle_fatal_signal (sig=11) at /home/dima/work/stuff/emacs/trunk/src/sysdep.c:1653
#3  deliver_thread_signal (sig=11, handler=<optimized out>) at /home/dima/work/stuff/emacs/trunk/src/sysdep.c:1629
#4  deliver_fatal_thread_signal (sig=11) at /home/dima/work/stuff/emacs/trunk/src/sysdep.c:1665
#5  <signal handler called>
#6  0x00000000004ce56f in char_table_ref (table=..., c=c@entry=4195088) at /home/dima/work/stuff/emacs/trunk/src/chartab.c:234
#7  0x00000000006265bc in composition_compute_stop_pos (cmp_it=0x7fff169924d8, charpos=209, charpos@entry=192, bytepos=216,
     endpos=692, string=..., string@entry=...) at /home/dima/work/stuff/emacs/trunk/src/composite.c:1053
#8  0x000000000062767d in composition_reseat_it (cmp_it=cmp_it@entry=0x7fff169924d8, charpos=192, bytepos=192, endpos=139249,
     w=0x12c0648, face=0x1b8fb10, string=...) at /home/dima/work/stuff/emacs/trunk/src/composite.c:1224
#9  0x0000000000456a68 in next_element_from_buffer (it=0x7fff16991c70) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:8003
#10 0x000000000044b2fa in get_next_display_element (it=it@entry=0x7fff16991c70) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:6623
#11 0x00000000004515eb in display_line (it=it@entry=0x7fff16991c70) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:19437
#12 0x0000000000459f82 in try_window (window=..., window@entry=..., pos=..., flags=flags@entry=1)
     at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:16301
#13 0x00000000004712a3 in redisplay_window (window=..., just_this_one_p=just_this_one_p@entry=0)
     at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:15827
#14 0x0000000000474873 in redisplay_window_0 (window=..., window@entry=...) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:13881
#15 0x00000000005b38bb in internal_condition_case_1 (bfun=bfun@entry=0x474840 <redisplay_window_0>, arg=..., handlers=...,
     hfun=hfun@entry=0x430130 <redisplay_window_error>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1231
#16 0x0000000000437f5e in redisplay_windows (window=...) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:13861
#17 0x0000000000437eea in redisplay_windows (window=...) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:13855
#18 0x000000000045b195 in redisplay_internal () at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:13453
#19 0x000000000045d945 in redisplay () at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:12731
#20 0x0000000000534134 in read_char (commandflag=1, nmaps=nmaps@entry=2, maps=maps@entry=0x7fff16998d00, prev_event=...,
     used_mouse_menu=used_mouse_menu@entry=0x7fff16998e33, end_time=end_time@entry=0x0)
     at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:2428
#21 0x0000000000536cb9 in read_key_sequence (keybuf=keybuf@entry=0x7fff16998f20, prompt=...,
     dont_downcase_last=dont_downcase_last@entry=false, can_return_switch_frame=can_return_switch_frame@entry=true,
     fix_current_buffer=fix_current_buffer@entry=true, bufsize=30) at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:9241
#22 0x0000000000539900 in command_loop_1 () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1460
#23 0x00000000005b3773 in internal_condition_case (bfun=bfun@entry=0x5396c0 <command_loop_1>, handlers=...,
     hfun=hfun@entry=0x52b6a0 <cmd_error>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1193
#24 0x000000000052997e in command_loop_2 (ignore=..., ignore@entry=...) at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1175
#25 0x00000000005b3650 in internal_catch (tag=..., func=func@entry=0x529960 <command_loop_2>, arg=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:964
#26 0x000000000052afb3 in command_loop () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1146
#27 recursive_edit_1 () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:787
#28 0x000000000052b3cc in Frecursive_edit () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:851
#29 0x00000000005b59aa in Ffuncall (nargs=<optimized out>, args=<optimized out>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2672
#30 0x00000000005fc753 in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=4611686018645491712,
     args=0x2, args@entry=0x7fff16999778) at /home/dima/work/stuff/emacs/trunk/src/bytecode.c:898
#31 0x00000000005b5305 in funcall_lambda (fun=..., nargs=nargs@entry=2, arg_vector=arg_vector@entry=0x7fff16999778)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2841
#32 0x00000000005b57ab in Ffuncall (nargs=nargs@entry=3, args=args@entry=0x7fff16999770)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2736
#33 0x00000000005b687e in Fapply (nargs=nargs@entry=2, args=args@entry=0x7fff16999830)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2209
#34 0x00000000005b5c9e in apply1 (fn=..., arg=..., arg@entry=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2443
#35 0x00000000005b5e46 in call_debugger (arg=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:222
#36 0x00000000005b63e6 in maybe_call_debugger (data=..., sig=..., conditions=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:1611
#37 Fsignal (error_symbol=..., data=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1431
#38 0x00000000005b64a9 in xsignal (error_symbol=..., error_symbol@entry=..., data=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:1466
#39 0x00000000005b6dc7 in xsignal1 (error_symbol=..., arg=..., arg@entry=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1481
#40 0x00000000005b6e39 in verror (m=<optimized out>, ap=ap@entry=0x7fff1699a8d8) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1680
#41 0x00000000005b6ecc in error (m=m@entry=0x6fd9d9 "IO error reading %s: %s") at /home/dima/work/stuff/emacs/trunk/src/eval.c:1692
#42 0x00000000005684c3 in Finsert_file_contents (filename=..., visit=..., beg=..., end=..., replace=...)
     at /home/dima/work/stuff/emacs/trunk/src/fileio.c:4329
#43 0x00000000005b4994 in eval_sub (form=..., form@entry=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2054
#44 0x00000000005b73ae in Feval (form=..., lexical=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1902
#45 0x00000000005b598e in Ffuncall (nargs=<optimized out>, args=<optimized out>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2678
#46 0x00000000005fc753 in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=4611686018645491712,
     args=0x2, args@entry=0x7fff169af1a8) at /home/dima/work/stuff/emacs/trunk/src/bytecode.c:898
#47 0x00000000005b5305 in funcall_lambda (fun=..., nargs=nargs@entry=2, arg_vector=arg_vector@entry=0x7fff169af1a8)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2841
#48 0x00000000005b57ab in Ffuncall (nargs=nargs@entry=3, args=args@entry=0x7fff169af1a0)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2736
#49 0x00000000005b687e in Fapply (nargs=nargs@entry=2, args=args@entry=0x7fff169af260)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2209
#50 0x00000000005b5c9e in apply1 (fn=..., arg=..., arg@entry=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2443
#51 0x00000000005b13b4 in Fcall_interactively (function=..., record_flag=..., keys=...)
     at /home/dima/work/stuff/emacs/trunk/src/callint.c:377
#52 0x00000000005b597c in Ffuncall (nargs=nargs@entry=4, args=args@entry=0x7fff169af400)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2682
#53 0x00000000005b5b64 in call3 (fn=..., arg1=..., arg1@entry=..., arg2=..., arg2@entry=..., arg3=..., arg3@entry=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2500
#54 0x0000000000528ab5 in Fcommand_execute (cmd=..., record_flag=..., keys=..., special=...)
     at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:10251
#55 0x0000000000539bbd in command_loop_1 () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1588
#56 0x00000000005b3773 in internal_condition_case (bfun=bfun@entry=0x5396c0 <command_loop_1>, handlers=...,
     hfun=hfun@entry=0x52b6a0 <cmd_error>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1193
#57 0x000000000052997e in command_loop_2 (ignore=..., ignore@entry=...) at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1175
#58 0x00000000005b3650 in internal_catch (tag=..., func=func@entry=0x529960 <command_loop_2>, arg=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:964
#59 0x000000000052b02e in command_loop () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1154
#60 recursive_edit_1 () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:787
#61 0x000000000052b3cc in Frecursive_edit () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:851
#62 0x0000000000417f85 in main (argc=2, argv=<optimized out>) at /home/dima/work/stuff/emacs/trunk/src/emacs.c:1554

For 24.2.92, the backtrace looks nearly the same:

#0  0x000000377da0eebb in raise () from /lib64/libpthread.so.0
#1  0x00000000004deb28 in terminate_due_to_signal (sig=sig@entry=11, backtrace_limit=backtrace_limit@entry=40) at emacs.c:344
#2  0x00000000004f8478 in handle_fatal_signal (sig=11) at sysdep.c:1638
#3  deliver_thread_signal (sig=11, handler=<optimized out>) at sysdep.c:1614
#4  deliver_fatal_thread_signal (sig=11) at sysdep.c:1650
#5  <signal handler called>
#6  0x0000000000499c52 in char_table_ref (table=<optimized out>, c=4195088) at chartab.c:234
#7  0x00000000005ab4c8 in composition_compute_stop_pos (cmp_it=0x7fffc90e0e98, charpos=209, charpos@entry=192, bytepos=216,
     endpos=692, string=string@entry=12079650) at composite.c:1053
#8  0x00000000005ac49d in composition_reseat_it (cmp_it=cmp_it@entry=0x7fffc90e0e98, charpos=192, bytepos=192, endpos=139249,
     w=<optimized out>, face=0xc701b0, string=12079650) at composite.c:1224
#9  0x0000000000446ec8 in next_element_from_buffer (it=0x7fffc90e0630) at xdisp.c:7992
#10 0x000000000043d9e2 in get_next_display_element (it=it@entry=0x7fffc90e0630) at xdisp.c:6612
#11 0x0000000000442dea in display_line (it=it@entry=0x7fffc90e0630) at xdisp.c:19475
#12 0x0000000000449782 in try_window (window=window@entry=18402949, pos=..., flags=flags@entry=1) at xdisp.c:16352
#13 0x000000000045b853 in redisplay_window (window=18402949, just_this_one_p=just_this_one_p@entry=0) at xdisp.c:15878
#14 0x000000000045db03 in redisplay_window_0 (window=window@entry=18402949) at xdisp.c:13933
#15 0x0000000000552a1b in internal_condition_case_1 (bfun=0x45dad0 <redisplay_window_0>, arg=18402949, handlers=12050374,
     hfun=0x42a4b0 <redisplay_window_error>) at eval.c:1327
#16 0x000000000042f91e in redisplay_windows (window=4195088) at xdisp.c:13913
#17 0x000000000042f940 in redisplay_windows (window=4195088) at xdisp.c:13907
#18 0x000000000044a471 in redisplay_internal () at xdisp.c:13492
#19 0x000000000044beb5 in redisplay () at xdisp.c:12692
#20 0x00000000004e9522 in read_char (commandflag=1, nmaps=nmaps@entry=2, maps=maps@entry=0x7fffc90e7650, prev_event=12079650,
     used_mouse_menu=used_mouse_menu@entry=0x7fffc90e7763, end_time=0x0, end_time@entry=0x7fffc90e7650) at keyboard.c:2429
#21 0x00000000004eb8d3 in read_key_sequence (keybuf=keybuf@entry=0x7fffc90e7840, prompt=12079650,
     dont_downcase_last=dont_downcase_last@entry=false, can_return_switch_frame=can_return_switch_frame@entry=true,
     fix_current_buffer=fix_current_buffer@entry=true, bufsize=30) at keyboard.c:9231
#22 0x00000000004ed8ce in command_loop_1 () at keyboard.c:1459
#23 0x00000000005528d3 in internal_condition_case (bfun=bfun@entry=0x4ed6e0 <command_loop_1>, handlers=12131330,
     hfun=hfun@entry=0x4e2f40 <cmd_error>) at eval.c:1289
#24 0x00000000004e16de in command_loop_2 (ignore=ignore@entry=12079650) at keyboard.c:1168
#25 0x00000000005527b0 in internal_catch (tag=202662897254400, func=func@entry=0x4e16c0 <command_loop_2>, arg=12079650)
     at eval.c:1060
#26 0x00000000004e29b3 in command_loop () at keyboard.c:1139
#27 recursive_edit_1 () at keyboard.c:779
#28 0x00000000004e2d45 in Frecursive_edit () at keyboard.c:843
#29 0x000000000055447a in Ffuncall (nargs=<optimized out>, args=<optimized out>) at eval.c:2772
#30 0x00000000005895a3 in exec_byte_code (bytestr=12230933, vector=83, maxdepth=4611686018695757824,
     args_template=4611686018695757824, nargs=4611686018430533632, args=0x400310, args@entry=0x0) at bytecode.c:900
#31 0x0000000000553fc1 in funcall_lambda (fun=17644901, nargs=nargs@entry=2, arg_vector=arg_vector@entry=0x7fffc90e7f98)
     at eval.c:3007
#32 0x00000000005542db in Ffuncall (nargs=nargs@entry=3, args=args@entry=0x7fffc90e7f90) at eval.c:2836
#33 0x00000000005552ad in Fapply (nargs=nargs@entry=2, args=args@entry=0x7fffc90e8040) at eval.c:2309
#34 0x00000000005547c0 in apply1 (fn=12196898, arg=arg@entry=19184070) at eval.c:2543
#35 0x0000000000554976 in call_debugger (arg=19184070) at eval.c:223
#36 0x0000000000554d98 in maybe_call_debugger (data=19184118, sig=12131330, conditions=8596294) at eval.c:1707
#37 Fsignal (error_symbol=error_symbol@entry=12131330, data=19184118) at eval.c:1527
#38 0x0000000000554f59 in xsignal (error_symbol=error_symbol@entry=12131330, data=<optimized out>) at eval.c:1562
#39 0x0000000000555647 in xsignal1 (error_symbol=12131330, arg=arg@entry=14430769) at eval.c:1577
#40 0x00000000005556b9 in verror (m=<optimized out>, ap=ap@entry=0x7fffc90e90e8) at eval.c:1776
#41 0x000000000055574c in error (m=m@entry=0x5e8c03 "IO error reading %s: %s") at eval.c:1788
#42 0x0000000000513b8f in Finsert_file_contents (filename=14436673, visit=12079650, beg=12079650, end=12079650,
     replace=<optimized out>) at fileio.c:3768
#43 0x0000000000553925 in eval_sub (form=form@entry=19187158) at eval.c:2154
#44 0x0000000000555a25 in Feval (form=19187158, lexical=<optimized out>) at eval.c:2005
#45 0x0000000000554461 in Ffuncall (nargs=<optimized out>, args=<optimized out>) at eval.c:2778
#46 0x00000000005895a3 in exec_byte_code (bytestr=12230933, vector=0, maxdepth=4611686018695757824,
     args_template=4611686018695757824, nargs=4611686018430533632, args=0x400310, args@entry=0x0) at bytecode.c:900
#47 0x0000000000553fc1 in funcall_lambda (fun=9492837, nargs=nargs@entry=2, arg_vector=arg_vector@entry=0x7fffc90fd988)
     at eval.c:3007
#48 0x00000000005542db in Ffuncall (nargs=nargs@entry=3, args=args@entry=0x7fffc90fd980) at eval.c:2836
#49 0x00000000005552ad in Fapply (nargs=nargs@entry=2, args=args@entry=0x7fffc90fda30) at eval.c:2309
#50 0x00000000005547c0 in apply1 (fn=fn@entry=15603250, arg=arg@entry=19184406) at eval.c:2543
#51 0x00000000005503ac in Fcall_interactively (function=15603250, record_flag=12079650, keys=12114869) at callint.c:377
#52 0x000000000055444f in Ffuncall (nargs=nargs@entry=4, args=args@entry=0x7fffc90fdbc0) at eval.c:2782
#53 0x0000000000554684 in call3 (fn=<optimized out>, arg1=<optimized out>, arg2=<optimized out>, arg3=<optimized out>) at eval.c:2600
#54 0x00000000004e0c8d in Fcommand_execute (cmd=<optimized out>, record_flag=<optimized out>, keys=<optimized out>,
     special=<optimized out>) at keyboard.c:10241
#55 0x00000000004eda7a in command_loop_1 () at keyboard.c:1587
#56 0x00000000005528d3 in internal_condition_case (bfun=bfun@entry=0x4ed6e0 <command_loop_1>, handlers=12131330,
     hfun=hfun@entry=0x4e2f40 <cmd_error>) at eval.c:1289
#57 0x00000000004e16de in command_loop_2 (ignore=ignore@entry=12079650) at keyboard.c:1168
#58 0x00000000005527b0 in internal_catch (tag=202662897254400, func=func@entry=0x4e16c0 <command_loop_2>, arg=12079650)
     at eval.c:1060
#59 0x00000000004e2a27 in command_loop () at keyboard.c:1147
#60 recursive_edit_1 () at keyboard.c:779
#61 0x00000000004e2d45 in Frecursive_edit () at keyboard.c:843
#62 0x0000000000416f2f in main (argc=2, argv=<optimized out>) at emacs.c:1547

Dmitry




* Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected
@ 2013-01-15 17:03 Eli Zaretskii
From: Eli Zaretskii @ 2013-01-15 17:03 UTC (permalink / raw)
  To: Dmitry Antipov; +Cc: emacs-devel

> Date: Tue, 15 Jan 2013 14:26:08 +0400
> From: Dmitry Antipov <dmantipov@yandex.ru>
> 
> Steps to reproduce:
> 
> ./src/emacs -Q
> M-x eval-expression RET (insert-file-contents "/dev/sda")
> 
> (assuming /dev/sda is a readable block device).

I get "Permission denied" on the block devices that I can find on
machines to which I have access.

But even if that wasn't so, there's no reason to assume that the same
data will be found on every hard disk everywhere in the world.

If you fetch the first 1KB from that device (using dd or whatever) to
a regular file, and do the same with that file, does the crash still
happen?  If so, please post that file.

> #6  0x00000000004ce56f in char_table_ref (table=..., c=c@entry=4195088) at /home/dima/work/stuff/emacs/trunk/src/chartab.c:234
                                                       ^^^^^^^^^^^^^^^^^
This preposterous value is the immediate cause of the crash.  But the
question is: how did we come to that value, thinking it's a
character?  Usually, this is the result of interpreting unibyte data
as multibyte.  We need to establish how that happened in this case.
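The value gdb shows in frame #6 can be checked against the character range the Lisp core expects before anyone reads code.  The program below is an added illustration, not Emacs's chartab.c or character.h: the limits MAX_CHAR (0x3FFFFF), MAX_UNICODE_CHAR (0x10FFFF) and the BYTE8_TO_CHAR mapping of raw bytes to "eight-bit" characters are assumed from Emacs's character.h, and the flat toy table is constructed for the example.  It classifies the crashing value, shows what every byte of unibyte data becomes when it is reinterpreted as multibyte, and contrasts an unchecked table index with a lookup that rejects a non-character instead of dereferencing with it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits, mirroring Emacs's character.h (illustrative, not the
   real header): character codes run 0..MAX_CHAR, Unicode occupies
   0..MAX_UNICODE_CHAR, and raw bytes 0x80..0xFF seen in multibyte text
   are represented as "eight-bit" characters at the top of the range.  */
#define MAX_UNICODE_CHAR 0x10FFFF
#define MAX_CHAR         0x3FFFFF
#define BYTE8_TO_CHAR(b) ((int64_t) (b) + 0x3FFF00)
#define MIN_BYTE8_CHAR   BYTE8_TO_CHAR (0x80)

/* The value gdb printed in frame #6 of the trunk backtrace (c=4195088).  */
#define CRASHING_CHAR 4195088LL

/* What one byte of unibyte data becomes when the data is reinterpreted
   as multibyte: ASCII is unchanged, 0x80..0xFF map to eight-bit chars.
   Every result lies inside 0..MAX_CHAR.  */
int64_t unibyte_to_char (unsigned char b)
{
  return b < 0x80 ? (int64_t) b : BYTE8_TO_CHAR (b);
}

/* Classify a would-be character code.  A reader of a backtrace wants to
   know which of these classes a suspicious value belongs to.  */
const char *classify_char (int64_t c)
{
  if (c < 0 || c > MAX_CHAR)
    return "out-of-range";
  if (c >= MIN_BYTE8_CHAR)
    return "raw-byte";
  if (c <= MAX_UNICODE_CHAR)
    return "unicode";
  return "extended";
}

/* Toy char-table: a flat array for ASCII plus a default for the rest.
   An unchecked lookup would index the array (or, in a real multi-level
   table, walk sub-table pointers) with whatever c it was handed.  */
struct toy_char_table
{
  int ascii[128];
  int defalt;
};

/* Checked lookup: refuse a non-character instead of indexing with it.
   Returns 0 and sets *out on success, -1 when c is not a character.  */
int checked_char_table_ref (const struct toy_char_table *t, int64_t c, int *out)
{
  if (c < 0 || c > MAX_CHAR)
    return -1;                  /* caller gets an error, not SIGSEGV */
  *out = c < 128 ? t->ascii[c] : t->defalt;
  return 0;
}

/* Convenience wrapper: a constructed table where 'A' maps to 1 and every
   other character to 7; -1 means the lookup was rejected.  */
int demo_lookup (int64_t c)
{
  struct toy_char_table t = { { 0 }, 7 };
  int v;
  t.ascii['A'] = 1;
  return checked_char_table_ref (&t, c, &v) == 0 ? v : -1;
}

int main (void)
{
  printf ("%lld (0x%llX) is %s\n", (long long) CRASHING_CHAR,
          (long long) CRASHING_CHAR, classify_char (CRASHING_CHAR));
  printf ("checked lookup of it -> %d\n", demo_lookup (CRASHING_CHAR));
  printf ("byte 0xC3 as multibyte char: 0x%llX (%s)\n",
          (long long) unibyte_to_char (0xC3),
          classify_char (unibyte_to_char (0xC3)));
  printf ("byte 0xFF as multibyte char: 0x%llX (%s)\n",
          (long long) unibyte_to_char (0xFF),
          classify_char (unibyte_to_char (0xFF)));
  return 0;
}
```

Under these assumed limits, 4195088 (0x400310) is above MAX_CHAR, so it is not even a raw-byte character; the checked lookup turns that into an error return, which is the kind of boundary check that converts a wild memory access into a diagnosable report.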




* Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected
@ 2013-01-15 17:37 Dmitry Antipov
From: Dmitry Antipov @ 2013-01-15 17:37 UTC (permalink / raw)
  To: emacs-devel

On 01/15/2013 09:03 PM, Eli Zaretskii wrote:

> I get "Permission denied" on the block devices that I can find on
> machines to which I have access.
>
> But even if that wasn't so, there's no reason to assume that the same
> data will be found on every hard disk everywhere in the world.

I agree that there isn't much sense in reading block devices with
an editor :-). But, for example, /dev/kmsg (which is a character
device on my system) contains pretty readable data:

$ cat /dev/kmsg | head -n 10

6,1598,43074022331,-;cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
6,1599,43074022334,-;cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
6,1600,43074022335,-;cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
6,1601,43074022337,-;cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
6,1602,43074022338,-;cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
6,1603,43074022339,-;cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
6,1604,43074881294,-;wlan0: authenticate with 1c:7e:e5:94:6d:e0
6,1605,43074897510,-;wlan0: send auth to 1c:7e:e5:94:6d:e0 (try 1/3)
6,1606,43074902587,-;wlan0: authenticated
6,1607,43074913679,-;wlan0: associate with 1c:7e:e5:94:6d:e0 (try 1/3)

On 24.2.92, (insert-file-contents "/dev/kmsg") ==>

#0  0x000000377da0eebb in raise () from /lib64/libpthread.so.0
#1  0x0000000000546905 in terminate_due_to_signal (sig=11, backtrace_limit=40) at emacs.c:344
#2  0x000000000056b5f5 in handle_fatal_signal (sig=11) at sysdep.c:1638
#3  0x000000000056b5ca in deliver_thread_signal (sig=11, handler=0x56b5db <handle_fatal_signal>) at sysdep.c:1614
#4  0x000000000056b62b in deliver_fatal_thread_signal (sig=11) at sysdep.c:1650
#5  <signal handler called>
#6  0x0000000000650791 in remove_properties (plist=10701014, list=12882466, i=0x0, object=12909269) at textprop.c:439
#7  0x00000000006535ec in Fremove_text_properties (start=768, end=343928, properties=10701014, object=12909269) at textprop.c:1488
#8  0x00000000005e7379 in Ffuncall (nargs=4, args=0x7fff035a6478) at eval.c:2786
#9  0x000000000062e16a in exec_byte_code (bytestr=10700681, vector=10700717, maxdepth=20, args_template=12882466, nargs=0, args=0x0)
     at bytecode.c:900
#10 0x00000000005e7d01 in funcall_lambda (fun=10700629, nargs=0, arg_vector=0x7fff035a6ac8) at eval.c:3007
#11 0x00000000005e74ec in Ffuncall (nargs=1, args=0x7fff035a6ac0) at eval.c:2824
#12 0x00000000005e62cb in Fapply (nargs=2, args=0x7fff035a6ac0) at eval.c:2252
#13 0x00000000005e71cf in Ffuncall (nargs=3, args=0x7fff035a6ab8) at eval.c:2756
#14 0x000000000062e16a in exec_byte_code (bytestr=10746961, vector=10747013, maxdepth=16, args_template=12882466, nargs=0, args=0x0)
     at bytecode.c:900
#15 0x000000000062d537 in Fbyte_code (bytestr=10746961, vector=10747013, maxdepth=16) at bytecode.c:475
#16 0x00000000005e5e44 in eval_sub (form=10746934) at eval.c:2146
#17 0x00000000005e3f2e in internal_lisp_condition_case (var=12882466, bodyform=10746934, handlers=9519550) at eval.c:1243
#18 0x000000000062f074 in exec_byte_code (bytestr=10746673, vector=10746709, maxdepth=20, args_template=12882466, nargs=0, args=0x0)
     at bytecode.c:1096
#19 0x00000000005e7d01 in funcall_lambda (fun=10746621, nargs=1, arg_vector=0x7fff035a76c8) at eval.c:3007
#20 0x00000000005e74ec in Ffuncall (nargs=2, args=0x7fff035a76c0) at eval.c:2824
#21 0x00000000005e6c89 in call1 (fn=12922594, arg1=19502869) at eval.c:2569
#22 0x0000000000551350 in timer_check_2 (timers=12882466, idle_timers=20036214) at keyboard.c:4387
#23 0x00000000005514a6 in timer_check () at keyboard.c:4454
#24 0x000000000054f238 in readable_events (flags=1) at keyboard.c:3351
#25 0x0000000000555833 in get_input_pending (flags=1) at keyboard.c:6680
#26 0x000000000055cba5 in detect_input_pending_run_timers (do_display=true) at keyboard.c:10273
#27 0x000000000063abc5 in wait_reading_process_output (time_limit=28, nsecs=0, read_kbd=-1, do_display=true, wait_for_cell=12882466,
     wait_proc=0x0, just_wait_proc=0) at process.c:4743
#28 0x0000000000422a3a in sit_for (timeout=112, reading=true, display_option=1) at dispnew.c:5978
#29 0x000000000054d8b0 in read_char (commandflag=1, nmaps=2, maps=0x7fff035a8150, prev_event=12882466,
     used_mouse_menu=0x7fff035a8337, end_time=0x0) at keyboard.c:2669
#30 0x000000000055a734 in read_key_sequence (keybuf=0x7fff035a85b0, bufsize=30, prompt=12882466, dont_downcase_last=false,
     can_return_switch_frame=true, fix_current_buffer=true) at keyboard.c:9231
#31 0x000000000054b146 in command_loop_1 () at keyboard.c:1459
#32 0x00000000005e4098 in internal_condition_case (bfun=0x54ad5f <command_loop_1>, handlers=12934146, hfun=0x54a654 <cmd_error>)
     at eval.c:1289
#33 0x000000000054aa78 in command_loop_2 (ignore=12882466) at keyboard.c:1168
#34 0x00000000005e3a6c in internal_catch (tag=12999426, func=0x54aa52 <command_loop_2>, arg=12882466) at eval.c:1060
#35 0x000000000054a9d9 in command_loop () at keyboard.c:1139
#36 0x000000000054a1a1 in recursive_edit_1 () at keyboard.c:779
#37 0x000000000054a347 in Frecursive_edit () at keyboard.c:843
#38 0x00000000005e72db in Ffuncall (nargs=1, args=0x7fff035a8b38) at eval.c:2772
#39 0x000000000062e16a in exec_byte_code (bytestr=16895857, vector=19539589, maxdepth=108, args_template=12882466, nargs=0, args=0x0)
     at bytecode.c:900
#40 0x00000000005e7d01 in funcall_lambda (fun=19503437, nargs=2, arg_vector=0x7fff035a90d8) at eval.c:3007
#41 0x00000000005e74ec in Ffuncall (nargs=3, args=0x7fff035a90d0) at eval.c:2824
#42 0x00000000005e66d2 in Fapply (nargs=2, args=0x7fff035a91b0) at eval.c:2309
#43 0x00000000005e6c1f in apply1 (fn=12999714, arg=20028742) at eval.c:2543
#44 0x00000000005e2466 in call_debugger (arg=20028742) at eval.c:223
#45 0x00000000005e4da2 in maybe_call_debugger (conditions=9400166, sig=12934146, data=20028822) at eval.c:1707
#46 0x00000000005e486e in Fsignal (error_symbol=12934146, data=20028822) at eval.c:1527
#47 0x00000000005e4986 in xsignal (error_symbol=12934146, data=20028822) at eval.c:1562
#48 0x00000000005e49db in xsignal1 (error_symbol=12934146, arg=41969025) at eval.c:1577
#49 0x00000000005e4fbc in verror (m=0x6ad708 "IO error reading %s: %s", ap=0x7fff035aa348) at eval.c:1776
#50 0x00000000005e505b in error (m=0x6ad708 "IO error reading %s: %s") at eval.c:1788
#51 0x0000000000591898 in Finsert_file_contents (filename=41974721, visit=12882466, beg=12882466, end=12882466, replace=12882466)
     at fileio.c:4188
#52 0x00000000005e5eb1 in eval_sub (form=20031830) at eval.c:2154
#53 0x00000000005e57e6 in Feval (form=20031830, lexical=12882466) at eval.c:2005
#54 0x00000000005e731f in Ffuncall (nargs=3, args=0x7fff035bed48) at eval.c:2778
#55 0x000000000062e16a in exec_byte_code (bytestr=10296817, vector=10296853, maxdepth=20, args_template=12882466, nargs=0, args=0x0)
     at bytecode.c:900
#56 0x00000000005e7d01 in funcall_lambda (fun=10296709, nargs=2, arg_vector=0x7fff035bf238) at eval.c:3007
#57 0x00000000005e74ec in Ffuncall (nargs=3, args=0x7fff035bf230) at eval.c:2824
#58 0x00000000005e66d2 in Fapply (nargs=2, args=0x7fff035bf310) at eval.c:2309
#59 0x00000000005e6c1f in apply1 (fn=16425202, arg=20029078) at eval.c:2543
#60 0x00000000005e0061 in Fcall_interactively (function=16425202, record_flag=12882466, keys=12917685) at callint.c:377
#61 0x00000000005e734a in Ffuncall (nargs=4, args=0x7fff035bf660) at eval.c:2782
#62 0x00000000005e6d33 in call3 (fn=13018882, arg1=16425202, arg2=12882466, arg3=12882466) at eval.c:2600
#63 0x000000000055cb09 in Fcommand_execute (cmd=16425202, record_flag=12882466, keys=12882466, special=12882466) at keyboard.c:10241
#64 0x000000000054b5b2 in command_loop_1 () at keyboard.c:1587
#65 0x00000000005e4098 in internal_condition_case (bfun=0x54ad5f <command_loop_1>, handlers=12934146, hfun=0x54a654 <cmd_error>)
     at eval.c:1289
#66 0x000000000054aa78 in command_loop_2 (ignore=12882466) at keyboard.c:1168
#67 0x00000000005e3a6c in internal_catch (tag=12929986, func=0x54aa52 <command_loop_2>, arg=12882466) at eval.c:1060
#68 0x000000000054aa28 in command_loop () at keyboard.c:1147
#69 0x000000000054a1a1 in recursive_edit_1 () at keyboard.c:779
#70 0x000000000054a347 in Frecursive_edit () at keyboard.c:843
#71 0x00000000005481ca in main (argc=2, argv=0x7fff035bfe08) at emacs.c:1547

(but ./src/emacs -Q /dev/kmsg ==> empty buffer and "File exists, but cannot be read" message).

For trunk with --enable-checking, (insert-file-contents "/dev/kmsg") ==>

/home/dima/work/stuff/emacs/trunk/src/intervals.c:675: Emacs fatal error: assertion failed: relative_position <= TOTAL_LENGTH (tree)
Fatal error 6: Aborted

#0  0x000000377da0eebb in raise () from /lib64/libpthread.so.0
#1  0x0000000000525d38 in terminate_due_to_signal (sig=sig@entry=6, backtrace_limit=backtrace_limit@entry=2147483647)
     at /home/dima/work/stuff/emacs/trunk/src/emacs.c:342
#2  0x0000000000594cb4 in die (msg=<optimized out>, file=<optimized out>, line=<optimized out>)
     at /home/dima/work/stuff/emacs/trunk/src/alloc.c:6558
#3  0x0000000000616e66 in find_interval (tree=0x0, position=252) at /home/dima/work/stuff/emacs/trunk/src/intervals.c:675
#4  0x000000000061d6a1 in Ftext_properties_at (position=..., object=...) at /home/dima/work/stuff/emacs/trunk/src/textprop.c:555
#5  0x000000000061d7ac in Fget_text_property (position=..., position@entry=..., prop=..., prop@entry=..., object=...,
     object@entry=...) at /home/dima/work/stuff/emacs/trunk/src/textprop.c:575
#6  0x000000000061da78 in get_char_property_and_overlay (position=..., prop=..., object=..., overlay=overlay@entry=0x0)
     at /home/dima/work/stuff/emacs/trunk/src/textprop.c:641
#7  0x000000000061de8b in Fget_char_property (position=..., position@entry=..., prop=..., object=..., object@entry=...)
     at /home/dima/work/stuff/emacs/trunk/src/textprop.c:655
#8  0x0000000000443b79 in compute_display_string_pos (position=position@entry=0x7fff93cb9660, string=string@entry=0x7fff93cb9700,
     frame_window_p=frame_window_p@entry=1, disp_prop=disp_prop@entry=0x7fff93cb96e4)
     at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:3533
#9  0x00000000004d1e57 in bidi_fetch_char (bytepos=bytepos@entry=252, charpos=charpos@entry=252,
     disp_pos=disp_pos@entry=0x7fff93cb96f0, disp_prop=disp_prop@entry=0x7fff93cb96e4, string=string@entry=0x7fff93cb9700,
     frame_window_p=frame_window_p@entry=true, ch_len=ch_len@entry=0x7fff93cb96e8, nchars=nchars@entry=0x7fff93cb96f8)
     at /home/dima/work/stuff/emacs/trunk/src/bidi.c:943
#10 0x00000000004d4343 in bidi_level_of_next_char (bidi_it=bidi_it@entry=0x7fff93cbbff8)
     at /home/dima/work/stuff/emacs/trunk/src/bidi.c:2192
#11 0x00000000004d536b in bidi_move_to_visually_next (bidi_it=bidi_it@entry=0x7fff93cbbff8)
     at /home/dima/work/stuff/emacs/trunk/src/bidi.c:2354
#12 0x0000000000448743 in set_iterator_to_next (it=it@entry=0x7fff93cbb650, reseat_p=reseat_p@entry=1)
     at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:7120
#13 0x0000000000451ba7 in display_line (it=it@entry=0x7fff93cbb650) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:19825
#14 0x0000000000459f82 in try_window (window=..., window@entry=..., pos=..., flags=flags@entry=1)
     at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:16301
#15 0x00000000004712a3 in redisplay_window (window=..., just_this_one_p=just_this_one_p@entry=0)
     at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:15827
#16 0x0000000000474873 in redisplay_window_0 (window=..., window@entry=...) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:13881
#17 0x00000000005b38bb in internal_condition_case_1 (bfun=bfun@entry=0x474840 <redisplay_window_0>, arg=..., handlers=...,
     hfun=hfun@entry=0x430130 <redisplay_window_error>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1231
#18 0x0000000000437f5e in redisplay_windows (window=...) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:13861
#19 0x0000000000437eea in redisplay_windows (window=...) at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:13855
#20 0x000000000045b195 in redisplay_internal () at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:13453
#21 0x000000000045d945 in redisplay () at /home/dima/work/stuff/emacs/trunk/src/xdisp.c:12731
#22 0x0000000000534134 in read_char (commandflag=1, nmaps=nmaps@entry=2, maps=maps@entry=0x7fff93cc26e0, prev_event=...,
     used_mouse_menu=used_mouse_menu@entry=0x7fff93cc2813, end_time=end_time@entry=0x0)
     at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:2428
#23 0x0000000000536cb9 in read_key_sequence (keybuf=keybuf@entry=0x7fff93cc2900, prompt=...,
     dont_downcase_last=dont_downcase_last@entry=false, can_return_switch_frame=can_return_switch_frame@entry=true,
     fix_current_buffer=fix_current_buffer@entry=true, bufsize=30) at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:9241
#24 0x0000000000539900 in command_loop_1 () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1460
#25 0x00000000005b3773 in internal_condition_case (bfun=bfun@entry=0x5396c0 <command_loop_1>, handlers=...,
     hfun=hfun@entry=0x52b6a0 <cmd_error>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1193
#26 0x000000000052997e in command_loop_2 (ignore=..., ignore@entry=...) at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1175
#27 0x00000000005b3650 in internal_catch (tag=..., func=func@entry=0x529960 <command_loop_2>, arg=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:964
#28 0x000000000052afb3 in command_loop () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1146
#29 recursive_edit_1 () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:787
#30 0x000000000052b3cc in Frecursive_edit () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:851
#31 0x00000000005b59aa in Ffuncall (nargs=<optimized out>, args=<optimized out>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2672
#32 0x00000000005fc753 in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=4611686018645491712,
     args=0x16, args@entry=0x7fff93cc3158) at /home/dima/work/stuff/emacs/trunk/src/bytecode.c:898
#33 0x00000000005b5305 in funcall_lambda (fun=..., nargs=nargs@entry=2, arg_vector=arg_vector@entry=0x7fff93cc3158)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2841
#34 0x00000000005b57ab in Ffuncall (nargs=nargs@entry=3, args=args@entry=0x7fff93cc3150)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2736
#35 0x00000000005b687e in Fapply (nargs=nargs@entry=2, args=args@entry=0x7fff93cc3210)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2209
#36 0x00000000005b5c9e in apply1 (fn=..., arg=..., arg@entry=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2443
#37 0x00000000005b5e46 in call_debugger (arg=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:222
#38 0x00000000005b63e6 in maybe_call_debugger (data=..., sig=..., conditions=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:1611
#39 Fsignal (error_symbol=..., data=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1431
#40 0x00000000005b64a9 in xsignal (error_symbol=..., error_symbol@entry=..., data=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:1466
#41 0x00000000005b6dc7 in xsignal1 (error_symbol=..., arg=..., arg@entry=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1481
#42 0x00000000005b6e39 in verror (m=<optimized out>, ap=ap@entry=0x7fff93cc42b8) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1680
#43 0x00000000005b6ecc in error (m=m@entry=0x6fd9d9 "IO error reading %s: %s") at /home/dima/work/stuff/emacs/trunk/src/eval.c:1692
#44 0x00000000005684c3 in Finsert_file_contents (filename=..., visit=..., beg=..., end=..., replace=...)
     at /home/dima/work/stuff/emacs/trunk/src/fileio.c:4329
#45 0x00000000005b4994 in eval_sub (form=..., form@entry=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2054
#46 0x00000000005b73ae in Feval (form=..., lexical=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1902
#47 0x00000000005b598e in Ffuncall (nargs=<optimized out>, args=<optimized out>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2678
#48 0x00000000005fc753 in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=4611686018645491712,
     args=0x16, args@entry=0x7fff93cd8b88) at /home/dima/work/stuff/emacs/trunk/src/bytecode.c:898
#49 0x00000000005b5305 in funcall_lambda (fun=..., nargs=nargs@entry=2, arg_vector=arg_vector@entry=0x7fff93cd8b88)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2841
#50 0x00000000005b57ab in Ffuncall (nargs=nargs@entry=3, args=args@entry=0x7fff93cd8b80)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2736
#51 0x00000000005b687e in Fapply (nargs=nargs@entry=2, args=args@entry=0x7fff93cd8c40)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2209
#52 0x00000000005b5c9e in apply1 (fn=..., arg=..., arg@entry=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:2443
#53 0x00000000005b13b4 in Fcall_interactively (function=..., record_flag=..., keys=...)
     at /home/dima/work/stuff/emacs/trunk/src/callint.c:377
#54 0x00000000005b597c in Ffuncall (nargs=nargs@entry=4, args=args@entry=0x7fff93cd8de0)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2682
#55 0x00000000005b5b64 in call3 (fn=..., arg1=..., arg1@entry=..., arg2=..., arg2@entry=..., arg3=..., arg3@entry=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:2500
#56 0x0000000000528ab5 in Fcommand_execute (cmd=..., record_flag=..., keys=..., special=...)
     at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:10251
#57 0x0000000000539bbd in command_loop_1 () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1588
#58 0x00000000005b3773 in internal_condition_case (bfun=bfun@entry=0x5396c0 <command_loop_1>, handlers=...,
     hfun=hfun@entry=0x52b6a0 <cmd_error>) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1193
#59 0x000000000052997e in command_loop_2 (ignore=..., ignore@entry=...) at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1175
#60 0x00000000005b3650 in internal_catch (tag=..., func=func@entry=0x529960 <command_loop_2>, arg=...)
     at /home/dima/work/stuff/emacs/trunk/src/eval.c:964
#61 0x000000000052b02e in command_loop () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:1154
#62 recursive_edit_1 () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:787
#63 0x000000000052b3cc in Frecursive_edit () at /home/dima/work/stuff/emacs/trunk/src/keyboard.c:851
#64 0x0000000000417f85 in main (argc=2, argv=<optimized out>) at /home/dima/work/stuff/emacs/trunk/src/emacs.c:1554

I also saw crashes with heap corruption messages from glibc malloc.

I can save /dev/kmsg to a file and then do insert-file-contents from that file -
it works just fine, both with trunk and 24.2.92.

Dmitry



^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected
  2013-01-15 17:37   ` Dmitry Antipov
@ 2013-01-15 18:19     ` Eli Zaretskii
  2013-01-17 17:12       ` RFC on proposal fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected] Dmitry Antipov
  0 siblings, 1 reply; 13+ messages in thread
From: Eli Zaretskii @ 2013-01-15 18:19 UTC (permalink / raw)
  To: Dmitry Antipov; +Cc: emacs-devel

> Date: Tue, 15 Jan 2013 21:37:44 +0400
> From: Dmitry Antipov <dmantipov@yandex.ru>
> 
> On 24.2.92, (insert-file-contents "/dev/kmsg") ==>
> 
> #0  0x000000377da0eebb in raise () from /lib64/libpthread.so.0
> #1  0x0000000000546905 in terminate_due_to_signal (sig=11, backtrace_limit=40) at emacs.c:344
> #2  0x000000000056b5f5 in handle_fatal_signal (sig=11) at sysdep.c:1638
> #3  0x000000000056b5ca in deliver_thread_signal (sig=11, handler=0x56b5db <handle_fatal_signal>) at sysdep.c:1614
> #4  0x000000000056b62b in deliver_fatal_thread_signal (sig=11) at sysdep.c:1650
> #5  <signal handler called>
> #6  0x0000000000650791 in remove_properties (plist=10701014, list=12882466, i=0x0, object=12909269) at textprop.c:439
> #7  0x00000000006535ec in Fremove_text_properties (start=768, end=343928, properties=10701014, object=12909269) at textprop.c:1488

That seems to be an entirely different crash.  It happened as part of
signaling an error:

> #46 0x00000000005e486e in Fsignal (error_symbol=12934146, data=20028822) at eval.c:1527
> #47 0x00000000005e4986 in xsignal (error_symbol=12934146, data=20028822) at eval.c:1562
> #48 0x00000000005e49db in xsignal1 (error_symbol=12934146, arg=41969025) at eval.c:1577
> #49 0x00000000005e4fbc in verror (m=0x6ad708 "IO error reading %s: %s", ap=0x7fff035aa348) at eval.c:1776
> #50 0x00000000005e505b in error (m=0x6ad708 "IO error reading %s: %s") at eval.c:1788
> #51 0x0000000000591898 in Finsert_file_contents (filename=41974721, visit=12882466, beg=12882466, end=12882466, replace=12882466)
>      at fileio.c:4188

> (but ./src/emacs -Q /dev/kmsg ==> empty buffer and "File exists, but cannot be read" message).
> 
> For trunk with --enable-checking, (insert-file-contents "/dev/kmsg") ==>
> 
> /home/dima/work/stuff/emacs/trunk/src/intervals.c:675: Emacs fatal error: assertion failed: relative_position <= TOTAL_LENGTH (tree)
> Fatal error 6: Aborted
> 
> #0  0x000000377da0eebb in raise () from /lib64/libpthread.so.0
> #1  0x0000000000525d38 in terminate_due_to_signal (sig=sig@entry=6, backtrace_limit=backtrace_limit@entry=2147483647)
>      at /home/dima/work/stuff/emacs/trunk/src/emacs.c:342
> #2  0x0000000000594cb4 in die (msg=<optimized out>, file=<optimized out>, line=<optimized out>)
>      at /home/dima/work/stuff/emacs/trunk/src/alloc.c:6558
> #3  0x0000000000616e66 in find_interval (tree=0x0, position=252) at /home/dima/work/stuff/emacs/trunk/src/intervals.c:675
> #4  0x000000000061d6a1 in Ftext_properties_at (position=..., object=...) at /home/dima/work/stuff/emacs/trunk/src/textprop.c:555
> #5  0x000000000061d7ac in Fget_text_property (position=..., position@entry=..., prop=..., prop@entry=..., object=...,
>      object@entry=...) at /home/dima/work/stuff/emacs/trunk/src/textprop.c:575
> #6  0x000000000061da78 in get_char_property_and_overlay (position=..., prop=..., object=..., overlay=overlay@entry=0x0)
>      at /home/dima/work/stuff/emacs/trunk/src/textprop.c:641
> #7  0x000000000061de8b in Fget_char_property (position=..., position@entry=..., prop=..., object=..., object@entry=...)

Again, looks like a crash related to intervals, after signaling an error:

> #40 0x00000000005b64a9 in xsignal (error_symbol=..., error_symbol@entry=..., data=...)
>      at /home/dima/work/stuff/emacs/trunk/src/eval.c:1466
> #41 0x00000000005b6dc7 in xsignal1 (error_symbol=..., arg=..., arg@entry=...) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1481
> #42 0x00000000005b6e39 in verror (m=<optimized out>, ap=ap@entry=0x7fff93cc42b8) at /home/dima/work/stuff/emacs/trunk/src/eval.c:1680
> #43 0x00000000005b6ecc in error (m=m@entry=0x6fd9d9 "IO error reading %s: %s") at /home/dima/work/stuff/emacs/trunk/src/eval.c:1692
> #44 0x00000000005684c3 in Finsert_file_contents (filename=..., visit=..., beg=..., end=..., replace=...)
>      at /home/dima/work/stuff/emacs/trunk/src/fileio.c:4329

> I also saw crashes with heap corruption messages from glibc malloc.

Maybe we have some memory corruption problem which happens when we try
reading devices.

> I can save /dev/kmsg to a file and then do insert-file-contents from that file -
> it works just fine, both with trunk and 24.2.92.

So the problem likely is triggered by non-regular files.




* RFC on proposal fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
From: Dmitry Antipov @ 2013-01-17 17:12 UTC (permalink / raw)
  To: emacs-devel; +Cc: Eli Zaretskii

[-- Attachment #1: Type: text/plain, Size: 250 bytes --]

This is what I'm testing now. I'm trying to a) read _everything_ with
internal_condition_case_1 to avoid the C-g mess, b) have a consistent buffer
text state after each successful read, and c) always decode all read
data to avoid the redisplay crash.

Dmitry


[-- Attachment #2: insert_file_contents.patch --]
[-- Type: text/plain, Size: 7100 bytes --]

=== modified file 'src/fileio.c'
--- src/fileio.c	2013-01-17 06:29:40 +0000
+++ src/fileio.c	2013-01-17 16:54:32 +0000
@@ -3408,13 +3408,13 @@
   return Qnil;
 }
 
-/* Read from a non-regular file.  STATE is a Lisp_Save_Value
+/* Check quit and read from file.  STATE is a Lisp_Save_Value
    object where slot 0 is the file descriptor, slot 1 specifies
    an offset to put the read bytes, and slot 2 is the maximum
    amount of bytes to read.  Value is the number of bytes read.  */
 
 static Lisp_Object
-read_non_regular (Lisp_Object state)
+read_contents (Lisp_Object state)
 {
   int nbytes;
 
@@ -3425,15 +3425,15 @@
 			+ XSAVE_INTEGER (state, 1)),
 		       XSAVE_INTEGER (state, 2));
   immediate_quit = 0;
+  /* Fast recycle this object for the likely next call.  */
+  free_misc (state);
   return make_number (nbytes);
 }
 
-
-/* Condition-case handler used when reading from non-regular files
-   in insert-file-contents.  */
+/* Condition-case handler used when reading files in insert-file-contents.  */
 
 static Lisp_Object
-read_non_regular_quit (Lisp_Object ignore)
+read_contents_quit (Lisp_Object ignore)
 {
   return Qnil;
 }
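Review bot: the `free_misc (state)` added to read_contents frees an object its caller still references, and it is skipped on exactly the path this function exists for. When C-g arrives during emacs_read with immediate_quit set, the quit longjmps out before the free runs, so the "fast recycle" only happens on ordinary reads, and on those reads internal_condition_case_1 returns with its `arg` still pointing at a freed Lisp_Save_Value. Either leave the save value to GC, or free it in Finsert_file_contents after internal_condition_case_1 has returned, where the lifetime is visible.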
@@ -3506,7 +3506,7 @@
   Lisp_Object p;
   ptrdiff_t total = 0;
   bool not_regular = 0;
-  int save_errno = 0;
+  int save_errno = 0, read_errno = 0;
   char read_buf[READ_BUF_SIZE];
   struct coding_system coding;
   char buffer[1 << 14];
@@ -4213,88 +4213,71 @@
 			   Fcons (orig_filename, Qnil));
     }
 
-  /* In the following loop, HOW_MUCH contains the total bytes read so
-     far for a regular file, and not changed for a special file.  But,
-     before exiting the loop, it is set to a negative value if I/O
-     error occurs.  */
+  /* In the following loop, HOW_MUCH contains the total bytes read
+     so far for a regular file, and not changed for a special file.  */
   how_much = 0;
 
   /* Total bytes inserted.  */
   inserted = 0;
 
-  /* Here, we don't do code conversion in the loop.  It is done by
-     decode_coding_gap after all data are read into the buffer.  */
-  {
-    ptrdiff_t gap_size = GAP_SIZE;
-
-    while (how_much < total)
-      {
-	/* try is reserved in some compilers (Microsoft C) */
-	ptrdiff_t trytry = min (total - how_much, READ_BUF_SIZE);
-	ptrdiff_t this;
-
-	if (not_regular)
-	  {
-	    Lisp_Object nbytes;
-
-	    /* Maybe make more room.  */
-	    if (gap_size < trytry)
-	      {
-		make_gap (total - gap_size);
-		gap_size = GAP_SIZE;
-	      }
-
-	    /* Read from the file, capturing `quit'.  When an
-	       error occurs, end the loop, and arrange for a quit
-	       to be signaled after decoding the text we read.  */
-	    nbytes = internal_condition_case_1
-	      (read_non_regular,
-	       make_save_value ("iii", (ptrdiff_t) fd, inserted, trytry),
-	       Qerror, read_non_regular_quit);
-
-	    if (NILP (nbytes))
-	      {
-		read_quit = 1;
-		break;
-	      }
-
-	    this = XINT (nbytes);
-	  }
-	else
-	  {
-	    /* Allow quitting out of the actual I/O.  We don't make text
-	       part of the buffer until all the reading is done, so a C-g
-	       here doesn't do any harm.  */
-	    immediate_quit = 1;
-	    QUIT;
-	    this = emacs_read (fd,
-			       ((char *) BEG_ADDR + PT_BYTE - BEG_BYTE
-				+ inserted),
-			       trytry);
-	    immediate_quit = 0;
-	  }
-
-	if (this <= 0)
-	  {
-	    how_much = this;
-	    break;
-	  }
-
-	gap_size -= this;
-
-	/* For a regular file, where TOTAL is the real size,
-	   count HOW_MUCH to compare with it.
-	   For a special file, where TOTAL is just a buffer size,
-	   so don't bother counting in HOW_MUCH.
-	   (INSERTED is where we count the number of characters inserted.)  */
-	if (! not_regular)
-	  how_much += this;
-	inserted += this;
-      }
-  }
-
-  /* Now we have read all the file data into the gap.
-     If it was empty, undo marking the buffer modified.  */
+  /* Here we don't do code conversion in the loop.  It is done by
+     decode_coding_gap after all data are read into the buffer, or
+     read is interrupted due to quit or I/O error.  */
+  while (how_much < total)
+    {
+      ptrdiff_t nread, maxread = min (total - how_much, READ_BUF_SIZE);
+      Lisp_Object result;
+
+      /* For a special file, gap is enlarged as we read,
+	 so GAP_SIZE should be checked every time.  */
+      if (not_regular && (GAP_SIZE < maxread))
+	make_gap (maxread - GAP_SIZE);
+
+      /* Read from the file, capturing `quit'.  */
+      result = internal_condition_case_1
+	(read_contents,
+	 make_save_value ("iii", (ptrdiff_t) fd, inserted, maxread),
+	 Qerror, read_contents_quit);
+      if (NILP (result))
+	{
+	  /* Quit was signaled.  End the loop and arrange
+	     real quit after decoding the text we read.  */
+	  read_quit = 1;
+	  break;
+	}
+      nread = XINT (result);
+      if (nread <= 0)
+	{
+	  /* End of file or I/O error.  End the loop and
+	     save error code in case of I/O error.  */
+	  if (nread < 0)
+	    read_errno = errno;
+	  break;
+	}
+
+      /* Adjust gap and end positions.  */
+      GAP_SIZE -= nread;
+      GPT += nread;
+      ZV += nread;
+      Z += nread;
+      GPT_BYTE += nread;
+      ZV_BYTE += nread;
+      Z_BYTE += nread;
+      if (GAP_SIZE > 0)
+	*(GPT_ADDR) = 0;
+
+      /* For a regular file, where TOTAL is the real size, count HOW_MUCH to
+	 compare with it.  For a special file, where TOTAL is just a buffer
+	 size, don't bother counting in HOW_MUCH, but always accumulate the
+	 number of bytes read in INSERTED.  */
+      if (! not_regular)
+	how_much += nread;
+      inserted += nread;
+    }
+
+  /* Now we have either read all the file data into the gap,
+     or stop reading on I/O error or quit.  If nothing was
+     read, undo marking the buffer modified.  */
 
   if (inserted == 0)
     {
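Review bot: `read_errno = errno` is taken only after internal_condition_case_1 has returned through read_contents, free_misc and make_number, so anything on that return path that touches errno masks the original code; capture errno inside read_contents immediately after emacs_read (for instance in a slot of the save value, or by returning both values) rather than reading it here. A second point on the same hunk: advancing GAP_SIZE, GPT, ZV and Z after every chunk makes raw, undecoded bytes buffer text while the loop is still running. That is what goal (b) asks for, but any Lisp that runs between chunks (a debugger entered via debug-on-signal, followed by the redisplay of a recursive edit, which is the path in the first backtrace of this thread) then sees undecoded text, the situation point 2 of the RFC is trying to avoid. Keeping the bytes in the gap until the loop exits and committing once avoids that, provided the `inserted` accounting is kept exact.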
@@ -4307,28 +4290,11 @@
   else
     Vdeactivate_mark = Qt;
 
-  /* Make the text read part of the buffer.  */
-  GAP_SIZE -= inserted;
-  GPT      += inserted;
-  GPT_BYTE += inserted;
-  ZV       += inserted;
-  ZV_BYTE  += inserted;
-  Z        += inserted;
-  Z_BYTE   += inserted;
-
-  if (GAP_SIZE > 0)
-    /* Put an anchor to ensure multi-byte form ends at gap.  */
-    *GPT_ADDR = 0;
-
   emacs_close (fd);
 
   /* Discard the unwind protect for closing the file.  */
   specpdl_ptr--;
 
-  if (how_much < 0)
-    error ("IO error reading %s: %s",
-	   SDATA (orig_filename), emacs_strerror (errno));
-
  notfound:
 
   if (NILP (coding_system))
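Review bot: with the `if (how_much < 0) error (...)` removed here, control now reaches `notfound:` and the decoding code with inserted > 0 even when the read failed, so an I/O error leaves partially read, decoded text in the buffer, with the buffer marked modified and the mark deactivated (the `else Vdeactivate_mark = Qt;` branch above has already run). The old code left undecoded bytes there, which was the crash, but neither version restores the buffer; either delete the partial text (restore Z, ZV and GAP_SIZE) before the deferred error fires, or say in the insert-file-contents docstring that a partial read stays in the buffer after an I/O error.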
@@ -4617,14 +4583,18 @@
       report_file_error ("Opening input file", Fcons (orig_filename, Qnil));
     }
 
+  /* There was an error reading file.  */
+  if (read_errno)
+    error ("IO error reading %s: %s",
+	   SDATA (orig_filename), emacs_strerror (read_errno));
+
+  /* Quit was signaled.  */
   if (read_quit)
     Fsignal (Qquit, Qnil);
 
-  /* ??? Retval needs to be dealt with in all cases consistently.  */
+  /* Otherwise make the consistent return value.  */
   if (NILP (val))
-    val = Fcons (orig_filename,
-		 Fcons (make_number (inserted),
-			Qnil));
+    val = list2 (orig_filename, make_number (inserted));
 
   RETURN_UNGCPRO (unbind_to (count, val));
 }
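Review bot: `error ("IO error reading %s: %s", ...)` signals a plain `error` with a formatted string, whereas the open failure a few lines up uses report_file_error, which signals `file-error` with the file name and the strerror text as data. Now that the read error is raised here with read_errno in hand, this is the moment to switch to report_file_error (with errno restored from read_errno) so callers can condition-case on file-error uniformly. It is also worth a comment that read_quit and read_errno are mutually exclusive (the loop breaks before `nread` is examined when a quit is caught), so nobody later reorders the two checks expecting both to be set.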



* Re: RFC on proposal fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
From: Eli Zaretskii @ 2013-01-17 17:50 UTC (permalink / raw)
  To: Dmitry Antipov; +Cc: emacs-devel

> Date: Thu, 17 Jan 2013 21:12:22 +0400
> From: Dmitry Antipov <dmantipov@yandex.ru>
> CC: Eli Zaretskii <eliz@gnu.org>
> 
> This is what I'm testing now. I'm trying to a) read _everything_ with
> internal_condition_case_1 to avoid the C-g mess, b) have a consistent buffer
> text state after each successful read, and c) always decode all read
> data to avoid the redisplay crash.

Can you tell which problems you found in the original code that these
changes are supposed to fix?




* Re: RFC on proposal fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
From: Dmitry Antipov @ 2013-01-17 18:12 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: emacs-devel

On 01/17/2013 09:50 PM, Eli Zaretskii wrote:

> Can you tell which problems you found in the original code that these
> changes are supposed to fix?

1) Original code does emacs_read to ((char *) BEG_ADDR + PT_BYTE - BEG_BYTE + offset)
    without adjusting gap size, z and zv; this (IIUC) fools make_gap and so
    enlarge_buffer_text; we end up with a gap which is smaller than expected,
    read_non_regular does emacs_read into the buffer beyond the allocated buffer text,
    which finally causes EFAULT from emacs_read or heap corruption.

2) Original code throws an I/O error too early, without decoding the data possibly
    read before. When the not-yet-decoded part of the buffer text is displayed, redisplay
    is likely to crash.

Dmitry





* Re: RFC on proposal fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
From: Dmitry Antipov @ 2013-01-18  5:11 UTC (permalink / raw)
  To: emacs-devel; +Cc: Eli Zaretskii

On 01/17/2013 10:12 PM, Dmitry Antipov wrote:

> On 01/17/2013 09:50 PM, Eli Zaretskii wrote:
>
>> Can you tell which problems you found in the original code that these
>> changes are supposed to fix?
>
> 1) Original code does emacs_read to ((char *) BEG_ADDR + PT_BYTE - BEG_BYTE + offset)
>     without adjusting gap size, z and zv; this (IIUC) fools make_gap and so
>     enlarge_buffer_text; we end up with a gap which is smaller than expected,
>     read_non_regular does emacs_read into the buffer beyond the allocated buffer text,
>     which finally causes EFAULT from emacs_read or heap corruption.

This is diagnosed with valgrind 3.8.1 as:

24.2.92, valgrind --tool=memcheck ./src/temacs -Q, (insert-file-contents "/dev/sda") ==>

==6807== Syscall param read(buf) points to unaddressable byte(s)
==6807==    at 0x377DA0E090: __read_nocancel (syscall-template.S:82)
==6807==    by 0x56BC87: emacs_read (sysdep.c:2189)
==6807==    by 0x58F20F: read_non_regular (fileio.c:3283)
==6807==    by 0x5E4212: internal_condition_case_1 (eval.c:1327)
==6807==    by 0x59157D: Finsert_file_contents (fileio.c:4111)
==6807==    by 0x5E5EB0: eval_sub (eval.c:2154)
==6807==    by 0x5E57E5: Feval (eval.c:2005)
==6807==    by 0x5E731E: Ffuncall (eval.c:2778)
==6807==    by 0x62E169: exec_byte_code (bytecode.c:900)
==6807==    by 0x5E7D00: funcall_lambda (eval.c:3007)
==6807==    by 0x5E74EB: Ffuncall (eval.c:2824)
==6807==    by 0x5E66D1: Fapply (eval.c:2309)
==6807==  Address 0x1f7a2f10 is 0 bytes after a block of size 133,264 alloc'd
==6807==    at 0x4A08A0E: realloc (vg_replace_malloc.c:662)
==6807==    by 0x5C180D: xrealloc (alloc.c:708)
==6807==    by 0x579A97: enlarge_buffer_text (buffer.c:5073)
==6807==    by 0x57D5F2: make_gap_larger (insdel.c:401)
==6807==    by 0x57DAC8: make_gap (insdel.c:497)
==6807==    by 0x591524: Finsert_file_contents (fileio.c:4101)
==6807==    by 0x5E5EB0: eval_sub (eval.c:2154)
==6807==    by 0x5E57E5: Feval (eval.c:2005)
==6807==    by 0x5E731E: Ffuncall (eval.c:2778)
==6807==    by 0x62E169: exec_byte_code (bytecode.c:900)
==6807==    by 0x5E7D00: funcall_lambda (eval.c:3007)
==6807==    by 0x5E74EB: Ffuncall (eval.c:2824)
==6807==

valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

Bzr trunk 111545, valgrind --tool=memcheck ./src/temacs -Q, (insert-file-contents "/dev/sda") ==>

==6993== Syscall param read(buf) points to unaddressable byte(s)
==6993==    at 0x377DA0E090: __read_nocancel (syscall-template.S:82)
==6993==    by 0x547C35: emacs_read (unistd.h:45)
==6993==    by 0x563DBE: read_non_regular (fileio.c:3423)
==6993==    by 0x5B38AA: internal_condition_case_1 (eval.c:1231)
==6993==    by 0x567BBE: Finsert_file_contents (fileio.c:4250)
==6993==    by 0x5B4993: eval_sub (eval.c:2054)
==6993==    by 0x5B73AD: Feval (eval.c:1902)
==6993==    by 0x5B598D: Ffuncall (eval.c:2678)
==6993==    by 0x5FC782: exec_byte_code (bytecode.c:898)
==6993==    by 0x5B5304: funcall_lambda (eval.c:2841)
==6993==    by 0x5B57AA: Ffuncall (eval.c:2736)
==6993==    by 0x5B687D: Fapply (eval.c:2209)
==6993==  Address 0x1f806890 is 0 bytes after a block of size 133,264 alloc'd
==6993==    at 0x4A08A0E: realloc (vg_replace_malloc.c:662)
==6993==    by 0x594F91: xrealloc (alloc.c:696)
==6993==    by 0x55636C: enlarge_buffer_text (buffer.c:5052)
==6993==    by 0x5595D7: make_gap (insdel.c:393)
==6993==    by 0x567C82: Finsert_file_contents (fileio.c:4243)
==6993==    by 0x5B4993: eval_sub (eval.c:2054)
==6993==    by 0x5B73AD: Feval (eval.c:1902)
==6993==    by 0x5B598D: Ffuncall (eval.c:2678)
==6993==    by 0x5FC782: exec_byte_code (bytecode.c:898)
==6993==    by 0x5B5304: funcall_lambda (eval.c:2841)
==6993==    by 0x5B57AA: Ffuncall (eval.c:2736)
==6993==    by 0x5B687D: Fapply (eval.c:2209)
==6993==

valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

Dmitry




* Re: RFC on proposal fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
From: Eli Zaretskii @ 2013-01-18 19:34 UTC (permalink / raw)
  To: Dmitry Antipov; +Cc: emacs-devel

> Date: Thu, 17 Jan 2013 22:12:24 +0400
> From: Dmitry Antipov <dmantipov@yandex.ru>
> Cc: emacs-devel@gnu.org
> 
> On 01/17/2013 09:50 PM, Eli Zaretskii wrote:
> 
> > Can you tell which problems you found in the original code that these
> > changes are supposed to fix?
> 
> 1) Original code does emacs_read to ((char *) BEG_ADDR + PT_BYTE - BEG_BYTE + offset)
>     without adjusting gap size, z and zv; this (IIUC) fools make_gap and so
>     enlarge_buffer_text; we end up with a gap which is smaller than expected,
>     read_non_regular does emacs_read into the buffer beyond the allocated buffer text,
>     which finally causes EFAULT from emacs_read or heap corruption.

I'm not sure I see how the gap size fails to be updated.  There's a
call to make_gap just before read_non_regular is called.  Or did you
mean GAP_SIZE?  If the latter, then the comments there explain why
this is not done.

> 2) Original code throws an I/O error too early, without decoding the data possibly
>     read before. When the not-yet-decoded part of the buffer text is displayed, redisplay
>     is likely to crash.

But until GAP_SIZE and ZV are updated, the inserted text is not
really part of the buffer, right?  So what is the problem here?




* 24.2.92 fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
From: Dmitry Antipov @ 2013-01-21  8:55 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Chong Yidong, Emacs development discussions

[-- Attachment #1: Type: text/plain, Size: 2005 bytes --]

On 01/18/2013 11:34 PM, Eli Zaretskii wrote:

> I'm not sure I see how the gap size fails to be updated.  There's a
> call to make_gap just before read_non_regular is called.  Or did you
> mean GAP_SIZE?  If the latter, then the comments there explain why
> this is not done.

Argh. We fool ourselves with gap_size (src/fileio.c, 24.2.92):

   4098              /* Maybe make more room.  */
   4099              if (gap_size < trytry)
   4100                {
   4101                  make_gap (total - gap_size);
   4102                  gap_size = GAP_SIZE;           /* !!! here */
   4103                }

After that, the local gap_size (i.e. the number of bytes which may be used to
read the next chunk from the file) is GAP_SIZE - inserted, not GAP_SIZE.

> But until GAP_SIZE and ZV are updated, the inserted text is not
> really part of the buffer, right?  So what is the problem here?

Here is the original code (src/fileio.c, 24.2.92):

   4169    /* Make the text read part of the buffer.  */
   4170    GAP_SIZE -= inserted;
   4171    GPT      += inserted;
   4172    GPT_BYTE += inserted;
   4173    ZV       += inserted;
   4174    ZV_BYTE  += inserted;
   4175    Z        += inserted;
   4176    Z_BYTE   += inserted;
   4177                                                                    /* !!! `inserted' bytes becomes "really inserted" */
   4178    if (GAP_SIZE > 0)
   4179      /* Put an anchor to ensure multi-byte form ends at gap.  */
   4180      *GPT_ADDR = 0;
   4181
   4182    emacs_close (fd);
   4183
   4184    /* Discard the unwind protect for closing the file.  */
   4185    specpdl_ptr--;
   4186
   4187    if (how_much < 0)
   4188      error ("IO error reading %s: %s",                             /* error leaves `inserted' bytes not decoded !!! */
   4189             SDATA (orig_filename), emacs_strerror (errno));

Attached is the fix for 24.2.92, and I believe that this is important
for the next pretest. For trunk, I'll revert 111547 and do a similar fix.

Dmitry


[-- Attachment #2: insert_file_contents.patch --]
[-- Type: text/plain, Size: 2381 bytes --]

diff -x '*.o' -ur ../.orig-emacs-24.2.92/src/ChangeLog src/ChangeLog
--- ../.orig-emacs-24.2.92/src/ChangeLog	2013-01-05 23:06:21.000000000 +0400
+++ src/ChangeLog	2013-01-21 12:48:58.244932711 +0400
@@ -1,3 +1,13 @@
+2013-01-21  Dmitry Antipov  <dmantipov@yandex.ru>
+
+	Fix crash when inserting data from non-regular files.  See
+	http://lists.gnu.org/archive/html/emacs-devel/2013-01/msg00406.html
+	for the error description produced by valgrind.
+	* fileio.c (Finsert_file_contents): Adjust gap_size correctly.
+	Do not signal an I/O error too early and so do not leave not yet
+	decoded characters in a buffer, which was the reason of redisplay
+	crash.  Adjust comment.
+
 2013-01-05  Eli Zaretskii  <eliz@gnu.org>
 
 	* xdisp.c (dump_glyph): Align glyph data better.  Use "pD" instead
diff -x '*.o' -ur ../.orig-emacs-24.2.92/src/fileio.c src/fileio.c
--- ../.orig-emacs-24.2.92/src/fileio.c	2013-01-02 00:37:17.000000000 +0400
+++ src/fileio.c	2013-01-21 12:31:51.405273880 +0400
@@ -4098,8 +4098,8 @@
 	    /* Maybe make more room.  */
 	    if (gap_size < trytry)
 	      {
-		make_gap (total - gap_size);
-		gap_size = GAP_SIZE;
+		make_gap (trytry - gap_size);
+		gap_size = GAP_SIZE - inserted;
 	      }
 
 	    /* Read from the file, capturing `quit'.  When an
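Review bot: `gap_size = GAP_SIZE - inserted` is the fix, but the loop still trusts a local mirror of the gap; recomputing it from GAP_SIZE and inserted at the top of every iteration, or adding `eassert (inserted + trytry <= GAP_SIZE)` immediately before the read, would have caught this bug and will catch the next one. `make_gap (trytry - gap_size)` also asks for exactly one chunk's shortfall, so reading a large device reallocates the whole buffer text once per READ_BUF_SIZE chunk, plus only whatever slack make_gap adds on its own; requesting a larger step amortizes that.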
@@ -4152,8 +4152,9 @@
       }
   }
 
-  /* Now we have read all the file data into the gap.
-     If it was empty, undo marking the buffer modified.  */
+  /* Now we have either read all the file data into the gap,
+     or stop reading on I/O error or quit.  If nothing was
+     read, undo marking the buffer modified.  */
 
   if (inserted == 0)
     {
@@ -4166,6 +4167,15 @@
   else
     Vdeactivate_mark = Qt;
 
+  emacs_close (fd);
+
+  /* Discard the unwind protect for closing the file.  */
+  specpdl_ptr--;
+
+  if (how_much < 0)
+    error ("IO error reading %s: %s",
+	   SDATA (orig_filename), emacs_strerror (errno));
+
   /* Make the text read part of the buffer.  */
   GAP_SIZE -= inserted;
   GPT      += inserted;
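Review bot: errno is read by `emacs_strerror (errno)` only after `emacs_close (fd)`, and close can fail and overwrite errno, so the message can describe the close rather than the read; save errno where how_much goes negative in the loop and format that. Moving the check above the commit is the right fix for the undecoded-text crash, but on this path inserted > 0, so the `else Vdeactivate_mark = Qt;` branch above has already run and the `inserted == 0` cleanup (unlocking the file, restoring Vdeactivate_mark) is skipped even though no text is added; checking how_much before that block, or treating an I/O error like inserted == 0, keeps the buffer state consistent with its contents.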
@@ -4179,15 +4189,6 @@
     /* Put an anchor to ensure multi-byte form ends at gap.  */
     *GPT_ADDR = 0;
 
-  emacs_close (fd);
-
-  /* Discard the unwind protect for closing the file.  */
-  specpdl_ptr--;
-
-  if (how_much < 0)
-    error ("IO error reading %s: %s",
-	   SDATA (orig_filename), emacs_strerror (errno));
-
  notfound:
 
   if (NILP (coding_system))

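The two defects described in this thread (the local gap_size mirror that forgets `inserted`, and the I/O error signaled after the bytes become buffer text but before they are decoded) can be reproduced in a small model without Emacs. The block below is an added example, not code from Emacs or from this thread: a gap buffer reduced to the fields the loop touches, a constructed in-memory device, and the read loop run once with the original bookkeeping and once with the 24.2.92 fix. The GAP_BYTES_DFL slack, the device behaviour and the buffer starting empty with point at the end are assumptions. Under them the original accounting issues its third 16 KiB read past the end of the heap block, which is the read(buf) complaint valgrind printed above, while the fixed mirror stays exact and an I/O error leaves nothing undecoded in the text.

```c
/* Added example, not Emacs code: a reduced model of the read loop in
   Finsert_file_contents (src/fileio.c, Emacs 24.2.92) reproducing the two
   defects described above and the 24.2.92 fix.  The device is a constructed
   in-memory stream; GAP_BYTES_DFL is an assumed stand-in for the slack
   make_gap adds on its own.  Build: cc -std=c99 -Wall -o gap_model gap_model.c */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define READ_BUF_SIZE 16384   /* per-read chunk size, as in fileio.c */
#define GAP_BYTES_DFL 2000    /* assumed extra slack added by make_gap */

/* Buffer text as one heap block: Z_BYTE bytes of text followed by GAP_SIZE
   bytes of gap (point is at the end, so the gap follows the text). */
struct buf { char *text; size_t z_byte, gap_size; };

static void make_gap (struct buf *b, size_t nbytes_added)
{
  nbytes_added += GAP_BYTES_DFL;
  char *p = realloc (b->text, b->z_byte + b->gap_size + nbytes_added);
  if (!p) abort ();
  b->text = p;
  b->gap_size += nbytes_added;
}

/* Constructed device: LEN bytes of 'x'.  read returns -1 (I/O error) once
   FAIL_AFTER bytes have been delivered; FAIL_AFTER == 0 means never fail. */
struct dev { size_t len, pos, fail_after; };

static long dev_read (struct dev *d, char *dst, size_t n)
{
  if (d->fail_after && d->pos >= d->fail_after) return -1;
  if (n > d->len - d->pos) n = d->len - d->pos;
  memset (dst, 'x', n);
  d->pos += n;
  return (long) n;
}

struct result {
  bool overflow, io_error;            /* overflow: a read was issued past the block */
  size_t inserted, undecoded_in_text; /* bytes fetched; bytes made text undecoded */
};

static struct result insert_from_device (struct dev *d, bool fixed)
{
  struct result r = { 0 }; struct buf b = { 0 };
  long how_much = 0; size_t inserted = 0;
  make_gap (&b, READ_BUF_SIZE);       /* the pre-loop make_gap (total) */
  size_t gap_size = b.gap_size;       /* local mirror used by the loop */
  for (;;)
    {
      size_t trytry = READ_BUF_SIZE;  /* == total for a special file */
      if (gap_size < trytry)
        {
          make_gap (&b, trytry - gap_size);
          /* Bug: the mirror ignores the INSERTED bytes already occupying the
             front of the gap.  Fix: subtract them. */
          gap_size = fixed ? b.gap_size - inserted : b.gap_size;
        }
      /* Emacs reads at GPT_ADDR + inserted; bounds-check that request against
         the block instead of letting it corrupt the heap. */
      size_t offset = b.z_byte + inserted, alloc = b.z_byte + b.gap_size;
      if (offset + trytry > alloc)
        { r.overflow = true; trytry = alloc - offset; }  /* valgrind's complaint */
      long n = dev_read (d, b.text + offset, trytry);
      if (n <= 0) { how_much = n; break; }
      gap_size -= (size_t) n;
      inserted += (size_t) n;
    }
  if (fixed && how_much < 0)
    r.io_error = true;                /* fix: signal before committing text */
  else
    {
      b.gap_size -= inserted;         /* "Make the text read part of the buffer" */
      b.z_byte += inserted;
      if (how_much < 0)               /* original: error after commit, before decode */
        { r.io_error = true; r.undecoded_in_text = inserted; }
      /* otherwise decode_coding_gap would now decode the committed bytes */
    }
  r.inserted = inserted;
  free (b.text);
  return r;
}

/* Scenario runner: a LEN-byte device that fails after FAIL_AFTER bytes. */
static struct result run (size_t len, size_t fail_after, bool fixed)
{
  struct dev d = { len, 0, fail_after };
  return insert_from_device (&d, fixed);
}

int main (void)
{
  struct result bad = run (100000, 0, false), good = run (100000, 0, true);
  printf ("original: overflow=%d inserted=%zu\n", bad.overflow, bad.inserted);
  printf ("fixed:    overflow=%d inserted=%zu\n", good.overflow, good.inserted);
  bad = run (100000, 16384, false); good = run (100000, 16384, true);
  printf ("I/O error, undecoded bytes left as text: original=%zu fixed=%zu\n", bad.undecoded_in_text, good.undecoded_in_text);
  return 0;
}
```

The `offset + trytry > alloc` check is the assertion the real loop lacked; an `eassert (inserted + trytry <= GAP_SIZE)` before emacs_read would have turned the silent heap corruption into a clean abort with a backtrace pointing at the accounting, instead of a crash later in redisplay or inside malloc.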

* Re: 24.2.92 fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
From: Glenn Morris @ 2013-01-22  1:54 UTC (permalink / raw)
  To: Dmitry Antipov; +Cc: Eli Zaretskii, Chong Yidong, Emacs development discussions

Dmitry Antipov wrote:

> Attached is the fix for 24.2.92, and I believe that this is important
> for the next pretest. 

Sorry, I missed the context.
What problem is this fixing?
How is it triggered?
What version of Emacs did the problem first appear in?
How safe do you think the fix is?




* Re: 24.2.92 fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
  2013-01-22  1:54                 ` Glenn Morris
@ 2013-01-22  4:48                   ` Dmitry Antipov
  2013-01-22  7:16                     ` Stefan Monnier
  0 siblings, 1 reply; 13+ messages in thread
From: Dmitry Antipov @ 2013-01-22  4:48 UTC (permalink / raw)
  To: Glenn Morris; +Cc: Eli Zaretskii, Chong Yidong, Emacs development discussions

On 01/22/2013 05:54 AM, Glenn Morris wrote:

> Sorry, I missed the context.
> What problem is this fixing?

Crash caused by insert-file-contents from non-regular file
(http://lists.gnu.org/archive/html/emacs-devel/2013-01/msg00324.html
and below in thread).

> How is it triggered?

On GNU/Linux, (insert-file-contents "XXX") where XXX is a character
or block device file (/dev/kmsg, /dev/sda, whatever else).

> What version of Emacs did the problem first appear in?

I found it in both 24.2.92 and trunk bzr 111532, and suspect
a long-standing bug from 2001 or so.

> How safe do you think the fix is?

I did quite representative testing against a few character and
block devices found on my system, and the crash is gone. So I
consider it good enough until proved otherwise :-).

Dmitry



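Dmitry's answer above pins the trigger on reading a file that is not a regular file, where the size reported by stat is not a usable basis for sizing the read. The following is an added example, not code from this thread or from Emacs, of the defensive pattern the fix moves toward: treat st_size as a hint only for regular files, grow the buffer by what the next read needs while subtracting the bytes already stored, and preserve the read's errno across cleanup. The names `read_fd_fully` and `CHUNK` are chosen here.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define CHUNK 16   /* deliberately small so short inputs exercise the growth path */

/* Read all of FD into a malloc'd buffer without trusting st_size.
   Returns the byte count, or -1 with errno set and nothing allocated.  */
ssize_t read_fd_fully (int fd, char **out)
{
  struct stat st;
  size_t cap = CHUNK, inserted = 0;
  /* st_size is a usable hint only for regular files; for devices, pipes and
     sockets it is meaningless (often 0), so the buffer is sized from the
     reads themselves, as the patch does by growing by `trytry', not `total'.  */
  if (fstat (fd, &st) == 0 && S_ISREG (st.st_mode) && st.st_size > 0)
    cap = (size_t) st.st_size + 1;          /* +1: room for the EOF read */
  char *buf = malloc (cap);
  if (!buf)
    return -1;
  for (;;)
    {
      /* Free room is capacity minus what is already stored (the analogue of
         GAP_SIZE - inserted); grow by a chunk when the next read won't fit.  */
      if (cap - inserted < CHUNK)
        {
          char *nb = realloc (buf, cap + CHUNK);
          if (!nb) { int e = errno; free (buf); errno = e; return -1; }
          buf = nb;
          cap += CHUNK;
        }
      ssize_t n = read (fd, buf + inserted, cap - inserted);
      if (n == 0)
        break;                              /* EOF */
      if (n < 0 && errno == EINTR)
        continue;
      if (n < 0)
        {
          int e = errno;  /* save errno before cleanup calls can clobber it */
          free (buf);
          errno = e;
          return -1;
        }
      inserted += (size_t) n;
    }
  *out = buf;
  return (ssize_t) inserted;
}
```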

* Re: 24.2.92 fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
  2013-01-22  4:48                   ` Dmitry Antipov
@ 2013-01-22  7:16                     ` Stefan Monnier
  0 siblings, 0 replies; 13+ messages in thread
From: Stefan Monnier @ 2013-01-22  7:16 UTC (permalink / raw)
  To: Dmitry Antipov; +Cc: Eli Zaretskii, Chong Yidong, Emacs development discussions

>> What version of Emacs did the problem first appear in?
> I found it in both 24.2.92 and trunk bzr 111532, and suspect
> a long-standing bug from 2001 or so.

So there's no hurry, fixing it in trunk is sufficient.


        Stefan





Thread overview: 13+ messages
2013-01-15 10:26 Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected Dmitry Antipov
2013-01-15 17:03 ` Eli Zaretskii
2013-01-15 17:37   ` Dmitry Antipov
2013-01-15 18:19     ` Eli Zaretskii
2013-01-17 17:12       ` RFC on proposal fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected] Dmitry Antipov
2013-01-17 17:50         ` Eli Zaretskii
2013-01-17 18:12           ` Dmitry Antipov
2013-01-18  5:11             ` Dmitry Antipov
2013-01-18 19:34             ` Eli Zaretskii
2013-01-21  8:55               ` 24.2.92 " Dmitry Antipov
2013-01-22  1:54                 ` Glenn Morris
2013-01-22  4:48                   ` Dmitry Antipov
2013-01-22  7:16                     ` Stefan Monnier
