From: Dmitry Antipov
Newsgroups: gmane.emacs.devel
Subject: Re: RFC on proposal fix [Re: Crash caused by insert-file-contents, both trunk (bzr 111532) and 24.2.92 affected]
Date: Fri, 18 Jan 2013 09:11:58 +0400
Message-ID: <50F8D99E.8020503@yandex.ru>
References: <50F52EC0.2030309@yandex.ru> <8338y2qsyi.fsf@gnu.org> <50F593E8.2030105@yandex.ru> <83vcay8g2n.fsf@gnu.org> <50F830F6.1070805@yandex.ru> <83pq137l6o.fsf@gnu.org> <50F83F08.1060709@yandex.ru>
In-Reply-To: <50F83F08.1060709@yandex.ru>
To: emacs-devel@gnu.org
Cc: Eli Zaretskii
Xref: news.gmane.org gmane.emacs.devel:156459

On 01/17/2013 10:12 PM, Dmitry Antipov wrote:
> On 01/17/2013 09:50 PM, Eli Zaretskii wrote:
>
>> Can you tell which problems you found in the original code that these
>> changes are supposed to fix?
>
> 1) Original code does emacs_read to ((char *) BEG_ADDR + PT_BYTE - BEG_BYTE + offset
> without adjusting gap size, z and zv; this (IIUC) fools make_gap and so
> enlarge_buffer_text; we end up with the gap which is less than expected,
> read_non_regular does emacs_read into the buffer beyond allocated buffer text,
> which finally causes EFAULT from emacs_read or heap corruption.

This is diagnosed with valgrind 3.8.1 as:

24.2.92, valgrind --tool=memcheck ./src/temacs -Q, (insert-file-contents "/dev/sda") ==>

==6807== Syscall param read(buf) points to unaddressable byte(s)
==6807==    at 0x377DA0E090: __read_nocancel (syscall-template.S:82)
==6807==    by 0x56BC87: emacs_read (sysdep.c:2189)
==6807==    by 0x58F20F: read_non_regular (fileio.c:3283)
==6807==    by 0x5E4212: internal_condition_case_1 (eval.c:1327)
==6807==    by 0x59157D: Finsert_file_contents (fileio.c:4111)
==6807==    by 0x5E5EB0: eval_sub (eval.c:2154)
==6807==    by 0x5E57E5: Feval (eval.c:2005)
==6807==    by 0x5E731E: Ffuncall (eval.c:2778)
==6807==    by 0x62E169: exec_byte_code (bytecode.c:900)
==6807==    by 0x5E7D00: funcall_lambda (eval.c:3007)
==6807==    by 0x5E74EB: Ffuncall (eval.c:2824)
==6807==    by 0x5E66D1: Fapply (eval.c:2309)
==6807==  Address 0x1f7a2f10 is 0 bytes after a block of size 133,264 alloc'd
==6807==    at 0x4A08A0E: realloc (vg_replace_malloc.c:662)
==6807==    by 0x5C180D: xrealloc (alloc.c:708)
==6807==    by 0x579A97: enlarge_buffer_text (buffer.c:5073)
==6807==    by 0x57D5F2: make_gap_larger (insdel.c:401)
==6807==    by 0x57DAC8: make_gap (insdel.c:497)
==6807==    by 0x591524: Finsert_file_contents (fileio.c:4101)
==6807==    by 0x5E5EB0: eval_sub (eval.c:2154)
==6807==    by 0x5E57E5: Feval (eval.c:2005)
==6807==    by 0x5E731E: Ffuncall (eval.c:2778)
==6807==    by 0x62E169: exec_byte_code (bytecode.c:900)
==6807==    by 0x5E7D00: funcall_lambda (eval.c:3007)
==6807==    by 0x5E74EB: Ffuncall (eval.c:2824)

valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any invalid writes
reported by Memcheck, this assertion failure will probably go away. Please try
that before reporting this as a bug.

Bzr trunk 111545, valgrind --tool=memcheck ./src/temacs -Q, (insert-file-contents "/dev/sda") ==>

==6993== Syscall param read(buf) points to unaddressable byte(s)
==6993==    at 0x377DA0E090: __read_nocancel (syscall-template.S:82)
==6993==    by 0x547C35: emacs_read (unistd.h:45)
==6993==    by 0x563DBE: read_non_regular (fileio.c:3423)
==6993==    by 0x5B38AA: internal_condition_case_1 (eval.c:1231)
==6993==    by 0x567BBE: Finsert_file_contents (fileio.c:4250)
==6993==    by 0x5B4993: eval_sub (eval.c:2054)
==6993==    by 0x5B73AD: Feval (eval.c:1902)
==6993==    by 0x5B598D: Ffuncall (eval.c:2678)
==6993==    by 0x5FC782: exec_byte_code (bytecode.c:898)
==6993==    by 0x5B5304: funcall_lambda (eval.c:2841)
==6993==    by 0x5B57AA: Ffuncall (eval.c:2736)
==6993==    by 0x5B687D: Fapply (eval.c:2209)
==6993==  Address 0x1f806890 is 0 bytes after a block of size 133,264 alloc'd
==6993==    at 0x4A08A0E: realloc (vg_replace_malloc.c:662)
==6993==    by 0x594F91: xrealloc (alloc.c:696)
==6993==    by 0x55636C: enlarge_buffer_text (buffer.c:5052)
==6993==    by 0x5595D7: make_gap (insdel.c:393)
==6993==    by 0x567C82: Finsert_file_contents (fileio.c:4243)
==6993==    by 0x5B4993: eval_sub (eval.c:2054)
==6993==    by 0x5B73AD: Feval (eval.c:1902)
==6993==    by 0x5B598D: Ffuncall (eval.c:2678)
==6993==    by 0x5FC782: exec_byte_code (bytecode.c:898)
==6993==    by 0x5B5304: funcall_lambda (eval.c:2841)
==6993==    by 0x5B57AA: Ffuncall (eval.c:2736)
==6993==    by 0x5B687D: Fapply (eval.c:2209)

valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any invalid writes
reported by Memcheck, this assertion failure will probably go away. Please try
that before reporting this as a bug.

Dmitry
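An added illustration, not part of this message and not Emacs's own code: a toy gap buffer in C that models the bookkeeping defect described above. Its make_gap, like the real one, grows the allocation only when the tracked gap is smaller than what the caller asks for; a reader that places chunks at gap_start + offset without consuming the gap leaves that bookkeeping stale, so make_gap stops growing the buffer and later chunks would land past the allocation (the "0 bytes after a block" condition in the Valgrind traces). The corrected reader advances the gap as data arrives. All names, sizes and the empty-buffer scenario are constructed for the example; z and zv are not modelled, and out-of-bounds writes are counted rather than performed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed gap-buffer model (not Emacs's buffer code): text lives in
   [0, gap_start) and [gap_end, alloc); the free gap is [gap_start, gap_end). */
typedef struct {
    char *data;
    size_t alloc;      /* bytes allocated for data */
    size_t gap_start;  /* first byte of the gap */
    size_t gap_end;    /* one past the last byte of the gap */
} gapbuf;

static void gapbuf_init(gapbuf *b, const char *before, size_t gap, const char *after) {
    size_t nb = strlen(before), na = strlen(after);
    b->alloc = nb + gap + na;
    b->data = malloc(b->alloc ? b->alloc : 1);
    if (!b->data) abort();
    memcpy(b->data, before, nb);
    b->gap_start = nb;
    b->gap_end = nb + gap;
    memcpy(b->data + b->gap_end, after, na);
}

static void gapbuf_free(gapbuf *b) { free(b->data); b->data = NULL; }

static size_t gap_size(const gapbuf *b) { return b->gap_end - b->gap_start; }

/* Stand-in for make_gap: grows the allocation only when the *tracked* gap is
   smaller than `needed`; it cannot know about bytes already dumped into the
   gap by a caller that never updated gap_start. */
static void make_gap(gapbuf *b, size_t needed) {
    if (gap_size(b) >= needed) return;
    size_t grow = needed - gap_size(b);
    size_t tail = b->alloc - b->gap_end;       /* text after the gap */
    char *p = realloc(b->data, b->alloc + grow);
    if (!p) abort();
    b->data = p;
    memmove(b->data + b->gap_end + grow, b->data + b->gap_end, tail);
    b->gap_end += grow;
    b->alloc += grow;
}

/* The condition Memcheck reports as "points to unaddressable byte(s)":
   would a write of n bytes at pos leave the allocation? */
static bool write_in_bounds(const gapbuf *b, size_t pos, size_t n) {
    return pos <= b->alloc && n <= b->alloc - pos;
}

/* Defective reader: chunks go to gap_start + offset, but offset grows while
   gap_start/gap_end stay put, so after the first chunk make_gap still sees a
   full gap and never enlarges the buffer. Returns how many chunks would have
   written past the allocation (those writes are skipped, not performed). */
static int read_chunks_unadjusted(gapbuf *b, size_t chunk, int nchunks) {
    int bad = 0;
    size_t offset = 0;
    for (int i = 0; i < nchunks; i++) {
        make_gap(b, chunk);
        size_t pos = b->gap_start + offset;
        if (write_in_bounds(b, pos, chunk))
            memset(b->data + pos, 'x', chunk);
        else
            bad++;                       /* the real code overran the heap here */
        offset += chunk;
    }
    return bad;
}

/* Corrected reader: consume the gap as each chunk lands, so the bookkeeping
   make_gap relies on stays truthful and the buffer grows when it must. */
static int read_chunks_adjusted(gapbuf *b, size_t chunk, int nchunks) {
    int bad = 0;
    for (int i = 0; i < nchunks; i++) {
        make_gap(b, chunk);
        size_t pos = b->gap_start;
        if (write_in_bounds(b, pos, chunk))
            memset(b->data + pos, 'x', chunk);
        else
            bad++;
        b->gap_start += chunk;           /* gap shrinks; next make_gap sees it */
    }
    return bad;
}

/* Copy the logical text (everything except the gap) into out; returns its length. */
static size_t gapbuf_contents(const gapbuf *b, char *out, size_t outsz) {
    size_t head = b->gap_start, tail = b->alloc - b->gap_end;
    if (head + tail + 1 > outsz) return 0;
    memcpy(out, b->data, head);
    memcpy(out + head, b->data + b->gap_end, tail);
    out[head + tail] = '\0';
    return head + tail;
}

int main(void) {
    gapbuf b;
    gapbuf_init(&b, "", 8, "");          /* empty buffer with an 8-byte gap */
    printf("unadjusted: %d bad writes\n", read_chunks_unadjusted(&b, 8, 4));
    gapbuf_free(&b);
    gapbuf_init(&b, "", 8, "");
    printf("adjusted:   %d bad writes\n", read_chunks_adjusted(&b, 8, 4));
    gapbuf_free(&b);
    return 0;
}
```

With four 8-byte chunks into an empty 8-byte gap, the unadjusted reader gets room for the first chunk only and the remaining three would overrun the allocation; the adjusted reader grows the buffer to 32 bytes and never writes out of bounds. The same invariant is what the real fix has to restore before make_gap is consulted: the gap size (and z/zv) must already reflect every byte placed in the buffer.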