From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail 
From: Stefan Monnier Newsgroups: gmane.emacs.devel Subject: Re: allocate_string_data memory corruption Date: Sun, 22 Jan 2006 11:45:24 -0500 Message-ID: <87u0bw6wwz.fsf-monnier+emacs@gnu.org> References: <87vewha2zl.fsf@stupidchicken.com> <87zmlq6w62.fsf-monnier+emacs@gnu.org> NNTP-Posting-Host: main.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: sea.gmane.org 1137957092 22017 80.91.229.2 (22 Jan 2006 19:11:32 GMT) X-Complaints-To: usenet@sea.gmane.org NNTP-Posting-Date: Sun, 22 Jan 2006 19:11:32 +0000 (UTC) Cc: cyd@stupidchicken.com, emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sun Jan 22 20:11:31 2006 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([199.232.76.165]) by ciao.gmane.org with esmtp (Exim 4.43) id 1F0kcV-0001Ys-JM for ged-emacs-devel@m.gmane.org; Sun, 22 Jan 2006 20:11:24 +0100 Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1F0kf6-0001TR-Ib for ged-emacs-devel@m.gmane.org; Sun, 22 Jan 2006 14:14:04 -0500 Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1F0iOC-0008H2-DH for emacs-devel@gnu.org; Sun, 22 Jan 2006 11:48:29 -0500 Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1F0iO2-0008GS-35 for emacs-devel@gnu.org; Sun, 22 Jan 2006 11:48:20 -0500 Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1F0iNv-0008GE-KV for emacs-devel@gnu.org; Sun, 22 Jan 2006 11:48:13 -0500 Original-Received: from [209.226.175.54] (helo=tomts10-srv.bellnexxia.net) by monty-python.gnu.org with esmtp (Exim 4.34) id 1F0iSS-00066Y-RJ; Sun, 22 Jan 2006 11:52:53 -0500 Original-Received: from alfajor ([67.71.115.65]) by tomts10-srv.bellnexxia.net (InterMail vM.5.01.06.13 201-253-122-130-113-20050324) with ESMTP id 
<20060122164525.NLHP14963.tomts10-srv.bellnexxia.net@alfajor>; Sun, 22 Jan 2006 11:45:25 -0500 Original-Received: by alfajor (Postfix, from userid 1000) id E0DDCD73B3; Sun, 22 Jan 2006 11:45:24 -0500 (EST) Original-To: rms@gnu.org In-Reply-To: <87zmlq6w62.fsf-monnier+emacs@gnu.org> (Stefan Monnier's message of "Fri, 20 Jan 2006 23:48:30 -0500") User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (gnu/linux) X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:49399 Archived-At: >> Maybe eassert(!handling_signal) should be added to allocate_string >> (and maybe it will catch the current bug). >> It seems worth a try. > There's actually one candidate: > #1 0x081dd84a in die (msg=0x8319288 "assertion failed: !handling_signal", > file=0x8318980 "alloc.c", line=2744) at alloc.c:6210 > #2 0x081e0f25 in Fcons (car=141994859, cdr=140190650) at alloc.c:2744 > #3 0x08130686 in x_catch_errors (dpy=0x8808db8) at xterm.c:7462 > #4 0x0813bb08 in x_real_positions (f=0x88c2518, xptr=0x47, yptr=0x47) > at xfns.c:580 > #5 0x08133d09 in handle_one_xevent (dpyinfo=0x8814cf0, eventp=0xbfffdbfc, > finish=0xbfffdc88, hold_quit=0xbfffecbc) at xterm.c:5871 > #6 0x081376bb in XTread_socket (sd=0, expected=1, hold_quit=0xbfffecbc) > at xterm.c:6981 > #7 0x08174b69 in read_avail_input (expected=1) at keyboard.c:6703 > #8 0x08174d2a in handle_async_input () at keyboard.c:6855 > if you look at x_catch_errors, you'll see that it allocates one lisp_cons > cell, one lisp_string and one lisp_misc. Whether it's the cause of the > bugs we see, I don't know, but since it's run from the signal handler, it > can be executed at potentially any time. 
The patch below should remove this particular problem. Stefan --- xterm.c 20 jan 2006 21:48:47 -0500 1.891 +++ xterm.c 22 jan 2006 11:36:08 -0500 @@ -1,6 +1,6 @@ /* X Communication module for terminals which understand the X protocol. Copyright (C) 1989, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, - 2002, 2003, 2004, 2005 Free Software Foundation, Inc. + 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. This file is part of GNU Emacs. @@ -7458,7 +7458,12 @@ /* If non-nil, this should be a string. It means catch X errors and store the error message in this string. */ -static Lisp_Object x_error_message_string; +struct x_error_message_stack { + char string[X_ERROR_MESSAGE_SIZE]; + Display *dpy; + struct x_error_message_stack *prev; +}; +static struct x_error_message_stack *x_error_message; /* An X error handler which stores the error message in x_error_message_string. This is called from x_error_handler if @@ -7470,7 +7475,7 @@ XErrorEvent *error; { XGetErrorText (display, error->error_code, - SDATA (x_error_message_string), + x_error_message->string, X_ERROR_MESSAGE_SIZE); } @@ -7495,16 +7500,23 @@ Display *dpy; { int count = SPECPDL_INDEX (); + struct x_error_message_stack *data = malloc (sizeof (*data)); + Lisp_Object dummy; +#ifdef ENABLE_CHECKING + dummy = make_number ((EMACS_INT)dpy + (EMACS_INT)x_error_message); +#else + dummy = Qnil +#endif /* Make sure any errors from previous requests have been dealt with. */ XSync (dpy, False); - record_unwind_protect (x_catch_errors_unwind, - Fcons (make_save_value (dpy, 0), - x_error_message_string)); + data->dpy = dpy; + data->string[0] = 0; + data->prev = x_error_message; + x_error_message = data; - x_error_message_string = make_uninit_string (X_ERROR_MESSAGE_SIZE); - SSET (x_error_message_string, 0, 0); + record_unwind_protect (x_catch_errors_unwind, dummy); return count; } 
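Review bot: The comment kept above the new declaration still reads "If non-nil, this should be a string", and the comment before x_error_catcher still names x_error_message_string, but the variable is now a pointer to a malloc'd chain of `struct x_error_message_stack` entries. I would replace the first with `/* Stack of active x_catch_errors frames; NULL means X errors are not being caught. Entries are malloc'd C structs, so pushing one allocates no Lisp data. */` and update the second to say the text goes into `x_error_message->string`. It would also help to note on the struct that `string` is a fixed X_ERROR_MESSAGE_SIZE buffer and that the same constant is the length bound given to XGetErrorText.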
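Review bot: The result of `malloc (sizeof (*data))` in x_catch_errors is never checked, so an allocation failure becomes a NULL write at `data->dpy = dpy;`. Use the checked allocator, `struct x_error_message_stack *data = xmalloc (sizeof (*data));`, or test for NULL before the first store. The `#else` branch also has `dummy = Qnil` with no terminating semicolon, so a build without ENABLE_CHECKING will not compile; it should read `dummy = Qnil;`. The thread says this function can run from the input signal handler, so whether the C allocator may safely be entered there needs confirming; nothing in the hunk shows input being blocked around the allocation.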
@@ -7512,11 +7524,11 @@ /* Unbind the binding that we made to check for X errors. */ static Lisp_Object -x_catch_errors_unwind (old_val) - Lisp_Object old_val; +x_catch_errors_unwind (dummy) + Lisp_Object dummy; { - Lisp_Object first = XCAR (old_val); - Display *dpy = XSAVE_VALUE (first)->pointer; + Display *dpy = x_error_message->dpy; + struct x_error_message_stack *tmp; /* The display may have been closed before this function is called. Check if it is still open before calling XSync. */ @@ -7527,7 +7539,12 @@ UNBLOCK_INPUT; } - x_error_message_string = XCDR (old_val); + tmp = x_error_message; + x_error_message = x_error_message->prev; + free (tmp); + + eassert (dummy == make_number ((EMACS_INT)dpy + (EMACS_INT)x_error_message)); + return Qnil; } @@ -7543,8 +7560,8 @@ /* Make sure to catch any errors incurred so far. */ XSync (dpy, False); - if (SREF (x_error_message_string, 0)) - error (format, SDATA (x_error_message_string)); + if (x_error_message->string[0]) + error (format, x_error_message->string); } /* Nonzero if we had any X protocol errors @@ -7557,7 +7574,7 @@ /* Make sure to catch any errors incurred so far. */ XSync (dpy, False); - return SREF (x_error_message_string, 0) != 0; + return x_error_message->string[0] != 0; } /* Forget about any errors we have had, since we did x_catch_errors on DPY. */ @@ -7566,7 +7583,7 @@ x_clear_errors (dpy) Display *dpy; { - SSET (x_error_message_string, 0, 0); + x_error_message->string[0] = 0; } /* Stop catching X protocol errors and let them make Emacs die. @@ -7748,7 +7765,7 @@ Display *display; XErrorEvent *error; { - if (! NILP (x_error_message_string)) + if (x_error_message) x_error_catcher (display, error); else x_error_quitter (display, error); @@ -10818,8 +10835,7 @@ void syms_of_xterm () { - staticpro (&x_error_message_string); - x_error_message_string = Qnil; + x_error_message = NULL; staticpro (&x_display_name_list); x_display_name_list = Qnil;
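Review bot: x_catch_errors_unwind reads `x_error_message->dpy` and pops the top entry without checking that the stack is non-empty, and its only consistency check is the `eassert` on `dummy`, which is Qnil (and the assertion presumably compiled out) unless ENABLE_CHECKING is defined. An unbalanced unwind would therefore dereference NULL or silently free another caller's entry. I would declare `Display *dpy;` without an initializer, then start the body with `if (x_error_message == NULL) abort ();` followed by `dpy = x_error_message->dpy;`, and add a comment that the argument is only a checking token, not the saved state. The middle of the function lies between this hunk and the next one (@@ -7527) and is not fully visible.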
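Review bot: x_check_errors, x_had_errors_p (@@ -7557) and x_clear_errors (@@ -7566) dereference `x_error_message` unconditionally and ignore their `dpy` argument, although each stack entry now records the display it was pushed for. A call made outside an x_catch_errors frame is a NULL dereference, and a call for a different display than the top entry reads that other frame's message. In checking builds, `eassert (x_error_message && x_error_message->dpy == dpy);` at the top of each would catch both cases. In x_check_errors the buffer passed to `error` belongs to an entry that the unwind handler frees; presumably `error` copies the text before the non-local exit, but a comment confirming that would help the next reader.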