unofficial mirror of emacs-devel@gnu.org 
* Problem report #64
From: Dan Nicolaescu @ 2006-04-09  7:00 UTC

ERROR
CID: 64
Checker: USE_AFTER_FREE (help)
File: emacs/src/fileio.c
Function: Finsert_file_contents
Description: Using freed pointer "conversion_buffer"

Event freed_arg: Pointer "conversion_buffer" freed by function "xfree" [model]
Also see events: [use_after_free][double_free][double_free][use_after_free]

4326 		  xfree (conversion_buffer);
4327 		  coding_free_composition_data (&coding);

At conditional (1): "how_much == -1" taking false path

4328 		  if (how_much == -1)
4329 		    error ("IO error reading %s: %s",
4330 			   SDATA (orig_filename), emacs_strerror (errno));

At conditional (2): "how_much == -2" taking false path

4331 		  else if (how_much == -2)
4332 		    error ("maximum buffer size exceeded");
4333 		}
4334 	
4335 	      /* Compare the beginning of the converted file
4336 		 with the buffer text.  */
4337 	
4338 	      bufpos = 0;

Event use_after_free: Using freed pointer "conversion_buffer"
Also see events: [freed_arg][use_after_free][double_free][double_free]
At conditional (3): "bufpos < inserted" taking true path
At conditional (4): "same_at_start < same_at_end" taking false path

4339 	      while (bufpos < inserted && same_at_start < same_at_end
4340 		     && FETCH_BYTE (same_at_start) == conversion_buffer[bufpos])
4341 		same_at_start++, bufpos++;
4342 	
4343 	      /* If the file matches the buffer completely,
4344 		 there's no need to replace anything.  */
4345 	

At conditional (5): "bufpos == inserted" taking false path

4346 	      if (bufpos == inserted)
4347 		{

Event double_free: Double free of pointer "conversion_buffer" in call to "xfree" [model]
Also see events: [freed_arg][use_after_free][double_free][use_after_free]

4348 		  xfree (conversion_buffer);
4349 		  coding_free_composition_data (&coding);
4350 		  emacs_close (fd);
4351 		  specpdl_ptr--;
4352 		  /* Truncate the buffer to the size of the file.  */
4353 		  del_range_byte (same_at_start, same_at_end, 0);
4354 		  inserted = 0;
4355 		  goto handled;
4356 		}
4357 	
4358 	      /* Extend the start of non-matching text area to multibyte
4359 		 character boundary.  */

At conditional (6): "(current_buffer)->enable_multibyte_characters != Qnil" taking true path

4360 	      if (! NILP (current_buffer->enable_multibyte_characters))

At conditional (7): "same_at_start > (current_buffer)->begv_byte" taking true path
At conditional (8): "same_at_start >= ((current_buffer)->text)->gpt_byte" taking true path
At conditional (9): "*((((current_buffer)->text)->beg + (((same_at_start >= ((current_buffer)->text)->gpt_byte) ? ((current_buffer)->text)->gap_size : (0)) + same_at_start)) - 1) >= 160" taking true path
At conditional (10): "same_at_start > (current_buffer)->begv_byte" taking true path
At conditional (11): "same_at_start >= ((current_buffer)->text)->gpt_byte" taking true path
At conditional (12): "*((((current_buffer)->text)->beg + (((same_at_start >= ((current_buffer)->text)->gpt_byte) ? ((current_buffer)->text)->gap_size : (0)) + same_at_start)) - 1) >= 160" taking false path

4361 		while (same_at_start > BEGV_BYTE
4362 		       && ! CHAR_HEAD_P (FETCH_BYTE (same_at_start)))
4363 		  same_at_start--;
4364 	
4365 	      /* Scan this bufferful from the end, comparing with
4366 		 the Emacs buffer.  */
4367 	      bufpos = inserted;
4368 	
4369 	      /* Compare with same_at_start to avoid counting some buffer text
4370 		 as matching both at the file's beginning and at the end.  */

Event use_after_free: Using freed pointer "conversion_buffer"
Also see events: [freed_arg][double_free][double_free][use_after_free]
At conditional (13): "bufpos > 0" taking true path
At conditional (14): "same_at_end > same_at_start" taking true path
At conditional (15): "(same_at_end - 1) >= ((current_buffer)->text)->gpt_byte" taking true path

4371 	      while (bufpos > 0 && same_at_end > same_at_start
4372 		     && FETCH_BYTE (same_at_end - 1) == conversion_buffer[bufpos - 1])
4373 		same_at_end--, bufpos--;
4374


* Re: Problem report #64
From: Kenichi Handa @ 2006-04-10  1:51 UTC

In article <200604090700.k3970GVZ005576@scanner2.ics.uci.edu>, Dan Nicolaescu <dann@ics.uci.edu> writes:

> ERROR
> CID: 64
> Checker: USE_AFTER_FREE (help)
> File: emacs/src/fileio.c
> Function: Finsert_file_contents
> Description: Using freed pointer "conversion_buffer"

> Event freed_arg: Pointer "conversion_buffer" freed by function "xfree" [model]
> Also see events: [use_after_free][double_free][double_free][use_after_free]

After freeing conversion_buffer, we always call
report_file_error or error which doesn't return.  So, this
is not a bug.

---
Kenichi Handa
handa@m17n.org

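Added example (not Emacs code and not part of the thread): a self-contained C model of the path the checker walks, showing why a free followed by a call to a function that never returns is not a use-after-free, and how the prefix/suffix comparison after it behaves on the success path. The stand-in error routine, the setjmp-based handler and the decision to make the error call unconditional rather than a chain of `if`s are assumptions of this example, chosen so that both the compiler (via `_Noreturn`) and a path-sensitive analyzer can see that no fall-through exists.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not Emacs code: a self-contained model of the path the
   report flags in Finsert_file_contents.  All names are hypothetical. */
static jmp_buf error_env;
/* Stand-in for Emacs' error(): unwinds and never returns.  _Noreturn is what
   lets a compiler or analyzer prove the free on the failure path is final. */
static _Noreturn void model_error(const char *msg)
{
    fputs(msg, stderr);
    longjmp(error_env, 1);
}
struct span { size_t same_at_start, same_at_end, bufpos; }; /* prefix/suffix match */
/* how_much < 0 stands for a failed read (-1 I/O error, -2 too large): free the
   temporary and call model_error() unconditionally, leaving no fall-through. */
static struct span compare_file_to_buffer(const char *buf_text, size_t buflen,
                                          const char *file_text, long how_much)
{
    struct span s = { 0, buflen, 0 };
    size_t inserted = how_much < 0 ? 0 : (size_t)how_much;
    char *conversion_buffer = malloc(inserted + 1);   /* hypothetical decode */
    if (!conversion_buffer) model_error("out of memory\n");
    memcpy(conversion_buffer, file_text, inserted);
    if (how_much < 0) {
        free(conversion_buffer);
        model_error(how_much == -1 ? "IO error reading file\n"
                                   : "maximum buffer size exceeded\n");
    }
    /* Compare the beginning of the converted file with the buffer text. */
    while (s.bufpos < inserted && s.same_at_start < s.same_at_end
           && buf_text[s.same_at_start] == conversion_buffer[s.bufpos])
        s.same_at_start++, s.bufpos++;
    /* Unless the whole file matched, scan from the end too, bounded by
       same_at_start so no byte counts as matching at both ends. */
    if (s.bufpos != inserted)
        for (s.bufpos = inserted; s.bufpos > 0 && s.same_at_end > s.same_at_start
             && buf_text[s.same_at_end - 1] == conversion_buffer[s.bufpos - 1];)
            s.same_at_end--, s.bufpos--;
    free(conversion_buffer);   /* the single release on the success path */
    return s;
}
/* Runs the comparison; returns 0 on success, -1 if model_error() fired. */
static int try_compare(const char *buf, const char *file, long how_much, struct span *out)
{
    if (setjmp(error_env) != 0) return -1;
    *out = compare_file_to_buffer(buf, strlen(buf), file, how_much);
    return 0;
}
```

On the constructed inputs in the test, "hello there world\n" against a buffer holding "hello world\n" yields a differing region of zero buffer bytes at offset 6 with file bytes 6..12 to insert, while a negative how_much never reaches the comparison loops.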
