unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Problem report #13
@ 2006-04-11 15:49 Dan Nicolaescu
  2006-05-11  2:19 ` Problem report #13 FALSE Kenichi Handa
  0 siblings, 1 reply; 6+ messages in thread
From: Dan Nicolaescu @ 2006-04-11 15:49 UTC (permalink / raw)



CID: 13
Checker: FORWARD_NULL (help)
File: emacs/src/coding.c
Function: encode_coding_string
Description: Variable "(coding)->cmp_data" tracked as NULL was passed to a function that dereferences it.

Event var_compare_op: Added "(coding)->cmp_data" due to comparison "(coding)->cmp_data == 0"
Also see events: [var_deref_model]
At conditional (1): "(coding)->cmp_data == 0" taking true path

6435 	  if (coding->type != coding_type_ccl
6436 	      && (! coding->cmp_data || coding->cmp_data->used == 0))
6437 	    {

At conditional (2): "(to_byte - from) > shrink_conversion_region_threshhold" taking true path
At conditional (3): "1" taking true path
At conditional (4): "0" taking false path

6438 	      SHRINK_CONVERSION_REGION (&from, &to_byte, coding, SDATA (str),
6439 					1);

At conditional (5): "from == to_byte" taking false path

6440 	      if (from == to_byte)
6441 		{
6442 		  coding_free_composition_data (coding);
6443 		  goto no_need_of_encoding;
6444 		}

At conditional (6): "((0), (str & -8))->size_byte < 0" taking true path

6445 	      shrinked_bytes = from + (SBYTES (str) - to_byte);
6446 	    }
6447 	
6448 	  len = encoding_buffer_size (coding, to_byte - from);

At conditional (7): "len < 16384" taking true path
At conditional (8): "0" taking false path

6449 	  allocate_conversion_buffer (buf, len);
6450 	
6451 	  consumed = consumed_char = produced = produced_char = 0;

At conditional (9): "1" taking true path

6452 	  while (1)
6453 	    {

Event var_deref_model: Variable "(coding)->cmp_data" tracked as NULL was passed to a function that dereferences it. [model]
Also see events: [var_compare_op]

6454 	      result = encode_coding (coding, SDATA (str) + from + consumed,
6455 				      buf.data + produced, to_byte - from - consumed,
6456 				      buf.size - produced);

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Problem report #13 FALSE
  2006-04-11 15:49 Problem report #13 Dan Nicolaescu
@ 2006-05-11  2:19 ` Kenichi Handa
  2006-05-11  2:46   ` Dan Nicolaescu
                     ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Kenichi Handa @ 2006-05-11  2:19 UTC (permalink / raw)


Dan Nicolaescu <dann@ics.uci.edu> writes:

> CID: 13
> Checker: FORWARD_NULL (help)
> File: emacs/src/coding.c
> Function: encode_coding_string
> Description: Variable "(coding)->cmp_data" tracked as NULL was passed to a function that dereferences it.

I see no bug here.   A member of (coding)->cmp_data is
accessed only after checking (coding)->cmp_data is not NULL.

> Event var_compare_op: Added "(coding)->cmp_data" due to comparison "(coding)->cmp_data == 0"
> Also see events: [var_deref_model]
> At conditional (1): "(coding)->cmp_data == 0" taking true path

> 6435 	  if (coding->type != coding_type_ccl
> 6436 	      && (! coding->cmp_data || coding->cmp_data->used == 0))
> 6437 	    {

Does the checker require it to be writen as below?

> 6436 	      && (coding->cmp_data ? coding->cmp_data->used == 0 : 1))

---
Kenichi Handa
handa@m17n.org

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Problem report #13 FALSE
  2006-05-11  2:19 ` Problem report #13 FALSE Kenichi Handa
@ 2006-05-11  2:46   ` Dan Nicolaescu
  2006-05-11  9:30   ` Andreas Schwab
  2006-05-11  9:40   ` Jason Rumney
  2 siblings, 0 replies; 6+ messages in thread
From: Dan Nicolaescu @ 2006-05-11  2:46 UTC (permalink / raw)
  Cc: emacs-devel

Kenichi Handa <handa@m17n.org> writes:

  > > Event var_compare_op: Added "(coding)->cmp_data" due to comparison "(coding)->cmp_data == 0"
  > > Also see events: [var_deref_model]
  > > At conditional (1): "(coding)->cmp_data == 0" taking true path
  >
  > > 6435 	  if (coding->type != coding_type_ccl
  > > 6436 	      && (! coding->cmp_data || coding->cmp_data->used == 0))
  > > 6437 	    {
  >
  > Does the checker require it to be writen as below?
  >
  > > 6436 	      && (coding->cmp_data ? coding->cmp_data->used == 0 : 1))

I don't know... 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Problem report #13 FALSE
  2006-05-11  2:19 ` Problem report #13 FALSE Kenichi Handa
  2006-05-11  2:46   ` Dan Nicolaescu
@ 2006-05-11  9:30   ` Andreas Schwab
  2006-05-11 10:58     ` Kenichi Handa
  2006-05-11  9:40   ` Jason Rumney
  2 siblings, 1 reply; 6+ messages in thread
From: Andreas Schwab @ 2006-05-11  9:30 UTC (permalink / raw)
  Cc: emacs-devel

Kenichi Handa <handa@m17n.org> writes:

> Dan Nicolaescu <dann@ics.uci.edu> writes:
>
>> CID: 13
>> Checker: FORWARD_NULL (help)
>> File: emacs/src/coding.c
>> Function: encode_coding_string
>> Description: Variable "(coding)->cmp_data" tracked as NULL was passed to a function that dereferences it.
>
> I see no bug here.   A member of (coding)->cmp_data is
> accessed only after checking (coding)->cmp_data is not NULL.
>
>> Event var_compare_op: Added "(coding)->cmp_data" due to comparison "(coding)->cmp_data == 0"
>> Also see events: [var_deref_model]
>> At conditional (1): "(coding)->cmp_data == 0" taking true path
>
>> 6435 	  if (coding->type != coding_type_ccl
>> 6436 	      && (! coding->cmp_data || coding->cmp_data->used == 0))
>> 6437 	    {
>
> Does the checker require it to be writen as below?
>
>> 6436 	      && (coding->cmp_data ? coding->cmp_data->used == 0 : 1))

That would be stupid, since it would be a major obfucation.  But that's
not the point of the report, the derefence is supposed to happen in
encode_coding.

Andreas.

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Problem report #13 FALSE
  2006-05-11  2:19 ` Problem report #13 FALSE Kenichi Handa
  2006-05-11  2:46   ` Dan Nicolaescu
  2006-05-11  9:30   ` Andreas Schwab
@ 2006-05-11  9:40   ` Jason Rumney
  2 siblings, 0 replies; 6+ messages in thread
From: Jason Rumney @ 2006-05-11  9:40 UTC (permalink / raw)
  Cc: emacs-devel

Kenichi Handa <handa@m17n.org> writes:

>> Function: encode_coding_string
>> Description: Variable "(coding)->cmp_data" tracked as NULL was passed to a function that dereferences it.
>
> I see no bug here.   A member of (coding)->cmp_data is
> accessed only after checking (coding)->cmp_data is not NULL.
>
>> Event var_compare_op: Added "(coding)->cmp_data" due to comparison "(coding)->cmp_data == 0"
>> Also see events: [var_deref_model]
>> At conditional (1): "(coding)->cmp_data == 0" taking true path
>
>> 6435 	  if (coding->type != coding_type_ccl
>> 6436 	      && (! coding->cmp_data || coding->cmp_data->used == 0))
>> 6437 	    {
>
> Does the checker require it to be writen as below?
>
>> 6436 	      && (coding->cmp_data ? coding->cmp_data->used == 0 : 1))

I don't think so, as that is not the line it is complaining
about. Rather the line:

6454          result = encode_coding (coding, SDATA (str) + from + consumed,
6455                                  buf.data + produced, to_byte - from - 
consumed,
6456                                  buf.size - produced);

So the question is,
1. Do we reach that line when coding->cmp_data is NULL?
2. Does coding->cmp_data really get dereferenced inside encode_coding
   in the case where it is NULL?

Judging by your previous responses to coding related problem reports,
there is probably some other condition that always prevents both of
these, but I don't understand enough about the coding structure to
tell myself.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Problem report #13 FALSE
  2006-05-11  9:30   ` Andreas Schwab
@ 2006-05-11 10:58     ` Kenichi Handa
  0 siblings, 0 replies; 6+ messages in thread
From: Kenichi Handa @ 2006-05-11 10:58 UTC (permalink / raw)
  Cc: emacs-devel

In article <jer730zz5x.fsf@sykes.suse.de>, Andreas Schwab <schwab@suse.de> writes:

> That would be stupid, since it would be a major obfucation.  But that's
> not the point of the report, the derefence is supposed to happen in
> encode_coding.

But, it seems that the derefence happens only where
coding->cmp_data is not NULL or coding->composing is not
COMPOSITION_DISABLED.  And if coding->composing is not
COMPOSITION_DISABLED, we surely allocate coding->cmp_data.

---
Kenichi Handa
handa@m17n.org

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2006-05-11 10:58 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-04-11 15:49 Problem report #13 Dan Nicolaescu
2006-05-11  2:19 ` Problem report #13 FALSE Kenichi Handa
2006-05-11  2:46   ` Dan Nicolaescu
2006-05-11  9:30   ` Andreas Schwab
2006-05-11 10:58     ` Kenichi Handa
2006-05-11  9:40   ` Jason Rumney

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).