* Problem report #23
From: Dan Nicolaescu @ 2006-04-11 15:49 UTC
CID: 23
Checker: FORWARD_NULL (help)
File: emacs/src/coding.c
Function: code_convert_region
Description: Variable "(coding)->cmp_data" tracked as NULL was dereferenced.
Event var_compare_op: Added "(coding)->cmp_data" due to comparison "(coding)->cmp_data == 0"
Also see events: [var_deref_op]
At conditional (1): "(coding)->cmp_data == 0" taking true path
5682 if (coding->type != coding_type_ccl
5683 && (! coding->cmp_data || coding->cmp_data->used == 0))
5684 {
5685 int from_byte_orig = from_byte, to_byte_orig = to_byte;
5686
At conditional (2): "from < ((current_buffer)->text)->gpt" taking true path
At conditional (3): "((current_buffer)->text)->gpt < to" taking true path
5687 if (from < GPT && GPT < to)
5688 move_gap_both (from, from_byte);
At conditional (4): "(to_byte - from_byte) > shrink_conversion_region_threshhold" taking true path
At conditional (5): "encodep != 0" taking false path
At conditional (6): "0" taking false path
5689 SHRINK_CONVERSION_REGION (&from_byte, &to_byte, coding, NULL, encodep);
At conditional (7): "from_byte == to_byte" taking true path
At conditional (8): "encodep != 0" taking false path
At conditional (9): "(coding)->post_read_conversion == Qnil" taking true path
At conditional (10): "(coding)->common_flags & 1 == 0" taking false path
5690 if (from_byte == to_byte
5691 && (encodep || NILP (coding->post_read_conversion))
5692 && ! CODING_REQUIRE_FLUSHING (coding))
5693 {
5694 coding->produced = len_byte;
5695 coding->produced_char = len;
5696 if (!replace)
5697 /* We must record and adjust for this new text now. */
5698 adjust_after_insert (from, from_byte_orig, to, to_byte_orig, len);
5699 coding_free_composition_data (coding);
5700 return 0;
5701 }
5702
5703 head_skip = from_byte - from_byte_orig;
5704 tail_skip = to_byte_orig - to_byte;
5705 total_skip = head_skip + tail_skip;
5706 from += head_skip;
5707 to -= tail_skip;
5708 len -= total_skip; len_byte -= total_skip;
5709 }
5710
5711 /* For conversion, we must put the gap before the text in addition to
5712 making the gap larger for efficient decoding. The required gap
5713 size starts from 2000 which is the magic number used in make_gap.
5714 But, after one batch of conversion, it will be incremented if we
5715 find that it is not enough . */
5716 require = 2000;
5717
At conditional (11): "((current_buffer)->text)->gap_size < require" taking true path
5718 if (GAP_SIZE < require)
5719 make_gap (require - GAP_SIZE);
5720 move_gap_both (from, from_byte);
5721
5722 inserted = inserted_byte = 0;
5723
5724 GAP_SIZE += len_byte;
5725 ZV -= len;
5726 Z -= len;
5727 ZV_BYTE -= len_byte;
5728 Z_BYTE -= len_byte;
5729
At conditional (12): "(((current_buffer)->text)->gpt - 1) < ((current_buffer)->text)->beg_unchanged" taking true path
5730 if (GPT - BEG < BEG_UNCHANGED)
5731 BEG_UNCHANGED = GPT - BEG;
At conditional (13): "(((current_buffer)->text)->z - ((current_buffer)->text)->gpt) < ((current_buffer)->text)->end_unchanged" taking true path
5732 if (Z - GPT < END_UNCHANGED)
5733 END_UNCHANGED = Z - GPT;
5734
At conditional (14): "encodep == 0" taking true path
At conditional (15): "(coding)->src_multibyte != 0" taking true path
5735 if (!encodep && coding->src_multibyte)
5736 {
5737 /* Decoding routines expects that the source text is unibyte.
5738 We must convert 8-bit characters of multibyte form to
5739 unibyte. */
5740 int len_byte_orig = len_byte;
5741 len_byte = str_as_unibyte (GAP_END_ADDR - len_byte, len_byte);
At conditional (16): "len_byte < len_byte_orig" taking true path
5742 if (len_byte < len_byte_orig)
5743 safe_bcopy (GAP_END_ADDR - len_byte_orig, GAP_END_ADDR - len_byte,
5744 len_byte);
5745 coding->src_multibyte = 0;
5746 }
5747
5748 for (;;)
5749 {
5750 int result;
5751
5752 /* The buffer memory is now:
5753 +--------+converted-text+---------+-------original-text-------+---+
5754 |<-from->|<--inserted-->|---------|<--------len_byte--------->|---|
5755 |<---------------------- GAP ----------------------->| */
5756 src = GAP_END_ADDR - len_byte;
5757 dst = GPT_ADDR + inserted_byte;
5758
At conditional (17): "encodep != 0" taking false path
5759 if (encodep)
5760 result = encode_coding (coding, src, dst, len_byte, 0);
5761 else
5762 {
At conditional (18): "(coding)->composing != 0" taking true path
5763 if (coding->composing != COMPOSITION_DISABLED)
Event var_deref_op: Variable "(coding)->cmp_data" tracked as NULL was dereferenced.
Also see events: [var_compare_op]
5764 coding->cmp_data->char_offset = from + inserted;
5765 result = decode_coding (coding, src, dst, len_byte, 0);
5766 }
5767
* Re: Problem report #23 FALSE
From: Kenichi Handa @ 2006-05-11 2:24 UTC
In article <200604111549.k3BFnVRs015129@scanner2.ics.uci.edu>, Dan Nicolaescu <dann@ics.uci.edu> writes:
> CID: 23
> Checker: FORWARD_NULL (help)
> File: emacs/src/coding.c
> Function: code_convert_region
> Description: Variable "(coding)->cmp_data" tracked as NULL was dereferenced.
I see no bug here (same as Problem report #13). This part
may not be clear:
> At conditional (18): "(coding)->composing != 0" taking true path
> 5763 if (coding->composing != COMPOSITION_DISABLED)
> Event var_deref_op: Variable "(coding)->cmp_data" tracked as NULL was dereferenced.
> Also see events: [var_compare_op]
> 5764 coding->cmp_data->char_offset = from + inserted;
> 5765 result = decode_coding (coding, src, dst, len_byte, 0);
> 5766 }
> 5767
But, the code surely allocates coding->cmp_data if
(coding->composing != COMPOSITION_DISABLED) at line 5677.
---
Kenichi Handa
handa@m17n.org
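
The correlation described in the reply, as an added example that is not part of the thread or the Emacs source: a simplified C model (all `model_*` names and values are hypothetical) in which the pointer is allocated under the same condition that later guards its dereference. The explicit NULL check states that invariant where a checker can see it and catches a constructed caller that skips the allocation.

```c
#include <stdlib.h>

/* Simplified model; every name here is hypothetical, not Emacs source. */
enum { MODEL_COMPOSITION_DISABLED = 0, MODEL_COMPOSITION_ENABLED = 1 };
struct model_cmp_data { int used; int char_offset; };
struct model_coding { int composing; struct model_cmp_data *cmp_data; };

/* Models the allocation the reply places at line 5677: cmp_data
   exists exactly when composition is enabled. */
static int model_prepare(struct model_coding *c)
{
    c->cmp_data = NULL;
    if (c->composing != MODEL_COMPOSITION_DISABLED)
        c->cmp_data = calloc(1, sizeof *c->cmp_data);
    return (c->composing == MODEL_COMPOSITION_DISABLED || c->cmp_data) ? 0 : -1;
}

/* Models lines 5682-5764. Returns 1 if char_offset was written,
   0 if composition is disabled, -1 if the invariant is broken. */
static int model_convert(struct model_coding *c, int from, int inserted)
{
    /* The NULL test that makes the checker track cmp_data as NULL. */
    int may_shrink = (!c->cmp_data || c->cmp_data->used == 0);
    (void) may_shrink;
    if (c->composing == MODEL_COMPOSITION_DISABLED)
        return 0;
    /* Explicit check: states the correlation the analyzer cannot see. */
    if (c->cmp_data == NULL)
        return -1;
    c->cmp_data->char_offset = from + inserted;
    return 1;
}

/* Normal call order: prepare, then convert. */
int model_run(int composing)
{
    struct model_coding c = { composing, NULL };
    int r = model_prepare(&c) == 0 ? model_convert(&c, 10, 5) : -2;
    free(c.cmp_data);
    return r;
}

/* Constructed failure case: a caller that skips model_prepare. */
int model_run_without_prepare(void)
{
    struct model_coding c = { MODEL_COMPOSITION_ENABLED, NULL };
    return model_convert(&c, 10, 5);
}

int main(void) { return model_run(MODEL_COMPOSITION_ENABLED) == 1 ? 0 : 1; }
```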