From: Stefan Monnier
To: rms@gnu.org
Cc: emacs-devel@gnu.org, teirllm@dms.auburn.edu, "Kim F. Storm"
Newsgroups: gmane.emacs.devel
Subject: Re: Fix to long-standing crashes in GC
Date: 21 May 2004 18:58:07 -0400
References: <40A3BC23.8060000@math.ku.dk> <200405180013.i4I0Ddl15818@raven.dms.auburn.edu>
Xref: main.gmane.org gmane.emacs.devel:23839

> Marking a misc object sets the mark bit in it.  If this supposed misc
> object isn't really other data, that will destroy the other data
> there.  misc_live_p is supposed to make sure this never happens.
> Likewise for symbols.  With conservative stack marking, it
> would seem that using a mark bit inside an object is a bug, unless
> mark_object can first verify the object is real.

mark_object is only called after checking that the presumed pointer does
point to a live object of the expected type.

> mark_buffer seems to have a similar problem.

And the same solution is applied.

> I think GETMARKBIT has a similar problem, in that it assumes
> that the cons or float is contained in a real cons block or a real
> float block.  It finds the address of that block by address
> calculations.  If it found random data that points to a supposed
> cons cell in the wrong place, the address calculations will give
> an address that doesn't really correspond to a cons block.

That's what find_mem is for: to make sure it's indeed one of our cons
blocks or float block (and which of the two).

> When it tries to find the mark bits of that block, it can crash
> on an invalid pointer, or even find a valid-looking pointer to
> other data and garble it.

Only if there's a bug in the mem_find code.


        Stefan
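The exchange above turns on one ordering rule: with conservative stack scanning, a word is only ever treated as a cons once the block registry (mem_find) has said the word lies inside a cons block and a liveness check has said it lands on the start of an allocated cell; only after that is the GETMARKBIT-style address masking trusted and a mark bit touched. The following is an added example illustrating that rule, not Emacs's own alloc.c. The names mem_find, live_cons_p, mark_maybe_pointer and gcmarkbits are borrowed from Emacs, but everything else is an assumption of the demo: a linear registry array instead of a red-black tree, a single statically allocated, page-aligned cons block, mark bits kept in one word outside the cells, and a sentinel car value marking free cells.

```c
/* Added example, not Emacs code: a toy conservative marker that checks a
   stack word against a block registry (mem_find) and a per-type liveness
   predicate (live_cons_p) before any mark bit is set.  Layout, registry
   and free-cell sentinel are simplifications assumed for this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_ALIGN 4096         /* aligned blocks make block-of-pointer a mask */
#define CONS_BLOCK_SIZE 64       /* cells per block: fits one 64-bit mark word */
#define FREE_MARKER ((void *)-1) /* car of a cell that sits on the free list */

struct cons { void *car, *cdr; };
struct cons_block {
  struct cons conses[CONS_BLOCK_SIZE];
  uint64_t gcmarkbits;           /* mark bits live outside the cells */
};
_Static_assert(sizeof(struct cons_block) <= BLOCK_ALIGN, "block must fit its alignment");

enum mem_type { MEM_TYPE_NON_LISP, MEM_TYPE_CONS };
struct mem_node { char *start, *end; enum mem_type type; };

static struct mem_node mem_registry[8];
static int mem_count;
static _Alignas(BLOCK_ALIGN) struct cons_block the_block;
static struct cons *cons_free_list;
static char scratch[64];         /* non-Lisp data the collector must never touch */

static void mem_insert(void *start, void *end, enum mem_type type) {
  mem_registry[mem_count++] = (struct mem_node){ start, end, type };
}

/* Which registered block, if any, contains P?  Emacs walks a red-black
   tree here; a linear scan reaches the same verdict for the demo. */
static struct mem_node *mem_find(void *p) {
  for (int i = 0; i < mem_count; i++)
    if ((char *)p >= mem_registry[i].start && (char *)p < mem_registry[i].end)
      return &mem_registry[i];
  return NULL;
}

/* GETMARKBIT-style address calculation: mask the pointer down to its block.
   Only meaningful after mem_find has confirmed P lies in a cons block. */
static struct cons_block *cons_block_of(void *p) {
  return (struct cons_block *)((uintptr_t)p & ~(uintptr_t)(BLOCK_ALIGN - 1));
}

/* Does P point at the start of an allocated cell of a real cons block? */
static bool live_cons_p(struct mem_node *m, void *p) {
  if (m == NULL || m->type != MEM_TYPE_CONS)
    return false;
  struct cons_block *b = (struct cons_block *)m->start;
  ptrdiff_t offset = (char *)p - (char *)b->conses;
  return offset >= 0
      && offset % (ptrdiff_t)sizeof(struct cons) == 0
      && offset / (ptrdiff_t)sizeof(struct cons) < CONS_BLOCK_SIZE
      && b->conses[offset / sizeof(struct cons)].car != FREE_MARKER;
}

/* Conservative marking of one stack word: returns true only when P was
   verified as a live cons and its external mark bit was set. */
static bool mark_maybe_pointer(void *p) {
  struct mem_node *m = mem_find(p);
  if (!live_cons_p(m, p))
    return false;                /* random data: touch nothing */
  struct cons_block *b = cons_block_of(p);
  size_t idx = ((char *)p - (char *)b->conses) / sizeof(struct cons);
  b->gcmarkbits |= (uint64_t)1 << idx;
  return true;
}

static bool cons_marked_p(struct cons *c) {
  struct cons_block *b = cons_block_of(c);
  return (b->gcmarkbits >> (c - b->conses)) & 1;
}

static struct cons *make_cons(void *car, void *cdr) {
  struct cons *c = cons_free_list; /* demo: one block, never grows */
  cons_free_list = c->cdr;
  c->car = car;
  c->cdr = cdr;
  return c;
}

struct demo_result { int marked; bool real_marked; bool freed_marked; bool scratch_intact; };

/* Constructed scenario: scan a fake stack holding one genuine cons pointer
   and four words that merely look like pointers. */
struct demo_result run_demo(void) {
  static const char text[] = "user data, not a Lisp object";
  mem_count = 0;
  cons_free_list = NULL;
  the_block.gcmarkbits = 0;
  for (int i = 0; i < CONS_BLOCK_SIZE; i++) {   /* thread the free list */
    the_block.conses[i].car = FREE_MARKER;
    the_block.conses[i].cdr = cons_free_list;
    cons_free_list = &the_block.conses[i];
  }
  mem_insert(&the_block, &the_block + 1, MEM_TYPE_CONS);
  memcpy(scratch, text, sizeof text);
  mem_insert(scratch, scratch + sizeof scratch, MEM_TYPE_NON_LISP);

  struct cons *real = make_cons(scratch, NULL);
  struct cons *freed = cons_free_list;         /* still on the free list */
  void *stack[] = {
    real,                                      /* genuine reference */
    (char *)real + 3,                          /* misaligned word inside the same cell */
    freed,                                     /* free cell: its mark bit must stay clear */
    scratch + 8,                               /* points into non-Lisp data */
    (void *)(uintptr_t)0xdeadbeef,             /* in no registered block at all */
  };
  int marked = 0;
  for (size_t i = 0; i < sizeof stack / sizeof stack[0]; i++)
    marked += mark_maybe_pointer(stack[i]);
  return (struct demo_result){ marked, cons_marked_p(real), cons_marked_p(freed),
                               memcmp(scratch, text, sizeof text) == 0 };
}
```

Of the five stack words only the genuine reference gets marked; the misaligned word, the free cell, the pointer into `scratch` and the stray integer are all rejected before `cons_block_of` is ever evaluated, so the masked block address is only computed for pointers the registry has already vouched for, and the non-Lisp buffer is left byte-for-byte intact. The failure mode RMS describes (a valid-looking pointer to other data getting garbled) can only appear if `mem_find` or `live_cons_p` returns a wrong answer, which is exactly the point of the reply above.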