From: Kenichi Handa
To: jim@meyering.net
Cc: emacs-devel@gnu.org, emacs-pretest-bug@gnu.org
Newsgroups: gmane.emacs.pretest.bugs, gmane.emacs.devel
Subject: Re: editfns.c (Fformat): fix for segfault
Date: Mon, 28 Apr 2003 11:36:24 +0900 (JST)
Message-ID: <200304280236.LAA10379@etlken.m17n.org>
In-reply-to: <851xzo9f2l.fsf@pi.meyering.net> (message from Jim Meyering on Sun, 27 Apr 2003 16:42:58 +0200)

In article <851xzo9f2l.fsf@pi.meyering.net>, Jim Meyering writes:
> I tried using a snapshot from today's CVS repository with Gnus.
> I got a segfault within a minute or two:
> pi$ gdb --args /p/bin/emacs -f gnus-no-server
> (gdb) r
> Starting program: /u/p/bin/emacs -f gnus-no-server
> Program received signal SIGSEGV, Segmentation fault.
> 0x081718e2 in Fformat (nargs=4, args=0xbfffe194)
> at /mirror/d/emacs/src/editfns.c:3486
> 3486 discarded[format - format_start] = 1;
> (gdb) p format
> $1 = (unsigned char *) 0x91788b4 "%S %d %d y\n"
> (gdb) p format_start
> $2 = (unsigned char *) 0x90cff34 "%s %d %d y\n"

Thank you for the report. I found a problem in the code of Fformat.

> This patch seems to have fixed it, at least to the extent
> that with it, I can no longer reproduce the problem.
[...]
> /* Scan the format and store result in BUF. */
> format = SDATA (args[0]);
> + format_start = format;
> + end = format + SBYTES (args[0]);
> maybe_combine_byte = 0;
> while (format != end)
> {

I think it's not enough. This is my analysis.
In the first scan, Fchar_to_string or Fprin1_to_string are called, and they will relocate the data of a Lisp string (in the current case, args[0]). When that happens, the area pointed to by `format' becomes invalid. So, after each call of them, we must update format, format_start, and end. Another way is to copy the byte sequence of args[0] into some safe area alloca'ed or malloc'ed.

Could some Emacs developer confirm my analysis and, if it is correct, fix the code along this line? Currently, I don't have time to do that by myself.

---
Ken'ichi HANDA
handa@m17n.org
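Review bot: the quoted hunk is incomplete because format_start and end are computed once, before the loop, from SDATA (args[0]) and SBYTES (args[0]), while the loop body calls Fchar_to_string and Fprin1_to_string, which, as the reply above explains, can relocate the string's data; after such a call format, format_start and end all point into the old area. The gdb session already shows the mismatch at `discarded[format - format_start] = 1;`: format has followed the string to 0x91788b4 while format_start still holds 0x90cff34, so the index is the distance between two different buffers. Either re-derive all three pointers from args[0] after each of those calls (carrying `format - format_start` across the call as an offset), or, as the reply suggests, copy the bytes of args[0] into a buffer that GC does not move and run the scan over that copy.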
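A constructed C model of the failure described in this message, added here as an example and not Emacs source: a scanner in the shape of the Fformat loop caches pointers into string data that a callee may relocate, and is shown beside the two remedies proposed above (re-deriving format, format_start and end after every relocating call, or scanning a private copy of the bytes). The lstring type, the two-slot arena, relocating_call and the scan_* functions are all assumptions of this model; the input string is the format from the gdb session.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Emacs source.  A "Lisp string" whose bytes live in
   an arena slot that the runtime may move, as Emacs's GC can relocate
   string data.  Strings are assumed to be shorter than ARENA_SIZE. */
#define ARENA_SLOTS 2
#define ARENA_SIZE  64

typedef struct {
    unsigned char *data;   /* current location of the bytes */
    size_t nbytes;
} lstring;

/* One flat object holding both slots, so pointer arithmetic between a stale
   pointer and a fresh one stays defined and can be inspected. */
static unsigned char arena[ARENA_SLOTS * ARENA_SIZE];
static int cur_slot;

/* Place SRC's bytes in slot 0 and point S at them. */
static void lstring_init(lstring *s, const char *src) {
    cur_slot = 0;
    s->nbytes = strlen(src);
    s->data = arena;
    memcpy(s->data, src, s->nbytes);
}

/* Stand-in for Fprin1_to_string / Fchar_to_string: a call that may run GC.
   Here it always moves the bytes to the other slot and poisons the old one,
   so every pointer computed before the call now points at junk. */
static void relocating_call(lstring *s) {
    int next = 1 - cur_slot;
    memcpy(arena + next * ARENA_SIZE, s->data, s->nbytes);
    memset(arena + cur_slot * ARENA_SIZE, 0xAA, ARENA_SIZE);
    cur_slot = next;
    s->data = arena + next * ARENA_SIZE;
}

/* Bitmask of the positions marked in DISCARDED (bit i set => byte i marked). */
static long long mask_of(const unsigned char *discarded, size_t n) {
    long long m = 0;
    for (size_t i = 0; i < n && i < 63; i++)
        if (discarded[i]) m |= 1LL << i;
    return m;
}

/* 1. The shape of the report: format_start and end are set once; after the
   relocating call only format is re-derived from the string.  The index for
   discarded[] then becomes the distance between two different slots.  Where
   Fformat wrote through that index and crashed, this returns -1. */
static long long scan_stale(lstring *s) {
    unsigned char discarded[ARENA_SIZE] = {0};
    const unsigned char *format = s->data;
    const unsigned char *format_start = format;
    const unsigned char *end = format + s->nbytes;
    while (format != end) {
        if (format >= arena + sizeof arena)
            return -1;                       /* stale pointer walked out of the arena */
        if (*format == '%') {
            size_t idx = (size_t)(format - format_start);
            if (idx >= s->nbytes)
                return -1;                   /* the real code writes discarded[idx] here */
            discarded[idx] = 1;
            relocating_call(s);
            format = s->data + idx;          /* partial refresh: format only */
        }
        format++;
    }
    return mask_of(discarded, s->nbytes);
}

/* 2. First remedy: after every relocating call, re-derive format,
   format_start and end from the string object, carrying only the offset
   across the call. */
static long long scan_refresh(lstring *s) {
    unsigned char discarded[ARENA_SIZE] = {0};
    const unsigned char *format = s->data;
    const unsigned char *format_start = format;
    const unsigned char *end = format + s->nbytes;
    while (format != end) {
        if (*format == '%') {
            size_t idx = (size_t)(format - format_start);
            discarded[idx] = 1;
            relocating_call(s);
            format_start = s->data;          /* all three pointers refreshed */
            end = format_start + s->nbytes;
            format = format_start + idx;
        }
        format++;
    }
    return mask_of(discarded, s->nbytes);
}

/* 3. Second remedy: copy the bytes into a private buffer (alloca or malloc
   in real code) and scan that; relocation of the Lisp string no longer
   matters to the scan. */
static long long scan_copy(lstring *s) {
    unsigned char buf[ARENA_SIZE];
    unsigned char discarded[ARENA_SIZE] = {0};
    const unsigned char *format_start = buf;
    const unsigned char *format = buf;
    const unsigned char *end = buf + s->nbytes;
    memcpy(buf, s->data, s->nbytes);
    while (format != end) {
        if (*format == '%') {
            discarded[format - format_start] = 1;
            relocating_call(s);              /* moves the Lisp string; the copy is untouched */
        }
        format++;
    }
    return mask_of(discarded, s->nbytes);
}

int main(void) {
    lstring s;
    const char *fmt = "%S %d %d y\n";       /* the format from the gdb session */
    lstring_init(&s, fmt); printf("stale:   %lld\n", scan_stale(&s));
    lstring_init(&s, fmt); printf("refresh: %lld\n", scan_refresh(&s));
    lstring_init(&s, fmt); printf("copy:    %lld\n", scan_copy(&s));
    return 0;
}
```

The three '%' directives sit at byte offsets 0, 3 and 6, so both remedies mark the same positions; the stale variant bails out at the second directive, where its index is already the distance between the two slots rather than an offset into the string.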