From: Dmitry Antipov
Newsgroups: gmane.emacs.bugs
Subject: bug#16457: 24.3.50; crash rendering Arabic Uthmani script
Date: Fri, 17 Jan 2014 11:34:11 +0400
Message-ID: <52D8DCF3.5030603@yandex.ru>
References: <52D6C466.9080909@yandex.ru> <838uuh3zx7.fsf@gnu.org> <7obnzcor73.fsf@fencepost.gnu.org> <52D791C0.7000405@yandex.ru> <83a9ev3k7x.fsf@gnu.org>
In-Reply-To: <83a9ev3k7x.fsf@gnu.org>
To: Eli Zaretskii
Cc: 16457@debbugs.gnu.org

On 01/16/2014 09:33 PM, Eli Zaretskii wrote:

> This is really strange.  First, I cannot reproduce the crash on
> MS-Windows, so the problem might be related to the shaping engine
> being used (I presume yours is libotf and libm17n).  (I tried on both
> Windows XP and on Windows 7, which have very different versions of
> Uniscribe, and they both work fine.)

Yes, with ' --without-m17n-flt' it doesn't crash.

> Specifically, cmp_it.nbytes is computed in composition_update_it as
> the sum of byte-widths of all the characters being composed:
>
>       cmp_it->width = 0;
>       for (i = cmp_it->nchars - 1; i >= 0; i--)
>         {
>           c = XINT (LGSTRING_CHAR (gstring, cmp_it->from + i));
>           cmp_it->nbytes += CHAR_BYTES (c);
>           cmp_it->width += CHAR_WIDTH (c);
>         }

I'm trying this:

=== modified file 'src/composite.c' --- src/composite.c 2014-01-12 23:23:55 +0000 +++ src/composite.c 2014-01-17 07:16:11 +0000 @@ -24,6 +24,7 @@ #include +#include #include "lisp.h" #include "character.h" #include "buffer.h"
@@ -1410,9 +1411,16 @@ cmp_it->nchars = LGLYPH_TO (glyph) + 1 - from; cmp_it->nbytes = 0; cmp_it->width = 0; + + fprintf (stderr, "%s: from %d, nchars %d, header %p is:\n", __func__, + cmp_it->from, cmp_it->nchars, XPNTR (LGSTRING_HEADER (gstring))); + debug_print (LGSTRING_HEADER (gstring)); + for (i = cmp_it->nchars - 1; i >= 0; i--) { c = XINT (LGSTRING_CHAR (gstring, cmp_it->from + i)); + fprintf (stderr, " at %d: char %d, %d bytes\n", + cmp_it->from + i, c, CHAR_BYTES (c)); cmp_it->nbytes += CHAR_BYTES (c); cmp_it->width += CHAR_WIDTH (c); }

And now seeing an illegal access beyond end of gstring header:

;; OK
composition_update_it: from 0, nchars 1, header 0x100c958 is:
[# 1648 1583 1616 1593 1615 1608 1606 1614]
 at 0: char 1648, 2 bytes

;; OK
composition_update_it: from 2, nchars 2, header 0x100c958 is:
[# 1648 1583 1616 1593 1615 1608 1606 1614]
 at 3: char 1593, 2 bytes
 at 2: char 1616, 2 bytes

;; OK
composition_update_it: from 4, nchars 2, header 0x100c958 is:
[# 1648 1583 1616 1593 1615 1608 1606 1614]
 at 5: char 1608, 2 bytes
 at 4: char 1615, 2 bytes

;; OK
composition_update_it: from 6, nchars 1, header 0x100c958 is:
[# 1648 1583 1616 1593 1615 1608 1606 1614]
 at 6: char 1606, 2 bytes

;; BAD
composition_update_it: from 7, nchars 2, header 0x100c958 is:
[# 1648 1583 1616 1593 1615 1608 1606 1614]
 at 8: char 2, 1 bytes
 at 7: char 1614, 2 bytes

IIUC 2 is the garbage at (presumably invalid) position 8.

> And the characters in the LGSTRING object are simply copied from the
> buffer in fill_gstring_header, when LGSTRING is created:
>
>   for (i = 0; i < len; i++)
>     {
>       int c;
>
>       if (NILP (string))
>         FETCH_CHAR_ADVANCE_NO_CHECK (c, from, from_byte);
>       else
>         FETCH_STRING_CHAR_ADVANCE_NO_CHECK (c, string, from, from_byte);
>       ASET (header, i + 1, make_number (c));
>     }

AFAICS gstring header is correct here.

> Btw, does the problem go away if you disable cache-long-scans?

No.

Dmitry
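
Review bot: in the second hunk (@@ -1410,9 +1411,16 @@) the added fprintf calls log cmp_it->from and cmp_it->nchars, but neither LGLYPH_TO (glyph), from which nchars is derived on the hunk's first context line, nor the number of characters held in the header. The trace therefore shows which index is read without showing whether that index is in range, and the reader has to count the elements that debug_print emits. Suggest printing both values in the first fprintf and flagging, before the loop, the case where cmp_it->from + cmp_it->nchars exceeds the header's character count, since the loop evaluates LGSTRING_CHAR (gstring, cmp_it->from + i) with no bound check of its own.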
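
The range check that the trace in this message calls for, as an added example that is not code from the thread or from Emacs: it rejects a cluster whose characters would extend past the end of the header before any element is read. The names char_bytes, cluster_nbytes and count_rejected are hypothetical, char_bytes is a stand-in for CHAR_BYTES that assumes Unicode code points, and the sample data is constructed from the debug output above.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for CHAR_BYTES, valid for Unicode code points:
   the number of bytes in the UTF-8 encoding of C.  */
static int char_bytes(int c)
{
    return c < 0x80 ? 1 : c < 0x800 ? 2 : c < 0x10000 ? 3 : 4;
}

/* Sum the byte widths of the NCHARS characters starting at FROM in a
   header of LEN characters.  Returns 0 and stores the sum in *NBYTES,
   or returns -1 without reading if the cluster leaves the header.  */
int cluster_nbytes(const int *chars, size_t len, int from, int nchars, int *nbytes)
{
    if (from < 0 || nchars <= 0 || (size_t) from >= len
        || (size_t) nchars > len - (size_t) from)
        return -1;
    int sum = 0;
    for (int i = nchars - 1; i >= 0; i--)
        sum += char_bytes(chars[from + i]);
    *nbytes = sum;
    return 0;
}

/* Constructed sample: the eight header characters and the five
   (from, nchars) pairs printed in the debug trace.  */
static const int header_chars[] = { 1648, 1583, 1616, 1593, 1615, 1608, 1606, 1614 };
static const struct { int from, nchars; } clusters[] = { {0, 1}, {2, 2}, {4, 2}, {6, 1}, {7, 2} };

/* Check every cluster, report each result, return how many were rejected.  */
int count_rejected(void)
{
    size_t len = sizeof header_chars / sizeof header_chars[0];
    int rejected = 0;
    for (size_t k = 0; k < sizeof clusters / sizeof clusters[0]; k++) {
        int n = 0, from = clusters[k].from, nchars = clusters[k].nchars;
        if (cluster_nbytes(header_chars, len, from, nchars, &n) == 0)
            printf("from %d, nchars %d: %d bytes\n", from, nchars, n);
        else {
            printf("from %d, nchars %d: past header end (%zu chars)\n", from, nchars, len);
            rejected++;
        }
    }
    return rejected;
}

int main(void) { return count_rejected() == 1 ? 0 : 1; }
```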