From: Eli Zaretskii <eliz@gnu.org>
To: Stefan Monnier <monnier@iro.umontreal.ca>
Cc: emacs-devel@gnu.org
Subject: Re: Willing to debug bug #3542 (23.0.94; File access via UNC path slow again under Windows)
Date: Tue, 14 Jul 2009 22:57:35 +0300
Message-ID: <83my77qbps.fsf@gnu.org>
In-Reply-To: <jwvvdlv878n.fsf-monnier+emacs@gnu.org>

> From: Stefan Monnier <monnier@iro.umontreal.ca>
> Cc: schwab@linux-m68k.org,  emacs-devel@gnu.org
> Date: Tue, 14 Jul 2009 14:18:53 -0400
> 
> >   directory_nbytes = SBYTES (directory);
> >   if (directory_nbytes == 0
> >       || !IS_ANY_SEP (SREF (directory, directory_nbytes - 1)))
> >     needsep = 1;
> >   [...]
> > 		  int nbytes = len + directory_nbytes + needsep;
> > 		  fullname = make_uninit_multibyte_string (nbytes, nbytes);
> > 		  bcopy (SDATA (directory), SDATA (fullname),
> > 			 directory_nbytes);
> 
> make_uninit_multibyte_string calls allocate_string_data which does
> 
>   STRING_DATA (s)[nbytes] = '\0';
> 
> so the destination of the `bcopy' already has the terminating NUL.

Perhaps most of the places where we use these paradigms are okay due
to all these subtle corners that together make everything work.  But
IMHO it's inherently unsafe to use character arrays that are not true
C strings as if they were C strings.  For one, it violates the mental
model each C programmer has about strings, and that can easily lead to
misunderstanding, confusion, and bugs.  For example (from dbusbind.c):

  char x[DBUS_MAXIMUM_SIGNATURE_LENGTH];
  [...]
	strcpy (x, SDATA (CAR_SAFE (XD_NEXT_VALUE (elt))));
  [...]
      sprintf (signature, "%c%s", dtype, x);

or

      case DBUS_TYPE_SIGNATURE:
	{
	  char *val = SDATA (Fstring_make_unibyte (object));
	  XD_DEBUG_MESSAGE ("%c %s", dtype, val);

How can one convince herself that this code is safe without knowing
too much about the Lisp strings whose data gets handled here as C
strings?  Can they have embedded nulls or cannot they?

Same here (editfns.c):

      if (SBYTES (val) > message_length)
	{
	  message_length = SBYTES (val);
	  message_text = (char *)xrealloc (message_text, message_length);
	}
      bcopy (SDATA (val), message_text, SBYTES (val));
      message2 (message_text, SBYTES (val),
		STRING_MULTIBYTE (val));

message_text[] is not a C string here, because it's not
null-terminated (and doesn't have enough space to be terminated).
Without looking at the implementation of message2, whose 1st arg is a
`char *', how can one know that there's no bug here?

Or here (search.c):

	  raw_pattern_size = SCHARS (string);
	  raw_pattern_size_byte = SCHARS (string);
	  raw_pattern = (unsigned char *) alloca (raw_pattern_size + 1);
	  copy_text (SDATA (string), raw_pattern,
		     SBYTES (string), 1, 0);

raw_pattern[] is not null-terminated, and we then use it, directly and
indirectly, in many places.  Without studying each use, there's no way
you can determine that there cannot be a bug here.

Etc., etc. -- I see other places where maybe it works, maybe it
doesn't.  One needs to study the code very carefully and look at many
functions up and down the call stack, just to determine if a few lines
don't constitute a bug.
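An added illustration in C of the hazard described above; it is not part of the message or of Emacs's source. It models a length-counted Lisp string with a constructed struct (lstr, with SDATA-like data and an SBYTES-like nbytes), shows how a strlen/strcpy-style use loses everything past an embedded NUL, and shows a length-aware copy that reserves the extra byte and leaves a real C string; the names cstring_length, has_embedded_nul, copy_terminated and to_cstring_checked are assumed.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for a Lisp string as the message describes it:
   SDATA-like bytes plus an SBYTES-like count, possibly with embedded NULs. */
struct lstr { const unsigned char *data; size_t nbytes; };

/* Constructed samples.  The NUL after 'd' is outside the 5 counted bytes;
   it only keeps the strlen() call below well defined. */
static const unsigned char sample_bytes[] = { 'a', 'b', '\0', 'c', 'd', '\0' };
const struct lstr sample = { sample_bytes, 5 };
const struct lstr clean = { (const unsigned char *) "abc", 3 };

/* The questioned pattern: SDATA handed to a C-string routine.  strlen
   stops at the first NUL and silently loses the remaining bytes. */
size_t cstring_length(const struct lstr *s)
{
    return strlen((const char *) s->data);
}

/* Answers "can they have embedded nulls?" for one concrete value. */
int has_embedded_nul(const struct lstr *s)
{
    return memchr(s->data, '\0', s->nbytes) != NULL;
}

/* Length-aware copy that always leaves a real C string.  It needs
   nbytes + 1 bytes of room (the editfns.c snippet reserves only nbytes).
   Returns bytes copied, or -1 when dst is too small. */
long copy_terminated(char *dst, size_t dstsize, const struct lstr *s)
{
    if (s->nbytes + 1 > dstsize)
        return -1;
    memcpy(dst, s->data, s->nbytes);
    dst[s->nbytes] = '\0';
    return (long) s->nbytes;
}

/* Copy only when no byte would hide behind an embedded NUL. */
long to_cstring_checked(char *dst, size_t dstsize, const struct lstr *s)
{
    return has_embedded_nul(s) ? -1 : copy_terminated(dst, dstsize, s);
}

int main(void)
{
    char buf[16];
    printf("strlen sees %zu of %zu bytes; checked copy: %ld\n", cstring_length(&sample),
           sample.nbytes, to_cstring_checked(buf, sizeof buf, &sample));
    return 0;
}
```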