From: Chong Yidong
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs 23.1.93 pretest
Date: Sat, 27 Feb 2010 20:45:45 -0500
To: Eli Zaretskii
Cc: emacs-devel@gnu.org

Eli Zaretskii writes:

>> Hmm, this is strange. This change (actually the succeeding 2010-02-06
>> change to the same place) switches from using alloca to SAFE_ALLOCA
>> (i.e. malloc, since the desired structure is large). But the only way I
>> can see for this code to crash is if load_charset_map somehow makes a
>> pointer into the allocated structure. But in that case, the old alloca
>> case should have crashed too.
>
> Yes, it _is_ weird. But the effect (see below) does look like we are
> freeing memory being used, or maybe overwriting some allocated buffer,
> or in some other way thrashing the arena.

Hmm, I think I may see the problem. Does this patch help?

=== modified file 'src/charset.c' *** src/charset.c 2010-02-06 13:23:33 +0000 --- src/charset.c 2010-02-28 01:45:17 +0000 *************** *** 530,535 **** --- 530,536 ---- large (larger than MAX_ALLOCA). 
*/ SAFE_ALLOCA (head, struct charset_map_entries *, sizeof (struct charset_map_entries)); + bzero (head, sizeof (struct charset_map_entries)); entries = head; n_entries = 0; *************** *** 556,561 **** --- 557,563 ---- { SAFE_ALLOCA (entries->next, struct charset_map_entries *, sizeof (struct charset_map_entries)); + bzero (entries->next, sizeof (struct charset_map_entries)); entries = entries->next; } idx = n_entries % 0x10000; *************** *** 595,600 **** --- 597,603 ---- large (larger than MAX_ALLOCA). */ SAFE_ALLOCA (head, struct charset_map_entries *, sizeof (struct charset_map_entries)); + bzero (head, sizeof (struct charset_map_entries)); entries = head; n_entries = 0; *************** *** 631,636 **** --- 634,640 ---- { SAFE_ALLOCA (entries->next, struct charset_map_entries *, sizeof (struct charset_map_entries)); + bzero (entries->next, sizeof (struct charset_map_entries)); entries = entries->next; } idx = n_entries % 0x10000;
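
Review bot: In the hunks at 530 and 597 the added bzero clears the whole struct charset_map_entries, which the comment directly above describes as larger than MAX_ALLOCA, yet nothing in the change records which field was being read uninitialised. If the field that matters is the `next` link that the loop later follows, `head->next = NULL;` would be sufficient and cheaper. Either way, a short comment next to the call stating what depends on the zeroed memory would keep a later cleanup from dropping it.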
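
Review bot: The hunks at 557 and 634 repeat the same SAFE_ALLOCA-then-bzero pair that is added at 530 and 597, so allocation and initialisation now have to be kept in step by hand in four places. A small wrapper macro that allocates one struct charset_map_entries and clears it would prevent a future allocation site from being added without the initialisation. Writing the size as `sizeof *entries->next` rather than repeating the type name would also keep the cleared length tied to the pointer being cleared.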