From: Barry OReilly
Newsgroups: gmane.emacs.bugs
Subject: bug#15405: 24.3; #[] freezes emacs
Date: Fri, 20 Sep 2013 11:33:13 -0400
To: Eli Zaretskii
Cc: stephen.berman@gmx.net, 15405@debbugs.gnu.org, Leo Liu
In-Reply-To: <83ob7pmh28.fsf@gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:78611

Here's what happens:
   - read1 reads the #[] and proceeds to create a vector of zero
     length
   - allocate_vectorlike has a special case for zero length vectors:
         if (len == 0)
           p = XVECTOR (zero_vector);
   - zero_vector is a global variable, so all zero length vectors
     point to it. This can be seen when evalling:
         (eq [] []) ; Evaluates to t
         (eq [1 2 3] [1 2 3]) ; Evaluates to nil
   - After read1 creates the zero_vector, it sets bits in the size
     field to indicate it is a PVEC_COMPILED pseudo vector
   - The global zero_vector is thereafter a PVEC_COMPILED pseudo
     vector, including the empty vector of the font data
   - Later, the font_list_entities function checks the size of the
     font data vector using ASIZE. It does not expect a pseudo vector,
     so it makes no such checks.
   - Because the pseudo vector bits are set, the size is very large
   - Indexing too far into the font data vector results in a core dump

What should the behavior be? Perhaps (eval #[]) should evaluate to []
instead of #[]?

Maybe an eassert in font_list_entities that its vector is not a pseudo
vector couldn't hurt either?
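The aliasing chain described in the message above, as an added C model. This is not code from the original message or from Emacs's own alloc.c/lread.c/font.c: the size-word layout (top bit = pseudovector, an assumed PVEC_COMPILED tag bit below it), the struct, and the helpers read_compiled_literal_buggy, read_compiled_literal_fixed, loop_bound_unchecked, count_entities_checked and reset_zero_vector are all assumptions of mine, named after the real allocate_vectorlike, zero_vector, ASIZE and PVEC_COMPILED only to keep the correspondence readable. It shows the three facts the report hinges on: every zero-length allocation aliases one global object, tagging that object through the reader path turns every later [] into a pseudovector whose raw ASIZE is enormous, and a consumer that checks for the pseudovector bit (the eassert idea above, done as a runtime check) or a reader that never tags the shared singleton (my suggested hardening, not the project's actual fix) keeps the loop bound sane.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed size-word layout, simplified from the real Emacs one: the top bit
   marks a pseudovector and a tag field sits below it.  Plain vectors keep the
   raw element count in the word. */
#define PSEUDOVECTOR_FLAG ((size_t)1 << (CHAR_BIT * sizeof(size_t) - 1))
#define PVEC_COMPILED     ((size_t)1 << 24)   /* assumed tag value, any nonzero bit */

typedef struct {
    size_t size;      /* plain vector: element count; pseudovector: flag|tag|count */
    long  *contents;  /* elements; NULL when there are none */
} vector;

/* The global shared empty vector, modelled on alloc.c's zero_vector. */
static vector zero_vector = { 0, NULL };

/* Undo the corruption so the two scenarios can be run in sequence. */
void reset_zero_vector(void) { zero_vector.size = 0; }

/* Mirrors the special case quoted in the message: every zero-length request
   returns the same object, which is why (eq [] []) is t. */
vector *allocate_vectorlike(size_t len) {
    if (len == 0)
        return &zero_vector;
    vector *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->size = len;
    v->contents = calloc(len, sizeof *v->contents);
    if (!v->contents) abort();
    return v;
}

/* ASIZE reads the raw size word; nothing masks the tag bits out. */
#define ASIZE(v) ((v)->size)

bool is_pseudovector(const vector *v) {
    return (v->size & PSEUDOVECTOR_FLAG) != 0;
}

/* Buggy reader path for "#[...]": stamp the tag on whatever the allocator
   returned.  For len == 0 that is the shared zero_vector, so from now on every
   [] in the process, including the empty font-data vector, is "compiled". */
vector *read_compiled_literal_buggy(size_t len) {
    vector *v = allocate_vectorlike(len);
    v->size |= PSEUDOVECTOR_FLAG | PVEC_COMPILED;
    return v;
}

/* One hardening (my suggestion, not the project's actual fix): a pseudovector
   always gets its own header, so the shared singleton is never tagged. */
vector *read_compiled_literal_fixed(size_t len) {
    vector *v = len ? allocate_vectorlike(len) : calloc(1, sizeof *v);
    if (!v) abort();
    v->size |= PSEUDOVECTOR_FLAG | PVEC_COMPILED;
    return v;
}

/* What font_list_entities effectively does: take ASIZE as the loop bound.
   The bound is returned rather than used to walk contents[], because on a
   tagged header that walk is the out-of-bounds read behind the core dump. */
size_t loop_bound_unchecked(const vector *v) { return ASIZE(v); }

/* Consumer with the eassert-style check from the message, as a runtime check:
   a pseudovector here is a bug, so report it instead of indexing. */
long count_entities_checked(const vector *v) {
    if (is_pseudovector(v))
        return -1;
    return (long)ASIZE(v);
}

int main(void) {
    vector *empty = allocate_vectorlike(0);
    printf("(eq [] []) -> %s\n", empty == allocate_vectorlike(0) ? "t" : "nil");

    read_compiled_literal_buggy(0);                  /* the reader sees #[] */
    printf("after #[]: [] pseudovector=%d loop bound=%zu checked=%ld\n",
           is_pseudovector(empty), loop_bound_unchecked(empty),
           count_entities_checked(empty));

    reset_zero_vector();
    read_compiled_literal_fixed(0);                  /* same literal, own header */
    printf("with fix:  [] pseudovector=%d loop bound=%zu checked=%ld\n",
           is_pseudovector(empty), loop_bound_unchecked(empty),
           count_entities_checked(empty));
    return 0;
}
```

The model deliberately returns the loop bound instead of indexing with it; the point is that the bound is wrong by a factor of the flag bit, not the segfault itself. Note that the check in count_entities_checked catches the corrupted singleton only after the damage is done; the reader-side change is what prevents the shared object from ever being tagged.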