From: Kenichi Handa
Newsgroups: gmane.emacs.devel
Subject: potential bug in display_mode_element?
Date: Mon, 12 Sep 2005 09:58:52 +0900
Original-To: emacs-devel@gnu.org
List-Id: "Emacs development discussions."
Xref: news.gmane.org gmane.emacs.devel:42830

I got a bug report for emacs-unicode-2, and it seems that the same bug exists in HEAD too. The backtrace is this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208118624 (LWP 29169)]
0x080b7349 in display_mode_element (it=0xbfffd1b0, depth=10, field_width=0, precision=-63, elt=164196259, props=138499373, risky=0) at xdisp.c:16136
16136     while ((precision <= 0 || n < precision)
(gdb) xbacktrace
"execute-extended-command"
"call-interactively"
(gdb) bt full
#0  0x080b7349 in display_mode_element (it=0xbfffd1b0, depth=10, field_width=0, precision=-63, elt=164196259, props=138499373, risky=0) at xdisp.c:16136
c = 0 '\0'
this = (const unsigned char *) 0xaf7a101
lisp_string = (const unsigned char *) 0xaf7a0fc
n = 5
field = 138382657
prec = 5
literal = 0

Here the strange thing is that lisp_string points to an address out of bounds. It is initialized as this:

  this = SDATA (elt);
  lisp_string = this;

  if (literal)
    /* omitted because not relevant now */

  while ((precision <= 0 || n < precision)
         && *this
         && (mode_line_target != MODE_LINE_DISPLAY
             || it->current_x < it->last_visible_x))
    ...

and never changed in the while loop. So the only reason I can think of why the address pointed to by lisp_string becomes out of bounds is that the string data of ELT was relocated in the loop and the original address was returned to the OS. Actually, display_string is called in the loop, and it will run Lisp code. So, I think we need this change. What do you think?

*** xdisp.c 10 Sep 2005 09:35:12 +0900 1.1050 --- xdisp.c 10 Sep 2005 18:58:05 +0900 *************** *** 16036,16042 **** --- 16036,16047 ---- && (mode_line_target != MODE_LINE_DISPLAY || it->current_x < it->last_visible_x)) { + /* Never change the value of LAST in this block. */ const unsigned char *last = this; + /* String data of ELT may be relocated. In such a case, + OFFSET can be used to make THIS correctly points into + the string data of ELT. */ + int offset = this - SDATA (elt); /* Advance to end of string or next format specifier. */ while ((c = *this++) != '\0' && c != '%') *************** *** 16171,16176 **** --- 16176,16182 ---- else /* c == 0 */ break; } + this = SDATA (elt) + offset + (this - last); } } break;

---
Kenichi Handa
handa@m17n.org
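Review bot: the new comment above `int offset = this - SDATA (elt);` (hunk 16036,16042) has a grammar slip, "make THIS correctly points into" should read "make THIS correctly point into", and it should also say why LAST must not change: once the string data has moved, LAST is a dangling pointer that is only safe to use in the `this - last` subtraction, never to dereference. Taking `offset` from `this` before the inner `while ((c = *this++) != '\0' && c != '%')` scan is the right spot, since that scan is what advances `this` within the block.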
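Review bot: the rebase `this = SDATA (elt) + offset + (this - last);` (hunk 16171,16176) only repairs `this`; `lisp_string` is initialised from the same SDATA (elt) before the loop, as the excerpt above shows, and it is the pointer the backtrace reports out of bounds, yet it is never recomputed. If `lisp_string` is used after display_string has run Lisp code it needs the same treatment, otherwise a comment should state why the stale value is harmless. Consider also rebasing immediately after the display_string call rather than at the end of the block, so that nothing between the call and this line can read `this` while it still points into the relocated data.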
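As an added illustration of the relocation problem the report describes (this is constructed example code, not Emacs source): `struct lstring`, `run_lisp` and the '%'-counting scanner are stand-ins for SDATA (elt), Lisp evaluation and the format-specifier loop. The naive scan keeps a raw pointer across a call that can move the string data and so counts specifiers from whatever now occupies the old block; the rebased scan keeps an offset, as the patch does, and lands on the right byte of the moved data.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for a Lisp string whose data block can move (hypothetical type). */
struct lstring { unsigned char *data; size_t len; };
static struct lstring make_lstring(const char *s) {   /* constructed input */
  struct lstring r = { malloc(strlen(s) + 1), strlen(s) };
  memcpy(r.data, s, r.len + 1);
  return r;
}
/* Stand-in for running Lisp code: GC moves the data and the old block gets
   reused (a run of '%'); old blocks stay mapped so the naive scan stays defined. */
static unsigned char *garbage[64]; static int ngarbage;
static void run_lisp(struct lstring *s) {
  unsigned char *fresh = malloc(s->len + 1);
  memcpy(fresh, s->data, s->len + 1);
  memset(s->data, '%', s->len);
  garbage[ngarbage++] = s->data;
  s->data = fresh;
}
static void release(struct lstring *s) {
  while (ngarbage > 0) free(garbage[--ngarbage]);
  free(s->data);
}
/* Buggy shape: THIS keeps pointing into the block run_lisp abandoned. */
static int count_specs_naive(const char *src) {
  struct lstring elt = make_lstring(src);
  const unsigned char *this = elt.data; int n = 0; unsigned char c;
  while (*this) {
    while ((c = *this++) != '\0' && c != '%') {}
    if (c != '%') break;
    n++; run_lisp(&elt);
  }
  release(&elt); return n;
}
/* Fixed as in the patch: keep an offset and rebase THIS after the data may move. */
static int count_specs_rebased(const char *src) {
  struct lstring elt = make_lstring(src);
  const unsigned char *this = elt.data; int n = 0; unsigned char c;
  while (*this) {
    const unsigned char *last = this;
    size_t offset = this - elt.data;
    while ((c = *this++) != '\0' && c != '%') {}
    if (c != '%') break;
    size_t advanced = this - last;     /* taken before the data can move */
    n++; run_lisp(&elt);
    this = elt.data + offset + advanced;
  }
  release(&elt); return n;
}
```

On the constructed input "a%b%c" the naive scan reports 4 specifiers and the rebased scan the correct 2; in real Emacs the old block is not kept mapped, which is why the report ends in SIGSEGV rather than a wrong count.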