Problem report #74

Problem report #74

[Dan Nicolaescu]

Some more problem reports have appeared due to a software upgrade.
Please take a look.


CID: 74
Checker: FORWARD_NULL (help)
File: base/src/emacs/src/lread.c
Function: readevalloop
Description: Variable "b" tracked as NULL was passed to a function
that dereferences it.


static void
1346 	readevalloop (readcharfun, stream, sourcename, evalfun,
1347 		      printflag, unibyte, readfun, start, end)
1348 	     Lisp_Object readcharfun;
1349 	     FILE *stream;
1350 	     Lisp_Object sourcename;
1351 	     Lisp_Object (*evalfun) ();
1352 	     int printflag;
1353 	     Lisp_Object unibyte, readfun;
1354 	     Lisp_Object start, end;
1355 	{
1356 	  register int c;
1357 	  register Lisp_Object val;
1358 	  int count = SPECPDL_INDEX ();
1359 	  struct gcpro gcpro1, gcpro2, gcpro3, gcpro4;
1360 	  struct buffer *b = 0;
1361 	  int bpos;
1362 	  int continue_reading_p;
1363 	  /* Nonzero if reading an entire buffer.  */
1364 	  int whole_buffer = 0;
1365 	  /* 1 on the first time around.  */
1366 	  int first_sexp = 1;
1367 	
1368 	  if (MARKERP (readcharfun))
1369 	    {
1370 	      if (NILP (start))
1371 		start = readcharfun;	
1372 	    }
1373 	
1374 	  if (BUFFERP (readcharfun))
1375 	    b = XBUFFER (readcharfun);
1376 	  else if (MARKERP (readcharfun))
1377 	    b = XMARKER (readcharfun)->buffer;
1378 	
1379 	  specbind (Qstandard_input, readcharfun); /* GCPROs readcharfun.  */
1380 	  specbind (Qcurrent_load_list, Qnil);
1381 	  record_unwind_protect (readevalloop_1, load_convert_to_unibyte ? Qt : Qnil);
1382 	  load_convert_to_unibyte = !NILP (unibyte);
1383 	
1384 	  readchar_backlog = -1;
1385 	
1386 	  GCPRO4 (sourcename, readfun, start, end);
1387 	
1388 	  LOADHIST_ATTACH (sourcename);
1389 	
1390 	  continue_reading_p = 1;

At conditional (15): "continue_reading_p != 0" taking true path

1391 	  while (continue_reading_p)
1392 	    {
1393 	      int count1 = SPECPDL_INDEX ();
1394 	

At conditional (16): "b != 0" taking false path

1395 	      if (b != 0 && NILP (b->name))
1396 		error ("Reading from killed buffer");
1397 	

At conditional (17): "start != Qnil" taking true path

1398 	      if (!NILP (start))
1399 		{
1400 		  /* Switch to the buffer we are reading from.  */
1401 		  record_unwind_protect (save_excursion_restore, save_excursion_save ());

Event var_deref_model: Variable "b" tracked as NULL was passed to a function that dereferences it. [model]
Also see events: [var_compare_op]

1402 		  set_buffer_internal (b);
1403 	
1404 		  /* Save point in it.  */
1405 		  record_unwind_protect (save_excursion_restore, save_excursion_save ());
1406 		  /* Save ZV in it.  */
1407 		  record_unwind_protect (save_restriction_restore, save_restriction_save ());
1408 		  /* Those get unbound after we read one expression.  */
1409 	
1410 		  /* Set point and ZV around stuff to be read.  */
1411 		  Fgoto_char (start);
1412 		  if (!NILP (end))
1413 		    Fnarrow_to_region (make_number (BEGV), end);
1414 	
1415 		  /* Just for cleanliness, convert END to a marker
1416 		     if it is an integer.  */
1417 		  if (INTEGERP (end))
1418 		    end = Fpoint_max_marker ();
1419 		}
1420 	
1421 	      /* On the first cycle, we can easily test here
1422 		 whether we are reading the whole buffer.  */

Event var_compare_op: Added "b" due to comparison "b != 0"
Also see events: [var_deref_model]
At conditional (1): "b != 0" taking false path

1423 	      if (b && first_sexp)
1424 		whole_buffer = (PT == BEG && ZV == Z);
1425 	
1426 	      instream = stream;
1427 	    read_next:
1428 	      c = READCHAR;

At conditional (2): "c == 59" taking false path

1429 	      if (c == ';')
1430 		{
1431 		  while ((c = READCHAR) != '\n' && c != -1);
1432 		  goto read_next;
1433 		}

At conditional (3): "c < 0" taking false path

1434 	      if (c < 0)
1435 		{
1436 		  unbind_to (count1, Qnil);
1437 		  break;
1438 		}
1439 	
1440 	      /* Ignore whitespace here, so we can detect eof.  */

At conditional (4): "c == 32" taking false path
At conditional (5): "c == 9" taking false path
At conditional (6): "c == 10" taking false path
At conditional (7): "c == 12" taking false path
At conditional (8): "c == 13" taking false path

1441 	      if (c == ' ' || c == '\t' || c == '\n' || c == '\f' || c == '\r')
1442 		goto read_next;
1443 	

At conditional (9): "Vpurify_flag != Qnil" taking true path
At conditional (10): "c == 40" taking true path

1444 	      if (!NILP (Vpurify_flag) && c == '(')
1445 		{
1446 		  record_unwind_protect (unreadpure, Qnil);
1447 		  val = read_list (-1, readcharfun);
1448 		}
1449 	      else
1450 		{
1451 		  UNREAD (c);
1452 		  read_objects = Qnil;
1453 		  if (!NILP (readfun))
1454 		    {
1455 		      val = call1 (readfun, readcharfun);
1456 	
1457 		      /* If READCHARFUN has set point to ZV, we should
1458 		         stop reading, even if the form read sets point
1459 			 to a different value when evaluated.  */
1460 		      if (BUFFERP (readcharfun))
1461 			{
1462 			  struct buffer *b = XBUFFER (readcharfun);
1463 			  if (BUF_PT (b) == BUF_ZV (b))
1464 			    continue_reading_p = 0;
1465 			}
1466 		    }
1467 		  else if (! NILP (Vload_read_function))
1468 		    val = call1 (Vload_read_function, readcharfun);
1469 		  else
1470 		    val = read_internal_start (readcharfun, Qnil, Qnil);
1471 		}
1472 	

At conditional (11): "start != Qnil" taking true path
At conditional (12): "continue_reading_p != 0" taking true path

1473 	      if (!NILP (start) && continue_reading_p)
1474 		start = Fpoint_marker ();
1475 	
1476 	      /* Restore saved point and BEGV.  */
1477 	      unbind_to (count1, Qnil);
1478 	
1479 	      /* Now eval what we just read.  */
1480 	      val = (*evalfun) (val);
1481 	

At conditional (13): "printflag != 0" taking true path

1482 	      if (printflag)
1483 		{
1484 		  Vvalues = Fcons (val, Vvalues);

At conditional (14): "Vstandard_output == Qt" taking true path

1485 		  if (EQ (Vstandard_output, Qt))
1486 		    Fprin1 (val, Qnil);
1487 		  else
1488 		    Fprint (val, Qnil);
1489 		}
1490 	
1491 	      first_sexp = 0;
1492 	    }
1493 	
1494 	  build_load_history (sourcename, 
1495 			      stream || whole_buffer);
1496 	
1497 	  UNGCPRO;
1498 	
1499 	  unbind_to (count, Qnil);
1500 	}

Re: Problem report #74

[Andreas Schwab]

Dan Nicolaescu <dann@ics.uci.edu> writes:

> At conditional (17): "start != Qnil" taking true path
>
> 1398 	      if (!NILP (start))
> 1399 		{
> 1400 		  /* Switch to the buffer we are reading from.  */
> 1401 		  record_unwind_protect (save_excursion_restore, save_excursion_save ());
>
> Event var_deref_model: Variable "b" tracked as NULL was passed to a function that dereferences it. [model]
> Also see events: [var_compare_op]

start is only non-nil iff readcharfun is a buffer, so this cannot happen.

Andreas.

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Problem report #74

[Stuart D. Herring]

> 1374 	  if (BUFFERP (readcharfun))
> 1375 	    b = XBUFFER (readcharfun);

> At conditional (16): "b != 0" taking false path

> At conditional (17): "start != Qnil" taking true path

readevalloop is only ever called with non-nil start when a buffer is
passed for readcharfun, so b will not be NULL then.  No bug, although the
function is somewhat fragile.  It's internal (static, even), so it's
probably okay.  But maybe a comment should be added, at least?  "If you
pass start!=Qnil, you must pass a buffer for readcharfun."

Davis

-- 
This product is sold by volume, not by mass.  If it appears too dense or
too sparse, it is because mass-energy conversion has occurred during
shipping.

Re: Problem report #74

[Richard Stallman]

      But maybe a comment should be added, at least?  "If you
    pass start!=Qnil, you must pass a buffer for readcharfun."

I added an abort and a comment.  Thanks.