From: storm@cua.dk (Kim F. Storm)
Newsgroups: gmane.emacs.devel
Subject: Potential GC-related problems in compose_chars_in_text
Date: Mon, 12 Sep 2005 14:41:51 +0200
Original-To: Kenichi Handa
Cc: emacs-devel@gnu.org
In-Reply-To: (Kenichi Handa's message of "Mon, 12 Sep 2005 09:58:52 +0900")

The following code in compose_chars_in_text looks suspicious:

	  if (INTEGERP (val) && XFASTINT (val) == start)
	    {
	      to = Fmatch_end (make_number (0));
	      val = call4 (XCDR (elt), val, to, XCAR (elt), string);
	      if (INTEGERP (val) && XINT (val) > 1)
		{
		  start += XINT (val);
		  if (STRINGP (string))
		    ptr = SDATA (string) + string_char_to_byte (string, start);
		  else
		    ptr = CHAR_POS_ADDR (start);
		}
	      else
		{
		  start++;
		  ptr += len;

>>>> if string is non-nil, and call4 did GC, then ptr may no longer
>>>> point into "string".

		}
	      break;

Likewise, the `pend' pointer may no longer be valid for the same
reason -- on both branches of the above code!!.

Furthermore, the initialization of pend seems bogus too:

      ptr = SDATA (string) + string_char_to_byte (string, start);
      pend = ptr + SBYTES (string);

Shouldn't that be

      pend = SDATA (string) + SBYTES (string);

Here is a patch (untested):

*** composite.c 14 Aug 2005 14:47:27 +0200 1.35 --- composite.c 12 Sep 2005 14:40:52 +0200 *************** *** 616,622 **** GCPRO1 (string); stop = end; ptr = SDATA (string) + string_char_to_byte (string, start); ! pend = ptr + SBYTES (string); } else { --- 616,622 ---- GCPRO1 (string); stop = end; ptr = SDATA (string) + string_char_to_byte (string, start); ! pend = SDATA (string) + SBYTES (string); } else { *************** *** 680,689 **** { start += XINT (val); if (STRINGP (string)) ! ptr = SDATA (string) + string_char_to_byte (string, start); else ptr = CHAR_POS_ADDR (start); } else { start++; --- 680,698 ---- { start += XINT (val); if (STRINGP (string)) ! { ! 
ptr = SDATA (string) + string_char_to_byte (string, start); ! pend = SDATA (string) + SBYTES (string); ! } else ptr = CHAR_POS_ADDR (start); } + else if (STRINGP (string)) + { + start++; + ptr = SDATA (string) + string_char_to_byte (string, start); + pend = SDATA (string) + SBYTES (string); + } else { start++; -- Kim F. Storm http://www.cua.dk
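
Review bot: In the first hunk (the 616,622 region), nothing at the initialization site records why ptr and pend cannot be trusted across a call into Lisp. GCPRO1 (string) keeps the string object alive, but as the message points out a GC during call4 can leave ptr no longer pointing into the string, so both are raw pointers that must be re-derived afterwards. A short comment here saying that, and that pend is the end of the string data, would keep a later edit from reintroducing `pend = ptr + SBYTES (string);`, which put the limit string_char_to_byte (string, start) bytes past the end of the data. Since the patch is marked untested, a test that runs the string path with start greater than zero would cover this line.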
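
Review bot: In the second hunk (the 680,698 region), pend is refreshed only on the STRINGP paths; the buffer paths (`else ptr = CHAR_POS_ADDR (start);` and the final `else { start++;`) keep the pend computed before call4. If the function called through call4 can change or move buffer text, pend needs recomputing there as well; if it cannot, a comment saying so would settle the question for the next reader. The pair that sets ptr from string_char_to_byte and pend from SDATA (string) + SBYTES (string) now appears twice in this hunk and once more at initialization, so a small macro or helper that sets both together would keep the three copies from drifting apart.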
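
The stale-pointer pattern the message describes, as an added example that is not part of the original message or of Emacs: a scan that carries only a byte offset across a call that may move the data, then re-derives both the cursor and the limit. The names toy_string, toy_init, toy_call_that_may_gc and toy_count_from are hypothetical, and the relocation is simulated with malloc and free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in (assumption) for a Lisp string whose bytes GC may move. */
struct toy_string { unsigned char *data; size_t nbytes; };

static int toy_init(struct toy_string *s, const char *text) {
    s->nbytes = strlen(text);
    s->data = malloc(s->nbytes + 1);
    if (s->data == NULL) return -1;
    memcpy(s->data, text, s->nbytes + 1);
    return 0;
}

/* Stand-in for a call that can GC: the bytes move to a fresh block and
   the old block is freed, so every raw pointer into it is now stale. */
static int toy_call_that_may_gc(struct toy_string *s) {
    unsigned char *moved = malloc(s->nbytes + 1);
    if (moved == NULL) return -1;
    memcpy(moved, s->data, s->nbytes + 1);
    free(s->data);
    s->data = moved;
    return 0;
}

/* Count ch from byte offset off to the end.  Only the offset is carried
   across the call; pend is data + nbytes, never ptr + nbytes. */
static long toy_count_from(struct toy_string *s, size_t off, unsigned char ch) {
    long hits = 0;
    if (off > s->nbytes) return -1;          /* start past the end */
    const unsigned char *ptr = s->data + off;
    const unsigned char *pend = s->data + s->nbytes;
    while (ptr < pend) {
        if (*ptr == ch) hits++;
        off++;
        if (toy_call_that_may_gc(s) != 0) return -1;
        ptr = s->data + off;                 /* re-derive both pointers */
        pend = s->data + s->nbytes;
    }
    return hits;
}

int main(void) {
    struct toy_string s;
    if (toy_init(&s, "a-b-a-a") != 0) return 1;   /* constructed sample */
    printf("%ld\n", toy_count_from(&s, 2, 'a'));
    free(s.data);
    return 0;
}
```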