From: Tom de Vries
Newsgroups: gmane.lisp.guile.bugs
Subject: bug#33044: Invalid read access of chars of wide string in scm_seed_to_random_state
Date: Mon, 15 Oct 2018 10:44:58 +0200
Message-ID: <469f2345-5e76-1fc5-1105-f1d508611140@suse.de>
To: 33044@debbugs.gnu.org

Hi,

Consider min.c:
...
#include <locale.h>
#include <stdio.h>
#include "libguile.h"
static void *
foo (void *data)
{
  return NULL;
}

int
main (void)
{
  const char *msg = setlocale (LC_CTYPE, "ja_JP.sjis");
  printf ("msg: %s\n", msg);
  scm_with_guile (foo, NULL);
  return 0;
}
...

Compiled with guile-2.2.4:
...
$ gcc min.c -I /home/vries/guile/tarball/guile-2.2.4 -lguile-2.2 -L /home/vries/guile/tarball/guile-2.2.4/libguile/.libs -Wl,-rpath=/home/vries/guile/tarball/guile-2.2.4/libguile/.libs -g
...

We run into a segfault:
...
$ ./a.out
msg: ja_JP.sjis
Segmentation fault (core dumped)
...

The backtrace as reported by gdb is:
...
#0  0x00007ffff7b649ba in scm_variable_ref (var=0x0) at variable.c:92
#1  0x00007ffff7b63868 in scm_throw (key=key@entry=0x7a9580, args=0x7b94c0) at throw.c:266
#2  0x00007ffff7b63e15 in scm_ithrow (key=key@entry=0x7a9580, args=, no_return=no_return@entry=1) at throw.c:611
#3  0x00007ffff7af51a5 in scm_error_scm (key=key@entry=0x7a9580, subr=, message=message@entry=0x7ba8e0, args=args@entry=0x7b9500, data=data@entry=0x4) at error.c:94
#4  0x00007ffff7af525f in scm_error (key=0x7a9580, subr=subr@entry=0x0, message=message@entry=0x7ffff7b93358 "Invalid read access of chars of wide string: ~s", args=0x7b9500, rest=rest@entry=0x4) at error.c:59
#5  0x00007ffff7af5642 in scm_misc_error (subr=subr@entry=0x0, message=message@entry=0x7ffff7b93358 "Invalid read access of chars of wide string: ~s", args=) at error.c:299
#6  0x00007ffff7b5aa9a in scm_i_string_chars (str=, str@entry=0x7ba900) at strings.c:571
#7  0x00007ffff7b3cef8 in scm_seed_to_random_state (seed=0x7ba900) at random.c:444
#8  0x00007ffff7b3ddaa in scm_init_random () at ../libguile/random.x:3
#9  0x00007ffff7b0eb41 in scm_i_init_guile (base=) at init.c:451
#10 0x00007ffff7b62128 in scm_i_init_thread_for_guile (base=0x7fffffffdb10, dynamic_state=0x0) at threads.c:586
#11 0x00007ffff7b62159 in with_guile (base=0x7fffffffdb10, data=0x7fffffffdb40) at threads.c:654
#12 0x00007ffff73a84a5 in GC_call_with_stack_base () from /usr/lib64/libgc.so.1
#13 0x00007ffff7b624a8 in scm_i_with_guile (dynamic_state=, data=, func=) at threads.c:704
#14 scm_with_guile (func=, data=) at threads.c:710
#15 0x0000000000400786 in main () at min.c:15
...

We see that the backtrace happens while handling an "Invalid read access of chars of wide string: ~s" error here:
...
const char *
scm_i_string_chars (SCM str)
{
  SCM buf;
  size_t start;
  get_str_buf_start (&str, &buf, &start);
  if (scm_i_is_narrow_string (str))
    return (const char *) STRINGBUF_CHARS (buf) + start;
  else
    scm_misc_error (NULL, "Invalid read access of chars of wide string: ~s",
                    scm_list_1 (str));
  return NULL;
}
...

What triggers the error is that here, we create a non-narrow string using scm_from_locale_string:
...
#8  0x00007ffff7b3ddaa in scm_init_random () at ../libguile/random.x:3
3       scm_var_random_state = scm_c_define ("*random-state*", scm_seed_to_random_state (scm_from_locale_string ("URL:http://stat.fsu.edu/~geo/diehard.html")));;
...
but then in scm_seed_to_random_state handle it like a narrow string by calling scm_i_string_chars:
...
#define FUNC_NAME s_scm_seed_to_random_state
{
  SCM res;
  if (SCM_NUMBERP (seed))
    seed = scm_number_to_string (seed, SCM_UNDEFINED);
  SCM_VALIDATE_STRING (1, seed);
  res = make_rstate (scm_c_make_rstate (scm_i_string_chars (seed),
                                        scm_i_string_length (seed)));
  scm_remember_upto_here_1 (seed);
  return res;
}
...

Thanks,
- Tom
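
An added illustration, not part of the original message and not Guile code: a self-contained C model of the failure reported above, where a caller asks for a char buffer that only narrow strings have, next to a seed derivation that works for either storage form by encoding code points as UTF-8. The names model_string, model_string_chars and model_seed_bytes are hypothetical, the input is constructed, and UTF-8 is an assumed choice rather than the fix adopted upstream.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a string with two storage forms: one byte per
   character ("narrow") or one 32-bit code point per character ("wide"). */
typedef struct {
  int wide;
  size_t len;                     /* length in characters */
  const unsigned char *narrow;    /* valid only when !wide */
  const uint32_t *wide_chars;     /* valid only when wide */
} model_string;

/* Same contract as the accessor in the report: only a narrow string has
   a char buffer.  NULL stands in for the error raised on a wide string. */
static const unsigned char *model_string_chars (const model_string *s)
{
  return s->wide ? NULL : s->narrow;
}

/* Seed bytes that do not depend on the storage form: every code point is
   encoded as UTF-8.  Returns a malloc'd buffer, byte count in *out_len. */
static unsigned char *model_seed_bytes (const model_string *s, size_t *out_len)
{
  unsigned char *out = malloc (s->len * 4 + 1);
  size_t n = 0;
  if (out == NULL)
    return NULL;
  for (size_t i = 0; i < s->len; i++) {
    uint32_t c = s->wide ? s->wide_chars[i] : s->narrow[i];
    if (c >= 0x10000) out[n++] = 0xF0 | (c >> 18);
    else if (c >= 0x800) out[n++] = 0xE0 | (c >> 12);
    else if (c >= 0x80) out[n++] = 0xC0 | (c >> 6);
    else { out[n++] = (unsigned char) c; continue; }
    if (c >= 0x10000) out[n++] = 0x80 | ((c >> 12) & 0x3F);
    if (c >= 0x800) out[n++] = 0x80 | ((c >> 6) & 0x3F);
    out[n++] = 0x80 | (c & 0x3F);
  }
  *out_len = n;
  return out;
}

int main (void)
{
  static const uint32_t w[] = { '~', 0x203E };   /* constructed input */
  model_string s = { 1, 2, NULL, w };
  size_t n = 0;
  unsigned char *b = model_seed_bytes (&s, &n);
  printf ("chars=%p seed_len=%zu\n", (const void *) model_string_chars (&s), n);
  free (b);
  return 0;
}
```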