GNU bug report logs - #23704
25.1.50; Emacs crash in syntax.c


Package: emacs;

Reported by: vincent.belaiche <at> gmail.com (Vincent Belaïche)

Date: Mon, 6 Jun 2016 05:27:02 UTC

Severity: normal

Tags: patch

Found in version 25.1.50

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: Eli Zaretskii <eliz <at> gnu.org>
To: Andreas Schwab <schwab <at> suse.de>
Cc: 23704 <at> debbugs.gnu.org, vincent.belaiche <at> gmail.com
Subject: bug#23704: 25.1.50; Emacs crash in syntax.c
Date: Mon, 06 Jun 2016 17:52:41 +0300
> From: Andreas Schwab <schwab <at> suse.de>
> Date: Mon, 06 Jun 2016 09:36:07 +0200
> Cc: 23704 <at> debbugs.gnu.org
> 
> > 2233                  if (! fastmap[SYNTAX (*p)])
> 
> I think I have seen a similar crash with the emacs-25 branch as well,
> but only once, and I couldn't reproduce it so far.

If my reading of the code is correct, we have pointers to buffer text
and the gap lying around, while invoking code that can GC (which
compacts buffers).  For example, the sequence of calls

   SETUP_SYNTAX_TABLE
    -> SETUP_BUFFER_SYNTAX_TABLE
        -> update_syntax_table_forward
           -> parse_sexp_propertize

could call Lisp, and that happens after we already computed the values
of p, endp, and stop.  Likewise the call to UPDATE_SYNTAX_TABLE_FORWARD
we make inside the loop.

If GC decides to compact the gap, it could well make a previously
valid pointer invalid.

Could that be the reason?
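
The hazard raised in this message, as an added example that is not part of the original e-mail and is not Emacs code: a toy C model in which the hypothetical `compact()` stands in for any callee that can trigger GC. Relocation is simulated with two static arenas (an assumption), so the stale read shows up as wrong data rather than a crash; all names here are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Toy model, NOT Emacs code: text lives in one of two arenas, and
   compact() moves it to the other, like GC relocating buffer text. */
struct buf { char *text; size_t len; };
static char arena_a[64], arena_b[64];

static void buf_init(struct buf *b, const char *s) {
    b->len = strlen(s);
    memcpy(arena_a, s, b->len);
    b->text = arena_a;
}

/* Stand-in for any callee that may run Lisp and trigger GC. */
static void compact(struct buf *b) {
    char *dst = (b->text == arena_a) ? arena_b : arena_a;
    memcpy(dst, b->text, b->len);
    memset(b->text, '#', b->len);   /* poison old storage so stale reads show */
    b->text = dst;
}

/* Hazardous shape: p and endp are computed once, then the callee runs. */
static size_t count_spaces_stale(struct buf *b) {
    const char *p = b->text, *endp = b->text + b->len;
    size_t n = 0;
    compact(b);                     /* p and endp now point at old storage */
    for (; p < endp; p++)
        n += (*p == ' ');
    return n;
}

/* Safer shape: carry an offset across the call, re-derive pointers after. */
static size_t count_spaces_rederived(struct buf *b) {
    size_t pos = 0, n = 0;
    while (pos < b->len) {
        compact(b);                 /* may relocate on every iteration */
        const char *p = b->text + pos;   /* recomputed from current base */
        n += (*p == ' ');
        pos++;
    }
    return n;
}
```

In the toy the old arena stays mapped, so the stale loop only miscounts; with real relocated buffer text the same pointers can reference memory that is no longer valid.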




This bug report was last modified 9 years and 41 days ago.
