GNU bug report logs - #24751
26.0.50; Regex stack overflow not detected properly (gets "Variable binding depth exceeds max-specpdl-size")

Previous Next

Package: emacs;

Reported by: npostavs <at> users.sourceforge.net

Date: Fri, 21 Oct 2016 03:54:01 UTC

Severity: normal

Tags: fixed, patch

Found in version 26.0.50

Fixed in version 26.1

Done: npostavs <at> users.sourceforge.net

Bug is archived. No further changes may be made.

Full log

Message #38 received at 24751 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: npostavs <at> users.sourceforge.net
Cc: 24751 <at> debbugs.gnu.org
Subject: Re: bug#24751: 26.0.50;
 Regex stack overflow not detected properly (gets "Variable binding
 depth exceeds max-specpdl-size")
Date: Thu, 17 Nov 2016 18:21:24 +0200

> From: npostavs <at> users.sourceforge.net
> Cc: 24751 <at> debbugs.gnu.org
> Date: Wed, 16 Nov 2016 18:25:22 -0500
> 
> One more question, is this comment (around line 1198) now obsolete?  (if
> not, it sounds like we might still have some serious problems)
> 
> /* Define MATCH_MAY_ALLOCATE unless we need to make sure that the
>    searching and matching functions should not call alloca.  On some
>    systems, alloca is implemented in terms of malloc, and if we're
>    using the relocating allocator routines, then malloc could cause a
>    relocation, which might (if the strings being searched are in the
>    ralloc heap) shift the data out from underneath the regexp
>    routines.
> 
>    Here's another reason to avoid allocation: Emacs
>    processes input from X in a signal handler; processing X input may
>    call malloc; if input arrives while a matching routine is calling
>    malloc, then we're scrod.  But Emacs can't just block input while
>    calling matching routines; then we don't notice interrupts when
>    they come in.  So, Emacs blocks input around all regexp calls
>    except the matching calls, which it leaves unprotected, in the
>    faith that they will not malloc.  */

The second part is obsolete: we no longer do anything significant from
a signal handler, we just set a flag.

The first part is not obsolete, but its reasoning is backwards:
SAFE_ALLOCA indeed can call malloc, but it could only cause relocation
if REGEX_MALLOC is defined (and ralloc.c is compiled in).  And when
you define REGEX_MALLOC, MATCH_MAY_ALLOCATE is undefined.  So the text
there should be revised.

> Also this one (around line 430)
> 
> /* Should we use malloc or alloca?  If REGEX_MALLOC is not defined, we
>    use `alloca' instead of `malloc'.  This is because using malloc in
>    re_search* or re_match* could cause memory leaks when C-g is used in
>    Emacs; also, malloc is slower and causes storage fragmentation.  On
>    the other hand, malloc is more portable, and easier to debug.
> 
>    Because we sometimes use alloca, some routines have to be macros,
>    not functions -- `alloca'-allocated space disappears at the end of the
>    function it is called in.  */

This is correct AFAIU, but perhaps it's worth adding that even if
SAFE_ALLOCA decides to call malloc, it takes care to set up
unwind-protect scheme that will free the allocated memory upon C-g (or
any other throw-type op), and avoid leaking memory.

Thanks.
This bug report was last modified 8 years and 213 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.