GNU bug report logs - #25816
Emacs xwidget GC issue with callback

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 25816 in the body.
You can then email your comments to 25816 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Emacs bug reports and feature requests <bug-gnu-emacs <at> gnu.org>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, Joakim Verona <joakim <at> verona.se>
Subject: Emacs xwidget GC issue with callback
Date: Mon, 20 Feb 2017 09:10:32 -0800

[Message part 1 (text/plain, inline)]

When configuring with --with-xwidgets --enable-check-lisp-object-type the Emacs 
build would fail due to a type confusion in src/xwidget.c, which I attempted to 
fix by installing the attached patch. However, as noted in the patch, this code 
appears to have a garbage-collection bug, as it converts a Lisp_Object to a C 
pointer and stores that pointer (for what appears to be an indefinite period of 
time) into a C object that the garbage collector does not know about. If 
garbage-collection reclaims the object before the callback is used, disaster can 
occur. As I don't know the lifetime of the C object I'm reluctant to try to fix 
this myself, so I'm filing this bug report in the hope that an xwidget expert 
can fix it.

[0001-Port-xwidget-to-DCHECK_LISP_OBJECT_TYPE.txt (text/plain, attachment)]

Message #8 received at 25816 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Schwab <schwab <at> linux-m68k.org>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, Joakim Verona <joakim <at> verona.se>,
 25816 <at> debbugs.gnu.org
Subject: Re: bug#25816: Emacs xwidget GC issue with callback
Date: Mon, 20 Feb 2017 19:01:51 +0100

On Feb 20 2017, Paul Eggert <eggert <at> cs.ucla.edu> wrote:

> @@ -714,8 +717,13 @@ argument procedure FUN.*/)
>    if (!NILP (fun) && !FUNCTIONP (fun))
>      wrong_type_argument (Qinvalid_function, fun);
>  
> -  void *callback = (FUNCTIONP (fun)) ?
> -    &webkit_javascript_finished_cb : NULL;
> +  GAsyncReadyCallback callback
> +    = FUNCTIONP (fun) ? webkit_javascript_finished_cb : NULL;
> +
> +  /* FIXME: This hack might lead to disaster if FUN is garbage
> +     collected before store_xwidget_js_callback_event makes it visible
> +     to Lisp again.  See the FIXME in webkit_javascript_finished_cb.  */
> +  gpointer callback_arg = (gpointer) (intptr_t) XLI (fun);

When --with-wide-int, EMACS_INT may be wider than a pointer, and this
discards the type bits.

Andreas.

-- 
Andreas Schwab, schwab <at> linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Message #11 received at 25816 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Andreas Schwab <schwab <at> linux-m68k.org>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, Joakim Verona <joakim <at> verona.se>,
 25816 <at> debbugs.gnu.org
Subject: Re: bug#25816: Emacs xwidget GC issue with callback
Date: Mon, 20 Feb 2017 13:05:35 -0800

[Message part 1 (text/plain, inline)]

Andreas Schwab wrote:
> When --with-wide-int, EMACS_INT may be wider than a pointer, and this
> discards the type bits.

Thanks, I installed the attached to document this limitation. Fixing the GC bug 
should remove the limitation.

[0001-Verify-xwidget-USE_LSB_TAG-assumption.patch (text/x-diff, attachment)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.