Subject: Status: emacs Lock-Up-Crash Bug report and patch
Date: Sun, 22 Jun 2025 07:04:14 +0000

retitle 32951 emacs Lock-Up-Crash Bug report and patch
reassign 32951 emacs
submitter 32951 Scott Corley
severity 32951 normal
thanks

From: Scott Corley
To: bug-gnu-emacs@gnu.org
Date: Fri, 5 Oct 2018 21:30:25 -0500
Subject: emacs Lock-Up-Crash Bug report and patch

If an emacs window exceeds 255 lines, it causes an unsigned char overflow in
scroll.c:do_direct_scrolling

The effect of this overflow is that do_direct_scrolling enters an infinite loop. This causes emacs to lock up in an unrecoverable way, and the process has to be killed.

This bug can be reproduced in a number of ways:

1. Open up emacs on a very large display and expand the emacs window so that it is larger than 255 lines. Do some editing, add text to the window, enough that do_direct_scrolling is invoked.

   For example, opening and editing emacs/INSTALL will eventually cause the lockup. You may need to navigate through the file and/or delete and edit some lines. Once the do_direct_scrolling function is invoked, it will enter an infinite loop and lock up emacs.

   (A new 43" monitor in portrait mode is how I first encountered this bug.) This happens in "-nw" mode and in X display mode.

2. If you don't have a large display, open up an X windows instance of emacs and decrease the font size until the window has more than 255 lines. Follow the editing example in (1) above, and emacs will lock up.

3. You can also reproduce in '-nw' mode on a normal size display by opening up a terminal window with a very small font size, enough to have more than 255 vertical lines.

I can reproduce the bug using all of these methods on these and similar systems:

   Red Hat Enterprise Linux Server Release 7.3 (Maipo)
   Intel Xeon CPU E5-2667 V3
   GNU Emacs 24.3.1
   GNU Emacs 27.0.50 (built from master)

   macOS Mojave
   2013 MacBook Pro
   Intel Core i7
   GNU Emacs 25.3.1

Cause of unsigned char overflow:

struct matrix_elt, used by do_direct_scrolling, in scroll.c, has three fields that are declared as unsigned char. It looks like they were previously declared as signed char, then changed to unsigned char, perhaps to fix a previous incarnation of this overflow.

The fields in question are 'insertcount', 'deletecount' and 'writecount'.

The patch below changes these fields to 'int'. The allocation of 'matrix_elt' is a small memory footprint (see allocation in scroll.c function 'scrolling_1'). I can't see a justification for keeping these fields 'unsigned char'.

On most systems, it is actually a challenge to create an emacs window larger than 255 lines, which is why I'm guessing this overflow hasn't come up before (I couldn't find a bug report mentioning it). However, on a system with a 4k display in portrait mode, it is pretty easy to accidentally create a window this large.

For example, if I am using a tmux display with a reasonably-sized pane on a 4k monitor in portrait mode, and I happen to zoom the tmux pane to full screen, the emacs window will now be larger than 255 lines, emacs will enter an infinite loop, and the process will need to be killed.

The overflow was confirmed by attaching to a crashed/looping emacs process with gdb, and stepping through the code, on different operating systems and machines.

Changelog:

2018-10-05   Scott Corley <scott@scorley.com>
* scroll.c (struct matrix_elt): change unsigned char fields to int
  fixes overflow lockup crash with window sizes > 255 lines.
Here is the patch:

--- src/scroll.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/scroll.c b/src/scroll.c index a29f2d37f5..240005b4e3 100644 --- a/src/scroll.c +++ b/src/scroll.c @@ -41,13 +41,13 @@ struct matrix_elt int deletecost; /* Number of inserts so far in this run of inserts, for the cost in insertcost. */ - unsigned char insertcount; + int insertcount; /* Number of deletes so far in this run of deletes, for the cost in deletecost. */ - unsigned char deletecount; + int deletecount; /* Number of writes so far since the last insert or delete for the cost in writecost. */ - unsigned char writecount; + int writecount; }; static void do_direct_scrolling (struct frame *,

--
Thanks,
Scott
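Review bot: widening insertcount, deletecount and writecount from unsigned char to int removes the modulo-256 wraparound, but the hunk leaves no record of why the width matters; the three field comments still say only "Number of inserts so far in this run of inserts". Suggest extending each comment in the same hunk, e.g. `/* Number of inserts so far in this run of inserts, for the cost in insertcost.  Bounded by the frame's line count, so it must not be a narrow type.  */`, so a later cleanup does not shrink the fields back. The neighbouring deletecost field visible in the context is already int, so the new type is consistent with the rest of the struct, and since the report says scrolling_1 sizes the allocation from the struct, no allocation change is needed; worth confirming before install that nothing else in scroll.c copies these counts into a narrower local.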
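As an added illustration (constructed for this note, not code from Emacs's scroll.c), a C model of how an unsigned char run counter wraps on a 256-line run and why a backward walk that jumps by that stored count then makes no progress, which is the lockup the report describes; the struct names, record_run_* and walk_back are assumptions, not names from Emacs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model for this note; it is not Emacs's scroll.c.  The
   two structs mirror the field widths before and after the patch: the
   run counters were unsigned char, the patch makes them int.  */
struct elt_before { int insertcost; unsigned char insertcount; };
struct elt_after  { int insertcost; int insertcount; };

/* Record a run of LINES consecutive inserts the way a matrix builder
   would, one increment per line, and return what the field holds.  */
static int record_run_before (unsigned lines)
{
  struct elt_before e = { 0, 0 };
  for (unsigned k = 0; k < lines; k++)
    e.insertcount++;   /* wraps modulo 256: defined C behaviour, no trap */
  return e.insertcount;
}

static int record_run_after (unsigned lines)
{
  struct elt_after e = { 0, 0 };
  for (unsigned k = 0; k < lines; k++)
    e.insertcount++;   /* int: holds any realistic line count */
  return e.insertcount;
}

/* Walk back from row LINES toward row 0 in jumps of COUNT, as a
   backward trace over a cost matrix does.  Returns the number of
   jumps, or -1 when a jump of 0 would leave the row unchanged, which
   is where an unguarded loop would spin forever.  */
static int walk_back (int lines, int count)
{
  int row = lines, jumps = 0;
  while (row > 0)
    {
      if (count <= 0)
        return -1;        /* no progress possible: the lockup case */
      row -= count;
      jumps++;
    }
  return jumps;
}

/* True when a frame of LINES rows makes the pre-patch layout lock up.  */
static bool locks_up_before (unsigned lines)
{
  return walk_back ((int) lines, record_run_before (lines)) < 0;
}

int main (void)
{
  for (unsigned lines = 254; lines <= 257; lines++)
    printf ("%u lines: stored %3d (unsigned char) / %3d (int), lockup=%d\n",
            lines, record_run_before (lines), record_run_after (lines),
            locks_up_before (lines));
  return 0;
}
```

In this model only a run whose length is a multiple of 256 stores zero and stalls the walk; other lengths over 255 store a wrong but nonzero count, so the wrap is silent there, which is one reason a defect like this can sit unnoticed until a display happens to hit the exact size.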
From: Paul Eggert
To: Scott Corley
Cc: 32951-done@debbugs.gnu.org
Organization: UCLA Computer Science Department
Date: Sun, 7 Oct 2018 00:14:33 -0700
Subject: Re: emacs Lock-Up-Crash Bug report and patch

Thanks for the bug report and fix. I verified that the patch fixes the lockup, installed the patch into the Emacs master branch, and am closing the bug report.

It might be a good idea to backport this to the emacs-26 branch, but that's Eli's call.

From: Eli Zaretskii
To: Paul Eggert
Cc: scott@scorley.com, 32951@debbugs.gnu.org, eggert@cs.ucla.edu
Date: Sun, 07 Oct 2018 17:39:10 +0300
Message-Id: <837eit254h.fsf@gnu.org>
Subject: Re: bug#32951: emacs Lock-Up-Crash Bug report and patch

> From: Paul Eggert
> Date: Sun, 7 Oct 2018 00:14:33 -0700
> Cc: 32951-done@debbugs.gnu.org
>
> Thanks for the bug report and fix. I verified that the patch fixes the lockup,
> installed the patch into the Emacs master branch, and am closing the bug report.
>
> It might be a good idea to backport this to the emacs-26 branch, but that's
> Eli's call.

It should have been installed on the emacs-26 branch to begin with. Thanks.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Mon, 05 Nov 2018 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks