GNU bug report logs - #3552
23.0.94; backward-prefix-chars: Point before start of properties
Reported by: bojohan+mail <at> dd.chalmers.se (Johan Bockgård)
Date: Sat, 13 Jun 2009 10:45:03 UTC
Severity: important
Tags: confirmed, patch
Merged with 17132, 19379
Found in versions 24.3.50, 24.5, 25.0.50, 25.0.94
Fixed in version 25.1
Done: Noam Postavsky <npostavs <at> users.sourceforge.net>
Bug is archived. No further changes may be made.
Report forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>: bug#3552; Package emacs. (Sat, 13 Jun 2009 10:45:03 GMT)
Acknowledgement sent to bojohan+mail <at> dd.chalmers.se (Johan Bockgård): New bug report received and forwarded. Copy sent to Emacs Bugs <bug-gnu-emacs <at> gnu.org>. (Sat, 13 Jun 2009 10:45:03 GMT)
Message #5 received at submit <at> emacsbugs.donarmstrong.com (full text, mbox):
emacs -Q /tmp/empty.pl
@x
C-M-b
=> error "Point before start of properties"
The syntax of "@" in perl-mode is `. p' (punctuation/prefix char).
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#3552; Package emacs. (Fri, 03 Jun 2016 03:35:01 GMT)
Message #8 received at 3552 <at> debbugs.gnu.org (full text, mbox):
found 3552 24.5
found 3552 25.0.94
tag 3552 + confirmed
quit
Still a problem with latest Emacs 25 pretest, and on Windows 8, Emacs
25.0.94 this actually crashes Emacs too.
bug Marked as found in versions 24.5. Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Fri, 03 Jun 2016 03:35:02 GMT)
bug Marked as found in versions 25.0.94. Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Fri, 03 Jun 2016 03:35:02 GMT)
Added tag(s) confirmed. Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Fri, 03 Jun 2016 03:35:02 GMT)
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#3552; Package emacs. (Sat, 04 Jun 2016 13:36:02 GMT)
Message #17 received at 3552 <at> debbugs.gnu.org (full text, mbox):
# bumping severity due to crash potential
severity 3352 important
tag 3352 + patch
quit
On Thu, Jun 2, 2016 at 11:34 PM, Noam Postavsky
<npostavs <at> users.sourceforge.net> wrote:
> Still a problem with latest Emacs 25 pretest, and on Windows 8, Emacs
> 25.0.94 this actually crashes Emacs too.
Running under valgrind I get "invalid read of size 1" in
Fbackward_prefix_chars on GNU/Linux as well (see below). I think this
is a long standing bug that allows reading from before beginning of
the buffer. It was introduced way back in 1998, 1fd3172dd4819
"(Fbackward_prefix_chars): Set point properly while scanning."
diff --git a/src/syntax.c b/src/syntax.c
index 4ac1c8d..0235767 100644
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -2174,12 +2174,16 @@ DEFUN ("backward-prefix-chars",
Fbackward_prefix_chars, Sbackward_prefix_chars,
DEC_BOTH (pos, pos_byte);
- while (pos + 1 > beg && !char_quoted (pos, pos_byte)
+ while (!char_quoted (pos, pos_byte)
/* Previous statement updates syntax table. */
&& ((c = FETCH_CHAR (pos_byte), SYNTAX (c) == Squote)
|| SYNTAX_PREFIX (c)))
{
- DEC_BOTH (pos, pos_byte);
+ opoint = pos;
+ opoint_byte = pos_byte;
+
+ if (pos + 1 > beg)
+ DEC_BOTH (pos, pos_byte);
}
SET_PT_BOTH (opoint, opoint_byte);
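Review bot: In the new loop body, `if (pos + 1 > beg)` guards only the `DEC_BOTH` and no longer ends the loop, so at `pos == beg` the test still passes, `pos` moves to `beg - 1`, and the `while` condition then evaluates `char_quoted (pos, pos_byte)` and `FETCH_CHAR (pos_byte)` one position before `beg`. The bound needs to terminate the loop before the decrement, for example by breaking out of the body when `pos <= beg`.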
The (pos + 1 > beg) check originally followed the decrementing of pos,
but after that commit the check came before (and also doesn't end the
loop anymore). Therefore, if (pos == beg), we decrement and then try
to look at the syntax of the character at position (beg-1). This may
segfault, or trigger the "point before start of properties" error in
update_interval (eventually called from char_quoted).
I propose the following patch be applied to the emacs-25 branch:
@@ -3109,8 +3109,9 @@ DEFUN ("backward-prefix-chars",
Fbackward_prefix_chars, Sbackward_prefix_chars,
opoint = pos;
opoint_byte = pos_byte;
- if (pos + 1 > beg)
- DEC_BOTH (pos, pos_byte);
+ DEC_BOTH (pos, pos_byte);
+ if (pos < beg)
+ break;
}
SET_PT_BOTH (opoint, opoint_byte);
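Review bot: `DEC_BOTH (pos, pos_byte)` still runs before the added `if (pos < beg)` test, so at `pos == beg` the position is stepped to `beg - 1` before the loop exits, and the follow-up message in this thread notes that DEC_BOTH itself reads from the buffer. Test the bound first and decrement only afterwards, so that nothing in the body touches a position below `beg`.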
This fixes the originally reported error, and the invalid read, cf the
valgrind output mentioned above:
==2557== Invalid read of size 1
==2557== at 0x56691D: Fbackward_prefix_chars (syntax.c:3113)
==2557== by 0x541543: Ffuncall (eval.c:2690)
==2557== by 0x5704D9: exec_byte_code (bytecode.c:880)
==2557== by 0x541151: funcall_lambda (eval.c:2855)
==2557== by 0x54167E: Ffuncall (eval.c:2742)
==2557== by 0x5704D9: exec_byte_code (bytecode.c:880)
==2557== by 0x541151: funcall_lambda (eval.c:2855)
==2557== by 0x54167E: Ffuncall (eval.c:2742)
==2557== by 0x53D941: Ffuncall_interactively (callint.c:252)
==2557== by 0x5414E2: Ffuncall (eval.c:2673)
==2557== by 0x53F07D: Fcall_interactively (callint.c:840)
==2557== by 0x54157F: Ffuncall (eval.c:2700)
==2557== Address 0x146aab9f is 1 bytes before a block of size 2,146 alloc'd
==2557== at 0x4C2CB1D: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==2557== by 0x527F90: lrealloc (alloc.c:1427)
==2557== by 0x529628: xrealloc (alloc.c:856)
==2557== by 0x4F837F: enlarge_buffer_text (buffer.c:4974)
==2557== by 0x4FB610: make_gap_larger (insdel.c:393)
==2557== by 0x4FB6D7: make_gap (insdel.c:491)
==2557== by 0x4FC5D7: insert_from_string_1 (insdel.c:926)
==2557== by 0x4FD157: insert_from_string (insdel.c:872)
==2557== by 0x535103: general_insert_function (editfns.c:2468)
==2557== by 0x53514C: Finsert (editfns.c:2504)
==2557== by 0x571D28: exec_byte_code (bytecode.c:1509)
==2557== by 0x541151: funcall_lambda (eval.c:2855)
Severity set to 'important' from 'normal'. Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Sat, 04 Jun 2016 14:02:01 GMT)
Added tag(s) patch. Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Sat, 04 Jun 2016 14:02:01 GMT)
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#3552; Package emacs. (Sat, 04 Jun 2016 15:23:01 GMT)
Message #24 received at 3552 <at> debbugs.gnu.org (full text, mbox):
On Sat, Jun 4, 2016 at 9:35 AM, Noam Postavsky
<npostavs <at> users.sourceforge.net> wrote:
> I propose the following patch be applied to the emacs-25 branch:
Sorry, that's not quite right, I didn't realize DEC_BOTH also reads
from the buffer, here is a patch that actually fixes the invalid read:
@@ -3109,8 +3109,10 @@ DEFUN ("backward-prefix-chars",
Fbackward_prefix_chars, Sbackward_prefix_chars,
opoint = pos;
opoint_byte = pos_byte;
- if (pos + 1 > beg)
+ if (pos > beg)
DEC_BOTH (pos, pos_byte);
+ else
+ break;
}
SET_PT_BOTH (opoint, opoint_byte);
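Review bot: The `if (pos > beg)` / `else break;` pair carries no comment saying why the bound has to be tested before `DEC_BOTH`, and the ordering is the whole fix. A one-line comment that the decrement itself touches buffer text would keep a later cleanup from moving it back, and the reproduction from the original report (`@x` in perl-mode, then C-M-b) would serve as a regression test for this path.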
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#3552; Package emacs. (Sat, 04 Jun 2016 17:56:01 GMT)
Message #27 received at 3552 <at> debbugs.gnu.org (full text, mbox):
> From: Noam Postavsky <npostavs <at> users.sourceforge.net>
> Date: Sat, 4 Jun 2016 11:22:23 -0400
>
> - if (pos + 1 > beg)
> + if (pos > beg)
> DEC_BOTH (pos, pos_byte);
> + else
> + break;
I would use
if (pos <= beg)
break;
DEC_BOTH (pos, pos_byte);
But I don't insist.
Thanks.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#3552; Package emacs. (Sat, 04 Jun 2016 21:26:01 GMT)
Message #30 received at 3552 <at> debbugs.gnu.org (full text, mbox):
On Sat, Jun 4, 2016 at 1:55 PM, Eli Zaretskii <eliz <at> gnu.org> wrote:
> I would use
>
> if (pos <= beg)
> break;
> DEC_BOTH (pos, pos_byte);
Oh yeah, that makes sense; parallels with the same check at the
beginning of the function. Full patch attached.
[0001-Fbackward_prefix_chars-stay-within-buffer-bounds.patch (text/x-diff, attachment)]
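The loop orderings discussed in this thread, as an added example that is not part of the original messages and is not code from Emacs's syntax.c: a constructed model of the backward scan in which every lookup outside the buffer is counted instead of performed. The names `is_prefix`, `scan_unchecked`, `scan_checked` and `run` are hypothetical, `'@'` stands in for a prefix-syntax character, and the entry check on `point` is an assumption based on the remark about "the same check at the beginning of the function".

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not Emacs code: text holds the buffer contents,
   valid positions are beg .. beg+len-1, and is_prefix() counts any
   lookup outside that range instead of dereferencing it. */
static const char *text;
static int beg, len, oob_reads, last_point;

static int is_prefix(int pos)
{
    if (pos < beg || pos >= beg + len) { oob_reads++; return 0; }
    return text[pos - beg] == '@';      /* '@' plays the prefix char */
}

/* Ordering from the first diff: the bound guards only the decrement,
   so the loop condition runs once more at beg-1. */
static int scan_unchecked(int point)
{
    int opoint = point, pos = point - 1;
    if (point <= beg) return point;     /* assumed entry check */
    while (is_prefix(pos)) {
        opoint = pos;
        if (pos + 1 > beg)
            pos--;
    }
    return opoint;
}

/* Ordering agreed in the thread: test the bound, then step back. */
static int scan_checked(int point)
{
    int opoint = point, pos = point - 1;
    if (point <= beg) return point;     /* assumed entry check */
    while (is_prefix(pos)) {
        opoint = pos;
        if (pos <= beg)
            break;
        pos--;
    }
    return opoint;
}

/* Scan s, whose first character sits at position start; returns the
   number of out-of-range lookups and leaves the result in last_point. */
static int run(int (*scan)(int), const char *s, int start, int point)
{
    text = s; beg = start; len = (int) strlen(s); oob_reads = 0;
    last_point = scan(point);
    return oob_reads;
}
```

Both orderings leave point in the same place; only the unchecked one looks at position `beg - 1`, and only when the prefix character is the first character of the buffer, as in the `@x` reproduction.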
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#3552; Package emacs. (Sun, 05 Jun 2016 10:00:02 GMT)
Message #33 received at 3552 <at> debbugs.gnu.org (full text, mbox):
> * src/syntax.c (Fbackward_prefix_chars): Stop the loop when beginning of
> buffer is reached (Bug #3552).
Make it
* src/syntax.c (Fbackward_prefix_chars): Stop the loop when beginning of
buffer is reached (Bug#3552, Bug#19379).
martin
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#3552; Package emacs. (Sun, 05 Jun 2016 13:36:02 GMT)
Message #36 received at 3552 <at> debbugs.gnu.org (full text, mbox):
forcemerge 3552 17132 19379
quit
On Sun, Jun 5, 2016 at 3:36 AM, martin rudalics <rudalics <at> gmx.at> wrote:
> Make it
>
> * src/syntax.c (Fbackward_prefix_chars): Stop the loop when beginning of
> buffer is reached (Bug#3552, Bug#19379).
Heh, seeing that I decided to search the bug database for
backwards-prefix-chars and found also Bug #17132. Updated patch
attached.
[0001-Fbackward_prefix_chars-stay-within-buffer-bounds.patch (text/x-diff, attachment)]
Forcibly Merged 3552 17132 19379. Request was from Noam Postavsky <npostavs <at> users.sourceforge.net> to control <at> debbugs.gnu.org. (Sun, 05 Jun 2016 13:37:01 GMT)
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#3552; Package emacs. (Thu, 16 Jun 2016 02:08:02 GMT)
Message #41 received at 3552 <at> debbugs.gnu.org (full text, mbox):
Is it okay to install this to emacs-25? While the bug is
long-standing, I think it's important enough to go in the release
since it can crash Emacs.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#3552; Package emacs. (Thu, 16 Jun 2016 15:05:02 GMT)
Message #44 received at 3552 <at> debbugs.gnu.org (full text, mbox):
> From: Noam Postavsky <npostavs <at> users.sourceforge.net>
> Date: Wed, 15 Jun 2016 22:07:43 -0400
> Cc: Eli Zaretskii <eliz <at> gnu.org>, 3552 <at> debbugs.gnu.org
>
> Is it okay to install this to emacs-25?
I was sure you already did.
Yes, please.
Reply sent to Noam Postavsky <npostavs <at> users.sourceforge.net>: You have taken responsibility. (Fri, 17 Jun 2016 03:22:02 GMT)
Notification sent to bojohan+mail <at> dd.chalmers.se (Johan Bockgård): bug acknowledged by developer. (Fri, 17 Jun 2016 03:22:02 GMT)
Message #49 received at 3552-done <at> debbugs.gnu.org (full text, mbox):
Version: 25.1
On Thu, Jun 16, 2016 at 11:05 AM, Eli Zaretskii <eliz <at> gnu.org> wrote:
>> From: Noam Postavsky <npostavs <at> users.sourceforge.net>
>> Date: Wed, 15 Jun 2016 22:07:43 -0400
>> Cc: Eli Zaretskii <eliz <at> gnu.org>, 3552 <at> debbugs.gnu.org
>>
>> Is it okay to install this to emacs-25?
>
> I was sure you already did.
>
> Yes, please.
Now pushed as b49cb0ab
Notification sent to Nicolas Richard <theonewiththeevillook <at> yahoo.fr>: bug acknowledged by developer. (Fri, 17 Jun 2016 03:22:03 GMT)
Reply sent to Noam Postavsky <npostavs <at> users.sourceforge.net>: You have taken responsibility. (Fri, 17 Jun 2016 03:22:03 GMT)
Notification sent to martin rudalics <rudalics <at> gmx.at>: bug acknowledged by developer. (Fri, 17 Jun 2016 03:22:03 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 15 Jul 2016 11:24:03 GMT)