From: bug#3772 <3772@debbugs.gnu.org>
To: bug#3772 <3772@debbugs.gnu.org>
Subject: Status: 23.0.95; Segmentation fault: ffap/image/C-x d
Date: Sun, 17 Aug 2025 16:10:48 +0000

retitle 3772 23.0.95; Segmentation fault: ffap/image/C-x d
reassign 3772 emacs
submitter 3772 jidanni@jidanni.org
severity 3772 normal
thanks

From: jidanni@jidanni.org
To: emacs-pretest-bug@gnu.org
Cc: rfrancoise@debian.org
Subject: 23.0.95; Segmentation fault: ffap/image/C-x d
Date: Tue, 07 Jul 2009 07:37:05 +0800
Message-ID: <87vdm55qou.fsf@jidanni.org>

1. Pick a large (16KB) .JPG from http://jidanni.org/geo/taipower/images/ , e.g.,
$ cd /tmp && wget \
 http://jidanni/jidanni.org/geo/taipower/images/19990716ab67wow.jpg
$ emacs-snapshot -Q /tmp/19990716ab67wow.jpg
M-x ffap-bindings
C-x d
Segfault... running again:
(gdb) run -Q /tmp/19990716ab67wow.jpg
Program received signal SIGSEGV, Segmentation fault.
0xb755b6b8 in bcopy () from /lib/i686/cmov/libc.so.6

>please include the output from the following gdb commands: `bt full' and `xbacktrace'.

(gdb) bt full
#0 0xb755b6b8 in bcopy () from /lib/i686/cmov/libc.so.6
#1 0x08170638 in ?? ()
No symbol table info available...
(gdb) xbacktrace
Undefined command: "xbacktrace". Try "help".

In GNU Emacs 23.0.95.1 (i486-pc-linux-gnu, GTK+ Version 2.16.4)
 of 2009-07-04 on elegiac, modified by Debian
(emacs-snapshot package, version 1:20090703-1)
Celeron(R) CPU 2.60GHz

From: Chong Yidong
To: Jason Rumney
Cc: jidanni@jidanni.org, 3772@debbugs.gnu.org
Subject: Re: 23.0.95; Segmentation fault: ffap/image/C-x d
Date: Tue, 07 Jul 2009 18:07:32 -0400
Message-ID: <87y6r0cfkr.fsf@stupidchicken.com>

> $ cd /tmp && wget \
> http://jidanni.org/geo/taipower/images/19990716ab67wow.jpg
> $ emacs-snapshot -Q /tmp/19990716ab67wow.jpg
> M-x ffap-bindings
> C-x d
> Segfault...

I can reproduce this. From bisecting prior revisions, I think the
problem first appeared with this change:

2009-03-24 Jason Rumney

    * fileio.c (Fsubstitute_in_file_name): Always work on a copy.
    Calculate total size precisely. Decode environment variables
    before substituting. (Bug#38)

If I revert this change---the CVS diff is shown below---then the problem
goes away. Though, with such memory problems, that's no guarantee that
this change is directly responsible for the bug.

Jason, could you quickly double-check this checkin? Thanks.

Index: fileio.c =================================================================== RCS file: /sources/emacs/emacs/src/fileio.c,v retrieving revision 1.650 retrieving revision 1.651 diff -c -r1.650 -r1.651 *** fileio.c 19 Mar 2009 06:26:07 -0000 1.650 --- fileio.c 24 Mar 2009 14:14:54 -0000 1.651 *************** *** 1629,1639 **** --- 1629,1642 ---- unsigned char *target = NULL; int total = 0; int substituted = 0; + int multibyte; unsigned char *xnm; Lisp_Object handler; CHECK_STRING (filename); + multibyte = STRING_MULTIBYTE (filename); + /* If the file name has special constructs in it, call the corresponding file handler. */ handler = Ffind_file_name_handler (filename, Qsubstitute_in_file_name); *************** *** 1641,1648 **** return call2 (handler, Qsubstitute_in_file_name, filename); nm = SDATA (filename); ! #ifdef DOS_NT nm = strcpy (alloca (strlen (nm) + 1), nm); CORRECT_DIR_SEPS (nm); substituted = (strcmp (nm, SDATA (filename)) != 0); #endif --- 1644,1654 ---- return call2 (handler, Qsubstitute_in_file_name, filename); nm = SDATA (filename); ! /* Always work on a copy of the string, in case GC happens during ! decode of environment variables, causing the original Lisp_String ! data to be relocated. */ nm = strcpy (alloca (strlen (nm) + 1), nm); + #ifdef DOS_NT CORRECT_DIR_SEPS (nm); substituted = (strcmp (nm, SDATA (filename)) != 0); #endif *************** *** 1655,1663 **** again. Important with filenames like "/home/foo//:/hello///there" which whould substitute to "/:/hello///there" rather than "/there". */ return Fsubstitute_in_file_name ! (make_specified_string (p, -1, endp - p, ! STRING_MULTIBYTE (filename))); ! /* See if any variables are substituted into the string and find the total length of their values in `total' */ --- 1661,1667 ---- again. Important with filenames like "/home/foo//:/hello///there" which whould substitute to "/:/hello///there" rather than "/there". */ return Fsubstitute_in_file_name ! 
(make_specified_string (p, -1, endp - p, multibyte)); /* See if any variables are substituted into the string and find the total length of their values in `total' */ *************** *** 1703,1710 **** /* Get variable value */ o = (unsigned char *) egetenv (target); if (o) ! { /* Eight-bit chars occupy upto 2 bytes in multibyte. */ ! total += strlen (o) * (STRING_MULTIBYTE (filename) ? 2 : 1); substituted = 1; } else if (*p == '}') --- 1707,1722 ---- /* Get variable value */ o = (unsigned char *) egetenv (target); if (o) ! { ! /* Don't try to guess a maximum length - UTF8 can use up to ! four bytes per character. This code is unlikely to run ! in a situation that requires performance, so decoding the ! env variables twice should be acceptable. Note that ! decoding may cause a garbage collect. */ ! Lisp_Object orig, decoded; ! orig = make_unibyte_string (o, strlen (o)); ! decoded = DECODE_FILE (orig); ! total += SBYTES (decoded); substituted = 1; } else if (*p == '}') *************** *** 1762,1782 **** *x++ = '$'; strcpy (x, target); x+= strlen (target); } - else if (STRING_MULTIBYTE (filename)) - { - /* If the original string is multibyte, - convert what we substitute into multibyte. */ - while (*o) - { - int c = *o++; - c = unibyte_char_to_multibyte (c); - x += CHAR_STRING (c, x); - } - } else { ! strcpy (x, o); ! x += strlen (o); } } --- 1774,1795 ---- *x++ = '$'; strcpy (x, target); x+= strlen (target); } else { ! Lisp_Object orig, decoded; ! int orig_length, decoded_length; ! orig_length = strlen (o); ! orig = make_unibyte_string (o, orig_length); ! decoded = DECODE_FILE (orig); ! decoded_length = SBYTES (decoded); ! strncpy (x, SDATA (decoded), decoded_length); ! x += decoded_length; ! ! /* If environment variable needed decoding, return value ! needs to be multibyte. */ ! if (decoded_length != orig_length ! || strncmp (SDATA (decoded), o, orig_length)) ! multibyte = 1; } } *************** *** 1789,1795 **** need to quote some $ to $$ first. */ xnm = p; ! 
return make_specified_string (xnm, -1, x - xnm, STRING_MULTIBYTE (filename)); badsubst: error ("Bad format environment-variable substitution"); --- 1802,1808 ---- need to quote some $ to $$ first. */ xnm = p; ! return make_specified_string (xnm, -1, x - xnm, multibyte); badsubst: error ("Bad format environment-variable substitution");

From: Chong Yidong
To: Jason Rumney
Cc: jidanni@jidanni.org, 3772-done@debbugs.gnu.org
Subject: Re: 23.0.95; Segmentation fault: ffap/image/C-x d
Date: Tue, 07 Jul 2009 18:29:09 -0400
Message-ID: <8763e4rutm.fsf@stupidchicken.com>

> I can reproduce this. From bisecting prior revisions, I think the
> problem first appeared with this change:
>
> 2009-03-24 Jason Rumney
>
>     * fileio.c (Fsubstitute_in_file_name): Always work on a copy.
>     Calculate total size precisely. Decode environment variables
>     before substituting. (Bug#38)

OK, I found the problem. The way the string data was copied was
incorrect:

  nm = SDATA (filename);
  nm = strcpy (alloca (strlen (nm) + 1), nm);

This should have been

  nm = (unsigned char *) alloca (SBYTES (filename) + 1);
  bcopy (SDATA (filename), nm, SBYTES (filename) + 1);

I've checked a fix into CVS.

From: $requester
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Wed, 05 Aug 2009 14:24:10 +0000
User-Agent: Fakemail v42.6.9

# A New Hope
# A long time ago, in a galaxy far, far away
# something happened.
#
# Magically this resulted in the following
# action being taken, but this fake control
# message doesn't tell you why it happened
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
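
Review bot: The copy made unconditional in the hunk at 1644-1654, `nm = strcpy (alloca (strlen (nm) + 1), nm);`, takes its size from strlen rather than from the Lisp string's byte count, so the buffer ends at the first NUL byte in the data even when the string is longer. Before this change the line was compiled only under DOS_NT; now every platform gets the short buffer. Size the alloca with SBYTES (filename) + 1 and copy that many bytes, which is the form the follow-up message in this thread gives.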
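
Review bot: In the hunk at 1707-1722, `total += SBYTES (decoded);` sizes the result from one DECODE_FILE call while the copy in the hunk at 1774-1795 decodes the variable a second time and writes `decoded_length` bytes, and nothing in the visible lines ties the two lengths together. The new comment already notes that decoding may cause a garbage collect; it should also state that both decodes are assumed to return the same number of bytes, or the second pass should check the remaining space before copying.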
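
Review bot: In the hunk at 1774-1795, `strncpy (x, SDATA (decoded), decoded_length);` is a fixed-length byte copy written with a string function: strncpy stops taking source bytes at the first NUL and zero-fills the remainder, while `x += decoded_length` advances by the full count either way. Since the length is already known from SBYTES (decoded), a plain byte copy (bcopy or memcpy) states the intent and does not depend on the decoded data being NUL-free.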
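
The difference between the two copies quoted in the last reply, as an added example that is not part of the thread or of Emacs. `struct counted_string` is a hypothetical stand-in for a Lisp string (data plus byte count), and the sample bytes are constructed on the assumption that the string data contains an embedded NUL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a Lisp string: bytes plus an explicit count,
   the roles SDATA and SBYTES play in the thread. Not Emacs code. */
struct counted_string {
    const unsigned char *data;
    size_t nbytes;              /* bytes in data, excluding the final NUL */
};

/* Buffer size the original copy allocates: strlen stops at the first NUL. */
size_t strlen_copy_size(const struct counted_string *s) {
    return strlen((const char *) s->data) + 1;
}

/* Buffer size the corrected copy allocates: the counted length plus NUL. */
size_t counted_copy_size(const struct counted_string *s) {
    return s->nbytes + 1;
}

/* Bytes by which code that trusts nbytes would run past a strlen-sized
   copy; 0 means that copy happens to be large enough. */
size_t overrun_bytes(const struct counted_string *s) {
    size_t have = strlen_copy_size(s), need = counted_copy_size(s);
    return need > have ? need - have : 0;
}

/* Corrected copy: size and fill by the counted length. Caller frees. */
unsigned char *copy_counted(const struct counted_string *s) {
    unsigned char *buf = malloc(s->nbytes + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, s->data, s->nbytes);
    buf[s->nbytes] = '\0';
    return buf;
}

/* Constructed samples: a plain name, and bytes with embedded NULs. */
static const unsigned char plain_bytes[] = "/tmp/a.jpg";
static const unsigned char binary_bytes[] = "\xff\xd8\xff\xe0\0\x10JFIF\0\x01";
const struct counted_string plain = { plain_bytes, sizeof plain_bytes - 1 };
const struct counted_string binary = { binary_bytes, sizeof binary_bytes - 1 };

int main(void) {
    printf("plain:  overrun %zu bytes\n", overrun_bytes(&plain));
    printf("binary: overrun %zu bytes\n", overrun_bytes(&binary));
    return 0;
}
```

For a NUL-free name the two sizes agree, which is why the strlen-based copy only fails on data like the second sample.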