From: Stefan Monnier
To: bug-gnu-emacs@gnu.org
Subject: 26.1; Fixnum overflow on dpyinfo->last_user_time
Date: Thu, 17 Oct 2019 12:25:43 -0400

I just got an assertion failure:

    lisp.h:1151: Emacs fatal error: assertion failed: !FIXNUM_OVERFLOW_P (n)

where the backtrace looks like:

    #0  0x0817867e in terminate_due_to_signal (sig=6, backtrace_limit=2147483647) at emacs.c:371
    #1  0x081edce8 in die (msg=0x82e20f1 "!FIXNUM_OVERFLOW_P (n)", file=0x82e2008 "lisp.h", line=1151) at alloc.c:7374
    #2  0x0813a4ee in make_fixnum (n=) at lisp.h:1152
    #3  0x0813bb41 in list2i (x=x@entry=1, y=) at lisp.h:3938
    #4  0x08148f7c in x_ewmh_activate_frame (f=f@entry=0x8d67980) at xterm.c:11614
    #5  0x0814906f in x_focus_frame (f=0x8d67980, noactivate=false) at xterm.c:11664

The relevant data being:

    (gdb) p dpyinfo->last_user_time
    $1 = 537117447
    (gdb)

which was passed to list2i via:

    x_send_client_event (frame, make_fixnum (0), frame,
                         dpyinfo->Xatom_net_active_window,
                         make_fixnum (32),
                         list2i (1, dpyinfo->last_user_time));

Obviously, on 64bit systems this is not a problem, but on 32bit systems such overflows can happen, as I just found out.

I changed `list2i` to use `make_int` instead of `make_fixnum` and it seems to have fixed the immediate problem, but the same problem showed up further down in make_lispy_position because the event's timestamp was similarly large.
So I'm now using the patch below, which seems "good enough", but I also see other places where we do:

    selection_data = list4 (selection_name, selection_value,
                            INT_TO_INTEGER (timestamp), frame);

so maybe we should be using `INT_TO_INTEGER` rather than `make_int`?

Now, AFAICT the exact value of those timestamps doesn't really matter, so rather than make_int we could use a wrap-around version of make_fixnum which truncates the higher bits instead of signaling an error on overflow.

        Stefan

diff --git a/src/keyboard.c b/src/keyboard.c index d07376e8bea..fef2c094f26 100644 --- a/src/keyboard.c +++ b/src/keyboard.c @@ -5301,7 +5301,7 @@ make_lispy_position (struct frame *f, Lisp_Object x, Lisp_Object y, Fcons (posn, Fcons (Fcons (make_fixnum (xret), make_fixnum (yret)), - Fcons (make_fixnum (t), + Fcons (make_int (t), extra_info)))); } @@ -5326,7 +5326,7 @@ static Lisp_Object make_scroll_bar_position (struct input_event *ev, Lisp_Object type) { return list5 (ev->frame_or_window, type, Fcons (ev->x, ev->y), - make_fixnum (ev->timestamp), + make_int (ev->timestamp), builtin_lisp_symbol (scroll_bar_parts[ev->part])); } @@ -5639,7 +5639,7 @@ make_lispy_event (struct input_event *event) position = list4 (event->frame_or_window, Qmenu_bar, Fcons (event->x, event->y), - make_fixnum (event->timestamp)); + make_int (event->timestamp)); return list2 (item, position); } diff --git a/src/lisp.h b/src/lisp.h index 66e631392e4..fd41b1b97b1 100644 --- a/src/lisp.h +++ b/src/lisp.h
@@ -3929,26 +3929,26 @@ extern void visit_static_gc_roots (struct gc_root_visitor visitor); INLINE Lisp_Object list1i (EMACS_INT x) { - return list1 (make_fixnum (x)); + return list1 (make_int (x)); } INLINE Lisp_Object list2i (EMACS_INT x, EMACS_INT y) { - return list2 (make_fixnum (x), make_fixnum (y)); + return list2 (make_int (x), make_int (y)); } INLINE Lisp_Object list3i (EMACS_INT x, EMACS_INT y, EMACS_INT w) { - return list3 (make_fixnum (x), make_fixnum (y), make_fixnum (w)); + return list3 (make_int (x), make_int (y), make_int (w)); } INLINE Lisp_Object list4i (EMACS_INT x, EMACS_INT y, EMACS_INT w, EMACS_INT h) { - return list4 (make_fixnum (x), make_fixnum (y), - make_fixnum (w), make_fixnum (h)); + return list4 (make_int (x), make_int (y), + make_int (w), make_int (h)); } extern Lisp_Object make_uninit_bool_vector (EMACS_INT);

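Review bot: make_int (t) in the make_lispy_position hunk only helps if t reaches make_int with its value intact; make_int takes a signed argument, so if t (and ev->timestamp and event->timestamp in the two following hunks) has an unsigned Time type, a value above the signed maximum is converted before make_int ever sees it. Suggest INT_TO_INTEGER (t), which the message itself notes is what the selection code already uses for its timestamp.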
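Review bot: the lisp.h hunk keeps the EMACS_INT parameters of list1i..list4i while switching their bodies to make_int, so a caller such as the list2i (1, dpyinfo->last_user_time) from the backtrace still has its argument converted to EMACS_INT at the call; any value outside that type's range has already changed before make_int runs, and the change makes the failure silent rather than fixing it. Widening the parameters to intmax_t covers signed callers; a caller passing an unsigned Time still needs its own conversion at the call site.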
To: Stefan Monnier
From: Paul Eggert
Subject: re: 26.1; Fixnum overflow on dpyinfo->last_user_time
Organization: UCLA Computer Science Department
Message-ID: <1d2e2e5b-150e-c634-aba1-a23d9c0ca313@cs.ucla.edu>
Date: Fri, 18 Oct 2019 13:33:06 -0700
Cc: 37795-done@debbugs.gnu.org

Thanks for reporting that. I installed the attached patches, which are along the lines that you suggested. They also fix a similar bug in xterm.c's x_ewmh_activate_frame.

> I also see other places where we do:
>
>     selection_data = list4 (selection_name, selection_value,
>                             INT_TO_INTEGER (timestamp), frame);
>
> so maybe we should be using `INT_TO_INTEGER` rather than `make_int`?

Yes for Time values, since Time might be (usually is?) unsigned and might exceed INTMAX_MAX. However, list1i etc. accept signed integers so make_int is fine for them. Changing list1i etc. to use intmax_t and make_int is a small performance hit in some cases, but is probably worth it given the reliability implications of ignoring integer overflow.

> AFAICT the exact value of those timestamps doesn't really matter,

Some Emacs code subtracts Time values and assumes wraparound overflow, so if we shoehorn them into fixnums we would need to take that into account. Probably better to leave things be.
Attachment: 0001-Fix-integer-overflow-bug-in-Time-conversion.patch

From a7478d4768081efe8abc787e250acfd231b738d2 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Fri, 18 Oct 2019 13:07:49 -0700
Subject: [PATCH 1/2] Fix integer-overflow bug in Time conversion

Problem reported by Stefan Monnier (Bug#37795).
* src/keyboard.c (make_lispy_position)
(make_scroll_bar_position, make_lispy_event):
* src/xterm.c (x_ewmh_activate_frame):
Use INT_TO_INTEGER to convert Time to a Lisp integer,
since the value might not be a fixnum.
---
 src/keyboard.c | 6 +++---
 src/xterm.c    | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/keyboard.c b/src/keyboard.c index d67d18a801..db583ec530 100644 --- a/src/keyboard.c +++ b/src/keyboard.c @@ -5242,7 +5242,7 @@ make_lispy_position (struct frame *f, Lisp_Object x, Lisp_Object y, Fcons (posn, Fcons (Fcons (make_fixnum (xret), make_fixnum (yret)), - Fcons (make_fixnum (t), + Fcons (INT_TO_INTEGER (t), extra_info)))); } @@ -5267,7 +5267,7 @@ toolkit_menubar_in_use (struct frame *f) make_scroll_bar_position (struct input_event *ev, Lisp_Object type) { return list5 (ev->frame_or_window, type, Fcons (ev->x, ev->y), - make_fixnum (ev->timestamp), + INT_TO_INTEGER (ev->timestamp), builtin_lisp_symbol (scroll_bar_parts[ev->part])); } @@ -5579,7 +5579,7 @@ make_lispy_event (struct input_event *event) position = list4 (event->frame_or_window, Qmenu_bar, Fcons (event->x, event->y), - make_fixnum (event->timestamp)); + INT_TO_INTEGER (event->timestamp)); return list2 (item, position); } diff --git a/src/xterm.c b/src/xterm.c index 5d8b1482a6..045589534f 100644 --- a/src/xterm.c +++ b/src/xterm.c
@@ -11589,7 +11589,8 @@ x_ewmh_activate_frame (struct frame *f) x_send_client_event (frame, make_fixnum (0), frame, dpyinfo->Xatom_net_active_window, make_fixnum (32), - list2i (1, dpyinfo->last_user_time)); + list2 (make_fixnum (1), + INT_TO_INTEGER (dpyinfo->last_user_time))); } } -- 2.21.0

Attachment: 0002-Generalize-list1i-etc.-to-all-signed-integer-types.patch

From c963f6b7bd4cfffd98894ea05220a6fb80abfb3e Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Fri, 18 Oct 2019 13:21:11 -0700
Subject: [PATCH 2/2] Generalize list1i etc. to all signed integer types

* src/lisp.h (list1i, list2i, list3i, list4i):
Accept intmax_t instead of EMACS_INT, and use make_int
instead of make_fixnum.  This should help avoid
integer-overflow problems akin to the Time bug (Bug#37795).
---
 src/lisp.h | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/src/lisp.h b/src/lisp.h index fe20add2d7..04fa1d64ea 100644 --- a/src/lisp.h +++ b/src/lisp.h
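Review bot: the three keyboard.c hunks of patch 1 apply INT_TO_INTEGER to t, ev->timestamp and event->timestamp, which is the right conversion only if each of those is declared with the unsigned Time type the commit message names; the hunks do not show the declarations, so confirm none is an intermediate EMACS_INT copy that has already lost the high bit before the conversion. (The `toolkit_menubar_in_use` shown in the second hunk header is only git's function-context guess for make_scroll_bar_position and needs no action.)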
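Review bot: in the xterm.c hunk of patch 1, INT_TO_INTEGER (dpyinfo->last_user_time) can now hand x_send_client_event a bignum on a 32-bit build, where the old list2i call aborted on the same value; check that x_send_client_event's conversion of its data list accepts a bignum and not only fixnums. A one-line comment saying why list2 with INT_TO_INTEGER is used instead of list2i (Time is unsigned and may exceed INTMAX_MAX, as the reply above states) would stop a later cleanup from re-simplifying it.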
@@ -3862,28 +3862,27 @@ #define pure_list(...) \ /* Build a frequently used 1/2/3/4-integer lists. */ INLINE Lisp_Object -list1i (EMACS_INT x) +list1i (intmax_t a) { - return list1 (make_fixnum (x)); + return list1 (make_int (a)); } INLINE Lisp_Object -list2i (EMACS_INT x, EMACS_INT y) +list2i (intmax_t a, intmax_t b) { - return list2 (make_fixnum (x), make_fixnum (y)); + return list2 (make_int (a), make_int (b)); } INLINE Lisp_Object -list3i (EMACS_INT x, EMACS_INT y, EMACS_INT w) +list3i (intmax_t a, intmax_t b, intmax_t c) { - return list3 (make_fixnum (x), make_fixnum (y), make_fixnum (w)); + return list3 (make_int (a), make_int (b), make_int (c)); } INLINE Lisp_Object -list4i (EMACS_INT x, EMACS_INT y, EMACS_INT w, EMACS_INT h) +list4i (intmax_t a, intmax_t b, intmax_t c, intmax_t d) { - return list4 (make_fixnum (x), make_fixnum (y), - make_fixnum (w), make_fixnum (h)); + return list4 (make_int (a), make_int (b), make_int (c), make_int (d)); } extern Lisp_Object make_uninit_bool_vector (EMACS_INT); -- 2.21.0

From: Debbugs Internal Request
Subject: Internal Control
Date: Sat, 16 Nov 2019 12:24:09 +0000

bug archived.
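Review bot: the lisp.h hunk of patch 2 mixes the intmax_t/make_int change with renaming the parameters x, y, w, h to a, b, c, d and reflowing the list4 call, which enlarges the diff for no behavioural reason; keep the type change on its own, or at least mention the rename in the commit message. Since the functions still take signed integers only, the comment in the hunk's context ("Build a frequently used 1/2/3/4-integer lists", which also needs "a" dropped) could say so, because an unsigned Time above INTMAX_MAX passed here is converted silently, which is exactly why patch 1 avoids list2i in xterm.c.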
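Added illustration, not code from the report or from Emacs, of the two points argued in the thread: the fixnum range of a 32-bit Emacs build, which the reported last_user_time of 537117447 just exceeds, and why wrapping Time values into fixnums would force the code that subtracts them to re-wrap the difference as well. FIXNUM_BITS = 30 and uint32_t for Time are assumptions; the timestamps are constructed.

```c
/* Added example, not Emacs code.  Models the ranges discussed in the bug:
   fixnums of a 32-bit Emacs build without wide ints (FIXNUM_BITS = 30,
   assumed here) and X11's Time, assumed to be an unsigned 32-bit counter.
   Timestamp values are constructed for illustration.  */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define FIXNUM_BITS 30
#define MOST_POSITIVE_FIXNUM ((INT32_C (1) << (FIXNUM_BITS - 1)) - 1)
#define MOST_NEGATIVE_FIXNUM (-1 - MOST_POSITIVE_FIXNUM)
typedef uint32_t Time;                  /* unsigned: wraps modulo 2^32 */

/* The check behind the assertion that fired; make_int / INT_TO_INTEGER
   build a bignum instead of aborting when it is true.  */
static bool fixnum_overflow_p (intmax_t n)
{
  return n < MOST_NEGATIVE_FIXNUM || n > MOST_POSITIVE_FIXNUM;
}

/* The "wrap-around make_fixnum" idea: keep the low FIXNUM_BITS bits and
   sign-extend, so every Time maps onto some fixnum.  */
static int32_t wrap_to_fixnum (Time t)
{
  uint32_t low = t & ((UINT32_C (1) << FIXNUM_BITS) - 1);
  return low > (uint32_t) MOST_POSITIVE_FIXNUM
         ? (int32_t) low - (INT32_C (1) << FIXNUM_BITS) : (int32_t) low;
}

/* How existing code measures elapsed time: unsigned subtraction, correct
   even when the counter has wrapped past 2^32.  */
static Time time_elapsed (Time later, Time earlier) { return later - earlier; }

/* The same subtraction on wrapped fixnums: plain signed subtraction is off
   by 2^FIXNUM_BITS once the stamps straddle a 30-bit wrap, so the
   difference itself must be re-wrapped modulo 2^FIXNUM_BITS.  */
static int32_t fixnum_elapsed_naive (int32_t later, int32_t earlier)
{
  return later - earlier;
}
static int32_t fixnum_elapsed_wrapped (int32_t later, int32_t earlier)
{
  return wrap_to_fixnum ((Time) later - (Time) earlier);
}

int main (void)
{
  Time earlier = MOST_POSITIVE_FIXNUM - 7, later = earlier + 16;  /* straddle */
  printf ("537117447 overflows: %d; elapsed Time %u, naive %d, wrapped %d\n",
          fixnum_overflow_p (537117447), time_elapsed (later, earlier),
          fixnum_elapsed_naive (wrap_to_fixnum (later), wrap_to_fixnum (earlier)),
          fixnum_elapsed_wrapped (wrap_to_fixnum (later), wrap_to_fixnum (earlier)));
  return 0;
}
```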