GNU bug report logs - #41936
28.0.50; AREF: assert that the index is inside bounds
Reported by: Tino Calancha <tino.calancha <at> gmail.com>
Date: Thu, 18 Jun 2020 20:13:02 UTC
Severity: normal
Found in version 28.0.50
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Report forwarded to eggert <at> cs.ucla.edu, eliz <at> gnu.org, uyennhi.qm <at> gmail.com, bug-gnu-emacs <at> gnu.org: bug#41936; Package emacs. (Thu, 18 Jun 2020 20:13:02 GMT)
Acknowledgement sent to Tino Calancha <tino.calancha <at> gmail.com>: New bug report received and forwarded. Copy sent to eggert <at> cs.ucla.edu, eliz <at> gnu.org, uyennhi.qm <at> gmail.com, bug-gnu-emacs <at> gnu.org.
Your message specified a Severity: in the pseudo-header, but the severity value wishlist,patch was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, serious, important, normal, minor, wishlist. (Thu, 18 Jun 2020 20:13:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Severity: wishlist,patch
X-Debbugs-Cc: Paul Eggert <eggert <at> cs.ucla.edu>, Eli Zaretskii <eliz <at> gnu.org>, <uyennhi.qm <at> gmail.com>
I was bitten by an out-of-bounds index at AREF while working
on a new feature.
A similar assert to the one we do in ASET would have allowed me
to diagnose the bug in minutes; instead, it took me
a few days to realize the bug.
Is it OK for you to add the following patch?
--8<-----------------------------cut here---------------start------------->8---
commit 8d904d41fcb8ef29ac8205761077a11f900916bc
Author: Tino Calancha <tino.calancha <at> gmail.com>
Date: Thu Jun 18 22:01:07 2020 +0200
AREF: assert that the index is inside bounds
* src/lisp.h (gc_asize): Move before first use.
(AREF): Assert the index is inside its bounds.
* test/manual/etags/c-src/emacs/src/lisp.h (AREF):
Same.
diff --git a/src/lisp.h b/src/lisp.h
index 3442699088..21722e4a78 100644
--- a/src/lisp.h
+++ b/src/lisp.h
@@ -1671,6 +1671,13 @@ ASIZE (Lisp_Object array)
return size;
}
+INLINE ptrdiff_t
+gc_asize (Lisp_Object array)
+{
+ /* Like ASIZE, but also can be used in the garbage collector. */
+ return XVECTOR (array)->header.size & ~ARRAY_MARK_FLAG;
+}
+
INLINE ptrdiff_t
PVSIZE (Lisp_Object pv)
{
@@ -1853,6 +1860,7 @@ bool_vector_set (Lisp_Object a, EMACS_INT i, bool b)
INLINE Lisp_Object
AREF (Lisp_Object array, ptrdiff_t idx)
{
+ eassert (0 <= idx && idx < gc_asize (array));
return XVECTOR (array)->contents[idx];
}
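Review bot: the new `+ eassert (0 <= idx && idx < gc_asize (array));` correctly uses gc_asize rather than ASIZE: AREF can run while the mark bit is set in header.size, and an unmasked size would make the check fail spuriously during collection. Worth stating in the commit message that eassert is only active when Emacs is configured with --enable-checking, so this catches out-of-bounds reads in checking builds and does not alter what a release build does on a bad index.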
@@ -1862,13 +1870,6 @@ aref_addr (Lisp_Object array, ptrdiff_t idx)
return & XVECTOR (array)->contents[idx];
}
-INLINE ptrdiff_t
-gc_asize (Lisp_Object array)
-{
- /* Like ASIZE, but also can be used in the garbage collector. */
- return XVECTOR (array)->header.size & ~ARRAY_MARK_FLAG;
-}
-
INLINE void
ASET (Lisp_Object array, ptrdiff_t idx, Lisp_Object val)
{
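Review bot: aref_addr, whose `return & XVECTOR (array)->contents[idx];` is visible in this hunk's leading context, gets no check while AREF now has one; it should assert `0 <= idx && idx <= gc_asize (array)`, with <= rather than < because forming a pointer one past the end of the contents is legitimate. The removal of gc_asize here is otherwise just the other half of the move in the first hunk.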
diff --git a/test/manual/etags/c-src/emacs/src/lisp.h b/test/manual/etags/c-src/emacs/src/lisp.h
index eceef4c00d..b2e32554c3 100644
--- a/test/manual/etags/c-src/emacs/src/lisp.h
+++ b/test/manual/etags/c-src/emacs/src/lisp.h
@@ -1478,6 +1478,7 @@ enum
INLINE Lisp_Object
AREF (Lisp_Object array, ptrdiff_t idx)
{
+ eassert (0 <= idx && idx < gc_asize (array));
return XVECTOR (array)->contents[idx];
}
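Review bot: this second file lives under test/manual/etags/c-src and is a fixture that the etags tests parse, not code that is compiled into Emacs, so the added eassert provides no checking there and can desynchronise the fixture from the expected etags output; this hunk should be dropped.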
--8<-----------------------------cut here---------------end--------------->8---
In GNU Emacs 28.0.50 (build 3, x86_64-pc-linux-gnu, GTK+ Version 3.24.5, cairo version 1.16.0)
of 2020-06-18 built on calancha-pc.dy.bbexcite.jp
Repository revision: ba450b6f462e278fcd3bc96c88f154fce219f5fc
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.12004000
System Description: Debian GNU/Linux 10 (buster)
Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>: You have taken responsibility. (Thu, 18 Jun 2020 21:07:01 GMT)
Notification sent to Tino Calancha <tino.calancha <at> gmail.com>: bug acknowledged by developer. (Thu, 18 Jun 2020 21:07:01 GMT)
Message #10 received at 41936-done <at> debbugs.gnu.org:
On 6/18/20 1:12 PM, Tino Calancha wrote:
> Is it OK for you to add the following patch?
Yes, good idea. I wondered a while ago (to myself) why AREF doesn't check
subscripts when Emacs is configured with --enable-checking. Now that I think
about it more, it's most likely because AREF was a macro and didn't want to
evaluate its index argument multiple times. We don't need to worry about that
any more.
aref_addr should have a similar check (off by one since one can address one past
the end of an array).
There's no need to change test/manual/etags/c-src/emacs/src/lisp.h as that's
just a data file (and changes can be harmful there as they can mess up the tests).
I installed the attached.
[0001-Check-AREF-and-aref_addr-subscripts.patch (text/x-patch, attachment)]
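As an added illustration of the two checks discussed in this thread, here is a small model of a checked element read versus a checked address computation, with the mark bit masked as gc_asize does. This is example code, not Emacs' src/lisp.h; the struct layout, field names, contents type and the mark-bit value are assumptions of the example.

```c
/* Added example, not Emacs' own code: a small model of the checked
   accessors discussed in this thread.  The struct layout, the
   mark-bit value and the names are assumptions of the example.  */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* The GC stores its mark bit in the header size word; any size read
   during collection must mask it off, which is what gc_asize does.  */
#define ARRAY_MARK_FLAG PTRDIFF_MIN
struct vec {
  ptrdiff_t header_size;   /* slot count, possibly with the mark bit set */
  intptr_t contents[8];    /* stand-in for Lisp_Object contents[] */
};

/* Constructed sample: three live slots, mark bit set as if mid-GC.  */
static const struct vec sample = { 3 | ARRAY_MARK_FLAG, { 10, 20, 30 } };

/* Like ASIZE, but also usable inside the garbage collector.  */
static inline ptrdiff_t
gc_asize (const struct vec *v)
{
  return v->header_size & ~ARRAY_MARK_FLAG;
}

/* AREF reads an element, so only 0 <= idx < size is in bounds.  */
static inline bool
aref_index_ok (const struct vec *v, ptrdiff_t idx)
{
  return 0 <= idx && idx < gc_asize (v);
}

/* aref_addr only forms a pointer, and one past the end is a valid C
   pointer, hence <= rather than <: the off-by-one noted in the reply.  */
static inline bool
aref_addr_index_ok (const struct vec *v, ptrdiff_t idx)
{
  return 0 <= idx && idx <= gc_asize (v);
}

/* As a function, AREF evaluates idx once, so the check may mention it
   twice without re-running side effects; a macro could not do this.  */
static inline intptr_t
AREF (const struct vec *v, ptrdiff_t idx)
{
  assert (aref_index_ok (v, idx));
  return v->contents[idx];
}
```

The masked size makes the assertion valid even when the sample's mark bit is set, while the address check accepts exactly one more index than the read check.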
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 17 Jul 2020 11:24:05 GMT)