GNU bug report logs - #6214
23.1; json-read-string crashes emacs with long string


Package: emacs;

Reported by: Carl Worth <cworth <at> cworth.org>

Date: Tue, 18 May 2010 16:36:01 UTC

Severity: normal

Found in version 23.1

Done: Chong Yidong <cyd <at> stupidchicken.com>

Bug is archived. No further changes may be made.

Full log


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Chong Yidong <cyd <at> stupidchicken.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#6214: closed (23.1; json-read-string crashes emacs with long string)
Date: Tue, 18 May 2010 18:08:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Tue, 18 May 2010 14:07:10 -0400
with message-id <87fx1pkrsh.fsf <at> stupidchicken.com>
and subject line Re: bug#6214: 23.1; json-read-string crashes emacs with long string
has caused the GNU bug report #6214,
regarding 23.1; json-read-string crashes emacs with long string
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
6214: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=6214
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Carl Worth <cworth <at> cworth.org>
To: bug-gnu-emacs <at> gnu.org
Cc: Notmuch mailing list <notmuch <at> notmuchmail.org>,
	Carl Worth <cworth <at> cworth.org>, Dirk Hohndel <hohndel <at> infradead.org>
Subject: 23.1; json-read-string crashes emacs with long string
Date: Tue, 18 May 2010 09:08:17 -0700
> Please describe exactly what actions triggered the bug
> and the precise symptoms of the bug:

A user of the emacs-based mail client, Notmuch [*], found that
attempting to display a particular message would consistently
cause a segmentation fault in emacs.

I tracked this down to calling `json-read-string' with a very long
string (roughly 1 million characters). Rather than including that
enormous string in this message, here's a little snippet of emacs lisp
that creates and reads such a string. So, if evaluated, this code should
trigger the segmentation fault (assuming a copy of GPLv3 exists at
/usr/share/emacs/23.1/etc/COPYING; adjust the filename if necessary).

;; Caution: Evaluating the block below has been known to crash emacs
(with-temp-buffer
  (require 'json)
  ;; First we just need a lot of text. 32 copies of GPLv3 seems to do it
  (dotimes (i 32)
    (insert-file "/usr/share/emacs/23.1/etc/COPYING"))
  ;; Now create a buffer with a json-encoded version of the text
  (let ((json-string (json-encode-string (buffer-string))))
    (with-temp-buffer
      (insert json-string)
      (goto-char (point-min))
      ;; And try to read the string. This triggers the segfault.
      (json-read-string))))

> If Emacs crashed, and you have the Emacs process in the gdb debugger,
> please include the output from the following gdb commands:
>    `bt full' and `xbacktrace'.

I haven't attempted to debug this within gdb yet (I'll have to get my
hands on a build of emacs with debugging symbols first). But I wanted to
share things right away, so that perhaps someone else could do further
debugging and follow up.

In the meantime, notmuch folks, if you've got a good idea for modifying
notmuch to avoid this bug I'd be glad to hear it. Adjust followups to
include the notmuch list and not the gnu.org bug address as appropriate.

-Carl

[*] http://notmuchmail.org

PS. Here are some of the details provided by `report-emacs-bug':

In GNU Emacs 23.1.1 (i486-pc-linux-gnu, GTK+ Version 2.18.2)
 of 2010-01-26 on raven, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10799001
configured using `configure  '--build=i486-linux-gnu' '--host=i486-linux-gnu' '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--with-pop=yes' '--enable-locallisppath=/etc/emacs23:/etc/emacs:/usr/local/share/emacs/23.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/23.1/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/23.1/leim' '--with-x=yes' '--with-x-toolkit=gtk' '--with-toolkit-scroll-bars' 'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g -O2' 'LDFLAGS=-g' 'CPPFLAGS=''

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: en_US.UTF-8
  value of $XMODIFIERS: nil
  locale-coding-system: utf-8-unix
  default-enable-multibyte-characters: t

-- 
carl.d.worth <at> intel.com


[Message part 3 (message/rfc822, inline)]
From: Chong Yidong <cyd <at> stupidchicken.com>
To: Carl Worth <cworth <at> cworth.org>
Cc: Notmuch mailing list <notmuch <at> notmuchmail.org>, 6214-done <at> debbugs.gnu.org,
	Dirk Hohndel <hohndel <at> infradead.org>
Subject: Re: bug#6214: 23.1; json-read-string crashes emacs with long string
Date: Tue, 18 May 2010 14:07:10 -0400
Carl Worth <cworth <at> cworth.org> writes:

> A user of the emacs-based mail client, Notmuch [*], found that
> attempting to display a particular message would consistently
> cause a segmentation fault in emacs.
>
> I haven't attempted to debug this within gdb yet, (I'll have to get my
> hands on a build of emacs with debugging symbols first). But I wanted to
> share things right away, so that perhaps someone else could do further
> debugging and follow up.

Looks like a stack overflow in the `string' function.  I've checked in a
fix, thanks for the bug report.
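The diagnosis above points at the C stack being exhausted while building the result string. The following is an added example, not code from the bug report or from Emacs's json.el; it assumes (as json.el of that era did, to my knowledge) that the reader collected characters into a list and then called `string' with one argument per character, and shows the alternative of passing that list as a single argument to `concat', so the length of the input never becomes an argument count. The names prefixed `my-' are hypothetical.

```elisp
;; Added example (not from the bug report or json.el): a JSON string reader
;; whose result is built with `concat' on a list of characters, so a
;; million-character literal never turns into a million-argument call.
(require 'json)   ; only for `json-encode-string' in the check below

(defun my-json-read-escape ()
  "Read one backslash escape at point and return the character it denotes."
  (forward-char)                          ; skip the backslash
  (let ((c (char-after)))
    (forward-char)
    (cond ((eq c ?u)                      ; \uXXXX: four hex digits
           (let ((code (string-to-number
                        (buffer-substring (point) (+ (point) 4)) 16)))
             (forward-char 4)
             code))
          ((eq c ?b) ?\b) ((eq c ?f) ?\f) ((eq c ?n) ?\n)
          ((eq c ?r) ?\r) ((eq c ?t) ?\t)
          ((memq c '(?\" ?\\ ?/)) c)
          (t (error "Invalid JSON escape \\%c" c)))))

(defun my-json-read-string ()
  "Read the JSON string literal at point and return its decoded value."
  (unless (eq (char-after) ?\")
    (error "Expected opening quote at %d" (point)))
  (forward-char)
  (let ((chars nil) c)
    (while (not (eq (setq c (char-after)) ?\"))
      (unless c (error "Unterminated JSON string"))
      (if (eq c ?\\)
          (push (my-json-read-escape) chars)
        (push c chars)
        (forward-char)))
    (forward-char)                        ; consume the closing quote
    ;; `concat' receives the whole list as ONE argument; `(apply 'string
    ;; chars)' would push one argument per character onto the C stack.
    (concat (nreverse chars))))

(defun my-json-roundtrip-check (n)
  "Encode a constructed N-character string (ending in a quote, a newline
and a backslash so escapes are exercised), decode it with
`my-json-read-string', and return t if it survives intact."
  (let* ((original (concat (make-string (- n 3) ?x) "\"\n\\"))
         (encoded (json-encode-string original)))
    (with-temp-buffer
      (insert encoded)
      (goto-char (point-min))
      (equal (my-json-read-string) original))))

;; Same order of magnitude as the input that crashed Emacs 23.1 above.
(my-json-roundtrip-check 1000000)
```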

