bug-gnu-emacs

bug#40661: Crash in regex search during redisplay


From: Richard Copley
Subject: bug#40661: Crash in regex search during redisplay
Date: Thu, 16 Apr 2020 15:35:20 +0100

Recipe from emacs -Q:

    Save the text below in a file with extension ".pl".
    Repeatedly: kill the buffer and visit the file again. (You can use C-x C-v for this.)

Emacs eventually encounters a segfault. Backtrace below.

The text is reduced from a real program that exhibited the problem.
Repeating up to about 20 times is usually enough. You can use a
keyboard macro, [C-x ( C-x C-v RET C-x e e e e e], holding down the
'e' key until you get the crash.

This affects both the master branch and the release branch. Bisected
to this commit:

    938d252d1c6c5e2027aa250c649deb024154f936
    Commit:     Daniel Colascione <dancol@dancol.org>
    CommitDate: Sat Jun 16 13:46:38 2018 -0700

    Make regex matching reentrant; update syntax during match

BEGIN TEXT
use strict;

000000000000000000000000000000000000000000000000000000; # x

sub x { }

000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
0000000000000000000000000000000;

"", @x;
"";

eval {
    use autodie qw(:all);
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000000000000000000000000000000000000000000;
000000000000000000000;
};
END TEXT

Thread 1 received signal SIGSEGV, Segmentation fault.
rpl_re_search_2 (bufp=<optimized out>, bufp@entry=0x4005f3238
<searchbufs+5432>, str1=str1@entry=0x90307fd <error: Cannot access
memory at address 0x90307fd>, size1=<optimized out>, size1@entry=0,
str2=str2@entry=0x90307fd <error: Cannot access memory at address
0x90307fd>, size2=size2@entry=2051, startpos=502, startpos@entry=10,
range=1, regs=0x400534598 <main_thread+152>, stop=503) at
regex-emacs.c:3394
3394                  int len = BYTES_BY_CHAR_HEAD (*p);

(gdb) bt
#0  rpl_re_search_2 (bufp=<optimized out>, bufp@entry=0x4005f3238
<searchbufs+5432>, str1=str1@entry=0x90307fd <error: Cannot access
memory at address 0x90307fd>, size1=<optimized out>, size1@entry=0,
str2=str2@entry=0x90307fd <error: Cannot access memory at address
0x90307fd>, size2=size2@entry=2051, startpos=502, startpos@entry=10,
range=1, regs=0x400534598 <main_thread+152>, stop=503) at
regex-emacs.c:3394
#1  0x00000004000ea2c2 in search_buffer_re
(string=string@entry=XIL(0x48dc3e4), pos=pos@entry=11,
pos_byte=<optimized out>, pos_byte@entry=11, lim=lim@entry=504,
lim_byte=lim_byte@entry=504, n=n@entry=1, trt=trt@entry=XIL(0),
inverse_trt=inverse_trt@entry=XIL(0), posix=posix@entry=false) at
search.c:1233
#2  0x00000004000ee0b1 in search_buffer
(string=string@entry=XIL(0x48dc3e4), pos=11, pos_byte=11,
lim=lim@entry=504, lim_byte=lim_byte@entry=504, n=n@entry=1,
RE=RE@entry=1, trt=XIL(0), inverse_trt=XIL(0),
posix=posix@entry=false) at search.c:1505
#3  0x00000004000ee2a8 in search_command (string=XIL(0x48dc3e4),
bound=<optimized out>, noerror=XIL(0x30), count=<optimized out>,
direction=direction@entry=1, RE=RE@entry=1, posix=posix@entry=false)
at lisp.h:1409
#4  0x00000004000ee425 in Fre_search_forward (regexp=<optimized out>,
bound=<optimized out>, noerror=<optimized out>, count=<optimized out>)
at search.c:2276
#5  0x0000000400120277 in funcall_subr (subr=0x400540540
<Sre_search_forward>, numargs=numargs@entry=3,
args=args@entry=0xbf8938) at eval.c:2875
#6  0x000000040011f052 in Ffuncall (nargs=4, args=args@entry=0xbf8930)
at lisp.h:2113
#7  0x0000000400157ccc in exec_byte_code (bytestr=<optimized out>,
vector=<optimized out>, maxdepth=<optimized out>,
args_template=args_template@entry=make_fixnum(770),
nargs=nargs@entry=3, args=<optimized out>, args@entry=0xbf8d00) at
bytecode.c:633
#8  0x00000004001214f3 in funcall_lambda (fun=XIL(0x3f61f25),
nargs=nargs@entry=3, arg_vector=arg_vector@entry=0xbf8d00) at
lisp.h:1862
#9  0x000000040011f062 in Ffuncall (nargs=4, args=args@entry=0xbf8cf8)
at eval.c:2796
#10 0x0000000400157ccc in exec_byte_code (bytestr=<optimized out>,
vector=<optimized out>, maxdepth=<optimized out>,
args_template=args_template@entry=make_fixnum(771),
nargs=nargs@entry=3, args=<optimized out>, args@entry=0xbf8fc8) at
bytecode.c:633
#11 0x00000004001214f3 in funcall_lambda (fun=XIL(0x3f61a65),
nargs=nargs@entry=3, arg_vector=arg_vector@entry=0xbf8fc8) at
lisp.h:1862
#12 0x000000040011f062 in Ffuncall (nargs=4, args=args@entry=0xbf8fc0)
at eval.c:2796
#13 0x0000000400157ccc in exec_byte_code (bytestr=<optimized out>,
vector=<optimized out>, maxdepth=<optimized out>,
args_template=args_template@entry=make_fixnum(770),
nargs=nargs@entry=2, args=<optimized out>, args@entry=0xbf91c8) at
bytecode.c:633
#14 0x00000004001214f3 in funcall_lambda (fun=XIL(0x3f61995),
nargs=nargs@entry=2, arg_vector=arg_vector@entry=0xbf91c8) at
lisp.h:1862
#15 0x000000040011f062 in Ffuncall (nargs=3, args=args@entry=0xbf91c0)
at eval.c:2796
#16 0x0000000400157ccc in exec_byte_code (bytestr=<optimized out>,
vector=<optimized out>, maxdepth=<optimized out>,
args_template=args_template@entry=make_fixnum(257),
nargs=nargs@entry=1, args=<optimized out>, args@entry=0xbf9618) at
bytecode.c:633
#17 0x00000004001214f3 in funcall_lambda (fun=XIL(0x8c7d7d5),
nargs=nargs@entry=1, arg_vector=arg_vector@entry=0xbf9618) at
lisp.h:1862
#18 0x000000040011f062 in Ffuncall (nargs=2, args=args@entry=0xbf9610)
at eval.c:2796
#19 0x000000040011f16a in run_hook_wrapped_funcall (nargs=<optimized
out>, args=0xbf9610) at eval.c:2531
#20 0x000000040011e89c in run_hook_with_args (nargs=2, args=0xbf9610,
funcall=funcall@entry=0x40011f14e <run_hook_wrapped_funcall>) at
eval.c:2612
#21 0x000000040011e9d6 in Frun_hook_wrapped (nargs=<optimized out>,
args=<optimized out>) at eval.c:2546
#22 0x00000004001201f2 in funcall_subr (subr=0x400543f00
<Srun_hook_wrapped>, numargs=numargs@entry=2,
args=args@entry=0xbf9610) at eval.c:2847
#23 0x000000040011f052 in Ffuncall (nargs=3, args=args@entry=0xbf9608)
at lisp.h:2113
#24 0x0000000400157ccc in exec_byte_code (bytestr=<optimized out>,
vector=<optimized out>, maxdepth=<optimized out>,
args_template=args_template@entry=make_fixnum(514),
nargs=nargs@entry=2, args=<optimized out>, args@entry=0xbf98a0) at
bytecode.c:633
#25 0x00000004001214f3 in funcall_lambda (fun=XIL(0x400ce1d),
nargs=nargs@entry=2, arg_vector=arg_vector@entry=0xbf98a0) at
lisp.h:1862
#26 0x000000040011f062 in Ffuncall (nargs=3, args=args@entry=0xbf9898)
at eval.c:2796
#27 0x0000000400157ccc in exec_byte_code (bytestr=<optimized out>,
vector=<optimized out>, maxdepth=<optimized out>,
args_template=args_template@entry=make_fixnum(512),
nargs=nargs@entry=2, args=<optimized out>, args@entry=0xbf9c08) at
bytecode.c:633
#28 0x00000004001214f3 in funcall_lambda (fun=XIL(0x400cb2d),
nargs=nargs@entry=2, arg_vector=arg_vector@entry=0xbf9c08) at
lisp.h:1862
#29 0x000000040011f062 in Ffuncall (nargs=3, args=args@entry=0xbf9c00)
at eval.c:2796
#30 0x0000000400157ccc in exec_byte_code (bytestr=<optimized out>,
vector=<optimized out>, maxdepth=<optimized out>,
args_template=args_template@entry=make_fixnum(257),
nargs=nargs@entry=1, args=<optimized out>, args@entry=0xbf9eb8) at
bytecode.c:633
#31 0x00000004001214f3 in funcall_lambda (fun=XIL(0x400c775),
nargs=nargs@entry=1, arg_vector=arg_vector@entry=0xbf9eb8) at
lisp.h:1862
#32 0x000000040011f062 in Ffuncall (nargs=2, args=0xbf9eb0) at eval.c:2796
#33 0x000000040011e5eb in internal_condition_case_n (bfun=0x40011ee70
<Ffuncall>, nargs=nargs@entry=2, args=args@entry=0xbf9eb0,
handlers=handlers@entry=XIL(0x30), hfun=hfun@entry=0x40002c8ba
<safe_eval_handler>) at eval.c:1435
#34 0x000000040001a09b in safe__call
(inhibit_quit=inhibit_quit@entry=false, nargs=nargs@entry=2,
func=XIL(0xfffffffc03a118a0), ap=<optimized out>, ap@entry=0xbf9f50
"\006") at lisp.h:1042
#35 0x0000000400028a8a in safe_call (nargs=nargs@entry=2,
func=<optimized out>) at xdisp.c:2841
#36 0x0000000400028aa3 in safe_call1 (fn=<optimized out>,
arg=arg@entry=make_fixnum(1)) at xdisp.c:2852
#37 0x0000000400028ccf in handle_fontified_prop (it=0xbfa1b0) at xdisp.c:4158
#38 0x000000040002e4d5 in handle_stop (it=0xbfa1b0) at xdisp.c:3686
#39 0x000000040002e5b5 in reseat (it=0xbfa1b0, pos=...,
force_p=<optimized out>) at xdisp.c:6934
#40 0x000000040002efff in init_iterator (it=it@entry=0xbfa1b0,
w=w@entry=0x56eddd0, charpos=1, bytepos=1, row=<optimized out>,
base_face_id=<optimized out>, base_face_id@entry=DEFAULT_FACE_ID) at
xdisp.c:3287
#41 0x000000040003606c in start_display (it=it@entry=0xbfa1b0,
w=w@entry=0x56eddd0, pos=...) at xdisp.c:3303
#42 0x000000040003ea6f in try_window
(window=window@entry=XIL(0x56eddd5), pos=..., flags=flags@entry=1) at
xdisp.c:19077
#43 0x0000000400051dea in redisplay_window (window=XIL(0x56eddd5),
just_this_one_p=just_this_one_p@entry=false) at xdisp.c:18501
#44 0x00000004000538f9 in redisplay_window_0 (window=<optimized out>)
at xdisp.c:16215
#45 0x000000040011e4ed in internal_condition_case_1
(bfun=bfun@entry=0x4000538c6 <redisplay_window_0>,
arg=arg@entry=XIL(0x56eddd5), handlers=<optimized out>,
hfun=hfun@entry=0x400015902 <redisplay_window_error>) at eval.c:1379
#46 0x000000040001c945 in redisplay_windows (window=XIL(0x56eddd5)) at
xdisp.c:16195
#47 0x0000000400044416 in redisplay_internal () at xdisp.c:15663
#48 0x00000004000454a3 in redisplay () at xdisp.c:14891
#49 0x00000004000b49aa in read_char (commandflag=0, map=XIL(0),
map@entry=XIL(0x8cbfda3), prev_event=XIL(0), used_mouse_menu=0x0,
used_mouse_menu@entry=0xbff4cb, end_time=end_time@entry=0x0) at
keyboard.c:2493
#50 0x00000004000b644b in read_key_sequence
(keybuf=keybuf@entry=0xbff5d0, prompt=prompt@entry=XIL(0),
dont_downcase_last=dont_downcase_last@entry=false,
can_return_switch_frame=can_return_switch_frame@entry=true,
fix_current_buffer=fix_current_buffer@entry=true,
prevent_redisplay=prevent_redisplay@entry=false) at keyboard.c:9534
#51 0x00000004000b7785 in command_loop_1 () at lisp.h:1042
#52 0x000000040011e476 in internal_condition_case
(bfun=bfun@entry=0x4000b7552 <command_loop_1>,
handlers=handlers@entry=XIL(0x90), hfun=hfun@entry=0x4000ae1e4
<cmd_error>) at eval.c:1355
#53 0x00000004000a95d4 in command_loop_2 (ignore=<optimized out>) at lisp.h:1042
#54 0x000000040011e3e7 in internal_catch (tag=tag@entry=XIL(0xe070),
func=func@entry=0x4000a95b8 <command_loop_2>, arg=arg@entry=XIL(0)) at
eval.c:1116
#55 0x00000004000a9571 in command_loop () at lisp.h:1042
#56 0x0000000000000000 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Lisp Backtrace:
"re-search-forward" (0xbf8938)
"font-lock-fontify-keywords-region" (0xbf8d00)
"font-lock-default-fontify-region" (0xbf8fc8)
"font-lock-fontify-region" (0xbf91c8)
0x8c7d7d0 PVEC_COMPILED
"run-hook-wrapped" (0xbf9610)
"jit-lock--run-functions" (0xbf98a0)
"jit-lock-fontify-now" (0xbf9c08)
"jit-lock-function" (0xbf9eb8)
"redisplay_internal (C function)" (0x0)

In GNU Emacs 28.0.50 (build 1, x86_64-w64-mingw32)
 of 2020-04-16 built on MACHINE
Repository revision: d5a7df8c02f04102d50a5cd2290262f59f2b1415
Repository branch: master
Windowing system distributor 'Microsoft Corp.', version 10.0.19041
System Description: Microsoft Windows 10 Pro (v10.0.2004.19041.153)

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --config-cache --with-modules --without-pop
 --without-compress-install --without-dbus --without-gconf
 --without-gsettings 'CFLAGS=-Og -g -ggdb -g3''

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND NOTIFY W32NOTIFY ACL GNUTLS LIBXML2
HARFBUZZ ZLIB TOOLKIT_SCROLL_BARS MODULES THREADS JSON PDUMPER LCMS2 GMP

Important settings:
  value of $LANG: ENG
  locale-coding-system: cp1252

Major mode: Perl

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny dired dired-loaddefs
format-spec rfc822 mml easymenu mml-sec password-cache epa derived epg
epg-config gnus-util rmail rmail-loaddefs text-property-search time-date
subr-x seq byte-opt gv bytecomp byte-compile cconv mm-decode mm-bodies
mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader cl-loaddefs
cl-lib sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils
perl-mode tooltip eldoc electric uniquify ediff-hook vc-hooks
lisp-float-type mwheel dos-w32 ls-lisp disp-table term/w32-win w32-win
w32-vars term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list replace newcomment text-mode elisp-mode lisp-mode
prog-mode register page tab-bar menu-bar rfn-eshadow isearch timer
select scroll-bar mouse jit-lock font-lock syntax facemenu font-core
term/tty-colors frame minibuffer cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese composite charscript charprop case-table epa-hook
jka-cmpr-hook help simple abbrev obarray cl-preloaded nadvice loaddefs
button faces cus-face macroexp files text-properties overlay sha1 md5
base64 format env code-pages mule custom widget hashtable-print-readable
backquote threads w32notify w32 lcms2 multi-tty make-network-process
emacs)

Memory information:
((conses 16 47504 14219)
 (symbols 48 6132 1)
 (strings 32 17070 1654)
 (string-bytes 1 523301)
 (vectors 16 9436)
 (vector-slots 8 132460 12454)
 (floats 8 21 229)
 (intervals 56 238 0)
 (buffers 992 11))
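The backtrace above shows rpl_re_search_2 faulting on `*p` while its `str1`/`str2` arguments point at memory gdb can no longer read, and the bisected commit's subject says the matcher now updates syntax tables mid-match. That is consistent with a classic native-code bug class: a scanner caches raw pointers into a growable buffer, then runs code that can move that buffer, and keeps using the stale pointers. Whether that is the actual root cause of bug#40661 is an inference from the report, not something it states. The C program below is an added illustration of that bug class and its usual fix; it is not Emacs code and does not model Emacs's regex engine or buffer allocator. The text store, the "hook" that stands in for code run mid-match, and the counting function are all constructed for this example. The unsafe variant detects the moved base address and reports it instead of dereferencing a dangling pointer, so it can be run without crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable text store (constructed for this example). Growth moves `data`. */
struct text { char *data; size_t len, cap; };

static int text_init(struct text *t, const char *s) {
    t->len = strlen(s);
    t->cap = t->len + 1;
    t->data = malloc(t->cap);
    if (!t->data) return -1;
    memcpy(t->data, s, t->cap);
    return 0;
}

/* Grow by copying into a fresh block and freeing the old one, so the base
   address is guaranteed to change. Plain realloc may extend in place and
   hide the stale-pointer bug nondeterministically, which is exactly why such
   bugs surface only "eventually", as in the report's recipe. */
static int text_append(struct text *t, const char *s) {
    size_t n = strlen(s);
    if (t->len + n + 1 > t->cap) {
        size_t ncap = 2 * (t->len + n + 1);
        char *nd = malloc(ncap);
        if (!nd) return -1;
        memcpy(nd, t->data, t->len + 1);
        free(t->data);
        t->data = nd;
        t->cap = ncap;
    }
    memcpy(t->data + t->len, s, n + 1);
    t->len += n;
    return 0;
}

static void text_free(struct text *t) {
    free(t->data);
    t->data = NULL;
    t->len = t->cap = 0;
}

/* Hook run once per scanned character: stands in for any work a matcher does
   mid-match that may run arbitrary code and resize or move the text. */
typedef void (*hook_fn)(struct text *t, void *ctx);

struct grow_ctx { int calls, fire_at; const char *extra; };

static void grow_hook(struct text *t, void *vctx) {
    struct grow_ctx *c = vctx;
    if (++c->calls == c->fire_at)
        text_append(t, c->extra);   /* moves t->data on the fire_at-th call */
}

/* UNSAFE pattern: cache raw pointers once, keep using them across the hook.
   Returns the number of 'x' bytes, or -1 if the pointers went stale. In real
   code the dereference of `p` would be the crash; here it is detected instead. */
static long count_x_unsafe(struct text *t, hook_fn hook, void *ctx) {
    uintptr_t base = (uintptr_t)t->data;
    const char *p = t->data, *end = t->data + t->len;
    long n = 0;
    for (; p < end; p++) {
        if (hook) hook(t, ctx);
        if ((uintptr_t)t->data != base)
            return -1;              /* p and end now point into freed memory */
        if (*p == 'x') n++;
    }
    return n;
}

/* HARDENED pattern: keep an offset, not a pointer, and re-derive the pointer
   and the length from the store after every call that may move it. */
static long count_x_safe(struct text *t, hook_fn hook, void *ctx) {
    long n = 0;
    for (size_t i = 0; i < t->len; i++) {   /* len re-read every iteration */
        if (hook) hook(t, ctx);
        const char *p = t->data + i;        /* re-derived after the hook */
        if (*p == 'x') n++;
    }
    return n;
}

/* Scenario helpers: text "xyxyxy", hook appends "xx" on its 2nd call. */
static long demo_unsafe(void) {
    struct text t;
    if (text_init(&t, "xyxyxy")) return -2;
    struct grow_ctx c = {0, 2, "xx"};
    long r = count_x_unsafe(&t, grow_hook, &c);
    text_free(&t);
    return r;                               /* -1: stale pointer detected */
}

static long demo_safe(void) {
    struct text t;
    if (text_init(&t, "xyxyxy")) return -2;
    struct grow_ctx c = {0, 2, "xx"};
    long r = count_x_safe(&t, grow_hook, &c);
    text_free(&t);
    return r;                               /* 5: counts the appended x's too */
}

static long demo_no_hook(void) {
    struct text t;
    if (text_init(&t, "xyxyxy")) return -2;
    long r = count_x_unsafe(&t, NULL, NULL);
    text_free(&t);
    return r;                               /* 3: no movement, no bug */
}

int main(void) {
    printf("unsafe with hook: %ld\n", demo_unsafe());
    printf("safe with hook:   %ld\n", demo_safe());
    printf("unsafe, no hook:  %ld\n", demo_no_hook());
    return 0;
}
```

The point for a reviewer of such a matcher is the invariant, not this toy: any pointer into text that a callee may relocate is valid only until the next call that can relocate it, so either the callee must be forbidden from moving the text while the scan holds pointers, or the scan must hold offsets and re-derive pointers after each such call. Building with AddressSanitizer turns the "eventually" of the report's recipe into a deterministic use-after-free report on the first stale read.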