Emacs 25.1 fc25 often crashes with emacs-auctex (#1398718)

This commit is contained in:
Jan Synacek 2016-12-12 10:32:55 +01:00
parent 430d29bb0b
commit 12a7e9af6d
2 changed files with 281 additions and 1 deletions

View File

@ -0,0 +1,274 @@
Backport the following upstream patches:
http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=9afea93ed536fb9110ac62b413604cf4c4302199
http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=71ca4f6a43bad06192cbc4bb8c7a2d69c179b7b0
http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=1047496722a58ef5b736dae64d32adeb58c5055c
http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=96ac0c3ebce825e60595794f99e703ec8302e240
http://git.savannah.gnu.org/cgit/emacs.git/patch/?id=43986d16fb6ad78a627250e14570ea70bdb1f23a
Resolves: #1398718
commit 9afea93ed536fb9110ac62b413604cf4c4302199
Author: Eli Zaretskii <eliz@gnu.org>
Date: Sun Oct 23 16:54:00 2016 +0300
Attempt to catch reads from a buffer that is relocated
* src/xml.c (parse_region): Add assertion to ensure buffer text is
not relocated while libxml2 is reading it. (Bug#24764)
diff --git a/src/xml.c b/src/xml.c
index b1175d1..1ef84bd 100644
--- a/src/xml.c
+++ b/src/xml.c
@@ -181,6 +181,7 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
Lisp_Object result = Qnil;
const char *burl = "";
ptrdiff_t istart, iend, istart_byte, iend_byte;
+ unsigned char *buftext;
xmlCheckVersion (LIBXML_VERSION);
@@ -200,18 +201,24 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
burl = SSDATA (base_url);
}
+ buftext = BYTE_POS_ADDR (istart_byte);
if (htmlp)
- doc = htmlReadMemory ((char *) BYTE_POS_ADDR (istart_byte),
+ doc = htmlReadMemory ((char *)buftext,
iend_byte - istart_byte, burl, "utf-8",
HTML_PARSE_RECOVER|HTML_PARSE_NONET|
HTML_PARSE_NOWARNING|HTML_PARSE_NOERROR|
HTML_PARSE_NOBLANKS);
else
- doc = xmlReadMemory ((char *) BYTE_POS_ADDR (istart_byte),
+ doc = xmlReadMemory ((char *)buftext,
iend_byte - istart_byte, burl, "utf-8",
XML_PARSE_NONET|XML_PARSE_NOWARNING|
XML_PARSE_NOBLANKS |XML_PARSE_NOERROR);
+ /* If the assertion below fails, malloc was called inside the above
+ libxml2 functions, and ralloc.c caused relocation of buffer text,
+ so we could have read from unrelated memory. */
+ eassert (buftext == BYTE_POS_ADDR (istart_byte));
+
if (doc != NULL)
{
Lisp_Object r = Qnil;
commit 71ca4f6a43bad06192cbc4bb8c7a2d69c179b7b0
Author: Eli Zaretskii <eliz@gnu.org>
Date: Sun Oct 23 19:52:56 2016 +0300
Avoid relocating buffers while libxml2 reads its text
* src/xml.c (parse_region) [REL_ALLOC]: Freeze the ralloc arena
while libxml2 reads the current buffer's text. (Bug#24764)
diff --git a/src/xml.c b/src/xml.c
index 1ef84bd..612b16c 100644
--- a/src/xml.c
+++ b/src/xml.c
@@ -202,6 +202,11 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
}
buftext = BYTE_POS_ADDR (istart_byte);
+#ifdef REL_ALLOC
+ /* Prevent ralloc.c from relocating the current buffer while libxml2
+ functions below read its text. */
+ r_alloc_inhibit_buffer_relocation (1);
+#endif
if (htmlp)
doc = htmlReadMemory ((char *)buftext,
iend_byte - istart_byte, burl, "utf-8",
@@ -214,6 +219,9 @@ parse_region (Lisp_Object start, Lisp_Object end, Lisp_Object base_url,
XML_PARSE_NONET|XML_PARSE_NOWARNING|
XML_PARSE_NOBLANKS |XML_PARSE_NOERROR);
+#ifdef REL_ALLOC
+ r_alloc_inhibit_buffer_relocation (0);
+#endif
/* If the assertion below fails, malloc was called inside the above
libxml2 functions, and ralloc.c caused relocation of buffer text,
so we could have read from unrelated memory. */
commit 1047496722a58ef5b736dae64d32adeb58c5055c
Author: Eli Zaretskii <eliz@gnu.org>
Date: Mon Oct 24 16:59:34 2016 +0300
Another fix for using pointer to buffer text
* src/search.c (Freplace_match): Move the call to BYTE_POS_ADDR
after the call to xpalloc, to avoid the danger of buffer text
relocation after its address was taken. (Bug#24358)
diff --git a/src/search.c b/src/search.c
index 5c04916..f8acd40 100644
--- a/src/search.c
+++ b/src/search.c
@@ -2640,6 +2640,7 @@ since only regular expressions have distinguished subexpressions. */)
const unsigned char *add_stuff = NULL;
ptrdiff_t add_len = 0;
ptrdiff_t idx = -1;
+ ptrdiff_t begbyte;
if (str_multibyte)
{
@@ -2702,11 +2703,10 @@ since only regular expressions have distinguished subexpressions. */)
set up ADD_STUFF and ADD_LEN to point to it. */
if (idx >= 0)
{
- ptrdiff_t begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
+ begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
add_len = CHAR_TO_BYTE (search_regs.end[idx]) - begbyte;
if (search_regs.start[idx] < GPT && GPT < search_regs.end[idx])
move_gap_both (search_regs.start[idx], begbyte);
- add_stuff = BYTE_POS_ADDR (begbyte);
}
/* Now the stuff we want to add to SUBSTED
@@ -2719,6 +2719,11 @@ since only regular expressions have distinguished subexpressions. */)
add_len - (substed_alloc_size - substed_len),
STRING_BYTES_BOUND, 1);
+ /* We compute this after the call to xpalloc, because that
+ could cause buffer text be relocated when ralloc.c is used. */
+ if (idx >= 0)
+ add_stuff = BYTE_POS_ADDR (begbyte);
+
/* Now add to the end of SUBSTED. */
if (add_stuff)
{
commit 96ac0c3ebce825e60595794f99e703ec8302e240
Author: Eli Zaretskii <eliz@gnu.org>
Date: Mon Oct 24 21:37:20 2016 +0300
Yet another fix for using pointers into buffer text
* src/search.c (boyer_moore): Update pointers to buffer text
after call to set_search_regs. (Bug#24358)
diff --git a/src/search.c b/src/search.c
index f8acd40..b50e7f0 100644
--- a/src/search.c
+++ b/src/search.c
@@ -2014,13 +2014,20 @@ boyer_moore (EMACS_INT n, unsigned char *base_pat,
cursor += dirlen - i - direction; /* fix cursor */
if (i + direction == 0)
{
- ptrdiff_t position, start, end;
+ ptrdiff_t position, start, end, cursor_off;
cursor -= direction;
position = pos_byte + cursor - p2 + ((direction > 0)
? 1 - len_byte : 0);
+ /* set_search_regs might call malloc, which could
+ cause ralloc.c relocate buffer text. We need to
+ update pointers into buffer text due to that. */
+ cursor_off = cursor - p2;
set_search_regs (position, len_byte);
+ p_limit = BYTE_POS_ADDR (limit);
+ p2 = BYTE_POS_ADDR (pos_byte);
+ cursor = p2 + cursor_off;
if (NILP (Vinhibit_changing_match_data))
{
commit 43986d16fb6ad78a627250e14570ea70bdb1f23a
Author: Noam Postavsky <npostavs@gmail.com>
Date: Mon Oct 24 21:22:07 2016 -0400
Inhibit buffer relocation during regex searches
* src/search.c (looking_at_1, fast_looking_at, search_buffer): Prevent
relocation of buffer contents during calls to re_search_2. This ensures
the pointers into buffer text won't be invalidated by
r_alloc_sbrk (called from malloc with configurations where
REL_ALLOC=yes).
diff --git a/src/search.c b/src/search.c
index fa5ac44..15504be 100644
--- a/src/search.c
+++ b/src/search.c
@@ -308,12 +308,20 @@ looking_at_1 (Lisp_Object string, bool posix)
re_match_object = Qnil;
+#ifdef REL_ALLOC
+ /* Prevent ralloc.c from relocating the current buffer while
+ searching it. */
+ r_alloc_inhibit_buffer_relocation (1);
+#endif
i = re_match_2 (bufp, (char *) p1, s1, (char *) p2, s2,
PT_BYTE - BEGV_BYTE,
(NILP (Vinhibit_changing_match_data)
? &search_regs : NULL),
ZV_BYTE - BEGV_BYTE);
immediate_quit = 0;
+#ifdef REL_ALLOC
+ r_alloc_inhibit_buffer_relocation (0);
+#endif
if (i == -2)
matcher_overflow ();
@@ -561,8 +569,16 @@ fast_looking_at (Lisp_Object regexp, ptrdiff_t pos, ptrdiff_t pos_byte,
buf = compile_pattern (regexp, 0, Qnil, 0, multibyte);
immediate_quit = 1;
+#ifdef REL_ALLOC
+ /* Prevent ralloc.c from relocating the current buffer while
+ searching it. */
+ r_alloc_inhibit_buffer_relocation (1);
+#endif
len = re_match_2 (buf, (char *) p1, s1, (char *) p2, s2,
pos_byte, NULL, limit_byte);
+#ifdef REL_ALLOC
+ r_alloc_inhibit_buffer_relocation (0);
+#endif
immediate_quit = 0;
return len;
@@ -1213,6 +1229,12 @@ search_buffer (Lisp_Object string, ptrdiff_t pos, ptrdiff_t pos_byte,
}
re_match_object = Qnil;
+#ifdef REL_ALLOC
+ /* Prevent ralloc.c from relocating the current buffer while
+ searching it. */
+ r_alloc_inhibit_buffer_relocation (1);
+#endif
+
while (n < 0)
{
ptrdiff_t val;
@@ -1254,6 +1276,9 @@ search_buffer (Lisp_Object string, ptrdiff_t pos, ptrdiff_t pos_byte,
else
{
immediate_quit = 0;
+#ifdef REL_ALLOC
+ r_alloc_inhibit_buffer_relocation (0);
+#endif
return (n);
}
n++;
@@ -1296,11 +1321,17 @@ search_buffer (Lisp_Object string, ptrdiff_t pos, ptrdiff_t pos_byte,
else
{
immediate_quit = 0;
+#ifdef REL_ALLOC
+ r_alloc_inhibit_buffer_relocation (0);
+#endif
return (0 - n);
}
n--;
}
immediate_quit = 0;
+#ifdef REL_ALLOC
+ r_alloc_inhibit_buffer_relocation (0);
+#endif
return (pos);
}
else /* non-RE case */

View File

@ -5,7 +5,7 @@ Summary: GNU Emacs text editor
Name: emacs
Epoch: 1
Version: 25.1
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv3+ and CC0-1.0
URL: http://www.gnu.org/software/emacs/
Group: Applications/Editors
@ -27,6 +27,8 @@ Patch2: emacs-pdf-default.patch
Patch3: emacs-system-crypto-policies.patch
# rhbz#1271407 (upstreamed)
Patch4: emacs-samba.patch
# rhbz#1398718 (upstreamed)
Patch5: emacs-auctex-compilation.patch
BuildRequires: atk-devel
BuildRequires: cairo-devel
@ -170,6 +172,7 @@ packages that add functionality to Emacs.
%patch2 -p1 -b .pdf-default.patch
%patch3 -p1 -b .system-crypto-policies
%patch4 -p1 -b .samba
%patch5 -p1 -b .auctex-compilation
autoconf
# We prefer our emacs.desktop file
@ -449,6 +452,9 @@ update-desktop-database &> /dev/null || :
%dir %{_datadir}/emacs/site-lisp/site-start.d
%changelog
* Mon Dec 12 2016 Jan Synáček <jsynacek@redhat.com> - 1:25.1-3
- Emacs 25.1 fc25 often crashes with emacs-auctex (#1398718)
* Wed Oct 12 2016 Jan Synáček <jsynacek@redhat.com> - 1:25.1-2
- emacs leaves behind corrupted symlinks on CIFS share (#1271407)