GNU bug report logs -
#56108
29.0.50; ASAN use-after-free in re_match_2_internal
Previous Next
Reported by: Gerd Möllmann <gerd.moellmann <at> gmail.com>
Date: Mon, 20 Jun 2022 14:10:01 UTC
Severity: normal
Found in version 29.0.50
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 56108 in the body.
You can then email your comments to 56108 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Mon, 20 Jun 2022 14:10:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Gerd Möllmann <gerd.moellmann <at> gmail.com>:
New bug report received and forwarded. Copy sent to
bug-gnu-emacs <at> gnu.org.
(Mon, 20 Jun 2022 14:10:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
FWIW, here is another non-reproducible crash with ASAN.
In short, shrink_regexp_cache realloc'd something leading to a malloc +
free, and something is still holding a pointer the old memory. Or so it
looks to me.
=22069==ERROR: AddressSanitizer: heap-use-after-free on address 0x000105b493a5 at pc 0x00010057549c bp 0x00016fde0b90 sp 0x00016fde0b88
READ of size 1 at 0x000105b493a5 thread T0
#0 0x100575498 in re_match_2_internal regex-emacs.c:5021
#1 0x100568c38 in rpl_re_search_2 regex-emacs.c:3382
#2 0x1005678c4 in rpl_re_search regex-emacs.c:3176
#3 0x10054cc68 in fast_string_match_internal search.c:489
#4 0x1004f20b0 in fast_string_match lisp.h:4747
#5 0x1004f1b28 in Ffind_file_name_handler fileio.c:324
#6 0x1004f82d4 in Fexpand_file_name fileio.c:1018
#7 0x1006ddc50 in openp lread.c:1849
#8 0x1006dae98 in Fload lread.c:1312
#9 0x1006e3c64 in save_match_data_load lread.c:1641
#10 0x1006408d0 in load_with_autoload_queue eval.c:2245
#11 0x100677534 in Frequire fns.c:3146
0x000105b493a5 is located 293 bytes inside of 558-byte region [0x000105b49280,0x000105b494ae)
freed by thread T0 here:
#0 0x1031c7ddc in wrap_realloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fddc)
#1 0x100598388 in lrealloc alloc.c:1376
#2 0x1005982c4 in xrealloc alloc.c:790
#3 0x10054a490 in shrink_regexp_cache search.c:150
#4 0x1005aaeb0 in garbage_collect alloc.c:6172
#5 0x1005aa6cc in maybe_garbage_collect alloc.c:6088
#6 0x1006416c0 in maybe_gc lisp.h:5548
#7 0x10063a99c in Ffuncall eval.c:2948
#8 0x10064a144 in funcall_nil eval.c:2635
#9 0x10064a0b4 in run_hook_with_args eval.c:2812
#10 0x100649b84 in Frun_hook_with_args eval.c:2677
#11 0x100649ad0 in run_hook eval.c:2825
#12 0x1004da650 in signal_before_change insdel.c:2155
#13 0x1004d9c40 in prepare_to_modify_buffer_1 insdel.c:2009
#14 0x1004c810c in prepare_to_modify_buffer insdel.c:2020
#15 0x1005081ec in Finsert_file_contents fileio.c:4601
#16 0x10064b758 in funcall_subr eval.c:2999
#17 0x10072fa40 in exec_byte_code bytecode.c:809
#18 0x10065361c in fetch_and_exec_byte_code eval.c:3040
#19 0x10064c344 in funcall_lambda eval.c:3112
#20 0x10064ac18 in funcall_general eval.c:2903
#21 0x10063aa70 in Ffuncall eval.c:2953
#22 0x100643c0c in Fapply eval.c:2577
#23 0x10064bde0 in funcall_subr eval.c:3018
#24 0x10072fa40 in exec_byte_code bytecode.c:809
#25 0x10065361c in fetch_and_exec_byte_code eval.c:3040
#26 0x10064c344 in funcall_lambda eval.c:3112
#27 0x1006437c0 in apply_lambda eval.c:3062
#28 0x100633734 in eval_sub eval.c:2503
#29 0x100640ef8 in Feval eval.c:2314
previously allocated by thread T0 here:
#0 0x1031c7ddc in wrap_realloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fddc)
#1 0x100598388 in lrealloc alloc.c:1376
#2 0x1005982c4 in xrealloc alloc.c:790
#3 0x10054a490 in shrink_regexp_cache search.c:150
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Mon, 20 Jun 2022 19:11:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Date: Mon, 20 Jun 2022 16:07:55 +0200
>
> FWIW, here is another non-reproducible crash with ASAN.
>
> In short, shrink_regexp_cache realloc'd something leading to a malloc +
> free, and something is still holding a pointer the old memory. Or so it
> looks to me.
I don't understand why some callers of compile_pattern mark the cache
entry as busy, but some others don't. If a cache entry that is in use
is not marked as busy, then any GC can decide to shrink the cache by
freeing that entry.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Wed, 22 Jun 2022 08:14:01 GMT)
Full text and
rfc822 format available.
Message #11 received at 56108 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 20. Jun 2022, 21:10 +0200, Eli Zaretskii <eliz <at> gnu.org>, wrote:
> > I don't understand why some callers of compile_pattern mark the cache
> > entry as busy, but some others don't. If a cache entry that is in use
> > is not marked as busy, then any GC can decide to shrink the cache by
> > freeing that entry.
struct re_pattern_buffer *bufp;
...
bufp = &compile_pattern (regexp,
...
The address operator is there to confuse the Russians.
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Wed, 22 Jun 2022 13:40:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> Date: Wed, 22 Jun 2022 10:13:08 +0200
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Cc: 56108 <at> debbugs.gnu.org
>
> On 20. Jun 2022, 21:10 +0200, Eli Zaretskii <eliz <at> gnu.org>, wrote:
>
> I don't understand why some callers of compile_pattern mark the cache
> entry as busy, but some others don't. If a cache entry that is in use
> is not marked as busy, then any GC can decide to shrink the cache by
> freeing that entry.
>
> struct re_pattern_buffer *bufp;
> ...
> bufp = &compile_pattern (regexp,
> ...
>
> The address operator is there to confuse the Russians.
Hmm... did you mean by that to explain why some callers of
compile_pattern don't mark the new cache entry as "busy"? Because if
so, I guess I'm one of the "confused Russians", as I don't understand
the explanation. Please elaborate.
Or maybe _I_ should elaborate. By "marking an entry busy" I meant the
call to freeze_pattern, not a call to freeze_buffer_relocation (the
latter is mostly a no-op nowadays, as almost all the supported
platforms don't use ralloc.c). So it isn't the C pointer we keep
around to compile_pattern's result that bothered me, it's the fact
that the pattern cache entry created by compile_pattern is not
protected from being freed by shrink_regexp_cache that is called by
GC. AFAIU, that entry must be protected for the whole time the
compiled pattern is in use by re_match_2 or any of its callers.
Does the above make sense?
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Wed, 22 Jun 2022 14:11:02 GMT)
Full text and
rfc822 format available.
Message #17 received at 56108 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 22. Jun 2022, 15:39 +0200, Eli Zaretskii <eliz <at> gnu.org>, wrote:
> > Date: Wed, 22 Jun 2022 10:13:08 +0200
> > From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> > Cc: 56108 <at> debbugs.gnu.org
> >
> > On 20. Jun 2022, 21:10 +0200, Eli Zaretskii <eliz <at> gnu.org>, wrote:
> >
> > I don't understand why some callers of compile_pattern mark the cache
> > entry as busy, but some others don't. If a cache entry that is in use
> > is not marked as busy, then any GC can decide to shrink the cache by
> > freeing that entry.
> >
> > struct re_pattern_buffer *bufp;
> > ...
> > bufp = &compile_pattern (regexp,
> > ...
> >
> > The address operator is there to confuse the Russians.
> >
> > Hmm... did you mean by that to explain why some callers of
> > compile_pattern don't mark the new cache entry as "busy"? Because if
> > so, I guess I'm one of the "confused Russians", as I don't understand
> > the explanation. Please elaborate.
> >
Sorry, looking at this again, I'm now also completely confused.
I see, all in search.c:
static struct regexp_cache *
compile_pattern (Lisp_Object pattern, struct re_registers *regp,
and then, later
struct re_pattern_buffer *bufp;
bufp = &compile_pattern
How the heck does this compile?
> >
> > Or maybe _I_ should elaborate. By "marking an entry busy" I meant the
> > call to freeze_pattern,
Yes, I've seen that.
> > not a call to freeze_buffer_relocation (the
> > latter is mostly a no-op nowadays, as almost all the supported
> > platforms don't use ralloc.c). So it isn't the C pointer we keep
> > around to compile_pattern's result that bothered me, it's the fact
> > that the pattern cache entry created by compile_pattern is not
> > protected from being freed by shrink_regexp_cache that is called by
> > GC. AFAIU, that entry must be protected for the whole time the
> > compiled pattern is in use by re_match_2 or any of its callers.
> >
> > Does the above make sense?
Yes, it's the same I see.
Functions fast_string_match_internal* don't freeze in the sense you explained. What I don't see so far is what could lead to a GC in these cases, between the compile_pattern and the use of its result...
Did you find other places where there's no freeze?
Can Emacs GC while handling a signal?
Does Emacs use threads nowadays?
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Wed, 22 Jun 2022 14:25:01 GMT)
Full text and
rfc822 format available.
Message #20 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> Date: Wed, 22 Jun 2022 16:10:23 +0200
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Cc: 56108 <at> debbugs.gnu.org
>
> Functions fast_string_match_internal* don't freeze in the sense you explained. What I don't see so far is
> what could lead to a GC in these cases, between the compile_pattern and the use of its result...
I don't know if something inside re_match_2_internal can call
something that would trigger GC. There's too much stuff going on
there, what with syntax tables and whatnot.
> Did you find other places where there's no freeze?
string_match_1, I think.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Wed, 22 Jun 2022 15:13:01 GMT)
Full text and
rfc822 format available.
Message #23 received at 56108 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Maybe I have something. Could you please check?
Please read the following list from the bottom up, i.e. re_match... calls maybe_quit etc.
maybe_gc
Ffuncall
call2
signal_or_quit (eval.c:1741)
quit (eval.c:1697)
process_quit_flag (eval.c:1657)
probably_quit (eval.c:1864)
maybe_quit (lisp.h:3681)
re_match_2_internal (regexp-emacs.c:4691)
If this is true a GC can be triggered under very specific circumstances involving edebug, if the comment in signal_or_quit is right.
And I might have used edebug, I'm not 100% sure anymore.
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Wed, 22 Jun 2022 16:21:02 GMT)
Full text and
rfc822 format available.
Message #26 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> Date: Wed, 22 Jun 2022 17:11:55 +0200
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Cc: 56108 <at> debbugs.gnu.org
>
> Maybe I have something. Could you please check?
>
> Please read the following list from the bottom up, i.e. re_match... calls maybe_quit etc.
>
> maybe_gc
> Ffuncall
> call2
> signal_or_quit (eval.c:1741)
> quit (eval.c:1697)
> process_quit_flag (eval.c:1657)
> probably_quit (eval.c:1864)
> maybe_quit (lisp.h:3681)
> re_match_2_internal (regexp-emacs.c:4691)
>
> If this is true a GC can be triggered under very specific circumstances involving edebug, if the comment in
> signal_or_quit is right.
>
> And I might have used edebug, I'm not 100% sure anymore.
Sounds plausible. signal-hook-function should be non-nil to trigger
the call2 call inside signal_or_quit. In addition to Edebug, Tramp
also sets that.
So yes, it could happen, with some "luck".
I think the next step is to add the missing freeze_pattern calls and
see if that fixes the problem?
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Thu, 23 Jun 2022 05:54:01 GMT)
Full text and
rfc822 format available.
Message #29 received at 56108 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 22. Jun 2022, 18:20 +0200, Eli Zaretskii <eliz <at> gnu.org>, wrote:
> >
> > I think the next step is to add the missing freeze_pattern calls and
> > see if that fixes the problem?
I think the missing freezes are 100% a bug, and they should be fixed.
Do you want to do that or should I?
(BTW, I just now noticed the "->buf" at the end of the "bufp = &compile_pattern (regexp,...)" that I complained about. That explains it. Nice :-/.)
Another side question, if I may: Have you perhaps heard of someone producing a static call graph for Emacs, or better yet, specific functions in Emacs? Maybe using objdump -D or something similar?
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Thu, 23 Jun 2022 06:59:01 GMT)
Full text and
rfc822 format available.
Message #32 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> Date: Thu, 23 Jun 2022 07:53:29 +0200
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Cc: 56108 <at> debbugs.gnu.org
>
> On 22. Jun 2022, 18:20 +0200, Eli Zaretskii <eliz <at> gnu.org>, wrote:
>
> I think the next step is to add the missing freeze_pattern calls and
> see if that fixes the problem?
>
> I think the missing freezes are 100% a bug, and they should be fixed.
I agree.
> Do you want to do that or should I?
Feel free to do it, I generally prefer that people who see the problem
and could at least potentially test the solution also make the change
to fix it.
> Another side question, if I may: Have you perhaps heard of someone producing a static call graph for
> Emacs, or better yet, specific functions in Emacs? Maybe using objdump -D or something similar?
Does this make sense in a dynamic program such as Emacs? We call into
Lisp quite a lot from C, and from there you can arrive anywhere, no?
And objdump cannot capture Lisp levels.
That is, btw, the main problem with maintaining Emacs internals
nowadays: it is hard, almost impossible, to know, just by looking at C
code, whether GC or any other Lisp-related activity could happen
between two arbitrary lines of C. We have more and more hooks called
from C that could potentially call any Lisp, and we have more and more
direct calls into Lisp from the most intimate parts of Emacs, like the
display engine and the main loop in keyboard.c. This basically makes
any analysis of whether or not some code fragment could cause GC
futile: even if today it's impossible, it can easily become possible
tomorrow, with some innocent-looking change. This is exacerbated by
the fact that GCPROs are long gone, so the caution we used to
exercised 20 years ago to make sure GC doesn't surprise us is no
longer needed nor practiced.
But no, I don't think anyone tried to see what kind of graph could be
obtained. Maybe it's worthwhile, who knows? we might learn something
useful regardless.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Thu, 23 Jun 2022 07:18:02 GMT)
Full text and
rfc822 format available.
Message #35 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> Cc: 56108 <at> debbugs.gnu.org
> Date: Thu, 23 Jun 2022 09:57:53 +0300
> From: Eli Zaretskii <eliz <at> gnu.org>
>
> > Do you want to do that or should I?
>
> Feel free to do it, I generally prefer that people who see the problem
> and could at least potentially test the solution also make the change
> to fix it.
Actually, let's first bring Stefan on board of this discussion.
Stefan, do you happen to know why some of the callers of
compile_pattern don't call freeze_pattern to protect the new cache
entry? Is it just an omission or do we miss something here?
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Thu, 23 Jun 2022 08:25:01 GMT)
Full text and
rfc822 format available.
Message #38 received at 56108 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 23. Jun 2022, 08:58 +0200, Eli Zaretskii <eliz <at> gnu.org>, wrote:
> > Do you want to do that or should I?
> >
> > Feel free to do it, I generally prefer that people who see the problem
> > and could at least potentially test the solution also make the change
> > to fix it.
> >
Ok
> >
> > Another side question, if I may: Have you perhaps heard of someone producing a static call graph for
> > Emacs, or better yet, specific functions in Emacs? Maybe using objdump -D or something similar?
> >
> > Does this make sense in a dynamic program such as Emacs? We call into
> > Lisp quite a lot from C, and from there you can arrive anywhere, no?
> > And objdump cannot capture Lisp levels.
True, but for GC at least, I think it would make it easier to tell if it can potentially happen. One would see a call to GC in the static call graph. Not for arbitrary lines, of course, you know what I mean...
> >
> > That is, btw, the main problem with maintaining Emacs internals
> > nowadays: it is hard, almost impossible, to know, just by looking at C
> > code, whether GC or any other Lisp-related activity could happen
> > between two arbitrary lines of C. We have more and more hooks called
> > from C that could potentially call any Lisp, and we have more and more
> > direct calls into Lisp from the most intimate parts of Emacs, like the
> > display engine and the main loop in keyboard.c. This basically makes
> > any analysis of whether or not some code fragment could cause GC
> > futile: even if today it's impossible, it can easily become possible
> > tomorrow, with some innocent-looking change. This is exacerbated by
> > the fact that GCPROs are long gone, so the caution we used to
> > exercised 20 years ago to make sure GC doesn't surprise us is no
> > longer needed nor practiced.
> >
All true, I just want to remark that I have no fond memories of GCPRO, and of debugging stuff caused by missing ones. Glad to hear they're finally completely dead now.
> >
> > But no, I don't think anyone tried to see what kind of graph could be
> > obtained. Maybe it's worthwhile, who knows? we might learn something
> > useful regardless.
Thanks
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Thu, 23 Jun 2022 08:39:01 GMT)
Full text and
rfc822 format available.
Message #41 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> Date: Thu, 23 Jun 2022 10:24:31 +0200
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Cc: 56108 <at> debbugs.gnu.org
>
> Another side question, if I may: Have you perhaps heard of someone producing a static call graph for
> Emacs, or better yet, specific functions in Emacs? Maybe using objdump -D or something
> similar?
>
> Does this make sense in a dynamic program such as Emacs? We call into
> Lisp quite a lot from C, and from there you can arrive anywhere, no?
> And objdump cannot capture Lisp levels.
>
> True, but for GC at least, I think it would make it easier to tell if it can potentially happen. One would see a
> call to GC in the static call graph. Not for arbitrary lines, of course, you know what I mean...
Fair enough. But for that purpose, we need to consider each call into
Lisp, either directly or via a hook, as potentially triggering GC.
Moreover, if some code can signal an error or throw to a higher level,
that could cause GC via the handlers installed by the various
unwind-protect forms. So signaling/throwing are also GC triggers, at
least in some situations, and I'm not sure how relevant that is to
what you had in mind.
(People also tend to forget that GC doesn't only deletes "garbage"
objects, it also has other potentially "surprising" effects: it can
compact strings, relocate string data and buffer text, shrink regexp
pattern cache and font caches, etc.)
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Thu, 23 Jun 2022 08:50:02 GMT)
Full text and
rfc822 format available.
Message #44 received at 56108 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 23. Jun 2022, 10:38 +0200, Eli Zaretskii <eliz <at> gnu.org>, wrote:
> > Fair enough. But for that purpose, we need to consider each call into
> > Lisp, either directly or via a hook, as potentially triggering GC.
> >
True.
> >
> > Moreover, if some code can signal an error or throw to a higher level,
> > that could cause GC via the handlers installed by the various
> > unwind-protect forms. So signaling/throwing are also GC triggers, at
> > least in some situations, and I'm not sure how relevant that is to
> > what you had in mind.
> >
Also true.
I don't have something specific in mind, but I might give it a spin, partly because I tend to forget which things can call Lisp (like maybe_quit), partly because it was so boring to follow the calls in this bug, and partly because I can, or could ;-).
> >
> > (People also tend to forget that GC doesn't only deletes "garbage"
> > objects, it also has other potentially "surprising" effects: it can
> > compact strings, relocate string data and buffer text, shrink regexp
> > pattern cache and font caches, etc.)
Yeah. ISTR some fun after I changed the Lisp string implementation for conservative GC.
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Thu, 23 Jun 2022 21:30:02 GMT)
Full text and
rfc822 format available.
Message #47 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> Stefan, do you happen to know why some of the callers of
> compile_pattern don't call freeze_pattern to protect the new cache
> entry? Is it just an omission or do we miss something here?
Before `freeze_pattern`, the design was that nothing could happen while
running the regexp matcher (no GC, no execution of Lisp code).
Commit 938d252d1c6c5e2027aa250c649deb024154f936 changed that so that
searching inside a *buffer* could end up running ELisp code (and hence
also GC). AFAIK this still can't happen when searching in strings.
[ IIRC The need to run ELisp is so as to apply `syntax-table` text
properties on demand via `syntax-propertize`. ]
So I think freeze_pattern should be used in all cases where
`compile_pattern` is used to search inside a buffer, but it shouldn't be
necessary when searching within a string.
At least, that's my recollection.
Stefan
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Fri, 24 Jun 2022 05:57:02 GMT)
Full text and
rfc822 format available.
Message #50 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> From: Stefan Monnier <monnier <at> iro.umontreal.ca>
> Cc: gerd.moellmann <at> gmail.com, 56108 <at> debbugs.gnu.org
> Date: Thu, 23 Jun 2022 17:29:13 -0400
>
> Before `freeze_pattern`, the design was that nothing could happen while
> running the regexp matcher (no GC, no execution of Lisp code).
>
> Commit 938d252d1c6c5e2027aa250c649deb024154f936 changed that so that
> searching inside a *buffer* could end up running ELisp code (and hence
> also GC). AFAIK this still can't happen when searching in strings.
> [ IIRC The need to run ELisp is so as to apply `syntax-table` text
> properties on demand via `syntax-propertize`. ]
>
> So I think freeze_pattern should be used in all cases where
> `compile_pattern` is used to search inside a buffer, but it shouldn't be
> necessary when searching within a string.
I think at least the scenario uncovered by Gerd, shown in this
backtrace-like form:
> maybe_gc
> Ffuncall
> call2
> signal_or_quit (eval.c:1741)
> quit (eval.c:1697)
> process_quit_flag (eval.c:1657)
> probably_quit (eval.c:1864)
> maybe_quit (lisp.h:3681)
> re_match_2_internal (regexp-emacs.c:4691)
could happen even when searching within strings. And in general, as I
tried to explain up-thread, relying on what cannot happen _today_ wrt
GC is not future-proof, the way Emacs development advances.
So I think we should install a change that calls freeze_pattern for
every pattern-cache entry as long as it is in use.
Gerd, would you please show the patch for that?
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Fri, 24 Jun 2022 06:03:01 GMT)
Full text and
rfc822 format available.
Message #53 received at 56108 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 24. Jun 2022, 07:56 +0200, Eli Zaretskii <eliz <at> gnu.org>, wrote:
> > Gerd, would you please show the patch for that?
It's not ready yet. I'll send something later.
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Fri, 24 Jun 2022 09:36:01 GMT)
Full text and
rfc822 format available.
Message #56 received at 56108 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Please find patch attached.
Some notes about the patch:
• TRT, I think, would be to change the whole cacheing to use Lisp objects etc. I couldn't persuade myself to do that.
• A less right thing, but better than the patch, would be to protect the cache entry in re_match_2_internal. But that requires interface changes because re_match_2_internal currently doesn't know about cash entries. I couldn't bring myself to do that either.
Another note: Should some document mention that trailing whitespace are not allowed in the git repo? I couldn't find that anywhere.
[Message part 2 (text/html, inline)]
[0001-Prevent-reexp-cache-entry-GC-in-more-cases.patch (application/octet-stream, attachment)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Fri, 24 Jun 2022 15:41:01 GMT)
Full text and
rfc822 format available.
Message #59 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> Date: Fri, 24 Jun 2022 11:35:18 +0200
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Cc: 56108 <at> debbugs.gnu.org
>
> Another note: Should some document mention that trailing whitespace are not allowed in the git repo? I
> couldn't find that anywhere.
I think it should be in CONTRIBUTE. But it should describe all the
checks done by our Git hooks in .git/hooks/, not just the
trailing-whitespace check.
I will write that if no one beats me to it.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Sat, 25 Jun 2022 09:19:01 GMT)
Full text and
rfc822 format available.
Message #62 received at 56108 <at> debbugs.gnu.org (full text, mbox):
> Cc: monnier <at> iro.umontreal.ca, 56108 <at> debbugs.gnu.org
> Date: Fri, 24 Jun 2022 18:40:33 +0300
> From: Eli Zaretskii <eliz <at> gnu.org>
>
> > Date: Fri, 24 Jun 2022 11:35:18 +0200
> > From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> > Cc: 56108 <at> debbugs.gnu.org
> >
> > Another note: Should some document mention that trailing whitespace are not allowed in the git repo? I
> > couldn't find that anywhere.
>
> I think it should be in CONTRIBUTE. But it should describe all the
> checks done by our Git hooks in .git/hooks/, not just the
> trailing-whitespace check.
>
> I will write that if no one beats me to it.
Now done.
Reply sent
to
Eli Zaretskii <eliz <at> gnu.org>:
You have taken responsibility.
(Mon, 27 Jun 2022 13:27:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Gerd Möllmann <gerd.moellmann <at> gmail.com>:
bug acknowledged by developer.
(Mon, 27 Jun 2022 13:27:01 GMT)
Full text and
rfc822 format available.
Message #67 received at 56108-done <at> debbugs.gnu.org (full text, mbox):
> Date: Fri, 24 Jun 2022 11:35:18 +0200
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Cc: 56108 <at> debbugs.gnu.org
>
> Please find patch attached.
>
> Some notes about the patch:
>
> * TRT, I think, would be to change the whole cacheing to use Lisp objects etc. I couldn't persuade myself
> to do that.
> * A less right thing, but better than the patch, would be to protect the cache entry in re_match_2_internal.
> But that requires interface changes because re_match_2_internal currently doesn't know about cash
> entries. I couldn't bring myself to do that either.
Good points.
Since there were no more comments, I've now installed this, and I'm
marking the bug done.
P.S. Gerd, please in the future try to remember to mention the bug
number in the commit log message. (I added it this time, but I cannot
be trusted to catch that every time ;-)
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#56108; Package
emacs.
(Mon, 27 Jun 2022 13:30:03 GMT)
Full text and
rfc822 format available.
Message #70 received at 56108-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
> P.S. Gerd, please in the future try to remember to mention the bug
> number in the commit log message. (I added it this time, but I cannot
> be trusted to catch that every time ;-)
I will try to remember, but I cannot be trusted either ;-).
Thanks!
[signature.asc (application/pgp-signature, attachment)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Tue, 26 Jul 2022 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 340 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.