GNU bug report logs - #77325
Crash in Fjson_parse_buffer: ZV changes underneath it?


Package: emacs; Reported by: Daniel Colascione <dancol@HIDDEN>; dated Fri, 28 Mar 2025 01:08:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 77325 <at> debbugs.gnu.org:


Date: Sat, 29 Mar 2025 15:37:17 +0000
To: Eli Zaretskii <eliz@HIDDEN>
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
Message-ID: <87jz87j1bw.fsf@HIDDEN>
In-Reply-To: <86bjtk6mgd.fsf@HIDDEN>
References: <m1r02i0xqh.fsf@HIDDEN> <86tt7da006.fsf@HIDDEN>
 <m1tt7dfdn5.fsf@HIDDEN> <87cye1jiwp.fsf@HIDDEN>
 <86h63d9l0l.fsf@HIDDEN> <874izdjdkw.fsf@HIDDEN>
 <86a5949ul0.fsf@HIDDEN> <87v7rshx3x.fsf@HIDDEN>
 <86bjtk6mgd.fsf@HIDDEN>
Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org

"Eli Zaretskii" <eliz@HIDDEN> writes:

>> Date: Sat, 29 Mar 2025 11:53:49 +0000
>> From: Pip Cet <pipcet@HIDDEN>
>> Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org
>>
>> "Eli Zaretskii" <eliz@HIDDEN> writes:
>>
>> Simply replacing Z_ADDR by ZV_ADDR would still set up the primary region
>> to be [PT, GPT].  If GPT > ZV, that would mean that the primary region
>> extends beyond ZV, which would mean we parse buffer text that should be
>> inaccessible.
>>
>> So, in this case, we need to limit the primary region to end at ZV_ADDR.
>> That's what my patch does.
>>
>> The code for the secondary region is correct, if unnecessary because
>> sending up a paradoxical [GPT, ZV] range if ZV < GPT wouldn't hurt.
>>
>> > In addition, the value of 'end' should be limited to not exceed
>> > ZV_ADDR.  Or what am I missing?
>>
>> That's what my patch does, yes.
>>
>> > IOW, why does json-parse-buffer ignore the restriction?  No other
>> > primitive does, with rare exceptions that are explicitly documented.
>>
>> I assumed it was an accident, and that's why my patch changes it to
>> respect the restriction.
>
> Sorry, I've misread your patch.

No problem at all.

The code does seem a bit complicated for what it's trying to achieve, to
be honest. I think it'd be clearer just to write:

  unsigned char *begin = PT_ADDR;
  unsigned char *end = min (GPT_ADDR, ZV_ADDR);
  unsigned char *secondary_begin = min (GAP_END_ADDR, ZV_ADDR);
  unsigned char *secondary_end = ZV_ADDR;

  json_parser_init (&p, conf, begin, end, secondary_begin,
                    secondary_end);

json_parser_init fixes up secondary_begin and secondary_end to be NULL
pointers in this case.

("min (GAP_END_ADDR, ZV_ADDR)" could also be replaced by just
"GAP_END_ADDR", since json_parser_init fixes paradoxical ranges itself,
but I think we should avoid ever creating those where possible.)

But if that's not okay, let me know and I'll push the other patch.

Pip





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Date: Sat, 29 Mar 2025 15:38:42 +0300
Message-Id: <86bjtk6mgd.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Pip Cet <pipcet@HIDDEN>
In-Reply-To: <87v7rshx3x.fsf@HIDDEN> (message from Pip Cet on Sat, 29
 Mar 2025 11:53:49 +0000)
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
References: <m1r02i0xqh.fsf@HIDDEN> <86tt7da006.fsf@HIDDEN>
 <m1tt7dfdn5.fsf@HIDDEN> <87cye1jiwp.fsf@HIDDEN>
 <86h63d9l0l.fsf@HIDDEN> <874izdjdkw.fsf@HIDDEN>
 <86a5949ul0.fsf@HIDDEN> <87v7rshx3x.fsf@HIDDEN>
Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org

> Date: Sat, 29 Mar 2025 11:53:49 +0000
> From: Pip Cet <pipcet@HIDDEN>
> Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org
> 
> "Eli Zaretskii" <eliz@HIDDEN> writes:
> 
> Simply replacing Z_ADDR by ZV_ADDR would still set up the primary region
> to be [PT, GPT].  If GPT > ZV, that would mean that the primary region
> extends beyond ZV, which would mean we parse buffer text that should be
> inaccessible.
> 
> So, in this case, we need to limit the primary region to end at ZV_ADDR.
> That's what my patch does.
> 
> The code for the secondary region is correct, if unnecessary because
> sending up a paradoxical [GPT, ZV] range if ZV < GPT wouldn't hurt.
> 
> > In addition, the value of 'end' should be limited to not exceed
> > ZV_ADDR.  Or what am I missing?
> 
> That's what my patch does, yes.
> 
> > IOW, why does json-parse-buffer ignore the restriction?  No other
> > primitive does, with rare exceptions that are explicitly documented.
> 
> I assumed it was an accident, and that's why my patch changes it to
> respect the restriction.

Sorry, I've misread your patch.  It's fine (but please don't use
braces for a 1-line block).




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Date: Sat, 29 Mar 2025 11:53:49 +0000
To: Eli Zaretskii <eliz@HIDDEN>
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
Message-ID: <87v7rshx3x.fsf@HIDDEN>
In-Reply-To: <86a5949ul0.fsf@HIDDEN>
References: <m1r02i0xqh.fsf@HIDDEN> <86tt7da006.fsf@HIDDEN>
 <m1tt7dfdn5.fsf@HIDDEN> <87cye1jiwp.fsf@HIDDEN>
 <86h63d9l0l.fsf@HIDDEN> <874izdjdkw.fsf@HIDDEN>
 <86a5949ul0.fsf@HIDDEN>
Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org

"Eli Zaretskii" <eliz@HIDDEN> writes:

>> Date: Fri, 28 Mar 2025 17:00:24 +0000
>> From: Pip Cet <pipcet@HIDDEN>
>> Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org
>>
>> "Eli Zaretskii" <eliz@HIDDEN> writes:
>>
>> >> Date: Fri, 28 Mar 2025 15:05:22 +0000
>> >> From: Pip Cet <pipcet@HIDDEN>
>> >> Cc: Eli Zaretskii <eliz@HIDDEN>, 77325 <at> debbugs.gnu.org
>> >>
>> >> "Daniel Colascione" <dancol@HIDDEN> writes:
>> >>
>> >> > Didn't have a good repro.  Pip's fix works though.  I was barking up
>> >> > the wrong tree: I'm parsing JSON out of a process buffer in a loop and
>> >> > dispatching commands as they come in. One of these commands switched the
>> >> > buffer, so in the next iteration of the loop, I started parsing JSON out
>> >> > of some other random buffer.  It just so happened that other buffer was
>> >> > narrowed, so we crashed.  I'll let Pip do the honors of checking in the
>> >> > fix if he wants.
>> >>
>> >> Eli, is that okay?  I'll simplify the else branch, which has an
>> >> unnecessary "else if" in the original patch.
>> >
>> > Can we discuss why you don't simply replace Z with ZV and BEG with
>> > BEGV?  I'm not sure I understand some parts of the change you
>> > proposed.
>>
>> Because the code assumes GPT <= Z, and GPT <= ZV isn't always true.
>
> Sorry, I don't understand: if the gap is beyond ZV, then there's no
> "secondary" region for json.c's purposes, which AFAIU is the only
> thing json-parse-buffer needs to know.

It's about the primary selection, not the secondary one.

The code currently reads:

  unsigned char *begin = PT_ADDR;
  unsigned char *end = GPT_ADDR;
  unsigned char *secondary_begin = NULL;
  unsigned char *secondary_end = NULL;
  if (GPT_ADDR < Z_ADDR)
    {
      secondary_begin = GAP_END_ADDR;
      if (secondary_begin < PT_ADDR)
        secondary_begin = PT_ADDR;
      secondary_end = Z_ADDR;
    }

Simply replacing Z_ADDR by ZV_ADDR would still set up the primary region
to be [PT, GPT].  If GPT > ZV, that would mean that the primary region
extends beyond ZV, which would mean we parse buffer text that should be
inaccessible.

So, in this case, we need to limit the primary region to end at ZV_ADDR.
That's what my patch does.

The code for the secondary region is correct, if unnecessary because
sending up a paradoxical [GPT, ZV] range if ZV < GPT wouldn't hurt.

> In addition, the value of 'end' should be limited to not exceed
> ZV_ADDR.  Or what am I missing?

That's what my patch does, yes.

> IOW, why does json-parse-buffer ignore the restriction?  No other
> primitive does, with rare exceptions that are explicitly documented.

I assumed it was an accident, and that's why my patch changes it to
respect the restriction.

Pip
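The region set-up quoted just above (bounded by Z) and the clamped version Pip proposes in his later reply near the top of this page, side by side in a self-contained C model. This is an added illustration, not Emacs code: it assumes a simplified gap buffer with 0-based byte offsets whose fields are named after the Emacs macros (PT, GPT, GAP_SIZE, Z, ZV), a constructed make_buffer/overrun harness, and copies only the NULL treatment of an empty secondary range that the thread attributes to json_parser_init.

```c
/* Model of an Emacs gap buffer and of the two regions Fjson_parse_buffer hands
   to json_parser_init.  Added illustration, not Emacs code; 0-based offsets.  */
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define CAPACITY 64
#define MIN_ADDR(a, c) ((a) < (c) ? (a) : (c))

struct gap_buffer {
    unsigned char text[CAPACITY];
    size_t gpt;      /* text offset at which the gap starts (GPT)      */
    size_t gap_size; /* length of the gap in bytes (GAP_SIZE)           */
    size_t z;        /* bytes of buffer text, gap excluded (Z)          */
    size_t pt;       /* point, as a text offset (PT)                    */
    size_t zv;       /* end of the accessible portion, text offset (ZV) */
};

struct regions {
    unsigned char *begin, *end;                     /* primary [begin, end)   */
    unsigned char *secondary_begin, *secondary_end; /* after the gap, or NULL */
};

/* Address of text offset POS; text at or after GPT lives past the gap
   (the rule of Emacs's BUF_BYTE_ADDRESS).  */
static unsigned char *addr_of(struct gap_buffer *b, size_t pos)
{
    return b->text + pos + (pos >= b->gpt ? b->gap_size : 0);
}

/* The set-up quoted in the thread: bounded by Z, so narrowing is ignored.  */
struct regions regions_old(struct gap_buffer *b)
{
    struct regions r = { 0 };
    unsigned char *gpt_addr = b->text + b->gpt;
    unsigned char *z_addr = addr_of(b, b->z);
    r.begin = addr_of(b, b->pt);
    r.end = gpt_addr;
    if (gpt_addr < z_addr) {                        /* text exists after the gap */
        r.secondary_begin = gpt_addr + b->gap_size; /* GAP_END_ADDR */
        if (r.secondary_begin < r.begin)
            r.secondary_begin = r.begin;
        r.secondary_end = z_addr;
    }
    return r;
}

/* The simplified set-up proposed in the thread: every bound clamped to ZV.  */
struct regions regions_fixed(struct gap_buffer *b)
{
    struct regions r = { 0 };
    unsigned char *gpt_addr = b->text + b->gpt;
    unsigned char *zv_addr = addr_of(b, b->zv);
    r.begin = addr_of(b, b->pt);
    r.end = MIN_ADDR(gpt_addr, zv_addr);
    r.secondary_begin = MIN_ADDR(gpt_addr + b->gap_size, zv_addr);
    r.secondary_end = zv_addr;
    if (r.secondary_begin >= r.secondary_end)       /* empty or paradoxical: */
        r.secondary_begin = r.secondary_end = NULL; /* what json_parser_init does */
    return r;
}

/* Bytes of [lo, hi) at or beyond LIMIT; empty/paradoxical ranges count 0.  */
static size_t bytes_past(unsigned char *lo, unsigned char *hi, unsigned char *limit)
{
    if (lo == NULL || hi <= lo) return 0;
    unsigned char *from = lo > limit ? lo : limit;
    return hi > from ? (size_t)(hi - from) : 0;
}

/* Bytes outside the restriction the parser would be handed (0: respects ZV).  */
size_t bytes_beyond_zv(struct regions r, struct gap_buffer *b)
{
    unsigned char *zv_addr = addr_of(b, b->zv);
    return bytes_past(r.begin, r.end, zv_addr)
         + bytes_past(r.secondary_begin, r.secondary_end, zv_addr);
}

/* Constructed buffer: Z bytes of text ('.') with a GAP_SIZE-byte gap ('#') at GPT.  */
struct gap_buffer make_buffer(size_t z, size_t gpt, size_t gap_size, size_t pt, size_t zv)
{
    struct gap_buffer b = { .gpt = gpt, .gap_size = gap_size, .z = z, .pt = pt, .zv = zv };
    assert(z + gap_size <= CAPACITY && gpt <= z && zv <= z && pt <= zv);
    memset(b.text, '.', CAPACITY);
    memset(b.text + gpt, '#', gap_size);
    return b;
}

/* Bytes past ZV with the old (FIXED == 0) or clamped (FIXED != 0) set-up.  */
size_t overrun(int fixed, size_t z, size_t gpt, size_t gap_size, size_t pt, size_t zv)
{
    struct gap_buffer b = make_buffer(z, gpt, gap_size, pt, zv);
    struct regions r = fixed ? regions_fixed(&b) : regions_old(&b);
    return bytes_beyond_zv(r, &b);
}

int main(void)
{   /* reported crash: narrowed so ZV < GPT; then a gap inside the restriction */
    printf("ZV < GPT: old=%zu fixed=%zu\n",
           overrun(0, 20, 15, 10, 2, 8), overrun(1, 20, 15, 10, 2, 8));
    printf("GPT < ZV: old=%zu fixed=%zu\n",
           overrun(0, 20, 5, 10, 2, 12), overrun(1, 20, 5, 10, 2, 12));
}
```

With the gap beyond ZV the old set-up hands the parser 12 bytes past the restriction (7 from the primary region, 5 from the secondary one); with the gap inside the restriction only the secondary region overruns, and the clamped version reads nothing past ZV in either layout.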





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Date: Sat, 29 Mar 2025 10:14:51 +0300
Message-Id: <86a5949ul0.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Pip Cet <pipcet@HIDDEN>
In-Reply-To: <874izdjdkw.fsf@HIDDEN> (message from Pip Cet on Fri, 28
 Mar 2025 17:00:24 +0000)
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
References: <m1r02i0xqh.fsf@HIDDEN> <86tt7da006.fsf@HIDDEN>
 <m1tt7dfdn5.fsf@HIDDEN> <87cye1jiwp.fsf@HIDDEN>
 <86h63d9l0l.fsf@HIDDEN> <874izdjdkw.fsf@HIDDEN>
Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org

> Date: Fri, 28 Mar 2025 17:00:24 +0000
> From: Pip Cet <pipcet@HIDDEN>
> Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org
> 
> "Eli Zaretskii" <eliz@HIDDEN> writes:
> 
> >> Date: Fri, 28 Mar 2025 15:05:22 +0000
> >> From: Pip Cet <pipcet@HIDDEN>
> >> Cc: Eli Zaretskii <eliz@HIDDEN>, 77325 <at> debbugs.gnu.org
> >>
> >> "Daniel Colascione" <dancol@HIDDEN> writes:
> >>
> >> > Didn't have a good repro.  Pip's fix works though.  I was barking up
> >> > the wrong tree: I'm parsing JSON out of a process buffer in a loop and
> >> > dispatching commands as they come in. One of these commands switched the
> >> > buffer, so in the next iteration of the loop, I started parsing JSON out
> >> > of some other random buffer.  It just so happened that other buffer was
> >> > narrowed, so we crashed.  I'll let Pip do the honors of checking in the
> >> > fix if he wants.
> >>
> >> Eli, is that okay?  I'll simplify the else branch, which has an
> >> unnecessary "else if" in the original patch.
> >
> > Can we discuss why you don't simply replace Z with ZV and BEG with
> > BEGV?  I'm not sure I understand some parts of the change you
> > proposed.
> 
> Because the code assumes GPT <= Z, and GPT <= ZV isn't always true.

Sorry, I don't understand: if the gap is beyond ZV, then there's no
"secondary" region for json.c's purposes, which AFAIU is the only
thing json-parse-buffer needs to know.  In addition, the value of
'end' should be limited to not exceed ZV_ADDR.  Or what am I missing?

IOW, why does json-parse-buffer ignore the restriction?  No other
primitive does, with rare exceptions that are explicitly documented.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Date: Fri, 28 Mar 2025 17:00:24 +0000
To: Eli Zaretskii <eliz@HIDDEN>
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
Message-ID: <874izdjdkw.fsf@HIDDEN>
In-Reply-To: <86h63d9l0l.fsf@HIDDEN>
References: <m1r02i0xqh.fsf@HIDDEN> <86tt7da006.fsf@HIDDEN>
 <m1tt7dfdn5.fsf@HIDDEN> <87cye1jiwp.fsf@HIDDEN>
 <86h63d9l0l.fsf@HIDDEN>
Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org

"Eli Zaretskii" <eliz@HIDDEN> writes:

>> Date: Fri, 28 Mar 2025 15:05:22 +0000
>> From: Pip Cet <pipcet@HIDDEN>
>> Cc: Eli Zaretskii <eliz@HIDDEN>, 77325 <at> debbugs.gnu.org
>>
>> "Daniel Colascione" <dancol@HIDDEN> writes:
>>
>> > Didn't have a good repro.  Pip's fix works though.  I was barking up
>> > the wrong tree: I'm parsing JSON out of a process buffer in a loop and
>> > dispatching commands as they come in. One of these commands switched the
>> > buffer, so in the next iteration of the loop, I started parsing JSON out
>> > of some other random buffer.  It just so happened that other buffer was
>> > narrowed, so we crashed.  I'll let Pip do the honors of checking in the
>> > fix if he wants.
>>
>> Eli, is that okay?  I'll simplify the else branch, which has an
>> unnecessary "else if" in the original patch.
>
> Can we discuss why you don't simply replace Z with ZV and BEG with
> BEGV?  I'm not sure I understand some parts of the change you
> proposed.

Because the code assumes GPT <= Z, and GPT <= ZV isn't always true.

Pip





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Date: Fri, 28 Mar 2025 19:29:14 +0300
Message-Id: <86h63d9l0l.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Pip Cet <pipcet@HIDDEN>
In-Reply-To: <87cye1jiwp.fsf@HIDDEN> (message from Pip Cet on Fri, 28
 Mar 2025 15:05:22 +0000)
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
References: <m1r02i0xqh.fsf@HIDDEN> <86tt7da006.fsf@HIDDEN>
 <m1tt7dfdn5.fsf@HIDDEN> <87cye1jiwp.fsf@HIDDEN>
Cc: dancol@HIDDEN, 77325 <at> debbugs.gnu.org

> Date: Fri, 28 Mar 2025 15:05:22 +0000
> From: Pip Cet <pipcet@HIDDEN>
> Cc: Eli Zaretskii <eliz@HIDDEN>, 77325 <at> debbugs.gnu.org
> 
> "Daniel Colascione" <dancol@HIDDEN> writes:
> 
> > Didn't have a good repro.  Pip's fix works though.  I was barking up
> > the wrong tree: I'm parsing JSON out of a process buffer in a loop and
> > dispatching commands as they come in. One of these commands switched the
> > buffer, so in the next iteration of the loop, I started parsing JSON out
> > of some other random buffer.  It just so happened that other buffer was
> > narrowed, so we crashed.  I'll let Pip do the honors of checking in the
> > fix if he wants.
> 
> Eli, is that okay?  I'll simplify the else branch, which has an
> unnecessary "else if" in the original patch.

Can we discuss why you don't simply replace Z with ZV and BEG with
BEGV?  I'm not sure I understand some parts of the change you
proposed.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Date: Fri, 28 Mar 2025 19:21:57 +0300
Message-Id: <86jz899lcq.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Daniel Colascione <dancol@HIDDEN>
In-Reply-To: <m1tt7dfdn5.fsf@HIDDEN> (message from Daniel Colascione on
 Fri, 28 Mar 2025 10:11:58 -0400)
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
References: <m1r02i0xqh.fsf@HIDDEN> <86tt7da006.fsf@HIDDEN>
 <m1tt7dfdn5.fsf@HIDDEN>
Cc: pipcet@HIDDEN, 77325 <at> debbugs.gnu.org

> From: Daniel Colascione <dancol@HIDDEN>
> Cc: 77325 <at> debbugs.gnu.org, Pip Cet <pipcet@HIDDEN>
> Date: Fri, 28 Mar 2025 10:11:58 -0400
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> Didn't have a good repro.  Pip's fix works though.  I was barking up
> the wrong tree: I'm parsing JSON out of a process buffer in a loop and
> dispatching commands as they come in. One of these commands switched the
> buffer, so in the next iteration of the loop, I started parsing JSON out
> of some other random buffer.  It just so happened that other buffer was
> narrowed, so we crashed.  I'll let Pip do the honors of checking in the
> fix if he wants.

I think we should simply replace each BEG with BEGV and each Z with
ZV.  Emacs should never look outside of the current restriction.

> IGC does GC all the time --- but it's not observable because we pump
> messages from the GC only at dedicated points and run GC hooks only in
> response to these messages. however, notice that on the IGC branch that
> we pump GC messages, including finalizer callbacks, on the allocation
> path for, e.g. various pseudovectors.

You mean, we'll run Lisp as part of displaying messages?  Or what do
you mean by "pump GC messages"?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Received: (at 77325) by debbugs.gnu.org; 28 Mar 2025 15:05:40 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Mar 28 11:05:39 2025
Received: from localhost ([127.0.0.1]:55101 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1tyBH9-0007kr-G7
	for submit <at> debbugs.gnu.org; Fri, 28 Mar 2025 11:05:39 -0400
Received: from mail-24418.protonmail.ch ([109.224.244.18]:22899)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1tyBH6-0007ka-O4
 for 77325 <at> debbugs.gnu.org; Fri, 28 Mar 2025 11:05:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1743174329; x=1743433529;
 bh=217y7V08Lrd2E3xD+9r1hH7a5Tx7rPYgRNPzvuxRojY=;
 h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
 Message-ID:BIMI-Selector:List-Unsubscribe:List-Unsubscribe-Post;
 b=luIl0iFz1nZO6MjtB+jS2lw7SFHNh4XW0ZLgydLnhlRM/cYnH1nI5OqqACtumrFig
 4cSrDgUQ1PtSqYovEoXoOYwcE0YGuMhoDTWMU38q24kol3NpOEQSO/IltYQzoMPFL+
 IizyufMGA1rol9QefweZKtcCQhgP+rEO0WKdCcnO3pu2JBZ3Ys/7JhZBihtIHVF2pk
 tKW87+ke2hO0/4I4kXkaS90ydlch/PShjhFXb6Z3zGznPQploE5JXVmJye9olkV4x/
 j2IW8yZ5sukKIfrRBKBLTuSoiusa5vK40rfvSA3O6nVG//oUWx1yuCrOOPmqgXGxnQ
 AAkdpA3cdHAHg==
Date: Fri, 28 Mar 2025 15:05:22 +0000
To: Daniel Colascione <dancol@HIDDEN>
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
Message-ID: <87cye1jiwp.fsf@HIDDEN>
In-Reply-To: <m1tt7dfdn5.fsf@HIDDEN>
References: <m1r02i0xqh.fsf@HIDDEN> <86tt7da006.fsf@HIDDEN>
 <m1tt7dfdn5.fsf@HIDDEN>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: 6595725db87673d0e5f64a6efeb9d0b0f1f5c054
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 77325
Cc: Eli Zaretskii <eliz@HIDDEN>, 77325 <at> debbugs.gnu.org
X-Spam-Score: -1.0 (-)

"Daniel Colascione" <dancol@HIDDEN> writes:

> Eli Zaretskii <eliz@HIDDEN> writes:
>
>>> From: Daniel Colascione <dancol@HIDDEN>
>>> Date: Thu, 27 Mar 2025 21:07:02 -0400
>>>
>>>
>>> Somehow, the buffer changes underneath json_parse.  We pass an
>>> out-of-bounds position to SET_PT_BOTH (position, byte), which either
>>> asserts or crashes.  Not sure how the buffer could have changed ---
>>> maybe a handler-bind?  The JSON parser doesn't seem to do anything
>>> except allocate and signal.
>>
>> Can you post a recipe for reproducing this?
>
> Didn't have a good repro.  Pip's fix works though.  I was barking up
> the wrong tree: I'm parsing JSON out of a process buffer in a loop and
> dispatching commands as they come in. One of these commands switched the
> buffer, so in the next iteration of the loop, I started parsing JSON out
> of some other random buffer.  It just so happened that other buffer was
> narrowed, so we crashed.  I'll let Pip do the honors of checking in the
> fix if he wants.

Eli, is that okay?  I'll simplify the else branch, which has an
unnecessary "else if" in the original patch.

> I initially thought a GC finalizer might have been switching the buffer,
> but turns out GC doesn't actually run for me while parsing.

json.c assumes no GC on the master branch, because it doesn't protect
its object workspace (and possibly for other reasons).

> IGC does GC all the time --- but it's not observable because we pump
> messages from the GC only at dedicated points and run GC hooks only in
> response to these messages. However, notice that on the IGC branch
> we pump GC messages, including finalizer callbacks, on the allocation
> path for, e.g. various pseudovectors.  That'll cause Lisp to run where
> it wouldn't have before. Is that going to be a problem?  ISTM we can
> either pump messages in maybe_quit() or just rely on igc_on_idle().

Oh, I forgot about that one!  I'll open a new bug so this gets a
number: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77338

Pip





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Received: (at 77325) by debbugs.gnu.org; 28 Mar 2025 14:12:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Mar 28 10:12:09 2025
Received: from localhost ([127.0.0.1]:55010 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1tyARM-0005EK-Ha
	for submit <at> debbugs.gnu.org; Fri, 28 Mar 2025 10:12:08 -0400
Received: from dancol.org ([2600:3c01:e000:3d8::1]:59676)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <dancol@HIDDEN>) id 1tyARF-0005Dj-9s
 for 77325 <at> debbugs.gnu.org; Fri, 28 Mar 2025 10:12:02 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dancol.org; 
 s=x;
 h=Content-Type:MIME-Version:Message-ID:Date:References:In-Reply-To:
 Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=WkQRDl+4ctv9rYaWsnkMyHe5nPvlHkQs6AOgSpdgLFg=; b=VSbm2tqNY91GVFUj28rybkz+YM
 QyP/Of4bzV2K7tiFh3WaWcO5uPJJvCWlXKEKus7IL34gXjjp9YgzVQs7zvNlghFSMrga31XSZzj0k
 PWA2ngZY+VMrvvPDbeDwKvbgVfdpBodHwwTgK2M/7HTV7t9tZz2FLgyrIo/bWRPClUq52jWtQFxVa
 ouC5iZ06FW9d9MSudwRbpAabsHQfm88IIq9jXwmyG4pqJ56IRZL/iNpL4xIIx6o3jFiqRbyy7clqY
 Xic/PYExUTGgQ5Wrgi9rXygnqXAWEadXkTHRncFbtE/zpqYJ+sf78pN/o0hBZQ/UXXK2gyG7sZolM
 ZWewHJjw==;
Received: from dancol by dancol.org with local (Exim 4.96)
 (envelope-from <dancol@HIDDEN>) id 1tyAQo-004Jwd-2O;
 Fri, 28 Mar 2025 10:11:34 -0400
From: Daniel Colascione <dancol@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
In-Reply-To: <86tt7da006.fsf@HIDDEN>
References: <m1r02i0xqh.fsf@HIDDEN> <86tt7da006.fsf@HIDDEN>
User-Agent: mu4e 1.12.8; emacs 31.0.50
Date: Fri, 28 Mar 2025 10:11:58 -0400
Message-ID: <m1tt7dfdn5.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 77325
Cc: Pip Cet <pipcet@HIDDEN>, 77325 <at> debbugs.gnu.org
X-Spam-Score: -1.0 (-)

Eli Zaretskii <eliz@HIDDEN> writes:

>> From: Daniel Colascione <dancol@HIDDEN>
>> Date: Thu, 27 Mar 2025 21:07:02 -0400
>> 
>> 
>> Somehow, the buffer changes underneath json_parse.  We pass an
>> out-of-bounds position to SET_PT_BOTH (position, byte), which either
>> asserts or crashes.  Not sure how the buffer could have changed ---
>> maybe a handler-bind?  The JSON parser doesn't seem to do anything
>> except allocate and signal.
>
> Can you post a recipe for reproducing this?

Didn't have a good repro.  Pip's fix works though.  I was barking up
the wrong tree: I'm parsing JSON out of a process buffer in a loop and
dispatching commands as they come in. One of these commands switched the
buffer, so in the next iteration of the loop, I started parsing JSON out
of some other random buffer.  It just so happened that other buffer was
narrowed, so we crashed.  I'll let Pip do the honors of checking in the
fix if he wants.

I initially thought a GC finalizer might have been switching the buffer,
but turns out GC doesn't actually run for me while parsing.

IGC does GC all the time --- but it's not observable because we pump
messages from the GC only at dedicated points and run GC hooks only in
response to these messages. However, notice that on the IGC branch
we pump GC messages, including finalizer callbacks, on the allocation
path for, e.g. various pseudovectors.  That'll cause Lisp to run where
it wouldn't have before. Is that going to be a problem?  ISTM we can
either pump messages in maybe_quit() or just rely on igc_on_idle().





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Received: (at 77325) by debbugs.gnu.org; 28 Mar 2025 11:05:41 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Mar 28 07:05:40 2025
Received: from localhost ([127.0.0.1]:53059 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ty7Wu-00047Q-Gp
	for submit <at> debbugs.gnu.org; Fri, 28 Mar 2025 07:05:40 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:53972)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <eliz@HIDDEN>) id 1ty7Ws-00047C-6U
 for 77325 <at> debbugs.gnu.org; Fri, 28 Mar 2025 07:05:38 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1ty7Wm-0006Dj-M4; Fri, 28 Mar 2025 07:05:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date:
 mime-version; bh=DSluQR00G8eE5zJI0mpoyXGnTbhA6WtJJqEmPsq8EZ8=; b=pcZZvMLeY3CS
 tPd0tufiXnxqXAHMDKBi/M6nSA/4DAN9VILaquyVmae8ANwwIoRrNyYAb9LQ9eQJNoaEJ6YvnJ9pD
 8ExXuoRvyCIwP+9eIuZ8ASyqZmuTk3p55+1n6UEEA3dBLXf6yQB6NJB1Iki8Y3rNs/xR2ZYAFjZM5
 gk9LXw6Y8dw/cVO6Mlh1Y25YOgPWDz+KJ8UvFapTADzZLbfSbk+x8hfClSw+Tikf8ioxz9zjRzQY2
 5xC2MkzY+omqsuJrnN0UJEQdPHQYqw4MeR/IKweQfFVq7O1Itm/OWZH/dRd+CU0+eTiB2pO//Llzu
 wyZhL/M+34oKnfI0LMjQBw==;
Date: Fri, 28 Mar 2025 14:05:29 +0300
Message-Id: <86tt7da006.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Daniel Colascione <dancol@HIDDEN>
In-Reply-To: <m1r02i0xqh.fsf@HIDDEN> (message from Daniel Colascione on
 Thu, 27 Mar 2025 21:07:02 -0400)
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
References: <m1r02i0xqh.fsf@HIDDEN>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77325
Cc: 77325 <at> debbugs.gnu.org
X-Spam-Score: -3.3 (---)

> From: Daniel Colascione <dancol@HIDDEN>
> Date: Thu, 27 Mar 2025 21:07:02 -0400
> 
> 
> Somehow, the buffer changes underneath json_parse.  We pass an
> out-of-bounds position to SET_PT_BOTH (position, byte), which either
> asserts or crashes.  Not sure how the buffer could have changed ---
> maybe a handler-bind?  The JSON parser doesn't seem to do anything
> except allocate and signal.

Can you post a recipe for reproducing this?

>   own_text = {
>     beg = 0x0000000130088000 ""
>     gpt = 1
>     z = 74465
>     gpt_byte = 1
>     z_byte = 76476
>     gap_size = 60247
>     modiff = 15338
>     chars_modiff = 15338
>     save_modiff = 1
>     overlay_modiff = 757
>     compact = 1
>     beg_unchanged = 0
>     end_unchanged = 0
>     unchanged_modified = 4374
>     overlay_unchanged_modified = 755
>     intervals = 0x000000011f38caa8
>     markers = 0x000000011ffa4288
>     inhibit_shrinking = false
>     redisplay = true
>   }
>   text = 0x000000011e011268
>   pt = 1
>   pt_byte = 1
>   begv = 1
>   begv_byte = 1
>   zv = 1
>   zv_byte = 1

This seems to tell that the buffer is narrowed to an empty region.
Does that make sense in the scenario where you had this problem?

> (lldb) print p.point_of_current_line 
> (ptrdiff_t) 1
> (lldb) print p.current_column 
> (ptrdiff_t) 6
> 
> input_begin = 0x0000000130096b57 "\n     6 pass\n     620 skip\n [...]
> input_current = 0x0000000130096b5e " pass\n     620 skip\n

Given BEGV and ZV, this seems to mean we are accessing beyond the
restriction, which should never happen.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at 77325 <at> debbugs.gnu.org:


Received: (at 77325) by debbugs.gnu.org; 28 Mar 2025 02:43:54 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Mar 27 22:43:54 2025
Received: from localhost ([127.0.0.1]:52079 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1txzhJ-00054w-T5
	for submit <at> debbugs.gnu.org; Thu, 27 Mar 2025 22:43:54 -0400
Received: from mail-24417.protonmail.ch ([109.224.244.17]:21407)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1txzhF-00054W-3E
 for 77325 <at> debbugs.gnu.org; Thu, 27 Mar 2025 22:43:51 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1743129821; x=1743389021;
 bh=KG/7CFxiwJgp5jdO7LuoM1CE2ZlnsUiiMoCfEkOtJiM=;
 h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
 Message-ID:BIMI-Selector:List-Unsubscribe:List-Unsubscribe-Post;
 b=cFHfFGq7wTnYav1lAF5QzH3nXNiFW8Gecj11ZQ/Amea7z+P7H2dHi8ZrYnNuZXpDJ
 22Rt2HUpZcvnxpDUSleMalppBDIthD8LLx+rZH4Wc22sRK17KytZDNfomUFOTQ8Zlq
 phEug7Zm0Hp+WWTo0+7I1RDGW81T1SHvyqMcbMDVceffQsgiE3p7i/AcejJL0+AP/1
 CwORfjscPUeggCX6AvGe9BiZixl2E11IpKzlRb6+cf6jUnsFwPGMoy/3p81MmVOuKe
 33oW5aeF9K0Qz8zHx0dIa4E18TwsVRlb75l8isgQ4scvwXKI80EBhwOUBuLzIHtLTV
 +e1a2voo7CsVw==
Date: Fri, 28 Mar 2025 02:43:36 +0000
To: Daniel Colascione <dancol@HIDDEN>
From: Pip Cet <pipcet@HIDDEN>
Subject: Re: bug#77325: Crash in Fjson_parse_buffer: ZV changes underneath it?
Message-ID: <871puhlvtd.fsf@HIDDEN>
In-Reply-To: <m1r02i0xqh.fsf@HIDDEN>
References: <m1r02i0xqh.fsf@HIDDEN>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: a589fe999ef1a9d578ca6fccd5424e49b43da24e
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 77325
Cc: 77325 <at> debbugs.gnu.org
X-Spam-Score: -1.0 (-)

"Daniel Colascione" <dancol@HIDDEN> writes:

> Somehow, the buffer changes underneath json_parse.  We pass an

Do we know that the buffer changed after we entered json-parse-buffer?
It looks to me like the buffer was narrowed to nothing before we called
json-parse-buffer, like this:

(with-temp-buffer
  (insert "3")
  (narrow-to-region (point-min) (point-min))
  (message "%S" (json-parse-buffer)))

json.c proceeds to read past ZV, all the way to Z, then hits the
assertion just as it did for you, so this code currently causes a crash.

Do you still see the crash if you change json-parse-buffer to honor
buffer narrowing, like this?

From 073c00135e6f0e213fc8671fc0a52a67ee5b56ce Mon Sep 17 00:00:00 2001
From: Pip Cet <pipcet@HIDDEN>
Subject: [PATCH] Respect narrowed buffers when parsing JSON (bug#77325)

* src/json.c (Fjson_parse_buffer): Only read to ZV, not all the way to
Z.
---
 src/json.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/json.c b/src/json.c
index f438d191bde..a0480718ca8 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1757,12 +1757,16 @@ DEFUN ("json-parse-buffer", Fjson_parse_buffer, Sjson_parse_buffer,
   unsigned char *end = GPT_ADDR;
   unsigned char *secondary_begin = NULL;
   unsigned char *secondary_end = NULL;
-  if (GPT_ADDR < Z_ADDR)
+  if (GPT_ADDR < ZV_ADDR)
     {
       secondary_begin = GAP_END_ADDR;
       if (secondary_begin < PT_ADDR)
 	secondary_begin = PT_ADDR;
-      secondary_end = Z_ADDR;
+      secondary_end = ZV_ADDR;
+    }
+  else if (ZV_ADDR < GPT_ADDR)
+    {
+      end = ZV_ADDR;
     }
 
   json_parser_init (&p, conf, begin, end, secondary_begin,
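Review bot: the new "else if (ZV_ADDR < GPT_ADDR)" guard is redundant and hides the intended invariant. When the first test "GPT_ADDR < ZV_ADDR" fails, either ZV_ADDR < GPT_ADDR and the new branch runs, or ZV_ADDR == GPT_ADDR and "end = ZV_ADDR" would just re-assign the GPT_ADDR that "end" was initialised to, so a plain "else end = ZV_ADDR;" is equivalent, and initialising "end" to the smaller of GPT_ADDR and ZV_ADDR would state the rule in one place. Worth a one-line comment above the hunk as well: both ranges handed to json_parser_init must now stop at ZV_ADDR, never Z_ADDR, so that a narrowed buffer cannot expose text outside the accessible region; "begin" still comes from PT_ADDR, which is only safe because point always lies within BEGV..ZV.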
-- 
2.48.1

> input_begin = 0x0000000130096b57 "\n     6 pass\n     620 skip\n [...]
> input_current = 0x0000000130096b5e " pass\n     620 skip\n
>
> The actual JSON we're parsing appears to be mangled somehow --- raw
> newlines embedded in the output instead of being encapsulated inside
> a string --- but that's a separate bug.

Certainly doesn't look like JSON, but maybe that's why it's outside the
accessible region?

Pip
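The two computations discussed above, the pre-patch one that runs to Z and the patched one that stops at ZV, side by side in a small C model. This is an added example, not code from Emacs, from the patch, or from anyone in this thread: the gap buffer, the names (gapbuf, pos_addr, make_window, compare_windows) and the sample text are all constructed for the illustration, and offsets are 0-based where Emacs uses 1-based positions. It reproduces the shape of the crash scenario (gap at the start of the text, BEGV == ZV == PT, tens of bytes of text beyond ZV) and also the case where ZV falls before the gap, which exercises the other branch of the patch.

```c
/* Added example, not code from Emacs or from the patch in this thread.
   A toy model of an Emacs-style gap buffer carrying a narrowing
   restriction BEGV..ZV inside the full text BEG..Z.  It shows why taking
   the json-parse-buffer input window from Z instead of ZV hands the
   parser bytes outside the accessible region, and what clamping to ZV
   changes.  Offsets are 0-based here (Emacs's are 1-based); the sample
   text and all names are constructed for the example. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct gapbuf {
  unsigned char *beg;      /* storage, BEG_ADDR */
  size_t gpt, gap_size;    /* gap position in text offsets, and its size */
  size_t z;                /* text bytes in the buffer, Z */
  size_t begv, zv;         /* restriction, 0 <= begv <= zv <= z */
  size_t pt;               /* point, begv <= pt <= zv */
};

/* BYTE_POS_ADDR: text offset to address, jumping the gap.  Offset GPT
   itself maps to the first byte after the gap. */
static unsigned char *pos_addr(const struct gapbuf *b, size_t pos)
{
  return b->beg + pos + (pos >= b->gpt ? b->gap_size : 0);
}

/* The two byte ranges handed to the parser: from point up to the gap,
   and from the gap end onward. */
struct window { unsigned char *begin, *end, *sec_begin, *sec_end; };

static size_t span(const unsigned char *lo, const unsigned char *hi)
{
  return hi > lo ? (size_t) (hi - lo) : 0;
}

/* LIMIT is Z_ADDR for the pre-patch shape and ZV_ADDR for the patched
   one; that single choice is the whole difference between them.  Since
   Z_ADDR is never below GPT_ADDR, the min() is a no-op for the old code. */
static struct window make_window(const struct gapbuf *b, unsigned char *limit)
{
  unsigned char *gpt_addr = b->beg + b->gpt;
  unsigned char *gap_end = gpt_addr + b->gap_size;
  struct window w = { pos_addr(b, b->pt),
                      limit < gpt_addr ? limit : gpt_addr, NULL, NULL };
  if (gpt_addr < limit)
    {
      w.sec_begin = gap_end < w.begin ? w.begin : gap_end;
      w.sec_end = limit;
    }
  return w;
}

static size_t window_bytes(struct window w)
{
  return span(w.begin, w.end) + span(w.sec_begin, w.sec_end);
}

/* Every non-empty range must lie inside [BEGV_ADDR, ZV_ADDR). */
static bool window_in_restriction(const struct gapbuf *b, struct window w)
{
  unsigned char *lo = pos_addr(b, b->begv), *hi = pos_addr(b, b->zv);
  bool primary_ok = span(w.begin, w.end) == 0
                    || (w.begin >= lo && w.end <= hi);
  bool secondary_ok = span(w.sec_begin, w.sec_end) == 0
                      || (w.sec_begin >= lo && w.sec_end <= hi);
  return primary_ok && secondary_ok;
}

/* Constructed sample text, 27 bytes, shaped like the report's buffer. */
static const unsigned char SAMPLE[] = "\n     6 pass\n     620 skip\n";
enum { GAP = 16 };

size_t sample_len(void) { return sizeof SAMPLE - 1; }

struct outcome { size_t z_bytes, zv_bytes; bool z_ok, zv_ok; };

/* Lay SAMPLE out around a gap at GPT, apply the restriction and point,
   and compute the Z-limited and ZV-limited windows. */
struct outcome compare_windows(size_t gpt, size_t begv, size_t zv, size_t pt)
{
  unsigned char store[sizeof SAMPLE + GAP];
  size_t n = sample_len();
  assert(gpt <= n && begv <= zv && zv <= n && begv <= pt && pt <= zv);
  memcpy(store, SAMPLE, gpt);
  memset(store + gpt, '#', GAP);              /* gap bytes are garbage */
  memcpy(store + gpt + GAP, SAMPLE + gpt, n - gpt);
  struct gapbuf b = { store, gpt, GAP, n, begv, zv, pt };
  struct window wz = make_window(&b, pos_addr(&b, b.z));
  struct window wzv = make_window(&b, pos_addr(&b, b.zv));
  struct outcome o = { window_bytes(wz), window_bytes(wzv),
                       window_in_restriction(&b, wz),
                       window_in_restriction(&b, wzv) };
  return o;
}

int main(void)
{
  /* The report: gap at offset 0, BEGV == ZV == PT == 0, text beyond ZV. */
  struct outcome empty = compare_windows(0, 0, 0, 0);
  printf("narrowed to nothing: Z-limited %zu bytes (inside restriction: %d), "
         "ZV-limited %zu bytes (inside restriction: %d)\n",
         empty.z_bytes, empty.z_ok, empty.zv_bytes, empty.zv_ok);
  /* ZV before the gap: the patch's second branch, end = ZV_ADDR. */
  struct outcome line = compare_windows(20, 0, 13, 0);
  printf("narrowed to 13 bytes: %zu vs %zu bytes\n", line.z_bytes, line.zv_bytes);
  /* No narrowing: both computations agree. */
  struct outcome whole = compare_windows(10, 0, sample_len(), 5);
  printf("unnarrowed: %zu vs %zu bytes\n", whole.z_bytes, whole.zv_bytes);
  return 0;
}
```

Build with "cc -std=c99 -Wall" and run. For the narrowed-to-nothing layout the Z-limited window covers all 27 sample bytes even though BEGV == ZV, which is the out-of-restriction read the eassert in set_point_both later catches; the ZV-limited window covers none. With ZV before the gap the old code still exposes all 27 bytes while the clamped one exposes exactly the 13 accessible ones, and without narrowing the two agree, so the patch changes nothing for the common case.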





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 28 Mar 2025 01:07:24 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Mar 27 21:07:24 2025
Received: from localhost ([127.0.0.1]:51983 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1txyBv-0000eZ-01
	for submit <at> debbugs.gnu.org; Thu, 27 Mar 2025 21:07:23 -0400
Received: from lists.gnu.org ([2001:470:142::17]:51312)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <dancol@HIDDEN>) id 1txyBm-0000eE-VQ
 for submit <at> debbugs.gnu.org; Thu, 27 Mar 2025 21:07:20 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <dancol@HIDDEN>) id 1txyBg-0005LX-VZ
 for bug-gnu-emacs@HIDDEN; Thu, 27 Mar 2025 21:07:09 -0400
Received: from dancol.org ([2600:3c01:e000:3d8::1])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <dancol@HIDDEN>) id 1txyBe-0002w7-O6
 for bug-gnu-emacs@HIDDEN; Thu, 27 Mar 2025 21:07:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dancol.org; 
 s=x;
 h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender:
 Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
 Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
 In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=yHsZMdbpmYCrks0J8W62rwwlz0Ad0IbMx52kv9zMVQ8=; b=KfU0xOlGZ11xEWMbN/IUxazj6C
 roB+xUOzk8BiAMrCur0DrGXtbzTDHhfusM/TFd28tqTmRLOfeN4cbYv47zxWJjAvm8EYEwvFMVpB4
 a/tkBEs5OyDdNHglS9BCmdToMOCuOhEgBKNNRgKo5QOG1bdTrkwd9FdIRCP2VbYTVil51UwtuTOWZ
 7AHN2TJTP6XaWEquw/h5Sn+zHtF6FzWegFPUcvmbPNICX1y0HvpQguDSB04DVNjLDYlzpULRbo92T
 ow6sfooNqysK3FcbT0yO9Y/mryEX/hj9gJoEwWUScnbVDmk3cPTP+zxSbedBbOujBJfjl8Ur7oVfO
 byFz3yfg==;
Received: from dancol by dancol.org with local (Exim 4.96)
 (envelope-from <dancol@HIDDEN>) id 1txyBC-004GV9-1E
 for bug-gnu-emacs@HIDDEN; Thu, 27 Mar 2025 21:06:38 -0400
From: Daniel Colascione <dancol@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: Crash in Fjson_parse_buffer: ZV changes underneath it?
User-Agent: mu4e 1.12.8; emacs 31.0.50
Date: Thu, 27 Mar 2025 21:07:02 -0400
Message-ID: <m1r02i0xqh.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: pass client-ip=2600:3c01:e000:3d8::1;
 envelope-from=dancol@HIDDEN; helo=dancol.org
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 0.9 (/)
X-Debbugs-Envelope-To: submit
X-Spam-Score: -0.1 (/)


Somehow, the buffer changes underneath json_parse.  We pass an
out-of-bounds position to SET_PT_BOTH (position, byte), which either
asserts or crashes.  Not sure how the buffer could have changed ---
maybe a handler-bind?  The JSON parser doesn't seem to do anything
except allocate and signal.

The buffer itself is plenty big enough --- it's just that the accessible
region has somehow shrunk to nothing.

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x000000010026d7a0 emacs`die(msg="charpos <= ZV && charpos >= BEGV", file="intervals.c", line=1873) at alloc.c:7450:12
    frame #1: 0x000000010037e3dc emacs`set_point_both(charpos=8, bytepos=8) at intervals.c:1873:3
    frame #2: 0x00000001003baf1c emacs`SET_PT_BOTH(position=8, byte=8) at buffer.h:182:3
  * frame #3: 0x00000001003bbadc emacs`Fjson_parse_buffer(nargs=6, args=(struct Lisp_Symbol *) $4 = 0x0000000270365e38) at json.c:1779:3
    frame #4: 0x00000001002bcd64 emacs`eval_sub(form=(struct Lisp_Cons *) $116 = 0x000000010831a440) at eval.c:2564:10


-> 1873	 eassert (charpos <= ZV && charpos >= BEGV);
   1874	
   1875	 have_overlays = buffer_has_overlays ();
   1876	
(lldb) print charpos
(ptrdiff_t) 8


(lldb) print *current_thread->m_current_buffer
(buffer) {
  header = (size = 4611686018645684300)
  name_ = 0x000000011ed08374 (struct Lisp_String *) $120 = 0x000000011ed08370
  last_name_ = 0x000000011ed08374 (struct Lisp_String *) $120 = 0x000000011ed08370
  filename_ = NULL
  directory_ = 0x0000000103708724 (struct Lisp_String *) $124 = 0x0000000103708720
  backed_up_ = NULL
  save_length_ = 0x0000000000000002 (EMACS_INT) $125 = 0
  auto_save_file_name_ = NULL
  read_only_ = NULL
  mark_ = 0x000000011e0113e5 (struct Lisp_Marker *) $128 = 0x000000011e0113e0
  local_var_alist_ = 0x000000012078c0b3 (struct Lisp_Cons *) $129 = 0x000000012078c0b0
  major_mode_ = 0x000000001f379d28 (struct Lisp_Symbol *) $131 = 0x000000011f8e8bc0
  local_minor_modes_ = 0x000000013042cff3 (struct Lisp_Cons *) $133 = 0x000000013042cff0
  mode_name_ = 0x000000013ee94fe4 (struct Lisp_String *) $134 = 0x000000013ee94fe0
  mode_line_format_ = 0x0000000110141db3 (struct Lisp_Cons *) $135 = 0x0000000110141db0
  header_line_format_ = NULL
  tab_line_format_ = NULL
  keymap_ = 0x00000001205abc33 (struct Lisp_Cons *) $136 = 0x00000001205abc30
  abbrev_table_ = 0x000000013f116a2d (struct Lisp_Obarray *) $139 = 0x000000013f116a28
  syntax_table_ = 0x000000013f116805 (struct Lisp_Vector *) $140 = 0x000000013f116800
  category_table_ = 0x000000010269d35d (struct Lisp_Vector *) $142 = 0x000000010269d358
  tab_width_ = 0x0000000000000022 (EMACS_INT) $143 = 8
  fill_column_ = 0x000000000000011a (EMACS_INT) $144 = 70
  left_margin_ = 0x0000000000000002 (EMACS_INT) $125 = 0
  auto_fill_function_ = NULL
  downcase_table_ = 0x000000010266a17d (struct Lisp_Vector *) $145 = 0x000000010266a178
  upcase_table_ = 0x00000001026590dd (struct Lisp_Vector *) $146 = 0x00000001026590d8
  case_canon_table_ = 0x000000010267b45d (struct Lisp_Vector *) $147 = 0x000000010267b458
  case_eqv_table_ = 0x000000010266a3bd (struct Lisp_Vector *) $148 = 0x000000010266a3b8
  truncate_lines_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  word_wrap_ = NULL
  ctl_arrow_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  bidi_display_reordering_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  bidi_paragraph_direction_ = NULL
  bidi_paragraph_separate_re_ = NULL
  bidi_paragraph_start_re_ = NULL
  selective_display_ = NULL
  selective_display_ellipses_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  overwrite_mode_ = NULL
  abbrev_mode_ = NULL
  display_table_ = NULL
  mark_active_ = NULL
  enable_multibyte_characters_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  buffer_file_coding_system_ = 0x00000000000127e0 (struct Lisp_Symbol *) $153 = 0x0000000100581678
  file_format_ = NULL
  auto_save_file_format_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  cache_long_scans_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  width_table_ = NULL
  pt_marker_ = NULL
  begv_marker_ = NULL
  zv_marker_ = NULL
  point_before_scroll_ = NULL
  file_truename_ = NULL
  invisibility_spec_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  last_selected_window_ = 0x0000000148490c15 (struct window *) $157 = 0x0000000148490c10
  display_count_ = 0x0000000000000006 (EMACS_INT) $159 = 1
  left_margin_cols_ = 0x0000000000000002 (EMACS_INT) $125 = 0
  right_margin_cols_ = 0x0000000000000002 (EMACS_INT) $125 = 0
  left_fringe_width_ = NULL
  right_fringe_width_ = NULL
  fringes_outside_margins_ = NULL
  scroll_bar_width_ = NULL
  scroll_bar_height_ = NULL
  vertical_scroll_bar_type_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  horizontal_scroll_bar_type_ = 0x0000000000000030 (struct Lisp_Symbol *) $150 = 0x000000010056eec8
  indicate_empty_lines_ = NULL
  indicate_buffer_boundaries_ = NULL
  fringe_indicator_alist_ = 0x0000000102656e8b (struct Lisp_Cons *) $160 = 0x0000000102656e88
  fringe_cursor_alist_ = 0x00000001026560db (struct Lisp_Cons *) $161 = 0x00000001026560d8
  display_time_ = 0x0000000110c15e73 (struct Lisp_Cons *) $162 = 0x0000000110c15e70
  scroll_up_aggressively_ = NULL
  scroll_down_aggressively_ = NULL
  cursor_type_ = NULL
  extra_line_spacing_ = NULL
  ts_parser_list_ = NULL
  text_conversion_style_ = NULL
  cursor_in_non_selected_windows_ = 0x0000000000009ba0 (struct Lisp_Symbol *) $164 = 0x0000000100578a38
  own_text = {
    beg = 0x0000000130088000 ""
    gpt = 1
    z = 74465
    gpt_byte = 1
    z_byte = 76476
    gap_size = 60247
    modiff = 15338
    chars_modiff = 15338
    save_modiff = 1
    overlay_modiff = 757
    compact = 1
    beg_unchanged = 0
    end_unchanged = 0
    unchanged_modified = 4374
    overlay_unchanged_modified = 755
    intervals = 0x000000011f38caa8
    markers = 0x000000011ffa4288
    inhibit_shrinking = false
    redisplay = true
  }
  text = 0x000000011e011268
  pt = 1
  pt_byte = 1
  begv = 1
  begv_byte = 1
  zv = 1
  zv_byte = 1
  base_buffer = NULL
  indirections = 0
  window_count = 1
  local_flags = "\0\0\0\0\0\0\0\0\U00000001\0\0\0\0\U00000001\0\U00000001\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\U00000001"
  modtime = (tv_sec = 0, tv_nsec = -2)
  modtime_size = -1
  auto_save_modified = 0
  display_error_modiff = 0
  auto_save_failure_time = 0
  last_window_start = 1
  newline_cache = 0x0000600000666300
  width_run_cache = NULL
  bidi_paragraph_cache = 0x000060000067afc0
  prevent_redisplay_optimizations_p = true
  clip_changed = true
  inhibit_buffer_hooks = false
  long_line_optimizations_p = false
  overlays = 0x00006000013c2a40
  undo_list_ = 0x0000000108985be3 (struct Lisp_Cons *) $166 = 0x0000000108985be0


(lldb) print p.point_of_current_line 
(ptrdiff_t) 1
(lldb) print p.current_column 
(ptrdiff_t) 6

input_begin = 0x0000000130096b57 "\n     6 pass\n     620 skip\n [...]
input_current = 0x0000000130096b5e " pass\n     620 skip\n

The actual JSON we're parsing appears to be mangled somehow --- raw
newlines embedded in the output instead of being encapsulated inside
a string --- but that's a separate bug.




Acknowledgement sent to Daniel Colascione <dancol@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#77325; Package emacs. Full text available.
Last modified: Sat, 29 Mar 2025 15:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.