Module assertions: check for garbage collections

It's technically possible to write a user pointer finalizer that calls into Emacs module functions. This would be disastrous because it would allow arbitrary Lisp code to run during garbage collection. Therefore extend the module assertions to check for this case. * src/emacs-module.c (module_assert_thread): Also check whether a garbage collection is in progress. * test/data/emacs-module/mod-test.c (invalid_finalizer) (Fmod_test_invalid_finalizer): New test module functions. (emacs_module_init): Register new test function. * test/src/emacs-module-tests.el (module--test-assertion) (module--with-temp-directory): New helper macros. (module--test-assertions--load-non-live-object): Rename existing unit test, use helper macros. (module--test-assertions--call-emacs-from-gc): New unit test.
author: Philipp Stephani 2017-07-04 22:50:46 +0200
committer: Philipp Stephani 2017-07-08 15:25:01 +0200
commit: b7dab24b7953f7a31b806f83e15043c94aaa7745 (patch)
tree: fc31284ef0fac82accddc573069652b1c8adccf0 /test
parent: a87d767c7acc43b3679d87d2d225b1edeb69326c (diff)
download: emacs-b7dab24b7953f7a31b806f83e15043c94aaa7745.tar.gz
emacs-b7dab24b7953f7a31b806f83e15043c94aaa7745.zip
2 files changed, 81 insertions, 29 deletions
diff --git a/test/data/emacs-module/mod-test.c b/test/data/emacs-module/mod-test.c
index eee9466c5d6..42e1c2bd4ae 100644
--- a/test/data/emacs-module/mod-test.c
+++ b/test/data/emacs-module/mod-test.c
@@ -235,6 +235,27 @@ Fmod_test_invalid_load (emacs_env *env, ptrdiff_t nargs, emacs_value *args,
  return invalid_stored_value;
 }
+/* An invalid finalizer: Finalizers are run during garbage collection,
+   where Lisp code can’t be executed.  -module-assertions tests for
+   this case.  */
+static emacs_env *current_env;
+static void
+invalid_finalizer (void *ptr)
+{
+  current_env->intern (current_env, "nil");
+}
+static emacs_value
+Fmod_test_invalid_finalizer (emacs_env *env, ptrdiff_t nargs, emacs_value *args,
+                             void *data)
+{
+  current_env = env;
+  env->make_user_ptr (env, invalid_finalizer, NULL);
+  return env->funcall (env, env->intern (env, "garbage-collect"), 0, NULL);
+}
 /* Lisp utilities for easier readability (simple wrappers).  */
@@ -300,6 +321,8 @@ emacs_module_init (struct emacs_runtime *ert)
  DEFUN ("mod-test-vector-eq", Fmod_test_vector_eq, 2, 2, NULL, NULL);
  DEFUN ("mod-test-invalid-store", Fmod_test_invalid_store, 0, 0, NULL, NULL);
  DEFUN ("mod-test-invalid-load", Fmod_test_invalid_load, 0, 0, NULL, NULL);
+  DEFUN ("mod-test-invalid-finalizer", Fmod_test_invalid_finalizer, 0, 0,
+         NULL, NULL);
 #undef DEFUN
diff --git a/test/src/emacs-module-tests.el b/test/src/emacs-module-tests.el
index a4994b6223b..988a7a178c6 100644
--- a/test/src/emacs-module-tests.el
+++ b/test/src/emacs-module-tests.el
@@ -182,37 +182,66 @@ changes."
  (should (equal (help-function-arglist #'mod-test-sum)
                 '(arg1 arg2))))
-(ert-deftest module--test-assertions ()
+(defmacro module--with-temp-directory (name &rest body)
-  "Check that -module-assertions work."
+  "Bind NAME to the name of a temporary directory and evaluate BODY.
+NAME must be a symbol.  Delete the temporary directory after BODY
+exits normally or non-locally.  NAME will be bound to the
+directory name (not the directory file name) of the temporary
+directory."
+  (declare (indent 1))
+  (cl-check-type name symbol)
+  `(let ((,name (file-name-as-directory
+                 (make-temp-file "emacs-module-test" :directory))))
+     (unwind-protect
+         (progn ,@body)
+       (delete-directory ,name :recursive))))
+(defmacro module--test-assertion (pattern &rest body)
+  "Test that PATTERN matches the assertion triggered by BODY.
+Run Emacs as a subprocess, load the test module `mod-test-file',
+and evaluate BODY.  Verify that Emacs aborts and prints a module
+assertion message that matches PATTERN.  PATTERN is evaluated and
+must evaluate to a regular expression string."
+  (declare (indent 1))
+  ;; To contain any core dumps.
+  `(module--with-temp-directory tempdir
+     (with-temp-buffer
+       (let* ((default-directory tempdir)
+              (status (call-process mod-test-emacs nil t nil
+                                    "-batch" "-Q" "-module-assertions" "-eval"
+                                    ,(prin1-to-string
+                                      `(progn
+                                         (require 'mod-test ,mod-test-file)
+                                         ,@body)))))
+         (should (stringp status))
+         ;; eg "Aborted" or "Abort trap: 6"
+         (should (string-prefix-p "Abort" status))
+         (search-backward "Emacs module assertion: ")
+         (goto-char (match-end 0))
+         (should (string-match-p ,pattern
+                                 (buffer-substring-no-properties
+                                  (point) (point-max))))))))
+(ert-deftest module--test-assertions--load-non-live-object ()
+  "Check that -module-assertions verify that non-live objects
+aren’t accessed."
  (skip-unless (file-executable-p mod-test-emacs))
  ;; This doesn’t yet cause undefined behavior.
  (should (eq (mod-test-invalid-store) 123))
-  ;; To contain any core dumps.
+  (module--test-assertion (rx "Emacs value not found in "
-  (let ((tempdir (make-temp-file "emacs-module-test" t)))
+                              (+ digit) " values of "
-    (unwind-protect
+                              (+ digit) " environments\n" eos)
-        (with-temp-buffer
+    ;; Storing and reloading a local value causes undefined behavior,
-          (should (string-match-p
+    ;; which should be detected by the module assertions.
-                   "Abort" ; eg "Aborted" or "Abort trap: 6"
+    (mod-test-invalid-store)
-                   (let ((default-directory tempdir))
+    (mod-test-invalid-load)))
-                     (call-process mod-test-emacs nil t nil
-                                   "-batch" "-Q" "-module-assertions" "-eval"
+(ert-deftest module--test-assertions--call-emacs-from-gc ()
-                                   (prin1-to-string
+  "Check that -module-assertions prevents calling Emacs functions
-                                    `(progn
+during garbage collection."
-                                       (require 'mod-test ,mod-test-file)
+  (skip-unless (file-executable-p mod-test-emacs))
-                                       ;; Storing and reloading a local
+  (module--test-assertion
-                                       ;; value causes undefined behavior,
+      (rx "Module function called during garbage collection\n" eos)
-                                       ;; which should be detected by the
+    (mod-test-invalid-finalizer)))
-                                       ;; module assertions.
-                                       (mod-test-invalid-store)
-                                       (mod-test-invalid-load)))))))
-          (search-backward "Emacs module assertion:")
-          (should (string-match-p (rx bos "Emacs module assertion: "
-                                      "Emacs value not found in "
-                                      (+ digit) " values of "
-                                      (+ digit) " environments" eos)
-                                  (buffer-substring-no-properties
-                                   (line-beginning-position)
-                                   (line-end-position)))))
-      (delete-directory tempdir t))))
 ;;; emacs-module-tests.el ends here
author	Philipp Stephani	2017-07-04 22:50:46 +0200
committer	Philipp Stephani	2017-07-08 15:25:01 +0200
commit	b7dab24b7953f7a31b806f83e15043c94aaa7745 (patch)
tree	fc31284ef0fac82accddc573069652b1c8adccf0 /test
parent	a87d767c7acc43b3679d87d2d225b1edeb69326c (diff)
download	emacs-b7dab24b7953f7a31b806f83e15043c94aaa7745.tar.gz emacs-b7dab24b7953f7a31b806f83e15043c94aaa7745.zip

diff --git a/test/data/emacs-module/mod-test.c b/test/data/emacs-module/mod-test.c index eee9466c5d6..42e1c2bd4ae 100644 --- a/test/data/emacs-module/mod-test.c +++ b/test/data/emacs-module/mod-test.c
@@ -235,6 +235,27 @@ Fmod_test_invalid_load (emacs_env env, ptrdiff_t nargs, emacs_value args,
235	return invalid_stored_value;	235	return invalid_stored_value;
236	}	236	}
237		237
		238	/* An invalid finalizer: Finalizers are run during garbage collection,
		239	where Lisp code can’t be executed. -module-assertions tests for
		240	this case. */
		241
		242	static emacs_env *current_env;
		243
		244	static void
		245	invalid_finalizer (void *ptr)
		246	{
		247	current_env->intern (current_env, "nil");
		248	}
		249
		250	static emacs_value
		251	Fmod_test_invalid_finalizer (emacs_env env, ptrdiff_t nargs, emacs_value args,
		252	void *data)
		253	{
		254	current_env = env;
		255	env->make_user_ptr (env, invalid_finalizer, NULL);
		256	return env->funcall (env, env->intern (env, "garbage-collect"), 0, NULL);
		257	}
		258
238		259
239	/* Lisp utilities for easier readability (simple wrappers). */	260	/* Lisp utilities for easier readability (simple wrappers). */
240		261
@@ -300,6 +321,8 @@ emacs_module_init (struct emacs_runtime *ert)
300	DEFUN ("mod-test-vector-eq", Fmod_test_vector_eq, 2, 2, NULL, NULL);	321	DEFUN ("mod-test-vector-eq", Fmod_test_vector_eq, 2, 2, NULL, NULL);
301	DEFUN ("mod-test-invalid-store", Fmod_test_invalid_store, 0, 0, NULL, NULL);	322	DEFUN ("mod-test-invalid-store", Fmod_test_invalid_store, 0, 0, NULL, NULL);
302	DEFUN ("mod-test-invalid-load", Fmod_test_invalid_load, 0, 0, NULL, NULL);	323	DEFUN ("mod-test-invalid-load", Fmod_test_invalid_load, 0, 0, NULL, NULL);
		324	DEFUN ("mod-test-invalid-finalizer", Fmod_test_invalid_finalizer, 0, 0,
		325	NULL, NULL);
303		326
304	#undef DEFUN	327	#undef DEFUN
305		328


diff --git a/test/src/emacs-module-tests.el b/test/src/emacs-module-tests.el index a4994b6223b..988a7a178c6 100644 --- a/test/src/emacs-module-tests.el +++ b/test/src/emacs-module-tests.el
@@ -182,37 +182,66 @@ changes."
182	(should (equal (help-function-arglist #'mod-test-sum)	182	(should (equal (help-function-arglist #'mod-test-sum)
183	'(arg1 arg2))))	183	'(arg1 arg2))))
184		184
185	(ert-deftest module--test-assertions ()	185	(defmacro module--with-temp-directory (name &rest body)
186	"Check that -module-assertions work."	186	"Bind NAME to the name of a temporary directory and evaluate BODY.
		187	NAME must be a symbol. Delete the temporary directory after BODY
		188	exits normally or non-locally. NAME will be bound to the
		189	directory name (not the directory file name) of the temporary
		190	directory."
		191	(declare (indent 1))
		192	(cl-check-type name symbol)
		193	`(let ((,name (file-name-as-directory
		194	(make-temp-file "emacs-module-test" :directory))))
		195	(unwind-protect
		196	(progn ,@body)
		197	(delete-directory ,name :recursive))))
		198
		199	(defmacro module--test-assertion (pattern &rest body)
		200	"Test that PATTERN matches the assertion triggered by BODY.
		201	Run Emacs as a subprocess, load the test module `mod-test-file',
		202	and evaluate BODY. Verify that Emacs aborts and prints a module
		203	assertion message that matches PATTERN. PATTERN is evaluated and
		204	must evaluate to a regular expression string."
		205	(declare (indent 1))
		206	;; To contain any core dumps.
		207	`(module--with-temp-directory tempdir
		208	(with-temp-buffer
		209	(let* ((default-directory tempdir)
		210	(status (call-process mod-test-emacs nil t nil
		211	"-batch" "-Q" "-module-assertions" "-eval"
		212	,(prin1-to-string
		213	`(progn
		214	(require 'mod-test ,mod-test-file)
		215	,@body)))))
		216	(should (stringp status))
		217	;; eg "Aborted" or "Abort trap: 6"
		218	(should (string-prefix-p "Abort" status))
		219	(search-backward "Emacs module assertion: ")
		220	(goto-char (match-end 0))
		221	(should (string-match-p ,pattern
		222	(buffer-substring-no-properties
		223	(point) (point-max))))))))
		224
		225	(ert-deftest module--test-assertions--load-non-live-object ()
		226	"Check that -module-assertions verify that non-live objects
		227	aren’t accessed."
187	(skip-unless (file-executable-p mod-test-emacs))	228	(skip-unless (file-executable-p mod-test-emacs))
188	;; This doesn’t yet cause undefined behavior.	229	;; This doesn’t yet cause undefined behavior.
189	(should (eq (mod-test-invalid-store) 123))	230	(should (eq (mod-test-invalid-store) 123))
190	;; To contain any core dumps.	231	(module--test-assertion (rx "Emacs value not found in "
191	(let ((tempdir (make-temp-file "emacs-module-test" t)))	232	(+ digit) " values of "
192	(unwind-protect	233	(+ digit) " environments\n" eos)
193	(with-temp-buffer	234	;; Storing and reloading a local value causes undefined behavior,
194	(should (string-match-p	235	;; which should be detected by the module assertions.
195	"Abort" ; eg "Aborted" or "Abort trap: 6"	236	(mod-test-invalid-store)
196	(let ((default-directory tempdir))	237	(mod-test-invalid-load)))
197	(call-process mod-test-emacs nil t nil	238
198	"-batch" "-Q" "-module-assertions" "-eval"	239	(ert-deftest module--test-assertions--call-emacs-from-gc ()
199	(prin1-to-string	240	"Check that -module-assertions prevents calling Emacs functions
200	`(progn	241	during garbage collection."
201	(require 'mod-test ,mod-test-file)	242	(skip-unless (file-executable-p mod-test-emacs))
202	;; Storing and reloading a local	243	(module--test-assertion
203	;; value causes undefined behavior,	244	(rx "Module function called during garbage collection\n" eos)
204	;; which should be detected by the	245	(mod-test-invalid-finalizer)))
205	;; module assertions.
206	(mod-test-invalid-store)
207	(mod-test-invalid-load)))))))
208	(search-backward "Emacs module assertion:")
209	(should (string-match-p (rx bos "Emacs module assertion: "
210	"Emacs value not found in "
211	(+ digit) " values of "
212	(+ digit) " environments" eos)
213	(buffer-substring-no-properties
214	(line-beginning-position)
215	(line-end-position)))))
216	(delete-directory tempdir t))))
217		246
218	;;; emacs-module-tests.el ends here	247	;;; emacs-module-tests.el ends here