* font.c (APPEND_SNPRINTF): Remove.
(font_unparse_xlfd):
* xterm.c (x_io_error_quitter):
Use esnprintf, not snprintf. That way, we don't have to worry
about porting to ancient platforms that lack snprintf.
(x_term_init): Use sprintf, not snprintf.
Don't assume XINT result fits in int, or that XFLOAT_DATA * 10
fits in int, when using sprintf. Use single snprintf to count
length of string rather than counting it via multiple sprintfs;
that's simpler and more reliable.
(APPEND_SPRINTF): New macro.
(font_unparse_fcname): Use it to avoid sprintf buffer overrun.
(generate_otf_features) [0 && HAVE_LIBOTF]: Use esprintf, not
sprintf, in case result does not fit in int.
This partly undoes my 2011-03-30 change, which replaced int with size_t.
Back then I didn't know that the Emacs coding style prefers signed int.
Also, in the meantime I found a few more instances where arguments
were being counted with int, which may truncate counts on 64-bit
machines, or EMACS_INT, which may be unnecessarily wide.
* lisp.h (struct Lisp_Subr.function.aMANY)
(DEFUN_ARGS_MANY, internal_condition_case_n, safe_call):
Arg counts are now ptrdiff_t, not size_t.
All variadic functions and their callers changed accordingly.
(struct gcpro.nvars): Now size_t, not size_t. All uses changed.
* bytecode.c (exec_byte_code): Check maxdepth for overflow,
to avoid potential buffer overrun. Don't assume arg counts fit in 'int'.
* callint.c (Fcall_interactively): Check arg count for overflow,
to avoid potential buffer overrun. Use signed char, not 'int',
for 'varies' array, so that we needn't bother to check its size
calculation for overflow.
* editfns.c (Fformat): Use ptrdiff_t, not EMACS_INT, to count args.
* eval.c (apply_lambda):
* fns.c (Fmapconcat): Use XFASTINT, not XINT, to get args length.
(struct textprop_rec.argnum): Now ptrdiff_t, not int. All uses changed.
(mapconcat): Use ptrdiff_t, not int and EMACS_INT, to count args.
* charset.c (Fdefine_charset_internal, Fdecode_char):
Use cons_to_unsigned to catch overflow.
(Fencode_char): Use INTEGER_TO_CONS.
* composite.h (LGLYPH_CODE): Use cons_to_unsigned.
(LGLYPH_SET_CODE): Use INTEGER_TO_CONS.
* data.c (long_to_cons, cons_to_long): Remove.
(cons_to_unsigned, cons_to_signed): New functions.
These signal an error for invalid or out-of-range values.
* dired.c (Ffile_attributes): Use INTEGER_TO_CONS.
* fileio.c (Fset_visited_file_modtime): Use CONS_TO_INTEGER.
* font.c (Ffont_variation_glyphs):
* fontset.c (Finternal_char_font): Use INTEGER_TO_CONS.
* lisp.h: Include <intprops.h>.
(INTEGER_TO_CONS, CONS_TO_INTEGER): New macros.
(cons_to_signed, cons_to_unsigned): New decls.
(long_to_cons, cons_to_long): Remove decls.
* undo.c (record_first_change): Use INTEGER_TO_CONS.
(Fprimitive_undo): Use CONS_TO_INTEGER.
* xfns.c (Fx_window_property): Likewise.
* xselect.c: Include <limits.h>.
(x_own_selection, selection_data_to_lisp_data):
Use INTEGER_TO_CONS.
(x_handle_selection_request, x_handle_selection_clear)
(x_get_foreign_selection, Fx_disown_selection_internal)
(Fx_get_atom_name, x_send_client_event): Use CONS_TO_INTEGER.
(lisp_data_to_selection_data): Use cons_to_unsigned.
(x_fill_property_data): Use cons_to_signed.
Report values out of range.
GCC 4.6.0 optimizes based on type-based alias analysis. For
example, if b is of type struct buffer * and v of type struct
Lisp_Vector *, then gcc -O2 was incorrectly assuming that &b->size
!= &v->size, and therefore "v->size = 1; b->size = 2; return
v->size;" must therefore return 1. This assumption is incorrect
for Emacs, since it type-puns struct Lisp_Vector * with many other
types. To fix this problem, this patch adds a new type struct
vector_header that documents the constraints on layout of vectors
and pseudovectors, and helps optimizing compilers not get fooled
by Emacs's type punning. It also adds the macros XSETTYPED_PVECTYPE
XSETTYPED_PSEUDOVECTOR, TYPED_PSEUDOVECTORP, for similar reasons.
* lisp.h (XVECTOR_SIZE): New convenience macro. All previous uses of
XVECTOR (foo)->size replaced to use this macro, to avoid the hassle
of writing XVECTOR (foo)->header.size.
(XVECTOR_HEADER_SIZE): New macro, for use in XSETPSEUDOVECTOR.
(XSETTYPED_PVECTYPE): New macro, specifying the name of the size
member.
(XSETPVECTYPE): Rewrite in terms of new macro.
(XSETPVECTYPESIZE): New macro, specifying both type and size.
This is a bit clearer, and further avoids the possibility of
undesirable aliasing.
(XSETTYPED_PSEUDOVECTOR): New macro, specifying the size.
(XSETPSEUDOVECTOR): Rewrite in terms of XSETTYPED_PSEUDOVECTOR
and XVECTOR_HEADER_SIZE.
(XSETSUBR): Rewrite in terms of XSETTYPED_PSEUDOVECTOR and XSIZE,
since Lisp_Subr is a special case (no "next" field).
(ASIZE): Rewrite in terms of XVECTOR_SIZE.
(struct vector_header): New type.
(TYPED_PSEUDOVECTORP): New macro, also specifying the C type of the
object, to help avoid aliasing.
(PSEUDOVECTORP): Rewrite in terms of TYPED_PSEUDOVECTORP.
(SUBRP): Likewise, since Lisp_Subr is a special case.
* lisp.h (struct Lisp_Vector, struct Lisp_Char_Table):
(struct Lisp_Sub_Char_Table, struct Lisp_Bool_Vector):
(struct Lisp_Hash_Table): Combine first two members into a single
struct vector_header member. All uses of "size" and "next" members
changed to be "header.size" and "header.next".
* buffer.h (struct buffer): Likewise.
* font.h (struct font_spec, struct font_entity, struct font): Likewise.
* frame.h (struct frame): Likewise.
* process.h (struct Lisp_Process): Likewise.
* termhooks.h (struct terminal): Likewise.
* window.c (struct save_window_data, struct saved_window): Likewise.
* window.h (struct window): Likewise.
* alloc.c (allocate_buffer, Fmake_bool_vector, allocate_pseudovector):
Use XSETPVECTYPESIZE, not XSETPVECTYPE, to avoid aliasing problems.
* buffer.c (init_buffer_once): Likewise.
* lread.c (defsubr): Use XSETTYPED_PVECTYPE, since Lisp_Subr is a
special case.
* process.c (Fformat_network_address): Use local var for size,
for brevity.
src/doprnt.c: Include limits.h.
(SIZE_MAX): New macro.
(doprnt): Return a size_t value. 2nd arg is now size_t. Many
local variables are now size_t instead of int or unsigned.
Improve overflow protection. Support `l' modifier for integer
conversions. Support %l conversion. Don't assume an EMACS_INT
argument for integer conversions and for %c.
src/lisp.h (doprnt): Restore prototype.
src/makefile.w32-in ($(BLD)/callint.$(O)): Depend on
$(SRC)/character.h.
src/Makefile.in (base_obj): Add back doprnt.o.
src/deps.mk (doprnt.o): Add back prerequisites.
(callint.o): Depend on character.h.
src/eval.c (internal_lisp_condition_case): Include the handler
representation in the error message.
(verror): Call doprnt instead of vsnprintf. Fix an off-by-one bug
when breaking from the loop.
src/xdisp.c (vmessage): Call doprnt instead of vsnprintf.
src/callint.c (Fcall_interactively): When displaying error message
about invalid control letter, pass the character's codepoint, not
a pointer to its multibyte form. Improve display of the character
in octal and display also its hex code.
src/character.c (char_string): Use %x to display the (unsigned)
codepoint of an invalid character, to avoid displaying a bogus
negative value.
src/font.c (check_otf_features): Pass SDATA of SYMBOL_NAME to
`error', not SYMBOL_NAME itself.
src/coding.c (Fencode_sjis_char, Fencode_big5_char): Use %c for
character arguments to `error'.
src/charset.c (check_iso_charset_parameter): Fix incorrect argument
to `error' in error message about FINAL_CHAR argument. Make sure
FINAL_CHAR is a character, and use %c when it is passed as
argument to `error'.
* lisp.h (pI): New macro, generalizing old pEd macro to other
conversion specifiers. For example, use "...%"pI"d..." rather
than "...%"pEd"...".
(pEd): Remove. All uses replaced with similar uses of pI.
* src/m/amdx86-64.h, src/m/ia64.h, src/m/ibms390x.h: Likewise.
* alloc.c (check_pure_size): Don't overflow by converting size to int.
* bidi.c (bidi_dump_cached_states): Use pI to avoid cast.
* data.c (Fnumber_to_string): Use pI instead of if-then-else-abort.
* dbusbind.c (xd_append_arg): Use pI to avoid cast.
(Fdbus_method_return_internal, Fdbus_method_error_internal): Likewise.
* font.c (font_unparse_xlfd): Avoid potential buffer overrun on
64-bit hosts.
(font_unparse_xlfd, font_unparse_fcname): Use pI to avoid casts.
* keyboard.c (record_char, modify_event_symbol): Use pI to avoid casts.
* print.c (safe_debug_print, print_object): Likewise.
(print_object): Don't overflow by converting EMACS_INT or EMACS_UINT
to int.
Use pI instead of if-then-else-abort. Use %p to avoid casts.
* process.c (Fmake_network_process): Use pI to avoid cast.
* region-cache.c (pp_cache): Likewise.
* xdisp.c (decode_mode_spec): Likewise.
* xrdb.c (x_load_resources) [USE_MOTIF]: Use pI to avoid undefined
behavior on 64-bit hosts with printf arg.
* xselect.c (x_queue_event): Use %p to avoid casts.
(x_stop_queuing_selection_requests): Likewise.
(x_get_window_property): Don't truncate byte count to an 'int'
when tracing.
* dispextern.h (FACE_SUITABLE_FOR_ASCII_CHAR_P): New macro.
(FACE_SUITABLE_FOR_CHAR_P): Use it.
* font.c (font_close_object): Now static.
* font.h (font_close_object): Remove.
* fontset.c (FONTSET_OBJLIST): Remove.
(free_realized_fontset) #if-0 the body, which does nothing.
(face_suitable_for_char_p): #if-0, as it's never called.
* fontset.h (face_suitable_for_char_p): Remove decl.
* xfaces.c (face_at_string_position): Use
FACE_SUITABLE_FOR_ASCII_CHAR_P, not FACE_SUITABLE_FOR_CHAR_P,
since 0 is always ASCII.
* font.c (copy_font_spec): Rename from Fcopy_font_spec, since it
was inaccessible from Lisp.
(merge_font_spec): Likewise, renaming from Fmerge_font_spec.
* font.c, font.h, fontset.c, xfaces.c, xfont.c: Change all uses.
This makes it easier for human readers (and static analyzers)
to see whether these variables are used from other modules.
* alloc.c, buffer.c, bytecode.c, callint.c, casetab.c, category.c:
* ccl.c, character.c, charset.c, cmds.c, coding.c, composite.c:
* data.c, dbusbind.c, dired.c, editfns.c, eval.c, fileio.c, fns.c:
* font.c, frame.c, fringe.c, ftfont.c, image.c, keyboard.c, keymap.c:
* lread.c, macros.c, minibuf.c, print.c, process.c, search.c:
* sound.c, syntax.c, textprop.c, window.c, xdisp.c, xfaces.c, xfns.c:
* xmenu.c, xselect.c:
Declare Q* vars static if they are not used in other modules.
* ccl.h, character.h, charset.h, coding.h, composite.h, font.h:
* frame.h, intervals.h, keyboard.h, lisp.h, process.h, syntax.h:
Remove decls of unexported vars.
* keyboard.h (EVENT_HEAD_UNMODIFIED): Remove now-unused macro.
This makes it easier for human readers (and static analyzers)
to see whether these functions can be called from other modules.
DEFUN now defines a static function. To make the function external
so that it can be used in other C modules, use the new macro DEFUE.
* lisp.h (DEFINE_FUNC): New macro, with the old contents of DEFUN.
(DEFUN): Rewrite in terms of DEFINE_FUNC. It now generates a
static function definition. Use DEFUE if you want an extern one.
(DEFUE, INFUN): New macros.
(Funibyte_char_to_multibyte, Fsyntax_table_p, Finit_image_library):
(Feval_region, Fbacktrace, Ffetch_bytecode, Fswitch_to_buffer):
(Ffile_executable_p, Fmake_symbolic_link, Fcommand_execute):
(Fget_process, Fdocumentation_property, Fbyte_code, Ffile_attributes):
Remove decls, since these functions are now static.
(Funintern, Fget_internal_run_time): New decls, since these functions
were already external.
* alloc.c, buffer.c, callint.c, callproc.c, casefiddle.c, casetab.c:
* ccl.c, character.c, chartab.c, cmds.c, coding.c, data.c, dispnew.c:
* doc.c, editfns.c, emacs.c, eval.c, fileio.c, filelock.c, floatfns.c:
* fns.c, font.c, fontset.c, frame.c, image.c, indent.c:
* keyboard.c, keymap.c, lread.c:
* macros.c, marker.c, menu.c, minibuf.c, print.c, process.c, search.c:
* syntax.c, term.c, terminal.c, textprop.c, undo.c:
* window.c, xdisp.c, xfaces.c, xfns.c, xmenu.c, xsettings.c:
Mark functions with DEFUE instead of DEFUN,
if they are used in other modules.
* buffer.c (Fset_buffer_major_mode, Fdelete_overlay): New forward
decls for now-static functions.
* buffer.h (Fdelete_overlay): Remove decl.
* callproc.c (Fgetenv_internal): Mark as internal.
* composite.c (Fremove_list_of_text_properties): Remove decl.
(Fcomposition_get_gstring): New forward static decl.
* composite.h (Fcomposite_get_gstring): Remove decl.
* dired.c (Ffile_attributes): New forward static decl.
* doc.c (Fdocumntation_property): New forward static decl.
* eval.c (Ffetch_bytecode): New forward static decl.
(Funintern): Remove extern decl; now in .h file where it belongs.
* fileio.c (Fmake_symbolic_link): New forward static decl.
* image.c (Finit_image_library): New forward static decl.
* insdel.c (Fcombine_after_change_execute): Make forward decl static.
* intervals.h (Fprevious_property_change):
(Fremove_list_of_text_properties): Remove decls.
* keyboard.c (Fthis_command_keys): Remove decl.
(Fcommand_execute): New forward static decl.
* keymap.c (Flookup_key): New forward static decl.
(Fcopy_keymap): Now static.
* keymap.h (Flookup_key): Remove decl.
* process.c (Fget_process): New forward static decl.
(Fprocess_datagram_address): Mark as internal.
* syntax.c (Fsyntax_table_p): New forward static decl.
(skip_chars): Remove duplicate decl.
* textprop.c (Fprevious_property_change): New forward static decl.
* window.c (Fset_window_fringes, Fset_window_scroll_bars):
Now internal.
(Fset_window_margins, Fset_window_vscroll): New forward static decls.
* window.h (Fset_window_vscroll, Fset_window_margins): Remove decls.
