unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error
@ 2018-11-27 20:59 Damien Cassou
  2018-11-28  5:40 ` Paul Eggert
  2018-11-28  6:16 ` Eli Zaretskii
  0 siblings, 2 replies; 9+ messages in thread
From: Damien Cassou @ 2018-11-27 20:59 UTC (permalink / raw)
  To: 33530; +Cc: Paul Eggert, Michael Albinus

The following line crashes both Emacs 26 and Emacs master.

emacs -Q -batch --eval "(require 'dbus)" --eval "(dbus-call-method :system \"org.freedesktop.NetworkManager\" \"/org/freedesktop/NetworkManager/Devices/1\" \"org.freedesktop.NetworkManager.Device.Wireless\" \"RequestScan\" :dict-entry)"

Here is a trace on emacs-master.

Wrong type argument: consp, Fatal error 11: Segmentation fault

#0  0x00000000005870c8 in PSEUDOVECTOR_TYPE (v=0xc8c7000c8421c6c0) at lisp.h:1573
        size = -3979211692002130235
#1  0x0000000000675c88 in print_vectorlike (obj=XIL(0xc8c7000c8421c6c5), printcharfun=XIL(0x58b0), escapeflag=true, buf=0x7fffffffca10 "\004") at print.c:1368
#2  0x0000000000678de5 in print_object (obj=XIL(0xc8c7000c8421c6c5), printcharfun=XIL(0x58b0), escapeflag=true) at print.c:2152
        buf = "\004\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\320\321\000\000\000\000\000\000\260X\000\000\000\000\000\000`\312\377\377\377\177\000\000\tzd\000\000\000\000\000\202\000\000\000\000"
#3  0x000000000067503c in print (obj=XIL(0xc8c7000c8421c6c5), printcharfun=XIL(0x58b0), escapeflag=true) at print.c:1145
#4  0x00000000006727d1 in Fprin1 (object=XIL(0xc8c7000c8421c6c5), printcharfun=XIL(0x58b0)) at print.c:653
        old = 0xcd5800 <bss_sbrk_buffer+457984>
        old_point = -1
        start_point = -1
        old_point_byte = -1
        start_point_byte = -1
        specpdl_count = 4
        free_print_buffer = false
        multibyte = true
        original = XIL(0x58b0)
#5  0x0000000000674b2d in print_error_message (data=XIL(0x13472d3), stream=XIL(0x58b0), context=0xbc093e <pure+3999998> "", caller=XIL(0x2a90)) at print.c:980
        obj = XIL(0xc8c7000c8421c6c5)
        sep = 0x786fef ", "
        errname = XIL(0xe3a0)
        errmsg = XIL(0x7fb874)
        file_error = XIL(0)
        tail = XIL(0x13473b3)
#6  0x0000000000591321 in Fcommand_error_default_function (data=XIL(0x13472d3), context=XIL(0x7f0064), signal=XIL(0x2a90)) at keyboard.c:1005
        sf = 0xce2830 <bss_sbrk_buffer+511280>
#7  0x00000000006485fa in funcall_subr (subr=0x7ebe80 <Scommand_error_default_function>, numargs=3, args=0x7fffffffce48) at eval.c:2939
        internal_argbuf = {XIL(0x7fffffffcdb0), make_number(16107774448), XIL(0x7ebe80), XIL(0x7fffffffcd78), XIL(0x58716b), XIL(0xf00000000), XIL(0x7ebe85), XIL(0x7fffffffcd90)}
        internal_args = 0x7fffffffce48
#8  0x00000000006480ef in Ffuncall (nargs=4, args=0x7fffffffce40) at eval.c:2859
        fun = XIL(0x7ebe85)
        original_fun = XIL(0x9a9d0)
        funcar = XIL(0x7fffffffceb0)
        numargs = 3
        val = XIL(0)
        count = 3
#9  0x0000000000647a93 in call3 (fn=XIL(0x9a9d0), arg1=XIL(0x13472d3), arg2=XIL(0x7f0064), arg3=XIL(0x2a90)) at eval.c:2726
#10 0x00000000005911d8 in cmd_error_internal (data=XIL(0x13472d3), context=0x7fffffffceb0 "") at keyboard.c:972
#11 0x00000000005910b7 in cmd_error (data=XIL(0x13472d3)) at keyboard.c:941
        old_level = XIL(0)
        old_length = XIL(0)
        macroerror = "\000\316\377\377\001", '\000' <repeats 12 times>, "\317\377\377\377\177\000\000s_d", '\000' <repeats 13 times>, "ӛ1\001\000\000\000\000", <incomplete sequence \317>
#12 0x0000000000644047 in internal_condition_case (bfun=0x591523 <top_level_2>, handlers=XIL(0x54c0), hfun=0x590f67 <cmd_error>) at eval.c:1369
        val = XIL(0x13472d3)
        c = 0x2c9b710
#13 0x0000000000591584 in top_level_1 (ignore=XIL(0)) at keyboard.c:1096
#14 0x000000000064356e in internal_catch (tag=XIL(0xcc30), func=0x591542 <top_level_1>, arg=XIL(0)) at eval.c:1136
        val = XIL(0)
        c = 0x2c998e0
#15 0x0000000000591473 in command_loop () at keyboard.c:1057
#16 0x0000000000590a79 in recursive_edit_1 () at keyboard.c:703
        count = 1
        val = XIL(0x7fffffffd040)
#17 0x0000000000590c5b in Frecursive_edit () at keyboard.c:774
        count = 0
        buffer = XIL(0)
#18 0x000000000058e85d in main (argc=7, argv=0x7fffffffd288) at emacs.c:1716
        stack_bottom_variable = 0x7ffff5ed6f40
        do_initial_setlocale = true
        dumping = false
        skip_args = 1
        no_loadup = false
        junk = 0x0
        dname_arg = 0x0
        ch_to_dir = 0x0
        original_pwd = 0x0
        rlim = {
          rlim_cur = 10022912, 
          rlim_max = 18446744073709551615
        }
        sockfd = -1

Lisp Backtrace:
"command-error-default-function" (0xffffce48)

Windowing system distributor 'Fedora Project', version 11.0.12003000
System Description:	Fedora release 29 (Twenty Nine)

-- 
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill






* bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error
  2018-11-27 20:59 bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error Damien Cassou
@ 2018-11-28  5:40 ` Paul Eggert
  2018-11-28  7:10   ` Eli Zaretskii
  2018-11-28  9:36   ` Damien Cassou
  2018-11-28  6:16 ` Eli Zaretskii
  1 sibling, 2 replies; 9+ messages in thread
From: Paul Eggert @ 2018-11-28  5:40 UTC (permalink / raw)
  To: Damien Cassou, 33530-done; +Cc: Michael Albinus


Thanks for reporting that. I installed the attached into the master branch and 
am marking the bug as fixed. Not sure whether it's worth installing into the 
emacs-26 branch. It is a serious problem if Lisp code can make Emacs crash; on 
the other hand, the usage is erroneous.

[-- Attachment #2: 0001-Fix-core-dump-in-dbus-message-internal.patch --]
[-- Type: text/x-patch; name="0001-Fix-core-dump-in-dbus-message-internal.patch", Size: 985 bytes --]

From cef3f8fbf98296eaa59f80716db33b4f8689889a Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 27 Nov 2018 21:36:18 -0800
Subject: [PATCH] Fix core dump in dbus-message-internal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* src/dbusbind.c (Fdbus_message_internal):
Don’t go past array end (Bug#33530).
---
 src/dbusbind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/dbusbind.c b/src/dbusbind.c
index 9bc344e961..403fc598c0 100644
--- a/src/dbusbind.c
+++ b/src/dbusbind.c
@@ -1423,7 +1423,7 @@ usage: (dbus-message-internal &rest REST)  */)
   for (; count < nargs; ++count)
     {
       dtype = XD_OBJECT_TO_DBUS_TYPE (args[count]);
-      if (XD_DBUS_TYPE_P (args[count]))
+      if (count + 1 < nargs && XD_DBUS_TYPE_P (args[count]))
 	{
 	  XD_DEBUG_VALID_LISP_OBJECT_P (args[count]);
 	  XD_DEBUG_VALID_LISP_OBJECT_P (args[count+1]);
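Review bot: A type symbol passed as the last argument is not rejected explicitly on the changed `if` line; with `count + 1 < nargs && XD_DBUS_TYPE_P (args[count])` it simply fails the condition and is handled by the other branch, which this hunk does not show, so the caller's mistake may surface as an unrelated type error or not at all. The guard does keep the `args[count+1]` access two lines below in bounds, but consider signalling a clear error for a dangling type symbol before the pair is consumed, and add a one-line comment saying that a D-Bus type symbol must be followed by its value, since that is not obvious from `count + 1 < nargs` alone. A regression test built from the reproducer in the report (a trailing `:dict-entry`) would be worth adding with this change.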
-- 
2.17.1



* bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error
  2018-11-27 20:59 bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error Damien Cassou
  2018-11-28  5:40 ` Paul Eggert
@ 2018-11-28  6:16 ` Eli Zaretskii
  2018-11-28  9:28   ` Damien Cassou
  1 sibling, 1 reply; 9+ messages in thread
From: Eli Zaretskii @ 2018-11-28  6:16 UTC (permalink / raw)
  To: Damien Cassou; +Cc: 33530, eggert, michael.albinus

> From: Damien Cassou <damien@cassou.me>
> Date: Tue, 27 Nov 2018 21:59:01 +0100
> Cc: Paul Eggert <eggert@cs.ucla.edu>, Michael Albinus <michael.albinus@gmx.de>
> 
> The following line crashes both Emacs 26 and Emacs master.
> 
> emacs -Q -batch --eval "(require 'dbus)" --eval "(dbus-call-method :system \"org.freedesktop.NetworkManager\" \"/org/freedesktop/NetworkManager/Devices/1\" \"org.freedesktop.NetworkManager.Device.Wireless\" \"RequestScan\" :dict-entry)"

It dies trying to display an error message:

> #5  0x0000000000674b2d in print_error_message (data=XIL(0x13472d3), stream=XIL(0x58b0), context=0xbc093e <pure+3999998> "", caller=XIL(0x2a90)) at print.c:980
>         obj = XIL(0xc8c7000c8421c6c5)
>         sep = 0x786fef ", "
>         errname = XIL(0xe3a0)
>         errmsg = XIL(0x7fb874)
>         file_error = XIL(0)
>         tail = XIL(0x13473b3)
> #6  0x0000000000591321 in Fcommand_error_default_function (data=XIL(0x13472d3), context=XIL(0x7f0064), signal=XIL(0x2a90)) at keyboard.c:1005
>         sf = 0xce2830 <bss_sbrk_buffer+511280>
> #7  0x00000000006485fa in funcall_subr (subr=0x7ebe80 <Scommand_error_default_function>, numargs=3, args=0x7fffffffce48) at eval.c:2939
>         internal_argbuf = {XIL(0x7fffffffcdb0), make_number(16107774448), XIL(0x7ebe80), XIL(0x7fffffffcd78), XIL(0x58716b), XIL(0xf00000000), XIL(0x7ebe85), XIL(0x7fffffffcd90)}
>         internal_args = 0x7fffffffce48
> #8  0x00000000006480ef in Ffuncall (nargs=4, args=0x7fffffffce40) at eval.c:2859
>         fun = XIL(0x7ebe85)
>         original_fun = XIL(0x9a9d0)
>         funcar = XIL(0x7fffffffceb0)
>         numargs = 3
>         val = XIL(0)
>         count = 3
> #9  0x0000000000647a93 in call3 (fn=XIL(0x9a9d0), arg1=XIL(0x13472d3), arg2=XIL(0x7f0064), arg3=XIL(0x2a90)) at eval.c:2726
> #10 0x00000000005911d8 in cmd_error_internal (data=XIL(0x13472d3), context=0x7fffffffceb0 "") at keyboard.c:972
> #11 0x00000000005910b7 in cmd_error (data=XIL(0x13472d3)) at keyboard.c:941
>         old_level = XIL(0)
>         old_length = XIL(0)
>         macroerror = "\000\316\377\377\001", '\000' <repeats 12 times>, "\317\377\377\377\177\000\000s_d", '\000' <repeats 13 times>, "ӛ1\001\000\000\000\000", <incomplete sequence \317>

Can you please show the value of 'data' in frame #10 or in frame #5,
in human-readable form?  This should be possible using the "xtype"
command followed by another x* command, according to what type is
shown by "xtype", probably "xsymbol".

Thanks.






* bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error
  2018-11-28  5:40 ` Paul Eggert
@ 2018-11-28  7:10   ` Eli Zaretskii
  2018-11-28  9:36   ` Damien Cassou
  1 sibling, 0 replies; 9+ messages in thread
From: Eli Zaretskii @ 2018-11-28  7:10 UTC (permalink / raw)
  To: Paul Eggert; +Cc: damien, 33530, eggert

> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Tue, 27 Nov 2018 21:40:55 -0800
> Cc: Michael Albinus <michael.albinus@gmx.de>
> 
> Not sure whether it's worth installing into the emacs-26 branch.

Please do, and thanks.






* bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error
  2018-11-28  6:16 ` Eli Zaretskii
@ 2018-11-28  9:28   ` Damien Cassou
  2018-11-28  9:48     ` Eli Zaretskii
  0 siblings, 1 reply; 9+ messages in thread
From: Damien Cassou @ 2018-11-28  9:28 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 33530, eggert, michael.albinus

Hi Eli,

Eli Zaretskii <eliz@gnu.org> writes:
> Can you please show the value of 'data' in frame #10 or in frame #5,
> in human-readable form?  This should be possible using the "xtype"
> command followed by another x* command, according to what type is
> shown by "xtype", probably "xsymbol".


I would like to do that but I lack knowledge of gdb. Here is what I came
up with:

(gdb) frame 10
#10 0x00000000005911d8 in cmd_error_internal (data=XIL(0x1347253), context=0x7fffffffce90 "") at keyboard.c:972
972	    call3 (Vcommand_error_function, data,

(gdb) p data
$1 = XIL(0x1347253)

(gdb) xtype
Lisp_Cons

(gdb) xcons
$2 = (struct Lisp_Cons *) 0x1347250 <bss_sbrk_buffer+7214928>
{
  u = {
    s = {
      car = XIL(0xe3a0), 
      u = {
        cdr = XIL(0x1347283), 
        chain = 0x1347283
      }
    }, 
    gcaligned = 0xa0
  }
}

-- 
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill






* bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error
  2018-11-28  5:40 ` Paul Eggert
  2018-11-28  7:10   ` Eli Zaretskii
@ 2018-11-28  9:36   ` Damien Cassou
  1 sibling, 0 replies; 9+ messages in thread
From: Damien Cassou @ 2018-11-28  9:36 UTC (permalink / raw)
  To: Paul Eggert, 33530-done; +Cc: Michael Albinus

Paul Eggert <eggert@cs.ucla.edu> writes:
> Thanks for reporting that. I installed the attached into the master branch and 
> am marking the bug as fixed. Not sure whether it's worth installing into the 
> emacs-26 branch. It is a serious problem if Lisp code can make Emacs crash; on 
> the other hand, the usage is erroneous.

Thank you Paul for the quick fix.

-- 
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill






* bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error
  2018-11-28  9:28   ` Damien Cassou
@ 2018-11-28  9:48     ` Eli Zaretskii
  2018-11-28 11:33       ` Damien Cassou
  0 siblings, 1 reply; 9+ messages in thread
From: Eli Zaretskii @ 2018-11-28  9:48 UTC (permalink / raw)
  To: Damien Cassou; +Cc: 33530, eggert, michael.albinus

> From: Damien Cassou <damien@cassou.me>
> Cc: 33530@debbugs.gnu.org, eggert@cs.ucla.edu, michael.albinus@gmx.de
> Date: Wed, 28 Nov 2018 10:28:47 +0100
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> > Can you please show the value of 'data' in frame #10 or in frame #5,
> > in human-readable form?  This should be possible using the "xtype"
> > command followed by another x* command, according to what type is
> > shown by "xtype", probably "xsymbol".
> 
> I would like to do that but I lack knowledge of gdb. Here is what I came
> up with:
> 
> (gdb) frame 10
> #10 0x00000000005911d8 in cmd_error_internal (data=XIL(0x1347253), context=0x7fffffffce90 "") at keyboard.c:972
> 972	    call3 (Vcommand_error_function, data,
> 
> (gdb) p data
> $1 = XIL(0x1347253)
> 
> (gdb) xtype
> Lisp_Cons
> 
> (gdb) xcons

Use "pp data" instead, it's better with conses, because it avoids the
need to manually drill down into each cons cell.

Thanks.






* bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error
  2018-11-28  9:48     ` Eli Zaretskii
@ 2018-11-28 11:33       ` Damien Cassou
  2018-11-28 12:00         ` Eli Zaretskii
  0 siblings, 1 reply; 9+ messages in thread
From: Damien Cassou @ 2018-11-28 11:33 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 33530, eggert, michael.albinus

Eli Zaretskii <eliz@gnu.org> writes:
>> (gdb) p data
>> $1 = XIL(0x1347253)

> Use "pp data" instead, it's better with conses, because it avoids the
> need to manually drill down into each cons cell.

(gdb) frame 10
#10 0x00000000005911d8 in cmd_error_internal (data=XIL(0x1347283), context=0x7fffffffce90 "") at keyboard.c:972
972	    call3 (Vcommand_error_function, data,

(gdb) pp data
(wrong-type-argument consp 
Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.
0x00000000005870c8 in PSEUDOVECTOR_TYPE (v=0xc8c7000c8421c6c0) at lisp.h:1573
1573	  ptrdiff_t size = v->header.size;
The program being debugged was signaled while in a function called from GDB.
GDB remains in the frame where the signal was received.
To change this behavior use "set unwindonsignal on".
Evaluation of the expression containing the function
(safe_debug_print) will be abandoned.
When the function is done executing, GDB will silently stop.


-- 
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill






* bug#33530: 26.1.90; D-Bus crashes Emacs: consp, Fatal error 7: Bus error
  2018-11-28 11:33       ` Damien Cassou
@ 2018-11-28 12:00         ` Eli Zaretskii
  0 siblings, 0 replies; 9+ messages in thread
From: Eli Zaretskii @ 2018-11-28 12:00 UTC (permalink / raw)
  To: Damien Cassou; +Cc: 33530, eggert, michael.albinus

> From: Damien Cassou <damien@cassou.me>
> Cc: 33530@debbugs.gnu.org, eggert@cs.ucla.edu, michael.albinus@gmx.de
> Date: Wed, 28 Nov 2018 12:33:51 +0100
> 
> (gdb) frame 10
> #10 0x00000000005911d8 in cmd_error_internal (data=XIL(0x1347283), context=0x7fffffffce90 "") at keyboard.c:972
> 972	    call3 (Vcommand_error_function, data,
> 
> (gdb) pp data
> (wrong-type-argument consp 

Thanks, it's clear now.




