unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#16512: 24.3; Segmentation fault from empty byte-code object literal
@ 2014-01-21  2:11 Christopher Wellons
From: Christopher Wellons @ 2014-01-21  2:11 UTC (permalink / raw)
  To: 16512


The following command will cause a segmentation fault in 24.3.1 under
GNU/Linux, both 32-bit and 64-bit. The key is that empty byte-code
object. The rest is there just to make Emacs do enough work to crash.

    emacs -Q --eval '(type-of #[])' \
             --eval '(insert "(defun ())")' \
             -f eval-last-sexp

Pure speculation about why: is it assuming that the byte-code object has
at least four elements, dereferencing garbage somewhere past the end?
The manual states byte-code objects "must have at least four elements,"
which is enforced by `make-byte-code' but *not* enforced for byte-code
literals.
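
The check described above, written out as an added example that is not Emacs's own reader code: a toy parser for `#[ ... ]` literals that counts the top-level elements (symbols, numbers, strings, nested lists and vectors) and applies the same minimum-slot rule that `make-byte-code` enforces, so that a literal with fewer than four slots is rejected at read time instead of being handed to code that assumes the slots exist. The function names, the `BYTECODE_MIN_SLOTS` constant and the sample literals are constructed for this example; the real reader in Emacs's `lread.c` is structured differently.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Minimum slot count the manual requires of a byte-code object
   (argument list, byte-string, constants vector, maximum stack depth).
   Hypothetical model constant; not an identifier from Emacs. */
#define BYTECODE_MIN_SLOTS 4

/* Skip a string literal "...", honouring backslash escapes.
   Returns a pointer just past the closing quote, or NULL if unterminated. */
static const char *skip_string(const char *p)
{
    p++;                                  /* opening quote */
    while (*p && *p != '"') {
        if (*p == '\\' && p[1]) p++;      /* escaped char: consume both */
        p++;
    }
    return *p == '"' ? p + 1 : NULL;
}

/* Skip one nested ( ... ) or [ ... ] group, including inner strings and
   same-kind nesting.  Returns a pointer past the matching close or NULL. */
static const char *skip_group(const char *p)
{
    char open = *p, close = (open == '(') ? ')' : ']';
    int depth = 0;
    for (; *p; p++) {
        if (*p == '"') {                  /* a string may contain brackets */
            p = skip_string(p);
            if (!p) return NULL;
            p--;                          /* the for loop re-advances */
            continue;
        }
        if (*p == open) depth++;
        else if (*p == close && --depth == 0) return p + 1;
    }
    return NULL;
}

/* Count the top-level elements of a "#[ ... ]" byte-code literal.
   Returns the element count, or -1 on malformed input. */
int count_bytecode_literal_elements(const char *src)
{
    const char *p = src;
    int count = 0;
    while (isspace((unsigned char)*p)) p++;
    if (p[0] != '#' || p[1] != '[') return -1;
    p += 2;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') return -1;        /* unterminated literal */
        if (*p == ']') break;
        if (*p == '"') p = skip_string(p);
        else if (*p == '(' || *p == '[') p = skip_group(p);
        else                              /* symbol or number */
            while (*p && !isspace((unsigned char)*p) && !strchr("()[]\"", *p)) p++;
        if (!p) return -1;
        count++;
    }
    return count;
}

/* Reader-side guard: accept the literal only if it carries at least the
   slots make-byte-code would insist on.  Returns 1 if acceptable, else 0. */
int bytecode_literal_is_valid(const char *src)
{
    return count_bytecode_literal_elements(src) >= BYTECODE_MIN_SLOTS;
}

int main(void)
{
    /* Constructed sample literals; the last two mirror the shape of a
       compiled lambda (args, bytestring, constants, stack depth, doc). */
    const char *samples[] = {
        "#[]",
        "#[(x) \"\\300\\207\" [] 1]",
        "#[(a b) \"\\300\\301\\134\\207\" [+ x] 2 \"Adds a to b.\"]",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-55s elements=%d valid=%d\n", samples[i],
               count_bytecode_literal_elements(samples[i]),
               bytecode_literal_is_valid(samples[i]));
    return 0;
}
```

The point of doing the length check in the reader rather than in every consumer is that `type-of`, `length`, funcall and the printer all receive the same object; a single guard at construction time covers them all, which is exactly what `make-byte-code` already gives the non-literal path.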


Fatal error 11: Segmentation fault
Backtrace:
emacs[0x4f74cb]
emacs[0x4dcf2e]
emacs[0x4f611e]
emacs[0x4f6283]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf210)[0x7f9276bad210]
emacs[0x5617bb]
emacs[0x564232]
emacs[0x564c67]
emacs[0x565b77]
emacs[0x4aacff]
emacs[0x4ab4f4]
emacs[0x4ab698]
emacs[0x4acc7d]
emacs[0x43a3bd]
emacs[0x4412fe]
emacs[0x441431]
emacs[0x44acbd]
emacs[0x4e754c]
emacs[0x4e99d8]
emacs[0x4ebd4d]
emacs[0x54e453]
emacs[0x4dd3be]
emacs[0x54e32e]
emacs[0x4e1c07]
emacs[0x4e1f04]
emacs[0x4171c5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f9276813995]
emacs[0x417ccf]
Segmentation fault


Here's the "bt full" showing the crash is actually occurring in
/lib/x86_64-linux-gnu/libthread_db.so.1.


(gdb) run --eval '(type-of #[])'
Starting program: /usr/bin/emacs --eval '(type-of #[])'
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe8a23700 (LWP 15364)]
[New Thread 0x7fffe3fff700 (LWP 15365)]

Program received signal SIGSEGV, Segmentation fault.
0x00000000005617bb in ?? ()
(gdb) bt full
#0  0x00000000005617bb in ?? ()
No symbol table info available.
#1  0x0000000000564232 in ?? ()
No symbol table info available.
#2  0x0000000000564c67 in ?? ()
No symbol table info available.
#3  0x0000000000565b77 in ?? ()
No symbol table info available.
#4  0x00000000004aacff in ?? ()
No symbol table info available.
#5  0x00000000004ab4f4 in ?? ()
No symbol table info available.
#6  0x00000000004ab698 in ?? ()
No symbol table info available.
#7  0x00000000004acc7d in ?? ()
No symbol table info available.
#8  0x000000000043a3bd in ?? ()
No symbol table info available.
#9  0x00000000004412fe in ?? ()
No symbol table info available.
#10 0x0000000000441431 in ?? ()
No symbol table info available.
#11 0x000000000044acbd in ?? ()
No symbol table info available.
#12 0x00000000004e754c in ?? ()
No symbol table info available.
#13 0x00000000004e99d8 in ?? ()
No symbol table info available.
#14 0x00000000004ebd4d in ?? ()
No symbol table info available.
#15 0x000000000054e453 in ?? ()
No symbol table info available.
#16 0x00000000004dd3be in ?? ()
No symbol table info available.
#17 0x000000000054e32e in ?? ()
No symbol table info available.
#18 0x00000000004e1c07 in ?? ()
No symbol table info available.
#19 0x00000000004e1f04 in ?? ()
No symbol table info available.
#20 0x00000000004171c5 in ?? ()
No symbol table info available.
#21 0x00007ffff11df995 in __libc_start_main (main=0x4167b0, argc=3,
    ubp_av=0x7fffffffe868, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffe858) at libc-start.c:276
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 8758318328891328105,
                4291750, 140737488349280, 0, 0, -8758318329162348951,
                -8758324633951386007}, mask_was_saved = 0}}, priv = {pad = {0x0,
              0x0, 0x5d14f0, 0x7fffffffe868}, data = {prev = 0x0, cleanup = 0x0,
              canceltype = 6100208}}}
        not_first_call = <optimized out>
#22 0x0000000000417ccf in ?? ()
No symbol table info available.



In GNU Emacs 24.3.1 (x86_64-pc-linux-gnu, GTK+ Version 3.8.6)
 of 2013-12-22 on brahms, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11405000
System Description:	Debian GNU/Linux unstable (sid)

Configured using:
 `configure '--build' 'x86_64-linux-gnu' '--build' 'x86_64-linux-gnu'
 '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib'
 '--localstatedir=/var/lib' '--infodir=/usr/share/info'
 '--mandir=/usr/share/man' '--with-pop=yes'
 '--enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.3/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.3/site-lisp:/usr/share/emacs/site-lisp'
 '--with-crt-dir=/usr/lib/x86_64-linux-gnu' '--with-x=yes'
 '--with-x-toolkit=gtk3' '--with-toolkit-scroll-bars'
 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fstack-protector
 --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2''

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix
  default enable-multibyte-characters: t


* bug#16512: 24.3; Segmentation fault from empty byte-code object literal
  2014-01-21  2:11 bug#16512: 24.3; Segmentation fault from empty byte-code object literal Christopher Wellons
@ 2014-01-21  2:51 ` Barry OReilly
From: Barry OReilly @ 2014-01-21  2:51 UTC (permalink / raw)
  To: wellons, 16512

This was fixed on trunk under bug 15405.

http://debbugs.gnu.org/cgi/bugreport.cgi?bug=15405
