all messages for Emacs-related lists mirrored at yhetil.org
From: Dmitry Antipov <dmantipov@yandex.ru>
To: Michael Welsh Duggan <md5i@md5i.com>,
	Stefan Monnier <monnier@IRO.UMontreal.CA>
Cc: 18473@debbugs.gnu.org
Subject: bug#18473: 24.4.50; SEGFAULT when vconcatting more than 2048 vectors
Date: Sun, 14 Sep 2014 21:10:31 +0400
Message-ID: <5415CC07.2010702@yandex.ru>
In-Reply-To: <87lhpngc6a.fsf@maru2.md5i.com>

On 09/14/2014 06:37 AM, Michael Welsh Duggan wrote:

> With attached foo.el:
>
> emacs -Q -l foo.el
> (testbug 2049)
> C-j
>
> SEGFAULT

Also reproduced in emacs-24 branch (here and below, emacs-24 branch is assumed).

This looks like a fundamental bug in eval_sub, probably introduced in r112828.
When compiling with --enable-checking, it gives:

../../emacs-24/src/eval.c:184: Emacs fatal error: assertion failed: pdl->kind == SPECPDL_BACKTRACE

(gdb) bt 10
#0  0x000000000056a602 in terminate_due_to_signal (sig=6, backtrace_limit=2147483647) at ../../emacs-24/src/emacs.c:351
#1  0x00000000005f1d8e in die (msg=0x714b20 "pdl->kind == SPECPDL_BACKTRACE", file=0x714ab8 "../../emacs-24/src/eval.c", line=184)
     at ../../emacs-24/src/alloc.c:6833
#2  0x000000000060c5e6 in set_backtrace_args (pdl=0x1327bc0, args=0x7fffec33e010) at ../../emacs-24/src/eval.c:184
#3  0x0000000000611b76 in eval_sub (form=...) at ../../emacs-24/src/eval.c:2154
#4  0x0000000000611c3d in eval_sub (form=...) at ../../emacs-24/src/eval.c:2170
#5  0x000000000061141b in Feval (form=..., lexical=...) at ../../emacs-24/src/eval.c:2003
#6  0x000000000061347d in Ffuncall (nargs=3, args=0x7fffffffbfa8) at ../../emacs-24/src/eval.c:2818
#7  0x000000000065ce9a in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=1, args=0x7fffffffc7e0)
     at ../../emacs-24/src/bytecode.c:916
#8  0x0000000000613c9b in funcall_lambda (fun=..., nargs=1, arg_vector=0x7fffffffc7d8) at ../../emacs-24/src/eval.c:2983
#9  0x0000000000613633 in Ffuncall (nargs=2, args=0x7fffffffc7d0) at ../../emacs-24/src/eval.c:2864
#10 0x000000000065ce9a in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=1, args=0x7fffffffd050)
     at ../../emacs-24/src/bytecode.c:916

In eval.c:

   2134        else if (XSUBR (fun)->max_args == MANY)
   2135          {
   2136            /* Pass a vector of evaluated arguments.  */
   2137            Lisp_Object *vals;
   2138            ptrdiff_t argnum = 0;
   2139            USE_SAFE_ALLOCA;
   2140
   2141            SAFE_ALLOCA_LISP (vals, XINT (numargs));
   2142
   2143            GCPRO3 (args_left, fun, fun);
   2144            gcpro3.var = vals;
   2145            gcpro3.nvars = 0;
   2146
   2147            while (!NILP (args_left))
   2148              {
   2149                vals[argnum++] = eval_sub (Fcar (args_left));
   2150                args_left = Fcdr (args_left);
   2151                gcpro3.nvars = argnum;
   2152              }
   2153
   2154            set_backtrace_args (specpdl_ptr - 1, vals);
   2155            set_backtrace_nargs (specpdl_ptr - 1, XINT (numargs));
   2156
   2157            val = (XSUBR (fun)->function.aMANY) (XINT (numargs), vals);
   2158            UNGCPRO;
   2159            SAFE_FREE ();
   2160          }

At 2141, if numargs is > 2047 (and so allocation size exceeds MAX_ALLOCA on
a 64-bit system), SAFE_ALLOCA_LISP pushes an entry of type SPECPDL_UNWIND onto
the specpdl stack.  At line 2154, set_backtrace_args modifies this entry assuming
SPECPDL_BACKTRACE.  Oops.

Dmitry
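
The failure mode described in this message, reduced to a self-contained C model (an added example, not Emacs source and not part of the original message). It compares addressing the backtrace entry as "top of stack minus one" with remembering its index before the allocation. The helpers record_backtrace, alloc_args and update_target and the struct layout are hypothetical; the 2047 limit is the one given in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a tagged "specpdl" stack; not Emacs source. */
enum kind { SPECPDL_UNWIND, SPECPDL_BACKTRACE };
struct entry {
    enum kind kind;
    union {
        struct { void (*func)(void *); void *arg; } unwind;
        struct { void **args; ptrdiff_t nargs; } bt;
    } u;
};
static struct entry specpdl[8], *specpdl_ptr = specpdl;

/* Push a backtrace entry and return its index (hypothetical helper). */
static ptrdiff_t record_backtrace(void) {
    *specpdl_ptr = (struct entry){ .kind = SPECPDL_BACKTRACE };
    return specpdl_ptr++ - specpdl;
}

/* Stand-in for SAFE_ALLOCA_LISP: above the limit the buffer is heap-backed
   and an unwind entry is pushed to release it; below it, nothing is pushed. */
static void **alloc_args(ptrdiff_t n) {
    void **p = calloc((size_t) n, sizeof *p);
    if (n > 2047)                         /* limit taken from the report */
        *specpdl_ptr++ = (struct entry){ .kind = SPECPDL_UNWIND, .u.unwind = { free, p } };
    return p;
}

/* Kind of the entry the argument update lands on.  use_saved_index == 0
   models "specpdl_ptr - 1"; 1 models remembering the backtrace slot. */
static enum kind update_target(ptrdiff_t nargs, int use_saved_index) {
    specpdl_ptr = specpdl;                /* fresh stack per run */
    ptrdiff_t bt = record_backtrace();
    void **vals = alloc_args(nargs);
    struct entry *e = use_saved_index ? &specpdl[bt] : specpdl_ptr - 1;
    enum kind k = e->kind;
    if (k == SPECPDL_BACKTRACE) {         /* the check the assertion performs */
        e->u.bt.args = vals;
        e->u.bt.nargs = nargs;
    }
    free(vals);
    return k;
}

int main(void) {
    printf("%d %d %d\n", update_target(2047, 0), update_target(2048, 0), update_target(2048, 1));
    return 0;
}
```

Without the kind check, the update in the second case would overwrite the fields of the unwind entry, which is the state the --enable-checking assertion reports.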




