From: Noam Postavsky <npostavs@gmail.com>
To: 30481@debbugs.gnu.org
Subject: bug#30481: 26.0.91; infinite recursion + edebug = memory corruption
Date: Thu, 15 Feb 2018 22:38:10 -0500
Message-ID: <87sha17gf1.fsf_-_@gmail.com>
In-Reply-To: <87h8r9mlxx.fsf@users.sourceforge.net> (Noam Postavsky's message of "Thu, 25 Jan 2018 20:46:18 -0500")
Tags: patch
Picking up on a side issue from Bug#30243:
>>> emacs: malloc.c:2427: sysmalloc: Assertion `(old_top == initial_top
>>> (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE &&
>>> prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1))
>>> == 0)' failed.
>>> Fatal error 6: Aborted
> The problem appears to be that we hit the limit in grow_specpdl(),
> and then call signal_error which does Ffuncall and then
> record_in_backtrace writes to specdl, this latter write is invalid
> since we failed to grow specdl before. Thus memory corruption,
> undefined behaviour, etc.
>
> #0 0x000000000063999d in record_in_backtrace (function=XIL(0xd9ea380), args=0xffef5b188, nargs=2)
> at ../../src/eval.c:2096
> #1 0x000000000063b8c9 in Ffuncall (nargs=3, args=0xffef5b180) at ../../src/eval.c:2746
> #2 0x000000000063b320 in call2 (fn=XIL(0xd9ea380), arg1=XIL(0x5250), arg2=XIL(0x1161fc03))
> at ../../src/eval.c:2625
> #3 0x00000000006381db in signal_or_quit (error_symbol=XIL(0x5250), data=XIL(0x1161fc03),
> keyboard_quit=false) at ../../src/eval.c:1565
> #4 0x000000000063806d in Fsignal (error_symbol=XIL(0x5250), data=XIL(0x1161fc03))
> at ../../src/eval.c:1514
> #5 0x000000000057939a in xsignal (error_symbol=XIL(0x5250), data=XIL(0x1161fc03))
> at ../../src/lisp.h:3861
> #6 0x0000000000638704 in signal_error (s=0x75e388 "Variable binding depth exceeds max-specpdl-size",
> arg=XIL(0)) at ../../src/eval.c:1688
> #7 0x00000000006398cd in grow_specpdl () at ../../src/eval.c:2080
> (More stack frames follow...)
A simple reproducer from emacs -Q, C-u C-M-x on the following:
(defun foo ()
  (let ((x 1))
    (foo)))
then evaluate (foo) and hit 'g' to continue until the "Variable binding
depth exceeds max-specpdl-size" error. At that point the memory
corruption has happened (verified with valgrind), although I found I had
to split the window to actually trigger the malloc assertion.
The following patch solves the problem by not calling
signal-hook-function when the specpdl array is exhausted. I think it
could be safe for emacs-26.
From c9a183b31dce87803dad3d5feccf561fe3f63c9b Mon Sep 17 00:00:00 2001
From: Noam Postavsky <npostavs@gmail.com>
Date: Thu, 15 Feb 2018 22:13:51 -0500
Subject: [PATCH v1] Avoid memory corruption with lisp stack overflow + edebug
If grow_specpdl fails due to outgrowing max_specpdl_size, it will
signal an error *before* growing the specpdl array. Therefore, when
handling the signal, specpdl_ptr points past the end of the specpdl
array and any further use of specpdl before unwinding (e.g., if
edebug binds signal-hook-function) will cause memory corruption.
* src/eval.c (signal_or_quit): Don't call `signal-hook-function' if
the specpdl_ptr is already past the end of the specpdl array.
---
src/eval.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/eval.c b/src/eval.c
index e05a17f7b4..ca1eb84ff3 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -1553,7 +1553,10 @@ signal_or_quit (Lisp_Object error_symbol, Lisp_Object data, bool keyboard_quit)
/* This hook is used by edebug. */
if (! NILP (Vsignal_hook_function)
- && ! NILP (error_symbol))
+ && ! NILP (error_symbol)
+ /* Don't try to call a lisp function if we've already overflowed
+ the specpdl stack. */
+ && specpdl_ptr < specpdl + specpdl_size)
{
/* Edebug takes care of restoring these variables when it exits. */
if (lisp_eval_depth + 20 > max_lisp_eval_depth)
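Review bot: the new condition `specpdl_ptr < specpdl + specpdl_size` skips the hook when specpdl_ptr is exactly at the end of the array, which is the state grow_specpdl signals from, whereas the commit message says "already past the end"; "at or past the end" would describe the check accurately. The in-code comment would also benefit from saying why one free slot is enough: the hook call pushes one backtrace entry, and if the hook then binds anything, grow_specpdl signals again and this same condition suppresses the nested hook call instead of writing past the array.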
--
2.11.0
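A toy model of the failure described in this report, added here as an example and not Emacs's code: a fixed-size binding stack whose grow function signals before making room, with the signal path calling a Lisp hook that records a backtrace entry. The array carries one extra red-zone slot holding a canary (standing in for what valgrind observed) so the one-entry overrun is visible without undefined behaviour; `guard_overflow` toggles the patch's extra condition.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the specpdl binding stack, not Emacs's code.
   One extra slot past the end holds a canary so an overrun by a single
   entry is observable instead of being heap corruption. */
#define SPECPDL_SIZE 8
#define CANARY 0x5ca1ab1e
enum { BIND_X = 1, HOOK_FN = 2 };

static int specpdl[SPECPDL_SIZE + 1];
static size_t specpdl_ptr;        /* index of the next free slot */
static bool guard_overflow;       /* the patch's added condition */

/* Ffuncall records every called function in the backtrace first. */
static void record_in_backtrace(int fn)
{
  if (specpdl_ptr <= SPECPDL_SIZE)  /* keep the model itself memory safe */
    specpdl[specpdl_ptr++] = fn;
}

/* signal_or_quit hands the error to signal-hook-function (edebug) by
   calling it as Lisp, which goes through record_in_backtrace. */
static void signal_or_quit(void)
{
  if (!guard_overflow || specpdl_ptr < SPECPDL_SIZE)
    record_in_backtrace(HOOK_FN);
}

/* grow_specpdl signals *before* making room, so no slot is free yet. */
static bool grow_specpdl(void)
{
  signal_or_quit();
  return false;                   /* max-specpdl-size reached */
}

/* specbind: one let-binding consumes one slot. */
static bool specbind(int var)
{
  if (specpdl_ptr >= SPECPDL_SIZE && !grow_specpdl())
    return false;
  specpdl[specpdl_ptr++] = var;
  return true;
}

/* Runs (defun foo () (let ((x 1)) (foo))) until the depth error fires
   and reports whether the red-zone canary survived. */
bool recurse_until_overflow(bool with_patch)
{
  guard_overflow = with_patch;
  specpdl_ptr = 0;
  specpdl[SPECPDL_SIZE] = CANARY;
  while (specbind(BIND_X))
    ;
  return specpdl[SPECPDL_SIZE] == CANARY;
}
```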