From: Philipp Stephani
Newsgroups: gmane.emacs.bugs
Subject: bug#27258: 26.0.50; Possible undefined behavior in Fmapbacktrace
Date: Mon, 05 Jun 2017 20:13:37 +0000
To: 27258@debbugs.gnu.org

Philipp wrote on Mon, 5 June 2017 at 21:51:

>
> Insert the following into /tmp/rec.el:
>
> ;; -*- lexical-binding: t; -*-
>
> (require 'cl-lib)
>
> (defun recurse (i g)
>   (if (= i 0)
>       (funcall g (cl-gensym))
>     (recurse (1- i) g)))
>
> (recurse 100 (lambda (sym)
>                (message "outer: %s" sym)
>                (mapbacktrace
>                 (lambda (_ _ args _)
>                   (recurse 100 (lambda (sym)
>                                  (message "inner: %s %s" sym args)))))))
>
> Then run
>
>   emacs -Q -batch -l /tmp/rec.el
>
> The printed messages will either be way too short, or Emacs will
> segfault.  Re-running the command a couple of times consistently
> generated a segfault for me.
>
> My guess is that pdlvec got reallocated, but Fmapbacktrace uses pointers
> instead of indices to access its element, so the pointers became
> invalidated and point to garbage.

Fixed with commit 3d9d976aa476b1c1098359a1215ad1cabd022d33.

