From: Ruijie Yu via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#62009: 29.0.60; Emacs crashes on setf symbol-name
Date: Tue, 07 Mar 2023 12:40:06 +0800
References: <87o7p5of4n.fsf@daniel-mendler.de>
To: Daniel Mendler
Cc: 62009@debbugs.gnu.org

Daniel Mendler writes:

> Execute the following in the scratch buffer:
>
> (setf (aref (symbol-name 'car) 1) ?o)
>
> Emacs crashes with a segmentation fault. Is this a well-known issue? I
> could reproduce the problem on Emacs 27 and 29. Should there be some
> mechanism to protect the strings of symbols?
>
> I found the snippet on reddit:
> https://old.reddit.com/r/emacs/comments/11ix6yu/ive_found_what_ive_been_looking_for/jb4ah5v/

Can't access reddit, but can reproduce in recent master (6fb8a4dff7ef).

To test, first put this file under emacs.git/src/:

test.el:

(defun foo (symbol)
  ;; Print the name, mutate its second character in place, print again.
  (message "[1] %S" (symbol-name symbol))
  (setf (aref (symbol-name symbol) 1) ?x)
  (message "[2] %S" (symbol-name symbol)))

$ make; cd src

Then do the following for each symbol:

- setf
- find-file
- with-current-buffer
- buffer-file-name

$ ./emacs -Q -batch -l test.el -eval '(foo (quote setf))'
[1] "setf"
[2] "sxtf"

$ ./emacs -Q -batch -l test.el -eval '(foo (quote find-file))'
[1] "find-file"
[2] "fxnd-file"

And these below: aref, null, car, cdr, save-current-buffer

$ ./emacs -Q -batch -l test.el -eval '(foo (quote aref))'
[1] "aref"
Fatal error 11: Segmentation fault
Backtrace:
...

My observation is that symbols "introduced" via C defuns and defmacros exhibit this problem, whereas those introduced via Elisp defuns and defmacros do not. No symbols introduced via defvars exhibit this problem, as shown above with buffer-file-name.

Seeing that it is a segfault, maybe the setf is trying to modify readonly memory produced by the C defuns and defmacros? If that is the case, *if* we allow such modifications, we should make the memory readwrite; *otherwise* maybe we should no-op, warn, or err in setf and friends when we see readonly memory blocks?

With this collection of GDB commands:

debug.gdb:

set debuginfod enabled off
run
bt
exit

And this GDB command line option:

$ gdb -x debug.gdb --batch --args ./emacs -Q -batch -l ../test.el -eval '(foo (quote car))' > car.backtrace

I get the backtrace (attached below) for setf + symbol-name + 'car as reported by OP.
car.backtrace:

SIGINT is used by the debugger.
Are you sure you want to change it? (y or n) [answered Y; input not from terminal]
DISPLAY = :0
TERM = xterm-256color
Breakpoint 1 at 0x4e2ab: file emacs.c, line 426.
Breakpoint 2 at 0x142970: file xterm.c, line 26474.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
Faset (array=XIL(0x7ffff1d10adc), idx=make_fixnum(1), newelt=make_fixnum(120)) at /opt/src/emacs/base/62009-setf-symbol-name/src/lisp.h:1671
1671	  return XSTRING (string)->u.s.data;
#0  Faset (array=XIL(0x7ffff1d10adc), idx=make_fixnum(1), newelt=make_fixnum(120)) at /opt/src/emacs/base/62009-setf-symbol-name/src/lisp.h:1671
#1  0x000055555576f431 in eval_sub (form=) at eval.c:2506
#2  0x000055555577132d in Fprogn (body=XIL(0)) at eval.c:436
#3  FletX (args=) at eval.c:958
#4  0x000055555576f198 in eval_sub (form=) at eval.c:2451
#5  0x00005555557701ed in Fprogn (body=XIL(0x7ffff24d25d3)) at eval.c:436
#6  funcall_lambda (fun=, fun@entry=XIL(0x7ffff24d5b13), nargs=nargs@entry=1, arg_vector=arg_vector@entry=0x7fffffffd9e0) at eval.c:3235
#7  0x000055555577095c in apply_lambda (fun=fun@entry=XIL(0x7ffff24d5b13), args=, count=count@entry=...) at eval.c:3105
#8  0x000055555576eea6 in eval_sub (form=form@entry=XIL(0x7ffff24d5cf3)) at eval.c:2590
#9  0x0000555555771a8f in Feval (form=XIL(0x7ffff24d5cf3), lexical=) at eval.c:2363
#10 0x00005555557b5882 in exec_byte_code (fun=, args_template=, nargs=, args=) at bytecode.c:809
#11 0x000055555577095c in apply_lambda (fun=fun@entry=XIL(0x7ffff19dc085), args=, count=count@entry=...) at eval.c:3105
#12 0x000055555576eea6 in eval_sub (form=form@entry=XIL(0x7ffff1e13773)) at eval.c:2590
#13 0x0000555555771a8f in Feval (form=XIL(0x7ffff1e13773), lexical=) at eval.c:2363
#14 0x0000555555769cf7 in internal_condition_case (bfun=bfun@entry=0x5555556da3b0 , handlers=handlers@entry=XIL(0x90), hfun=hfun@entry=0x5555556e1990 ) at eval.c:1474
#15 0x00005555556dad36 in top_level_1 (ignore=ignore@entry=XIL(0)) at keyboard.c:1141
#16 0x0000555555769c51 in internal_catch (tag=tag@entry=XIL(0x103e0), func=func@entry=0x5555556dad10 , arg=arg@entry=XIL(0)) at eval.c:1197
#17 0x00005555556da32f in command_loop () at keyboard.c:1101
#18 0x00005555556e1512 in recursive_edit_1 () at keyboard.c:711
#19 0x00005555556e18a0 in Frecursive_edit () at keyboard.c:794
#20 0x00005555555ab49f in main (argc=7, argv=0x7fffffffe0a8) at emacs.c:2530

Lisp Backtrace:
"aset" (0xffffd790)
"let*" (0xffffd8c0)
"foo" (0xffffd9e0)
"eval" (0xf05ff1c0)
"command-line-1" (0xf05ff0b8)
"command-line" (0xf05ff040)
"normal-top-level" (0xffffdbd0)
A debugging session is active.

	Inferior 1 [process 1106482] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]

HTH.

--
Best,
RY
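As an added illustration (not part of this report, and not code from Emacs itself): the string returned by symbol-name is the symbol's own name, shared with the obarray, so an in-place aset either corrupts the interned name (the "sxtf" result above) or, for symbols whose names live in C-provided storage, writes to memory that crashes the process. The Elisp below detects that shared-name case before any aset and offers a copy for code that genuinely needs an editable name. The names interned-symbol-name-p, safe-string-aset and symbol-name-copy are made up for this example.

```elisp
;; Added example, not from the bug report or from Emacs.
;; The three defuns below are hypothetical helper names chosen here.

(defun interned-symbol-name-p (string)
  "Return the interned symbol whose `symbol-name' is STRING itself, else nil.
Only the canonical name object is flagged (compared with `eq'); a fresh
copy of the same characters is an ordinary, safely mutable string."
  (and (stringp string)
       (let ((sym (intern-soft string)))
         (and sym (eq (symbol-name sym) string) sym))))

(defun safe-string-aset (string index char)
  "Like (aset STRING INDEX CHAR), but signal an error instead of mutating
the name string of an interned symbol in place."
  (let ((owner (interned-symbol-name-p string)))
    (when owner
      (error "Refusing to modify the name of interned symbol `%S' in place"
             owner))
    (aset string index char)))

(defun symbol-name-copy (symbol)
  "Return a fresh copy of SYMBOL's name that can be edited freely."
  (copy-sequence (symbol-name symbol)))

;; Usage, e.g. in *scratch* or via ./emacs -Q -batch -l <this file>:
;;
;; (safe-string-aset (symbol-name 'car) 1 ?o)
;;
;; (let ((s (symbol-name-copy 'car)))
;;   (safe-string-aset s 1 ?o)
;;   (list s (symbol-name 'car)))
```

The first usage form signals a Lisp error rather than segfaulting; the second edits only the copy and leaves the name of car untouched. The guard deliberately does not distinguish C-defined from Lisp-defined symbols: both cases silently corrupt the interned name, and only the C-defined ones happen to crash, so refusing all in-place edits of a canonical symbol name is the conservative choice.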