GNU bug report logs - #16512
24.3; Segmentation fault from empty byte-code object literal
Reported by: Christopher Wellons <wellons <at> nullprogram.com>
Date: Tue, 21 Jan 2014 02:12:02 UTC
Severity: normal
Merged with 15405
Found in version 24.3
Fixed in version 24.4
Done: Barry OReilly <gundaetiapo <at> gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#16512; Package emacs. (Tue, 21 Jan 2014 02:12:02 GMT)
Acknowledgement sent to Christopher Wellons <wellons <at> nullprogram.com>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 21 Jan 2014 02:12:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
The following command will cause a segmentation fault in 24.3.1 under
GNU/Linux, both 32-bit and 64-bit. The key is that empty byte-code
object. The rest is there just to make Emacs do enough work to crash.
emacs -Q --eval '(type-of #[])' \
--eval '(insert "(defun ())")' \
-f eval-last-sexp
Pure speculation about why: is it assuming that the byte-code object has
at least four elements, dereferencing garbage somewhere past the end?
The manual states byte-code objects "must have at least four elements,"
which is enforced by `make-byte-code' but *not* enforced for byte-code
literals.
Fatal error 11: Segmentation fault
Backtrace:
emacs[0x4f74cb]
emacs[0x4dcf2e]
emacs[0x4f611e]
emacs[0x4f6283]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf210)[0x7f9276bad210]
emacs[0x5617bb]
emacs[0x564232]
emacs[0x564c67]
emacs[0x565b77]
emacs[0x4aacff]
emacs[0x4ab4f4]
emacs[0x4ab698]
emacs[0x4acc7d]
emacs[0x43a3bd]
emacs[0x4412fe]
emacs[0x441431]
emacs[0x44acbd]
emacs[0x4e754c]
emacs[0x4e99d8]
emacs[0x4ebd4d]
emacs[0x54e453]
emacs[0x4dd3be]
emacs[0x54e32e]
emacs[0x4e1c07]
emacs[0x4e1f04]
emacs[0x4171c5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f9276813995]
emacs[0x417ccf]
Segmentation fault
Here's the "bt full" showing the crash is actually occurring in
/lib/x86_64-linux-gnu/libthread_db.so.1.
(gdb) run --eval '(type-of #[])'
Starting program: /usr/bin/emacs --eval '(type-of #[])'
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe8a23700 (LWP 15364)]
[New Thread 0x7fffe3fff700 (LWP 15365)]
Program received signal SIGSEGV, Segmentation fault.
0x00000000005617bb in ?? ()
(gdb) bt full
#0 0x00000000005617bb in ?? ()
No symbol table info available.
#1 0x0000000000564232 in ?? ()
No symbol table info available.
#2 0x0000000000564c67 in ?? ()
No symbol table info available.
#3 0x0000000000565b77 in ?? ()
No symbol table info available.
#4 0x00000000004aacff in ?? ()
No symbol table info available.
#5 0x00000000004ab4f4 in ?? ()
No symbol table info available.
#6 0x00000000004ab698 in ?? ()
No symbol table info available.
#7 0x00000000004acc7d in ?? ()
No symbol table info available.
#8 0x000000000043a3bd in ?? ()
No symbol table info available.
#9 0x00000000004412fe in ?? ()
No symbol table info available.
#10 0x0000000000441431 in ?? ()
No symbol table info available.
#11 0x000000000044acbd in ?? ()
No symbol table info available.
#12 0x00000000004e754c in ?? ()
No symbol table info available.
#13 0x00000000004e99d8 in ?? ()
No symbol table info available.
#14 0x00000000004ebd4d in ?? ()
No symbol table info available.
#15 0x000000000054e453 in ?? ()
No symbol table info available.
#16 0x00000000004dd3be in ?? ()
No symbol table info available.
#17 0x000000000054e32e in ?? ()
No symbol table info available.
#18 0x00000000004e1c07 in ?? ()
No symbol table info available.
#19 0x00000000004e1f04 in ?? ()
No symbol table info available.
#20 0x00000000004171c5 in ?? ()
No symbol table info available.
#21 0x00007ffff11df995 in __libc_start_main (main=0x4167b0, argc=3,
ubp_av=0x7fffffffe868, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe858) at libc-start.c:276
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 8758318328891328105,
4291750, 140737488349280, 0, 0, -8758318329162348951,
-8758324633951386007}, mask_was_saved = 0}}, priv = {pad = {0x0,
0x0, 0x5d14f0, 0x7fffffffe868}, data = {prev = 0x0, cleanup = 0x0,
canceltype = 6100208}}}
not_first_call = <optimized out>
#22 0x0000000000417ccf in ?? ()
No symbol table info available.
In GNU Emacs 24.3.1 (x86_64-pc-linux-gnu, GTK+ Version 3.8.6)
of 2013-12-22 on brahms, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.11405000
System Description: Debian GNU/Linux unstable (sid)
Configured using:
`configure '--build' 'x86_64-linux-gnu' '--build' 'x86_64-linux-gnu'
'--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib'
'--localstatedir=/var/lib' '--infodir=/usr/share/info'
'--mandir=/usr/share/man' '--with-pop=yes'
'--enable-locallisppath=/etc/emacs24:/etc/emacs:/usr/local/share/emacs/24.3/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/24.3/site-lisp:/usr/share/emacs/site-lisp'
'--with-crt-dir=/usr/lib/x86_64-linux-gnu' '--with-x=yes'
'--with-x-toolkit=gtk3' '--with-toolkit-scroll-bars'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2''
Important settings:
value of $LANG: en_US.UTF-8
locale-coding-system: utf-8-unix
default enable-multibyte-characters: t
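The report above speculates that the reader accepts `#[]` with no elements and that some later consumer assumes at least four, reading past the end of the object. The C below is an added example written for this page, not Emacs source and not the fix that landed in 24.4: it models that hypothesis by parsing a `#[...]` literal just far enough to count its top-level elements (strings, nested lists and vectors are handled; other reader syntax such as `?]` character literals is out of scope), then contrasts a reader that accepts any count with one that applies the same four-element minimum the report says `make-byte-code` enforces. The function and enum names (`count_literal_elems`, `read_literal_unchecked`, `read_literal_checked`, `READ_*`) are assumptions made for the example, and the sample literals are constructed; the four-element one is not a real compiled function.

```c
/* Added example (not Emacs source): a model of the bug class the report
 * speculates about.  A byte-code object is a vector whose first four slots
 * (arglist, byte-string, constants vector, max stack depth) are assumed to
 * exist by whatever consumes it.  `make-byte-code' enforces that minimum;
 * this model contrasts a literal reader that does not with one that does.
 * All names here (count_literal_elems, read_literal_*, READ_*) are
 * assumptions for the example, and the sample literals are constructed. */
#include <stdio.h>
#include <string.h>

#define COMPILED_MIN_SLOTS 4   /* arglist, bytecode, constants, stack depth */

/* Count the top-level elements of a "#[ ... ]" literal.  Understands nested
 * () and [] and double-quoted strings with backslash escapes; other Lisp
 * reader syntax (e.g. ?] character literals) is out of scope for the model.
 * Returns the count, or -1 if the literal is malformed. */
long count_literal_elems(const char *lit)
{
    if (strncmp(lit, "#[", 2) != 0)
        return -1;
    long count = 0, depth = 0;
    int in_atom = 0;               /* inside an unquoted symbol or number */
    for (const char *p = lit + 2; *p; p++) {
        char c = *p;
        if (c == '"') {            /* string: skip to the closing quote */
            if (depth == 0) { count++; in_atom = 0; }
            for (p++; *p && *p != '"'; p++)
                if (*p == '\\' && p[1])
                    p++;           /* escaped char, including \" */
            if (!*p)
                return -1;         /* unterminated string */
        } else if (c == '(' || c == '[') {
            if (depth == 0) { count++; in_atom = 0; }
            depth++;
        } else if (c == ')' || c == ']') {
            if (depth == 0)        /* top-level ']' ends the literal */
                return c == ']' ? count : -1;
            depth--;
        } else if (depth > 0) {
            continue;              /* inside a nested datum */
        } else if (c == ' ' || c == '\t' || c == '\n') {
            in_atom = 0;
        } else if (!in_atom) {
            count++;
            in_atom = 1;
        }
    }
    return -1;                     /* ran off the end without a ']' */
}

enum read_status { READ_OK = 0, READ_MALFORMED = 1, READ_TOO_SHORT = 2 };

/* Reader that accepts any well-formed literal, #[] included: the behaviour
 * the report describes for 24.3, where only make-byte-code checked. */
enum read_status read_literal_unchecked(const char *lit, long *nslots_out)
{
    long n = count_literal_elems(lit);
    if (n < 0)
        return READ_MALFORMED;
    if (nslots_out)
        *nslots_out = n;
    return READ_OK;
}

/* Reader that applies the four-element minimum at the trust boundary, so
 * no consumer ever sees an object shorter than it assumes. */
enum read_status read_literal_checked(const char *lit, long *nslots_out)
{
    long n = count_literal_elems(lit);
    if (n < 0)
        return READ_MALFORMED;
    if (n < COMPILED_MIN_SLOTS)
        return READ_TOO_SHORT;
    if (nslots_out)
        *nslots_out = n;
    return READ_OK;
}

int main(void)
{
    /* Constructed samples: the empty literal from the report, a four-element
     * literal (not a real compiled function), and a malformed one. */
    static const char *const samples[] = {
        "#[]",
        "#[(x) \"\\300\\207\" [nil] 1]",
        "#[(a b) c",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = -1;
        int u = read_literal_unchecked(samples[i], &n);
        int c = read_literal_checked(samples[i], &n);
        printf("%-30s unchecked=%d checked=%d elems=%ld\n", samples[i], u, c, n);
    }
    return 0;
}
```

The point of splitting the two readers is where the check lives: the report notes the reader accepts the literal and the crash only comes once Emacs does "enough work" with the object, so the invariant has to be enforced when the object is created (the reader, as `make-byte-code` already did) rather than rediscovered in every consumer.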
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#16512; Package emacs. (Tue, 21 Jan 2014 02:52:02 GMT)
Message #8 received at 16512 <at> debbugs.gnu.org:
This was fixed on trunk under bug 15405.
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=15405
bug Marked as fixed in versions 24.4. Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 21 Jan 2014 03:38:03 GMT)
Forcibly Merged 15405 16512. Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 21 Jan 2014 03:38:03 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 18 Feb 2014 12:24:03 GMT)