GNU bug report logs - #27258
26.0.50; Possible undefined behavior in Fmapbacktrace
Reported by: Philipp <p.stephani2 <at> gmail.com>
Date: Mon, 5 Jun 2017 19:56:02 UTC
Severity: normal
Found in version 26.0.50
Done: Philipp Stephani <p.stephani2 <at> gmail.com>
Bug is archived. No further changes may be made.
Philipp <p.stephani2 <at> gmail.com> wrote on Mon, 5 June 2017 at 21:51:
>
> Insert the following into /tmp/rec.el:
>
> ;; -*- lexical-binding: t; -*-
>
> (require 'cl-lib)
>
> (defun recurse (i g)
>   (if (= i 0)
>       (funcall g (cl-gensym))
>     (recurse (1- i) g)))
>
> (recurse 100 (lambda (sym)
>                (message "outer: %s" sym)
>                (mapbacktrace
>                 (lambda (_ _ args _)
>                   (recurse 100 (lambda (sym)
>                                  (message "inner: %s %s" sym args)))))))
>
> Then run
>
> emacs -Q -batch -l /tmp/rec.el
>
> The printed messages will either be way too short, or Emacs will
> segfault. Re-running the command a couple of times consistently
> generated a segfault for me.
>
> My guess is that pdlvec got reallocated, but Fmapbacktrace uses pointers
> instead of indices to access its elements, so the pointers became
> invalidated and point to garbage.
Fixed with commit 3d9d976aa476b1c1098359a1215ad1cabd022d33.
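
The failure mode guessed at in the report (a pointer into a vector that gets reallocated while a callback runs), as an added example that is neither Emacs source nor part of the report; `struct stack`, `walk_frames` and the other names are hypothetical. The unsafe shape appears only as a comment, and the compiled walker carries an index across the callback instead.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical growable stack standing in for a vector that realloc may move. */
struct stack { int *vec; size_t len, cap; unsigned grows; };

static void push(struct stack *s, int v) {
    if (s->len == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 4;
        int *nv = realloc(s->vec, ncap * sizeof *nv);  /* old block may be freed */
        if (!nv) abort();
        s->vec = nv; s->cap = ncap; s->grows++;
    }
    s->vec[s->len++] = v;
}

typedef void (*frame_fn)(struct stack *s, int frame, void *ctx);

/* Unsafe shape, shown only as a comment:
 *   for (int *p = s->vec + s->len - 1; p >= s->vec; p--) fn(s, *p, ctx);
 * p was derived before fn ran; once fn grows the stack, p may dangle.
 * Safe shape: carry an index across the callback, re-derive the address after. */
static long walk_frames(struct stack *s, frame_fn fn, void *ctx) {
    long sum = 0;
    for (size_t i = s->len; i-- > 0; ) {
        fn(s, s->vec[i], ctx);   /* may push, pop and reallocate s->vec */
        sum += s->vec[i];        /* looked up again through the current base */
    }
    return sum;
}

/* Callback that nests deeply (like the inner recurse), then unwinds. */
static void deep_callback(struct stack *s, int frame, void *ctx) {
    size_t mark = s->len; (void)frame;
    for (int k = 0; k < *(int *)ctx; k++) push(s, -1);
    s->len = mark;
}

unsigned demo_grows;  /* reallocations that happened during the walk */
long demo(void) {
    struct stack s = {0};
    int depth = 1000;
    for (int i = 1; i <= 4; i++) push(&s, i);   /* constructed sample frames */
    unsigned before = s.grows;
    long sum = walk_frames(&s, deep_callback, &depth);
    demo_grows = s.grows - before;
    free(s.vec);
    return sum;
}
int main(void) { long r = demo(); printf("sum=%ld grows=%u\n", r, demo_grows); return 0; }
```
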
This bug report was last modified 8 years and 73 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.