Subject: Status: 26.0.91; infinite recursion + edebug = memory corruption
Date: Wed, 18 Jun 2025 07:18:20 +0000

retitle 30481 26.0.91; infinite recursion + edebug = memory corruption
reassign 30481 emacs
submitter 30481 Noam Postavsky
severity 30481 normal
tag 30481 fixed patch
thanks

From: Noam Postavsky
To: bug-gnu-emacs@gnu.org
Subject: 26.0.91; infinite recursion + edebug = memory corruption
Date: Thu, 15 Feb 2018 22:38:10 -0500
In-Reply-To: <87h8r9mlxx.fsf@users.sourceforge.net> (Noam Postavsky's message of "Thu, 25 Jan 2018 20:46:18 -0500")
Message-ID: <87sha17gf1.fsf_-_@gmail.com>

Tags: patch

Picking up on a side issue from Bug#30243:

>>> emacs: malloc.c:2427: sysmalloc: Assertion `(old_top == initial_top
>>> (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE &&
>>> prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1))
>>> == 0)' failed.
>>> Fatal error 6: Aborted

> The problem appears to be that we hit the limit in grow_specpdl(),
> and then call signal_error which does Ffuncall and then
> record_in_backtrace writes to specpdl, this latter write is invalid
> since we failed to grow specpdl before. Thus memory corruption,
> undefined behaviour, etc.
>
> #0  0x000000000063999d in record_in_backtrace (function=XIL(0xd9ea380), args=0xffef5b188, nargs=2)
>     at ../../src/eval.c:2096
> #1  0x000000000063b8c9 in Ffuncall (nargs=3, args=0xffef5b180) at ../../src/eval.c:2746
> #2  0x000000000063b320 in call2 (fn=XIL(0xd9ea380), arg1=XIL(0x5250), arg2=XIL(0x1161fc03))
>     at ../../src/eval.c:2625
> #3  0x00000000006381db in signal_or_quit (error_symbol=XIL(0x5250), data=XIL(0x1161fc03),
>     keyboard_quit=false) at ../../src/eval.c:1565
> #4  0x000000000063806d in Fsignal (error_symbol=XIL(0x5250), data=XIL(0x1161fc03))
>     at ../../src/eval.c:1514
> #5  0x000000000057939a in xsignal (error_symbol=XIL(0x5250), data=XIL(0x1161fc03))
>     at ../../src/lisp.h:3861
> #6  0x0000000000638704 in signal_error (s=0x75e388 "Variable binding depth exceeds max-specpdl-size",
>     arg=XIL(0)) at ../../src/eval.c:1688
> #7  0x00000000006398cd in grow_specpdl () at ../../src/eval.c:2080
> (More stack frames follow...)

A simple reproducer from emacs -Q, C-u C-M-x on the following:

    (defun foo () (let ((x 1)) (foo)))

then evaluate (foo) and hit 'g' to continue until the "Variable binding
depth exceeds max-specpdl-size" error. At that point the memory
corruption has happened (verified with valgrind), although I found I had
to split window to actually trigger the malloc assertion.

The following patch solves the problem by not calling
signal-hook-function when the specpdl array is exhausted. I think it
could be safe for emacs-26.

[Attachment: v1-0001-Avoid-memory-corruption-with-lisp-stack-overflow-.patch]

From c9a183b31dce87803dad3d5feccf561fe3f63c9b Mon Sep 17 00:00:00 2001
From: Noam Postavsky
Date: Thu, 15 Feb 2018 22:13:51 -0500
Subject: [PATCH v1] Avoid memory corruption with lisp stack overflow + edebug

If grow_specpdl fails due to outgrowing max_specpdl_size, it will signal
an error *before* growing the specpdl array.  Therefore, when handling
the signal, specpdl_ptr points past the end of the specpdl array and any
further use of specpdl before unwinding (e.g., if edebug binds
signal-hook-function) will cause memory corruption.

* src/eval.c (signal_or_quit): Don't call `signal-hook-function' if the
specpdl_ptr is already past the end of the specpdl array.
---
 src/eval.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/eval.c b/src/eval.c
index e05a17f7b4..ca1eb84ff3 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -1553,7 +1553,10 @@ signal_or_quit (Lisp_Object error_symbol, Lisp_Object data, bool keyboard_quit) /* This hook is used by edebug. */ if (! NILP (Vsignal_hook_function) - && ! NILP (error_symbol)) + && ! NILP (error_symbol) + /* Don't try to call a lisp function if we've already overflowed + the specpdl stack. */ + && specpdl_ptr < specpdl + specpdl_size) { /* Edebug takes care of restoring these variables when it exits. */ if (lisp_eval_depth + 20 > max_lisp_eval_depth) -- 2.11.0
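Review bot: the added condition `specpdl_ptr < specpdl + specpdl_size` is correct but its comment understates the invariant it protects; since grow_specpdl signals *before* growing, the hook is reached with specpdl_ptr exactly at specpdl + specpdl_size, and any Lisp call from here records a backtrace frame one slot past the array. Suggest the comment say so explicitly, e.g. "grow_specpdl signals before growing, so specpdl_ptr may already be at the end of the array; calling Lisp here would write past it (Bug#30481)", so a later reader does not loosen the check. The guard also means signal-hook-function is silently skipped for this one error, which edebug depends on; that is the right trade-off but deserves a sentence in the commit message. The reproducer given earlier in the thread is small enough to become a regression test that binds signal-hook-function and recurses until the max-specpdl-size error.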
From: Eli Zaretskii
To: Noam Postavsky
Cc: 30481@debbugs.gnu.org
Subject: Re: bug#30481: 26.0.91; infinite recursion + edebug = memory corruption
Date: Fri, 16 Feb 2018 10:39:08 +0200
In-reply-to: <87sha17gf1.fsf_-_@gmail.com> (message from Noam Postavsky on Thu, 15 Feb 2018 22:38:10 -0500)
Message-Id: <83k1vde3bn.fsf@gnu.org>

> From: Noam Postavsky
> Date: Thu, 15 Feb 2018 22:38:10 -0500
>
> The following patch solves the problem by not calling
> signal-hook-function when the specpdl array is exhausted. I think it
> could be safe for emacs-26.

Please push to emacs-26, and thanks.

(Is it practical to have a test for this?)

From: Noam Postavsky
To: Eli Zaretskii
Cc: 30481@debbugs.gnu.org
Subject: Re: bug#30481: 26.0.91; infinite recursion + edebug = memory corruption
Date: Fri, 16 Feb 2018 22:30:33 -0500
In-Reply-To: <83k1vde3bn.fsf@gnu.org> (Eli Zaretskii's message of "Fri, 16 Feb 2018 10:39:08 +0200")
Message-ID: <87lgfs70o6.fsf@gmail.com>

tags 30481 fixed
close 30481 26.1
quit

Eli Zaretskii writes:
>> From: Noam Postavsky
>> Date: Thu, 15 Feb 2018 22:38:10 -0500
>>
>> The following patch solves the problem by not calling
>> signal-hook-function when the specpdl array is exhausted. I think it
>> could be safe for emacs-26.
>
> Please push to emacs-26, and thanks.

Pushed (with test) [1: c352434ab8].

> (Is it practical to have a test for this?)

Yes, actually. I initially had some trouble reproducing without
instrumenting a function with edebug, but now I see that's just because
a function which let-binds only a single variable hits
max-lisp-eval-depth before max-specpdl-size (edebug's instrumentation
adds more bindings per call). Let-binding two variables allows
triggering the bug with just

    (defun foo () (let ((x 1) (y 2)) (foo)))
    (let ((signal-hook-function #'ignore)) (foo))

[1: c352434ab8]: 2018-02-16 22:13:34 -0500
  Avoid memory corruption with specpdl overflow + edebug (Bug#30481)
  https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=c352434ab89617b48c7c1f29342a22e5a5685504

From: Debbugs Internal Request
Subject: Internal Control
Date: Sat, 17 Mar 2018 11:24:06 +0000

bug archived.
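As an added illustration (editor's code, not Emacs source and not from anyone in this thread), here is a cut-down C model of the failure mode described above: a bounded binding stack is grown on demand, grow_specpdl signals *before* growing once the cap is reached, and the signal hook run on the way out records a frame through specpdl_ptr, which by then already points at the end of the array. The guard is the one from the patch; the structure, the sizes and the canary slot are invented for the model, and max-lisp-eval-depth is omitted, so the model does not show why the Lisp reproducer needs two let-bindings.

```c
#include <stdbool.h>
#include <stddef.h>
enum { MAX_SPECPDL_SIZE = 4 };           /* stands in for max-specpdl-size */
struct specbinding { int symbol; int old_value; };
struct model {
    struct specbinding specpdl[MAX_SPECPDL_SIZE + 1]; /* cap + 1 canary slot */
    struct specbinding *specpdl_ptr;     /* next free slot */
    ptrdiff_t specpdl_size;              /* current logical capacity */
    bool guard_hook;                     /* apply the patch's check? */
};
/* signal-hook-function stand-in: calling Lisp records a frame, i.e. it
   writes through specpdl_ptr exactly as record_in_backtrace does. */
static void signal_hook(struct model *m) {
    m->specpdl_ptr->symbol = 0;          /* the write that corrupted memory */
    m->specpdl_ptr++;
}

/* signal_or_quit, with or without the guard added for Bug#30481
   (Emacs would then unwind to a handler; the model simply returns). */
static void signal_error(struct model *m) {
    if (!m->guard_hook || m->specpdl_ptr < m->specpdl + m->specpdl_size)
        signal_hook(m);
}

/* grow_specpdl signals *before* growing once the cap is hit, leaving
   specpdl_ptr == specpdl + specpdl_size, one past the usable end. */
static bool grow_specpdl(struct model *m) {
    if (m->specpdl_size >= MAX_SPECPDL_SIZE) { signal_error(m); return false; }
    m->specpdl_size = m->specpdl_size * 2 < MAX_SPECPDL_SIZE
                      ? m->specpdl_size * 2 : MAX_SPECPDL_SIZE;
    return true;
}

/* specbind: push one binding, growing first when the array is full. */
static bool specbind(struct model *m, int symbol) {
    if (m->specpdl_ptr == m->specpdl + m->specpdl_size && !grow_specpdl(m))
        return false;
    *m->specpdl_ptr++ = (struct specbinding){ symbol, 0 };
    return true;
}

/* Bind until the cap trips, as the recursing reproducer does.  The canary
   just past the cap is where the stray record lands in this model (in real
   Emacs it hit malloc metadata, hence the sysmalloc assertion). */
bool overflow_corrupts_memory(bool guard_hook) {
    struct model m = { .specpdl_size = 2, .guard_hook = guard_hook };
    m.specpdl_ptr = m.specpdl;
    m.specpdl[MAX_SPECPDL_SIZE].symbol = -1;   /* canary */
    for (int sym = 1; specbind(&m, sym); sym++) {}
    return m.specpdl[MAX_SPECPDL_SIZE].symbol != -1;
}
```

overflow_corrupts_memory(false) reports the canary overwritten, overflow_corrupts_memory(true) reports it intact.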