From unknown Thu Jun 19 13:55:40 2025
From: bug#31186 <31186@debbugs.gnu.org>
To: bug#31186 <31186@debbugs.gnu.org>
Subject: Status: 27.0.50; Undefined behavior in lisp_file_lexically_bound_p
Reply-To: bug#31186 <31186@debbugs.gnu.org>
Date: Thu, 19 Jun 2025 20:55:40 +0000
retitle 31186 27.0.50; Undefined behavior in lisp_file_lexically_bound_p
reassign 31186 emacs
submitter 31186 Philipp
severity 31186 normal
tag 31186 confirmed
thanks
From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 16 20:28:11 2018
From: Philipp
To: bug-gnu-emacs@gnu.org
Subject: 27.0.50; Undefined behavior in lisp_file_lexically_bound_p
Date: Tue, 17 Apr 2018 02:27:55 +0200
Message-ID:
Loading a file or evaluating a buffer with the following contents causes
undefined behavior, normally resulting in a segmentation fault:
;; -*- -:*-
For example:
$ emacs -Q -batch -nw -eval '(with-temp-buffer (insert ";; -*- -:*-") (eval-buffer))'
Fatal error 11: Segmentation faultAbort trap: 6
Backtrace:
(lldb) run -Q -batch -nw -l /tmp/crash.el
Process 45748 launched: '/Users/p/Entwicklung/Emacs/master/src/emacs' (x86_64)
Process 45748 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fffefbf7a8e)
frame #0: 0x0000000100373f19 emacs`lisp_file_lexically_bound_p(readcharfun=(i = 0x0000000101505955)) at lread.c:936
933 if (! in_file_vars)
934 /* The value was terminated by an end-marker, which remove. */
935 i -= 3;
-> 936 while (i > 0 && (val[i - 1] == ' ' || val[i - 1] == '\t'))
937 i--;
938 val[i] = '\0';
939
Target 0: (emacs) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fffefbf7a8e)
* frame #0: 0x0000000100373f19 emacs`lisp_file_lexically_bound_p(readcharfun=(i = 0x0000000101505955)) at lread.c:936
frame #1: 0x000000010037563c emacs`Feval_buffer(buffer=(i = 0x0000000101505955), printflag=(i = 0x0000000000000000), filename=(i = 0x0000000101126a64), unibyte=(i = 0x0000000000000000), do_allow_print=(i = 0x000000000000b8e0)) at lread.c:2140
frame #2: 0x000000010030a643 emacs`funcall_subr(subr=0x000000010093c920, numargs=5, args=0x00007ffeefbf7fa0) at eval.c:2910
frame #3: 0x0000000100308bfb emacs`Ffuncall(nargs=6, args=0x00007ffeefbf7f98) at eval.c:2823
frame #4: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x000000010055da5c), vector=(i = 0x000000010055da7d), maxdepth=(i = 0x000000000000001a), args_template=(i = 0x0000000000000000), nargs=0, args=0x0000000000000000) at bytecode.c:632
frame #5: 0x000000010030b22f emacs`funcall_lambda(fun=(i = 0x000000010055d9dd), nargs=4, arg_vector=0x00007ffeefbf9468) at eval.c:3102
frame #6: 0x0000000100308c4b emacs`Ffuncall(nargs=5, args=0x00007ffeefbf9460) at eval.c:2825
frame #7: 0x0000000100309dd9 emacs`call4(fn=(i = 0x00000000076b1188), arg1=(i = 0x0000000101126a64), arg2=(i = 0x0000000101126a64), arg3=(i = 0x0000000000000000), arg4=(i = 0x000000000000b8e0)) at eval.c:2699
frame #8: 0x000000010037172f emacs`Fload(file=(i = 0x0000000101306f34), noerror=(i = 0x0000000000000000), nomessage=(i = 0x000000000000b8e0), nosuffix=(i = 0x0000000000000000), must_suffix=(i = 0x0000000000000000)) at lread.c:1366
frame #9: 0x000000010030a643 emacs`funcall_subr(subr=0x000000010093c8f0, numargs=3, args=0x00007ffeefbf9d58) at eval.c:2910
frame #10: 0x0000000100308bfb emacs`Ffuncall(nargs=4, args=0x00007ffeefbf9d50) at eval.c:2823
frame #11: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x000000010063d05c), vector=(i = 0x000000010063d07d), maxdepth=(i = 0x000000000000005e), args_template=(i = 0x0000000000000406), nargs=1, args=0x00007ffeefbfb5e8) at bytecode.c:632
frame #12: 0x000000010030abcc emacs`funcall_lambda(fun=(i = 0x000000010063d02d), nargs=1, arg_vector=0x00007ffeefbfb5e0) at eval.c:3024
frame #13: 0x0000000100308c4b emacs`Ffuncall(nargs=2, args=0x00007ffeefbfb5d8) at eval.c:2825
frame #14: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x0000000100637974), vector=(i = 0x0000000100637995), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfd038) at bytecode.c:632
frame #15: 0x000000010030abcc emacs`funcall_lambda(fun=(i = 0x0000000100637945), nargs=0, arg_vector=0x00007ffeefbfd038) at eval.c:3024
frame #16: 0x0000000100308c4b emacs`Ffuncall(nargs=1, args=0x00007ffeefbfd030) at eval.c:2825
frame #17: 0x00000001003b2ddd emacs`exec_byte_code(bytestr=(i = 0x0000000100636924), vector=(i = 0x0000000100636945), maxdepth=(i = 0x0000000000000032), args_template=(i = 0x0000000000000002), nargs=0, args=0x00007ffeefbfe4d0) at bytecode.c:632
frame #18: 0x000000010030abcc emacs`funcall_lambda(fun=(i = 0x00000001006368f5), nargs=0, arg_vector=0x00007ffeefbfe4d0) at eval.c:3024
frame #19: 0x00000001002fedb3 emacs`apply_lambda(fun=(i = 0x00000001006368f5), args=(i = 0x0000000000000000), count=4) at eval.c:2960
frame #20: 0x00000001002efa3c emacs`eval_sub(form=(i = 0x0000000107862053)) at eval.c:2333
frame #21: 0x00000001002faa37 emacs`Feval(form=(i = 0x0000000107862053), lexical=(i = 0x0000000000000000)) at eval.c:2108
frame #22: 0x00000001001d9a9a emacs`top_level_2 at keyboard.c:1120
frame #23: 0x00000001002f8e9f emacs`internal_condition_case(bfun=(emacs`top_level_2 at keyboard.c:1119), handlers=(i = 0x0000000000004a10), hfun=(emacs`cmd_error at keyboard.c:939)) at eval.c:1334
frame #24: 0x00000001001d9741 emacs`top_level_1(ignore=(i = 0x0000000000000000)) at keyboard.c:1128
frame #25: 0x00000001002f80a8 emacs`internal_catch(tag=(i = 0x000000000000bf10), func=(emacs`top_level_1 at keyboard.c:1125), arg=(i = 0x0000000000000000)) at eval.c:1099
frame #26: 0x00000001001bb9a1 emacs`command_loop at keyboard.c:1089
frame #27: 0x00000001001bb7e4 emacs`recursive_edit_1 at keyboard.c:696
frame #28: 0x00000001001bbc11 emacs`Frecursive_edit at keyboard.c:767
frame #29: 0x00000001001b9289 emacs`main(argc=6, argv=0x00007ffeefbff798) at emacs.c:1720
frame #30: 0x00007fff6b0dd115 libdyld.dylib`start + 1
frame #31: 0x00007fff6b0dd115 libdyld.dylib`start + 1
My guess is that `i' wraps around in line 935.
Found by american fuzzy lop.
In GNU Emacs 27.0.50 (build 63, x86_64-apple-darwin17.4.0, NS appkit-1561.20 Version 10.13.3 (Build 17D102))
of 2018-04-17 built on p
Repository revision: b0d261e29e5c1ffb9bc76e3519dd7525ab1edac4
Windowing system distributor 'Apple', version 10.3.1561
System Description: Mac OS X 10.13.3
Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Configured using:
'configure --with-modules --without-pop --with-mailutils
--enable-gcc-warnings=yes --enable-checking
--enable-check-lisp-object-type 'CFLAGS=-ggdb3 -O0''
Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES THREADS
JSON
Important settings:
value of $LANG: de_DE.UTF-8
locale-coding-system: utf-8-unix
From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 16 20:41:32 2018
To: control@debbugs.gnu.org
From: Lars Ingebrigtsen
Subject: control message for bug #31186
Message-Id:
Date: Tue, 17 Apr 2018 02:41:17 +0200
tags 31186 confirmed
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 17 05:48:14 2018
From: Andreas Schwab
To: Philipp
Subject: Re: bug#31186: 27.0.50; Undefined behavior in lisp_file_lexically_bound_p
References:
X-Yow: Now I understand the meaning of ``THE MOD SQUAD''!
Date: Tue, 17 Apr 2018 11:48:04 +0200
In-Reply-To: (Philipp's message of "Tue, 17 Apr 2018 02:27:55 +0200")
Message-ID:
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Cc: 31186-done@debbugs.gnu.org
On Apr 17 2018, Philipp wrote:
> Loading a file or evaluating a buffer with the following contents causes
> undefined behavior, normally resulting in a segmentation fault:
>
> ;; -*- -:*-
>
> For example:
>
> $ emacs -Q -batch -nw -eval '(with-temp-buffer (insert ";; -*- -:*-") (eval-buffer))'
> Fatal error 11: Segmentation faultAbort trap: 6
I have installed this patch in the emacs-26 branch:
* src/lread.c (lisp_file_lexically_bound_p): Reset
beg_end_state before reading variable or value.
---
src/lread.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lread.c b/src/lread.c
index 3104c441ec..72523c057f 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -896,6 +896,7 @@ lisp_file_lexically_bound_p (Lisp_Object readcharfun)
ch = READCHAR;
i = 0;
+ beg_end_state = NOMINAL;
while (ch != ':' && ch != '\n' && ch != EOF && in_file_vars)
{
if (i < sizeof var - 1)
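Review bot: this reset needs a comment; nothing in the hunk says why `beg_end_state` must be NOMINAL at the moment `i` is zeroed, and the commit message only states that it is done. Spell out the invariant: a `-*-` marker begun during the preceding scan must not be completed by the first characters of this one. Without that sentence the line reads as redundant bookkeeping and is at risk of being "cleaned up" later.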
@@ -921,6 +922,7 @@ lisp_file_lexically_bound_p (Lisp_Object readcharfun)
ch = READCHAR;
i = 0;
+ beg_end_state = NOMINAL;
while (ch != ';' && ch != '\n' && ch != EOF && in_file_vars)
{
if (i < sizeof val - 1)
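Review bot: this is the reset that matters for the reporter's `-:*-` input (the `-` of the variable name plus the `*-` of the value formed a bogus end marker), and it is the right fix, but the underflow it prevents remains one state-machine slip away: the `i -= 3` at lread.c:935 shown in the backtrace assumes that all three characters of the end marker were stored in `val`, and the unconditional `val[i] = '\0'` at 938 then trusts the result. Suggest guarding the strip, e.g. `if (i >= 3) i -= 3; else i = 0;` or an `eassert (i >= 3)`, and adding a regression test that loads the reporter's `;; -*- -:*-` line so the crash cannot return silently.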
--
2.17.0
Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
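To make the failure concrete, here is an added C model of the first-line scan that the report and the patch above discuss; it is not Emacs's code but a reconstruction from the visible hunks and backtrace (the state names other than NOMINAL, the 100-byte buffers, and the helpers `update`, `read_token` and `value_len` are my own). With the reset switched off, the `-` of the variable name and the `*-` of the value complete an end marker after only two value characters were stored, so `i -= 3` goes negative; with it on, the value is read as the harmless `*-`.

```c
/* Simplified model of the "-*- var: value -*-" scan in lisp_file_lexically_bound_p
   (added example, not Emacs's code); the reset flag toggles the bug#31186 fix. */
#include <stddef.h>
#include <string.h>

enum beg_end { NOMINAL, AFTER_FIRST_DASH, AFTER_ASTERIX };  /* names assumed */
struct scan {
  const char *p;      /* cursor into the constructed first line */
  enum beg_end state; /* progress through a "-*-" marker */
  int in_file_vars;   /* toggled by every completed "-*-" */
};

/* Feed one consumed character to the marker state machine. */
static void update(struct scan *s, int ch)
{
  if (s->state == NOMINAL) s->state = ch == '-' ? AFTER_FIRST_DASH : NOMINAL;
  else if (s->state == AFTER_FIRST_DASH) s->state = ch == '*' ? AFTER_ASTERIX : NOMINAL;
  else { if (ch == '-') s->in_file_vars = !s->in_file_vars; s->state = NOMINAL; }
}

/* Copy characters up to TERM into BUF and return the stored length.  A negative
   result means "i -= 3" underflowed, which is where lread.c indexes val[i]. */
static ptrdiff_t read_token(struct scan *s, char *buf, size_t size, int term, int reset)
{
  ptrdiff_t i = 0;
  if (reset) s->state = NOMINAL;  /* the fix: no partial marker carries over */
  while (*s->p == ' ' || *s->p == '\t') s->p++;
  while (*s->p != term && *s->p != '\n' && *s->p != '\0' && s->in_file_vars) {
    if ((size_t) i < size - 1) buf[i++] = *s->p;
    update(s, *s->p++);
  }
  if (!s->in_file_vars) i -= 3;  /* drop the closing "-*-"; assumes all three were stored */
  while (i > 0 && (buf[i - 1] == ' ' || buf[i - 1] == '\t')) i--;
  if (i >= 0) buf[i] = '\0';  /* the real code writes here unconditionally */
  return i;
}

char g_var[100], g_val[100];  /* fixed-size buffers like the real code's var/val */

/* Scan LINE; returns the value length, or 0 when there is no file variable. */
ptrdiff_t value_len(const char *line, int reset)
{
  struct scan s = { line, NOMINAL, 0 };
  g_var[0] = g_val[0] = '\0';
  while (*s.p && *s.p != '\n' && !s.in_file_vars) update(&s, *s.p++);  /* opening -*- */
  if (!s.in_file_vars) return 0;
  read_token(&s, g_var, sizeof g_var, ':', reset);
  if (*s.p != ':') return 0;
  s.p++;
  return read_token(&s, g_val, sizeof g_val, ';', reset);
}
```

`value_len(";; -*- -:*-", 0)` returns -1, the index the real code would then write to, while `value_len(";; -*- -:*-", 1)` returns 2.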
From unknown Thu Jun 19 13:55:40 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Tue, 15 May 2018 11:24:07 +0000
User-Agent: Fakemail v42.6.9
# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator