Package: emacs;
Reported by: john muhl <jm <at> pub.pink>
Date: Wed, 24 Jan 2024 16:44:02 UTC
Severity: normal
Done: Stefan Monnier <monnier <at> iro.umontreal.ca>
Bug is archived. No further changes may be made.
Message #11 received at 68690 <at> debbugs.gnu.org:
From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: john muhl <jm <at> pub.pink>, 68690 <at> debbugs.gnu.org, Stefan Monnier <monnier <at> iro.umontreal.ca>
Subject: Re: bug#68690: Segmentation fault building with native-comp
Date: Wed, 24 Jan 2024 20:52:49 +0100
Eli Zaretskii <eliz <at> gnu.org> writes:

>> Date: Wed, 24 Jan 2024 08:36:15 -0600
>> From: john muhl via "Bug reports for GNU Emacs,
>> the Swiss army knife of text editors" <bug-gnu-emacs <at> gnu.org>
>>
>> Bisect says 3018c6e7ba5 is the first bad commit. A build using
>> ‘--without-native-compilation’ works fine. The segfault can be
>> reproduced on Fedora 39 and Debian testing.
>>
>> make bootstrap
>> …
>> make -C ../lisp compile-first EMACS="../src/bootstrap-emacs"
>> make[3]: Entering directory '/home/jm/src/emacs-0/lisp'
>> ELC+ELN emacs-lisp/macroexp.elc
>> ELC+ELN emacs-lisp/cconv.elc
>> ELC+ELN emacs-lisp/byte-opt.elc
>> ELC+ELN emacs-lisp/bytecomp.elc
>> ELC+ELN emacs-lisp/comp.elc
>> ELC+ELN emacs-lisp/comp-cstr.elc
>> ELC+ELN emacs-lisp/comp-common.elc
>> ELC+ELN emacs-lisp/comp-run.elc
>> ELC+ELN emacs-lisp/loaddefs-gen.elc
>> ELC+ELN emacs-lisp/radix-tree.elc
>>
>> Backtrace:
>> ../src/bootstrap-emacs[0x57863b]
>> ../src/bootstrap-emacs[0x42651e]
>
> Adding Stefan, who installed that commit.

FWIW, in an ASAN build, I see an abort. This is with
1f3371b46e8a6a51f88c56785175b48af2a0bed7, on macOS.
ELC+ELN emacs-lisp/macroexp.elc
=================================================================
==32930==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000353e0 at pc 0x000102b3fc97 bp 0x7ff7bdaf7250 sp 0x7ff7bdaf7248
READ of size 8 at 0x60c0000353e0 thread T0
    #0 0x102b3fc96 in Fmaphash fns.c:5665
    #1 0x102b062c8 in funcall_subr eval.c:3092
    #2 0x102bf85af in exec_byte_code bytecode.c:815
    #3 0x102b0fd66 in fetch_and_exec_byte_code eval.c:3135
    #4 0x102b0766b in funcall_lambda eval.c:3207
    #5 0x102b05b80 in funcall_general eval.c:2972
    #6 0x102af5c86 in Ffuncall eval.c:3022
    #7 0x102b3fdee in Fmaphash fns.c:5666
    #8 0x102b062c8 in funcall_subr eval.c:3092
    #9 0x102bf85af in exec_byte_code bytecode.c:815
    #10 0x102b0fd66 in fetch_and_exec_byte_code eval.c:3135
    #11 0x102b0766b in funcall_lambda eval.c:3207
    #12 0x102b05b80 in funcall_general eval.c:2972
    #13 0x102af5c86 in Ffuncall eval.c:3022
    #14 0x102af238f in eval_sub eval.c:2497
    #15 0x102af4477 in Fprogn eval.c:432
    #16 0x102af429d in Fif eval.c:388
    #17 0x102af1ecc in eval_sub eval.c:2476
    #18 0x102af4477 in Fprogn eval.c:432
    #19 0x102af46ae in Fcond eval.c:412
    #20 0x102af1ecc in eval_sub eval.c:2476
    #21 0x102af4477 in Fprogn eval.c:432
    #22 0x102af908b in FletX eval.c:972
    #23 0x102af1ecc in eval_sub eval.c:2476
    #24 0x102af4477 in Fprogn eval.c:432
    #25 0x102af4754 in prog_ignore eval.c:443
    #26 0x102afa345 in Fwhile eval.c:1061
    #27 0x102af1ecc in eval_sub eval.c:2476
    #28 0x102af4477 in Fprogn eval.c:432
    #29 0x102af908b in FletX eval.c:972
    #30 0x102af1ecc in eval_sub eval.c:2476
    #31 0x102af4477 in Fprogn eval.c:432
    #32 0x102af1ecc in eval_sub eval.c:2476
    #33 0x102af4244 in Fif eval.c:387
    #34 0x102af1ecc in eval_sub eval.c:2476
    #35 0x102af4477 in Fprogn eval.c:432
    #36 0x102af9d17 in Flet eval.c:1040
    #37 0x102af1ecc in eval_sub eval.c:2476
    #38 0x102af4477 in Fprogn eval.c:432
    #39 0x102af9d17 in Flet eval.c:1040
    #40 0x102af1ecc in eval_sub eval.c:2476
    #41 0x102af4477 in Fprogn eval.c:432
    #42 0x102b07db5 in funcall_lambda eval.c:3287
    #43 0x102b03941 in apply_lambda eval.c:3157
    #44 0x102af3d68 in eval_sub eval.c:2615
    #45 0x102af4477 in Fprogn eval.c:432
    #46 0x102af9d17 in Flet eval.c:1040
    #47 0x102af1ecc in eval_sub eval.c:2476
    #48 0x102af4477 in Fprogn eval.c:432
    #49 0x102b07db5 in funcall_lambda eval.c:3287
    #50 0x102b03941 in apply_lambda eval.c:3157
    #51 0x102af3d68 in eval_sub eval.c:2615
    #52 0x102afb992 in Funwind_protect eval.c:1321
    #53 0x102af1ecc in eval_sub eval.c:2476
    #54 0x102af4477 in Fprogn eval.c:432
    #55 0x102af9d17 in Flet eval.c:1040
    #56 0x102af1ecc in eval_sub eval.c:2476
    #57 0x102af4477 in Fprogn eval.c:432
    #58 0x102af429d in Fif eval.c:388
    #59 0x102af1ecc in eval_sub eval.c:2476
    #60 0x102af4477 in Fprogn eval.c:432
    #61 0x102b07db5 in funcall_lambda eval.c:3287
    #62 0x102b03941 in apply_lambda eval.c:3157
    #63 0x102af3d68 in eval_sub eval.c:2615
    #64 0x102b02223 in Feval eval.c:2389
    #65 0x1028d087a in top_level_2 keyboard.c:1173
    #66 0x102afd8e8 in internal_condition_case eval.c:1537
    #67 0x1028d06e0 in top_level_1 keyboard.c:1185
    #68 0x102afb4b5 in internal_catch eval.c:1217
    #69 0x10288e149 in command_loop keyboard.c:1134
    #70 0x10288db6d in recursive_edit_1 keyboard.c:744
    #71 0x10288eb2c in Frecursive_edit keyboard.c:827
    #72 0x1028867be in main emacs.c:2624
    #73 0x7ff808461385 in start+0x795 (dyld:x86_64+0xfffffffffff5c385)

0x60c0000353e0 is located 96 bytes inside of 128-byte region [0x60c000035380,0x60c000035400)
freed by thread T0 here:
    #0 0x1052b0e16 in free+0xa6 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xe0e16)
    #1 0x102eca876 in rpl_free free.c:48
    #2 0x102a567bf in xfree alloc.c:831
    #3 0x102a5eada in hash_table_free_bytes alloc.c:5653
    #4 0x102b3b781 in maybe_resize_hash_table fns.c:4723
    #5 0x102b3ae12 in hash_put fns.c:4864
    #6 0x102b3fa6f in Fputhash fns.c:5639
    #7 0x102b06416 in funcall_subr eval.c:3094
    #8 0x102bf85af in exec_byte_code bytecode.c:815
    #9 0x102b0fd66 in fetch_and_exec_byte_code eval.c:3135
    #10 0x102b0766b in funcall_lambda eval.c:3207
    #11 0x102b05b80 in funcall_general eval.c:2972
    #12 0x102af5c86 in Ffuncall eval.c:3022
    #13 0x102b3fdee in Fmaphash fns.c:5666
    #14 0x102b062c8 in funcall_subr eval.c:3092
    #15 0x102bf85af in exec_byte_code bytecode.c:815
    #16 0x102b0fd66 in fetch_and_exec_byte_code eval.c:3135
    #17 0x102b0766b in funcall_lambda eval.c:3207
    #18 0x102b05b80 in funcall_general eval.c:2972
    #19 0x102af5c86 in Ffuncall eval.c:3022
    #20 0x102b3fdee in Fmaphash fns.c:5666
    #21 0x102b062c8 in funcall_subr eval.c:3092
    #22 0x102bf85af in exec_byte_code bytecode.c:815
    #23 0x102b0fd66 in fetch_and_exec_byte_code eval.c:3135
    #24 0x102b0766b in funcall_lambda eval.c:3207
    #25 0x102b05b80 in funcall_general eval.c:2972
    #26 0x102af5c86 in Ffuncall eval.c:3022
    #27 0x102af238f in eval_sub eval.c:2497
    #28 0x102af4477 in Fprogn eval.c:432
    #29 0x102af429d in Fif eval.c:388

previously allocated by thread T0 here:
    #0 0x1052b0ccd in malloc+0x9d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xe0ccd)
    #1 0x102a564bd in lmalloc alloc.c:1402
    #2 0x102a563d6 in xmalloc alloc.c:772
    #3 0x102a5ea87 in hash_table_alloc_bytes alloc.c:5644
    #4 0x102b3b295 in maybe_resize_hash_table fns.c:4700
    #5 0x102b3ae12 in hash_put fns.c:4864
    #6 0x102b3fa6f in Fputhash fns.c:5639
    #7 0x102b06416 in funcall_subr eval.c:3094
    #8 0x102bf85af in exec_byte_code bytecode.c:815
    #9 0x102b0fd66 in fetch_and_exec_byte_code eval.c:3135
    #10 0x102b0766b in funcall_lambda eval.c:3207
    #11 0x102b05b80 in funcall_general eval.c:2972
    #12 0x102af5c86 in Ffuncall eval.c:3022
    #13 0x102b3fdee in Fmaphash fns.c:5666
    #14 0x102b062c8 in funcall_subr eval.c:3092
    #15 0x102bf85af in exec_byte_code bytecode.c:815
    #16 0x102b0fd66 in fetch_and_exec_byte_code eval.c:3135
    #17 0x102b0766b in funcall_lambda eval.c:3207
    #18 0x102b05b80 in funcall_general eval.c:2972
    #19 0x102af5c86 in Ffuncall eval.c:3022
    #20 0x102af238f in eval_sub eval.c:2497
    #21 0x102af4477 in Fprogn eval.c:432
    #22 0x102af429d in Fif eval.c:388
    #23 0x102af1ecc in eval_sub eval.c:2476
    #24 0x102af4477 in Fprogn eval.c:432
    #25 0x102af46ae in Fcond eval.c:412
    #26 0x102af1ecc in eval_sub eval.c:2476
    #27 0x102af4477 in Fprogn eval.c:432
    #28 0x102af908b in FletX eval.c:972
    #29 0x102af1ecc in eval_sub eval.c:2476

SUMMARY: AddressSanitizer: heap-use-after-free fns.c:5665 in Fmaphash
Shadow bytes around the buggy address:
  0x60c000035100: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x60c000035180: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x60c000035200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x60c000035280: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x60c000035300: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x60c000035380: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x60c000035400: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x60c000035480: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x60c000035500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x60c000035580: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x60c000035600: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32930==ABORTING
Fatal error 6: Aborted
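Read together, the two stacks in the ASAN report describe an iterator-invalidation use-after-free: Fmaphash (fns.c:5665) is still reading the hash table's entry storage, while the "freed by" stack shows that storage being released by hash_table_free_bytes inside maybe_resize_hash_table, reached from a Fputhash that the maphash callback itself called (frame #13 of the freeing stack is the same Fmaphash). The C program below is an added illustration of that bug class, not Emacs code; the toy growable table and the names table, map_unsafe, map_safe, insert_derived and fill_four are invented for the demo. It runs the same scenario twice: once with a traversal that caches the storage pointer across callbacks (the shape ASAN flagged), and once with the usual fix, which bounds the loop by the entry count taken at entry and re-reads the storage pointer after every callback.

```c
/* Added illustration of the bug class in the ASAN report above; it is not
   Emacs code.  A toy growable table is traversed while the callback
   inserts into it ('table', 'map_unsafe', 'map_safe' are invented names). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { long key; long value; } entry;
typedef struct { entry *data; size_t cap, count; } table;
typedef void (*map_fn)(table *t, long key, long value);

/* Append an entry.  When full, allocate a block of twice the size, copy,
   and free the old one: the allocate/copy/free sequence that the "freed by"
   stack shows inside maybe_resize_hash_table. */
static void table_put(table *t, long key, long value)
{
    if (t->count == t->cap) {
        entry *grown = calloc(t->cap * 2, sizeof *grown);
        memcpy(grown, t->data, t->count * sizeof *grown);
        free(t->data);              /* any cached copy of t->data now dangles */
        t->data = grown;
        t->cap *= 2;
    }
    t->data[t->count++] = (entry){ key, value };
}

/* Buggy traversal: caches the storage pointer before the loop, which is
   what fails when puthash inside a maphash callback resizes the table.
   To stay free of undefined behaviour the demo compares addresses instead
   of touching the stale block: it returns 1 as soon as the next iteration
   would read freed memory (ASAN's "READ of size 8"), otherwise 0. */
static int map_unsafe(table *t, map_fn fn)
{
    entry *cached = t->data;
    uintptr_t cached_addr = (uintptr_t)cached;
    size_t n = t->count;
    for (size_t i = 0; i < n; i++) {
        if ((uintptr_t)t->data != cached_addr)
            return 1;               /* cached[i] would be a use-after-free */
        fn(t, cached[i].key, cached[i].value);
    }
    return 0;
}

/* Fixed traversal: bound by the count at entry (entries added by the
   callback are deliberately not visited) and re-reads t->data on every
   iteration, so a resize in the callback cannot leave a dangling pointer. */
static void map_safe(table *t, map_fn fn)
{
    size_t n = t->count;
    for (size_t i = 0; i < n; i++) {
        entry e = t->data[i];       /* copy out before the callback runs */
        fn(t, e.key, e.value);
    }
}

/* Demo callback: insert a derived entry for each original key (constructed
   keys 0..3); the first insert into the full table forces a resize. */
static void insert_derived(table *t, long key, long value)
{
    if (key < 100)
        table_put(t, key + 100, value * 2);
}

/* Constructed input: a table of capacity 4 holding exactly 4 entries. */
static void fill_four(table *t)
{
    t->data = calloc(4, sizeof *t->data);
    t->cap = 4;
    t->count = 0;
    for (long k = 0; k < 4; k++)
        table_put(t, k, k);         /* exactly full: the next put must grow */
}

int demo_unsafe(void)               /* returns 1: the cached pointer went stale */
{
    table t;
    fill_four(&t);
    int uaf = map_unsafe(&t, insert_derived);
    free(t.data);
    return uaf;
}

size_t demo_safe(void)              /* returns 8: 4 originals + 4 derived */
{
    table t;
    fill_four(&t);
    map_safe(&t, insert_derived);
    size_t n = t.count;
    free(t.data);
    return n;
}

int main(void)
{
    printf("unsafe traversal would read freed memory: %d\n", demo_unsafe());
    printf("safe traversal final entry count: %zu\n", demo_safe());
    return 0;
}
```

Compiled with -fsanitize=address and the address check in map_unsafe removed, the first dereference of cached[1] produces a heap-use-after-free report of the same form as the one above, with the free attributed to table_put and the read to map_unsafe. Whether a traversal should also visit entries inserted during the walk is a separate design question; what map_safe guarantees is only that no iteration can touch storage the callback has already freed.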
GNU bug tracking system