GNU bug report logs - #76970
31.0.50; master emacs crash with stack overflow

Previous Next

Package: emacs;

Reported by: Eval Exec <execvy <at> gmail.com>

Date: Wed, 12 Mar 2025 02:45:02 UTC

Severity: normal

Found in version 31.0.50

Done: Pip Cet <pipcet <at> protonmail.com>

Full log


View this message in rfc822 format

From: Pip Cet <pipcet <at> protonmail.com>
To: Aaron Zeng <azeng <at> janestreet.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, app-emacs-dev <at> janestreet.com, 76970 <at> debbugs.gnu.org
Subject: bug#76970: 31.0.50; master emacs crash with stack overflow
Date: Tue, 24 Jun 2025 05:46:22 +0000
"Aaron Zeng" <azeng <at> janestreet.com> writes:

> I applied your patch from the master branch and got a segfault again, but it has a different
> top frame.  I have attached a backtrace generated with [thread apply all bt full].  In this one,
> I do not see __lll_unlock_wake appear at all.

This one happened while waiting for the lock, not right after unlocking
it.  Not a big difference.

The original fix was incomplete, please try applying this one, too:

diff --git a/src/eval.c b/src/eval.c
index 46705dc4543..20782639990 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -159,7 +159,11 @@ set_backtrace_debug_on_exit (union specbinding *pdl, bool doe)
 
 bool
 backtrace_p (union specbinding *pdl)
-{ return specpdl ? pdl >= specpdl : false; }
+{
+  if (current_thread && specpdl && pdl)
+    return pdl >= specpdl;
+  return false;
+}
 
 static bool
 backtrace_thread_p (struct thread_state *tstate, union specbinding *pdl)

> This is from Emacs compiled at revision 991d3ad80a37a1cf8951d2607eb5f7544f968e93.
>
> It seems it is possible for current_thread to be set to NULL by the dying thread,
> during backtrace_top.

It is possible, in theory, for that to happen, and this additional race
condition also should be fixed, but it's not what happened here.  What
happened here was that current_thread became NULL, we checked it in
backtrace_top, returned a NULL pointer for the pdl, passed that NULL
pointer to backtrace_p, dereferenced current_thread again (by evaluating
specpdl) and caused a segfault.

Pip





This bug report was last modified 27 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.