
bug#18473: 24.4.50; SEGFAULT when vconcatting more than 2048 vectors


From: Dmitry Antipov
Subject: bug#18473: 24.4.50; SEGFAULT when vconcatting more than 2048 vectors
Date: Sun, 14 Sep 2014 21:10:31 +0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1

On 09/14/2014 06:37 AM, Michael Welsh Duggan wrote:

> With attached foo.el:
>
> emacs -Q -l foo.el
> (testbug 2049)
> C-j
>
> SEGFAULT

Also reproduced in emacs-24 branch (here and below, emacs-24 branch is assumed).

This looks like a fundamental bug in eval_sub, probably introduced in r112828.
When compiling with --enable-checking, it gives:

../../emacs-24/src/eval.c:184: Emacs fatal error: assertion failed: pdl->kind == SPECPDL_BACKTRACE

(gdb) bt 10
#0  0x000000000056a602 in terminate_due_to_signal (sig=6, backtrace_limit=2147483647) at ../../emacs-24/src/emacs.c:351
#1  0x00000000005f1d8e in die (msg=0x714b20 "pdl->kind == SPECPDL_BACKTRACE", file=0x714ab8 "../../emacs-24/src/eval.c", line=184) at ../../emacs-24/src/alloc.c:6833
#2  0x000000000060c5e6 in set_backtrace_args (pdl=0x1327bc0, args=0x7fffec33e010) at ../../emacs-24/src/eval.c:184
#3  0x0000000000611b76 in eval_sub (form=...) at ../../emacs-24/src/eval.c:2154
#4  0x0000000000611c3d in eval_sub (form=...) at ../../emacs-24/src/eval.c:2170
#5  0x000000000061141b in Feval (form=..., lexical=...) at ../../emacs-24/src/eval.c:2003
#6  0x000000000061347d in Ffuncall (nargs=3, args=0x7fffffffbfa8) at ../../emacs-24/src/eval.c:2818
#7  0x000000000065ce9a in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=1, args=0x7fffffffc7e0) at ../../emacs-24/src/bytecode.c:916
#8  0x0000000000613c9b in funcall_lambda (fun=..., nargs=1, arg_vector=0x7fffffffc7d8) at ../../emacs-24/src/eval.c:2983
#9  0x0000000000613633 in Ffuncall (nargs=2, args=0x7fffffffc7d0) at ../../emacs-24/src/eval.c:2864
#10 0x000000000065ce9a in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=1, args=0x7fffffffd050) at ../../emacs-24/src/bytecode.c:916

In eval.c:

  2134        else if (XSUBR (fun)->max_args == MANY)
  2135          {
  2136            /* Pass a vector of evaluated arguments.  */
  2137            Lisp_Object *vals;
  2138            ptrdiff_t argnum = 0;
  2139            USE_SAFE_ALLOCA;
  2140
  2141            SAFE_ALLOCA_LISP (vals, XINT (numargs));
  2142
  2143            GCPRO3 (args_left, fun, fun);
  2144            gcpro3.var = vals;
  2145            gcpro3.nvars = 0;
  2146
  2147            while (!NILP (args_left))
  2148              {
  2149                vals[argnum++] = eval_sub (Fcar (args_left));
  2150                args_left = Fcdr (args_left);
  2151                gcpro3.nvars = argnum;
  2152              }
  2153
  2154            set_backtrace_args (specpdl_ptr - 1, vals);
  2155            set_backtrace_nargs (specpdl_ptr - 1, XINT (numargs));
  2156
  2157            val = (XSUBR (fun)->function.aMANY) (XINT (numargs), vals);
  2158            UNGCPRO;
  2159            SAFE_FREE ();
  2160          }

At 2141, if numargs is > 2047 (and so the allocation size exceeds MAX_ALLOCA on
a 64-bit system), SAFE_ALLOCA_LISP pushes an entry of type SPECPDL_UNWIND onto
the specpdl stack.  At line 2154, set_backtrace_args modifies this entry assuming
SPECPDL_BACKTRACE.  Oops.

Dmitry
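The mechanism described in the message, as an added stand-alone model rather than Emacs source: a constructed specpdl stack with the same two record kinds, a SAFE_ALLOCA_LISP stand-in that pushes an UNWIND record only for large requests (the threshold MAX_ALLOCA and the 8-slot stack are constructed), and a set_backtrace_args that reports the kind mismatch instead of asserting. eval_many shows both the quoted code's "specpdl_ptr - 1 after allocating" and the alternative of remembering the backtrace record before the allocation can push.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

enum specpdl_kind { SPECPDL_UNWIND, SPECPDL_BACKTRACE };

struct specbinding {
  enum specpdl_kind kind;
  void *ptr; ptrdiff_t nargs;  /* UNWIND: heap block to free; BACKTRACE: args, nargs */
};

#define MAX_ALLOCA 16384   /* constructed stand-in for Emacs' MAX_ALLOCA */
static struct specbinding specpdl[8], *specpdl_ptr = specpdl;

static void push (enum specpdl_kind k, void *p) { *specpdl_ptr++ = (struct specbinding) { k, p, 0 }; }

/* Like SAFE_ALLOCA_LISP: a request that fits in MAX_ALLOCA pushes nothing,
   a larger one is heap-allocated and pushes an UNWIND record to free it.  */
static void **safe_alloca_lisp (ptrdiff_t n) {
  void **vals = calloc ((size_t) n, sizeof *vals);
  if (!((size_t) n * sizeof *vals < MAX_ALLOCA))
    push (SPECPDL_UNWIND, vals);
  return vals;
}

/* The eassert from the report, made non-fatal so the model can report it.  */
static bool set_backtrace_args (struct specbinding *pdl, void **args, ptrdiff_t n) {
  if (pdl->kind != SPECPDL_BACKTRACE)
    return false;
  pdl->ptr = args; pdl->nargs = n;
  return true;
}

/* unbind_to: pop records, freeing the heap blocks UNWIND records own.  */
static void unwind_to (struct specbinding *base) {
  while (specpdl_ptr > base)
    if ((--specpdl_ptr)->kind == SPECPDL_UNWIND)
      free (specpdl_ptr->ptr);
}

/* The MANY branch of eval_sub.  fixed == false addresses the backtrace record
   as specpdl_ptr - 1 after allocating (as quoted); fixed == true saves it first.  */
static bool eval_many (ptrdiff_t nargs, bool fixed) {
  struct specbinding *base = specpdl_ptr;
  push (SPECPDL_BACKTRACE, NULL);                 /* record_in_backtrace */
  struct specbinding *bt = specpdl_ptr - 1, *mark = specpdl_ptr;
  void **vals = safe_alloca_lisp (nargs);
  bool ok = set_backtrace_args (fixed ? bt : specpdl_ptr - 1, vals, nargs);
  if (specpdl_ptr == mark)
    free (vals);                                  /* "alloca" case: nothing recorded */
  unwind_to (base);                               /* SAFE_FREE + unbind_to */
  return ok;
}
```

With 8-byte pointers the boundary is the report's: 2047 arguments stay below MAX_ALLOCA and succeed, 2048 push an UNWIND record and the unfixed path hands it to set_backtrace_args.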