bug#29066: 26.0.90; crash in gc involving buffer local symbols

[Valentin Gatien-Baron]

Yes, it fixes the problem.

I also checked the following works, and seems better to me (stop having dangling pointers, instead of being careful with them):

diff --git a/src/alloc.c b/src/alloc.c

index da0c3ad4b3..44dfa95cf5 100644

--- a/src/alloc.c

+++ b/src/alloc.c

@@ -7030,8 +7030,10 @@ sweep_symbols (void)

         {

           if (!sym->s.gcmarkbit)

             {

-              if (sym->s.redirect == SYMBOL_LOCALIZED)

+              if (sym->s.redirect == SYMBOL_LOCALIZED) {

                 xfree (SYMBOL_BLV (&sym->s));

+                sym->s.val.blv = NULL;

+              }

               sym->s.next = symbol_free_list;

               symbol_free_list = &sym->s;

               symbol_free_list->function = Vdead;

On Mon, Oct 30, 2017 at 4:38 PM, Eli Zaretskii <eliz@gnu.org> wrote:

> From: Valentin Gatien-Baron <vgatien-baron@janestreet.com>
> Date: Mon, 30 Oct 2017 10:36:41 -0400
> Cc: Mark Shinwell <mshinwell@janestreet.com>
>
> $ installed/bin/emacs -Q -L . -batch --eval '(progn (message "before") (make-local-variable (make-symbol "\
> s")) (kill-buffer) (garbage-collect) (garbage-collect) (message "after"))'
> before
> *** Error in `installed/bin/emacs': double free or corruption (!prev): 0x00000000014bff10 ***

Thanks.

Does the below fix the problem?

diff --git a/src/alloc.c b/src/alloc.c
index d9d7485..11afdfd 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -7024,7 +7024,9 @@ sweep_symbols (void)
         {
           if (!sym->s.gcmarkbit)
             {
-              if (sym->s.redirect == SYMBOL_LOCALIZED)
+              if (sym->s.redirect == SYMBOL_LOCALIZED
+                 /* Already freed?  */
+                 && !EQ (sym->s.function, Vdead))
                 xfree (SYMBOL_BLV (&sym->s));
               sym->s.next = symbol_free_list;
               symbol_free_list = &sym->s;