Avoid crashes due to objects read with the #n=object form

* src/lread.c (read1): Use Fcons for 'placeholder', not AUTO_CONS, because elements of the list in 'read_objects' cannot be allocated off the stack. (Bug#24640)
author: Eli Zaretskii 2016-10-14 22:52:46 +0300
committer: Eli Zaretskii 2016-10-14 22:52:46 +0300
commit: 10835b18cdfd93442e6fae093ffd130587006fcf (patch)
tree: 98bdfa191e4c2de8b27dbc27e2c6ef2acb17a4b4 /src
parent: 4de671d844c56d70e747366657664c8d293fe2bf (diff)
download: emacs-10835b18cdfd93442e6fae093ffd130587006fcf.tar.gz
emacs-10835b18cdfd93442e6fae093ffd130587006fcf.zip
1 files changed, 12 insertions, 1 deletions
diff --git a/src/lread.c b/src/lread.c
index ef58b20070d..8a368806e15 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2845,7 +2845,18 @@ read1 (Lisp_Object readcharfun, int *pch, bool first_in_list)
                  if (c == '=')
                    {
                      /* Make a placeholder for #n# to use temporarily.  */
-                      AUTO_CONS (placeholder, Qnil, Qnil);
+                      /* Note: We used to use AUTO_CONS to allocate
+                         placeholder, but that is a bad idea, since it
+                         will place a stack-allocated cons cell into
+                         the list in read_objects, which is a
+                         staticpro'd global variable, and thus each of
+                         its elements is marked during each GC.  A
+                         stack-allocated object will become garbled
+                         when its stack slot goes out of scope, and
+                         some other function reuses it for entirely
+                         different purposes, which will cause crashes
+                         in GC.  */
+                      Lisp_Object placeholder = Fcons (Qnil, Qnil);
                      Lisp_Object cell = Fcons (make_number (n), placeholder);
                      read_objects = Fcons (cell, read_objects);
author	Eli Zaretskii	2016-10-14 22:52:46 +0300
committer	Eli Zaretskii	2016-10-14 22:52:46 +0300
commit	10835b18cdfd93442e6fae093ffd130587006fcf (patch)
tree	98bdfa191e4c2de8b27dbc27e2c6ef2acb17a4b4 /src
parent	4de671d844c56d70e747366657664c8d293fe2bf (diff)
download	emacs-10835b18cdfd93442e6fae093ffd130587006fcf.tar.gz emacs-10835b18cdfd93442e6fae093ffd130587006fcf.zip

diff --git a/src/lread.c b/src/lread.c index ef58b20070d..8a368806e15 100644 --- a/src/lread.c +++ b/src/lread.c
@@ -2845,7 +2845,18 @@ read1 (Lisp_Object readcharfun, int *pch, bool first_in_list)
2845	if (c == '=')	2845	if (c == '=')
2846	{	2846	{
2847	/* Make a placeholder for #n# to use temporarily. */	2847	/* Make a placeholder for #n# to use temporarily. */
2848	AUTO_CONS (placeholder, Qnil, Qnil);	2848	/* Note: We used to use AUTO_CONS to allocate
		2849	placeholder, but that is a bad idea, since it
		2850	will place a stack-allocated cons cell into
		2851	the list in read_objects, which is a
		2852	staticpro'd global variable, and thus each of
		2853	its elements is marked during each GC. A
		2854	stack-allocated object will become garbled
		2855	when its stack slot goes out of scope, and
		2856	some other function reuses it for entirely
		2857	different purposes, which will cause crashes
		2858	in GC. */
		2859	Lisp_Object placeholder = Fcons (Qnil, Qnil);
2849	Lisp_Object cell = Fcons (make_number (n), placeholder);	2860	Lisp_Object cell = Fcons (make_number (n), placeholder);
2850	read_objects = Fcons (cell, read_objects);	2861	read_objects = Fcons (cell, read_objects);
2851		2862