GNU bug report logs - #75648
Minor safety improvements to fns.c/eval.c

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 18 Jan 2025 12:19:03 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jan 18 07:19:03 2025
Received: from localhost ([127.0.0.1]:40625 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1tZ7n5-00020C-4z
	for submit <at> debbugs.gnu.org; Sat, 18 Jan 2025 07:19:03 -0500
Received: from lists.gnu.org ([2001:470:142::17]:57208)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <pipcet@HIDDEN>)
 id 1tZ7n2-0001zN-ML
 for submit <at> debbugs.gnu.org; Sat, 18 Jan 2025 07:19:01 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <pipcet@HIDDEN>)
 id 1tZ7mk-0005OG-06
 for bug-gnu-emacs@HIDDEN; Sat, 18 Jan 2025 07:18:42 -0500
Received: from mail-4322.protonmail.ch ([185.70.43.22])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <pipcet@HIDDEN>)
 id 1tZ7mg-0000hf-D7
 for bug-gnu-emacs@HIDDEN; Sat, 18 Jan 2025 07:18:41 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1737202713; x=1737461913;
 bh=JvONP/pzYcn4gEmr9sxQp8jr3CKu/OCMNo2/xFxQoVA=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector:
 List-Unsubscribe:List-Unsubscribe-Post;
 b=BlQJmnjj5nBc3FNEuth7Vy4En1nNm2blFRKf1kfP2yMTX+xg3YlUgdcO0r1p7kgPO
 o7mByBj+BNB6GUG9tC0YoPnv7Hvg83KwQn3ctWcMRUoS4/Yzm71O+dzcu5KEzbO8yG
 4BhuUalBv68g/UGBNmCtkkeScQbfZ05xj9iFwf62RwcH8hcY1YceTTCo49MmyWyqOg
 ZbfWdLAWWjlWbQzOG9v7T7/zzz3hre9yL+z3c0bOoWw5N1TYGS0OeFUwJFoLQgRa8+
 SHiIX+hYpqKWj1fX3IlQbp/KpZOq3I5swiZw+xM73tYprQdp/YPm7rg3rJ1ye3YVK8
 FOGiYrZJJ7Bbg==
Date: Sat, 18 Jan 2025 12:18:27 +0000
To: bug-gnu-emacs@HIDDEN
From: Pip Cet <pipcet@HIDDEN>
Subject: Minor safety improvements to fns.c/eval.c
Message-ID: <87jzasco3g.fsf@HIDDEN>
Feedback-ID: 112775352:user:proton
X-Pm-Message-ID: 50a085b07ef6c28b76ad16fa80027933a50a4642
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=185.70.43.22; envelope-from=pipcet@HIDDEN;
 helo=mail-4322.protonmail.ch
X-Spam_score_int: -38
X-Spam_score: -3.9
X-Spam_bar: ---
X-Spam_report: (-3.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.787,
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

This is a spin-off from bug#75584, originally reported in

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D75584#27

fns.c contains some minor bugs which can cause crashes for buggy Elisp.
While it's conceivable that one of them could happen by accident, it
doesn't affect the pdumper build, so it is still very unlikely.

They are:

1. plist-get and plist-put assume that the cdr of a cons cell is also a
cons cell.  They check this, then call out to Lisp, then rely on the
fact.  However, the Lisp code can call setcdr and turn the cdr into a
non-cons cell, which causes a crash.

2. Fntake, Fsort, and Fwidget_put modify user-supplied cons cells with
XSETCAR/XSETCDR.  They do not check that the cons cell isn't "pure", in
which case writing to it may cause crashes.  In the case of Fsort, this
is likely to happen when a user accidentally attempts to sort a
(partially) pure list in-place.

3. Fsetq does the same thing to the lexical environment, which may
include a pure cons cell establishing a binding.

As (2) and (3) will become non-bugs once purespace is removed, I would
like to propose not fixing them for now.

(1), however, needs a fix.  Also, just as importantly, it needs tests.

Unfortunately, ert is not really set up very well for tests that may
crash.

My proposal will be to:

1. Give such tests a :crash tag
2. Introduce a should-not-crash macro which succeeds if the form it
evaluates returns in any way, whether by error or not.
3. Modify ert.el to print when a :crash test is about to start running.
This allows us to identify the crashing test.
4. Deviate from the current logical test order and put crash tests last.
It's conceivable that if a once-fixed crash reoccurs, the reason is a
simple bug that may show up in regular tests, too.  If two tests fail
and one of them crashes the test run, it's better for the first failure
to have been reported first.

I'll send a patch once this has a bug number.