Avoid crashes due to objects read with the #n=object form

* src/lread.c (read1): Use Fcons for 'placeholder', not AUTO_CONS,
because elements of the list in 'read_objects' cannot be allocated
off the stack.  (Bug#24640)

diff --git a/src/lread.c b/src/lread.c
index ef58b20070d85f7837256a1022b6b1f6ad4b5c67..8a368806e154d39524ef381998671dccaea4fdbf 100644 (file)
--- a/src/lread.c
+++ b/src/lread.c
@@ -2845,7 +2845,18 @@ read1 (Lisp_Object readcharfun, int *pch, bool first_in_list)
                  if (c == '=')
                    {
                      /* Make a placeholder for #n# to use temporarily.  */
-                     AUTO_CONS (placeholder, Qnil, Qnil);
+                     /* Note: We used to use AUTO_CONS to allocate
+                        placeholder, but that is a bad idea, since it
+                        will place a stack-allocated cons cell into
+                        the list in read_objects, which is a
+                        staticpro'd global variable, and thus each of
+                        its elements is marked during each GC.  A
+                        stack-allocated object will become garbled
+                        when its stack slot goes out of scope, and
+                        some other function reuses it for entirely
+                        different purposes, which will cause crashes
+                        in GC.  */
+                     Lisp_Object placeholder = Fcons (Qnil, Qnil);
                      Lisp_Object cell = Fcons (make_number (n), placeholder);
                      read_objects = Fcons (cell, read_objects);