GNU bug report logs - #63279
Segfault when printing a call-with-values stack frame in backtrace


Package: guile;

Reported by: "Thompson, David" <dthompson2 <at> worcester.edu>

Date: Thu, 4 May 2023 16:30:03 UTC

Severity: normal

Done: "Thompson, David" <dthompson2 <at> worcester.edu>

Bug is archived. No further changes may be made.



Report forwarded to bug-guile <at> gnu.org:
bug#63279; Package guile. (Thu, 04 May 2023 16:30:03 GMT)

Acknowledgement sent to "Thompson, David" <dthompson2 <at> worcester.edu>:
New bug report received and forwarded. Copy sent to bug-guile <at> gnu.org. (Thu, 04 May 2023 16:30:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: "Thompson, David" <dthompson2 <at> worcester.edu>
To: bug-guile <at> gnu.org
Subject: Segfault when printing a call-with-values stack frame in backtrace
Date: Thu, 4 May 2023 12:29:40 -0400
Hello there,

Guile seems to segfault when trying to print certain backtraces with a
'call-with-values' stack frame.  Here's a minimal reproducer program:

(symbol? (call-with-values (lambda () (error 'oh-no)) list))

If you eval this at the REPL and enter ,bt in the debugger, Guile
should segfault.

Relevant gdb backtrace:

#0  0x00007ffff7f43397 in scm_is_values (x=<error reading variable:
ERROR: Cannot access memory at address 0x0>0x0) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/values.h:30
#1  vm_regular_engine (thread=0x7ffff7401900) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/vm-engine.c:974
#2  0x00007ffff7f50db5 in scm_call_n (proc=<optimized out>,
argv=<optimized out>, nargs=4) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/vm.c:1615
#3  0x00007ffff7ebb674 in scm_call_4 (proc=<optimized out>,
arg1=<optimized out>, arg2=<optimized out>, arg3=<optimized out>,
arg4=<optimized out>) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/eval.c:517
#4  0x00007ffff7eb801b in display_backtrace_body (a=0x7fffed68e6a0) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/backtrace.c:239
#5  0x00007ffff7f62092 in scm_c_with_exception_handler.constprop.0
(type=#t, handler_data=handler_data <at> entry=0x7fffed68e630,
thunk_data=thunk_data <at> entry=0x7fffed68e630, thunk=<optimized out>,
handler=<optimized out>)
    at /tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/exceptions.c:170

From what I can tell, in vm-engine.c, in the subr-call op,
'scm_apply_subr (sp, idx, FRAME_LOCALS_COUNT ())' is called and
returns an SCM object, which is stored in the local variable 'ret'.
Then 'scm_is_values (ret)' is called, and the segfault occurs due to a
null pointer dereference. At the time of the segfault, 'idx' is 1130,
corresponding to the 'frame-local-ref' subr. Makes sense since it's
the backtrace printer that crashes Guile.

It seems that the data stored in the stack frames for
'call-with-values' calls is incorrect and the backtrace printer wants
to display 3 arguments for the call when the procedure only accepts 2
arguments.  This can be clearly seen by running another small program
that happens to not segfault:

(call-with-values (lambda () (error 'oh-no)) list)

Check out the backtrace and you'll see a frame like this:

(_ #<procedure b34e28 at <unknown port>:8:18 ()> #<procedure list _> 1)

The first 2 arguments are as expected, but why is there a 1 at the end?

For another example that doesn't crash but has an even more clearly
messed up backtrace, try this:

(append '(a b c) (call-with-values (lambda () (error 'oh-no)) list))

You'll see a frame like this:

(_ #<procedure b39730 at <unknown port>:10:35 ()> #<procedure list _>
. #<unknown-type (0xb . 0x304) @ 0x7f50dd792050>)

At Spritely we've reproduced this issue on multiple machines with both
Guile 3.0.7 and 3.0.9.

- Dave
Information forwarded to bug-guile <at> gnu.org:
bug#63279; Package guile. (Sun, 07 May 2023 15:07:01 GMT)

Message #8 received at 63279 <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: 63279 <at> debbugs.gnu.org, "Thompson, David" <dthompson2 <at> worcester.edu>
Subject: Re: Segfault when printing a call-with-values stack frame in backtrace
Date: Sun, 7 May 2023 17:06:48 +0200
> Hello there,
> 
> Guile seems to segfault when trying to print certain backtraces with a
> 'call-with-values' stack frame.  Here's a minimal reproducer program:
> 
> (symbol? (call-with-values (lambda () (error 'oh-no)) list))


Here is a more minimal reproducer, from
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=50153>:

> Write the following to "crash.scm":
> 
>> (call-with-values backtrace list)
>> #t
> 
> (the trailing #t is important) and run
> 
>> # --auto-compile works too, but --no-auto-compile doesn't cause a crash
>> guile --fresh-auto-compile -l crash.scm

(i.e., it doesn't seem to be a bug in the exception mechanism itself;
rather it seems a bug in something _used_ by the exception mechanism.)

I don't know if it has exactly the same cause, but it looks familiar.

For some other backtrace suspiciousness, see 
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=48422>, though possibly 
that issue has a different cause.

Because of the ‘It seems that the data stored in the stack frames for
'call-with-values' calls is incorrect [...]’ it seems plausible 
something similar is going on in 
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46232>, though possibly 
that is unrelated.

Greetings,
Maxime.

Reply sent to "Thompson, David" <dthompson2 <at> worcester.edu>:
You have taken responsibility. (Mon, 08 May 2023 14:16:01 GMT)

Notification sent to "Thompson, David" <dthompson2 <at> worcester.edu>:
bug acknowledged by developer. (Mon, 08 May 2023 14:16:01 GMT)

Message #13 received at 63279-done <at> debbugs.gnu.org:

From: "Thompson, David" <dthompson2 <at> worcester.edu>
To: 63279-done <at> debbugs.gnu.org
Subject: Segfault when printing a call-with-values stack frame in backtrace
Date: Mon, 8 May 2023 10:15:04 -0400
Andy fixed this in commit 6efc0b8159f0fc74c0eafec988fe5434fb4d9f51.
Thank you, Andy!

Closing.

- Dave
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 06 Jun 2023 11:24:10 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.