GNU bug report logs - #50153
call-with-values outside tail position + backtrace + compilation causes segfault


Package: guile;

Reported by: Maxime Devos <maximedevos <at> telenet.be>

Date: Sat, 21 Aug 2021 18:14:02 UTC

Severity: normal





Report forwarded to bug-guile <at> gnu.org:
bug#50153; Package guile. (Sat, 21 Aug 2021 18:14:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maxime Devos <maximedevos <at> telenet.be>:
New bug report received and forwarded. Copy sent to bug-guile <at> gnu.org. (Sat, 21 Aug 2021 18:14:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: bug-guile <at> gnu.org
Subject: call-with-values outside tail position + backtrace + compilation
 causes segfault
Date: Sat, 21 Aug 2021 20:13:05 +0200
[Message part 1 (text/plain, inline)]
Hi guilers,

Write the following to "crash.scm":

> (call-with-values backtrace list)
> #t

(the trailing #t is important) and run

> # --auto-compile works too, but --no-auto-compile doesn't cause a crash
> guile --fresh-auto-compile -l crash.scm

it will segfault during the printing of the backtrace:

>  Backtrace:
>  In ice-9/boot-9.scm:
>    1752:10  8 (with-exception-handler _ _ #:unwind? _ #:unwind-for-type _)
>  In unknown file:
>             7 (apply-smob/0 #<thunk 7f1390524080>)
>  In ice-9/boot-9.scm:
>      724:2  6 (call-with-prompt _ _ #<procedure default-prompt-handler (k proc)>)
>  In ice-9/eval.scm:
>      619:8  5 (_ #(#(#<directory (guile-user) 7f139052ac80>)))
>  In ice-9/boot-9.scm:
>     2835:4  4 (save-module-excursion _)
>    4380:12  3 (_)
>  In [...]/crash.scm:
>       36:0  2 (segfault)
>  In unknown file:
>  Segmentation fault

Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
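A small triage harness for the reproducer above, added here as an example; it is not part of the bug report or of Guile. It writes crash.scm, runs it under both auto-compile settings the report mentions, decodes the child's exit status into the signal that killed it (POSIX shells report 128+N, so SIGSEGV on Linux shows up as 139), and, when gdb is on PATH, captures the C backtrace in batch mode. The guile and gdb invocations, the RUN_REPRO switch and the helper names are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the bug report or from Guile.
# Assumes `guile` (and optionally `gdb`) are on PATH.

# Map a shell exit status to the signal that killed the child, or 0 if the
# child was not killed by a signal. POSIX shells report "killed by signal N"
# as status 128+N, so a SIGSEGV (11 on Linux) arrives as 139.
crash_signal() {
  if [ "$1" -gt 128 ]; then
    echo $(( $1 - 128 ))
  else
    echo 0
  fi
}

# Write the two-line reproducer from the report. The trailing #t keeps the
# call-with-values out of tail position, which the report says is required.
write_repro() {
  cat > "$1" <<'EOF'
(call-with-values backtrace list)
#t
EOF
}

# Run guile on the reproducer with the given flags and print the signal
# number. stdin is /dev/null so the non-crashing run leaves the REPL at once.
run_repro() {
  scm=$1; shift
  st=0
  guile "$@" -l "$scm" </dev/null >/dev/null 2>&1 || st=$?
  crash_signal "$st"
}

main() {
  dir=$(mktemp -d) || exit 1
  write_repro "$dir/crash.scm"
  # Per the report, the crash needs compiled code: --fresh-auto-compile
  # (and --auto-compile) crash, --no-auto-compile does not.
  for flags in --fresh-auto-compile --no-auto-compile; do
    sig=$(run_repro "$dir/crash.scm" "$flags")
    printf '%-22s killed by signal %s\n' "$flags" "$sig"
  done
  # Optional: capture the C-level backtrace at the fault in one batch run.
  if command -v gdb >/dev/null 2>&1; then
    gdb -batch -ex run -ex bt \
      --args guile --fresh-auto-compile -l "$dir/crash.scm" </dev/null 2>/dev/null \
      | sed -n '/^#[0-9]/p'
  fi
  rm -rf "$dir"
}

# Only spawn guile when explicitly asked (RUN_REPRO=1), so the helpers can be
# sourced and checked without a Guile installation.
if [ "${RUN_REPRO:-}" = 1 ]; then
  main
fi
```

Run it with `RUN_REPRO=1 sh triage.sh`; a line reporting signal 11 for --fresh-auto-compile and 0 for --no-auto-compile matches the behaviour described in the report, and anything else (for example signal 6 from an abort) is a different failure worth noting in a follow-up.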

Information forwarded to bug-guile <at> gnu.org:
bug#50153; Package guile. (Sat, 21 Aug 2021 18:31:02 GMT) Full text and rfc822 format available.

Message #8 received at 50153 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: 50153 <at> debbugs.gnu.org, 39954 <at> debbugs.gnu.org
Subject: Re: bug#50153: Acknowledgement (call-with-values outside tail
 position + backtrace + compilation causes segfault)
Date: Sat, 21 Aug 2021 20:30:25 +0200
[Message part 1 (text/plain, inline)]
This looks rather similar to 39954 <at> debbugs.gnu.org; looking at the backtrace from GDB, maybe the cause is the same?

Thread 1 "guile" received signal SIGSEGV, Segmentation fault.
0x00007ffff7f40f3f in scm_is_values (x=<optimized out>) at values.h:30
30	  return SCM_HAS_TYP7 (x, scm_tc7_values);
(gdb) bt
#0  0x00007ffff7f40f3f in scm_is_values (x=<optimized out>) at values.h:30
#1  vm_debug_engine (thread=0x7ffff744cd80) at vm-engine.c:974
#2  0x00007ffff7f45c2d in scm_call_n (proc=0x7ffff49612a0, argv=argv <at> entry=0x7fffffffc080, 
    nargs=nargs <at> entry=4) at vm.c:1608
#3  0x00007ffff7ec1234 in scm_call_4 (proc=<optimized out>, arg1=arg1 <at> entry=0x7ffff35162d0, 
    arg2=arg2 <at> entry=0x7ffff5ad4600, arg3=arg3 <at> entry=0x7ffff495a0b0, arg4=arg4 <at> entry=0x52) at eval.c:517
#4  0x00007ffff7eb3815 in display_backtrace_body (a=<optimized out>) at backtrace.c:239
#5  0x00007ffff7ec29ea in scm_c_with_exception_handler (type=type <at> entry=0x404, 
    handler=handler <at> entry=0x7ffff7f3aed0 <catch_post_unwind_handler>, 
    handler_data=handler_data <at> entry=0x7fffffffc230, thunk=thunk <at> entry=0x7ffff7f3b010 <catch_body>, 
    thunk_data=thunk_data <at> entry=0x7fffffffc230) at exceptions.c:170
#6  0x00007ffff7f3b20d in scm_c_catch (tag=tag <at> entry=0x404, 
    body=body <at> entry=0x7ffff7eb36f0 <display_backtrace_body>, body_data=body_data <at> entry=0x7fffffffc2a0, 
    handler=handler <at> entry=0x7ffff7eb3b20 <error_during_backtrace>, 
    handler_data=handler_data <at> entry=0x7ffff5ad4600, pre_unwind_handler=pre_unwind_handler <at> entry=0x0, 
    pre_unwind_handler_data=0x0) at throw.c:168
#7  0x00007ffff7f3b22e in scm_internal_catch (tag=tag <at> entry=0x404, 
    body=body <at> entry=0x7ffff7eb36f0 <display_backtrace_body>, body_data=body_data <at> entry=0x7fffffffc2a0, 
    handler=handler <at> entry=0x7ffff7eb3b20 <error_during_backtrace>, 
    handler_data=handler_data <at> entry=0x7ffff5ad4600) at throw.c:177
#8  0x00007ffff7eb36e5 in scm_display_backtrace_with_highlights (stack=stack <at> entry=0x7ffff38604a0, 
    port=port <at> entry=0x7ffff5ad4600, first=first <at> entry=0x4, depth=depth <at> entry=0x4, 
    highlights=highlights <at> entry=0x304) at backtrace.c:277
#9  0x00007ffff7eb3970 in scm_backtrace_with_highlights (highlights=0x304) at backtrace.c:310
#10 0x00007ffff7f40f3b in vm_debug_engine (thread=0x7ffff744cd80) at vm-engine.c:972
#11 0x00007ffff7f45c2d in scm_call_n (proc=0x7ffff5a2e030, argv=argv <at> entry=0x7fffffffc498, 
    nargs=nargs <at> entry=1) at vm.c:1608
#12 0x00007ffff7ec2337 in scm_primitive_eval (exp=<optimized out>, exp <at> entry=0x7ffff5ba1a40)
    at eval.c:671
#13 0x00007ffff7ec2393 in scm_eval (exp=0x7ffff5ba1a40, 
    module_or_state=module_or_state <at> entry=0x7ffff5b93c80) at eval.c:705
#14 0x00007ffff7f1b780 in scm_shell (argc=4, argv=0x7fffffffcb08) at script.c:357
#15 0x00007ffff7edb1bd in invoke_main_func (body_data=0x7fffffffc9a0) at init.c:313
#16 0x00007ffff7ebc06a in c_body (d=0x7fffffffc8e0) at continuations.c:430
#17 0x00007ffff7f447d8 in vm_regular_engine (thread=0x7ffff744cd80) at vm-engine.c:972
#18 0x00007ffff7f45c2d in scm_call_n (proc=0x7ffff5b088a0, argv=argv <at> entry=0x7fffffffc6a0, 
    nargs=nargs <at> entry=2) at vm.c:1608
#19 0x00007ffff7ec11da in scm_call_2 (proc=<optimized out>, arg1=<optimized out>, arg2=<optimized out>)
    at eval.c:503
#20 0x00007ffff7ec29ea in scm_c_with_exception_handler (type=type <at> entry=0x404, 
    handler=handler <at> entry=0x7ffff7f3aed0 <catch_post_unwind_handler>, 
    handler_data=handler_data <at> entry=0x7fffffffc810, thunk=thunk <at> entry=0x7ffff7f3b010 <catch_body>, 
    thunk_data=thunk_data <at> entry=0x7fffffffc810) at exceptions.c:170
#21 0x00007ffff7f3b20d in scm_c_catch (tag=tag <at> entry=0x404, body=body <at> entry=0x7ffff7ebc060 <c_body>, 
    body_data=body_data <at> entry=0x7fffffffc8e0, handler=handler <at> entry=0x7ffff7ebc300 <c_handler>, 
    handler_data=handler_data <at> entry=0x7fffffffc8e0, 
    pre_unwind_handler=pre_unwind_handler <at> entry=0x7ffff7ebc160 <pre_unwind_handler>, 
    pre_unwind_handler_data=0x7ffff5ad45c0) at throw.c:168
#22 0x00007ffff7ebc603 in scm_i_with_continuation_barrier (body=body <at> entry=0x7ffff7ebc060 <c_body>, 
    body_data=body_data <at> entry=0x7fffffffc8e0, handler=handler <at> entry=0x7ffff7ebc300 <c_handler>, 
    handler_data=handler_data <at> entry=0x7fffffffc8e0, 
    pre_unwind_handler=pre_unwind_handler <at> entry=0x7ffff7ebc160 <pre_unwind_handler>, 
    pre_unwind_handler_data=0x7ffff5ad45c0) at continuations.c:368
#23 0x00007ffff7ebc695 in scm_c_with_continuation_barrier (func=<optimized out>, data=<optimized out>) at continuations.c:464
#24 0x00007ffff7f39c9f in with_guile (base=0x7fffffffc948, data=0x7fffffffc970) at threads.c:645
#25 0x00007ffff7e16b48 in GC_call_with_stack_base () from /gnu/store/f6kngpp27585xh4564y9rvshqn8hph8v-libgc-8.0.4/lib/libgc.so.1
#26 0x00007ffff7f39fc8 in scm_i_with_guile (dynamic_state=<optimized out>, data=data <at> entry=0x7fffffffc970, func=func <at> entry=0x7ffff7edb1a0 <invoke_main_func>) at threads.c:688
#27 scm_with_guile (func=func <at> entry=0x7ffff7edb1a0 <invoke_main_func>, data=data <at> entry=0x7fffffffc9a0) at threads.c:694
#28 0x00007ffff7edb332 in scm_boot_guile (argc=argc <at> entry=4, argv=argv <at> entry=0x7fffffffcb08, main_func=main_func <at> entry=0x401230 <inner_main>, closure=closure <at> entry=0x0) at init.c:296
#29 0x00000000004010f6 in main (argc=4, argv=0x7fffffffcb08) at guile.c:94
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guile <at> gnu.org:
bug#50153; Package guile. (Sun, 22 Aug 2021 09:36:02 GMT) Full text and rfc822 format available.

Message #11 received at 50153 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: 50153 <at> debbugs.gnu.org, 39954 <at> debbugs.gnu.org
Subject: Re: bug#50153: Acknowledgement (call-with-values outside tail
 position + backtrace + compilation causes segfault)
Date: Sat, 21 Aug 2021 22:17:56 +0200
[Message part 1 (text/plain, inline)]
I did some debugging on the C side, using 'rr':

LD_LIBRARY_PATH=.libs ../meta/uninstalled-env rr record ./.libs/guile --fresh-auto-compile -l ../crash.scm

it leads to a segfault, as expected.  According to #39954, which looks
similar, 'frame-local-ref' returns (SCM)0x0.  So I tried some reverse debugging:

rr replay guile-3
break scm_frame_local_ref
reverse-continue
reverse-continue

I noticed "repr" was STACK_ITEM_SCM, and item->as_scm was set to 0x07
(which is invalid).  On another run, it was set to 0x09 (also invalid?).
I modified scm_frame_local_ref a bit so it ignores these 0x07 and 0x09
and treats them like SCM_EOF_VAL instead.  That allows printing the backtrace,
though I don't see those #<eof> appearing in the output.

Would someone know what's going on here?

Greetings,
Maxime
[printf.patch (text/x-patch, inline)]
diff --git a/libguile/frames.c b/libguile/frames.c
index 0bb40579c..87afaec3d 100644
--- a/libguile/frames.c
+++ b/libguile/frames.c
@@ -41,6 +41,7 @@
 
 #include "frames.h"
 
+#include <stdio.h>
 
 SCM
 scm_c_make_frame (enum scm_vm_frame_kind kind, const struct scm_frame *frame)
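Review bot: the added `#include <stdio.h>` sits after the project header `frames.h` and exists only to serve the diagnostic `fprintf` in the next hunk; if the print is meant to stay, move the system header up with the file's other system includes, and if it is not, drop both together so no stray include survives the cleanup.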
@@ -272,6 +273,11 @@ scm_frame_local_ref (SCM frame, SCM index, SCM representation)
       switch (repr)
         {
           case STACK_ITEM_SCM:
+            fprintf(stderr, "i: %u  SCM: %p\n", (unsigned) i, (void*)item->as_u64);
+            if (item->as_u64 == 0x07)
+              return SCM_EOF_VAL;
+            if (item->as_u64 == 0x09)
+              return SCM_EOF_VAL;
             return item->as_scm;
           case STACK_ITEM_F64:
             return scm_from_double (item->as_f64);
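Review bot: the checks `if (item->as_u64 == 0x07)` and `if (item->as_u64 == 0x09)` hard-code the two bad words seen in two runs and substitute SCM_EOF_VAL for them, which masks the corrupt stack slot rather than diagnosing it: a third run can produce a different invalid word and crash again, and a slot that legitimately holds one of those bit patterns would be misreported as #<eof>. For a diagnostic patch, keep the `fprintf` but leave the return path untouched, or gate the substitution on a general validity test of the word instead of two literals. Two smaller points: the `fprintf` runs for every STACK_ITEM_SCM local, so it prints for every frame of every backtrace, not only the bad one; and `(void*)item->as_u64` printed with `%p` converts an integer to a pointer, which is implementation-defined, so `"%#llx"` with `(unsigned long long) item->as_u64` is the portable spelling.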
[signature.asc (application/pgp-signature, inline)]
