GNU bug report logs - #50153
call-with-values outside tail position + backtrace + compilation causes segfault

Previous Next

To reply to this bug, email your comments to 50153 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: bug-guile <at> gnu.org
Subject: call-with-values outside tail position + backtrace + compilation
 causes segfault
Date: Sat, 21 Aug 2021 20:13:05 +0200

[Message part 1 (text/plain, inline)]

Hi guilers,

Write the following to "crash.scm":

> (call-with-values backtrace list)
> #t

(the trailing #t is important) and run

> # --auto-compile works too, but --no-auto-compile doesn't cause a crash
> guile --fresh-auto-compile -l crash.scm

it will segfault during the printing of the backtrace:

>  Backtrace:
>  In ice-9/boot-9.scm:
>    1752:10  8 (with-exception-handler _ _ #:unwind? _ #:unwind-for-type _)
>  In unknown file:
>             7 (apply-smob/0 #<thunk 7f1390524080>)
>  In ice-9/boot-9.scm:
>      724:2  6 (call-with-prompt _ _ #<procedure default-prompt-handler (k proc)>)
>  In ice-9/eval.scm:
>      619:8  5 (_ #(#(#<directory (guile-user) 7f139052ac80>)))
>  In ice-9/boot-9.scm:
>     2835:4  4 (save-module-excursion _)
>    4380:12  3 (_)
>  In [...]/crash.scm:
>       36:0  2 (segfault)
>  In unknown file:
>  Segmentatiefout

Greetings,
Maxime.

[signature.asc (application/pgp-signature, inline)]

Message #8 received at 50153 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: 50153 <at> debbugs.gnu.org, 39954 <at> debbugs.gnu.org
Subject: Re: bug#50153: Acknowledgement (call-with-values outside tail
 position + backtrace + compilation causes segfault)
Date: Sat, 21 Aug 2021 20:30:25 +0200

[Message part 1 (text/plain, inline)]

This looks rather similar to 39954 <at> debbugs.gnu.org,
looking at the backtrace from GDB, maybe the cause is the same?

Thread 1 "guile" received signal SIGSEGV, Segmentation fault.
0x00007ffff7f40f3f in scm_is_values (x=<optimized out>) at values.h:30
30	  return SCM_HAS_TYP7 (x, scm_tc7_values);
(gdb) bt
#0  0x00007ffff7f40f3f in scm_is_values (x=<optimized out>) at values.h:30
#1  vm_debug_engine (thread=0x7ffff744cd80) at vm-engine.c:974
#2  0x00007ffff7f45c2d in scm_call_n (proc=0x7ffff49612a0, argv=argv <at> entry=0x7fffffffc080, 
    nargs=nargs <at> entry=4) at vm.c:1608
#3  0x00007ffff7ec1234 in scm_call_4 (proc=<optimized out>, arg1=arg1 <at> entry=0x7ffff35162d0, 
    arg2=arg2 <at> entry=0x7ffff5ad4600, arg3=arg3 <at> entry=0x7ffff495a0b0, arg4=arg4 <at> entry=0x52) at eval.c:517
#4  0x00007ffff7eb3815 in display_backtrace_body (a=<optimized out>) at backtrace.c:239
#5  0x00007ffff7ec29ea in scm_c_with_exception_handler (type=type <at> entry=0x404, 
    handler=handler <at> entry=0x7ffff7f3aed0 <catch_post_unwind_handler>, 
    handler_data=handler_data <at> entry=0x7fffffffc230, thunk=thunk <at> entry=0x7ffff7f3b010 <catch_body>, 
    thunk_data=thunk_data <at> entry=0x7fffffffc230) at exceptions.c:170
#6  0x00007ffff7f3b20d in scm_c_catch (tag=tag <at> entry=0x404, 
    body=body <at> entry=0x7ffff7eb36f0 <display_backtrace_body>, body_data=body_data <at> entry=0x7fffffffc2a0, 
    handler=handler <at> entry=0x7ffff7eb3b20 <error_during_backtrace>, 
    handler_data=handler_data <at> entry=0x7ffff5ad4600, pre_unwind_handler=pre_unwind_handler <at> entry=0x0, 
    pre_unwind_handler_data=0x0) at throw.c:168
#7  0x00007ffff7f3b22e in scm_internal_catch (tag=tag <at> entry=0x404, 
    body=body <at> entry=0x7ffff7eb36f0 <display_backtrace_body>, body_data=body_data <at> entry=0x7fffffffc2a0, 
    handler=handler <at> entry=0x7ffff7eb3b20 <error_during_backtrace>, 
    handler_data=handler_data <at> entry=0x7ffff5ad4600) at throw.c:177
#8  0x00007ffff7eb36e5 in scm_display_backtrace_with_highlights (stack=stack <at> entry=0x7ffff38604a0, 
    port=port <at> entry=0x7ffff5ad4600, first=first <at> entry=0x4, depth=depth <at> entry=0x4, 
    highlights=highlights <at> entry=0x304) at backtrace.c:277
#9  0x00007ffff7eb3970 in scm_backtrace_with_highlights (highlights=0x304) at backtrace.c:310
#10 0x00007ffff7f40f3b in vm_debug_engine (thread=0x7ffff744cd80) at vm-engine.c:972
#11 0x00007ffff7f45c2d in scm_call_n (proc=0x7ffff5a2e030, argv=argv <at> entry=0x7fffffffc498, 
    nargs=nargs <at> entry=1) at vm.c:1608
#12 0x00007ffff7ec2337 in scm_primitive_eval (exp=<optimized out>, exp <at> entry=0x7ffff5ba1a40)
    at eval.c:671
#13 0x00007ffff7ec2393 in scm_eval (exp=0x7ffff5ba1a40, 
    module_or_state=module_or_state <at> entry=0x7ffff5b93c80) at eval.c:705
#14 0x00007ffff7f1b780 in scm_shell (argc=4, argv=0x7fffffffcb08) at script.c:357
#15 0x00007ffff7edb1bd in invoke_main_func (body_data=0x7fffffffc9a0) at init.c:313
#16 0x00007ffff7ebc06a in c_body (d=0x7fffffffc8e0) at continuations.c:430
#17 0x00007ffff7f447d8 in vm_regular_engine (thread=0x7ffff744cd80) at vm-engine.c:972
#18 0x00007ffff7f45c2d in scm_call_n (proc=0x7ffff5b088a0, argv=argv <at> entry=0x7fffffffc6a0, 
    nargs=nargs <at> entry=2) at vm.c:1608
#19 0x00007ffff7ec11da in scm_call_2 (proc=<optimized out>, arg1=<optimized out>, arg2=<optimized out>)
    at eval.c:503
#20 0x00007ffff7ec29ea in scm_c_with_exception_handler (type=type <at> entry=0x404, 
    handler=handler <at> entry=0x7ffff7f3aed0 <catch_post_unwind_handler>, 
    handler_data=handler_data <at> entry=0x7fffffffc810, thunk=thunk <at> entry=0x7ffff7f3b010 <catch_body>, 
    thunk_data=thunk_data <at> entry=0x7fffffffc810) at exceptions.c:170
#21 0x00007ffff7f3b20d in scm_c_catch (tag=tag <at> entry=0x404, body=body <at> entry=0x7ffff7ebc060 <c_body>, 
    body_data=body_data <at> entry=0x7fffffffc8e0, handler=handler <at> entry=0x7ffff7ebc300 <c_handler>, 
    handler_data=handler_data <at> entry=0x7fffffffc8e0, 
    pre_unwind_handler=pre_unwind_handler <at> entry=0x7ffff7ebc160 <pre_unwind_handler>, 
    pre_unwind_handler_data=0x7ffff5ad45c0) at throw.c:168
#22 0x00007ffff7ebc603 in scm_i_with_continuation_barrier (body=body <at> entry=0x7ffff7ebc060 <c_body>, 
    body_data=body_data <at> entry=0x7fffffffc8e0, handler=handler <at> entry=0x7ffff7ebc300 <c_handler>, 
    handler_data=handler_data <at> entry=0x7fffffffc8e0, 
    pre_unwind_handler=pre_unwind_handler <at> entry=0x7ffff7ebc160 <pre_unwind_handler>, 
--Type <RET> for more, q to quit, c to continue without paging--c
    pre_unwind_handler_data=0x7ffff5ad45c0) at continuations.c:368
#23 0x00007ffff7ebc695 in scm_c_with_continuation_barrier (func=<optimized out>, data=<optimized out>) at continuations.c:464
#24 0x00007ffff7f39c9f in with_guile (base=0x7fffffffc948, data=0x7fffffffc970) at threads.c:645
#25 0x00007ffff7e16b48 in GC_call_with_stack_base () from /gnu/store/f6kngpp27585xh4564y9rvshqn8hph8v-libgc-8.0.4/lib/libgc.so.1
#26 0x00007ffff7f39fc8 in scm_i_with_guile (dynamic_state=<optimized out>, data=data <at> entry=0x7fffffffc970, func=func <at> entry=0x7ffff7edb1a0 <invoke_main_func>) at threads.c:688
#27 scm_with_guile (func=func <at> entry=0x7ffff7edb1a0 <invoke_main_func>, data=data <at> entry=0x7fffffffc9a0) at threads.c:694
#28 0x00007ffff7edb332 in scm_boot_guile (argc=argc <at> entry=4, argv=argv <at> entry=0x7fffffffcb08, main_func=main_func <at> entry=0x401230 <inner_main>, closure=closure <at> entry=0x0) at init.c:296
#29 0x00000000004010f6 in main (argc=4, argv=0x7fffffffcb08) at guile.c:94

[signature.asc (application/pgp-signature, inline)]

Message #11 received at 50153 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: 50153 <at> debbugs.gnu.org, 39954 <at> debbugs.gnu.org
Subject: Re: bug#50153: Acknowledgement (call-with-values outside tail
 position + backtrace + compilation causes segfault)
Date: Sat, 21 Aug 2021 22:17:56 +0200

[Message part 1 (text/plain, inline)]

I did some debugging on the C side, using 'rr':

LD_LIBRARY_PATH=.libs ../meta/uninstalled-env rr record ./.libs/guile --fresh-auto-compile -l ../crash.scm

it leads to a segfault, as expected.  According to #39954, which looks
similar, 'frame-local-ref' returns (SCM)0x0.  So I tried some reverse debugging:

rr replay guile-3
break scm_frame_local_ref
reverse-continue
reverse-continue

I noticed "repr" was STACK_ITEM_SCM, and item->as_scm was set to 0x07
(which is invalid).  On another run, it was set to 0x09 (also invalid?).
I modified scm_frame_local_ref a bit so it ignores these 0x07 and 0x09
and treats them like SCM_EOF_VAL instead.  That allows printing the backtrace,
though I don't see those #<eof> appearing in the output.

Would someone know what's going on here?

Greetings,
Maxime

[printf.patch (text/x-patch, inline)]

diff --git a/libguile/frames.c b/libguile/frames.c
index 0bb40579c..87afaec3d 100644
--- a/libguile/frames.c
+++ b/libguile/frames.c
@@ -41,6 +41,7 @@
 
 #include "frames.h"
 
+#include <stdio.h>
 
 SCM
 scm_c_make_frame (enum scm_vm_frame_kind kind, const struct scm_frame *frame)
@@ -272,6 +273,11 @@ scm_frame_local_ref (SCM frame, SCM index, SCM representation)
       switch (repr)
         {
           case STACK_ITEM_SCM:
+            fprintf(stderr, "i: %u  SCM: %p\n", (unsigned) i, (void*)item->as_u64);
+            if (item->as_u64 == 0x07)
+              return SCM_EOF_VAL;
+            if (item->as_u64 == 0x09)
+              return SCM_EOF_VAL;
             return item->as_scm;
           case STACK_ITEM_F64:
             return scm_from_double (item->as_f64);

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.