GNU bug report logs - #19246
bindings: void return function *can* trigger a segfault


Package: guile;

Reported by: Amirouche Boubekki <amirouche.boubekki <at> gmail.com>

Date: Mon, 1 Dec 2014 20:20:01 UTC

Severity: normal

Tags: notabug

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: tracker <at> debbugs.gnu.org
Subject: bug#19246: closed (bindings: void return function *can* trigger a segfault)
Date: Mon, 01 Dec 2014 21:51:01 +0000
Your message dated Mon, 01 Dec 2014 22:50:38 +0100
with message-id <874mtfjaz5.fsf <at> gnu.org>
and subject line Re: bug#19246: bindings: void return function *can* trigger a segfault
has caused the debbugs.gnu.org bug report #19246,
regarding bindings: void return function *can* trigger a segfault
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
19246: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=19246
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Amirouche Boubekki <amirouche.boubekki <at> gmail.com>
To: bug-guile <at> gnu.org
Subject: bindings: void return function *can* trigger a segfault
Date: Mon, 1 Dec 2014 21:18:46 +0100
Hello,


I reproduce the bug every time with the attached files. Here is the gdb backtrace:


----8<--------------8<--------------8<--------------8<--------------8<--------------8<--------------8<----------

#0  0x00007ffff7921e56 in vm_debug_engine (vm=0x6f8020,
program=0xf5b280, argv=0x7fffffffc100, nargs=2) at vm-i-system.c:890
#1  0x00007ffff7932826 in scm_c_vm_run (vm=0x6f8020, program=0x786680,
argv=0x7fffffffc0f8, nargs=1) at vm.c:768
#2  0x00007ffff78622a7 in scm_primitive_eval (exp=0xf62420) at eval.c:692
#3  0x00007ffff78932df in scm_primitive_load (filename=0xf53360) at load.c:124
#4  0x00007ffff7921aa3 in vm_debug_engine (vm=0x6f8020,
program=0x7ffff7bb79c0 <scm_primitive_load.subr_raw_cell>,
    argv=0x7fffffffcf90, nargs=1) at vm-i-system.c:855
#5  0x00007ffff7932826 in scm_c_vm_run (vm=0x6f8020, program=0x786680,
argv=0x7fffffffcf88, nargs=1) at vm.c:768
#6  0x00007ffff78622a7 in scm_primitive_eval (exp=0x8c25c0) at eval.c:692
#7  0x00007ffff7862361 in scm_eval (exp=0x8c25c0,
module_or_state=0x888c60) at eval.c:726
#8  0x00007ffff78d6903 in scm_shell (argc=1, argv=0x7fffffffe318) at
script.c:439
#9  0x0000000000400c81 in inner_main (closure=0x0, argc=1,
argv=0x7fffffffe318) at guile.c:62
#10 0x00007ffff788a36d in invoke_main_func (body_data=0x7fffffffe1f0)
at init.c:336
#11 0x00007ffff7857148 in c_body (d=0x7fffffffe0b0) at continuations.c:517
#12 0x00007ffff7903b23 in apply_catch_closure (clo=0x895b60,
args=0x304) at throw.c:140
#13 0x00007ffff78d7126 in apply_1 (smob=0x895b60, a=0x304) at smob.c:142
#14 0x00007ffff790e2d5 in vm_regular_engine (vm=0x6f8020,
program=0x6f3000, argv=0x7fffffffdf80, nargs=2) at vm-i-system.c:858
#15 0x00007ffff7932826 in scm_c_vm_run (vm=0x6f8020, program=0x678c30,
argv=0x7fffffffdf60, nargs=4) at vm.c:768
#16 0x00007ffff7861a28 in scm_call_4 (proc=0x678c30, arg1=0x404,
arg2=0x895b60, arg3=0x895b40, arg4=0x895b20) at eval.c:507
#17 0x00007ffff7903980 in scm_catch_with_pre_unwind_handler
(key=0x404, thunk=0x895b60, handler=0x895b40,
    pre_unwind_handler=0x895b20) at throw.c:73
#18 0x00007ffff7903bfb in scm_c_catch (tag=0x404, body=0x7ffff7857120
<c_body>, body_data=0x7fffffffe0b0,
    handler=0x7ffff7857157 <c_handler>, handler_data=0x7fffffffe0b0,
pre_unwind_handler=0x7ffff78571b4 <pre_unwind_handler>,
    pre_unwind_handler_data=0x77dfa0) at throw.c:207

----8<--------------8<--------------8<--------------8<--------------8<--------------8<--------------8<----------

The related code is:

----8<--------------8<--------------8<--------------8<--------------8<--------------8<--------------8<----------

    case 10:
      ret = subr (sp[-9], sp[-8], sp[-7], sp[-6], sp[-5], sp[-4],
                  sp[-3], sp[-2], sp[-1], sp[0]);
      break;
    default:
      abort ();
    }

  NULLSTACK_FOR_NONLOCAL_EXIT ();

  if (SCM_UNLIKELY (SCM_VALUESP (ret)))
    {
      /* multiple values returned to continuation */
      ret = scm_struct_ref (ret, SCM_INUM0);
      nvalues = scm_ilength (ret);
      PUSH_LIST (ret, scm_is_null);
      goto vm_return_values;
    }
  else
    {
      PUSH (ret);
      goto vm_return;
    }


----8<--------------8<--------------8<--------------8<--------------8<--------------8<--------------8<----------

It seems to me that the code always expects something to be
returned. During my tests, ret is, according to gdb, (SCM) 0xbb8 (= 3000 =
the c variable from the process function).

An easy fix for bindings creators is to return a valid SCM value like
SCM_BOOL_T.



Best regards.
[void-return.c (text/x-csrc, attachment)]
[void-return.scm (text/x-scheme, attachment)]
From: ludo <at> gnu.org (Ludovic Courtès)
To: Amirouche Boubekki <amirouche.boubekki <at> gmail.com>
Cc: 19246-done <at> debbugs.gnu.org
Subject: Re: bug#19246: bindings: void return function *can* trigger a segfault
Date: Mon, 01 Dec 2014 22:50:38 +0100
Hi,

Amirouche Boubekki <amirouche.boubekki <at> gmail.com> writes:

> void process(SCM integer, SCM other) {
>   int a = scm_to_int(integer);
>   int b = scm_to_int(other);
>   int i, c = 0;
>
>   for (i = 0; i<1000; i++) {
>     c = c + a + b;
>   }
> }
>
>
> void init () {
>   scm_c_define_gsubr("process", 2, 0, 0, process);
> }

Functions exposed to Scheme must always return ‘SCM’.

So ‘process’ above must be changed to return ‘SCM’, possibly the
SCM_UNSPECIFIED value since it’s a side-effecting function.

Thanks,
Ludo’.

