Memory fault with SEARCH-ROOTS

Bug #1903419 reported by Michał "phoe" Herda
Affects: SBCL
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

SBCL 2.0.10 on Linux amd64.

* (flet ((root (thing) (search-roots (make-weak-pointer thing) :print nil)))
    (sb-ext:gc :full t)
    (dotimes (i 10) (make-instance 'standard-class))
    (let ((thing (root (slot-value (make-instance 'standard-class)
                                   'sb-pcl::wrapper))))
      (sb-ext:gc :full t)
      (root thing)))
CORRUPTION WARNING in SBCL pid 606045 tid 606045:
Memory fault at 0xf8 (pc=0x525279bc [code 0x52527760+0x25C ID 0x7767], fp=0x7ff8995ff8a8, sp=0x7ff8995ff830) tid 606045
The integrity of this image is possibly compromised.
Continuing with fingers crossed.

debugger invoked on a SB-SYS:MEMORY-FAULT-ERROR in thread
#<THREAD "main thread" RUNNING {1001570103}>:
  Unhandled memory fault at #xF8.

Type HELP for debugger help, or (SB-EXT:EXIT) to exit from SBCL.

restarts (invokable by number or by possibly-abbreviated name):
  0: [ABORT] Exit debugger, returning to top level.

(SB-IMPL::PREPROCESS-TRACEROOT-RESULTS NIL #(((1 0 . #.(SB-SYS:INT-SAP #X00000000)))))
0] backtrace

Backtrace for: #<SB-THREAD:THREAD "main thread" RUNNING {1001570103}>
0: (SB-IMPL::PREPROCESS-TRACEROOT-RESULTS NIL #(((1 0 . #.(SB-SYS:INT-SAP #X00000000)))))
1: (SEARCH-ROOTS #<weak pointer: ((#<SB-KERNEL:LAYOUT for #<SB-KERNEL:STANDARD-CLASSOID anonymous {1001ADB513}> {503D2283}> :STATIC (#<HASH-TABLE :TEST EQ :HASH-FUNCTION #<FUNCTION SB-KERNEL:TYPE-HASH-VALUE> :COUNT 165 {10002506C3}> . 5) (#(165 0 #<SB-KERNEL:STANDARD-CLASSOID SB-MOP:FUNCALLABLE-STANDARD-OBJECT> #<SB-KERNEL:LAYOUT for SB-MOP:FUNCALLABLE-STANDARD-OBJECT {50217003}> #<SB-KERNEL:STANDARD-CLASSOID SB-MOP:EQL-SPECIALIZER> #<SB-KERNEL:LAYOUT for SB-MOP:EQL-SPECIALIZER {50216003}> #<SB-KERNEL:STANDARD-CLASSOID SB-MOP:STANDARD-ACCESSOR-METHOD> #<SB-KERNEL:LAYOUT for SB-MOP:STANDARD-ACCESSOR-METHOD {50216D03}> #<SB-KERNEL:STANDARD-CLASSOID STANDARD-METHOD> #<SB-KERNEL:LAYOUT for STANDARD-METHOD {50216E03}> #<SB-KERNEL:STANDARD-CLASSOID CLASS> #<SB-KERNEL:LAYOUT for CLASS {50215F83}> ...) . 333)))> :CRITERION :OLDEST :GC NIL :IGNORE NIL :PRINT NIL)
2: (SB-INT:SIMPLE-EVAL-IN-LEXENV (LABELS ((ANCESTOR (THING) (FIRST (THIRD #))) (ROOT (THING) (SEARCH-ROOTS (MAKE-WEAK-POINTER THING) :PRINT NIL)) (FROB (THING) (ANCESTOR (ROOT THING)))) (GC :FULL T) (DOTIMES (I 10) (MAKE-INSTANCE (QUOTE STANDARD-CLASS))) (LET ((THING (ROOT #))) (GC :FULL T) (ROOT THING))) #<NULL-LEXENV>)
3: (EVAL (LABELS ((ANCESTOR (THING) (FIRST (THIRD #))) (ROOT (THING) (SEARCH-ROOTS (MAKE-WEAK-POINTER THING) :PRINT NIL)) (FROB (THING) (ANCESTOR (ROOT THING)))) (GC :FULL T) (DOTIMES (I 10) (MAKE-INSTANCE (QUOTE STANDARD-CLASS))) (LET ((THING (ROOT #))) (GC :FULL T) (ROOT THING))))
4: (INTERACTIVE-EVAL (LABELS ((ANCESTOR (THING) (FIRST (THIRD #))) (ROOT (THING) (SEARCH-ROOTS (MAKE-WEAK-POINTER THING) :PRINT NIL)) (FROB (THING) (ANCESTOR (ROOT THING)))) (GC :FULL T) (DOTIMES (I 10) (MAKE-INSTANCE (QUOTE STANDARD-CLASS))) (LET ((THING (ROOT #))) (GC :FULL T) (ROOT THING))) :EVAL NIL)
5: (SB-IMPL::REPL-FUN NIL)
6: ((LAMBDA NIL :IN SB-IMPL::TOPLEVEL-REPL))
7: (SB-IMPL::%WITH-REBOUND-IO-SYNTAX #<CLOSURE (LAMBDA NIL :IN SB-IMPL::TOPLEVEL-REPL) {1002E84FAB}>)
8: (SB-IMPL::TOPLEVEL-REPL NIL)
9: (SB-IMPL::TOPLEVEL-INIT)
10: ((FLET SB-UNIX::BODY :IN SB-IMPL::START-LISP))
11: ((FLET "WITHOUT-INTERRUPTS-BODY-1" :IN SB-IMPL::START-LISP))
12: (SB-IMPL::START-LISP)

Douglas Katzman (dougk) wrote :

Yes, search-roots shouldn't crash, but your test case seems to be misusing it.
The return value is not "a root", it is a path, which is effectively random cons cells.
Your second query asks for a path to the first cons cell of the path that formed the previous answer. That path was a pinned object in the just-prior GC, but it's actually not going to find a path to that. So it was trying to return no answer, and did that wrong, and the Lisp side crashed.
I've fixed that. But I'm not sure if the point of this example was that you're trying to actually use traceroot in a meaningful way or whether you're pointing out a strange edge case.

Changed in sbcl:
status: New → Fix Committed
Michał "phoe" Herda (phoe-krk) wrote :

This is a crash that I have encountered while doing lots of SEARCH-ROOTS-heavy stuff. I indeed mistakenly tried to take a root of the cons cell returned from the previous search, and therefore the return value will be of little importance to me; I simply expected SEARCH-ROOTS not to segfault on me even if I feed it silly data like this.

Thanks for the fix.

Changed in sbcl:
status: Fix Committed → Fix Released
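The intended use of SEARCH-ROOTS that the comments above contrast with the report's misuse, as an added example that is not part of the bug report or of SBCL's own code: find what keeps a buffer of key material alive, confirm it is collectable once the holder is cleared, and re-issue the "path of a path" query only as a must-not-crash probe. It assumes an SBCL with SB-EXT:SEARCH-ROOTS (present in 2.0.10 per the report) and, going by the path shape visible in the backtrace, that with :PRINT NIL the function returns one path per weak pointer. The names *KEY-REGISTRY*, KEY-BUFFER, PATH-TO and PROBE-LEAK are hypothetical and introduced here for illustration.

```lisp
;;; Added example; not from the bug report and not SBCL's own code.
;;; Assumption: SB-EXT:SEARCH-ROOTS with :PRINT NIL returns a list with one
;;; path (or NIL) per weak pointer given, as the backtrace on this page shows.

(defstruct key-buffer
  ;; Sensitive material we would like to see collected promptly.
  (bytes (make-array 32 :element-type '(unsigned-byte 8) :initial-element 0)))

;; Hypothetical global that (accidentally, in a real leak) keeps buffers alive.
(defvar *key-registry* '())

(defun path-to (object)
  "Return the path SEARCH-ROOTS finds from some root to OBJECT, or NIL.
The argument must be the object itself, not a previous answer."
  (first (sb-ext:search-roots (sb-ext:make-weak-pointer object) :print nil)))

(defun probe-leak ()
  "Show who holds a KEY-BUFFER, then show it becomes collectable."
  (let* ((buf (make-key-buffer))
         (wp (sb-ext:make-weak-pointer buf)))
    (push buf *key-registry*)
    ;; 1. Object is reachable: a path is found (through *KEY-REGISTRY*).
    (let ((path (path-to buf)))
      (format t "~&reachable path found: ~a~%" (and path t))
      ;; Human-readable version of the same query, printed by SBCL itself.
      (sb-ext:search-roots (list wp) :print t)
      ;; 2. The report's misuse: asking for a path to the answer list.
      ;;    A path is freshly consed output, not a root; on a fixed SBCL
      ;;    this must return whatever it finds (possibly NIL) without a
      ;;    memory fault. The value is not meaningful and is not used.
      (path-to path))
    ;; 3. Drop the only strong reference and collect.
    (setf *key-registry* (delete buf *key-registry*))
    (setf buf nil)
    (sb-ext:gc :full t)
    ;; A broken weak pointer means nothing reachable holds the buffer.
    (format t "~&collected after clearing registry: ~a~%"
            (null (sb-ext:weak-pointer-value wp)))
    (null (sb-ext:weak-pointer-value wp))))

;; Usage at the REPL: (probe-leak)
;; Expected: a path is found while the buffer sits in *KEY-REGISTRY*, and
;; the function returns T once the registry no longer references it.
```

Step 2 is exactly the query from the report, kept only to show it is harmless on a fixed SBCL; its result is discarded because, as noted in the comments above, the path is fresh output rather than a root. If step 3 reports NIL (the pointer is still live), something else on the heap or the control stack still references the buffer, and step 1's printed path is the place to look.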