Debugger-induced corruption
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
SBCL |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
A function with one &optional arg is printed with an innocuous (but wrong) value for the missing arg based on whatever was on stack:
* (getf 'x '(a b c d))
debugger invoked on a TYPE-ERROR in thread
#<THREAD "main thread" RUNNING {1001278083}>:
The value X is not of type LIST when binding SB-IMPL::PLACE
Type HELP for debugger help, or (SB-EXT:EXIT) to exit from SBCL.
restarts (invokable by number or by possibly-
0: [ABORT] Exit debugger, returning to top level.
(GETF X (A B C D) 34363007224) [external]
However, things go to hell if the unsupplied value location holds a wild pointer:
* (getf 'x '(a b c d))
debugger invoked on a TYPE-ERROR in thread
... ["X is not of type LIST" prints fine, but ...]
Type HELP for debugger help, or (SB-EXT:EXIT) to exit from SBCL.
restarts (invokable by number or by possibly-
0: [ABORT] Exit debugger, returning to top level.
CORRUPTION WARNING in SBCL pid 196276(tid 0x7f9fe657cb80):
Memory fault at 0xfee8e898 (pc=0x52a7e6e1 [code 0x52a7e550+0x191 ID 0x71c2], fp=0x7f9fe62e6810, sp=0x7f9fe62e6800) tid 0x7f9fe657cb80
The integrity of this image is possibly compromised.
Continuing with fingers crossed.
debugger invoked on a SB-SYS:
Type HELP for debugger help, or (SB-EXT:EXIT) to exit from SBCL.
restarts (invokable by number or by possibly-
0: [ABORT] Exit debugger, returning to top level.
CORRUPTION WARNING in SBCL pid 196276(tid 0x7f9fe657cb80):
Memory fault at 0xfee8e898 (pc=0x52a7e6e1 [code 0x52a7e550+0x191 ID 0x71c2], fp=0x7f9fe62e5618, sp=0x7f9fe62e5608) tid 0x7f9fe657cb80
The integrity of this image is possibly compromised.
Continuing with fingers crossed.
CORRUPTION WARNING in SBCL pid 196276(tid 0x7f9fe657cb80):
Memory fault at 0xfee8e8a0 (pc=0x5202a3ed [code 0x5202a0d0+0x31D ID 0xb0a], fp=0x7f9fe62e5690, sp=0x7f9fe62e5688) tid 0x7f9fe657cb80
The integrity of this image is possibly compromised.
Continuing with fingers crossed.
((LAMBDA (SB-PCL::.ARG0. SB-PCL::.ARG1.) :IN "SYS:SRC;
The backtrace at that point is:
Backtrace:
0: (LAMBDA (SB-PCL::.ARG0. SB-PCL::.ARG1.) :IN "SYS:SRC;
1: (LABELS SB-IMPL::HANDLE-IT :IN SB-KERNEL:
2: SB-INT::%WRITE, pc = 0x52046188, fp = 0x7f74b6fc6ba0
3: SB-DEBUG:
4: SB-DEBUG:
5: SB-DEBUG:
6: (FLET DEBUG :IN SB-DEBUG:
7: SB-DEBUG:
If execution is stopped at the first entrance into PRINT-FRAME-CALL before things have gotten worse, 'gdb' will show (in this example) that the wild pointer has fun-pointer-lowtag pointing to a word that ostensibly has SAP-WIDETAG but in fact is just instruction bytes.
Program received signal SIGSEGV, Segmentation fault.
0x0000000052a6f351 in ?? ()
(gdb) call print(0x10015e6f87) ; this the ARGS list obtained from FRAME-CALL
$1= 0x10015e6f87: list pointer
$2= car: 0x10015d738f: X
$3= cdr: 0x10015e6f97: ($4=($5=A $6=B $7=C $8=D) $9=#<ptr to sap>)
(gdb) x/2xg 0x10015e6f90
0x10015e6f90: 0x00000010015d7457 0x00000010015e6fa7
(gdb) x/2xg 0x00000010015e6fa0 ; show the CDR of ^
0x10015e6fa0: 0x0000000052059cab 0x0000000050100017 ; low byte of 'b' is fun-pointer
(gdb) x/2xg 0x0000000052059ca0
0x52059ca0: 0xfee8e88b4910894d 0x48e3420f48fffff7
I think we might be able to mitigate some of the problem by checking more carefully what FRAME-CALL returns. I don't any blame can be placed on %WRITE etc for not understanding how to print junk.
Changed in sbcl: | |
status: | New → Confirmed |
Changed in sbcl: | |
assignee: | nobody → Stas Boukarev (stassats) |
Changed in sbcl: | |
status: | Confirmed → Fix Committed |
assignee: | Stas Boukarev (stassats) → nobody |
Changed in sbcl: | |
status: | Fix Committed → Fix Released |