From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Dmitry Antipov <dmantipov@yandex.ru>
Newsgroups: gmane.emacs.devel
Subject: Nasty GC bug
Date: Fri, 24 Aug 2012 11:26:59 +0400
Message-ID: <50372CC3.9050704@yandex.ru>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: ger.gmane.org 1345793080 24448 80.91.229.3 (24 Aug 2012 07:24:40 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Fri, 24 Aug 2012 07:24:40 +0000 (UTC)
To: Emacs development discussions <emacs-devel@gnu.org>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Aug 24 09:24:40 2012
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1T4oFx-0004H2-1Y
	for ged-emacs-devel@m.gmane.org; Fri, 24 Aug 2012 09:24:37 +0200
Original-Received: from localhost ([::1]:55854 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1T4oFv-0003Sb-CZ
	for ged-emacs-devel@m.gmane.org; Fri, 24 Aug 2012 03:24:35 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:39326)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <dmantipov@yandex.ru>) id 1T4oFo-0003SW-9e
	for emacs-devel@gnu.org; Fri, 24 Aug 2012 03:24:33 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <dmantipov@yandex.ru>) id 1T4oFn-0000GN-Bx
	for emacs-devel@gnu.org; Fri, 24 Aug 2012 03:24:28 -0400
Original-Received: from forward14.mail.yandex.net ([95.108.130.92]:34003)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <dmantipov@yandex.ru>) id 1T4oFn-0000GJ-3w
	for emacs-devel@gnu.org; Fri, 24 Aug 2012 03:24:27 -0400
Original-Received: from smtp11.mail.yandex.net (smtp11.mail.yandex.net [95.108.130.67])
	by forward14.mail.yandex.net (Yandex) with ESMTP id BA733198087C
	for <emacs-devel@gnu.org>; Fri, 24 Aug 2012 11:24:25 +0400 (MSK)
Original-Received: from smtp11.mail.yandex.net (localhost [127.0.0.1])
	by smtp11.mail.yandex.net (Yandex) with ESMTP id A81A37E00C3
	for <emacs-devel@gnu.org>; Fri, 24 Aug 2012 11:24:25 +0400 (MSK)
Original-Received: from unknown (unknown [37.139.84.55])
	by smtp11.mail.yandex.net (nwsmtp/Yandex) with ESMTP id
	OPuW7fsQ-OPuKoYO0; Fri, 24 Aug 2012 11:24:25 +0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
	t=1345793065; bh=dj7F2wDVlsrFZfiFU/Nhm4C++sGD7rp1QEJQNg3bRLs=;
	h=Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:
	Content-Type:Content-Transfer-Encoding;
	b=RiayH+Opg+/TYeWrgGZ9pwF1Tu/sqW+3D2FQq2Dq2WANqC+PmLAnOJGCFXgjl8q9M
	qM3O2NTD8PfNN087s+MQ/io3sDod6iuoTByT7gD3xK+K2VaOuG3cxU0V50h4mR75Bm
	mo6Noo7UXTheaHXx2I68E9Aq4rTSpBWslTBhxJL0=
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:14.0) Gecko/20120713 Thunderbird/14.0
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 95.108.130.92
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:152791
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/152791>

It looks like live_cons_p (M, P) may be true if P is a cons cell from
the spare_memory[X], X = 1..4. So, mark_maybe_{object, pointer} may
call to mark_object for an uninitialized cons from spare blocks, with
random results (most probably a crash). This is very hard to reproduce
because it depends from the values found on a C stack.

The same looks to be true for live_string_p and spare_memory[5, 6].

Suggested fix is to use MEM_TYPE_NON_LISP for spare memory, e.g.:

=== modified file 'src/alloc.c'
--- src/alloc.c	2012-08-21 23:39:56 +0000
+++ src/alloc.c	2012-08-24 07:23:48 +0000
@@ -3816,22 +3816,22 @@
      spare_memory[0] = malloc (SPARE_MEMORY);
    if (spare_memory[1] == 0)
      spare_memory[1] = lisp_align_malloc (sizeof (struct cons_block),
-						  MEM_TYPE_CONS);
+						  MEM_TYPE_NON_LISP);
    if (spare_memory[2] == 0)
      spare_memory[2] = lisp_align_malloc (sizeof (struct cons_block),
-					 MEM_TYPE_CONS);
+					 MEM_TYPE_NON_LISP);
    if (spare_memory[3] == 0)
      spare_memory[3] = lisp_align_malloc (sizeof (struct cons_block),
-					 MEM_TYPE_CONS);
+					 MEM_TYPE_NON_LISP);
    if (spare_memory[4] == 0)
      spare_memory[4] = lisp_align_malloc (sizeof (struct cons_block),
-					 MEM_TYPE_CONS);
+					 MEM_TYPE_NON_LISP);
    if (spare_memory[5] == 0)
      spare_memory[5] = lisp_malloc (sizeof (struct string_block),
-				   MEM_TYPE_STRING);
+				   MEM_TYPE_NON_LISP);
    if (spare_memory[6] == 0)
      spare_memory[6] = lisp_malloc (sizeof (struct string_block),
-				   MEM_TYPE_STRING);
+				   MEM_TYPE_NON_LISP);
    if (spare_memory[0] && spare_memory[1] && spare_memory[5])
      Vmemory_full = Qnil;
  #endif

Comments?

Dmitry