Re: Crash on invalid cons_free_list

Re: Crash on invalid cons_free_list

[Kim F. Storm]

Chong Yidong <cyd@stupidchicken.com> writes:

> [I sent this to emacs-pretest-bug a few days ago, but it didn't seem
> to arrive.  I think my email system was flaking out at the time.]
>
> I installed VM to and played around with it trying to make the
> string_free_list/compact_small_strings crash happen.  I got a crash on
> an invalid cons_free_list; dunno if that's related.

It seems that most of the crashes triggered by VM are somehow related
to mapcar -- and in this case a mapcar called inside mapatoms.

Can you deduce what functions are run here, and see if they
do something special, e.g. intern new symbols or something
else which manipulates symbols, conses, or strings...


>
> Unfortunately, I have not been able to reproduce the crash.  I'll keep
> the gdb session up for the next day or so in case someone needs more
> information.  This Emacs was built about four days ago.
>
>
> Program received signal SIGSEGV, Segmentation fault.
> Fcons (car=137392193, cdr=137392193) at alloc.c:2696
> 2696          cons_free_list = *(struct Lisp_Cons **)&cons_free_list->cdr;
> (gdb) p cons_free_list
> $3 = (struct Lisp_Cons *) 0x41081b22
> (gdb) p cons_free_list->cdr
> Cannot access memory at address 0x41081b26
> (gdb) xbacktrace
> "mapcar"
> "vm-mapc"
> "vm-copy-local-variables"
> "vm-do-needed-mode-line-update"
> 0x897134c PVEC_COMPILED
> "mapatoms"
> "vm-update-summary-and-mode-line"
> "vm-decode-mime-message"
> "vm-show-current-message"
> "vm-scroll-forward"
> "call-interactively"
> "recursive-edit"
> "byte-code"
> "debug"
> "execute-extended-command"
> "call-interactively"
> (gdb) bt full
> #0  Fcons (car=137392193, cdr=137392193) at alloc.c:2696
>         val = 137392193
> #1  0x08134900 in Flist (nargs=1, args=0xbf983d80) at alloc.c:2784
>         val = 143785469
> #2  0x08155930 in Fmapcar (function=143785469, sequence=143784269)
>     at fns.c:3208
>         leni = 2
>         args = (int *) 0xbf983d80
>         ret = -1080541824
>         sa_must_free = 0
> #3  0x0814bf66 in Ffuncall (nargs=3, args=0xbf983e34) at eval.c:2865
>         fun = 137108664
>         funcar = 137392193
>         numargs = 2
>         lisp_numargs = 137392193
>         val = 137392193
>         backtrace = {
>           next = 0xbf983f10, 
> 	  function = 0xbf983e30, 
>           args = 0xbf983e34, 
>           nargs = 2, 
>           evalargs = 0 '\0', 
>           debug_on_exit = 0 '\0'
>        }
>        internal_args = (int *) 0xbf983e34
>        i = 137392193
>
>
> _______________________________________________
> Emacs-devel mailing list
> Emacs-devel@gnu.org
> http://lists.gnu.org/mailman/listinfo/emacs-devel
>
>

-- 
Kim F. Storm <storm@cua.dk> http://www.cua.dk

Crash on invalid cons_free_list

[Chong Yidong]

[I sent this to emacs-pretest-bug a few days ago, but it didn't seem
to arrive.  I think my email system was flaking out at the time.]

I installed VM to and played around with it trying to make the
string_free_list/compact_small_strings crash happen.  I got a crash on
an invalid cons_free_list; dunno if that's related.

Unfortunately, I have not been able to reproduce the crash.  I'll keep
the gdb session up for the next day or so in case someone needs more
information.  This Emacs was built about four days ago.


Program received signal SIGSEGV, Segmentation fault.
Fcons (car=137392193, cdr=137392193) at alloc.c:2696
2696          cons_free_list = *(struct Lisp_Cons **)&cons_free_list->cdr;
(gdb) p cons_free_list
$3 = (struct Lisp_Cons *) 0x41081b22
(gdb) p cons_free_list->cdr
Cannot access memory at address 0x41081b26
(gdb) xbacktrace
"mapcar"
"vm-mapc"
"vm-copy-local-variables"
"vm-do-needed-mode-line-update"
0x897134c PVEC_COMPILED
"mapatoms"
"vm-update-summary-and-mode-line"
"vm-decode-mime-message"
"vm-show-current-message"
"vm-scroll-forward"
"call-interactively"
"recursive-edit"
"byte-code"
"debug"
"execute-extended-command"
"call-interactively"
(gdb) bt full
#0  Fcons (car=137392193, cdr=137392193) at alloc.c:2696
        val = 137392193
#1  0x08134900 in Flist (nargs=1, args=0xbf983d80) at alloc.c:2784
        val = 143785469
#2  0x08155930 in Fmapcar (function=143785469, sequence=143784269)
    at fns.c:3208
        leni = 2
        args = (int *) 0xbf983d80
        ret = -1080541824
        sa_must_free = 0
#3  0x0814bf66 in Ffuncall (nargs=3, args=0xbf983e34) at eval.c:2865
        fun = 137108664
        funcar = 137392193
        numargs = 2
        lisp_numargs = 137392193
        val = 137392193
        backtrace = {
          next = 0xbf983f10, 
	  function = 0xbf983e30, 
          args = 0xbf983e34, 
          nargs = 2, 
          evalargs = 0 '\0', 
          debug_on_exit = 0 '\0'
       }
       internal_args = (int *) 0xbf983e34
       i = 137392193

Re: Crash on invalid cons_free_list

[Kevin Rodgers]

Kim F. Storm wrote:
 > Chong Yidong <cyd@stupidchicken.com> writes:
 >>I installed VM to and played around with it trying to make the
 >>string_free_list/compact_small_strings crash happen.  I got a crash on
 >>an invalid cons_free_list; dunno if that's related.
 >
 > It seems that most of the crashes triggered by VM are somehow related
 > to mapcar -- and in this case a mapcar called inside mapatoms.
 >
 > Can you deduce what functions are run here, and see if they
 > do something special, e.g. intern new symbols or something
 > else which manipulates symbols, conses, or strings...

Here is the code inside vm-update-summary-and-mode-line that calls
mapatoms:

   (save-excursion
     (mapatoms (function
	       (lambda (b)
		 (setq b (get-buffer (symbol-name b)))
		 (if b
		     (progn
		       (set-buffer b)
		       (intern (buffer-name)
			       vm-buffers-needing-undo-boundaries)
		       (vm-check-for-killed-summary)
		       (and vm-use-toolbar
			    (vm-toolbar-support-possible-p)
			    (vm-toolbar-update-toolbar))
		       (vm-do-needed-renumbering)
		       (if vm-summary-buffer
			   (vm-do-needed-summary-rebuild))
		       (vm-do-needed-mode-line-update)))))
	      vm-buffers-needing-display-update)
     (fillarray vm-buffers-needing-display-update 0))

The crash occurs inside vm-do-needed-mode-line-update, which calls
vm-copy-local-variables, which in turn calls vm-mapc:

(defun vm-copy-local-variables (buffer &rest variables)
   (let ((values (mapcar 'symbol-value variables)))
     (save-excursion
       (set-buffer buffer)
       (vm-mapc 'set variables values))))

(defun vm-mapc (function &rest lists)
   (let (arglist)
     (while (car lists)
       (setq arglist (mapcar 'car lists))
       (apply function arglist)
       (setq lists (mapcar 'cdr lists)))))

-- 
Kevin

Re: Crash on invalid cons_free_list

[Richard M. Stallman]

    It seems that most of the crashes triggered by VM are somehow related
    to mapcar -- and in this case a mapcar called inside mapatoms.

The crash happens when cons encounters invalid data in the free list.
However, the bug occurred earlier, when the data became invalid.

There is no evidence that it is directly related to this mapcar, or to
this mapatoms.  But if we look at which part of VM does this mapatoms,
then depending on how often it is done, it might offer some sort of
clue.  If VM does this mapatoms very often, perhaps all we can deduce
is that most of VM's consing is there, so if the bug happens in VM, it
would tend to show up there.  That doesn't really help.

However, if only a particular VM command does this mapatoms, and most
of VM's consing is done elsewhere, maybe it means the bug is in
something done by that command.  (Not necessarily WITHIN the
mapatoms--it could be earlier in the same command.)  That could narrow
things down to the point where it would be worth rechecking the C code
for any unusual thing done by that command.

Re: Crash on invalid cons_free_list

[David Kastrup]

"Richard M. Stallman" <rms@gnu.org> writes:

>     It seems that most of the crashes triggered by VM are somehow related
>     to mapcar -- and in this case a mapcar called inside mapatoms.
>
> The crash happens when cons encounters invalid data in the free list.
> However, the bug occurred earlier, when the data became invalid.

I find that significantly lowering gc-cons-threshold helps a lot in
triggering such errors more often and making them occur somewhat
closer to their origin.

-- 
David Kastrup, Kriemhildstr. 15, 44793 Bochum

Re: Crash on invalid cons_free_list

[Richard M. Stallman]

    I find that significantly lowering gc-cons-threshold helps a lot in
    triggering such errors more often and making them occur somewhat
    closer to their origin.

That is a good suggestion.  Could you add something to etc/DEBUG about
that?

Re: Crash on invalid cons_free_list

[Juri Linkov]

>> The crash happens when cons encounters invalid data in the free list.
>> However, the bug occurred earlier, when the data became invalid.
>
> I find that significantly lowering gc-cons-threshold helps a lot in
> triggering such errors more often and making them occur somewhat
> closer to their origin.

>From my experience, quite contrary: for a half year I got no crashes
with a low value of gc-cons-threshold.  But when I increased it to
a big value (80MB) I immediately got a cons_free_list related crash.

-- 
Juri Linkov
http://www.jurta.org/emacs/