bug#13611: SEGV during SMOB GC

[Mike Gran <spk121@yahoo.com>]

[-- Attachment #1: Type: text/plain, Size: 1375 bytes --]

Hello-

I have a reproducible SEGV during GC of SMOBs on Guile 2.0.7.
It was also present in 2.0.6.


To reproduce compile main.c as 

$ gcc -std=gnu99 -shared -o smobbug.so -Wall -Wextra `pkg-config guile-2.0 --cflags --libs` -fPIC main.c


Then with
$ LD_PRELOAD=./smobbug.so LD_LIBRARY_PATH=. GUILE_LOAD_PATH=. guile

;; At the repl, load the lib

 (use-modules (smobbug))
;; Make a SMOB to be GC'd

 (handlesmob-init)
;; Trigger a GC from the GC thread
 (string-length (make-string 10000000))

This gives

  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0xb7d98b40 (LWP 20488)]
  0xb7f251ab in smob_mark (addr=0x8608ff0, mark_stack_ptr=0xb7d90308, 
      mark_stack_limit=0xb7d982f0, env=0) at smob.c:325
  325           SCM_I_CURRENT_THREAD->current_mark_stack_ptr = mark_stack_ptr;

Here's what's happening internally.  When Guile starts up, it creates 3
threads
* Initial thread
* GC thread from scm_storage_prehistory GC_INIT()
* signal delivery thread

That second thread is the one from which automatic garbage collection
occurs.  The way that thread gets created, it has an
scm_i_current_thread == NULL, apparently.


So dereferencing scm_i_current_thread causes null dereference.
And smob_mark() will dereference scm_i_current_thread when collecting a
smob with a mark function.

-Mike

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: smobbug.scm --]
[-- Type: text/x-scheme; name="smobbug.scm", Size: 174 bytes --]

(define-module (smobbug)
  #:export ( 
	    handlesmob-init
	    ))

(load-extension "smobbug" "smobbug_init")

(define (handlesmob-init)
  "docstring"
  (%handlesmob-init))

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: main.c --]
[-- Type: text/x-csrc; name="main.c", Size: 1389 bytes --]

#define _GNU_SOURCE
#include <stdio.h>
#include <libguile.h>

static scm_t_bits handlesmob_tag;
void smobbug_init (void);
SCM mark_handle (SCM x);


SCM handlesmob_init ()
{
  SCM s_handlesmob;
  char *handle;

  handle = malloc (1);
  
  return SCM_NEWSMOB (s_handlesmob, handlesmob_tag, handle);
}

SCM
mark_handlesmob (SCM x)
{
  // No SCMs in the handle type: nothing to do here.
  return (SCM_BOOL_F);
}

size_t
free_handlesmob (SCM handle)
{
  SCM_ASSERT (SCM_SMOB_PREDICATE (handlesmob_tag, handle), handle, SCM_ARG1, "free-handlesmob");

  char *m = SCM_SMOB_DATA (handle);

  if (m != NULL)
      free (m);

  return 0;
}

int
print_handlesmob (SCM x, SCM port, scm_print_state *pstate)
{
  char *frm = (char *) SCM_SMOB_DATA (x);
  char *str;

  scm_puts ("#<handlesmob ", port);

  if (frm == (char *) NULL)
    {
      scm_puts ("(freed)", port);
    }
  else
    {
      if (asprintf (&str, "%p", frm) < 0)
	scm_puts ("???", port);
      else
	scm_puts (str, port);
    }

  scm_puts (">", port);
  
  // non-zero means success 
  return 1;
}

void
smobbug_init ()
{
  handlesmob_tag = scm_make_smob_type ("handlesmob", sizeof (char *));
  scm_set_smob_mark (handlesmob_tag, mark_handlesmob);
  scm_set_smob_free (handlesmob_tag, free_handlesmob);
  scm_set_smob_print (handlesmob_tag, print_handlesmob);
  scm_c_define_gsubr ("%handlesmob-init", 0, 0, 0, handlesmob_init);
}