bug#63279: Segfault when printing a call-with-values stack frame in backtrace

bug#63279: Segfault when printing a call-with-values stack frame in backtrace

[Thompson, David]

Hello there,

Guile seems to segfault when trying to print certain backtraces with a
'call-with-values' stack frame.  Here's a minimal reproducer program:

(symbol? (call-with-values (lambda () (error 'oh-no)) list))

If you eval this at the REPL and enter ,bt in the debugger, Guile
should segfault.

Relevant gdb backtrace:

#0  0x00007ffff7f43397 in scm_is_values (x=<error reading variable:
ERROR: Cannot access memory at address 0x0>0x0) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/values.h:30
#1  vm_regular_engine (thread=0x7ffff7401900) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/vm-engine.c:974
#2  0x00007ffff7f50db5 in scm_call_n (proc=<optimized out>,
argv=<optimized out>, nargs=4) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/vm.c:1615
#3  0x00007ffff7ebb674 in scm_call_4 (proc=<optimized out>,
arg1=<optimized out>, arg2=<optimized out>, arg3=<optimized out>,
arg4=<optimized out>) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/eval.c:517
#4  0x00007ffff7eb801b in display_backtrace_body (a=0x7fffed68e6a0) at
/tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/backtrace.c:239
#5  0x00007ffff7f62092 in scm_c_with_exception_handler.constprop.0
(type=#t, handler_data=handler_data@entry=0x7fffed68e630,
thunk_data=thunk_data@entry=0x7fffed68e630, thunk=<optimized out>,
handler=<optimized out>)
    at /tmp/guix-build-guile-3.0.9.drv-0/guile-3.0.9/libguile/exceptions.c:170

From what I can tell, in vm-engine.c, in the subr-call op,
'scm_apply_subr (sp, idx, FRAME_LOCALS_COUNT ())' is called and
returns an SCM object, which is stored in the local variable 'ret'.
Then 'scm_is_values (ret)' is called, and the segfault occurs due to a
null pointer dereference. At the time of the segfault, 'idx' is 1130,
corresponding to the 'frame-local-ref' subr. Makes sense since it's
the backtrace printer that crashes Guile.

It seems that the data stored in the stack frames for
'call-with-values' calls is incorrect and the backtrace printer wants
to display 3 arguments for the call when the procedure only accepts 2
arguments.  This can be clearly seen by running another small program
that happens to not segfault:

(call-with-values (lambda () (error 'oh-no)) list)

Check out the backtrace and you'll see a frame like this:

(_ #<procedure b34e28 at <unknown port>:8:18 ()> #<procedure list _> 1)

The first 2 arguments are as expected, but why is there a 1 at the end?

For another example that doesn't crash but has an even more clearly
messed up backtrace, try this:

(append '(a b c) (call-with-values (lambda () (error 'oh-no)) list))

You'll see a frame like this:

(_ #<procedure b39730 at <unknown port>:10:35 ()> #<procedure list _>
. #<unknown-type (0xb . 0x304) @ 0x7f50dd792050>)

At Spritely we've reproduced this issue on multiple machines with both
Guile 3.0.7 and 3.0.9.

- Dave

bug#63279: Segfault when printing a call-with-values stack frame in backtrace

[Maxime Devos]

[-- Attachment #1.1.1: Type: text/plain, Size: 1266 bytes --]

> Hello there,
> 
> Guile seems to segfault when trying to print certain backtraces with a
> 'call-with-values' stack frame.  Here's a minimal reproducer program:
> 
> (symbol? (call-with-values (lambda () (error 'oh-no)) list))


Here is a more minimal reproducer, from
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=50153>:

> Write the following to "crash.scm":
> 
>> (call-with-values backtrace list)
>> #t
> 
> (the trailing #t is important) and run
> 
>> # --auto-compile works too, but --no-auto-compile doesn't cause a crash
>> guile --fresh-auto-compile -l crash.scm

(i.e., it doesn't seem to be a bug in the exception mechanism, itself 
rather it seems a bug in something _used_ by the exception mechanism.)

I don't know if it has exactly the same cause, but it looks familiar.

For some other backtrace suspiciousness, see 
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=48422>, though possibly 
that issue has a different cause.

Because of the ‘It seems that the data stored in the stack frames for
'call-with-values' calls is incorrect [...]’ it seems plausible 
something similar is going on in 
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46232>, though possibly 
that is unrelated.

Greeitngs,
Maxime.

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 929 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]

bug#63279: Segfault when printing a call-with-values stack frame in backtrace

[Thompson, David]

Andy fixed this in commit 6efc0b8159f0fc74c0eafec988fe5434fb4d9f51.
Thank you, Andy!

Closing.

- Dave