* [patch] libguile GC crash
@ 2003-07-06 10:25 Sam Hocevar
2003-07-06 14:35 ` Han-Wen Nienhuys
From: Sam Hocevar @ 2003-07-06 10:25 UTC
Hello, I am experiencing a crash using libguile 1.6.4. Here is a
reduced testcase: (crashes here for i = 1886, but YMMV)
  #include <stdio.h>      /* sprintf */
  #include <libguile.h>

  int main(void) {
      char foo[128]; int i;
      scm_init_guile();
      /* Register many primitives: each call may grow the subr table,
         and the reallocation can trigger a GC part way through. */
      for(i=0; i<100000; i++) {
          sprintf(foo, "symbol%i%i%i%i", i, i, i, i);
          scm_c_make_subr(foo, 0, NULL);
      }
      return 0;
  }
My understanding is that scm_c_make_subr() calls scm_must_realloc()
to reallocate new_table, which in turn calls check_mtrigger(). But when
a GC is triggered, scm_igc() calls scm_mark_subr_table(), and since the
memory pointed to by new_table has just been realloc()ated but new_table
hasn't been updated yet, scm_mark_subr_table() crashes.
A simple fix would be to call check_mtrigger() before realloc().
Proposed patch attached. I am not yet familiar with all the internals
so I may have missed something, but it looked pretty safe to me.
Regards,
--
Sam.
[-- Attachment #2: patch-guile-gc.diff --]
--- guile-1.6-1.6.4.orig/libguile/gc.c
+++ guile-1.6-1.6.4/libguile/gc.c
@@ -2051,9 +2051,9 @@
scm_must_free() won't take NULL.
*/
scm_mallocated += size - old_size;
- SCM_SYSCALL (ptr = realloc (where, size));
-
check_mtrigger (what);
+
+ SCM_SYSCALL (ptr = realloc (where, size));
if (NULL != ptr)
{
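Review bot: the reorder is the right fix, but it should carry a comment saying why `check_mtrigger (what);` must precede `SCM_SYSCALL (ptr = realloc (where, size));`: check_mtrigger() can start a full GC, and the mark phase still reaches WHERE through pointers the caller has not yet updated, so WHERE must still be a valid block at that moment. A line such as `/* check_mtrigger () may run a GC that scans WHERE; it must run before realloc () invalidates it. */` above the call would stop a later cleanup from swapping the two statements back. Note also that `scm_mallocated += size - old_size;` already precedes the check, so the trigger decision accounts for the requested growth before the GC runs.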
_______________________________________________
Guile-devel mailing list
Guile-devel@gnu.org
http://mail.gnu.org/mailman/listinfo/guile-devel
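The ordering bug from the analysis above, modelled as an added example (constructed for this page, not guile's code and not part of the thread): a toy two-slot heap stands in for realloc() so every reallocation moves the block, `subr_table` stands in for new_table, and `check_mtrigger()` runs a GC whose mark phase walks the table. With the 1.6.4 ordering the GC scans a block the reallocation has already released; with the patched ordering it never does.

```c
#include <stddef.h>
#include <string.h>
/* Toy heap of two slots, so every "realloc" moves the block (as a real
 * realloc() may). Constructed model for this example, not guile's code. */
typedef struct { int live; size_t size; char data[256]; } block_t;
static block_t heap[2];
static int next_slot;
static block_t *toy_alloc(size_t size) {      /* always hands out the other slot */
    block_t *b = &heap[next_slot ^= 1];
    b->live = 1; b->size = size; memset(b->data, 0, sizeof b->data);
    return b;
}
static block_t *toy_realloc(block_t *where, size_t size) {
    block_t *b = toy_alloc(size);
    if (where) { memcpy(b->data, where->data, where->size); where->live = 0; }
    return b;
}
/* Interpreter state: the table the mark phase walks (new_table in gc.c),
 * plus the byte counter and threshold behind check_mtrigger(). */
static block_t *subr_table;
static size_t mallocated, mtrigger;
static int scans_of_dead_memory;     /* each one is a crash in real guile */
static void mark_subr_table(void) {  /* stands in for scm_mark_subr_table() */
    if (!subr_table->live) scans_of_dead_memory++;
}
static void check_mtrigger(void) {   /* runs a GC once the threshold is hit */
    if (mallocated >= mtrigger) { mark_subr_table(); mtrigger *= 2; }
}
/* Ordering in guile 1.6.4 before the patch: realloc first, GC second. */
static block_t *must_realloc_buggy(block_t *where, size_t old, size_t size) {
    mallocated += size - old;
    block_t *ptr = toy_realloc(where, size); /* old block is now dead ... */
    check_mtrigger();                        /* ... yet the GC still scans it */
    return ptr;
}
/* Ordering after the patch: the GC runs while WHERE is still a valid block. */
static block_t *must_realloc_fixed(block_t *where, size_t old, size_t size) {
    mallocated += size - old;
    check_mtrigger();
    return toy_realloc(where, size);
}
/* Grow the table n times by 8 bytes; return how many GCs scanned dead memory. */
int grow_table(int n, int fixed) {
    size_t sz = 8;
    mallocated = 0; mtrigger = 32; scans_of_dead_memory = 0;
    subr_table = toy_alloc(sz);
    for (int i = 0; i < n; i++, sz += 8)     /* caller updates the pointer only after the call */
        subr_table = (fixed ? must_realloc_fixed : must_realloc_buggy)(subr_table, sz, sz + 8);
    return scans_of_dead_memory;
}
```

With twenty 8-byte growth steps the threshold is crossed three times; the buggy order reports three scans of released memory, the patched order none.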
* [patch] libguile GC crash
2003-07-06 10:25 [patch] libguile GC crash Sam Hocevar
@ 2003-07-06 14:35 ` Han-Wen Nienhuys
From: Han-Wen Nienhuys @ 2003-07-06 14:35 UTC
Cc: guile-devel
sam@zoy.org writes:
> Hello, I am experiencing a crash using libguile 1.6.4. Here is a
> reduced testcase: (crashes here for i = 1886, but YMMV)
>
>   #include <stdio.h>      /* sprintf */
>   #include <libguile.h>
>
>   int main(void) {
>       char foo[128]; int i;
>       scm_init_guile();
>       for(i=0; i<100000; i++) {
>           sprintf(foo, "symbol%i%i%i%i", i, i, i, i);
>           scm_c_make_subr(foo, 0, NULL);
>       }
>       return 0;
>   }
>
> My understanding is that scm_c_make_subr() calls scm_must_realloc()
> to reallocate new_table, which in turn calls check_mtrigger(). But when
> a GC is triggered, scm_igc() calls scm_mark_subr_table(), and since the
> memory pointed to by new_table has just been realloc()ated but new_table
> hasn't been updated yet, scm_mark_subr_table() crashes.
>
> A simple fix would be to call check_mtrigger() before realloc().
> Proposed patch attached. I am not yet familiar with all the internals
> so I may have missed something, but it looked pretty safe to me.
>
> Regards,
Thanks for reporting and analyzing the bug. Your analysis as well as
your fix seems correct to me.
Rob, will you apply this patch?
The following comment may also be added:
  /*
     realloc() will probably invalidate the block pointed to by
     WHERE, e.g. by unmapping it from memory or altering the contents.
     Since check_mtrigger() might scan WHERE, it is crucial that
     this call precedes realloc().
  */
--
Han-Wen Nienhuys | hanwen@cs.uu.nl | http://www.xs4all.nl/~hanwen