[Gc] Segfault in GC_mark_from

Klaus Treichel ktreichel at web.de
Sat Oct 25 00:07:56 PDT 2008


Hi,

On Sunday, 12.10.2008, 21:06 +0400, Ivan Maidanski wrote:
> Hi!
> 
> Klaus Treichel <ktreichel at web.de> wrote:
> > Hi,
> > 
> > I finally managed to reproduce the segfault on one of my boxes running
> > an x86 Linux.
> > 
> > libgc is built with assertions enabled but without mmap and munmap.
> You are not using THREAD_LOCAL_ALLOC and PARALLEL_MARK, are you?
> And, on the contrary, ALL_INTERIOR_POINTERS should be defined.

I'm using a default build on x86 Linux.

> > 
> > 
> > Program received signal SIGSEGV, Segmentation fault.
> > [Switching to Thread 0xb69b7b90 (LWP 6451)]
> > GC_mark_from (mark_stack_top=0x819c110, mark_stack=0x819c000,
> >     mark_stack_limit=0x81a4000) at mark.c:795
> > 795               deferred = *(word *)limit;
> > (gdb) print limit
> > $1 = 0x83f20b8 <Address 0x83f20b8 out of bounds>
> > (gdb) print mark_stack_top[0]
> > $4 = {mse_start = 0x83f20bc <Address 0x83f20bc out of bounds>,
> >   mse_descr = 2064244}
> 
> Please insert something like "GC_noop1(*(word*)...->mse_start);" after every place
> in gclib where mse_start is changed. And try to reproduce the segfault again...

Ok, I've done that and now it shows that an invalid value is set for
mse_start in mark.c at line 671.

          mark_stack_top -> mse_start =
                limit = current_p + WORDS_TO_BYTES(SPLIT_RANGE_WORDS-1);

(gdb) print current_p
$1 = 0x83e1edc ""

That's with modified mse_start but before mse_descr is decreased.

(gdb) print mark_stack_top[0]
$2 = {mse_start = 0x83e20d8 <Address 0x83e20d8 out of bounds>,
  mse_descr = 1806676}


(gdb) call GC_dump()
***Static roots:
Total size: 0

***Heap sections:
Total heap size: 1691648
Section 0 from 0x81a5000 to 0x81b5000 0/16 blacklisted
Section 1 from 0x81c5000 to 0x81d5000 0/16 blacklisted
Section 2 from 0x8265000 to 0x8275000 0/16 blacklisted
Section 3 from 0x8275000 to 0x828e000 0/25 blacklisted
Section 4 from 0x828e000 to 0x82ad000 0/31 blacklisted
Section 5 from 0x82ad000 to 0x82f5000 0/72 blacklisted
Section 6 from 0x82f5000 to 0x8358000 0/99 blacklisted
Section 7 from 0x8358000 to 0x83e2000 0/138 blacklisted

***Free blocks:
Free list 3 (Total size 12288):
        0x83df000 size 12288 not black listed
Free list 14 (Total size 57344):
        0x82af000 size 57344 not black listed
Free list 24 (Total size 98304):
        0x828e000 size 98304 not black listed
Free list 55 (Total size 909312):
        0x82ff000 size 909312 not black listed
Total of 1077248 bytes on free list

***Blocks in use:
(kind(0=ptrfree,1=normal,2=unc.):size_in_bytes, #_marks_set)
(0:8,96)(1:136,0)(4:208920,1)(2:10248,1)(2:32776,1)(1:64,11)(0:16,6)(4:34832,0)(1:56,1)(2:10248,1)(2:32776,1)(2:10248,1)(2:32776,1)(4:64,0)(1:448,4)(2:10248,1)(2:32776,1)(4:4112,0)(4:32,0)(4:2064,1)(4:72,0)(4:48,1)(1:48,1)(4:24,3)(4:16,3)(4:40,7)(2:4080,1)(4:136,1)(1:24,1)(1:16,1)(4:56,3)(2:10248,1)(0:1360,2)(1:56,54)(2:32776,1)(2:136,6!=487)(1:32,13)(1:8,1)(1:216,1)(2:24,2!=343)
blocks = 40, bytes = 614400

***Finalization statistics:
12 finalization table entries; 0 disappearing links
1 objects are eligible for immediate finalization

That's the backtrace of another thread in the test app at this point.

#3  0x0810c697 in GC_suspend_handler (sig=30, info=0xb71d571c,
    context=0xb71d579c) at pthread_stop_world.c:142
#4  <signal handler called>
#5  0xffffe410 in __kernel_vsyscall ()
#6  0xb7e98d31 in __lll_mutex_unlock_wake () from /lib/libpthread.so.0
#7  0xb7e95b88 in _L_mutex_unlock_175 () from /lib/libpthread.so.0
#8  0xb7e95874 in __pthread_mutex_unlock_usercnt ()
from /lib/libpthread.so.0
#9  0x08100f40 in GC_generic_malloc (lb=208915, k=4) at malloc.c:187
#10 0x08108f01 in GC_malloc_explicitly_typed (lb=208915, d=1073741825)
    at typd_mlc.c:611

It's similar to the one I sent before.

(gdb) fr 9
#9  0x08100f40 in GC_generic_malloc (lb=208915, k=4) at malloc.c:187
187             UNLOCK();
(gdb) print result
$3 = (void *) 0xb7ea0ff4

Any hints?

Klaus

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://napali.hpl.hp.com/pipermail/gc/attachments/20081025/e7f790f6/attachment.pgp
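The split that Klaus points at in mark.c takes a mark-stack entry whose length descriptor exceeds SPLIT_RANGE_WORDS, scans the first SPLIT_RANGE_WORDS-1 words now and rewrites mse_start so that the remainder stays on the stack. The program below is an added example (written for this page; it is not code from Klaus, Ivan or libgc) that models that arithmetic and adds a range check which is not something the collector does: before splitting, it verifies that the entry's whole range, as described, is covered by the heap sections printed by GC_dump(). It assumes a 4-byte word (the 32-bit x86 target in the report), SPLIT_RANGE_WORDS = 128 (an assumption; it reproduces the printed offset 0x83e20d8 - 0x83e1edc = 508 bytes = 127 words) and treats mse_descr as a plain byte length. The section list and the entry (current_p = 0x83e1edc, mse_descr = 1806676) are copied from the gdb output above. Addresses are handled as integers and never dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model the 32-bit x86 target from the report, independent of the host. */
#define WORD_BYTES 4u
#define WORDS_TO_BYTES(n) ((uint64_t)(n) * WORD_BYTES)
/* Assumed value of the collector's SPLIT_RANGE_WORDS (not taken from the
   page); 128 reproduces the offset seen in gdb: 0x83e20d8 - 0x83e1edc = 508. */
#define SPLIT_RANGE_WORDS 128u

typedef struct {
    uint64_t mse_start;   /* address of the first word still to scan */
    uint64_t mse_descr;   /* treated here as a plain byte length */
} mse_t;

typedef struct { uint64_t lo, hi; } section_t;  /* [lo, hi) */

/* Heap sections copied from the GC_dump() output in the message. */
static const section_t heap_sections[] = {
    {0x81a5000, 0x81b5000}, {0x81c5000, 0x81d5000}, {0x8265000, 0x8275000},
    {0x8275000, 0x828e000}, {0x828e000, 0x82ad000}, {0x82ad000, 0x82f5000},
    {0x82f5000, 0x8358000}, {0x8358000, 0x83e2000},
};
#define N_SECTIONS (sizeof heap_sections / sizeof heap_sections[0])

/* The entry from the message: current_p and mse_descr as printed by gdb,
   with the modified mse_start but before mse_descr is decreased. */
static const mse_t reported_entry = {0x83e1edc, 1806676};

/* True if every byte of [start, start+len) lies in some heap section.
   Adjacent sections are walked one after another, so a block that spans a
   section boundary is still accepted; only a gap or the end of the heap
   makes the check fail. */
bool range_in_heap(uint64_t start, uint64_t len)
{
    uint64_t p = start, end = start + len;
    while (p < end) {
        bool covered = false;
        for (size_t i = 0; i < N_SECTIONS; i++) {
            if (p >= heap_sections[i].lo && p < heap_sections[i].hi) {
                p = heap_sections[i].hi;   /* covered up to the section end */
                covered = true;
                break;
            }
        }
        if (!covered)
            return false;
    }
    return true;
}

/* Model of the split in GC_mark_from: leave the remainder on the stack by
   moving mse_start forward SPLIT_RANGE_WORDS-1 words and shrinking the
   descriptor by the same amount. Returns the new mse_start, or 0 if the
   range is small enough not to be split. */
uint64_t split_large_range(mse_t *top)
{
    if (top->mse_descr <= WORDS_TO_BYTES(SPLIT_RANGE_WORDS))
        return 0;
    uint64_t limit = top->mse_start + WORDS_TO_BYTES(SPLIT_RANGE_WORDS - 1);
    top->mse_start = limit;
    top->mse_descr -= WORDS_TO_BYTES(SPLIT_RANGE_WORDS - 1);
    return limit;
}

/* Added validation (not collector code): refuse to split an entry whose
   described range is not entirely inside the heap, so a corrupt entry is
   reported where it is produced rather than where it is later scanned. */
bool check_and_split(mse_t *top, uint64_t *new_start)
{
    if (!range_in_heap(top->mse_start, top->mse_descr))
        return false;
    *new_start = split_large_range(top);
    return true;
}

/* Convenience wrappers over the reported entry. */
uint64_t reported_split_start(void)
{
    mse_t e = reported_entry;
    return split_large_range(&e);
}

bool reported_entry_in_heap(void)
{
    return range_in_heap(reported_entry.mse_start, reported_entry.mse_descr);
}

int main(void)
{
    mse_t e = reported_entry;
    uint64_t new_start = 0;
    bool ok = check_and_split(&e, &new_start);
    printf("entry [0x%llx, +%llu) inside heap: %s\n",
           (unsigned long long)reported_entry.mse_start,
           (unsigned long long)reported_entry.mse_descr, ok ? "yes" : "no");
    printf("mse_start after split would be 0x%llx\n",
           (unsigned long long)reported_split_start());
    return 0;
}
```

Run as written, the split reproduces the mse_start gdb printed (0x83e20d8), and the range check rejects the entry because 0x83e1edc plus 1806676 bytes runs past the end of section 7 at 0x83e2000. The check itself says nothing about how the descriptor came to hold that value; like the GC_noop1 probe Ivan suggested, it is a way to fault at the point where a bad entry is written instead of where it is consumed.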