[Bug: 21.5-b26+CVS] Crash in GC

Jerry James james at xemacs.org
Mon May 1 13:26:43 EDT 2006 

I wrote:
> Here's the C backtrace:
>
> (gdb) bt
> #0  0x00000033ac92fbe7 in ?? () from /lib64/libc.so.6
> #1  0x00000000004c2f65 in fatal_error_signal (sig=6)
>     at /home/james/Projects/xemacs/xemacs-21.5/src/emacs.c:3792
> #2  <signal handler called>
> #3  0x00000033ac92fbe7 in ?? () from /lib64/libc.so.6
> #4  0x00000000004c2f80 in fatal_error_signal (sig=11)
>     at /home/james/Projects/xemacs/xemacs-21.5/src/emacs.c:3790
> #5  <signal handler called>
> #6  lispdesc_indirect_count_1 (code=-2, idesc=Variable "idesc" is not available.)
>     at /home/james/Projects/xemacs/xemacs-21.5/src/gc.c:373
> #7  0x000000000056320c in kkcc_marking (cnt=100000)
>     at /home/james/Projects/xemacs/xemacs-21.5/src/lrecord.h:1917
> #8  0x00000000005632dc in gc_resume_mark (incremental=Variable "incremental" is not available.
> )
>     at /home/james/Projects/xemacs/xemacs-21.5/src/gc.c:1878
> #9  0x00000000005635e0 in gc_1 (incremental=1)
>     at /home/james/Projects/xemacs/xemacs-21.5/src/gc.c:1913
> #10 0x00000000005636b0 in gc (incremental=1)
>     at /home/james/Projects/xemacs/xemacs-21.5/src/gc.c:1945
> #11 0x00000000004d0365 in Ffuncall (nargs=2, args=0x7fffffd0cf00)
>     at /home/james/Projects/xemacs/xemacs-21.5/src/eval.c:3822
> #12 0x00000000004d0f87 in call1 (fn=Variable "fn" is not available.
> )
>     at /home/james/Projects/xemacs/xemacs-21.5/src/eval.c:4545
> #13 0x00000000004e1db0 in execute_internal_event (event=84134392)
>     at /home/james/Projects/xemacs/xemacs-21.5/src/event-stream.c:3102
> #14 0x00000000004e8ff2 in Fdispatch_event (event=84134392)
>     at /home/james/Projects/xemacs/xemacs-21.5/src/event-stream.c:4644
> #15 0x00000000004850d9 in Fcommand_loop_1 ()
>     at /home/james/Projects/xemacs/xemacs-21.5/src/cmdloop.c:600
> #16 0x00000000004851ce in command_loop_1 (unused_dummy=Variable "unused_dummy" is not available.
> )
>     at /home/james/Projects/xemacs/xemacs-21.5/src/cmdloop.c:505
> #17 0x00000000004cb7bf in condition_case_1 (handlers=Variable "handlers" is not available.
> )
>     at /home/james/Projects/xemacs/xemacs-21.5/src/eval.c:1924
> #18 0x0000000000485305 in command_loop_2 (unused_dummy=Variable "unused_dummy" is not available.
> )
>     at /home/james/Projects/xemacs/xemacs-21.5/src/cmdloop.c:262
> #19 0x00000000004c9db0 in internal_catch (tag=Variable "tag" is not available.
> )
>     at /home/james/Projects/xemacs/xemacs-21.5/src/eval.c:1530
> #20 0x0000000000485544 in initial_command_loop (load_me=Variable "load_me" is not available.
> )
>     at /home/james/Projects/xemacs/xemacs-21.5/src/cmdloop.c:313
> #21 0x00000000004c3e77 in xemacs_21_5_b26_x86_64_unknown_linux (argc=1,
>     argv=0x7fffffd0d5d8, unused_envp=Variable "unused_envp" is not available.
> )
>     at /home/james/Projects/xemacs/xemacs-21.5/src/emacs.c:2666
> #22 0x00000000004c4af7 in main (argc=Variable "argc" is not available.
> )
>     at /home/james/Projects/xemacs/xemacs-21.5/src/emacs.c:3110
>
> Contrary to the print statement above, the crash is not due to address
> 0x8019c.  It is due to address 0x10008019c (the value of irdata), which
> is 32 bytes past 0x10008017c (the value of the idata parameter in frame
> 6).  This is because the print statement in vdb-posix.c that prints the
> addresses prints them as integers.  On my platform, integers are 32 bits
> and addresses are 64 bits, so the print statement chops off the upper 32
> bits.
>
> Note that the idata parameter in frame 6 is already bad: that address is
> not accessible in GDB.
>
> GDB and GCC don't seem to like each other very much on this platform
> (Fedora Core 5 for x86_64); note all the "is not available" messages in
> that backtrace.  I can't visit anything meaningful in stack frame 7.  I
> even compiled with -g3 this time, because I had the same thing happen to
> me when compiling with -g, but it does not seem to have helped at all.
> A quick test with -O0 -g3 shows that the problem persists even then.
>
> I'll save the core file in case someone can tell me what to do with it.

I've been able to tease GDB into giving me a little more information.
Stack frame 6, the call to lispdesc_indirect_count_1 with the bad
pointer, comes from the central for loop in kkcc_marking().  It is
crashing on the first iteration of the loop, where

desc[0] = {type = XD_BLOCK_PTR,
           offset = 8,
           data1 = -2,
           data2 = {write_only = 0x762dd0, descr = 0x762dd0, funcs = 0x762dd0},
           flags = 0}

The bad data pointer comes from kkcc_gc_stack_ptr[6732], which is:

  {data = 0x10008017c, desc = 0x762d20, level = 2730, pos = 2}

As mentioned in the intial report, address 0x10008017c is an invalid
address.  The information in data2 above (assuming it is a
sized_memory_description) is:

{size = 32, description = 0x762e40}

and THAT memory_description (0x762e40) points to:

  {type = XD_LISP_OBJECT,
   offset = 0,
   data1 = 0,
   data2 = {write_only = 0x0, descr = 0x0, funcs = 0x0},
   flags = 0}

Any theories on how that bad pointer got into a kkcc_gc_stack_ptr
element in the first place?  I still have the core file.

Regards,
-- 
Jerry James, Assistant Professor        james at xemacs.org
Computer Science Department             http://www.cs.usu.edu/~jerry/
Utah State University

More information about the XEmacs-Beta mailing list