[gnutls-devel] 3.3.19 / 3.4.7 Guile related testsuite segfaults

Ludovic Courtès ludo at gnu.org
Wed Dec 16 11:26:30 CET 2015


Hi Andreas,

I have been able to reproduce the bug by running this from guile/tests:

  while ../pre-inst-guile -L . --no-auto-compile openpgp-auth.scm ; do : ; done

and to get a backtrace:

--8<---------------cut here---------------start------------->8---
(gdb) bt
#0  iprin1 (
    exp=<error reading variable: ERROR: Cannot access memory at address 0x0>, 
    port=#<port file 1dd2ff0>, pstate=0x1e71320) at print.c:589
#1  0x00007f8a7822e167 in scm_iprlist (hdr=hdr@entry=0x7f8a782a8e49 "(", 
    exp=exp@entry=<error reading variable: ERROR: Cannot access memory at address 0x0>, tlr=tlr@entry=41, port=port@entry=#<port file 1dd2ff0>, 
    pstate=pstate@entry=0x1e71320) at print.c:1336
#2  0x00007f8a7822ee24 in iprin1 (
    exp=<error reading variable: ERROR: Cannot access memory at address 0x0>, 
    port=#<port file 1dd2ff0>, pstate=0x1e71320) at print.c:614
#3  0x00007f8a7822e22b in scm_iprlist (hdr=hdr@entry=0x7f8a782a8e49 "(", 
    exp=<error reading variable: ERROR: Cannot access memory at address 0x0>, 
    exp@entry=<error reading variable: ERROR: Cannot access memory at address 0x0>, tlr=tlr@entry=41, port=port@entry=#<port file 1dd2ff0>, 
    pstate=pstate@entry=0x1e71320) at print.c:1347
#4  0x00007f8a7822ee24 in iprin1 (
    exp=<error reading variable: ERROR: Cannot access memory at address 0x0>, 
    port=#<port file 1dd2ff0>, pstate=0x1e71320) at print.c:614
#5  0x00007f8a7822dfa9 in scm_prin1 (
    exp=<error reading variable: ERROR: Cannot access memory at address 0x0>, 
    port=#<port file 1dd2ff0>, writingp=1) at print.c:845
#6  0x00007f8a7822f4f6 in scm_simple_format (
    destination=#<port file 1dd2ff0>, 
    message="~%throw to `~a' with args ~s~%", 
    args=<error reading variable: ERROR: Cannot access memory at address 0x0>)
    at print.c:1528
#7  0x00007f8a78278d56 in vm_regular_engine (
    vm=<error reading variable: ERROR: Cannot access memory at address 0x0>, 
    program=#<port file 1dd2ff0>, argv=0x1d505e0, nargs=2015556272)
    at vm-i-system.c:861
#8  0x00007f8a78279438 in scm_call_with_vm (vm=#<vm 1d4d070>, 
    proc=#<program 1d1c620>, args=<optimized out>) at vm.c:1060
#9  0x00007f8a781e6ac1 in scm_apply (proc=<optimized out>, 
    arg1=<optimized out>, args=<optimized out>, args@entry=()) at eval.c:755
#10 0x00007f8a781e8700 in scm_apply_1 (proc=<optimized out>, 
    arg1=arg1@entry=wrong-type-arg, args=<optimized out>) at eval.c:588
#11 0x00007f8a7825e4fc in scm_throw (key=key@entry=wrong-type-arg, 
    args=<optimized out>) at throw.c:98
#12 0x00007f8a7825e925 in scm_ithrow (key=key@entry=wrong-type-arg, 
    args=<optimized out>, no_return=no_return@entry=1) at throw.c:435
#13 0x00007f8a781e5665 in scm_error_scm (key=key@entry=wrong-type-arg, 
    subr=<optimized out>, message=message@entry="Wrong type: ~S", 
    args=args@entry=<error reading variable: ERROR: Cannot access memory at address 0x0>, 
    data=data@entry=<error reading variable: ERROR: Cannot access memory at address 0x0>) at error.c:94
#14 0x00007f8a781e571f in scm_error (key=wrong-type-arg, subr=subr@entry=0x0, 
    message=<optimized out>, 
    args=<error reading variable: ERROR: Cannot access memory at address 0x0>, rest=rest@entry=<error reading variable: ERROR: Cannot access memory at address 0x0>) at error.c:59
#15 0x00007f8a781e59a8 in scm_wrong_type_arg (subr=subr@entry=0x0, 
    pos=pos@entry=0, 
    bad_value=<error reading variable: ERROR: Cannot access memory at address 0x0>) at error.c:248
#16 0x00007f8a781d4d80 in scm_to_bool (x=<optimized out>) at boolean.c:83
#17 0x00007f8a748dd7be in fill_session_record_port_input (
    port=<optimized out>) at core.c:896
#18 0x00007f8a78229598 in scm_slow_get_byte_or_eof (
    port=port@entry=#<port gnutls-session-port 200aae0>) at ports.c:1535
--8<---------------cut here---------------end--------------->8---

Here ‘fill_session_record_port_input’ attempts to access the SCM object
stored via ‘gnutls_session_set_ptr’ in the session object.  But it turns
out that this SCM object is garbage (maybe because it has been GC’d),
leading to a Scheme wrong-type-arg error and eventually a crash.

I can think of two options: either a GC bug (where the SMOB mark
procedure for the session SMOB would not be called, or its result would
be ignored, leading to the session data being GC’d too early), or some
random C level corruption.

I’ll keep investigating and report back.

Thanks,
Ludo’.

PS: Please keep me Cc’d.
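As an added illustration of the mark-procedure hypothesis in the message above (this is not code from the message, from Guile or from the GnuTLS Guile bindings): a small stand-alone C model of a mark-and-sweep heap in which a "session" object stores an opaque pointer, the way gnutls_session_set_ptr does, and its mark procedure either reports that pointer to the collector or, in the buggy variant, does not. Every name in it (cell, session_mark_ok, session_mark_buggy, port_survives_gc, ...) is invented for the model; the point it shows is that when the session's mark procedure is skipped or its result ignored, the stored object is reclaimed while the session still holds its address, and the next access sees an object whose type tag is no longer what the caller expects.

```c
/* Toy mark-and-sweep heap modelling the reasoning above.  Added
   example; not Guile's collector and not the GnuTLS bindings. */
#include <stdio.h>
#include <string.h>

enum tag { TAG_FREE = 0, TAG_PORT = 1, TAG_SESSION = 2 };

#define HEAP_CELLS 8

struct cell {
    enum tag tag;   /* type tag; a live object never carries TAG_FREE */
    int marked;
    void *ptr;      /* for TAG_SESSION: the pointer stored via "set_ptr" */
};

static struct cell heap[HEAP_CELLS];

static struct cell *alloc_cell(enum tag t)
{
    for (int i = 0; i < HEAP_CELLS; i++) {
        if (heap[i].tag == TAG_FREE) {
            heap[i].tag = t;
            heap[i].marked = 0;
            heap[i].ptr = NULL;
            return &heap[i];
        }
    }
    return NULL;
}

/* A mark procedure returns the one extra object the collector must keep
   alive, or NULL (like a SMOB mark procedure returning SCM_BOOL_F). */
typedef struct cell *(*mark_proc)(struct cell *self);

/* Correct variant: the object reachable only through the stored pointer
   is reported to the collector. */
static struct cell *session_mark_ok(struct cell *s)
{
    return (struct cell *) s->ptr;
}

/* Buggy variant: the stored pointer is never reported, so the collector
   treats that object as unreachable. */
static struct cell *session_mark_buggy(struct cell *s)
{
    (void) s;
    return NULL;
}

static void mark(struct cell *c, mark_proc session_marker)
{
    if (c == NULL || c->marked)
        return;
    c->marked = 1;
    if (c->tag == TAG_SESSION)
        mark(session_marker(c), session_marker);
}

/* Reclaim unmarked cells and poison their tag, so a later use shows up
   as a wrong type instead of silently reading reused memory. */
static int sweep(void)
{
    int freed = 0;
    for (int i = 0; i < HEAP_CELLS; i++) {
        if (heap[i].tag != TAG_FREE && !heap[i].marked) {
            heap[i].tag = TAG_FREE;
            heap[i].ptr = NULL;
            freed++;
        }
        heap[i].marked = 0;
    }
    return freed;
}

/* Counterpart of fill_session_record_port_input: fetch the object stored
   in the session and check its type before using it.  Returns 1 if it is
   still a valid port, 0 if it is garbage (the wrong-type-arg case). */
static int session_port_is_valid(const struct cell *session)
{
    const struct cell *p = session->ptr;
    return p != NULL && p->tag == TAG_PORT;
}

/* Build a session whose only reference to the port is the stored pointer,
   run one collection with the session as the sole root, and report
   whether the port survived. */
static int port_survives_gc(mark_proc session_marker)
{
    memset(heap, 0, sizeof heap);
    struct cell *port = alloc_cell(TAG_PORT);
    struct cell *session = alloc_cell(TAG_SESSION);
    session->ptr = port;            /* what "set_ptr" stores in the model */
    mark(session, session_marker);  /* session is a root; port is not */
    sweep();
    return session_port_is_valid(session);
}

int main(void)
{
    printf("correct mark procedure: port %s\n",
           port_survives_gc(session_mark_ok) ? "alive" : "collected");
    printf("buggy mark procedure:   port %s\n",
           port_survives_gc(session_mark_buggy) ? "alive" : "collected");
    return 0;
}
```

In the real bindings the equivalent of session_port_is_valid is the type check inside scm_to_bool that fails in frame #16 of the backtrace; the model only makes explicit that the failure is the expected symptom of the stored object being collected while the session still points at it.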
