Segmentation fault in backend_find_call_out_info
Imported from https://youtrack.roxen.com/issue/PIKE-55
Reported by Marcus Wellhardh wellhard@roxen.com
Got the following segmentation fault using roxen-6.2.77-test-ep-rhel7_x86_64.sh, which is in reality version 6.2.78.
Server version:
: Server start command:
: /usr/local/roxen/server-6.2.78/bin/roxen
: -DLOG_GC_TIMESTAMPS
: -DLOG_GC_CYCLES
: -DLOG_GC_HISTOGRAM
: -DREP_DEBUG_DEF_CACHING
: -DRAM_CACHE
: -DHTTP_COMPRESSION
: -M/usr/local/roxen/server-6.2.78/etc/modules
: -M/usr/local/roxen/local/pike_modules
: -I/usr/local/roxen/server-6.2.78/etc/include
: -I/usr/local/roxen/server-6.2.78/base_server
: -P/usr/local/roxen/server-6.2.78/base_server
: -P/usr/local/roxen/server-6.2.78
: base_server/roxenloader.pike
: --pid-file=../configurations/_roxen_pid
GDB (the faulting instruction `addl $0x1,(%rax)` in backend_find_call_out_info runs with rax = 0 according to the register dump below, i.e. a write through a null pointer):
(gdb) bt
#0 0x000000000044b2fa in backend_find_call_out_info (me=me@entry=0x8d6758, fun=0x7ffff7e631f0) at /home/dist/tmp/build/pike.srcbuild/../pike/src/backend.cmod:1138
#1 0x000000000044c465 in f_Backend_remove_call_out (args=<optimized out>) at /home/dist/tmp/build/pike.srcbuild/../pike/src/backend.cmod:1289
#2 0x0000000000429fd9 in low_mega_apply (type=APPLY_SVALUE, type@entry=APPLY_SVALUE_STRICT, args=1, arg1=<optimized out>, arg2=arg2@entry=0x0) at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/apply_low.h:221
#3 0x000000000042a74d in jump_opcode_F_APPLY_AND_POP (arg1=<optimized out>) at /home/dist/tmp/build/pike.srcbuild/../pike/src/interpret_functions.h:2449
#4 0x00007fffe95507d9 in ?? ()
#5 0x00000000011ed2f0 in ?? ()
#6 0x0000000000b28f90 in ?? ()
#7 0x00007ffff0236000 in ?? ()
#8 0x00007ffff7e631c0 in ?? ()
#9 0x0000000000b1e848 in ?? ()
#10 0x00000000008e3820 in ?? ()
#11 0x00007fffeb5fe593 in ?? ()
#12 0x000000000041d636 in eval_instruction (pc=0x7fffeb5fe593 "UH\211\345AWAVAUATSH\203\354\bI\211\377M\213w H\215\005\365\377\377\377I\211F(M\213/I\213VpI\213v`L\211\357H\017\267R\002\307\300\200\371K")
at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/interpret.c:1711
#13 catching_eval_instruction (pc=0x7fffeb5fe593 "UH\211\345AWAVAUATSH\203\354\bI\211\377M\213w H\215\005\365\377\377\377I\211F(M\213/I\213VpI\213v`L\211\357H\017\267R\002\307\300\200\371K", pc@entry=0x7fffffffd040 "\223\345_\353\377\177")
at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/interpret.c:2754
#14 0x000000000041fc50 in inter_return_opcode_F_CATCH (addr=0x7fffffffd040 "\223\345_\353\377\177") at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/interpret.c:1295
#15 0x00007fffeb5fe57b in ?? ()
#16 0x0000000007245820 in ?? ()
#17 0xfffffffffffffff0 in ?? ()
#18 0x000000005a65d8e6 in ?? ()
#19 0x000000005a65d8e5 in ?? ()
#20 0x0000000000000001 in ?? ()
#21 0x0000000000000001 in ?? ()
#22 0x00000000008d6758 in ?? ()
#23 0x000000000042df96 in eval_instruction (pc=<optimized out>) at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/interpret.c:1711
#24 mega_apply (arg2=0x0, arg1=0x0, args=args@entry=9320480, type=APPLY_STACK) at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/interpret.c:2695
#25 f_call_function (args=args@entry=9320480) at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/interpret.c:2775
#26 0x000000000044c244 in backend_do_call_outs (me=0x7ffff7e63180, me@entry=0x8d6758) at /home/dist/tmp/build/pike.srcbuild/../pike/src/backend.cmod:1048
#27 0x000000000044ff39 in pdb_low_backend_once (pdb=0x8d6740, timeout=timeout@entry=0x7fffffffd4f0) at /home/dist/tmp/build/pike.srcbuild/../pike/src/backend.cmod:4177
#28 0x00000000004501b0 in f_PollDeviceBackend_cq__backtick_28_29 (args=<optimized out>) at /home/dist/tmp/build/pike.srcbuild/../pike/src/backend.cmod:4310
#29 0x0000000000429fd9 in low_mega_apply (type=APPLY_SVALUE, type@entry=APPLY_STACK, args=1, arg1=<optimized out>, arg1@entry=0x0, arg2=arg2@entry=0x0) at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/apply_low.h:221
#30 0x000000000042a99e in jump_opcode_F_CALL_FUNCTION_AND_POP () at /home/dist/tmp/build/pike.srcbuild/../pike/src/interpret_functions.h:2452
#31 0x00007ffff000e47c in ?? ()
#32 0x000000000000005f in ?? ()
#33 0x0000000000965ba0 in ?? ()
#34 0x00007ffff0236000 in ?? ()
#35 0x00007ffff7e63120 in ?? ()
#36 0x00000000008caef8 in ?? ()
#37 0x00000000008e3820 in ?? ()
#38 0x00007ffff000c2a4 in ?? ()
#39 0x000000000041d636 in eval_instruction (pc=0x7ffff000c2a4 "UH\211\345AWAVAUATSH\203\354\bI\211\377M\213w H\215\005\365\377\377\377I\211F(M\213/I\213NpH\213I H\213\211\230") at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/interpret.c:1711
#40 catching_eval_instruction (pc=0x7ffff000c2a4 "UH\211\345AWAVAUATSH\203\354\bI\211\377M\213w H\215\005\365\377\377\377I\211F(M\213/I\213NpH\213I H\213\211\230", pc@entry=0x7ffff7e63240 "") at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/interpret.c:2754
#41 0x000000000041fc50 in inter_return_opcode_F_CATCH (addr=0x7ffff7e63240 "") at /tmp/dist/6.0/pike.rhel7_x86_64/pike/src/interpret.c:1295
#42 0x00007ffff000c28c in ?? ()
#43 0x00007fffffffda14 in ?? ()
#44 0x0000000000000001 in ?? ()
#45 0x00000000005d460d in __dso_handle ()
#46 0x00007fffffffda50 in ?? ()
#47 0x0000000000000000 in ?? ()
(gdb) disassemble 0x000000000044b2fa
Dump of assembler code for function backend_find_call_out_info:
0x000000000044b270 <+0>: push %r12
0x000000000044b272 <+2>: mov 0x403d57(%rip),%rax # 0x84efd0 <Pike_interpreter_pointer>
0x000000000044b279 <+9>: mov %rdi,%r12
0x000000000044b27c <+12>: push %rbp
0x000000000044b27d <+13>: push %rbx
0x000000000044b27e <+14>: mov (%rax),%rbp
0x000000000044b281 <+17>: mov 0x100(%rdi),%eax
0x000000000044b287 <+23>: test %eax,%eax
0x000000000044b289 <+25>: je 0x44b34f <backend_find_call_out_info+223>
0x000000000044b28f <+31>: cmpw $0x8,(%rsi)
0x000000000044b293 <+35>: mov %rsi,%rbx
0x000000000044b296 <+38>: je 0x44b360 <backend_find_call_out_info+240>
0x000000000044b29c <+44>: mov %rbx,%rdi
0x000000000044b29f <+47>: callq 0x540640 <hash_svalue>
0x000000000044b2a4 <+52>: mov 0x114(%r12),%ecx
0x000000000044b2ac <+60>: mov %eax,%esi
0x000000000044b2ae <+62>: xor %edx,%edx
0x000000000044b2b0 <+64>: mov %rsi,%rax
0x000000000044b2b3 <+67>: div %rcx
0x000000000044b2b6 <+70>: shl $0x4,%rdx
0x000000000044b2ba <+74>: add 0x120(%r12),%rdx
0x000000000044b2c2 <+82>: mov 0x8(%rdx),%rcx
0x000000000044b2c6 <+86>: test %rcx,%rcx
0x000000000044b2c9 <+89>: je 0x44b43b <backend_find_call_out_info+459>
0x000000000044b2cf <+95>: mov 0x403cfa(%rip),%r8 # 0x84efd0 <Pike_interpreter_pointer>
0x000000000044b2d6 <+102>: mov (%r8),%rdx
0x000000000044b2d9 <+105>: jmp 0x44b2e9 <backend_find_call_out_info+121>
0x000000000044b2db <+107>: nopl 0x0(%rax,%rax,1)
0x000000000044b2e0 <+112>: mov 0x20(%rcx),%rcx
0x000000000044b2e4 <+116>: test %rcx,%rcx
0x000000000044b2e7 <+119>: je 0x44b34a <backend_find_call_out_info+218>
0x000000000044b2e9 <+121>: cmp %rsi,0x8(%rcx)
0x000000000044b2ed <+125>: jne 0x44b2e0 <backend_find_call_out_info+112>
0x000000000044b2ef <+127>: mov 0x40(%rcx),%rax
0x000000000044b2f3 <+131>: lea 0x10(%rdx),%rdi
0x000000000044b2f7 <+135>: mov %rdi,(%r8)
=> 0x000000000044b2fa <+138>: addl $0x1,(%rax)
0x000000000044b2fd <+141>: movq $0x8,(%rdx)
0x000000000044b304 <+148>: mov %rax,0x8(%rdx)
0x000000000044b308 <+152>: mov %rdi,%rdx
0x000000000044b30b <+155>: jmp 0x44b2e0 <backend_find_call_out_info+112>
0x000000000044b30d <+157>: nopl (%rax)
0x000000000044b310 <+160>: mov -0x8(%rdx),%r12
0x000000000044b314 <+164>: mov %rbx,%rdi
0x000000000044b317 <+167>: mov 0x28(%r12),%rsi
0x000000000044b31c <+172>: callq 0x541370 <is_eq>
0x000000000044b321 <+177>: test %eax,%eax
0x000000000044b323 <+179>: jne 0x44b3b0 <backend_find_call_out_info+320>
0x000000000044b329 <+185>: mov 0x403ca0(%rip),%rax # 0x84efd0 <Pike_interpreter_pointer>
0x000000000044b330 <+192>: mov (%rax),%rcx
0x000000000044b333 <+195>: lea -0x10(%rcx),%rdx
0x000000000044b337 <+199>: mov %rdx,(%rax)
0x000000000044b33a <+202>: movzwl -0x10(%rcx),%eax
0x000000000044b33e <+206>: and $0xfffffff8,%eax
0x000000000044b341 <+209>: cmp $0x8,%eax
0x000000000044b344 <+212>: je 0x44b420 <backend_find_call_out_info+432>
0x000000000044b34a <+218>: cmp %rdx,%rbp
0x000000000044b34d <+221>: jb 0x44b310 <backend_find_call_out_info+160>
0x000000000044b34f <+223>: xor %eax,%eax
0x000000000044b351 <+225>: pop %rbx
0x000000000044b352 <+226>: pop %rbp
0x000000000044b353 <+227>: pop %r12
0x000000000044b355 <+229>: retq
0x000000000044b356 <+230>: nopw %cs:0x0(%rax,%rax,1)
---Type <return> to continue, or q <return> to quit---
(gdb) info reg
rax 0x0 0
rbx 0x7ffff7e631f0 140737352446448
rcx 0x14ef0a80 351210112
rdx 0x7ffff7e63200 140737352446464
rsi 0x459954 4561236
rdi 0x7ffff7e63210 140737352446480
rbp 0x7ffff7e63200 0x7ffff7e63200
rsp 0x7fffffffcec0 0x7fffffffcec0
r8 0x8e3820 9320480
r9 0x186a0 100000
r10 0x8e3820 9320480
r11 0x293 659
r12 0x8d6758 9267032
r13 0x7ffff7e631f0 140737352446448
r14 0x8e3380 9319296
r15 0xb1c5c8 11650504
rip 0x44b2fa 0x44b2fa <backend_find_call_out_info+138>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)