Re: [Zope-dev] Confusing segfault for Zope2 head on RH7.3

[Matthew T. Kromer]

Matthew T. Kromer wrote:

>
> On *my* RedHat 7.3 system, I cannot reproduce your problem.
>
> However, you do note that exception 0x6e727574 is ASCII for 'nrut' or 
> 'turn' backwards.
> I dont know if that's meaningful or not.  I usally watch out for ASCII 
> in things that should otherwise be addresses.
>

FYI -- I fixed this in the ISO_8859_1 splitter.  The problem was a 
section of code attempting to use the character "mu" (a character with 
the high bit set) as an offset into an array.  It was cast to an int, 
rather than an unsigned char, so it went negative, and the code stored 
0x01 into an area it shouldn't have -- in this case, on top of the 
linkage table entry for PyExc_IndexError.


-- 
Matt Kromer
Zope Corporation  http://www.zope.com/ 





___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Confusing segfault for Zope2 head on RH7.3

[Barry A. Warsaw]

> "DM" == Dieter Maurer <[EMAIL PROTECTED]> writes:

DM> This looks like a compiler error, maybe an error in the
DM> dynamic linking code.

Matt Kromer spent some more time on this today and indeed he suspected
ld.so (specifically /lib/ld-2.2.5.so).  This makes perfect sense and
Matt's analysis matches observed behavior.  Matt's contacted the glibc
maintainer at Redhat with details.

Matt, maybe you'd like to post that message here for completeness?

-Barry


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Confusing segfault for Zope2 head on RH7.3

[Dieter Maurer]

Barry A. Warsaw writes:
 > 
 > At the PyErr_SetString() call
 > PyExc_IndexError is a perfectly valid PyObject*, but just one stack
 > frame later, inside the PyErr_SetString, the exception object is a
 > completely bogus address.  PyErr_SetString() is not getting the same
 > object that Splitter_item() is providing in the first argument.  Note
 > that the second argument, a char* is just fine.
This looks like a compiler error, maybe an error in the dynamic
linking code.

I would single step through the assembler code and check whether
the parameter is pushed onto the stack, whether this stack address
is overwritten during the call sequence (which may include dynamic
linking code) and whether the variable is referenced in "PyErr_SetString"
from the correct frame offset.

To do this, you would use "display/i $pc"
and then single step on assembly level "xi" until you are
beyond the setup code of "PyErr_SetString".
You should find the frame offsets of you parameters with "i addr ".

When you like, you can send me the output for further examination.


Dieter


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Confusing segfault for Zope2 head on RH7.3

[Barry A. Warsaw]

> "MTK" == Matthew T Kromer <[EMAIL PROTECTED]> writes:

MTK> On *my* RedHat 7.3 system, I cannot reproduce your problem.

MTK> However, you do note that exception 0x6e727574 is ASCII for
MTK> 'nrut' or 'turn' backwards.  I dont know if that's meaningful
MTK> or not.  I usally watch out for ASCII in things that should
MTK> otherwise be addresses.

Ah, backwards masking C heaps!  If you look at the whole thing, it
says:

'natas fo rial eht retne ton ot dna dnuora nrut'

Actually the tale gets weirder.  With a Python 2.2.1 --with-pydebug
build there is no crash at all.  With a Python 2.1.3 built w/ gcc 3.1
and -g and -O2 I get no crash but this exception:

Traceback (most recent call last):
  File "crash.py", line 8, in ?
list(x)
SystemError: error return without exception set

With a Python 2.1.3 built w/gcc 3.1 and just -g (no -O2) I get some
weird worst-of-both-worlds:

Traceback (most recent call last):
  File "crash.py", line 8, in ?
list(x)
Segmentation fault (core dumped)

So I'm totally confuzzled and am sick of wasting time on this, so I
think I'll just trust Python 2.2.1.

;)

-Barry


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Confusing segfault for Zope2 head on RH7.3

[Matthew T. Kromer]

Barry A. Warsaw wrote:

>Working on the Zope 2.7 branch I noticed a very strange crash while
>running the test suite.  I re-checked out the Zope 2 cvs head, rebuilt
>everything from scratch and I still get the crash.  I'm about out of
>ideas so I thought I'd post what I know here in case anyone else can
>confirm or give clues.
>
>[...]
>
>The top of the backtrace is:
>
>#0  PyErr_SetString (exception=0x6e727574, 
>string=0x402660dc "Splitter index out of range") at Python/errors.c:69
>
>  
>


On *my* RedHat 7.3 system, I cannot reproduce your problem.

However, you do note that exception 0x6e727574 is ASCII for 'nrut' or 
'turn' backwards.
I dont know if that's meaningful or not.  I usally watch out for ASCII 
in things that should otherwise be addresses.

-- 
Matt Kromer
Zope Corporation  http://www.zope.com/ 





___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Confusing segfault for Zope2 head on RH7.3

[Barry A. Warsaw]

Working on the Zope 2.7 branch I noticed a very strange crash while
running the test suite.  I re-checked out the Zope 2 cvs head, rebuilt
everything from scratch and I still get the crash.  I'm about out of
ideas so I thought I'd post what I know here in case anyone else can
confirm or give clues.

First off, I'm using a fresh checkout of the Zope 2 cvs head with a
virgin Python 2.1.3 (although a cvs head of the Python 2.1 maintenance
branch has the same problem).  I've rebuilt Python 2.1.3 with only the
-g option (no -O, although it makes no difference), and I've rebuilt
Zope using this command:

% python2.1 setup.py build_ext -i

which also builds with just the -g option, although that also makes no
difference.  Note that I've also built using "python2.1 wo_pcgi.py"
and that also makes no difference.

I then run the test suite like so:

% PYTHONPATH=lib/python python2.1 utilities/testrunner -a

and I reliably get a crash in ISO_8859_1_Splitter.c  I've boiled it
down to the following simplified test case:

 snip snip crash.py
from Products.PluginIndexes.TextIndex.Splitter.ISO_8859_1_Splitter.ISO_8859_1_Splitter 
import ISO_8859_1_Splitter
x = ISO_8859_1_Splitter('hello world')
list(x)
 snip snip 

run it like so:

% PYTHONPATH=lib/python python2.1 crash.py

The top of the backtrace is:

#0  PyErr_SetString (exception=0x6e727574, 
string=0x402660dc "Splitter index out of range") at Python/errors.c:69
#1  0x402658af in ISO_Splitter_item (self=0x843ed98, i=2)
at 
Products/PluginIndexes/TextIndex/Splitter/ISO_8859_1_Splitter/src/ISO_8859_1_Splitter.c:357
#2  0x0808b98d in PySequence_List (v=0x843ed98) at Objects/abstract.c:1258
#3  0x080b934f in builtin_list (self=0x0, args=0x810137c)
at Python/bltinmodule.c:1357
...

(I hacked the C code to rename Splitter_item() in
ISO_8859_1_Splitter.c to ISO_Splitter_item() for ease of setting the
break point.)

Here's the deal.  Splitter_item() cruises along as expected until it
hits the end of the text.  word is Py_None and it drops into the
clause that sets the IndexError exception.  AFAICT, there are no
reference counting bugs in the code.  At the PyErr_SetString() call
PyExc_IndexError is a perfectly valid PyObject*, but just one stack
frame later, inside the PyErr_SetString, the exception object is a
completely bogus address.  PyErr_SetString() is not getting the same
object that Splitter_item() is providing in the first argument.  Note
that the second argument, a char* is just fine.

Stepping through the code with gdb gives no help.  I can set break
points and inspect all the objects created and decref'd and everything
appears okay.  Printing PyExc_IndexError right before the call shows
nothing strange, but stepping into PyErr_SetString() shows the first
arg is corrupted.  I don't get it.  I've show the other PLabbers and
it perplexes them too. :)

To make matters weirder, we've tested this on various Linux flavors
and versions.  On RH6.1 and MD8.{0,1} it works just fine -- no crash.
The /only/ system that I've seen the crash is RedHat 7.3, and there it
crashes on both of my up-to-date RH7.3 systems, every time, and
reliably.

I think I've eliminated gcc as a culprit because most of our Linux
boxes are using the same gcc version, according to gcc -v:

Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 2731 (Red Hat Linux 7.3 2.96-110)

i.e 2.96 2731.

The /only/ difference that I can tell is the glibc version.  My RH7.3
systems have glibc 2.2.5 and on all the other systems glibc's are
older; no system with glibc 2.2.4 or earlier exhibits the crash.

I have not tested gcc 3.1 and I have not tried other glibc's on
RH7.3.  I'd really like to know if anybody else on RH7.3 either sees
the same crash or doesn't.  And if so  what version of gcc and
glibc you've got.  I'm starting to suspect a glibc bug, but it's dang
strange.

-Barry


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )