The plot thickens (Re: Segmentation fault cause)

Stephen R. van den Berg wrote:

Well, this experiment failed. I took out my reverts locally, and now changed the diagnostic Pike_error() in case of the already-destructed call into a Pike_fatal(), in hopes of finding out when it is being triggered from the next coredump.

This is what I find:

Coredump 1: [New LWP 13725] [New LWP 13648] [New LWP 13665] [New LWP 32741] [New LWP 13572] [New LWP 13650] [New LWP 13634] [New LWP 13726] [New LWP 13668] [New LWP 13671] [New LWP 13653] [New LWP 13656] [New LWP 13660] [New LWP 13727] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `/usr/local/bin/pike /home/spike.git/spike -n background'. Program terminated with signal SIGABRT, Aborted. #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. [Current thread is 1 (Thread 0x7ff24b488700 (LWP 13725))] (gdb) where #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ff24fbda55b in __GI_abort () at abort.c:79 #2 0x000055a1069066b9 in debug_va_fatal ( fmt=0x55a106b92bc8 "Stdio.Buffer already destructed.\n", args=args@entry=0x7ff24b4871b8) at /home/srb/pike/src/error.c:575 #3 0x000055a106904339 in debug_fatal ( fmt=fmt@entry=0x55a106b92bc8 "Stdio.Buffer already destructed.\n") at /home/srb/pike/src/error.c:583 #4 0x000055a106b14062 in already_destructed () at /home/srb/pike/src/modules/_Stdio/buffer.cmod:891 #5 0x000055a106b161ae in f_Buffer_cq__sizeof (args=<optimized out>) at /home/srb/pike/src/modules/_Stdio/buffer.cmod:1596 #6 0x000055a10686e9a6 in lower_mega_apply (args=args@entry=0, o=o@entry=0x55a10843d640, fun=fun@entry=21) at /home/srb/pike/src/interpret.c:2506 #7 0x000055a1068ac990 in mega_apply_low (args=args@entry=0, arg1=0x55a10843d640, arg2=21) at /home/srb/pike/src/interpret.c:3048 #8 0x000055a106a5c9b7 in pike_sizeof (s=0x7ff24dcdd160) at /home/srb/pike/src/svalue.c:2638 #9 0x000055a106879fed in eval_instruction_without_debug ( pc=0x55a107a65f0b "k\b", pc@entry=0x55a107c4cb0c "O") at /home/srb/pike/src/interpret_functions.h:2190 #10 0x000055a1068ac8d3 in eval_instruction (pc=0x55a107c4cb0c "O") at /home/srb/pike/src/interpret.c:2012 #11 catching_eval_instruction (pc=pc@entry=0x55a107c4cb0c "O") --Type <RET> for more, q to quit, c to continue without paging-- at /home/srb/pike/src/interpret.c:3082 #12 0x000055a106876e17 in eval_instruction_without_debug (pc=<optimized out>) at /home/srb/pike/src/interpret_functions.h:1502 #13 0x000055a10687e039 in eval_instruction (pc=<optimized out>) at /home/srb/pike/src/interpret.c:2012 #14 mega_apply (type=type@entry=APPLY_STACK, args=args@entry=1, arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /home/srb/pike/src/interpret.c:3023 #15 0x000055a1068ad70d in f_call_function (args=args@entry=1) at /home/srb/pike/src/interpret.c:3103 #16 0x000055a106a0912d in new_thread_func (data=<optimized out>) at /home/srb/pike/src/threads.c:1832 #17 0x00007ff24fd82f27 in start_thread (arg=<optimized out>) at pthread_create.c:479 #18 0x00007ff24fcb231f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I lost the coredump on this one (overwritten by the next). It hits sizeof() a buffer object that has been destroyed.

Then we have the following next one (I saved the core, so I can get more information from this one):

[New LWP 15651] [New LWP 15621] [New LWP 13738] [New LWP 15642] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `/usr/local/bin/pike /home/spike.git/spike -n background'. Program terminated with signal SIGABRT, Aborted. #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. [Current thread is 1 (Thread 0x7f85113ec700 (LWP 15651))] (gdb) where #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007f85140e055b in __GI_abort () at abort.c:79 #2 0x0000561705dfb6b9 in debug_va_fatal ( fmt=0x561706087bc8 "Stdio.Buffer already destructed.\n", args=args@entry=0x7f85113eb1b8) at /home/srb/pike/src/error.c:575 #3 0x0000561705df9339 in debug_fatal ( fmt=fmt@entry=0x561706087bc8 "Stdio.Buffer already destructed.\n") at /home/srb/pike/src/error.c:583 #4 0x0000561706009062 in already_destructed () at /home/srb/pike/src/modules/_Stdio/buffer.cmod:891 #5 0x000056170600f7ed in f_Buffer_add (args=<optimized out>) at /home/srb/pike/src/modules/_Stdio/buffer.cmod:1227 #6 0x0000561705d639a6 in lower_mega_apply (args=args@entry=1, o=o@entry=0x561706e266e0, fun=11) at /home/srb/pike/src/interpret.c:2506 #7 0x0000561705d6fd91 in eval_instruction_without_debug ( pc=0x561706d776c8 "\035\232\337\030-\n\022\336\031\070\n]\177W\001\001\070", pc@entry=0x561706d776ac "O") at /home/srb/pike/src/interpret_functions.h:2424 #8 0x0000561705da18d3 in eval_instruction (pc=0x561706d776ac "O") at /home/srb/pike/src/interpret.c:2012 #9 catching_eval_instruction (pc=pc@entry=0x561706d776ac "O") at /home/srb/pike/src/interpret.c:3082 #10 0x0000561705d6be17 in eval_instruction_without_debug (pc=<optimized out>) at /home/srb/pike/src/interpret_functions.h:1502 #11 0x0000561705d73039 in eval_instruction (pc=<optimized out>) at /home/srb/pike/src/interpret.c:2012 --Type <RET> for more, q to quit, c to continue without paging-- #12 mega_apply (type=type@entry=APPLY_STACK, args=args@entry=1, arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at /home/srb/pike/src/interpret.c:3023 #13 0x0000561705da270d in f_call_function (args=args@entry=1) at /home/srb/pike/src/interpret.c:3103 #14 0x0000561705efe12d in new_thread_func (data=<optimized out>) at /home/srb/pike/src/threads.c:1832 #15 0x00007f8514288f27 in start_thread (arg=<optimized out>) at pthread_create.c:479 #16 0x00007f85141b831f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

It calls add() on a destructed Buffer object.

Am I reading those correctly that both are upon thread creation?