Issue 10838 - Null pointer dereference in gc.gcx.Gcx.isMarked
Status: RESOLVED FIXED
Alias: None
Product: D
Classification: Unclassified
Component: druntime
Version: D2
Hardware: x86_64 Mac OS X
Importance: P2 major
Assignee: No Owner
Keywords: pull
Reported: 2013-08-17 11:40 UTC by Peter Alexander
Modified: 2013-10-30 17:40 UTC

Description Peter Alexander 2013-08-17 11:40:46 UTC
Running with the attached file as stdin (/usr/share/dict/words on OSX 10.8.4) results in a seg fault.

import std.algorithm, std.range, std.array, std.stdio, std.string;
void main()
{
    auto ws = stdin.byLine.map!(a => a.dup.toLower).array;
    ws.zip(ws.map!(a => a.dup.sort)).
       array.
       sort!((a, b) => a[1] > b[1]).
       group!((a, b) => a[1] == b[1]).
       array;
}

% dmd words.d
% gdb words
...
(gdb) run words < dict
...
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000004
0x0000000100025e5d in D2gc3gcx3Gcx8isMarkedMFPvZE2gc3gcx8IsMarked ()
...
(gdb) bt
#0  0x0000000100025e5d in D2gc3gcx3Gcx8isMarkedMFPvZE2gc3gcx8IsMarked ()
#1  0x000000010001ea5e in thread_processGCMarks ()
#2  0x0000000100025803 in D2gc3gcx3Gcx11fullcollectMFZm ()
#3  0x0000000100024b2e in D2gc3gcx3Gcx8bigAllocMFmPPS2gc3gcx4PoolPmZPv ()
#4  0x00000001000223ac in D2gc3gcx2GC12mallocNoSyncMFmkPmZPv ()
#5  0x00000001000221da in D2gc3gcx2GC6mallocMFmkPmZPv ()
#6  0x0000000100021822 in gc_qalloc ()
#7  0x000000010001c5a4 in D4core6memory2GC6qallocFNaNbmkZS4core6memory8BlkInfo_ ()
#8  0x000000010001245f in D3std5array88__T8AppenderTAS3std8typecons51__T5TupleTS3std8typecons16__T5TupleTAaTAaZ5TupleTkZ5TupleZ8Appender13ensureAddableMFmZv ()
#9  0x000000010001275c in D3std5array88__T8AppenderTAS3std8typecons51__T5TupleTS3std8typecons16__T5TupleTAaTAaZ5TupleTkZ5TupleZ8Appender82__T3putTS3std8typecons51__T5TupleTS3std8typecons16__T5TupleTAaTAaZ5TupleTkZ5TupleZ3putMFS3std8typecons51__T5TupleTS3std8typecons16__T5TupleTAaTAaZ5TupleTkZ5TupleZv ()
#10 0x0000000100011fac in D3std5array149__T5arrayTSmain124__T5GroupS16main10__lambda10TSmain74__T11SortedRangeTAS3std8typecons16__T5TupleTAaTAaZ5TupleS14main9__lambda7Z11SortedRangeZ5GroupZ5arrayFSmain124__T5GroupS16main10__lambda10TSmain74__T11SortedRangeTAS3std8typecons16__T5TupleTAaTAaZ5TupleS14main9__lambda7Z11SortedRangeZ5GroupZAS3std8typecons51__T5TupleTS3std8typecons16__T5TupleTAaTAaZ5TupleTkZ5Tuple ()
#11 0x0000000100001547 in _Dmain ()
#12 0x0000000100028cf9 in D2rt6dmain211_d_run_mainUiPPaPUAAaZiZi7runMainMFZv ()
#13 0x0000000100028845 in D2rt6dmain211_d_run_mainUiPPaPUAAaZiZi7tryExecMFMDFZvZv ()
#14 0x0000000100028d45 in D2rt6dmain211_d_run_mainUiPPaPUAAaZiZi6runAllMFZv ()
#15 0x0000000100028845 in D2rt6dmain211_d_run_mainUiPPaPUAAaZiZi7tryExecMFMDFZvZv ()
#16 0x00000001000287f9 in _d_run_main ()
#17 0x0000000100028628 in main ()

I'm running OSX 10.8.4 with DMD 2.063.

I've had no success so far trying to produce a smaller test case.
Comment 1 Peter Alexander 2013-08-17 11:46:54 UTC
Attaching failed as it's too big (2MB). You can find the file at http://poita.org/misc/dict
Comment 2 Maxim Fomin 2013-08-18 03:29:07 UTC
May be related - http://d.puremagic.com/issues/show_bug.cgi?id=10701
It isn't mentioned explicitly that the segfault there also occurs in gc.gc.Gcx.isMarked(). By the way, this case can't be reproduced on Linux.
Comment 4 safety0ff.bugz 2013-10-30 17:40:29 UTC
Fixed / Duplicate of #10701.
See commit: https://github.com/D-Programming-Language/druntime/commit/545b44b934585b0f9ac552da84da73fed385735e