
#938 segfault when referencing variable of unknown type

Status: open
Owner: nobody
Labels: emitter (227)
Priority: 5
Updated: 2014-01-23
Created: 2005-09-16
Private: No

Steps to reproduce:
1. Compile testcases with "jikes class1.java class2.java"

Expected results:
1. Jikes should print an error about "unknowntype1" but not crash.

Actual results:
1. Jikes prints an error about "unknowntype1" but also segfaults. Here's the full output:
[lindi@protu Gui]$ CLASSPATH=/home/lindi/cp/2005-07-31T115359+0000/share/classpath/glibj.zip:$CLASSPATH ~/opt/jikes-cvs20050729-debug/bin/jikes -d ../bin class1.java class2.java

Found 1 semantic error compiling "class1.java":

1. public class class1 { static unknowntype1 field1; }
^----------^
*** Semantic Error: Type "unknowntype1" was not found.
Segmentation fault (core dumped)

Testcases (2 files):
[lindi@protu Gui]$ cat class1.java
public class class1 { static unknowntype1 field1; }
[lindi@protu Gui]$ cat class2.java
public class class2 {
    public void method1() {
        class1.field1.a();
    }
}

Backtrace:
[lindi@protu Gui]$ gdb ~/opt/jikes-cvs20050729-debug/bin/jikes -c core.3331
GNU gdb Red Hat Linux (6.1post-1.20040607.43rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

Core was generated by `/home/lindi/opt/jikes-cvs20050729-debug/bin/jikes -d ../bin class1.java class2.'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/tls/libm.so.6...done.
Loaded symbols for /lib/tls/libm.so.6
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x08086f9a in ByteCode::RegisterMethodref (this=0x9c5fac0, type=0x9ad99f0, method=0x9ad99f0) at bytecode.h:589
589 method -> ExternalIdentity() -> Utf8_literal;
(gdb) bt
#0 0x08086f9a in ByteCode::RegisterMethodref (this=0x9c5fac0, type=0x9ad99f0, method=0x9ad99f0) at bytecode.h:589
#1 0x0807bbf5 in ByteCode::CompleteCall (this=0x9c5fac0, msym=0x9ad99f0, stack_words=0, need_value=false, base_type=0x9ad99f0)
at bytecode.cpp:5139
#2 0x0807bba0 in ByteCode::EmitMethodInvocation (this=0x9c5fac0, expression=0x9c54674, need_value=false) at bytecode.cpp:5130
#3 0x08071977 in ByteCode::EmitStatementExpression (this=0x9c5fac0, expression=0x9c54674) at bytecode.cpp:1273
#4 0x080703fe in ByteCode::EmitStatement (this=0x9c5fac0, statement=0x9c61480) at bytecode.cpp:860
#5 0x08071793 in ByteCode::EmitBlockStatement (this=0x9c5fac0, block=0x9c61498) at bytecode.cpp:1230
#6 0x0806de8e in ByteCode::GenerateCode (this=0x9c5fac0) at bytecode.cpp:106
#7 0x080a9b72 in Control::ProcessBodies (this=0x9aba5e8, type=0x9c50d78) at control.cpp:1397
#8 0x080a9327 in Control::ProcessFile (this=0x9aba5e8, file_symbol=0x9c47e38) at control.cpp:1185
#9 0x080a62e0 in Control (this=0x9aba5e8, arguments=0x9aba5b8, option_=@0x9aba270) at control.cpp:352
#10 0x08100df4 in JikesAPI::compile (this=0x9aba218, filenames=0x9aba5b8) at jikesapi.cpp:211
#11 0x08100359 in main (argc=5, argv=0xbff22324) at jikes.cpp:116
(gdb)

Valgrind output:
==3567== Invalid read of size 4
==3567== at 0x8086F9A: ByteCode::RegisterMethodref(TypeSymbol const*, MethodSymbol const*) (bytecode.h:589)
==3567== by 0x807BBF4: ByteCode::CompleteCall(MethodSymbol*, int, bool, TypeSymbol*) (bytecode.cpp:5139)
==3567== by 0x807BB9F: ByteCode::EmitMethodInvocation(AstMethodInvocation*, bool) (bytecode.cpp:5130)
==3567== by 0x8071976: ByteCode::EmitStatementExpression(AstExpression*) (bytecode.cpp:1273)
==3567== by 0x80703FD: ByteCode::EmitStatement(AstStatement*) (bytecode.cpp:860)
==3567== by 0x8071792: ByteCode::EmitBlockStatement(AstBlock*) (bytecode.cpp:1230)
==3567== by 0x806DE8D: ByteCode::GenerateCode() (bytecode.cpp:106)
==3567== by 0x80A9B71: Control::ProcessBodies(TypeSymbol*) (control.cpp:1397)
==3567== by 0x80A9326: Control::ProcessFile(FileSymbol*) (control.cpp:1185)
==3567== by 0x80A62DF: Control::Control(char**, Option&) (control.cpp:352)
==3567== by 0x8100DF3: JikesAPI::compile(char**) (jikesapi.cpp:211)
==3567== by 0x8100358: main (jikes.cpp:116)
==3567== Address 0xF is not stack'd, malloc'd or (recently) free'd
==3567==
==3567== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3567== Access not within mapped region at address 0xF
==3567== at 0x8086F9A: ByteCode::RegisterMethodref(TypeSymbol const*, MethodSymbol const*) (bytecode.h:589)
==3567== by 0x807BBF4: ByteCode::CompleteCall(MethodSymbol*, int, bool, TypeSymbol*) (bytecode.cpp:5139)
==3567== by 0x807BB9F: ByteCode::EmitMethodInvocation(AstMethodInvocation*, bool) (bytecode.cpp:5130)
==3567== by 0x8071976: ByteCode::EmitStatementExpression(AstExpression*) (bytecode.cpp:1273)
==3567== by 0x80703FD: ByteCode::EmitStatement(AstStatement*) (bytecode.cpp:860)
==3567== by 0x8071792: ByteCode::EmitBlockStatement(AstBlock*) (bytecode.cpp:1230)
==3567== by 0x806DE8D: ByteCode::GenerateCode() (bytecode.cpp:106)
==3567== by 0x80A9B71: Control::ProcessBodies(TypeSymbol*) (control.cpp:1397)
==3567== by 0x80A9326: Control::ProcessFile(FileSymbol*) (control.cpp:1185)
==3567== by 0x80A62DF: Control::Control(char**, Option&) (control.cpp:352)
==3567== by 0x8100DF3: JikesAPI::compile(char**) (jikesapi.cpp:211)
==3567== by 0x8100358: main (jikes.cpp:116)
==3567==
==3567== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 26 from 3)
==3567== malloc/free: in use at exit: 2005851 bytes in 25964 blocks.
==3567== malloc/free: 45384 allocs, 19420 frees, 3334705 bytes allocated.
==3567== For counts of detected errors, rerun with: -v
==3567== searching for pointers to 25964 not-freed blocks.
==3567== checked 2129644 bytes.
==3567==
==3567== LEAK SUMMARY:
==3567== definitely lost: 45184 bytes in 244 blocks.
==3567== possibly lost: 8508 bytes in 115 blocks.
==3567== still reachable: 1952159 bytes in 25605 blocks.
==3567== suppressed: 0 bytes in 0 blocks.
==3567== Use --leak-check=full to see details of leaked memory.
Segmentation fault (core dumped)

Adding a dummy field to the beginning of MethodSymbol just before external_name_symbol causes the -1 to be written to that dummy field. This suggests that somewhere in the code the reference is incorrectly cast to some other type.

Discussion

  • Timo Lindfors - 2005-09-16

    I added DYNAMIC_CAST<>'s around and noticed that adding

    --- src/bytecode.cpp.~1.185.~ 2004-05-21 00:01:33.000000000 +0300
    +++ src/bytecode.cpp 2005-09-17 00:53:26.000000000 +0300
    @@ -6844,7 +6845,8 @@
    }
    if (unit_type -> owner -> MethodCast())
    {
    - MethodSymbol* enclosing = (MethodSymbol*) unit_type -> owner;
    + MethodSymbol* enclosing = DYNAMIC_CAST<MethodSymbol*> (unit_type -> owner);
    + assert(enclosing != NULL);
    AddAttribute(CreateEnclosingMethodAttribute(enclosing));
    }
    //
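    Review bot: the added `assert(enclosing != NULL);` is redundant and this hunk does not address the reported crash. DYNAMIC_CAST already asserts when the cast fails (the platform.h:265 "Failed dynamic_cast<> in DYNAMIC_CAST" message in this comment is that assertion), and a plain assert is compiled out in non-debug builds, so both lines only turn a segfault into an abort in debug builds. The enclosing `if (unit_type -> owner -> MethodCast())` already guarantees that `owner` is a MethodSymbol at this site, which is why the assertion fires in EmitMethodInvocation (bytecode.cpp:5086 in the backtrace) rather than here; the hunk can be dropped or reduced to the DYNAMIC_CAST line alone.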

    seems to spot the problem before the segfault:

    DYNAMIC_CAST argument type was "P6Symbol"
    jikes: platform.h:265: TO DYNAMIC_CAST(FROM) [with TO = MethodSymbol*, FROM = Symbol*]: Assertion `ptr && "Failed dynamic_cast<> in DYNAMIC_CAST"' failed.

    Program received signal SIGABRT, Aborted.
    0x0012a7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
    (gdb) bt
    #0 0x0012a7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
    #1 0x0016b7d5 in raise () from /lib/tls/libc.so.6
    #2 0x0016d149 in abort () from /lib/tls/libc.so.6
    #3 0x00164db1 in __assert_fail () from /lib/tls/libc.so.6
    #4 0x0805aa61 in DYNAMIC_CAST<MethodSymbol*, Symbol*> (f=0x821bf90) at platform.h:265
    #5 0x0807bb58 in ByteCode::EmitMethodInvocation (this=0x8402ba0, expression=0x8412400, need_value=false) at bytecode.cpp:5086
    #6 0x08071aab in ByteCode::EmitStatementExpression (this=0x8402ba0, expression=0x8412400) at bytecode.cpp:1273
    #7 0x08070532 in ByteCode::EmitStatement (this=0x8402ba0, statement=0x841247c) at bytecode.cpp:860
    #8 0x080718c7 in ByteCode::EmitBlockStatement (this=0x8402ba0, block=0x84124cc) at bytecode.cpp:1230
    #9 0x0806dfa4 in ByteCode::GenerateCode (this=0x8402ba0) at bytecode.cpp:106
    #10 0x080aa266 in Control::ProcessBodies (this=0x81fc5e8, type=0x83ecab0) at control.cpp:1397
    #11 0x080a9a0f in Control::ProcessFile (this=0x81fc5e8, file_symbol=0x83e3978) at control.cpp:1185
    #12 0x080a6881 in Control (this=0x81fc5e8, arguments=0x81fc5b8, option_=@0x81fc270) at control.cpp:352
    #13 0x08101a5c in JikesAPI::compile (this=0x81fc218, filenames=0x81fc5b8) at jikesapi.cpp:211
    #14 0x08100fc1 in main (argc=5, argv=0xbff23024) at jikes.cpp:116

  • Timo Lindfors - 2005-09-16

    Seems I pasted the wrong diff. The one that affects this bug is

    --- src/bytecode.cpp.~1.185.~ 2004-05-21
    00:01:33.000000000 +0300
    +++ src/bytecode.cpp 2005-09-17 00:53:26.000000000 +0300
    @@ -5082,7 +5083,7 @@
    AstMethodInvocation* method_call = expression ->
    resolution_opt
    ? expression -> resolution_opt ->
    MethodInvocationCast() : expression;
    assert(method_call);
    - MethodSymbol* msym = (MethodSymbol*) method_call -> symbol;
    + MethodSymbol* msym = DYNAMIC_CAST<MethodSymbol*>
    (method_call -> symbol);
    AstExpression* base = method_call -> base_opt;
    bool is_super = false; // set if super call
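    Review bot: replacing the C-style cast of `method_call -> symbol` with DYNAMIC_CAST moves the failure earlier but leaves the cause in place: after "unknowntype1" could not be resolved, the receiver `class1.field1` has no usable type, so the invocation's symbol is not a MethodSymbol, and the checked cast only converts the garbage read in RegisterMethodref (bytecode.h:589, address 0xF in the valgrind log) into an assertion abort, and only in a build where the assertion is enabled. The site at bytecode.cpp:6844 in the previous comment guards its cast with `MethodCast()` first; the same guard belongs here (test `method_call -> symbol -> MethodCast()` and skip emission for a null result), or, better, GenerateCode should not be entered for a unit once a semantic error has been reported, since the backtrace shows Control::ProcessBodies running code generation after the "Type was not found" error was printed.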

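The guarded form that both patches above circle around, as an added example that is not Jikes' code: the symbol classes and the MethodCast() kind query are a minimal model assumed to mirror the project's shape, and the idea that an unresolved invocation leaves a non-method symbol behind is taken from the DYNAMIC_CAST failure quoted in the first comment.

```cpp
#include <string>

struct MethodSymbol;
// Minimal model of the Jikes symbol kinds involved (assumed shape, not the project's
// code). Jikes tags symbol kinds with XxxCast() queries returning nullptr for a mismatch.
struct Symbol {
    virtual ~Symbol() {}
    virtual MethodSymbol* MethodCast() { return nullptr; }
};
struct NameSymbol { std::string utf8; };
struct MethodSymbol : Symbol {
    NameSymbol* external_name_symbol;
    explicit MethodSymbol(NameSymbol* n) : external_name_symbol(n) {}
    MethodSymbol* MethodCast() override { return this; }
    NameSymbol* ExternalIdentity() { return external_name_symbol; }
};
// A field whose declared type was never found ("static unknowntype1 field1").
struct VariableSymbol : Symbol {};

// Hardened counterpart of the EmitMethodInvocation -> RegisterMethodref path. The
// original casts `method_call -> symbol` to MethodSymbol* unconditionally and then
// reads method -> ExternalIdentity() -> Utf8_literal: the wild read at 0xF in the
// valgrind log. Here the kind query guards the downcast, so an invocation whose
// symbol is not a method is refused instead of dereferenced.
// Returns true and sets `name` on success, false when emission is refused.
bool emit_method_invocation(Symbol* resolved, std::string& name) {
    MethodSymbol* msym = resolved ? resolved->MethodCast() : nullptr;
    if (!msym) return false;   // a semantic error was already reported for this call
    name = msym->ExternalIdentity()->utf8;
    return true;
}

// Constructed scenario mirroring the testcases: class2 calls class1.field1.a() and
// (assumption) the unresolved invocation is left pointing at the field's symbol.
bool unresolved_receiver_is_refused() {
    VariableSymbol field1;
    std::string name;
    return !emit_method_invocation(&field1, name) && name.empty();
}

// Control case: a properly resolved method emits its external name.
std::string resolved_method_name() {
    NameSymbol a{"a"}; MethodSymbol m(&a); std::string name;
    emit_method_invocation(&m, name);
    return name;
}
```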