Segmentation fault on cherry-pick

[liayn]

Setup

• Which version of Git for Windows are you using? Is it 32-bit or 64-bit?

$ git --version --build-options
git version 2.10.2.windows.1
sizeof-long: 4
machine: x86_64

• Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?

$ cmd.exe /c ver
Microsoft Windows [Version 10.0.14393]

• What options did you set as part of the installation? Or did you choose the
  defaults?

# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt
Path Option: Cmd
Plink Path: C:\Program Files\TortoiseGit\bin\TortoiseGitPlink.exe
SSH Option: Plink
CRLF Option: CRLFCommitAsIs
Bash Terminal Option: MinTTY
Performance Tweaks FSCache: Enabled
Enable Symlinks: Disabled

• Additional info

The repository is the TYPO3 CMS repository git://git.typo3.org/Packages/TYPO3.CMS.git
I run multiple worktrees for master/7-6/6-2/.

Details

• Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

Bash

• What commands did you run to trigger this issue? If you can provide a
  Minimal, Complete, and Verifiable example
  this will help us understand the issue.

# I'm on master branch in sync with origin/master
git fetch https://review.typo3.org/Packages/TYPO3.CMS refs/changes/60/50460/4
git cherry-pick FETCH_HEAD

• What did you expect to occur after running these commands?

The commit fetched from Gerrit should be applied on top.

• What actually happened instead?

Segmentation fault

• If the problem was occurring with a specific repository, can you provide the
  URL to that repository to help us with testing?

A colleague tried the same command and it works.
I tried creating another "master" branch, but cherry-picking segfaults as well.
Cherry-picking onto another branch (different worktree) works as expected.
I run git gc git fsck ... git prune... and so on, nothing helped.

I did a complete new clone of the repo and applying the patch did work, but I actually do not want to redo my whole setup on a new checkout and I want to help finding the reason for a segfault.

Any help really appreciated. I could also provide my whole local repository for testing purposes, nothing confidential involved.

[liayn]

I now rebased the change on Gerrit directly (now set 5) and all of a sudden the patch could be applied again.

I'll still keep this report open, since no matter what happened here, a segmentation fault must never happen.

[dscho]

I seriously hope you kept a .zip of the directory tree. Because if you did not, we have exactly no chance to reproduce this issue, like, ever.

[liayn]

No, I did not, but running the above cherry-pick does still segfault. ;-)
I prepared the zip now :-D

Shall I upload the file here, or should I send it somewhere? > 200MB

[dscho]

@liayn thanks for keeping the .zip around. Would you have a chance to share it with me via, say, https://instant.io/?

[liayn]

@dscho I'm on the road a bit, so "streaming" the file to you is a bit hard. I uploaded it to our webserver now. Can I send you the link in a PM somehow?

[dscho]

Can I send you the link in a PM somehow?

@liayn sure. I'm on https://gitter.im/git-for-windows/git, for example. Also, all of my commits are signed off using my email address.

[dscho]

For the record, I received the rather large .zip and tried to reproduce the issue, but failed (the cherry-pick worked without segfaulting in my hands).

[liayn]

For the record: I did manage to respond to your mails earlier. Did so now. Let's see if we can still manage to see what's been happening. Thanks so far!

[dscho]

@liayn would it be possible to install the Git for Windows SDK and try to run the cherry-pick through gdb?

[liayn]

Sure, will give it a shot tomorrow.

[liayn]

Okay, I followed https://github.com/git-for-windows/git/wiki/Debugging-Git and kicked the optimization. I skipped step 3, since this seems to be governed by a CFLAGS check already.
Running make then fails for me though:

Markus@klein-lap MSYS /usr/src/git (master)
$ make
GIT_VERSION = 2.11.0.rc3.windows.1.dirty
    * new build flags
    CC credential-store.o
/bin/sh: cc: command not found
make: *** [Makefile:1995: credential-store.o] Error 127

@dscho Any suggestion for me?

[liayn]

Okay... one should update the wiki and should mention that I should not use the msys2_shell.cmd but simply open git-bash.exe :-(
ref https://github.com/git-for-windows/git/wiki/Technical-overview#installing-the-sdk

build is running now

[liayn]

here we go:

(gdb) r
Starting program: S:\git-sdk-64\mingw64\bin\git.exe "--exec-path=S:/git-sdk-64/usr/src/git" cherry-pick FETCH_HEAD
[New Thread 11508.0x3cb4]
[New Thread 11508.0x2a54]
[New Thread 11508.0x1a64]
[New Thread 11508.0x2d50]
[New Thread 11508.0x1980]
[New Thread 11508.0x1534]
[New Thread 11508.0x1274]
[New Thread 11508.0x22c4]
[New Thread 11508.0x1b80]
[New Thread 11508.0x468]
[New Thread 11508.0x3b4c]
[New Thread 11508.0x32f4]
[New Thread 11508.0x2478]
[New Thread 11508.0xf80]
[New Thread 11508.0x2058]
[New Thread 11508.0x3fac]
[New Thread 11508.0x940]
[New Thread 11508.0x3cd0]
[New Thread 11508.0x2e68]
[New Thread 11508.0xa8c]
[Thread 11508.0x22c4 exited with code 0]
[Thread 11508.0x1b80 exited with code 0]
[Thread 11508.0x1274 exited with code 0]
[Thread 11508.0x3b4c exited with code 0]
[Thread 11508.0x2e68 exited with code 0]
[Thread 11508.0xa8c exited with code 0]
[Thread 11508.0x1980 exited with code 0]
[Thread 11508.0x32f4 exited with code 0]
[Thread 11508.0x940 exited with code 0]
[Thread 11508.0x1534 exited with code 0]
[Thread 11508.0xf80 exited with code 0]
[Thread 11508.0x2478 exited with code 0]
[Thread 11508.0x468 exited with code 0]
[Thread 11508.0x2058 exited with code 0]
[Thread 11508.0x3cd0 exited with code 0]
[Thread 11508.0x3fac exited with code 0]

Thread 1 received signal SIGSEGV, Segmentation fault.
0x0000000000b51f18 in ?? ()
(gdb) back
#0  0x0000000000b51f18 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)

guess you need some more info, right?

[dscho]

one should update the wiki

I did that now. For future record: please just edit the wiki next time you see something wrong there. It's a wiki for that very reason: so that you (and everybody else) do not need to wait for me to do everything.

guess you need some more info, right?

Yes.

You may see different threads using the info threads command, then switch to another thread via, say, thread 1 and bt would then list the stack trace of that current thread.

If that does not help shed light into the issue, it would be best to single-step, or a variation thereof. This is how I would go about it:

1. set a breakpoint on cherry-pick's main function: b cmd_cherry_pick
2. start the debugging session: r
3. once execution stops in the main function, I would try to determine a reasonable next breakpoint by looking at the source: l (subsequent l commands will list more, l <lineno> will list from a given line number
4. then I would set another breakpoint and continue: b <lineno> and then c
5. If the crash occurs in between those breakpoints, I would try to figure out a break point between the last two, i.e. go back to step 3 above (with the difference that the debugging session has to be restarted with r instead of continued with c).
6. If there is actually no line between the two latest breakpoints, i.e. if the crash occurs in a function that was called from the line on which rests the second-latest breakpoint, I would restart with r and then step into that function using s. Then repeat as above.
7. If the crash does not occur between those two breakpoints, I would then disable the first breakpoint (so that subsequent restarts of the debugging session will not stop unnecessarily): dis <number> (where <number> is the breakpoint's number that was printed when you set it via b <function-or-line>.

This will need a little bit of tenacity, but should get you consistently to the culprit.

[liayn]

wiki

Sorry, wasn't aware that this wiki is open for everyone. I'm more used to those "closed" wikis, where only members can edit.

debugging

Okay, will do a binary search. Lets see.

Thanks for the detailed info. I'm so much used to GUI based debuggers nowadays. ;-)

[liayn]

Thread 1 received signal SIGSEGV, Segmentation fault.
0x0000000000b51f18 in ?? ()
(gdb) info threads
  Id   Target Id         Frame
* 1    Thread 3500.0x24c4 0x0000000000b51f18 in ?? ()
  2    Thread 3500.0x2054 0x00007ffe82508634 in ntdll!ZwWaitForWorkViaWorkerFactory () from C:\WINDOWS\SYSTEM32\ntdll.dll
  3    Thread 3500.0x488 0x00007ffe82508634 in ntdll!ZwWaitForWorkViaWorkerFactory () from C:\WINDOWS\SYSTEM32\ntdll.dll
  4    Thread 3500.0x3a0c 0x00007ffe82508634 in ntdll!ZwWaitForWorkViaWorkerFactory () from C:\WINDOWS\SYSTEM32\ntdll.dll
(gdb) thread 2
[Switching to thread 2 (Thread 3500.0x2054)]
#0  0x00007ffe82508634 in ntdll!ZwWaitForWorkViaWorkerFactory ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
(gdb) bt
#0  0x00007ffe82508634 in ntdll!ZwWaitForWorkViaWorkerFactory ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
#1  0x00007ffe82492f6e in ntdll!RtlReleaseSRWLockExclusive ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
#2  0x00007ffe7fd38364 in KERNEL32!BaseThreadInitThunk ()
   from C:\WINDOWS\System32\kernel32.dll
#3  0x00007ffe824c5e91 in ntdll!RtlUserThreadStart ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
#4  0x0000000000000000 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) thread 3
[Switching to thread 3 (Thread 3500.0x488)]
#0  0x00007ffe82508634 in ntdll!ZwWaitForWorkViaWorkerFactory ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
(gdb) bt
#0  0x00007ffe82508634 in ntdll!ZwWaitForWorkViaWorkerFactory ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
#1  0x00007ffe82492f6e in ntdll!RtlReleaseSRWLockExclusive ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
#2  0x00007ffe7fd38364 in KERNEL32!BaseThreadInitThunk ()
   from C:\WINDOWS\System32\kernel32.dll
#3  0x00007ffe824c5e91 in ntdll!RtlUserThreadStart ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
#4  0x0000000000000000 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) thread 4
[Switching to thread 4 (Thread 3500.0x3a0c)]
#0  0x00007ffe82508634 in ntdll!ZwWaitForWorkViaWorkerFactory ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
(gdb) bt
#0  0x00007ffe82508634 in ntdll!ZwWaitForWorkViaWorkerFactory ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
#1  0x00007ffe82492f6e in ntdll!RtlReleaseSRWLockExclusive ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
#2  0x00007ffe7fd38364 in KERNEL32!BaseThreadInitThunk ()
   from C:\WINDOWS\System32\kernel32.dll
#3  0x00007ffe824c5e91 in ntdll!RtlUserThreadStart ()
   from C:\WINDOWS\SYSTEM32\ntdll.dll
#4  0x0000000000000000 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)

Looks like threads 2 to 4 are in waiting state for work.

[liayn]

Bad news...

Reading symbols from git.exe...done.
(gdb) b  cmd_cherry_pick
Breakpoint 1 at 0x470ba0: file builtin/revert.c, line 197.
(gdb) r
Starting program: S:\git-sdk-64\mingw64\bin\git.exe "--exec-path=S:/git-sdk-64/usr/src/git" cherry-pick FETCH_HEAD
[New Thread 12224.0x38c]
[New Thread 12224.0x3a40]
[New Thread 12224.0x764]
[New Thread 12224.0x2cc4]
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x470ba0

Command aborted.
(gdb)

(I ran the SDK as admin)

Not sure how to proceed here.

[dscho]

Cannot insert breakpoint 1.
Cannot access memory at address 0x470ba0

That means that the file was compiled with ASLR.

S:\git-sdk-64\mingw64\bin\git.exe

This is not the git.exe you want to test (and it explains why it was compiled with ASLR). The git.exe you want to test is S:\git-sdk-64\usr\src\git\git.exe.

[liayn]

Oh dear... stupidity will never be exterminated.

Here we go:

Thread 1 received signal SIGSEGV, Segmentation fault.
0x0000000000543f1e in add_index_entry_with_check (
    istate=0x6cf120 <the_index>, ce=0x0, option=0) at read-cache.c:1014
1014            pos = index_name_stage_pos(istate, ce->name, ce_namelen(ce), ce_stage(ce));
(gdb)

I guess ce should not be zero.

[liayn]

The trace:

(gdb) bt
#0  0x0000000000543f1e in add_index_entry_with_check (
    istate=0x6cf120 <the_index>, ce=0x0, option=0) at read-cache.c:1014
#1  0x0000000000544112 in add_index_entry (istate=0x6cf120 <the_index>,
    ce=0x0, option=0) at read-cache.c:1063
#2  0x0000000000519bf3 in add_cacheinfo (o=0x108f210, mode=33188,
    oid=0x108eea0,
    path=0x43b2300 "typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js", stage=0, refresh=1, options=0) at merge-recursive.c:239
#3  0x000000000051e10b in merge_content (o=0x108f210,
    path=0x43b2300 "typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js", o_oid=0x43b23ac, o_mode=33188, a_oid=0x43b23c4, a_mode=33188,
    b_oid=0x43b23dc, b_mode=33188, rename_conflict_info=0x44a65e0)
    at merge-recursive.c:1727
#4  0x000000000051e503 in process_entry (o=0x108f210,
    path=0x43b2300 "typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js", entry=0x43b2390) at merge-recursive.c:1797
#5  0x000000000051ec8f in merge_trees (o=0x108f210, head=0x31f47b0,
    merge=0x31f4788, common=0x31f47d8, result=0x108f1e8)
    at merge-recursive.c:1948
#6  0x0000000000573cde in do_recursive_merge (base=0x31e67b0, next=0x31e6778,
    base_label=0x4567c20 "parent of a851758d29... [WIP][FEATURE] Option to define sorting of suggest wizard results",
    next_label=0x45683f0 "a851758d29... [WIP][FEATURE] Option to define sorting of suggest wizard results", head=0x108f420 "▒h▒\n▒▒V▒T▒\026\231▒\210▒,▒▒",
    msgbuf=0x108f3e0, opts=0x108fb90) at sequencer.c:488
#7  0x0000000000575772 in do_pick_commit (command=TODO_PICK,
    commit=0x31e6778, opts=0x108fb90, final_fixup=0) at sequencer.c:1115
#8  0x000000000057925b in single_pick (cmit=0x31e6778, opts=0x108fb90)
    at sequencer.c:2236
#9  0x00000000005794d9 in sequencer_pick_revisions (opts=0x108fb90)
    at sequencer.c:2285
#10 0x000000000048970f in run_sequencer (argc=1, argv=0x24690, opts=0x108fb90)
    at builtin/revert.c:178
#11 0x0000000000489871 in cmd_cherry_pick (argc=2, argv=0x24690, prefix=0x0)
    at builtin/revert.c:203
...

[liayn]

Thread 1 hit Breakpoint 4, refresh_cache_ent (istate=0x6cf120 <the_index>,
    ce=0x4b0a168, options=24, err=0x0, changed_ret=0x0) at read-cache.c:1169
1169                    return NULL;
(gdb) bt
#0  refresh_cache_ent (istate=0x6cf120 <the_index>, ce=0x4b0a168, options=24,
    err=0x0, changed_ret=0x0) at read-cache.c:1169
#1  0x0000000000544a71 in refresh_cache_entry (ce=0x4b0a168, options=24)
    at read-cache.c:1296
#2  0x0000000000519bcc in add_cacheinfo (o=0x108f210, mode=33188,
    oid=0x108eea0,
    path=0x43d4880 "typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js", stage=0, refresh=1, options=0) at merge-recursive.c:237
#3  0x000000000051e10b in merge_content (o=0x108f210,
    path=0x43d4880 "typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js", o_oid=0x43d492c, o_mode=33188, a_oid=0x43d4944, a_mode=33188,
    b_oid=0x43d495c, b_mode=33188, rename_conflict_info=0x44bb850)
    at merge-recursive.c:1727

read-cache.c:

1166            if (ie_modified(istate, ce, &st, options)) {
1167                    if (err)
1168                            *err = EINVAL;
1169                    return NULL;
1170            }

This is where the NULL comes from that causes the segfault later on.

(gdb) info locals
st = {st_dev = 0, st_ino = 0, st_mode = 33152, st_nlink = 1, st_uid = 0,
  st_gid = 0, st_rdev = 0, st_size = 10544, st_atim = {tv_sec = 1479807945,
    tv_nsec = 587155800}, st_mtim = {tv_sec = 1478094908,
    tv_nsec = 569068000}, st_ctim = {tv_sec = 1445270267,
    tv_nsec = 274579800}}
updated = 0x2240000021d
changed = 35
size = 0
refresh = 16
ignore_valid = 0
ignore_skip_worktree = 0
ignore_missing = 8

(gdb) info args
istate = 0x6cf120 <the_index>
ce = 0x4b0a168
options = 24
err = 0x0
changed_ret = 0x0

The changed value above is also read again from ie_match_stat() inside ie_modified(). The value 35 means MTIME_CHANGED | CTIME_CHANGED | DATA_CHANGED

[dscho]

Okay, that's better, and it points to a terrible thing, too: ce is NULL.

The add_cacheinfo() function reads like this:

static int add_cacheinfo(struct merge_options *o,
                unsigned int mode, const struct object_id *oid,
                const char *path, int stage, int refresh, int options)
{
        struct cache_entry *ce;
        int ret;

        ce = make_cache_entry(mode, oid ? oid->hash : null_sha1, path, stage, 0);
        if (!ce)
                return err(o, _("addinfo_cache failed for path '%s'"), path);

        ret = add_cache_entry(ce, options);
        if (refresh) { 
                struct cache_entry *nce;

                nce = refresh_cache_entry(ce, CE_MATCH_REFRESH | CE_MATCH_IGNORE_MISSING);
                if (nce != ce)
                        ret = add_cache_entry(nce, options);
        }
        return ret;
}

Line 239 is that last add_cache_entry() call (which is a macro that redirects to add_index_entry()), of course, as the one before that is guarded behind an if (ce), so the ce parameter could not possibly be NULL.

So it seems that something makes the return value of refresh_cache_entry() be NULL, and the code does not expect that. Let's have a look at that function (actually refresh_cache_ent(), as refresh_cache_entry() is a one-liner calling that function). It does return NULL in a couple of places, so that add_cacheinfo() call is incorrectly expecting either that nce cannot be NULL or that add_cache_entry() can handle a NULL entry to remove entries.

The fact that add_cache_entry() would not know which entry to remove if it was passed a ce parameter that is NULL leaves only the former option: that add_cacheinfo() expected that nce cannot be NULL. Let's look closer at those three places where refresh_cache_ent() can return NULL.

The first one triggers when an early part of the file turned into a symbolic link (in which case the entry is no longer valid, as we would track the symbolic link, not the target). The second one triggers when the file does not even exist. And the third one triggers when the entry was modified (or at least, is marked as modified, which may be the case in your setup if the line ending settings somehow contradict each other).

It would be really interesting to find out what happened there. Could you find out what happened with typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js in your worktree? Is it modified? Was it removed by accident? Is it outside a sparse checkout? Or did you introduce a symbolic link somewhere in that path (e.g. typo3/sysext/backend/Resources pointing somewhere else)?

In any case, I think what should happen here is that the cherry-pick should complain about an index entry that is not up-to-date, something like this:

diff --git a/merge-recursive.c b/merge-recursive.c
index 9041c2f149..609061f58a 100644
--- a/merge-recursive.c
+++ b/merge-recursive.c
@@ -235,6 +235,8 @@ static int add_cacheinfo(struct merge_options *o,
 		struct cache_entry *nce;
 
 		nce = refresh_cache_entry(ce, CE_MATCH_REFRESH | CE_MATCH_IGNORE_MISSING);
+		if (!nce)
+			return err(o, _("addinfo: '%s' is not up-to-date"), path);
 		if (nce != ce)
 			ret = add_cache_entry(nce, options);
 	}

Could you test that?

[dscho]

The changed value above is also read again from ie_match_stat() inside ie_modified(). The value 35 means MTIME_CHANGED | CTIME_CHANGED | DATA_CHANGED

Ah, it looks more and more as if this is a line ending problem. git ls-files --eol typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js should shine a light into that issue.

[liayn]

As written above it is clearly a bug that nce is not checked for being NULL.

$ git ls-files --eol typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js
i/lf    w/crlf  attr/                   typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js

In general I always install git for windows with the setting checkout-as-is. I simply hate this weird auto-conversion of line endings. Put stuff on my disk as is and the editor will cope with the rest.

git status says the repository is clean.

[liayn]

Adding the NULL-check to the source now results into:

Markus@klein-lap MINGW64 /s/segf (master)
$  /s/git-sdk-64/usr/src/git/git cherry-pick FETCH_HEAD
error: addinfo: 'typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js' is not up-to-date
On branch master
Your branch is ahead of 'origin/master' by 1 commit.
  (use "git push" to publish your local commits)
You are currently cherry-picking commit a851758d29.

Changes not staged for commit:
        modified:   typo3/sysext/backend/Resources/Public/JavaScript/ModuleMenu.js

no changes added to commit
The previous cherry-pick is now empty, possibly due to conflict resolution.
If you wish to commit it anyway, use:

    git commit --allow-empty

Otherwise, please use 'git reset'

Markus@klein-lap MINGW64 /s/segf (master|CHERRY-PICKING)
$

We are on a very good track. ;-)

[dscho]

So the worktree file says CR/LF, the index says LF. I guess that is why refresh_cache_ent() thinks it is modified... ;-)

[dscho]

We are on a very good track. ;-)

Just to make sure, git diff shows an empty diff?

[dscho]

It does not matter, apparently. I modified that .js file manually here and that triggered the segmentation fault.

For the record, this is not a minimal example. I think I boiled it down to this recipe:

git init
echo first >first && git add first && git commit -m first
git checkout -b branch
echo unrelated >unrelated & git add unrelated && git commit -m unrelated
git checkout @{-1}
git mv first renamed && git commit -m renamed
echo modified >renamed
git cherry-pick branch

Let's try to turn that into a patch to the test suite.

[liayn]

For the record: git diff is empty.

[dscho]

@liayn yeah, line endings. You asked for the line endings to be identical to the ones in the repository, but somehow got CR/LFs into your working file. The bug is reproducible with a regular modified file, though.

[liayn]

Maybe to be ultra-precise: git diff is empty on the repository. But if I run the cherry-pick with the patched git as above and I end up in the cherry-picking state, the diff clearly shows the line endings mismatch.

Don't know if it is good or bad that you can reproduce this with regular files.

[dscho]

It's good.

😁