Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segfault in ponyint_heap_alloc_small #1616

Closed
Theodus opened this issue Feb 25, 2017 · 5 comments
Closed

Segfault in ponyint_heap_alloc_small #1616

Theodus opened this issue Feb 25, 2017 · 5 comments
Labels
triggers release Major issue that when fixed, results in an "emergency" release

Comments

@Theodus
Copy link
Contributor

Theodus commented Feb 25, 2017

ponyc version:

0.10.0-b0affdb [debug]
compiled with: llvm 3.9.1 -- clang version 3.9.1-svn288847-1~exp1 (branches/release_39)

lldb output:

(lldb) target create "promises"
Current executable set to 'promises' (x86_64).
(lldb) run
Process 6676 launched: '/home/theodus/dev/playground/promises/promises' (x86_64)
Process 6676 stopped
* thread #2: tid = 6681, 0x000000000040a066 promises`ponyint_heap_alloc_small(actor=0x00007fffe3ddaf20, heap=0x00007fffe3ddaf60, sizeclass=0) + 118 at heap.c:226, name = 'promises', stop reason = signal SIGSEGV: address access protected (fault address: 0x41ca48)
    frame #0: 0x000000000040a066 promises`ponyint_heap_alloc_small(actor=0x00007fffe3ddaf20, heap=0x00007fffe3ddaf60, sizeclass=0) + 118 at heap.c:226
   223 	    slots &= ~(1 << bit);
   224 	
   225 	    m = chunk->m + (bit << HEAP_MINBITS);
-> 226 	    chunk->slots = slots;
   227 	
   228 	    if(slots == 0)
   229 	    {
(lldb) bt
* thread #2: tid = 6681, 0x000000000040a066 promises`ponyint_heap_alloc_small(actor=0x00007fffe3ddaf20, heap=0x00007fffe3ddaf60, sizeclass=0) + 118 at heap.c:226, name = 'promises', stop reason = signal SIGSEGV: address access protected (fault address: 0x41ca48)
  * frame #0: 0x000000000040a066 promises`ponyint_heap_alloc_small(actor=0x00007fffe3ddaf20, heap=0x00007fffe3ddaf60, sizeclass=0) + 118 at heap.c:226
    frame #1: 0x0000000000408c93 promises`pony_alloc_small(ctx=0x00007fffe5cba700, sizeclass=0) + 51 at actor.c:390
    frame #2: 0x0000000000406713 promises`___lldb_unnamed_symbol19$$promises + 771
@Theodus Theodus added bug: 1 - needs investigation triggers release Major issue that when fixed, results in an "emergency" release labels Feb 25, 2017
@dipinhora
Copy link
Contributor

@Theodus I'm unable to reproduce using the changes from b0affdb applied on top of its parent bfeb0be or current master.

Can you rebase onto current master or, better yet, on top of PR #1615 (since it fixes a buffer overlow issue) and confirm you still get the error?

@Theodus
Copy link
Contributor Author

Theodus commented Feb 25, 2017

I'm working on a minimal example that causes this issue.

@Theodus
Copy link
Contributor Author

Theodus commented Feb 25, 2017

I am now using ponyc 0.10.0-b1648b8 [debug] with similar results.
Here is the simplest example I could manage:

actor Main
  new create(env: Env) =>
    foo(Array[I64])

  fun foo(xs: Array[I64]): Array[I64] =>
    foo(xs).>append(xs)

Output from running with LLDB:

Process 15940 exited with status = 9 (0x00000009) 
(lldb) Process 15954 launched: '/home/theodus/dev/wat/slices/slices' (x86_64)
Process 15954 stopped
* thread #2: tid = 15959, 0x0000000000405154 slices`ponyint_messageq_pop(q=0x00007ffff6e99180) + 20 at messageq.c:83, name = 'slices', stop reason = signal SIGSEGV: invalid address (fault address: 0x8)
    frame #0: 0x0000000000405154 slices`ponyint_messageq_pop(q=0x00007ffff6e99180) + 20 at messageq.c:83
   80  	pony_msg_t* ponyint_messageq_pop(messageq_t* q)
   81  	{
   82  	  pony_msg_t* tail = q->tail;
-> 83  	  pony_msg_t* next = atomic_load_explicit(&tail->next, memory_order_acquire);
   84  	#ifdef USE_VALGRIND
   85  	  ANNOTATE_HAPPENS_AFTER(&tail->next);
   86  	#endif

LLDB backtrace ends up showing an infinite loop with output like this:

    frame #252710: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252711: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252712: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252713: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252714: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252715: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252716: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252717: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252718: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252719: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252720: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252721: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9
    frame #252722: 0x0000000000403479 slices`___lldb_unnamed_symbol6$$slices + 9

@dipinhora
Copy link
Contributor

@Theodus I'm not surprised that that example code is causing what is effectively an infinite loop.

From my reading of the code, every time foo is called, it calls itself to get the result and then append xs to it. But there's no base case so it will never stop recursing.

@Theodus
Copy link
Contributor Author

Theodus commented Feb 25, 2017

@dipinhora I agree. After reducing it down it no longer seems like what I thought it might be.

@Theodus Theodus closed this as completed Feb 25, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triggers release Major issue that when fixed, results in an "emergency" release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Theodus @dipinhora