Possible heap corruption #35547

Closed
mkustermann opened this Issue Jan 3, 2019 · 2 comments

mkustermann commented Jan 3, 2019

From this log:

FAILED: dartk-vm debug_x64 standalone_2/array_bounds_check_generalization_test
Expected: Pass
Actual: Crash

--- Command "vm" (took 06.000801s):
DART_CONFIGURATION=DebugX64 out/DebugX64/dart --no-background-compilation --hot-reload-test-mode --optimization_counter_threshold=10 --no-use-osr --complete-timeline --no-background_compilation --ignore-unrecognized-flags --packages=/b/s/w/ir/.packages /b/s/w/ir/tests/standalone_2/array_bounds_check_generalization_test.dart

exit code:
-6

stderr:
../../runtime/vm/object.h: 9104: error: expected: cid != kFreeListElement
thread=30642, isolate=array_bounds_check_generalization_test.dart:main()(0x55f2e811e900)
  [0x000055f2e5beffbc] dart::Profiler::DumpStackTrace(void*)
  [0x000055f2e5beffbc] dart::Profiler::DumpStackTrace(void*)
  [0x000055f2e5ea7462] dart::Assert::Fail(char const*, ...)
  [0x000055f2e59bf337] Unknown symbol
  [0x000055f2e5ab6fb9] dart::DeoptContext::~DeoptContext()
  [0x000055f2e5ab71ee] dart::DeoptContext::~DeoptContext()
  [0x000055f2e5c5e393] dart::DRT_DeoptimizeMaterialize(dart::NativeArguments)
  [0x00007f3f79e00fce] Unknown symbol
  [0x00007f3f79e01c4a] Unknown symbol
  [0x00007f3f79479b44] Unknown symbol
  [0x00007f3f7947936f] Unknown symbol
  [0x00007f3f7944dd3c] Unknown symbol
  [0x00007f3f79472318] Unknown symbol
  [0x00007f3f794661bf] Unknown symbol
  [0x00007f3f7944a07b] Unknown symbol
  [0x00007f3f79477532] Unknown symbol
  [0x00007f3f79e01494] Unknown symbol
  [0x000055f2e5a9d146] dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long)
  [0x000055f2e5aa0414] dart::DartLibraryCalls::HandleMessage(dart::Object const&, dart::Instance const&)
  [0x000055f2e5add2de] dart::IsolateMessageHandler::HandleMessage(dart::Message*)
  [0x000055f2e5b1cb48] dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool)
  [0x000055f2e5b1d8b6] dart::MessageHandler::TaskCallback()
  [0x000055f2e5cb060c] dart::ThreadPool::Worker::Loop()
  [0x000055f2e5cb00ea] dart::ThreadPool::Worker::Main(unsigned long)
  [0x000055f2e5be9c75] Unknown symbol
-- End of DumpStackTrace

--- Re-run this test:
python tools/test.py -n dartk-reload-linux-debug-x64 standalone_2/array_bounds_check_generalization_test

Cores should be available here

/cc @rmacnak-google @mraleph

mkustermann commented Jan 3, 2019

The stacks are:

(gdb) t a a bt

Thread 8 (Thread 0x7f3f79d7f700 (LWP 30641)):
#0  __lll_unlock_wake () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:371
#1  0x00007f3f7a754894 in _L_unlock_722 () from /lib/x86_64-linux-gnu/libpthread.so.0
#2  0x00007f3f7a7547e4 in __pthread_mutex_unlock_usercnt (decr=1, mutex=0x55f2e80f68a0) at pthread_mutex_unlock.c:57
#3  __GI___pthread_mutex_unlock (mutex=0x55f2e80f68a0) at pthread_mutex_unlock.c:310
#4  0x000055f2e5bea8cf in dart::Monitor::Exit (this=0x55f2e80f68a0) at ../../runtime/vm/os_thread_linux.cc:420
#5  0x000055f2e5e53862 in ~MonitorLocker (this=<optimized out>) at ../../runtime/vm/lockers.h:143
#6  dart::ThreadBarrier::Exit (this=0x7f3f79c7a820) at ../../runtime/vm/thread_barrier.h:93
#7  0x000055f2e5e5ea2e in dart::MarkTask::Run (this=0x55f2e8114960) at ../../runtime/vm/heap/marker.cc:695
#8  0x000055f2e5cb060c in dart::ThreadPool::Worker::Loop (this=0x55f2e8112140) at ../../runtime/vm/thread_pool.cc:381
#9  0x000055f2e5cb00ea in dart::ThreadPool::Worker::Main (args=94501763883328) at ../../runtime/vm/thread_pool.cc:436
#10 0x000055f2e5be9c75 in dart::ThreadStart (data_ptr=<optimized out>) at ../../runtime/vm/os_thread_linux.cc:131
#11 0x00007f3f7a751184 in start_thread (arg=0x7f3f79d7f700) at pthread_create.c:312
#12 0x00007f3f79f7003d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 7 (Thread 0x7f3f74afe700 (LWP 30644)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x000055f2e5beaa2d in dart::Monitor::WaitMicros (this=0x55f2e8112500, micros=5000000) at ../../runtime/vm/os_thread_linux.cc:445
#2  0x000055f2e5cb070e in WaitMicros (this=<optimized out>, micros=5000000) at ../../runtime/vm/lockers.h:177
#3  dart::ThreadPool::Worker::Loop (this=0x55f2e8112500) at ../../runtime/vm/thread_pool.cc:394
#4  0x000055f2e5cb00ea in dart::ThreadPool::Worker::Main (args=94501763884288) at ../../runtime/vm/thread_pool.cc:436
#5  0x000055f2e5be9c75 in dart::ThreadStart (data_ptr=<optimized out>) at ../../runtime/vm/os_thread_linux.cc:131
#6  0x00007f3f7a751184 in start_thread (arg=0x7f3f74afe700) at pthread_create.c:312
#7  0x00007f3f79f7003d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 6 (Thread 0x7f3f747fe700 (LWP 30646)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x000055f2e5beaa2d in dart::Monitor::WaitMicros (this=0x55f2e812a628, micros=999999) at ../../runtime/vm/os_thread_linux.cc:445
#2  0x000055f2e5b1d90c in WaitMicros (this=<optimized out>, micros=137) at ../../runtime/vm/lockers.h:177
#3  CheckIfIdleLocked (this=<optimized out>, ml=0x55f2e5f324d0 <vtable for dart::MonitorLocker+16>) at ../../runtime/vm/message_handler.cc:507
#4  dart::MessageHandler::TaskCallback (this=0x55f2e812a620) at ../../runtime/vm/message_handler.cc:421
#5  0x000055f2e5cb060c in dart::ThreadPool::Worker::Loop (this=0x55f2e8112640) at ../../runtime/vm/thread_pool.cc:381
#6  0x000055f2e5cb00ea in dart::ThreadPool::Worker::Main (args=94501763884608) at ../../runtime/vm/thread_pool.cc:436
#7  0x000055f2e5be9c75 in dart::ThreadStart (data_ptr=<optimized out>) at ../../runtime/vm/os_thread_linux.cc:131
#8  0x00007f3f7a751184 in start_thread (arg=0x7f3f747fe700) at pthread_create.c:312
#9  0x00007f3f79f7003d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 5 (Thread 0x7f3f748ff700 (LWP 30645)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x000055f2e5beaa2d in dart::Monitor::WaitMicros (this=0x55f2e81125a0, micros=4999999) at ../../runtime/vm/os_thread_linux.cc:445
#2  0x000055f2e5cb070e in WaitMicros (this=<optimized out>, micros=4999999) at ../../runtime/vm/lockers.h:177
#3  dart::ThreadPool::Worker::Loop (this=0x55f2e81125a0) at ../../runtime/vm/thread_pool.cc:394
#4  0x000055f2e5cb00ea in dart::ThreadPool::Worker::Main (args=94501763884448) at ../../runtime/vm/thread_pool.cc:436
#5  0x000055f2e5be9c75 in dart::ThreadStart (data_ptr=<optimized out>) at ../../runtime/vm/os_thread_linux.cc:131
#6  0x00007f3f7a751184 in start_thread (arg=0x7f3f748ff700) at pthread_create.c:312
#7  0x00007f3f79f7003d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 4 (Thread 0x7f3f74bff700 (LWP 30643)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1  0x000055f2e5beaa2d in dart::Monitor::WaitMicros (this=0x55f2e8112460, micros=5000000) at ../../runtime/vm/os_thread_linux.cc:445
#2  0x000055f2e5cb070e in WaitMicros (this=<optimized out>, micros=5000000) at ../../runtime/vm/lockers.h:177
#3  dart::ThreadPool::Worker::Loop (this=0x55f2e8112460) at ../../runtime/vm/thread_pool.cc:394
#4  0x000055f2e5cb00ea in dart::ThreadPool::Worker::Main (args=94501763884128) at ../../runtime/vm/thread_pool.cc:436
#5  0x000055f2e5be9c75 in dart::ThreadStart (data_ptr=<optimized out>) at ../../runtime/vm/os_thread_linux.cc:131
#6  0x00007f3f7a751184 in start_thread (arg=0x7f3f74bff700) at pthread_create.c:312
#7  0x00007f3f79f7003d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 3 (Thread 0x7f3f7ad737c0 (LWP 30639)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1  0x000055f2e5beaa54 in dart::Monitor::WaitMicros (this=0x7ffd639515d0, micros=0) at ../../runtime/vm/os_thread_linux.cc:440
#2  0x000055f2e5e8401a in Wait (this=<optimized out>, millis=0) at ../../runtime/vm/lockers.h:169
#3  Dart_RunLoop () at ../../runtime/vm/dart_api_impl.cc:1607
#4  0x000055f2e5837b26 in dart::bin::RunMainIsolate (script_name=0x7ffd63953bbc "/b/s/w/ir/tests/standalone_2/array_bounds_check_generalization_test.dart", dart_options=0x7ffd639517a0) at ../../runtime/bin/main.cc:916
#5  0x000055f2e5838917 in dart::bin::main (argc=10, argv=0x7ffd63951908) at ../../runtime/bin/main.cc:1157
#6  0x000055f2e5839319 in main (argc=1670714876, argv=0x80) at ../../runtime/bin/main.cc:1195

Thread 2 (Thread 0x7f3f7ad72700 (LWP 30640)):
#0  0x00007f3f79f706d3 in epoll_wait () at ../sysdeps/unix/syscall-template.S:81
#1  0x000055f2e5841d25 in dart::bin::EventHandlerImplementation::Poll (args=94501763833984) at ../../runtime/bin/eventhandler_linux.cc:392
#2  0x000055f2e586b51e in dart::bin::ThreadStart (data_ptr=<optimized out>) at ../../runtime/bin/thread_linux.cc:85
#3  0x00007f3f7a751184 in start_thread (arg=0x7f3f7ad72700) at pthread_create.c:312
#4  0x00007f3f79f7003d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7f3f79c7e700 (LWP 30642)):
#0  0x00007f3f79ea8c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f3f79eac028 in __GI_abort () at abort.c:89
#2  0x000055f2e5be7849 in dart::OS::Abort () at ../../runtime/vm/os_linux.cc:665
#3  0x000055f2e5ea7467 in dart::Assert::Fail (this=<optimized out>, format=<optimized out>) at ../../runtime/platform/assert.cc:43
#4  0x000055f2e59bf337 in SetRaw (this=<optimized out>, value=<optimized out>) at ../../runtime/vm/object.h:9115
#5  dart::Code::initializeHandle (obj=<optimized out>, raw_ptr=<optimized out>) at ../../runtime/vm/object.h:5220
#6  0x000055f2e5ab6fb9 in Handle (zone=<optimized out>, raw_ptr=0x7f3f736992b1) at ../../runtime/vm/object.h:5220
#7  dart::DeoptContext::~DeoptContext (this=0x55f2e8446630) at ../../runtime/vm/deopt_instructions.cc:165
#8  0x000055f2e5ab71ee in dart::DeoptContext::~DeoptContext (this=0x55f2e8446630) at ../../runtime/vm/deopt_instructions.cc:136
#9  0x000055f2e5c5e393 in DRT_HelperDeoptimizeMaterialize (isolate=0x55f2e811e900, arguments=..., thread=<optimized out>, zone=<optimized out>) at ../../runtime/vm/runtime_entry.cc:2511
#10 dart::DRT_DeoptimizeMaterialize (arguments=...) at ../../runtime/vm/runtime_entry.cc:2499
#11 0x00007f3f79e00fce in ?? ()
#12 0x000055f2e813aa00 in ?? ()
#13 0x0000000000000000 in ?? ()

The corresponding code:

DeoptContext::~DeoptContext() {
  ...
#ifndef PRODUCT
  if (FLAG_support_timeline && (deopt_start_micros_ != 0)) {
    ...
    if (compiler_stream->enabled()) {
      ...
      const Code& code = Code::Handle(zone(), code_);
  ...

The DeoptContext::code_ is

(gdb) p code_
$1 = (dart::RawCode *) 0x7f3f736992b1
(gdb) x/1gx 0x7f3f736992b0
0x7f3f736992b0: 0x000000000002001a
(gdb) p (dart::ClassId)0x2
$3 = dart::kFreeListElement

a-siva commented Jan 3, 2019

a-siva closed this Jan 3, 2019

dart-bot pushed a commit that referenced this issue Jan 3, 2019

[vm, gc] Fix untracked pointer in DeoptContext.
Bug: #35547
Change-Id: I610b2ad863c973fe2c46787c07e4be39aea8eb89
Reviewed-on: https://dart-review.googlesource.com/c/88288
Reviewed-by: Siva Annamalai <asiva@google.com>
Commit-Queue: Ryan Macnak <rmacnak@google.com>
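
As an added illustration (not part of the original comments and not Dart VM source), the C++ sketch below models the failure in this issue: a raw tagged pointer that the collector does not know about ends up pointing at a free-list element, and a header check like the `cid != kFreeListElement` assertion catches it. The toy heap, the sweep, `kToyCodeCid` and the 16-bit class id field at bit 16 are assumptions chosen to agree with the gdb output above.

```cpp
// Added illustration, not Dart VM source. Layout constants are assumptions
// chosen to match the gdb session quoted in the issue.
#include <cstdint>
#include <cstdio>

constexpr uintptr_t kHeapObjectTag = 1;    // code_ ended in ...2b1, header read at ...2b0
constexpr int kClassIdShift = 16;          // assumption: 0x2001a >> 16 == 0x2
constexpr uint64_t kClassIdMask = 0xffff;  // assumption: 16-bit class id field
constexpr uint16_t kFreeListElement = 2;   // from `p (dart::ClassId)0x2`
constexpr uint16_t kToyCodeCid = 0x40;     // hypothetical class id of a live object

// Extracts the class id from an object header word.
uint16_t ClassIdOf(uint64_t header) {
  return static_cast<uint16_t>((header >> kClassIdShift) & kClassIdMask);
}

// Toy heap: each object is a single header word.
struct ToyHeap {
  alignas(16) uint64_t words[4];
  uintptr_t Tagged(int i) const {
    return reinterpret_cast<uintptr_t>(&words[i]) + kHeapObjectTag;
  }
  // Toy sweep: any object not named in `roots` becomes a free-list element.
  void Sweep(const uintptr_t* roots, int n) {
    for (int i = 0; i < 4; i++) {
      bool live = false;
      for (int r = 0; r < n; r++) if (roots[r] == Tagged(i)) live = true;
      if (!live) words[i] = (uint64_t{kFreeListElement} << kClassIdShift) | 0x1a;
    }
  }
};

// Models the debug assertion: refuse to wrap a pointer to freed memory.
bool SafeToWrap(uintptr_t tagged) {
  if ((tagged & kHeapObjectTag) == 0) return false;  // not a heap object
  auto* header = reinterpret_cast<const uint64_t*>(tagged - kHeapObjectTag);
  return ClassIdOf(*header) != kFreeListElement;
}

// True if the pointer is still valid after a sweep; `tracked` says whether
// the collector was told about it (reported as a root) or not.
bool SurvivesGc(bool tracked) {
  ToyHeap heap;
  for (uint64_t& w : heap.words) w = uint64_t{kToyCodeCid} << kClassIdShift;
  uintptr_t code = heap.Tagged(2);  // stands in for DeoptContext::code_
  heap.Sweep(&code, tracked ? 1 : 0);
  return SafeToWrap(code);
}

int main() {
  std::printf("header 0x2001a -> cid %u\n", (unsigned)ClassIdOf(0x2001a));
  std::printf("tracked: %d, untracked: %d\n", SurvivesGc(true), SurvivesGc(false));
  return 0;
}
```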