CheckStackOverflow triggers crash in FFI #37910

Closed
sjindel-google opened this issue Aug 19, 2019 · 2 comments
Labels: area-vm, dartfuzz, library-ffi

Comments

@sjindel-google (Contributor):

Migrated from #37606:

The following code leads to a segmentation fault when executed with the option --stacktrace_every=100. This happens on multiple builds, e.g. ReleaseX64.

import 'dart:ffi' as ffi;

typedef fooFfi1Type = ffi.Int32 Function();

// Plain Dart function that will be exposed as a native callback.
int fooFfi1() {
  int a = 0;
  for (int i = 0; i < 1000; ++i) {
    a += i;
  }
  return a;
}

// Round-trip: wrap fooFfi1 as a native function pointer (exceptional return 0),
// then call it back through FFI. The generated trampolines are force-optimized.
int Function() foo1 = ffi.Pointer.fromFunction<fooFfi1Type>(fooFfi1, 0)
    .cast<ffi.NativeFunction<fooFfi1Type>>()
    .asFunction();

main() {
  foo1();
}

Fault:

../../sdk/out/ReleaseX64/dart --stacktrace_every=100 ffitest.dart

===== CRASH =====
si_signo=Segmentation fault(11), si_code=1, si_addr=0x7ff4c01c0000
version=2.5.0-edge.92562dc5a50a822656d76ce1b9b49da560b4327c (Mon Aug 12 17:01:06 2019 +0000) on "linux_x64"
thread=246184, isolate=main(0x56082d5b0100)
  pc 0x000056082bc731b3 fp 0x00007ff4beffe130 dart::PcDescriptors::DecodeInteger(long*) const
  pc 0x000056082bc7db18 fp 0x00007ff4beffe1a0 dart::Code::GetPcForDeoptId(long, dart::RawPcDescriptors::Kind) const
  pc 0x000056082bd4152b fp 0x00007ff4beffe1e0 dart::InlinedFunctionsIterator::InlinedFunctionsIterator(dart::Code const&, unsigned long)
  pc 0x000056082bbb51e1 fp 0x00007ff4beffe2a0 dart::Debugger::AppendCodeFrames(dart::Thread*, dart::Isolate*, dart::Zone*, dart::DebuggerStackTrace*, dart::StackFrame*, dart::Code*, dart::Code*, dart::Array*)
  pc 0x000056082bba9cb5 fp 0x00007ff4beffe400 dart::Debugger::CollectStackTrace()
  pc 0x000056082bd19321 fp 0x00007ff4beffe610 dart::DRT_StackOverflow(dart::NativeArguments)
  pc 0x00007ff4bf001108 fp 0x00007ff4beffe650 Unknown symbol
  pc 0x00007ff4bbf6cf82 fp 0x00007ff4beffe688 Unknown symbol
  pc 0x00007ff4bbf6c9a4 fp 0x00007ff4beffe6e0 Unknown symbol
  pc 0x00007ff4bf0015e0 fp 0x00007ff4beffe740 Unknown symbol
  pc 0x0000000000000000 fp 0x00007ff4beffe750 Unknown symbol
  pc 0x00007ff4bf0041ee fp 0x00007ff4beffe770 Unknown symbol
  pc 0x00007ff4bbf6cd4d fp 0x00007ff4beffe798 Unknown symbol
  pc 0x00007ff4bbf6c461 fp 0x00007ff4beffe7d0 Unknown symbol
  pc 0x00007ff4bbf6c350 fp 0x00007ff4beffe810 Unknown symbol
  pc 0x00007ff4bbf6c17c fp 0x00007ff4beffe848 Unknown symbol
  pc 0x00007ff4bbf6b3a4 fp 0x00007ff4beffe890 Unknown symbol
  pc 0x00007ff4bbf4a0ff fp 0x00007ff4beffe8d0 Unknown symbol
  pc 0x00007ff4bbf6b073 fp 0x00007ff4beffe908 Unknown symbol
  pc 0x00007ff4bf00166c fp 0x00007ff4beffe978 Unknown symbol
  pc 0x000056082bba4436 fp 0x00007ff4beffea20 dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long)
  pc 0x000056082bba78e6 fp 0x00007ff4beffea80 dart::DartLibraryCalls::HandleMessage(dart::Object const&, dart::Instance const&)
  pc 0x000056082bbe57b2 fp 0x00007ff4beffec80 dart::IsolateMessageHandler::HandleMessage(std::__2::unique_ptr<dart::Message, std::__2::default_delete<dart::Message> >)
  pc 0x000056082bc190fd fp 0x00007ff4beffecf0 dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool)
  pc 0x000056082bc19946 fp 0x00007ff4beffed50 dart::MessageHandler::TaskCallback()
  pc 0x000056082bd51d97 fp 0x00007ff4beffed80 dart::ThreadPool::Worker::Loop()
  pc 0x000056082bd51c35 fp 0x00007ff4beffedc0 dart::ThreadPool::Worker::Main(unsigned long)
  pc 0x000056082bcb9569 fp 0x00007ff4beffee70 ../../sdk/out/ReleaseX64/dart+0x192b569
-- End of DumpStackTrace
[1]    246182 abort      ../../sdk/out/ReleaseX64/dart --stacktrace_every=100 ffitest.dart

/cc @feli-citas

@sjindel-google sjindel-google added library-ffi area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. labels Aug 19, 2019
@sjindel-google (Contributor, Author):

This looks like an issue with the ForceOptimize() technology. I'll investigate.

@sjindel-google sjindel-google self-assigned this Aug 19, 2019
@aartbik aartbik added the dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.) label Aug 19, 2019
dart-bot pushed a commit that referenced this issue Aug 21, 2019
Rationale:
Until the related bug is fixed we disable the option '--stacktrace_every=100' for tests.

Bug:
#37910

Change-Id: I257579f49ab15f9cae8c1480ae02824e0484c531
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/113863
Commit-Queue: Felicitas Hetzelt <felih@google.com>
Reviewed-by: Aart Bik <ajcbik@google.com>
@sjindel-google (Contributor, Author):

There turn out to be two issues here:

  1. The profiler attempts to read the deopt info for optimized frames in order to recover inlined frames. There is no deopt info for force-optimized functions, so it crashes.
  2. The debugger attempts to deoptimize any frame on the stack in order to debug the frame. Force-optimized functions cannot deoptimize, so the debugger crashes.

I've addressed both of these in https://dart-review.googlesource.com/c/sdk/+/113999

dart-bot pushed a commit that referenced this issue Aug 26, 2019
…d frames.

Issue #37910

Change-Id: I76630fbc6733712c8709b782619a76190c70bfd5
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/113999
Commit-Queue: Samir Jindel <sjindel@google.com>
Reviewed-by: Martin Kustermann <kustermann@google.com>
dart-bot pushed a commit that referenced this issue Aug 26, 2019
#37606
#37910

Change-Id: Ie7704aba796943aa010281d7094f4d8125c82287
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/114544
Reviewed-by: Ben Konyi <bkonyi@google.com>
Commit-Queue: Aart Bik <ajcbik@google.com>