runtime: crash in GC #7205

randall77 · 2014-01-25T00:44:41Z

go test reflect, crashes occasionally (~1 in 20?).  Stack trace below.

Looks like it is crashing in gc because a GC_IFACE op finds an interface value with a
tab or tab->type field which is junk.

(linux/amd64)
SIGSEGV: segmentation violation
PC=0x40e191

scanblock(0x7fe3b7934000, 0x7fe3b7915d00)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/mgc0.c:948 +0x8c1
markroot(0xc210026000, 0x7)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/mgc0.c:1277 +0xd9
runtime.parfordo(0xc210026000)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/parfor.c:105 +0xa3
gc(0x7fe3b7a4d480)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/mgc0.c:2163 +0x259
mgc(0xc2100015a0)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/mgc0.c:2104 +0x2e
runtime.mcall(0x427667)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/asm_amd64.s:181 +0x4b

goroutine 57 [garbage collection]:
runtime.gc(0x7fe300000000)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/mgc0.c:2075 +0x1b2 fp=0x7fe3b7a4d490
runtime.mallocgc(0x40, 0x0, 0x9)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/malloc.goc:211 +0x1b8 fp=0x7fe3b7a4d508
gostringsize(0x7fe3b7a4d558, 0x3c)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/string.goc:49 +0x5f fp=0x7fe3b7a4d540
concatstring(0x7fe3b7a4d5f8, 0x5, 0x7fe3b7a4d5a8)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/string.goc:171 +0x13c fp=0x7fe3b7a4d588
runtime.concatstring5(0x5dbcd0, 0xb, 0x5e2050, 0x11, 0x5c91d0, ...)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/string.goc:204 +0x28 fp=0x7fe3b7a4d5a8
reflect.funcLayout(0x592c40, 0x595bc0, 0x564960)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/reflect/type.go:1883 +0x9ce fp=0x7fe3b7a4d6c8
reflect.Value.call(0x595bc0, 0xc21004bea0, 0x0, 0x138, 0x5ca550, ...)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/reflect/value.go:535 +0xf99 fp=0x7fe3b7a4db00
reflect.Value.Call(0x595bc0, 0xc21004bea0, 0x0, 0x138, 0xc210095f40, ...)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/reflect/value.go:411 +0xb3 fp=0x7fe3b7a4db68
reflect_test.func·012(0x5c8fb0, 0x3, 0x595bc0, 0xc21004bea0, 0x0, ...)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/reflect/all_test.go:1803 +0x29e fp=0x7fe3b7a4dd10
reflect_test.func·013(0x5c8fb0, 0x3, 0x595bc0, 0xc21004bea0, 0x28)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/reflect/all_test.go:1818 +0xc0 fp=0x7fe3b7a4ddb8
reflect_test.TestMethod5(0xc210090900)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/reflect/all_test.go:1852 +0x8ad fp=0x7fe3b7a4df60
testing.tRunner(0xc210090900, 0x8cee38)
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/testing/testing.go:398 +0x8b fp=0x7fe3b7a4df90
runtime.goexit()
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/runtime/proc.c:1438 fp=0x7fe3b7a4df98
created by testing.RunTests
    /usr/local/google/home/khr/sandbox/go-ro/src/pkg/testing/testing.go:479 +0x978

randall77 · 2014-01-25T01:13:52Z

Comment 1:

Looks like live values are wrong:
package main
import "reflect"
func baz(bx reflect.Value) bool {
    b := bx.Interface()
    return b != byte(99)
}
../bin/go tool 6g -live -S issue7205.go
/usr/local/google/home/khr/go/issue7205.go:5: live at entry to baz: bx b
/usr/local/google/home/khr/go/issue7205.go:6: live at call to Value.Interface: bx b
/usr/local/google/home/khr/go/issue7205.go:7: live at call to convT2E: bx b
/usr/local/google/home/khr/go/issue7205.go:7: live at call to efaceeq: bx
Looking at the assembly, there's no zeroing of b before the call to Interface().

randall77 · 2014-01-28T01:36:29Z

Comment 2:

Simpler repro:
package main
var i interface{}
func foo()
func baz() bool {
    foo()
    b := i
    return b != byte(99)
}
The main bug is that any local or return value live at the start of the function needs
to be zeroed.  This shouldn't happen, but does in this situation because of...
The secondary bug is that the write to b in this situation is not considered a kill of b
because an interface{} is a fat value.  The "write" actually occurs with two separate
instructions and neither is obviously a kill by itself.
Not sure how to fix it just yet.  Still looking...

randall77 · 2014-01-28T02:04:46Z

Comment 3:

This issue was updated by revision 28479f2.

LGTM=iant
R=golang-codereviews, iant
CC=golang-codereviews
https://golang.org/cl/50730044

davecheney · 2014-02-03T23:44:41Z

Comment 5:

Labels changed: added release-go1.3, repo-main.

Status changed to Started.

rsc · 2014-02-13T06:19:26Z

Comment 7:

I have a fix for comment #2. I also changed the compiler as we discussed Tuesday, to
crash if it finds any local variable or result variable live on entry to the function.
That has turned up a handful related problems, not all of which I've been able to fix
yet.

Owner changed to @rsc.

rsc · 2014-02-14T03:45:24Z

Comment 9:

This issue was closed by revision 91b1f7c.

Status changed to Fixed.

randall77 added fixed labels Feb 14, 2014

randall77 assigned rsc Feb 14, 2014

rsc added this to the Go1.3 milestone Apr 14, 2015

rsc removed the release-go1.3 label Apr 14, 2015

golang locked and limited conversation to collaborators Jun 25, 2016

gopherbot added the FrozenDueToAge label Jun 25, 2016

rsc removed their assignment Jun 23, 2022

This issue was closed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

runtime: crash in GC #7205

runtime: crash in GC #7205

randall77 commented Jan 25, 2014

randall77 commented Jan 25, 2014

randall77 commented Jan 28, 2014

randall77 commented Jan 28, 2014

davecheney commented Feb 3, 2014

rsc commented Feb 13, 2014

rsc commented Feb 14, 2014

runtime: crash in GC #7205

runtime: crash in GC #7205

Comments

randall77 commented Jan 25, 2014

randall77 commented Jan 25, 2014

randall77 commented Jan 28, 2014

randall77 commented Jan 28, 2014

davecheney commented Feb 3, 2014

rsc commented Feb 13, 2014

rsc commented Feb 14, 2014