Random segfaults in ::Heap::markFrom (core/state.h:348) #228

Closed
Quentin-M opened this issue Aug 16, 2016 · 9 comments

@Quentin-M

Quentin-M commented Aug 16, 2016

Hi,

I experience random segmentation faults in ::Heap::markFrom (core/state.h:348):

Program received signal SIGSEGV, Segmentation fault.
(anonymous namespace)::Heap::markFrom (from=0x17184c0, this=<optimized out>) at core/state.h:348
348                if (curr->mark != thisMark) {

It appears that curr is NULL, thus the crash on curr->mark:

(gdb) print curr
$1 = ((anonymous namespace)::HeapEntity *) 0x0
(gdb) print stack
$5 = std::vector of length 5, capacity 8 = {{<No data fields>}, {<No data fields>}, {<No data fields>}, {<No data fields>},
  {<No data fields>}}
(gdb) print curr_index
$6 = 4

A bit more context:

(gdb) backtrace
#0  (anonymous namespace)::Heap::markFrom (from=0x17184c0, this=<optimized out>) at core/state.h:348
#1  0x00007ffff3e76d08 in markFrom (this=0x7fffffffc230, v=...) at core/state.h:327
#2  (anonymous namespace)::Interpreter::makeHeap<(anonymous namespace)::HeapString, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&> (this=0x7fffffffc230) at core/vm.cpp:505
#3  0x00007ffff3e80777 in makeString (v=..., this=<optimized out>) at core/vm.cpp:597
#4  (anonymous namespace)::Interpreter::jsonToHeap (this=0x0, v=std::unique_ptr<JsonnetJsonValue> containing 0x0, attach=...)
    at core/vm.cpp:1279
#5  0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0x0,
    v=std::unique_ptr<JsonnetJsonValue> containing 0x0, attach=...) at core/vm.cpp:1313
#6  0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0x0, this@entry=0x7fffffffc230,
    v=std::unique_ptr<JsonnetJsonValue> containing 0x0, attach=...) at core/vm.cpp:1313
#7  0x00007ffff3e86f27 in (anonymous namespace)::Interpreter::evaluate (this=this@entry=0x7fffffffc230, ast_=<optimized out>,
    ast_@entry=0x14e3c20, initial_stack_size=<optimized out>) at core/vm.cpp:2095
#8  0x00007ffff3e82450 in (anonymous namespace)::Interpreter::manifestJson (this=0x7fffffffc230, loc=..., multiline=true,
    indent=U"      ") at core/vm.cpp:2541
#9  0x00007ffff3e820b3 in (anonymous namespace)::Interpreter::manifestJson (this=0x7fffffffc230, loc=..., multiline=true,
    indent=U"   ") at core/vm.cpp:2496
#10 0x00007ffff3e8a041 in (anonymous namespace)::Interpreter::manifestJson (this=this@entry=0x7fffffffc230, loc=..., indent=U"",
    multiline=true) at core/vm.cpp:2542
Python Exception <type 'exceptions.ValueError'> Cannot find type const (anonymous namespace)::ExtMap::_Rep_type:
#11 0x00007ffff3e8d3ab in jsonnet_vm_execute (alloc=alloc@entry=0x7fffffffc610, ast=<optimized out>,
    ext_vars=std::map with 0 elements, max_stack=<optimized out>, gc_min_objects=<optimized out>, gc_growth_trigger=<optimized out>,
Python Exception <type 'exceptions.ValueError'> Cannot find type const VmNativeCallbackMap::_Rep_type:
    natives=std::map with 11 elements, import_callback=0x7ffff3e34c20 <cpython_import_callback>, ctx=0x7fffffffc830,
---Type <return> to continue, or q <return> to quit---
    string_output=false) at core/vm.cpp:2664
#12 0x00007ffff3e510ad in jsonnet_evaluate_snippet_aux (vm=vm@entry=0xef4620, filename=<optimized out>,

My template is quite big, so I won't paste it directly here. However, we can note that I am using the Python library, native callbacks, std.mergePatch, and tla_codes. At first glance, we might think that mergePatch causes it, as I recently introduced it in my templates.

Thanks.

@sparkprime
Member

#6  0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0x0, this@entry=0x7fffffffc230,
    v=std::unique_ptr<JsonnetJsonValue> containing 0x0, attach=...) at core/vm.cpp:1313

this=0x0 looks very suspicious

Can you run in valgrind? It may be a bug in the native callbacks, or maybe the Python wrapper. I can assist you debugging it if you're comfortable with that. Otherwise I'll probably need a reproduction case. You can also build without optimisations for easier debugging with make OPT=

@sparkprime
Member

--gc-min-objects 1 --gc-growth-trigger 1 will put more stress on the garbage collector (initiate a full collection cycle at every allocation). This will probably remove the randomness but will be slower as well.

@Quentin-M
Author

Quentin-M commented Aug 16, 2016

Sure thing! Thanks!

Here is a Valgrind run, starting from the moment it actually starts processing the manifest. Note that the invalid reads/use of uninitialized value in PyObject_Free and PyEval_EvalFrameEx happen pretty much all the time, from the very beginning, so they probably are irrelevant.

http://pastebin.com/FPVNcrPf

If you prefer me to host the report elsewhere, feel free to tell me!
I may try to recompile using -Og if necessary.
Python code is open-source if it may help.

@Quentin-M
Author

Quentin-M commented Aug 16, 2016

In an imported manifest, I have the following function:

variables(package, params):: (
   local p = package + {variables: package.variables + std.mergePatch(super.variables, params.variables)};
   p.variables
),

Removing the + operation (and thus either std.mergePatch or package.variables) seems to make the issue disappear. Using the shorthand variables+: std.mergePatch(super.variables, params.variables) seems to make it happen a little less.

@sparkprime
Member

From that valgrind output I think I know what's going on. For a given HeapThunk *t, t->content is valid when t->filled is true, but state.h:1273 sets t->filled true without setting t->content. The intent is that the recursive call to jsonToHeap will fill in t->content immediately but it does so by creating another object on the heap and then assigning the resulting pointer to t->content. If creating that object triggers a GC cycle then the garbage collector will eventually get to the thunk t and try to read content looking for more objects to mark alive because filled is true. In this case that results in reading 0 most of the time and triggering a segfault.

I'll look into a solution tomorrow (I'm too many margaritas down right now!). As a workaround you should be able to increase the GC tuning to make the GC less likely to run at that precise point in time where the heap is temporarily malformed.

Of course this may be an unrelated bug but it looks like it explains the behavior pretty well to me.
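
A minimal model of the ordering problem described in the comment above, and of why collecting at every allocation (the `--gc-min-objects 1 --gc-growth-trigger 1` suggestion) makes it deterministic; this is an added example, not code from this thread or from Jsonnet. All names (`Heap`, `Thunk`, `fillThunks`, `gcThreshold`) are hypothetical, and the marker counts a null `content` pointer instead of dereferencing it so the program can report the result rather than crash.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy mark-and-sweep heap (hypothetical names, not Jsonnet's classes) whose
// collector may run inside any allocation.
struct Entity {
    bool marked = false;
    virtual ~Entity() = default;
};
struct Str : Entity {};
struct Thunk : Entity {
    bool filled = false;        // invariant: filled implies content != nullptr
    Entity *content = nullptr;
};

struct Heap {
    std::vector<Entity *> objects;
    std::vector<Entity *> roots;     // stands in for the interpreter stack
    std::size_t gcThreshold;         // collect once this many objects exist
    int brokenThunksSeen = 0;        // times the marker met filled && !content

    explicit Heap(std::size_t threshold) : gcThreshold(threshold) {}
    ~Heap() { for (Entity *e : objects) delete e; }

    void markFrom(Entity *from) {
        std::vector<Entity *> stack{from};
        while (!stack.empty()) {
            Entity *curr = stack.back();
            stack.pop_back();
            if (curr == nullptr) {
                // The marker in the issue evaluates curr->mark at this point
                // and segfaults; this model only records the event.
                ++brokenThunksSeen;
                continue;
            }
            if (curr->marked) continue;
            curr->marked = true;
            if (auto *t = dynamic_cast<Thunk *>(curr)) {
                if (t->filled) stack.push_back(t->content);  // trusts the flag
            }
        }
    }

    // Mark from the roots and from the object being created, then sweep.
    void collect(Entity *justCreated) {
        for (Entity *r : roots) markFrom(r);
        markFrom(justCreated);
        std::vector<Entity *> live;
        for (Entity *e : objects) {
            if (e->marked) { e->marked = false; live.push_back(e); }
            else delete e;
        }
        objects.swap(live);
    }

    template <class T> T *make() {
        T *obj = new T();
        objects.push_back(obj);
        if (objects.size() >= gcThreshold) collect(obj);
        return obj;
    }
};

// Creates n rooted thunks and fills each one. Returns how many times the
// collector observed a thunk flagged as filled whose content was still null.
int fillThunks(bool publishBeforeContent, int n, std::size_t gcThreshold) {
    Heap heap(gcThreshold);
    for (int i = 0; i < n; ++i) {
        Thunk *t = heap.make<Thunk>();
        heap.roots.push_back(t);
        if (publishBeforeContent) {
            t->filled = true;                 // heap is malformed from here...
            t->content = heap.make<Str>();    // ...and this allocation may collect
        } else {
            Entity *s = heap.make<Str>();     // thunk still reads as unfilled
            t->content = s;
            t->filled = true;                 // published only once complete
        }
    }
    return heap.brokenThunksSeen;
}

int main() {
    // gcThreshold 1 collects at every allocation; 1000 never collects here.
    std::printf("flag first, GC every alloc: %d\n", fillThunks(true, 5, 1));
    std::printf("content first, GC every alloc: %d\n", fillThunks(false, 5, 1));
    std::printf("flag first, GC never triggered: %d\n", fillThunks(true, 5, 1000));
    return 0;
}
```

The third case shows why the crash looked random: the unsafe ordering is harmless until a collection happens to land between the two assignments.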

@Quentin-M
Author

Hi,

Thanks for #229. However, I still face random segmentation faults:

gdb:

#0  0x0000000000000000 in ?? ()
#1  0x00007ffff3b6a655 in __dynamic_cast () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#2  0x00007ffff3e75df4 in (anonymous namespace)::Heap::markFrom (from=0x1440da0, this=<optimized out>) at core/state.h:351
#3  0x00007ffff3e81058 in markFrom (this=<optimized out>, v=...) at core/state.h:327
#4  makeHeap<(anonymous namespace)::HeapComprehensionObject, std::map<Identifier const*, (anonymous namespace)::HeapThunk*, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > >&, AST const*&, Identifier const*&, std::map<Identifier const*, (anonymous namespace)::HeapThunk*, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > >&> (this=<optimized out>) at core/vm.cpp:505
#5  makeObject<(anonymous namespace)::HeapComprehensionObject, std::map<Identifier const*, (anonymous namespace)::HeapThunk*, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > >, AST const*, Identifier const*, std::map<Identifier const*, (anonymous namespace)::HeapThunk*, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > > > (this=<optimized out>) at core/vm.cpp:589
#6  (anonymous namespace)::Interpreter::jsonToHeap (this=0xd7da60, v=<error reading variable: Cannot access memory at address 0x0>,
    attach=...) at core/vm.cpp:1307
#7  0x00007ffff3e80d97 in (anonymous namespace)::Interpreter::jsonToHeap (this=0xd7da60,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1301
#8  0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0xd7da60,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#9  0x00007ffff3e80d97 in (anonymous namespace)::Interpreter::jsonToHeap (this=0xd7da60,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1301
#10 0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0xd7da60,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#11 0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0xd7da60,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#12 0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0xd7da60,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#13 0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0xd7da60, this@entry=0x7fffffffc230,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#14 0x00007ffff3e86f27 in (anonymous namespace)::Interpreter::evaluate (this=this@entry=0x7fffffffc230, ast_=<optimized out>,
    ast_@entry=0xd31580, initial_stack_size=<optimized out>) at core/vm.cpp:2095
#15 0x00007ffff3e82450 in (anonymous namespace)::Interpreter::manifestJson (this=0x7fffffffc230, loc=..., multiline=true,

#0  0x00007ffff3b6a618 in __dynamic_cast () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x00007ffff3e75df4 in (anonymous namespace)::Heap::markFrom (from=0x17b90f0, this=<optimized out>) at core/state.h:351
#2  0x00007ffff3e81058 in markFrom (this=<optimized out>, v=...) at core/state.h:327
#3  makeHeap<(anonymous namespace)::HeapComprehensionObject, std::map<Identifier const*, (anonymous namespace)::HeapThunk*, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > >&, AST const*&, Identifier const*&, std::map<Identifier const*, (anonymous namespace)::HeapThunk*, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > >&> (this=<optimized out>) at core/vm.cpp:505
#4  makeObject<(anonymous namespace)::HeapComprehensionObject, std::map<Identifier const*, (anonymous namespace)::HeapThunk*, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > >, AST const*, Identifier const*, std::map<Identifier const*, (anonymous namespace)::HeapThunk*, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > > > (this=<optimized out>) at core/vm.cpp:589
#5  (anonymous namespace)::Interpreter::jsonToHeap (this=0x178fa10, v=<error reading variable: Cannot access memory at address 0x0>,
    attach=...) at core/vm.cpp:1307
#6  0x00007ffff3e80d97 in (anonymous namespace)::Interpreter::jsonToHeap (this=0x178fa10,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1301
#7  0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0x178fa10,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#8  0x00007ffff3e80d97 in (anonymous namespace)::Interpreter::jsonToHeap (this=0x178fa10,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1301
#9  0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0x178fa10,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#10 0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0x178fa10,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#11 0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0x178fa10,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#12 0x00007ffff3e80b7d in (anonymous namespace)::Interpreter::jsonToHeap (this=0x178fa10, this@entry=0x7fffffffc230,
    v=<error reading variable: Cannot access memory at address 0x0>, attach=...) at core/vm.cpp:1313
#13 0x00007ffff3e86f27 in (anonymous namespace)::Interpreter::evaluate (this=this@entry=0x7fffffffc230, ast_=<optimized out>,
    ast_@entry=0x14f10a0, initial_stack_size=<optimized out>) at core/vm.cpp:2095
#14 0x00007ffff3e82450 in (anonymous namespace)::Interpreter::manifestJson (this=0x7fffffffc230, loc=..., multiline=true,
    indent=U"      ") at core/vm.cpp:2541

Some valgrind:

==125753==  Address 0x7f44020 is 16 bytes after a block of size 48 free'd
==125753==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==125753==    by 0xB2B99E7: deallocate (new_allocator.h:110)
==125753==    by 0xB2B99E7: deallocate (alloc_traits.h:383)
==125753==    by 0xB2B99E7: _M_put_node (stl_tree.h:389)
==125753==    by 0xB2B99E7: _M_destroy_node (stl_tree.h:438)
==125753==    by 0xB2B99E7: std::_Rb_tree<Identifier const*, std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*>, std::_Select1st<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> >, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > >::_M_erase(std::_Rb_tree_node<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> >*) (stl_tree.h:1247)
==125753==    by 0xB2B99DB: std::_Rb_tree<Identifier const*, std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*>, std::_Select1st<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> >, std::less<Identifier const*>, std::allocator<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> > >::_M_erase(std::_Rb_tree_node<std::pair<Identifier const* const, (anonymous namespace)::HeapThunk*> >*) (stl_tree.h:1245)
==125753==    by 0xB2BE4DD: ~_Rb_tree (stl_tree.h:715)
==125753==    by 0xB2BE4DD: ~map (stl_map.h:96)
==125753==    by 0xB2BE4DD: ~Frame (vm.cpp:91)
==125753==    by 0xB2BE4DD: destroy<(anonymous namespace)::Frame> (new_allocator.h:124)
==125753==    by 0xB2BE4DD: _S_destroy<(anonymous namespace)::Frame> (alloc_traits.h:282)
==125753==    by 0xB2BE4DD: destroy<(anonymous namespace)::Frame> (alloc_traits.h:411)
==125753==    by 0xB2BE4DD: pop_back (stl_vector.h:952)
==125753==    by 0xB2BE4DD: (anonymous namespace)::Stack::pop() (vm.cpp:253)
==125753==    by 0xB2C9AE8: (anonymous namespace)::Interpreter::evaluate(AST const*, unsigned int) (vm.cpp:2454)
==125753==    by 0xB2C844F: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2541)
==125753==    by 0xB2C8AAE: (anonymous namespace)::Interpreter::toString(LocationRange const&) (vm.cpp:1322)
==125753==    by 0xB2CAAFE: (anonymous namespace)::Interpreter::evaluate(AST const*, unsigned int) (vm.cpp:2401)
==125753==    by 0xB2C844F: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2541)
==125753==    by 0xB2C80B2: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2496)
==125753==    by 0xB2D0040: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) [clone .constprop.912] (vm.cpp:2542)
==125753==    by 0xB2D33AA: jsonnet_vm_execute(Allocator*, AST const*, std::map<std::string, VmExt, std::less<std::string>, std::allocator<std::pair<std::string const, VmExt> > > const&, unsigned int, double, double, std::map<std::string, VmNativeCallback, std::less<std::string>, std::allocator<std::pair<std::string const, VmNativeCallback> > > const&, char* (*)(void*, char const*, char const*, char**, int*), void*, bool) (vm.cpp:2664)
==125753==  Address 0xbf14020 is 16 bytes after a block of size 32 free'd
==125753==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==125753==    by 0xB2B9D86: deallocate (new_allocator.h:110)
==125753==    by 0xB2B9D86: deallocate (alloc_traits.h:383)
==125753==    by 0xB2B9D86: _M_deallocate (stl_vector.h:178)
==125753==    by 0xB2B9D86: void std::vector<(anonymous namespace)::Heap::markFrom((anonymous namespace)::HeapEntity*)::State, std::allocator<(anonymous namespace)::Heap::markFrom((anonymous namespace)::HeapEntity*)::State> >::_M_emplace_back_aux<(anonymous namespace)::HeapEntity*&>((anonymous namespace)::HeapEntity*&) (vector.tcc:438)
==125753==    by 0xB2BC37C: emplace_back<(anonymous namespace)::HeapEntity*&> (vector.tcc:101)
==125753==    by 0xB2BC37C: (anonymous namespace)::Heap::markFrom((anonymous namespace)::HeapEntity*) [clone .isra.603] (state.h:392)
==125753==    by 0xB2BC663: (anonymous namespace)::Frame::mark((anonymous namespace)::Heap&) const (vm.cpp:178)
==125753==    by 0xB2BCC79: mark (vm.cpp:236)
==125753==    by 0xB2BCC79: (anonymous namespace)::HeapString* (anonymous namespace)::Interpreter::makeHeap<(anonymous namespace)::HeapString, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&>(std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:502)
==125753==    by 0xB2CB357: makeString (vm.cpp:597)
==125753==    by 0xB2CB357: (anonymous namespace)::Interpreter::evaluate(AST const*, unsigned int) (vm.cpp:1545)
==125753==    by 0xB2C844F: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2541)
==125753==    by 0xB2C8467: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2542)
==125753==    by 0xB2C8467: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2542)
==125753==    by 0xB2C8AAE: (anonymous namespace)::Interpreter::toString(LocationRange const&) (vm.cpp:1322)
==125753==    by 0xB2CAAFE: (anonymous namespace)::Interpreter::evaluate(AST const*, unsigned int) (vm.cpp:2401)
==125753==    by 0xB2C844F: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2541)
==125753==  Address 0xae74020 is 0 bytes inside a block of size 120 free'd
==125753==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==125753==    by 0xB2BA695: (anonymous namespace)::HeapClosure::~HeapClosure() (state.h:232)
==125753==    by 0xB2B985A: (anonymous namespace)::Heap::sweep() (state.h:407)
==125753==    by 0xB2BCC90: (anonymous namespace)::HeapString* (anonymous namespace)::Interpreter::makeHeap<(anonymous namespace)::HeapString, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&>(std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:508)
==125753==    by 0xB2CB357: makeString (vm.cpp:597)
==125753==    by 0xB2CB357: (anonymous namespace)::Interpreter::evaluate(AST const*, unsigned int) (vm.cpp:1545)
==125753==    by 0xB2C844F: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2541)
==125753==    by 0xB2C8467: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2542)
==125753==    by 0xB2C8467: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2542)
==125753==    by 0xB2C8AAE: (anonymous namespace)::Interpreter::toString(LocationRange const&) (vm.cpp:1322)
==125753==    by 0xB2CAAFE: (anonymous namespace)::Interpreter::evaluate(AST const*, unsigned int) (vm.cpp:2401)
==125753==    by 0xB2C844F: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2541)
==125753==    by 0xB2C80B2: (anonymous namespace)::Interpreter::manifestJson(LocationRange const&, bool, std::basic_string<char32_t, std::char_traits<char32_t>, std::allocator<char32_t> > const&) (vm.cpp:2496)
==125753==
==125753== Conditional jump or move depends on uninitialised value(s)
==125753==    at 0xB2BC01A: (anonymous namespace)::Heap::markFrom((anonymous namespace)::HeapEntity*) [clone .isra.603] (state.h:378)
==125753==    by 0xB2C7057: markFrom (state.h:327)
==125753==    by 0xB2C7057: makeHeap<(anonymous namespace)::HeapComprehensionObject, std::map<const Identifier*, (anonymous namespace)::HeapThunk*, std::less<const Identifier*>, std::allocator<std::pair<const Identifier* const, (anonymous namespace)::HeapThunk*> > >&, const AST*&, const Identifier*&, std::map<const Identifier*, (anonymous namespace)::HeapThunk*, std::less<const Identifier*>, std::allocator<std::pair<const Identifier* const, (anonymous namespace)::HeapThunk*> > >&> (vm.cpp:505)
==125753==    by 0xB2C7057: makeObject<(anonymous namespace)::HeapComprehensionObject, std::map<const Identifier*, (anonymous namespace)::HeapThunk*, std::less<const Identifier*>, std::allocator<std::pair<const Identifier* const, (anonymous namespace)::HeapThunk*> > >, const AST*, const Identifier*, std::map<const Identifier*, (anonymous namespace)::HeapThunk*, std::less<const Identifier*>, std::allocator<std::pair<const Identifier* const, (anonymous namespace)::HeapThunk*> > > > (vm.cpp:589)
==125753==    by 0xB2C7057: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1307)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6D96: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1301)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6D96: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1301)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2CCF26: (anonymous namespace)::Interpreter::evaluate(AST const*, unsigned int) (vm.cpp:2095)
==125753==
==125753== Use of uninitialised value of size 8
==125753==    at 0xB2BBDCE: (anonymous namespace)::Heap::markFrom((anonymous namespace)::HeapEntity*) [clone .isra.603] (state.h:348)
==125753==    by 0xB2C7057: markFrom (state.h:327)
==125753==    by 0xB2C7057: makeHeap<(anonymous namespace)::HeapComprehensionObject, std::map<const Identifier*, (anonymous namespace)::HeapThunk*, std::less<const Identifier*>, std::allocator<std::pair<const Identifier* const, (anonymous namespace)::HeapThunk*> > >&, const AST*&, const Identifier*&, std::map<const Identifier*, (anonymous namespace)::HeapThunk*, std::less<const Identifier*>, std::allocator<std::pair<const Identifier* const, (anonymous namespace)::HeapThunk*> > >&> (vm.cpp:505)
==125753==    by 0xB2C7057: makeObject<(anonymous namespace)::HeapComprehensionObject, std::map<const Identifier*, (anonymous namespace)::HeapThunk*, std::less<const Identifier*>, std::allocator<std::pair<const Identifier* const, (anonymous namespace)::HeapThunk*> > >, const AST*, const Identifier*, std::map<const Identifier*, (anonymous namespace)::HeapThunk*, std::less<const Identifier*>, std::allocator<std::pair<const Identifier* const, (anonymous namespace)::HeapThunk*> > > > (vm.cpp:589)
==125753==    by 0xB2C7057: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1307)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6D96: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1301)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6D96: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1301)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2C6B7C: (anonymous namespace)::Interpreter::jsonToHeap(std::unique_ptr<JsonnetJsonValue, std::default_delete<JsonnetJsonValue> > const&, (anonymous namespace)::Value&) (vm.cpp:1313)
==125753==    by 0xB2CCF26: (anonymous namespace)::Interpreter::evaluate(AST const*, unsigned int) (vm.cpp:2095)
==125753==
==125758==  Address 0xdb65020 is 16 bytes after a block of size 112 free'd
==125758==    at 0x4C2A360: operator delete(void*) (vg_replace_malloc.c:507)
==125758==    by 0xB2A93A6: pop_front (stl_list.h:1015)
==125758==    by 0xB2A93A6: pop (parser.cpp:100)
==125758==    by 0xB2A93A6: (anonymous namespace)::Parser::parse(int) (parser.cpp:863)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)
==125758==    by 0xB2A9100: (anonymous namespace)::Parser::parse(int) (parser.cpp:820)

@sparkprime
Member

Ok how about a reproduction case, or if you like we can meet up in NYC and debug it together.

@Quentin-M
Author

Quentin-M commented Aug 18, 2016

Hi,

Unfortunately, I won't be back in NYC for a few months. I'll try to create a reproduction case!
Have a nice day.

Edit (Aug 22): Met on Google Hangout to share reproduction case.

@sparkprime
Member

Are you still getting segfaults? I found that once I was running the new build (which was not the case originally because I had to clean out Python's eggs) the segfault went away. There were lingering valgrind errors but they all seemed to be coming from Python (false positives or actual bugs, who knows).
