SIGSEGV on rust_icu_umsg only on ICU 67.1 #83

Closed
filmil opened this issue May 8, 2020 · 4 comments
Labels
bug Something isn't working

Comments

@filmil
Member

filmil commented May 8, 2020

Repro:

env DOCKER_TEST_ENV=rust_icu_testenv-67 make docker-test
# See it crash, then repeat the run on ICU 67.1 with gdb and the binary, to obtain the back trace
env PKG_CONFIG_PATH=$HOME/local/lib/pkgconfig LD_LIBRARY_PATH=$HOME/local/lib bash -c 'gdb target/debug/deps/rust_icu_umsg-4cf9ad179042bf4d'

Backtrace:

[Switching to Thread 0x7ffff5a39700 (LWP 119163)]
0x00007ffff7b71870 in u_strlen_67 () from /home/fmil/local/lib/libicuuc.so.67
(gdb) bt
#0  0x00007ffff7b71870 in u_strlen_67 () from /home/fmil/local/lib/libicuuc.so.67
#1  0x00007ffff7b6bda2 in icu_67::UnicodeString::doAppend(char16_t const*, int, int) ()
   from /home/fmil/local/lib/libicuuc.so.67
#2  0x00007ffff7b6bd27 in icu_67::UnicodeString::UnicodeString(char16_t const*) ()
   from /home/fmil/local/lib/libicuuc.so.67
#3  0x00007ffff7da0e39 in umsg_vformat_67 () from /home/fmil/local/lib/libicui18n.so.67
#4  0x000055555556b48f in rust_icu_umsg::format_varargs::{{closure}} (va_list=...)
    at rust_icu_umsg/src/lib.rs:384
#5  0x000055555556c7d7 in core::ffi::VaListImpl::with_copy (self=0x7ffff5a37fe8, f=...)
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libcore/ffi.rs:345
#6  0x000055555556bd08 in format_varargs (fmt=0x7ffff5a383c8, args=...) at rust_icu_umsg/src/lib.rs:373
#7  0x000055555556a834 in rust_icu_umsg::tests::basic () at rust_icu_umsg/src/lib.rs:448
#8  0x000055555556c441 in rust_icu_umsg::tests::basic::{{closure}} () at rust_icu_umsg/src/lib.rs:434
#9  0x000055555556d4de in core::ops::function::FnOnce::call_once ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libcore/ops/function.rs:232
#10 0x00005555555962b6 in <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/liballoc/boxed.rs:1034
#11 <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panic.rs:318
#12 std::panicking::try::do_call ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panicking.rs:297
#13 std::panicking::try ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panicking.rs:274
#14 std::panic::catch_unwind ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panic.rs:394
#15 test::run_test_in_process () at src/libtest/lib.rs:541
#16 test::run_test::run_test_inner::{{closure}} () at src/libtest/lib.rs:450
#17 0x000055555556e146 in std::sys_common::backtrace::__rust_begin_short_backtrace ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/sys_common/backtrace.rs:130
#18 0x0000555555573585 in std::thread::Builder::spawn_unchecked::{{closure}}::{{closure}} ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/thread/mod.rs:475
#19 <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panic.rs:318
#20 std::panicking::try::do_call ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panicking.rs:297
#21 std::panicking::try ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panicking.rs:274
#22 std::panic::catch_unwind ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panic.rs:394
#23 std::thread::Builder::spawn_unchecked::{{closure}} ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/thread/mod.rs:474
#24 core::ops::function::FnOnce::call_once{{vtable-shim}} ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libcore/ops/function.rs:232
#25 0x00005555555e6a1a in <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/liballoc/boxed.rs:1034
#26 <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once ()
    at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/liballoc/boxed.rs:1034
#27 std::sys::unix::thread::Thread::new::thread_start () at src/libstd/sys/unix/thread.rs:87
#28 0x00007ffff7a4bfb7 in start_thread (arg=<optimized out>) at pthread_create.c:486
#29 0x00007ffff796119f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) 
@filmil filmil changed the title SIGSEGV on rust_icu_umsg ony on ICU 67.1 SIGSEGV on rust_icu_umsg only on ICU 67.1 May 8, 2020
@filmil
Member Author

filmil commented May 8, 2020

Looks like an ICU bug... details upcoming.

@filmil
Member Author

filmil commented May 8, 2020

Here's a backtrace with debug info for the ICU library.

#0  0x00007ffff7b51870 in u_strlen_67 (s=0xf5616b02 <error: Cannot access memory at address 0xf5616b02>) at ../../icu/icu4c/source/common/ustring.cpp:1000
#1  0x00007ffff7b4bd22 in icu_67::UnicodeString::doAppend (this=0x7ffff5615e08, srcChars=0xf5616b02 <error: Cannot access memory at address 0xf5616b02>, srcStart=0, srcLength=-1) at ../../icu/icu4c/source/common/unistr.cpp:1560
#2  0x00007ffff7b4bca7 in icu_67::UnicodeString::UnicodeString (this=0x7ffff5615e08, text=0xf5616b02 <error: Cannot access memory at address 0xf5616b02>) at ../../icu/icu4c/source/common/unistr.cpp:211
#3  0x00007ffff7d88ef9 in umsg_vformat_67 (fmt=0x7fffec001300, result=0x7fffec020b20 u"", resultLength=1024, ap=0x7ffff5615f48, status=0x7ffff5616144) at ../../icu/icu4c/source/i18n/umsg.cpp:445
#4  0x000055555556bc18 in rust_icu_umsg::format_varargs::{{closure}} (va_list=...) at rust_icu_umsg/src/lib.rs:386
#5  0x000055555556d017 in core::ffi::VaListImpl::with_copy (self=0x7ffff5616128, f=...) at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libcore/ffi.rs:345
#6  0x000055555556c541 in format_varargs (fmt=0x7ffff5616528, args=...) at rust_icu_umsg/src/lib.rs:374
#7  0x000055555556b108 in rust_icu_umsg::tests::empty_args_in_format () at rust_icu_umsg/src/lib.rs:484
#8  0x000055555556cc81 in rust_icu_umsg::tests::empty_args_in_format::{{closure}} () at rust_icu_umsg/src/lib.rs:471
#9  0x000055555556dcde in core::ops::function::FnOnce::call_once () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libcore/ops/function.rs:232
#10 0x0000555555596b26 in <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/liballoc/boxed.rs:1034
#11 <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panic.rs:318
#12 std::panicking::try::do_call () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panicking.rs:297
#13 std::panicking::try () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panicking.rs:274
#14 std::panic::catch_unwind () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panic.rs:394
#15 test::run_test_in_process () at src/libtest/lib.rs:541
#16 test::run_test::run_test_inner::{{closure}} () at src/libtest/lib.rs:450
#17 0x000055555556e9b6 in std::sys_common::backtrace::__rust_begin_short_backtrace () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/sys_common/backtrace.rs:130
#18 0x0000555555573df5 in std::thread::Builder::spawn_unchecked::{{closure}}::{{closure}} () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/thread/mod.rs:475
#19 <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panic.rs:318
#20 std::panicking::try::do_call () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panicking.rs:297
#21 std::panicking::try () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panicking.rs:274
#22 std::panic::catch_unwind () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/panic.rs:394
#23 std::thread::Builder::spawn_unchecked::{{closure}} () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libstd/thread/mod.rs:474
#24 core::ops::function::FnOnce::call_once{{vtable-shim}} () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/libcore/ops/function.rs:232
#25 0x00005555555e728a in <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/liballoc/boxed.rs:1034
#26 <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once () at /rustc/a08c47310c7d49cbdc5d7afb38408ba519967ecd/src/liballoc/boxed.rs:1034
#27 std::sys::unix::thread::Thread::new::thread_start () at src/libstd/sys/unix/thread.rs:87
#28 0x00007ffff7a2bfb7 in start_thread (arg=<optimized out>) at pthread_create.c:486
#29 0x00007ffff794119f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

filmil added a commit to filmil/rust_icu that referenced this issue May 8, 2020
This is the last step in getting rust_icu tested with ICU 67.1  There
are a few pull requests in flight that preempt this one, such as google#75,
but once those are committed, this can go in. (And should pass.)

Fixes google#76, google#83
@filmil
Member Author

filmil commented May 8, 2020

tl;dr: I called umsg_vformat without any arguments.

This caused the code at #3 0x00007ffff7d88ef9 in umsg_vformat_67 (fmt=0x7fffec001300, result=0x7fffec020b20 u"", resultLength=1024, ap=0x7ffff5615f48, status=0x7ffff5616144) at ../../icu/icu4c/source/i18n/umsg.cpp:445 to think there are (checks notes) -335472056 arguments to the fmt, which explains the SIGSEGV (it's trying to index an array by this count).

I think that ICU should make an assertion on count being 0 or greater to avoid this memory safety issue at least. And it should be documented that empty va lists are not allowed.
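
A caller-side guard for the failure described in this comment, as an added example that is not rust_icu or ICU code: before a wrapper hands a va_list to a variadic formatter such as umsg_vformat, it can count the positional arguments the pattern will consume and refuse the call when fewer were supplied. The function names and sample patterns are hypothetical, and the scanner is a simplified reading of MessageFormat syntax (an apostrophe quotes only when directly followed by a brace) that errs toward over-counting.

```rust
// Added illustration; names are hypothetical, patterns below are constructed.

/// Positional arguments a MessageFormat-style pattern consumes: highest `{N}` + 1.
/// Simplified scanner: every unquoted `{` followed by digits counts, so literal
/// sub-message text such as `{1 file}` is over-counted (the call is rejected,
/// which is the safe direction). Named arguments are ignored.
pub fn required_arg_count(pattern: &str) -> usize {
    let chars: Vec<char> = pattern.chars().collect();
    let mut i = 0usize;
    let mut needed = 0usize;
    let mut quoted = false;
    while i < chars.len() {
        match chars[i] {
            '\'' if chars.get(i + 1) == Some(&'\'') => i += 1, // '' is a literal apostrophe
            '\'' if quoted => quoted = false,
            '\'' if matches!(chars.get(i + 1), Some(&'{') | Some(&'}')) => quoted = true,
            '{' if !quoted => {
                let digits: String = chars[i + 1..]
                    .iter()
                    .skip_while(|c| c.is_whitespace())
                    .take_while(|c| c.is_ascii_digit())
                    .collect();
                if !digits.is_empty() {
                    // An index too large to parse forces rejection instead of being skipped.
                    let n = digits.parse::<usize>().unwrap_or(usize::MAX);
                    needed = needed.max(n.saturating_add(1));
                }
            }
            _ => {}
        }
        i += 1;
    }
    needed
}

/// Refuse to build the va_list when the pattern would read past the supplied arguments.
pub fn check_args(pattern: &str, supplied: usize) -> Result<(), String> {
    let needed = required_arg_count(pattern);
    if supplied < needed {
        return Err(format!("pattern needs {} argument(s), {} supplied", needed, supplied));
    }
    Ok(())
}

fn main() {
    // The shape of call from this issue: a pattern with placeholders, no arguments.
    println!("{:?}", check_args("Hello {0}, you have {1,number,integer} messages", 0));
    println!("{:?}", check_args("don't drop {0}", 1));
}
```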

filmil added a commit that referenced this issue May 8, 2020
This is the last step in getting rust_icu tested with ICU 67.1  There
are a few pull requests in flight that preempt this one, such as #75,
but once those are committed, this can go in. (And should pass.)

Fixes #76, #83
@filmil filmil added the bug Something isn't working label May 8, 2020
@filmil
Member Author

filmil commented May 12, 2020

This has been worked around with the "Starts testing with ICU 67.1"

@filmil filmil closed this as completed May 12, 2020