Bug 26514 - Seg fault when mapping array of struct for files bigger than a threshold size
Summary: Seg fault when mapping array of struct for files bigger than a threshold size
Status: RESOLVED FIXED
Alias: None
Product: poke
Classification: Unclassified
Component: default
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-21 07:26 UTC by Mohammad-Reza Nabipoor
Modified: 2022-07-11 18:38 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2020-08-21 00:00:00


Description Mohammad-Reza Nabipoor 2020-08-21 07:26:04 UTC
Hi,

A file-size-dependent bug + a double-free bug.
Pay attention to the file sizes (these are thresholds).
Below the threshold everything seems fine.

I found, empirically(!), that `1360 * #Packet` is a good starting point to find
the threshold :D

=== Observation 1

$ dd if=/dev/zero of=/tmp/x bs=1 count=$((1360*12)) # count=16320
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { int i; long j; };
(poke) defvar p = Packet[] @ 0#B;
Segmentation fault (core dumped)


=== Observation 2

$ dd if=/dev/zero of=/tmp/x bs=1 count=$((1360*16)) # count=21760
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { long i; long j; };
(poke) defvar p = Packet[] @ 0#B;
Segmentation fault (core dumped)


=== Observation 3

$ dd if=/dev/zero of=/tmp/x bs=1 count=$(((1360 - 1)*24)) # count=32616
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { long i; long j; long k; };
(poke) defvar p = Packet[] @ 0#B;
Segmentation fault (core dumped)


=== Observation 4

$ dd if=/dev/zero of=/tmp/x bs=1 count=$(((1360 + 2)*8)) # count=10896
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { long i; };
(poke) defvar p = Packet[] @ 0#B;
Segmentation fault (core dumped)


=== Observation 5

New bug: double-free

$ dd if=/dev/zero of=/tmp/x bs=1 count=$(((1360 - 1)*24 - 1)) # count=32615
$ ./run poke
(poke) .file /tmp/x
(poke) deftype Packet = struct { long i; long j; long k; };
(poke) defvar p = Packet[] @ 0#B;
free(): invalid pointer
Aborted (core dumped)

Here's the backtrace:

#0  0x00007fcb3d047355 in raise () from /usr/lib/libc.so.6
#1  0x00007fcb3d030853 in abort () from /usr/lib/libc.so.6
#2  0x00007fcb3d08a878 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007fcb3d091d3a in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007fcb3d093f92 in free_check () from /usr/lib/libc.so.6
#5  0x00007fcb3d433a4d in jitter_stack_finalize_backing (backing=0x558d18da6ff0) at ../../jitter/jitter/jitter-stack.c:73
#6  0x00007fcb3d4238e8 in pvm_state_finalize (jitter_state=0x558d18da6fd0) at ../../libpoke/pvm.jitter:689
#7  0x00007fcb3d417b44 in pvm_shutdown (apvm=0x558d18da6fd0) at ../../libpoke/pvm.c:150
#8  0x00007fcb3d3d38da in pk_compiler_free (pkc=0x558d18dab9f0) at ../../libpoke/libpoke.c:75
#9  0x0000558d183d369a in finalize () at ../../poke/poke.c:289
#10 0x0000558d183d313d in main (argc=<optimized out>, argv=<optimized out>) at ../../poke/poke.c:686



Thanks
Comment 1 Jose E. Marchesi 2020-08-21 07:55:50 UTC
Hi Mohammad.

Thanks for the report.  This is a known issue, and is a consequence of how the `mka' instruction works.  The instruction, used to create array values at the PVM level, requires stacking all the elements of the array in the main data stack.  Jitter stacks are limited, and do not grow, so when the array is big enough, it leads to this segmentation fault.

This will go away once we change the way `mka' works, which is planned.
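An added illustration (not poke's or Jitter's code) of the failure mode described in Comment 1: an array built by pushing every element onto a fixed-size stack fails as soon as the mapped file is large enough, and the only safe version of that push is a bounds-checked one. The capacity, the stack layout and the function names are assumptions; the element counts follow from the file sizes and packed struct sizes in the observations above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed capacity for this model; poke's real Jitter stack size is not
   stated in the report, which only found the limit empirically. */
#define STACK_CAPACITY 1360

/* A fixed-size data stack in the spirit of the Jitter stack Comment 1
   describes: it never grows, so the only safe push is a checked one. */
typedef struct {
    uint64_t slots[STACK_CAPACITY];
    size_t depth;
} data_stack;

/* Checked push: returns 0 on success, -1 instead of writing past slots[].
   An unchecked version of this write is the out-of-bounds access that
   turns an oversized mapping into a crash. */
static int stack_push(data_stack *s, uint64_t v)
{
    if (s->depth >= STACK_CAPACITY)
        return -1;
    s->slots[s->depth++] = v;
    return 0;
}

/* Whole elements that `Packet[] @ 0#B` yields for a file of file_bytes,
   given sizeof(Packet) in bytes (Poke packs structs: int is 4, long is 8). */
static size_t elements_for(size_t file_bytes, size_t packet_bytes)
{
    return file_bytes / packet_bytes;
}

/* Model of an mka-style array build: every element is pushed before the
   array value is created. Returns the element count, or -1 when the
   array needs more stack than exists (the guard the crash shows is missing). */
static long build_array(size_t file_bytes, size_t packet_bytes)
{
    data_stack *s = calloc(1, sizeof *s);
    if (!s)
        return -1;
    size_t n = elements_for(file_bytes, packet_bytes);
    long result = (long)n;
    for (size_t i = 0; i < n; i++) {
        if (stack_push(s, i) < 0) {   /* refuse, do not corrupt memory */
            result = -1;
            break;
        }
    }
    free(s);
    return result;
}
```

Because the capacity here is assumed, the model does not reproduce the exact byte thresholds from the observations; it shows the input-size-dependent limit and the controlled failure a checked push gives instead of a segfault.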
Comment 2 Jose E. Marchesi 2020-11-13 08:57:21 UTC
This should be fixed now in master.
Salud!