Mantis Bug Tracker

ID: 0004234
Project: OCaml
Category: OCaml general
View Status: public
Date Submitted: 2007-03-20 00:14
Last Update: 2007-03-26 20:00
Reporter: MatthewFluet
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version:
Fixed in Version: 3.10+dev
Summary: 0004234: out-of-range bugs in globroots.c
Description: There appears to be a bug in the management of global roots, related to registering very many global roots.

I see a segmentation fault (on both amd64-linux and x86-darwin) with the following program:

crash.c:
/**********/
#include <stdlib.h>

#include "caml/mlvalues.h"
#include "caml/memory.h"

struct crash_s {
  value v;
};

/* Called from OCaml as `crash_fn : unit -> unit`, so it takes and returns
   a `value` (Val_unit) rather than void. */
value crash_fn(value unit) {
  struct crash_s* p;
  p = (struct crash_s*) malloc(sizeof(struct crash_s));
  if (p == NULL) return Val_unit;
  /* Give the slot a valid OCaml value before the GC can see it as a root. */
  p->v = Val_unit;
  /* Register and immediately remove the root; every registration goes
     through random_level in globroots.c, where the report locates the bug. */
  caml_register_global_root(&(p->v));
  caml_remove_global_root(&(p->v));
  free(p);
  return Val_unit;
}
/**********/

crash.ml:
(**********)
external crash_fn : unit -> unit = "crash_fn"

(* Tail-recursive, so it keeps calling crash_fn until the runtime crashes. *)
let rec crashLoop () = (crash_fn (); crashLoop ())

let _ = crashLoop ()
(**********)
Additional Information: I believe that the issue arises from the fact that the random_level function of byterun/globroots.c may return the value 15 (or 16), but all of the arrays have size MAX_LEVELS (= 15), so accessing index 15 (or 16) yields undefined results.

Furthermore, despite the Assert in the random_level function, random_level may return the value 16 (observed by repeatedly calling random_level).

Indeed, if r is set equal to 0xFFFFFFFFU by the PRNG, then random_level will return 16.

Nonetheless, the fix seems clear:
Change
  #define MAX_LEVELS 15
to
  #define MAX_LEVELS 16
and change array declarations
  ty arr[MAX_LEVELS];
to
  ty arr[MAX_LEVELS+1];
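Added example, not code from this report or from the OCaml runtime: a reconstruction of the level generator the report describes, written under one assumption, that the 32-bit PRNG word is consumed two bits per level (the reading under which 0xFFFFFFFFU gives 16). It shows why arrays of MAX_LEVELS = 15 entries get indexed out of range, how many slots the MAX_LEVELS+1 proposal yields, and how rare the offending draw is, which is why the reproducer needs a tight loop. All names, constants and sample words are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not the globroots.c source. Assumption: the 32-bit
 * PRNG word is consumed two bits at a time and the level grows while the
 * leading pair is 11. That is what makes 0xFFFFFFFFU yield level 16. */

#define MAX_LEVELS_BUGGY 15   /* array size the report says is too small */
#define MAX_LEVELS_FIXED 16   /* the report's proposal: arrays of MAX_LEVELS+1 */

/* Level derived from one PRNG word; possible results are 0..16. */
static int level_from_word(uint32_t r) {
  int level = 0;
  while ((r & 0xC0000000U) == 0xC0000000U) {
    level++;
    r <<= 2;                 /* drop the two bits just examined */
  }
  return level;
}

/* Largest level the generator can emit: 32 bits / 2 bits per level = 16. */
static int max_level(void) {
  return level_from_word(0xFFFFFFFFU);
}

/* Is `level` a valid index into an array declared with `nslots` entries? */
static int index_in_bounds(int level, int nslots) {
  return level >= 0 && level < nslots;
}

/* Number of slots an array needs so that every possible level is in bounds. */
static int slots_needed(void) {
  return max_level() + 1;
}

/* Defensive variant: clamp at the array edge instead of trusting an Assert
 * that release builds compile out. A mitigation, not the underlying fix. */
static int level_clamped(uint32_t r, int nslots) {
  int level = level_from_word(r);
  return level >= nslots ? nslots - 1 : level;
}

/* Expected draws before some level >= k shows up. Each extra level needs
 * two more leading 1-bits, so P(level >= k) = 4^-k for uniform words. */
static uint64_t expected_draws_for_level(int k) {
  return (uint64_t)1 << (2 * k);
}

/* How many of the given words would index past an array of `nslots`. */
static unsigned count_out_of_range(const uint32_t *words, size_t n, int nslots) {
  unsigned bad = 0;
  for (size_t i = 0; i < n; i++)
    if (!index_in_bounds(level_from_word(words[i]), nslots)) bad++;
  return bad;
}

int main(void) {
  /* Constructed PRNG words chosen to hit the edge levels 0, 1, 14, 15, 16. */
  const uint32_t sample[] = {
    0x00000000U, 0x7FFFFFFFU, 0xC0000000U, 0xFFFFFFF0U, 0xFFFFFFFCU, 0xFFFFFFFFU
  };
  size_t n = sizeof sample / sizeof sample[0];

  for (size_t i = 0; i < n; i++) {
    int level = level_from_word(sample[i]);
    printf("word 0x%08X -> level %2d  (fits in %d slots: %s)\n",
           sample[i], level, MAX_LEVELS_BUGGY,
           index_in_bounds(level, MAX_LEVELS_BUGGY) ? "yes" : "NO");
  }
  printf("max level %d, so arrays need %d slots (MAX_LEVELS+1 with MAX_LEVELS=%d)\n",
         max_level(), slots_needed(), MAX_LEVELS_FIXED);
  printf("out of range with %d slots: %u; with %d slots: %u\n",
         MAX_LEVELS_BUGGY, count_out_of_range(sample, n, MAX_LEVELS_BUGGY),
         MAX_LEVELS_FIXED + 1, count_out_of_range(sample, n, MAX_LEVELS_FIXED + 1));
  printf("expected draws to reach level 15: %llu, level 16: %llu\n",
         (unsigned long long)expected_draws_for_level(15),
         (unsigned long long)expected_draws_for_level(16));
  return 0;
}
```

The clamp in level_clamped only keeps the index inside the array; it does not replace the size fix, because a clamped level silently changes the distribution the structure was designed for. The expected-draw counts (about 1.07e9 for level 15) explain why a single registration never shows the problem while an unbounded register/remove loop does.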
Tags: No tags attached.
Attached Files

- Relationships

- Notes
(0003981)
MatthewFluet (reporter)
2007-03-20 00:17

Oops, failed to change Category to "OCaml general".
(0003994)
doligez (administrator)
2007-03-26 20:00

This will be fixed for 3.10.
Thanks for the nice report.

- Issue History
Date Modified Username Field Change
2007-03-20 00:14 MatthewFluet New Issue
2007-03-20 00:17 MatthewFluet Note Added: 0003981
2007-03-26 15:00 doligez Category Caml-light => OCaml general
2007-03-26 20:00 doligez Note Added: 0003994
2007-03-26 20:00 doligez Status new => closed
2007-03-26 20:00 doligez Resolution open => fixed
2007-03-26 20:00 doligez Fixed in Version => 3.10+dev

