
Segfault with lazy empty arrays #5518

Closed
vicuna opened this issue Mar 4, 2012 · 4 comments

vicuna commented Mar 4, 2012

Original bug ID: 5518
Reporter: @sliquister
Status: closed (set by @damiendoligez on 2012-03-06T19:18:15Z)
Resolution: fixed
Priority: normal
Severity: crash
OS: Ubuntu
Version: 3.12.1
Fixed in version: 3.13.0+dev
Category: runtime system and C interface
Monitored by: @hcarty @damiendoligez

Bug description

It also breaks in version 3.11.2.

The following program segfaults in the garbage collector:

let empty = lazy [||]
let _ = Lazy.force empty
let () = Gc.minor ()

Steps to reproduce

Compile with ocamlc or ocamlopt without any particular options.

Additional information

If the lazy value is not forced, it doesn't segfault.
If the array is not empty, it doesn't segfault.
If the empty array is computed rather than a literal, it still segfaults.


vicuna commented Mar 4, 2012

Comment author: @gasche

Confirmed -- also reproduced with reasonably-recent trunk.


vicuna commented Mar 5, 2012

Comment author: @sliquister

On the other hand, this works fine (tested with tags between 1 and 240):

let empty = lazy (Obj.new_block 1 0)
let _ = Lazy.force empty
let () = Gc.minor ()

So it only segfaults for an atom with tag 0.


vicuna commented Mar 5, 2012

Comment author: @sliquister

I would say that the following piece of code from minor_gc is the culprit:
    if (Is_block (f)){
      vv = Is_in_value_area(f);
      if (vv) {
        ft = Tag_val (Hd_val (f) == 0 ? Field (f, 0) : f);
      }
    }

f is the array, and I think Field(f, 0) is called because the header of an
atom with a tag 0 looks a lot like a forwarded header.
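
As an added illustration (not code from the OCaml runtime or from anyone in this thread), the following C model reproduces the ambiguity described above. Under the assumed 3.12 header layout (wosize << 10 | color << 8 | tag), Atom(0), the value of [||], has a header word of exactly 0, which is also the marker the minor GC leaves in a young block it has already copied; the quoted check therefore reads Field(f, 0) out of the atom table and treats that word as a block pointer. The toy arenas and their sizes, the constructed forwarded block, and the `young_only` variant (trusting a zero header only for minor-heap values) are assumptions made for this example, not the change in commit 12194.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the OCaml 3.12 value encoding (an assumption for this
 * illustration, not the runtime's own code). A header word packs
 * wosize << 10 | color << 8 | tag; a value is a word that is either a
 * tagged int (low bit 1) or a pointer to the first field of a block. */
typedef uintptr_t value;
typedef uintptr_t header_t;
typedef unsigned char tag_t;

#define Is_block(v)  (((v) & 1) == 0)
#define Hd_val(v)    (((header_t *)(v))[-1])
#define Field(v, i)  (((value *)(v))[i])
#define Tag_val(v)   ((tag_t)(Hd_val(v) & 0xFF))

static header_t make_header(size_t wosize, unsigned color, tag_t tag) {
    return ((header_t)wosize << 10) | ((header_t)color << 8) | tag;
}

/* Three toy arenas (sizes constructed): the minor heap, a major heap, and
 * the table of zero-size atoms. Atom(0) is what [||] evaluates to. */
static value    minor_heap[16];
static value    major_heap[16];
static header_t atom_table[256];
static bool     inited;

static void ensure_init(void) {
    if (inited) return;
    for (unsigned t = 0; t < 256; t++)
        atom_table[t] = make_header(0, 0, (tag_t)t);  /* wosize 0, white, tag t */
    inited = true;
}

/* Atom(t): the value one word past atom_table[t], so its header is
 * atom_table[t] and "Field(Atom(t), 0)" is the next atom's header word. */
value atom(tag_t t) {
    ensure_init();
    return (value)&atom_table[t + 1];
}

/* Strictly inside an arena, so that the header at [-1] is readable. */
static bool in_range(value v, const void *lo, const void *hi) {
    return v > (uintptr_t)lo && v < (uintptr_t)hi;
}
static bool is_young(value v) { return in_range(v, minor_heap, minor_heap + 16); }
static bool in_value_area(value v) {
    return is_young(v) || in_range(v, major_heap, major_heap + 16)
        || in_range(v, atom_table, atom_table + 256);
}

/* A young block the minor GC has already copied: header overwritten with 0,
 * field 0 now points at the major-heap copy, whose tag is `tag`. */
value make_forwarded_young(tag_t tag) {
    major_heap[0] = make_header(1, 0, tag);   /* header of the copy */
    major_heap[1] = 1;                        /* its one field: Val_int(0), constructed */
    minor_heap[0] = 0;                        /* header == 0 marks "forwarded" */
    minor_heap[1] = (value)&major_heap[1];    /* forwarding pointer */
    return (value)&minor_heap[1];
}

/* Models the lookup in the Forward_tag short-circuit case quoted above.
 * young_only == false follows the 3.12 logic: any in-heap value whose header
 * word is 0 is presumed forwarded and Field(f, 0) is followed.
 * young_only == true trusts a zero header only for minor-heap values (an
 * assumed sufficient check for this toy, not the committed fix).
 * Returns the tag, or -1 where Tag_val would dereference something that is
 * not a block at all: the toy's stand-in for the segfault. */
int forward_target_tag(value f, bool young_only) {
    if (!Is_block(f) || !in_value_area(f)) return 0;  /* not a candidate */
    value target = f;
    if (Hd_val(f) == 0 && (!young_only || is_young(f)))
        target = Field(f, 0);   /* follow the (presumed) forwarding pointer */
    if (!Is_block(target) || !in_value_area(target))
        return -1;              /* wild read: the real Tag_val crashes here */
    return Tag_val(target);
}

int main(void) {
    printf("Atom(0), 3.12 logic:     %d\n", forward_target_tag(atom(0), false));
    printf("Atom(0), young-only:     %d\n", forward_target_tag(atom(0), true));
    printf("Atom(1), 3.12 logic:     %d\n", forward_target_tag(atom(1), false));
    printf("forwarded young, 3.12:   %d\n",
           forward_target_tag(make_forwarded_young(3), false));
    return 0;
}
```

Atom(0) under the 3.12 logic yields -1: its zero header is taken for a forwarding marker, Field(f, 0) returns the next atom's header word (1, which is Val_int(0), not a pointer), and Tag_val would then read at address 1 - sizeof(header_t). Atom(1) and a genuinely forwarded young block classify correctly under both variants, which is why the report sees the crash only for a forced lazy atom of tag 0.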


vicuna commented Mar 6, 2012

Comment author: @damiendoligez

Fixed in trunk (commit 12194).
