OCaml SIGSEGV in invert_pointer_at() (OCaml Garbage Collector / Compaction) #7431
Comments
|
Comment author: @gasche Wow, thanks for the reproduction work. Have you contacted the Unison maintainers and Richard Jones, as the OCaml package for Fedora and pointed them at this issue report? They may have additional insights (I'm no GC expert but my impression is that a segfault in compaction can easily be caused by any other source of memory corruption in the process, not necessarily the GC code itself, it is rather that this GC phase touches a lot of memory). |
|
Comment author: alexmarkley gasche, thanks for responding! Actually you're the first person to respond directly to any of my bug reports. Since my troubleshooting has lead me deeper and deeper, I am thinking of adjusting my Redhat Bugzilla issue, so that it is a report against the ocaml package instead of a report against the unison package. After all, the ocaml package is probably used by quite a bit more people, so I would imagine it will get more exposure that way. Also, I am quite aware how memory-intensive this kind of operation must be. In fact, since I'm running this on a brand-new laptop, I have been worried that this may actually be pointing to a hardware problem. However, so far, tools like memtest86+ have not reported any issues! My other sneaking suspicion is that the compiler is producing broken code again. Fedora 25 ships with GCC 6.2.1, which is another major update to the compiler, and I'm not confident the dust has fully settled from all of this: https://fedoraproject.org/wiki/Changes/GCC6 http://www.phoronix.com/scan.php?page=news_item&px=Fedora-GCC6-Rebuild-Results I am currently in the process of building OCaml 4.04.0 with all optimizations disabled. Keeping my fingers crossed that this will "magically" fix the problem. As always, any insight is greatly appreciated. |
|
Comment author: alexmarkley I rebuilt OCaml 4.04.0 with all GCC optimizations disabled. (My methodology for doing so can be discussed in more depth if that is of interest.) I was able to reproduce the segfault again, and interestingly it landed in a different spot: [alex@obsidian ~]$ gdb /usr/local/bin/unison Thread 1 (process 9136): |
|
Comment author: @mshinwell Can you confirm that when you disabled GCC optimisation, for building OCaml, that you did not remove the "-fno-strict-aliasing -fwrapv" compiler flags? These are needed to ensure correct compilation (and the former may be even more important for GCC 6). In the OCaml source tree without GCC optimisation enabled please enter the testsuite/ directory and run "make all". Do any of the tests fail? |
|
Comment author: alexmarkley @shinwell, thanks for your attention to this issue! My methodology for removing GCC optimization was to remove -O flags only. The following files and variables were modified:
I ran the test suite as you suggested. Both with GCC optimizations and without, the results were exactly the same: Summary: List of skipped tests: |
|
Comment author: alexmarkley Also of note for this issue, one of the Unison developers suggested that the issue may be a stack overflow: bcpierce00/unison#48 (comment) However, I carefully tested for and eliminated that possibility using a sequence of tests described here: bcpierce00/unison#48 (comment) I am still open to any suggestion for troubleshooting steps and/or feedback on my troubleshooting so far. Steps I am currently pursuing:
|
|
Comment author: @gasche I don't have experience building unison but their makefiles appear to have a NATIVE variable that you could set to 'false' to get a bytecode executable (DEBUGGING=true might also help diagnose a problem, although it is mostly useful to generate OCaml stack traces using OCAMLRUNPARAM=b, I'm not sure it makes a difference when you have a core dump). |
|
Comment author: @mshinwell I'm making a few investigations into this problem, but in the meantime, I think it would be useful to try to rule out the C compiler change. Can you try to build an old version of GCC and use that? I believe 4.4.7 is OK for OCaml compilation, but I'm not sure if it will build on your system. However try to stick to a 4.x version if you can. This should be fairly easy. You need dev packages for GMP and MPFR which there should be Fedora packages for. Then download the source and make a build directory which must be outside of the extracted source tree. From the build directory I think you do: ../gcc-4.4.7/configure --prefix=/path/to/install Then just add /path/to/install to your path and rebuild OCaml and Unison. Does it still fail? |
|
Comment author: @mshinwell I suspect this is not the source of the problem, but it's quite hard to think about so just in case: In src/bytearray_stubs.c line 32, in the Unison tree, there is this code: char *src = String_val(s) + Int_val(i); I think this is wrong. [i] is the offset into a string, which might be large; in particular, it might be so large that the result of the "(int)" cast inside "Int_val" might be a negative number (since on your platform "int" is probably only 32 bits wide, and I imagine your platform is 64 bit). It should be "Long_val" instead. |
|
Comment author: alexmarkley @gasche, thanks for the find in the Unison Makefile. I'll give that a try if/when I move on to attempting non-native OCaml execution. @shinwell, regarding the Int_val vs. Long_val, that's a great catch. I tried re-building Unison with Long_val on line 32 of src/bytearray_stubs.c and unfortunately it did not fix the problem. (Regardless, if you think Long_val is the more appropriate way to go, I will probably open a pull request against the Unison project and see if they accept it.) Regarding building an older compiler, GCC 4.4.7 would not compile for me. However, GCC 5.4.0 DID compile okay, so I got that installed in an isolated corner of my system and I am in the process of attempting to reproduce the bug on Fedora 25 on GCC 5. In addition to all of this, I did manage to build another system with enough disk space to test this issue. It's another x86_64 machine, but for my first test, it was running Ubuntu 16.04. Interestingly, I was able to successfully run the initial Unison synchronization (the entire 1TB+ replica) to the Ubuntu machine with Ocaml 4.04.0 and Unison git master. I was able to do this with GCC 5.4 (included with Ubuntu 16.04) AND GCC 6.2 (from the toolchain test PPA: https://launchpad.net/~ubuntu-toolchain-r/+archive/ubuntu/test?field.series_filter=xenial ). So I think I was able to confirm that nothing about the data set itself (nor the size of the data set) was causing the Unison codebase to segfault. My next step is to more thoroughly examine the GCC bug option by attempting to eliminate the issue on my laptop running Fedora 25 by using GCC 5.4. In parallel, I am going to continue to attempt to reproduce the issue on the new desktop by installing Fedora 25 and using GCC 6.2, which would reduce or eliminate the likelihood of a hardware bug. |
|
Comment author: @mshinwell I do think Long_val is correct in that circumstance, yes. |
|
Comment author: alexmarkley Another update here: I was able to reproduce the bug on completely separate hardware. A desktop machine running Fedora 25 segfaulted while synchronizing the replica this afternoon. Also, I did build GCC 5 on my laptop and used that to build OCaml 4.04.0 (and then used that to build Unison git master). Unfortunately, this did not make the problem go away. What does this mean? Well, while I'm more sure than ever now that I'm dealing with a software bug (as opposed to a hardware bug), I'm now starting to think that the issue is deeper than I previously thought. ldd says that the native unison binary requires the following shared libraries: Presumably the issue could be:
As always, feedback is welcome. |
|
Comment author: @mshinwell You said you'd run this successfully on earlier versions of Fedora. Can you tell us the most recent version of Fedora on which this works? (e.g. 24 maybe?) |
|
Comment author: @chambart If it is a GC or binding bug, it might be possible to narrow the search space by using the debug runtime. |
|
Comment author: @gasche (That is, compiling the compiler distribution with the --with-debug-runtime configure option.) |
|
Comment author: @mshinwell You need to do both what @gasche and @chambart said, if I remember correctly. |
|
Comment author: alexmarkley @shinwell, I'm not positive when the most recent version of fedora was that I ran Unison in client mode. (The other client host I use a lot is Mac OS X.) It was probably not any earlier than Fedora 22. I expect I will continue using my repurposed desktop for testing, attempt to reproduce the issue on Fedora 24, and work backward from there. The other factor here which might muddy the water a bit is that my home directory replica has been growing rapidly for the past couple of years, so if this issue only crops up when Unison is running for multiple hours I'm not super confident that I would have been affected by this issue in the past. @chambart & @gasche, thank you for letting me know about this option. I was not aware of this, so I will definitely add this to my list. I was also thinking of engaging Valgrind as another deep-dive debugging tool. It can be really helpful in getting early warnings when things start to go off the rails. The disadvantage for me is that I don't know anything about the OCaml language or runtime internals, so the results might be hard to interpret. The other option I'm pursuing at this moment is running OCaml & Unison in 32-bit mode on my laptop. Fedora supports installing i686 binaries from the package manager side-by-side with 64-bit binaries, so it was pretty easy to install all of the prerequisite libraries and get OCaml to build in i686 mode. My rationale here is that the i686 instruction set is pretty different from the x86_64 instruction set, so if the problem is still reproducible in i686 mode, that may indicate a real code bug (as opposed to a compiler regression). |
|
Comment author: alexmarkley Quick update: I was able to reproduce the issue in i686 mode. Produced the following backtrace: ===SNIP=== Thread 1 (process 9392): I am also working now on running Unison within the OCaml debug runtime within Valgrind to see if I can't get more info. |
|
Comment author: @gasche I'm not super-familiar with Valgrind's precise guarantees, but I expect that one limitation of it for OCaml programs is that it probably isn't able to notice memory read/writes that violate OCaml's memory model (in terms of gc-expectations etc.) but occur within GC-owned memory. (A tool that could be interesting to use is an overflow-sanitizer, in case the issue here is overflow-related.) |
|
Comment author: @mshinwell Yeah, I'm unsure valgrind will be of much help here. I think there may be a lot of spurious warnings generated as well, from what I remember last time I tried to use it. |
|
Comment author: alexmarkley So initially I tried reproducing the problem running the OCaml debug runtime inside of valgrind. However, the combined performance hit from both worked out to something like a factor of ten, and the ETA of the experiment was over 24 hours. So instead I broke them up and ran Unison with the OCaml debug runtime separately from the Valgrind experiment. The OCaml debug runtime finished already, and I have uploaded the output to this issue. ( https://caml.inria.fr/mantis/file_download.php?file_id=1648&type=bug ) Unison's output contains a lot of sensitive/personal information, so I redacted the output quite a lot. Most everything that remains is the debug runtime's chatter. I was concerned about the exception at the end -- I've never seen that before. But I couldn't tell if it terminated the program or not. It looks like Unison might have finished successfully. Regardless, the segmentation fault definitely did not occur, which definitely escalates this issue to my very favorite kind of bug: https://en.wikipedia.org/wiki/Heisenbug Regarding Valgrind, which is still running, I have had some success with it in the past detecting early causes or symptoms of memory corruption. Obviously the limitations @gausche mentions are salient -- if you are scribbling on your own memory, nobody cares but you. However, if we go on the assumption that the OCaml heap-related functions are well debugged and probably bug-free (especially likely, since the segfault is happening everywhere), it seems reasonable to expect that the root cause of the bug is memory corruption happening earlier, forming garbage input or garbage state, causing the later code to go crazy. I've seen a really subtle, off-by-one-byte overflow issue go unnoticed in a codebase for YEARS because it so rarely caused any issues. But then on one platform it would cause a stack corruption that would crash the program (of course many many calls later) so we had to track it down and fix it. @shinwell, regarding Valgrind's spurious errors, that often depends on third-party code. I have seen cases where graphically-enabled code gets lots of warnings due to passing buffers back and forth with kernel drivers (deep in third party libraries usually). Usually those warnings/errors can be suppressed so you can focus on the issue(s) at hand. |
|
Comment author: alexmarkley Valgrind finished, and I'm optimistic that it may have uncovered the root cause of the segfaults. I've uploaded the full transcript (personal information redacted as described before) here: https://caml.inria.fr/mantis/file_download.php?file_id=1649&type=bug However, everything is explained pretty clearly in the error summary at the bottom: ==20579== ERROR SUMMARY: 528 errors from 3 contexts (suppressed: 0 from 0) I'm still analysing these errors to determine what exactly they indicate. I initially thought they were simple off-by-one read overflows, but now I'm wondering if these are read-after-free errors. To make the backtraces clearer I'm going to rebuild OCaml without optimization (using the method described above) and reproduce these error messages. The documentation here: ( http://valgrind.org/docs/manual/quick-start.html ) and here: ( http://valgrind.org/docs/manual/mc-manual.html#mc-manual.errormsgs ) should be especially helpful. This is all so great! I'm very optimistic that this may be a simple bug after all. |
|
Comment author: alexmarkley The unoptimized run finished. I've uploaded the (redacted) transcript here: https://caml.inria.fr/mantis/file_download.php?file_id=1650&type=bug The relevant portions (error summary) is here: ==27863== ERROR SUMMARY: 448 errors from 3 contexts (suppressed: 0 from 0) |
|
Comment author: alexmarkley Based on the Valgrind documentation, it definitely looks like all three of these issues are read-after-free errors. |
|
Comment author: alexmarkley Taking a quick look at these backtraces, one common denominator I see is this: ==27863== by 0x4DA418: ml_unmarshal_from_bigarray (bytearray_stubs.c:25) It jumps out at me because it's within the Unison codebase. Is it possible that Unison is doing something funky or deprecated with the OCaml internals API that is causing this issue? I might need someone who knows OCaml internals to look at this -- I'm going to be pretty useless from here on out. |
|
Comment author: @gasche There was a change to the OCaml implementation of marshaling in I looked at Unison (un)marshalling code (included for reference at the On the other hand, there seems to be logic in Unison that checks the So it is theoretically possible that this mismatch could be a cause of
So it seems unlikely to me that this is the cause of the issue, but we
|
|
Comment author: @mshinwell Thanks for the valgrind output, which was very helpful. I think this may be a bug in Unison. I conjecture that it unmarshals data from a bigarray which, immediately after the call to [Bytearray.unmarshal], is dead in the OCaml code (in the liveness sense). The C variable in bytearray_stubs.c, function ml_unmarshal_from_bigarray, that holds the bigarray value is not registered as a root despite the fact that data is being read from memory managed by that bigarray. As such, if an allocation triggers during unmarshalling as we can see happened in the valgrind trace above, the memory being unmarshalled from could presumably be overwritten before unmarshalling finishes. Try this: diff --git a/src/bytearray_stubs.c b/src/bytearray_stubs.c CAMLprim value ml_unmarshal_from_bigarray(value b, value ofs)
CAMLprim value ml_blit_string_to_bigarrayI suspect this has always been a bug but was previously unlikely since bigarrays were only finalised by the major GC. #92 changed that. However that patch I believe is in 4.03 so I'm not sure why it wasn't seen there. Quite possibly just chance. |
|
Comment author: alexmarkley @shinwell, thanks for the patch! This sounds like a reasonable theory. I have a couple of experiments running right now, but as soon as they are done I will try this patch. |
|
Comment author: alexmarkley @shinwell, I got the following: ocamlopt: bytearray_stubs.c ---> bytearray_stubs.o
I'm investigating now, but if you have any pointers on how to get this to correctly build & link, that would be great. |
|
Comment author: alexmarkley Never mind! A quick grep through the ocaml codebase revealed the symbols as macros defined in caml/memory.h. Testing now... |
|
Comment author: alexmarkley @shinwell, this patch does not solve this issue. I will see if I can produce another valgrind trace with the patch in place, but for the moment I am operating under the assumption that the patch did not affect this issue. |
|
Comment author: @mshinwell Another valgrind trace taken with that patch applied would be useful, thanks. |
|
Comment author: alexmarkley @shinwell, I was attempting to do precisely that, but now I am somewhat confused. My first attempt to reproduce the problem with Valgrind + the patch failed with a segfault and complaints about a stack overflow (a completely different issue). So then I bumped up my stack limit and re-ran the process -- but this time it ran to completion and produced this: ==13604== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) So now I'm wondering if my initial report of "not fixed" was a false positive due to a stack overflow. I'm going to need to back up and re-run an experiment or two to reassess. |
|
Comment author: alexmarkley @shinwell, I can confirm that the proposed patch fixes the issue for me! Thanks everybody. |
|
Comment author: @mshinwell OK, I'm going to close this issue then. Please submit the two patches to Unison if you could. Thanks for your help debugging this issue. |
Original bug ID: 7431
Reporter: alexmarkley
Assigned to: @mshinwell
Status: closed (set by @mshinwell on 2016-12-22T07:16:05Z)
Resolution: not a bug
Priority: normal
Severity: crash
Platform: x86_64
OS: Linux
OS Version: Fedora 25
Version: 4.04.0
Category: runtime system and C interface
Bug description
When running the Unison File Synchronizer (a project written in OCaml: https://www.cis.upenn.edu/~bcpierce/unison/index.html ) against a large replica (1TB), I am encountering a showstopping segfault every single time.
I have tried multiple versions of Unison, including stable versions which were working fine for me in the past and newer beta versions.
I initially tried the official Fedora builds of OCaml (4.02.3-3) and when I was having no success with those, I removed them from my system and I built/installed OCaml 4.04.0 myself.
I finally got a really good backtrace (included in this report) running OCaml 4.04 and Unison git master. As you can see, the segmentation fault occurred within the OCaml heap compaction portion of the garbage collection routine.
It is worth noting that I never had this problem in earlier releases of Fedora, even with the same or earlier versions of OCaml and Unison. (I'm not sure what this implies, except that perhaps the bug is actually being triggered by a lower-level system component, like GCC or a system library.)
Related bug reports:
https://bugzilla.redhat.com/show_bug.cgi?id=1401759
bcpierce00/unison#48
Steps to reproduce
NOTE: These steps may only successfully reproduce the issue if the client is running Fedora 25 on x86_64, and if both OCaml and Unison were built on that machine.
Create a large, complicated dataset on the server for Unison to synchronize. Ideally this will be over 1TB in size and require over 2 hours to transfer.
Perform a synchronization between the client and the server, requiring the majority of the data to be transferred from the server to the client. (This mimics initial synchronization of a new hub/spoke node.)
Observe the client fails to synchronize the entire dataset. Client is terminated with SIGSEGV.
Additional information
===SNIP===
/home/alex/Temp/galculator-2.1.3/intltool-extract.in has already been transferred
/home/alex/Temp/galculator-2.1.3/intltool-merge.in has already been transferred
/home/alex/Temp/galculator-2.1.3/intltool-update.in has already been transferred
33% 100:25 ETA
Program received signal SIGSEGV, Segmentation fault.
0x00000000004ec76b in invert_pointer_at (p=p@entry=0x7fffd38c7b28) at compact.c:90
90 compact.c: No such file or directory.
(gdb) thread apply all bt full
Thread 1 (process 19298):
#0 0x00000000004ec76b in invert_pointer_at (p=p@entry=0x7fffd38c7b28) at compact.c:90
val = 140736742586384
hp = 0x7461705f77617264
q = 140736742586416
#1 0x00000000004ec90c in do_compaction () at compact.c:228
q =
i =
sz = 6
t =
infixes =
p = 0x7fffd38c7b10
ch = 0x7fffbf2fc000 "\363\273M"
chend = 0x7ffff09f1000 ""
#2 0x00000000004ecdea in caml_compact_heap () at compact.c:426
target_wsz =
live =
#3 0x00000000004ed24a in caml_compact_heap_maybe () at compact.c:547
fw =
fp = 170.748871
#4 0x00000000004daf4a in caml_major_collection_slice (howmuch=howmuch@entry=-1) at major_gc.c:785
p = 0.0043600637275738388
dp =
filt_p = 0.0043600637275738388
spend =
computed_work = 1522479
i =
#5 0x00000000004dbedf in caml_gc_dispatch () at minor_gc.c:463
trigger =
#6 0x00000000004dbf77 in caml_check_urgent_gc (extra_root=) at minor_gc.c:482
caml__frame = 0x0
caml__roots_extra_root = {next = 0x0, ntables = 1, nitems = 1, tables = {0x7fffffffd758, 0x7fffffffd870, 0x4dc96a <caml_alloc_shr+170>, 0x22, 0x7fff9d02f6b0}}
#7 0x00000000004dcfe5 in caml_alloc_string (len=65497) at alloc.c:103
result =
offset_index =
wosize = 8188
#8 0x000000000047205c in camlBytearray__sub_1422 () at /root/unison-git/src/bytearray.ml:63
No locals.
#9 0x0000000000447812 in camlTransfer__receiveRec_1568 () at /root/unison-git/src/transfer.ml:295
No locals.
#10 0x0000000000427cef in camlCopy__decompr_2936 () at /root/unison-git/src/transfer.ml:304
No locals.
#11 0x0000000000426bca in camlCopy__fun_3367 () at /root/unison-git/src/copy.ml:401
No locals.
#12 0x000000000046cc11 in camlUtil__convertUnixErrorsToExn_1955 () at /root/unison-git/src/ubase/util.ml:170
No locals.
#13 0x000000000043f46a in camlRemote__processStream_2291 () at /root/unison-git/src/remote.ml:664
No locals.
#14 0x000000000043fe26 in camlRemote__fun_4468 () at /root/unison-git/src/remote.ml:732
No locals.
#15 0x0000000000464e4d in camlLwt__apply_1225 () at /root/unison-git/src/lwt/lwt.ml:75
No locals.
#16 0x000000000046510e in camlLwt__fun_1451 () at /root/unison-git/src/lwt/lwt.ml:94
No locals.
#17 0x000000000048d101 in camlList__iter_1252 () at list.ml:77
No locals.
#18 0x0000000000464b2e in camlLwt__restart_1211 () at /root/unison-git/src/lwt/lwt.ml:31
No locals.
#19 0x000000000046182e in camlLwt_unix_impl__fun_2430 () at /root/unison-git/src/lwt/generic/lwt_unix_impl.ml:153
No locals.
#20 0x000000000048d101 in camlList__iter_1252 () at list.ml:77
No locals.
#21 0x0000000000461671 in camlLwt_unix_impl__run_1579 () at /root/unison-git/src/lwt/generic/lwt_unix_impl.ml:148
No locals.
#22 0x000000000040e80a in camlUitext__doTransport_1863 () at /root/unison-git/src/uitext.ml:490
No locals.
#23 0x000000000040f84e in camlUitext__doit_1922 () at /root/unison-git/src/uitext.ml:556
No locals.
#24 0x0000000000410034 in camlUitext__synchronizeOnce_1968 () at /root/unison-git/src/uitext.ml:718
No locals.
#25 0x000000000041094a in camlUitext__loop_2237 () at /root/unison-git/src/uitext.ml:788
No locals.
#26 0x0000000000410b4d in camlUitext__synchronizeUntilDone_2242 () at /root/unison-git/src/uitext.ml:810
No locals.
#27 0x0000000000410df7 in camlUitext__start_2249 () at /root/unison-git/src/uitext.ml:870
No locals.
#28 0x00000000004085fa in camlMain__Body_1550 () at /root/unison-git/src/main.ml:241
No locals.
#29 0x0000000000407a93 in camlLinktext__entry () at /root/unison-git/src/linktext.ml:19
No locals.
#30 0x0000000000404369 in caml_program ()
No symbol table info available.
#31 0x00000000004ef12e in caml_start_program ()
No symbol table info available.
#32 0x00000000004ef475 in caml_main (argv=0x7fffffffdca8) at startup.c:145
exe_name =
proc_self_exe = "/usr/local/bin/unison", '\000' <repeats 234 times>
res =
tos = 0 '\000'
#33 0x0000000000403c5c in main (argc=, argv=) at main.c:37
No locals.
(gdb)
===SNIP===
File attachments
The text was updated successfully, but these errors were encountered: