Opened 6 years ago

Closed 5 years ago

#723 closed defect (fixed)

using set-finalizer in this loop triggers a OOM panic / segfault

Reported by: ckeen Owned by: felix
Priority: major Milestone:
Component: unknown Version: 4.7.x
Keywords: Cc:
Estimated difficulty:

Description

This innocent looking program crashes:

(use lolevel)

(define (make-stuff)
  (let ((mem (allocate 100)))
    (set-finalizer! mem free)
    mem))

(let lp ((i 0))
  (make-stuff)
  (lp (add1 i)))

This has been confirmed by Peter on NetBSD, I have the situation that it works for me if I add a (print i) before (make-stuff). Peter cannot see the same behaviour on his machine.

I have tried 4.5.0 4.7.0 and master from last week. All show the same strange thing.

Am I misusing this? I stumbled upon it during some allocation in an egg for a FFI buffer...

Change History (12)

comment:1 Changed 6 years ago by ckeen

I managed to get a stacktrace from gdb:

Starting program: /home/ckeen/proj/chicken/doodle/small-test 

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 1287, thread 0x88518400]
0x0b075c74 in really_remark (x=0x7c5bd1e8) at runtime.c:3300
3300        h = p->header;
(gdb) bt
#0  0x0b075c74 in really_remark (x=0x7c5bd1e8) at runtime.c:3300
#1  0x0b075903 in C_rereclaim2 (size=516388, double_plus=0) at runtime.c:3211
#2  0x0b0b31a9 in allocate_vector_2 (dummy=0x2ae686c0) at runtime.c:7003
#3  0x0b0716b7 in CHICKEN_run (toplevel=0x0) at runtime.c:1312
#4  0x0b06f5c6 in CHICKEN_main (argc=1, argv=0xcfbefef8, toplevel=0x1c000df1) at runtime.c:532
#5  0x1c000db8 in main (argc=Cannot access memory at address 0x0
(gdb) p p->header
Cannot access memory at address 0xa9a414
(gdb) p *(C_SCHEME_BLOCK*)h
$5 = {header = 687865857, data = {-2114364416}}

comment:2 Changed 6 years ago by felix

Does this happen with the current HEAD? I can't reproduce this right now (only tried on Windows). What is shown when the code is compiled and run with "-:d" ?

comment:3 Changed 6 years ago by ckeen

gah, this is weird...

(use lolevel)

(define (make-stuff)
  (let ((mem (allocate 1000)))
    (set-finalizer! mem free)
    mem))

(let lp ((i 0))
  (print i)
  (make-stuff)
  (lp (add1 i)))

either one of these version crashes for me now on OpenBSD 32 bit 4.7.0 (sorry I don't have a more recent version there)

The above program does crash with current master on 64 bit linux when adding -O3. With the print output sent to /dev/null I get this:

 ./bla -:d >/dev/null
[debug] application startup...
[debug] heap resized to 500000 bytes
[debug] stack bottom is 0x7ffff803d090.
[debug] entering toplevel toplevel...
[debug] stack resized to 262144 bytes
[debug] entering toplevel library_toplevel...
[debug] entering toplevel build_2dversion_toplevel...
[debug] resizing heap dynamically from 500k to 1032k ...
[debug] entering toplevel eval_toplevel...
[debug] entering toplevel expand_toplevel...
[debug] entering toplevel modules_toplevel...
[debug] entering toplevel lolevel_toplevel...
[debug] entering toplevel srfi_2d69_toplevel...
[debug] resizing heap dynamically from 1032k to 2196k ...
[panic] out of memory - heap full while resizing - execution terminated

...more...
bla.scm:6: set-finalizer!
bla.scm:12: lp
bla.scm:10: print
bla.scm:11: make-stuff
bla.scm:5: allocate
bla.scm:6: set-finalizer!
bla.scm:12: lp
bla.scm:10: print
bla.scm:11: make-stuff
bla.scm:5: allocate
bla.scm:6: set-finalizer!
bla.scm:12: lp
bla.scm:10: print
bla.scm:11: make-stuff
bla.scm:5: allocate
bla.scm:6: set-finalizer! 	<--

comment:4 Changed 6 years ago by sjamaan

Note that it only crashes when compiled! (the OP forgot to mention this)

comment:5 Changed 6 years ago by ckeen

Chicken is after all a compiler in the first place... ;)

comment:6 Changed 6 years ago by sjamaan

I can even reproduce it on my ancient 4.4.0 installation

comment:7 Changed 5 years ago by felix

I suggest to postpone investigating this to after the 4.8.0 release.

comment:8 Changed 5 years ago by felix

  • Milestone 4.8.0 deleted

comment:9 Changed 5 years ago by ckeen

I am now unable to reproduce this anymore...

comment:10 Changed 5 years ago by sjamaan

Still crashes for me

comment:11 Changed 5 years ago by sjamaan

No longer crashes when the patch from here http://lists.nongnu.org/archive/html/chicken-hackers/2012-06/msg00080.html is applied

comment:12 Changed 5 years ago by ckeen

  • Resolution set to fixed
  • Status changed from new to closed

Yep, seems to do the right thing now. Thanks!

Note: See TracTickets for help on using tickets.