PRL-PRG / UFOs

User Fault Objects: making vectors lazy and forgetful.

Too much freedom #15

Closed kondziu closed 4 years ago

kondziu commented 4 years ago

Now that we have automatic shutdown, I found some problems with it.

R example (create any vector and quit):

/opt/R-3.6.0/bin/R
library(ufoseq)
ufo_seq(1,10,1)
quit()
double free or corruption (fasttop)
Aborted (core dumped)

In fact, it also happens when you just manually run init and shutdown:

library(ufos)
ufos:::ufo_initialize()
ufos:::jeff_goldbloom()
double free or corruption (fasttop)
Aborted (core dumped)

However, it does not happen when running init and shutdown in ufoTest:

./ufoTest 0
./ufoTest 1
./ufoTest 10
kondziu commented 4 years ago

I ran R with gdb and observed when the instance is initialized. It is at location: 0x555557043930. I then put breakpoints on free if its argument is 0x555557043930.

The first time the breakpoint hit, it showed the following backtrace:

#1  0x00007ffff08073be in handlerShutdown (i=0x555557043930, selfFree=true) at userfaultCore.c:123
#2  0x00007ffff080826e in handler (arg=0x555557043930) at userfaultCore.c:385
#3  0x00007ffff5c536db in start_thread (arg=0x7ffff0804700) at pthread_create.c:463
#4  0x00007ffff597c88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

The second time it hit it showed this backtrace:

#0  __GI___libc_free (mem=0x555557043930) at malloc.c:3086
#1  0x00007ffff0808942 in ufAwaitShutdown (instance=0x555557043930) at userfaultCore.c:532
#2  0x00007ffff08089e5 in ufShutdown (instance=0x555557043930, free=true) at userfaultCore.c:549
#3  0x00007ffff0806d3e in ufo_shutdown () at ufos.c:23
#4  0x0000555555644586 in do_dotcall (call=call@entry=0x555557c17490, op=<optimized out>, args=<optimized out>, args@entry=0x555557e93658, env=env@entry=0x555557e93690)
    at dotcode.c:1252
#5  0x000055555567ff69 in bcEval (body=body@entry=0x555557c17538, rho=rho@entry=0x555557e93690, useCache=useCache@entry=TRUE) at eval.c:7283
#6  0x0000555555689270 in Rf_eval (e=0x555557c17538, rho=rho@entry=0x555557e93690) at eval.c:620
#7  0x000055555568af0f in R_execClosure (call=call@entry=0x555557e905f0, newrho=newrho@entry=0x555557e93690, sysparent=<optimized out>, rho=rho@entry=0x555555c14bc0, 
    arglist=arglist@entry=0x555555be2550, op=op@entry=0x555557c178b8) at eval.c:1780
#8  0x000055555568bbbd in Rf_applyClosure (call=call@entry=0x555557e905f0, op=op@entry=0x555557c178b8, arglist=<optimized out>, rho=rho@entry=0x555555c14bc0, 
    suppliedvars=<optimized out>) at eval.c:1706
#9  0x00005555556893fd in Rf_eval (e=e@entry=0x555557e905f0, rho=rho@entry=0x555555c14bc0) at eval.c:743
#10 0x00005555556b844d in Rf_ReplIteration (rho=0x555555c14bc0, savestack=0, browselevel=0, state=0x7fffffffcaa0) at main.c:260
#11 0x00005555556b8811 in R_ReplConsole (rho=0x555555c14bc0, savestack=0, browselevel=0) at main.c:310
#12 0x00005555556b88c2 in run_Rmainloop () at main.c:1086
#13 0x00005555556b8912 in Rf_mainloop () at main.c:1093
#14 0x00005555555bf838 in main (ac=ac@entry=1, av=av@entry=0x7fffffffdbe8) at Rmain.c:29
#15 0x00007ffff587cb97 in __libc_start_main (main=0x5555555bf820 <main>, argc=1, argv=0x7fffffffdbe8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffdbd8) at ../csu/libc-start.c:310
#16 0x00005555555bf86a in _start ()
kondziu commented 4 years ago

Investigating the first free, it happens in handlerShutdown at line 123.

static void handlerShutdown(ufInstance* i, bool selfFree){
  // don't need events anymore
  close(i->epollFd);

  // This should have been done already and we expect this to return an error
  // nobody should write to us anymore
  close(i->msgPipe[1]);

  //Nuke all the objects
  /* ... more code here ... */
  close(i->msgPipe[0]);

  free(i->buffer);

  close(i->ufFd); //Do this last. If something is still (improperly) active this will likely crash the whole program
  if(selfFree)
    free(i); // <--------------- it fails here
}
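The two backtraces above show the same pointer passed to free twice: once by the handler thread (handlerShutdown with selfFree=true) and once by the thread that awaits shutdown (ufAwaitShutdown). The following is an added example, not code from the UFOs repository and not the fix in the commit below: a cut-down model of that handoff in which a control block owned by the creator records, with a single atomic exchange, whether the instance has already been released, so the second caller becomes a no-op instead of a double free. The struct and function names are stand-ins for the real ufInstance/ufShutdown.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

typedef struct { int epollFd; char *buffer; } ufInstance;   /* stand-in for the real struct */

/* Control block owned by the creator. It outlives the instance, so either
 * thread can safely check whether the instance was already released. */
typedef struct {
    ufInstance *i;
    bool handlerFrees;     /* the selfFree flag in the original */
    atomic_bool released;  /* set by whichever side frees first */
    atomic_int frees;      /* instrumentation: how many real frees happened */
} ufControl;

/* Release exactly once: the loser of the exchange sees released==true and
 * leaves the memory alone, so a second caller cannot double free it. */
static int release_instance(ufControl *c) {
    if (atomic_exchange(&c->released, true))
        return 0;                         /* the other side already freed it */
    free(c->i->buffer);
    free(c->i);
    c->i = NULL;
    atomic_fetch_add(&c->frees, 1);
    return 1;
}

/* Handler thread: does its own teardown, then frees only when told to. */
static void *handler(void *arg) {
    ufControl *c = arg;
    if (c->handlerFrees) release_instance(c);
    return NULL;
}

/* One init/shutdown cycle (hypothetical name). Returns how many times the
 * instance was freed: 1 is correct, 2 is the crash reported in this issue,
 * 0 means neither side took ownership and the instance would have leaked. */
int shutdown_cycle(bool handlerFrees, bool awaiterFrees) {
    ufControl c = { .i = calloc(1, sizeof(ufInstance)), .handlerFrees = handlerFrees };
    c.i->buffer = malloc(4096);
    pthread_t t;
    if (pthread_create(&t, NULL, handler, &c) != 0) return -1;
    pthread_join(t, NULL);                /* ufAwaitShutdown: handler is done */
    if (awaiterFrees) release_instance(&c);
    int frees = atomic_load(&c.frees);
    if (!atomic_load(&c.released)) release_instance(&c); /* tidy up the leak case */
    return frees;
}
```

The guard only stops the crash; the ownership rule still has to be decided (whoever awaits shutdown owns the instance and the handler must not self-free in that case), otherwise the handlerFrees=false, awaiterFrees=false configuration leaks.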
kondziu commented 4 years ago

Fixed by 0a7076f398a45b96b0055784bc7a4477a32ec589