search

lambdaclass / cairo_native

A compiler to convert Cairo's intermediate representation "Sierra" code to MLIR.
https://lambdaclass.github.io/cairo_native/cairo_native
Apache License 2.0
116 stars 43 forks source link

Trace Dump: Segmentation Fault #840

Open JulianGCalderon opened 5 days ago

JulianGCalderon commented 5 days ago

When running transaction 0xde5066db6a374038d33b7c89cce4d3e09e6f645bd5b95ec0986713f51e0c69 with trace-dump feature, execution fails with segmentation fault.

This only happens when using trace dump. stacktrace:

(gdb) where
#0  core::ptr::non_null::NonNull<core::ptr::non_null::NonNull<()>>::read<core::ptr::non_null::NonNull<()>> (self=...)
    at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library/core/src/ptr/non_null.rs:922
#1  0x00007ffff25cf336 in cairo_native_runtime::trace_dump::read_value_ptr::{closure#0} ()
    at runtime/src/lib.rs:969
...
...
#14 0x00007ffff1fc870c in cairo_native_runtime::trace_dump::read_value_ptr (
    registry=0x555562299d68, type_id=0x7ffffffa1a30, value_ptr=..., 
    get_layout=0x55555657b8c0 <core::ops::function::FnOnce::call_once<blockifier::execution::native::entry_point_execution::execute_entry_point_call::{closure_env#0}, (&cairo_lang_sierra::ex--Type <RET> for more, q to quit, c to continue without paging--
tensions::core::CoreTypeConcrete, &cairo_lang_sierra::program_registry::ProgramRegistry<cairo_lang_sierra::extensions::core::CoreType, cairo_lang_sierra::extensions::core::CoreLibfunc>)>>)
    at runtime/src/lib.rs:960
#15 0x00007ffff1fc660e in cairo_native_runtime::trace_dump::cairo_native__trace_dump__state (
    trace_id=2, var_id=110, type_id=198, value_ptr=...) at runtime/src/lib.rs:690

The panic occurs when dumping felt dict entries.

JulianGCalderon commented 5 days ago

The segmentation fault happens when dereferencing an invalid pointer inside a DictFelt. I've executed it a few times and the pointer dereference has the value 0x1 or 0x8000000000000001 which is an odd value for a pointer.

The fact that the values changes between 0x1 and 0x8000000000000001 is odd, I don't know what causes this.

My guess is that it is stored in the dictionary as a literal and not as a pointer, which is why dereferencing it fails. We should check libfuncs dict_get and dict_finish as those are probably related with this.

FrancoGiachetta commented 5 days ago

I've run the same transaction and got this message: thread 'main' panicked at /home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/smol_str-0.2.2/src/lib.rs:551:31: range end index 240 out of range for slice of length 23

Couldn't find an explanation to it. Running it with the backtrace points out it might be related to serde_json when trying to parse the trace and failing to do so.