
Coredump in erts_cleanup_offheap for re_run_trap

Open zzydxm opened this issue 1 month ago • 3 comments

Describe the bug: It seems like the re BIF can crash during the cleanup stage of a process; see the stack trace of the coredump we have below.

To Reproduce: We don't have a clean reproducer yet; we will keep this issue posted as we investigate.

Expected behavior: Should not coredump.

Affected versions: OTP 28 at d04f6a0b261cf23e316e48e2febe14b30c592dc5

Additional context: stack

* thread #1, name = 'beam.frmptr.smp', stop reason = SIGSEGV: address not mapped to object (fault address=0xf8ffffffff9)
  * frame #0: 0x000000000073a48a beam.frmptr.smp`get_used_allctr(busy_pcrr_pp=0x00007f4ab7cf79a0, sizep=0x0000000000000000, p=0x00000f9000000001, pref_lock=1, pref_allctr=0x00007f4ac9d997c0) at erl_alloc_util.c:1746:9
    frame #1: 0x000000000073a48a beam.frmptr.smp`erts_alcu_free_thr_pref(type=5347, extra=0x0000000001016ca8, p=0x00000f9000000001) at erl_alloc_util.c:6223:16
    frame #2: 0x0000000000a74aab beam.frmptr.smp`pcre2_free_restart_data_8(mdata=0x000000000111c490) at pcre2_match.c:8648:7
    frame #3: 0x00000000008ff1b8 beam.frmptr.smp`cleanup_restart_context(rc=0x00007f4b35648818) at erl_bif_re.c:747:2 [inlined]
    frame #4: 0x00000000008ff1a8 beam.frmptr.smp`cleanup_restart_context_bin(bp=0x00007f4b356487e0) at erl_bif_re.c:776:5
    frame #5: 0x00000000007d8b14 beam.frmptr.smp`erts_bin_free(bp=<unavailable>) at erl_binary.h:377:14 [inlined]
    frame #6: 0x00000000007d8b00 beam.frmptr.smp`erts_bin_release(bp=<unavailable>) at erl_binary.h:393:9 [inlined]
    frame #7: 0x00000000007d8af0 beam.frmptr.smp`erts_cleanup_offheap_list(first=<unavailable>) at erl_message.c:177:13
    frame #8: 0x00000000007d9b9c beam.frmptr.smp`erts_cleanup_offheap(offheap=<unavailable>) at erl_message.c:190:5 [artificial]
    frame #9: 0x00000000006081bb beam.frmptr.smp`delete_process(p=0x00007f4c4a31aec0) at erl_process.c:13443:5
    frame #10: 0x0000000000626346 beam.frmptr.smp`erts_continue_exit_process(p=0x00007f4c4a31aec0) at erl_process.c:14781:2
    frame #11: 0x00000000006ed891 beam.frmptr.smp`terminate_proc(Value=139971870871434, c_p=0x00007f4c4a31aec0) at beam_common.c:722:5
    frame #12: 0x00000000006ed860 beam.frmptr.smp`handle_error(c_p=<unavailable>, pc=<unavailable>, reg=<unavailable>, bif_mfa=<unavailable>) at beam_common.c:570:5
frame select 2

p *mdata
(pcre2_match_data_8) {
  memctl = {
    malloc = 0x00000000008fdf70 (beam.frmptr.smp`our_pcre2_malloc at erl_bif_re.c:57:1)
    free = 0x00000000008fdb00 (beam.frmptr.smp`our_pcre2_free at erl_bif_re.c:64:1)
    memory_data = 0x0000000000000000
  }
frame select 9

p *(p->current)
(const ErtsCodeMFA)  (module = 15435, function = 36427, arity = 3)

(lldb) p (byte*)&((ErlHeapBits*)(((Atom*) (&erts_atom_table)->seg_table[15435>>16][(15435>>6)&1023])->u.bin-2))->data[0]
(byte *) 0x00007f4aca611d30 "erlang"
(lldb) p (byte*)&((ErlHeapBits*)(((Atom*) (&erts_atom_table)->seg_table[36427>>16][(36427>>6)&1023])->u.bin-2))->data[0]
(byte *) 0x00007f4aca6142c0 "re_run_trap"

zzydxm, Dec 03 '25 01:12

Interesting. Looks like the process exits while yielding inside re:run.

sverker, Dec 04 '25 14:12

I can reproduce SEGV with this code:

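-module(sverker).

-export([go/0]).

go() ->
    %% Large subject (10,000,000 copies of "hejsan") so that re:run/2 has to yield.
    Bin = binary:copy(~"hejsan", 10_000_000),
    {ok, RE} = re:compile(~B"\w+\d", []),
    {Pid, _MRef} = spawn_monitor(fun() -> re:run(Bin, RE) end),
    %% Give the spawned process a chance to start running re:run/2 ...
    erlang:yield(),
    %% ... then kill it while the match is still in progress.
    exit(Pid, kill),
    %% Return the first message received (normally the monitor's 'DOWN').
    receive M -> M end.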

sverker, Dec 04 '25 15:12

Proposed PR #10439. Will hopefully make it into OTP 28.3 next week.

sverker, Dec 04 '25 19:12

We don't see re coredumps anymore with the fix; closing this issue.

zzydxm, Dec 16 '25 16:12