
Segfault when creating a new shaped array

Open MasterDuke17 opened this issue 5 years ago • 6 comments

my num @nums .= new(:shape(3;3;3)); causes a segfault.

Bisectable6 logs https://gist.github.com/Whateverable/4428e43178e957101595baafff6a4b9e and https://gist.github.com/Whateverable/8ca5a4e47d000cabb6a8c974c8563881 point to 090432bb60decd3f31e2de6533e93904dac1f1a7

gdb log:

[dan@alexandria perl6]$ gdb --args ./install/bin/raku -e 'my num @nums .=new():shape(3;3;3);'
GNU gdb (GDB) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./install/bin/raku...
(gdb) r
Starting program: /home/dan/Source/perl6/install/bin/raku -e my\ num\ @nums\ .=new\(\):shape\(3\;3\;3\)\;
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[New Thread 0x7ffff6dfa640 (LWP 1123543)]

Thread 1 "raku" received signal SIGSEGV, Segmentation fault.
copy_elements (tc=0x55555555a0b0, src=0x7ffff7037730, dest=0x7ffff6fb5930, s_offset=0, d_offset=0, elems=3) at src/6model/reprs/VMArray.c:825
825                 switch (s_repr_data->slot_type) {
(gdb) bt
#0  copy_elements (tc=0x55555555a0b0, src=0x7ffff7037730, dest=0x7ffff6fb5930, s_offset=0, d_offset=0, elems=3) at src/6model/reprs/VMArray.c:825
#1  0x00007ffff788d125 in MVM_interp_run (tc=0x0, initial_invoke=0x7ffff70375d8, initial_invoke@entry=0x7ffff7999020 <toplevel_initial_invoke>, invoke_data=0x7ffff70375d8, invoke_data@entry=0x7ffff7999020 <toplevel_initial_invoke>, 
    outer_runloop=outer_runloop@entry=0x0) at src/core/interp.c:2426
#2  0x00007ffff799a184 in MVM_vm_run_file (instance=instance@entry=0x555555559590, filename=filename@entry=0x555555559520 "/home/dan/Source/perl6/install/share/perl6/runtime/perl6.moarvm") at src/moar.c:504
#3  0x00005555555557c4 in main (argc=<optimized out>, argv=0x7fffffffe3a8) at src/vm/moar/runner/main.c:472
(gdb) p s_repr_data
$1 = (MVMArrayREPRData *) 0x0
(gdb) call MVM_dump_backtrace(tc)
   at SETTING::src/core.c/native_array.pm6:1515  (/home/dan/Source/perl6/install/share/perl6/runtime/CORE.c.setting.moarvm:STORE)
 from SETTING::src/core.c/native_array.pm6:31  (/home/dan/Source/perl6/install/share/perl6/runtime/CORE.c.setting.moarvm:STORE)
 from -e:1  (<ephemeral file>:<unit>)
 from -e:1  (<ephemeral file>:<unit-outer>)
 from gen/moar/stage2/NQPHLL.nqp:1946  (/home/dan/Source/perl6/install/share/nqp/lib/NQPHLL.moarvm:eval)
 from gen/moar/stage2/NQPHLL.nqp:2056  (/home/dan/Source/perl6/install/share/nqp/lib/NQPHLL.moarvm:)
 from gen/moar/stage2/NQPHLL.nqp:2055  (/home/dan/Source/perl6/install/share/nqp/lib/NQPHLL.moarvm:command_eval)
 from gen/moar/Compiler.nqp:109  (/home/dan/Source/perl6/install/share/perl6/lib/Perl6/Compiler.moarvm:command_eval)
 from gen/moar/stage2/NQPHLL.nqp:2036  (/home/dan/Source/perl6/install/share/nqp/lib/NQPHLL.moarvm:command_line)
 from gen/moar/rakudo.nqp:127  (/home/dan/Source/perl6/install/share/perl6/runtime/perl6.moarvm:MAIN)
 from gen/moar/rakudo.nqp:1  (/home/dan/Source/perl6/install/share/perl6/runtime/perl6.moarvm:<mainline>)
 from <unknown>:1  (/home/dan/Source/perl6/install/share/perl6/runtime/perl6.moarvm:<main>)
 from <unknown>:1  (/home/dan/Source/perl6/install/share/perl6/runtime/perl6.moarvm:<entry>)
(gdb)

Spotted by @stoned

MasterDuke17 avatar Nov 29 '20 23:11 MasterDuke17

Golfed to:

my int @nums = array[int].new(:shape)

AKA, the shape doesn't matter, but it must be specified. The .= doesn't matter either.

The code is incorrect in that it should probably die in a typecheck, similar to:

my int @nums := array[int].new(:shape)
Type check failed in binding; expected Positional[int] but got array[int] (array[int].new(:shap...)

lizmat avatar Nov 29 '20 23:11 lizmat

Further golfed to:

$ raku -e 'use nqp; nqp::splice(my int @a,array[int].new(:shape),0,1)'
Segmentation fault: 11

so it looks like a problem with nqp::splice()

lizmat avatar Dec 11 '20 14:12 lizmat

The SEGV seems to have disappeared with commit a9490436e649df

dogbert17 avatar Oct 03 '21 14:10 dogbert17

This is still happening:

> r 'my int @nums = array[int].new(:shape)'
fish: Job 29, './rakudo-m --ll-exception -e "$…' terminated by signal SIGSEGV (Address boundary error)

> ./rakudo-m -v
Welcome to Rakudo™ v2024.04-136-g45966a8cd.
Implementing the Raku® Programming Language v6.d.
Built on MoarVM version 2024.04-8-gf1173cb26.

> uname -a
Darwin <omitted>.local 23.4.0 Darwin Kernel Version 23.4.0: Wed Feb 21 21:45:49 PST 2024; root:xnu-10063.101.15~2/RELEASE_ARM64_T6020 arm64

ab5tract avatar May 29 '24 19:05 ab5tract

Thread 1 "rakudo-m" received signal SIGSEGV, Segmentation fault.
0x00007ffff78836c5 in copy_elements (tc=0x3943c020180, src=0x3943c1ca3c8, dest=0x3943c120970, s_offset=0, 
    d_offset=0, elems=1) at src/6model/reprs/VMArray.c:864
864                 MVMuint16 source_kind = slot_type_to_kind(s_repr_data->slot_type);

[...]

(gdb) list copy_elements
834             default:
835                 abort(); /* never reached, silence compiler warnings */
836         }
837     }
838
839     static void copy_elements(MVMThreadContext *tc, MVMObject *src, MVMObject *dest, MVMint64 s_offset, MVMint64 d_offset, MVMint64 elems) {
840         MVMArrayBody     *s_body      = (MVMArrayBody *)OBJECT_BODY(src);
841         MVMArrayBody     *d_body      = (MVMArrayBody *)OBJECT_BODY(dest);
842         MVMArrayREPRData *s_repr_data = REPR(src)->ID == MVM_REPR_ID_VMArray
843                                         ? (MVMArrayREPRData *)STABLE(src)->REPR_data  : NULL;

[...]

#0  0x00007ffff78836c5 in copy_elements (tc=0x3943c020180, src=0x3943c1ca3c8, dest=0x3943c120970, s_offset=0, 
    d_offset=0, elems=1) at src/6model/reprs/VMArray.c:864
864                 MVMuint16 source_kind = slot_type_to_kind(s_repr_data->slot_type);
(gdb) print REPR(src)->ID
$2 = 39
(gdb) print MVM_REPR_ID_MultiDimArray 
$3 = 39

The copy_elements function realizes that it can't get an MVMArrayREPRData from something that isn't a VMArray, but doesn't then later check if the repr_data is null.

A few lines further up in the code it does check if s_repr_data is non-null before trying to see if source and destination have the same slot type, as an optimization, but if the optimization doesn't apply, it does no further checks.

Long story short: copying from anything except VMArray is NYI and will cause a null pointer dereference as long as nqp::elems on the thing it tries to copy from is > 0.

this comes from SETTING::src/core.c/native_array.pm6:934 (/var/home/timo/raku/rakudo/../prefix/share/perl6/runtime/CORE.c.setting.moarvm:STORE)

Ok, after tracking all this down I realize I'm on a super old rakudo and moarvm, so errrrr, take this with a mountain of salt: 2023.04.122.g.149.dd.8801 built on MoarVM version 2023.04.8.gb.9.df.871.d.1

timo avatar May 31 '24 12:05 timo
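The null-check gap described in the comment above, modelled in a constructed C example (this is added illustration, not MoarVM's VMArray.c; the REPR ids, the `Obj`/`ArrayREPRData` structs, and the `would_deref_null`/`copy_elements_checked`/`make_obj` names are placeholders of this example). It shows the lookup that yields NULL for a non-VMArray source, the predicate under which the unguarded slow path would dereference that NULL (non-VMArray source and elems > 0, as the comment states), and a hardened copy that refuses such a source with an error code before any dereference:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the REPR dispatch the thread describes (not
   MoarVM's code): an object carries a REPR id, and only the VMArray REPR
   owns an ArrayREPRData describing its slot type. Ids are placeholders. */
enum { REPR_VMARRAY = 1, REPR_MULTIDIMARRAY = 2 };
enum { SLOT_INT64 = 1, SLOT_NUM64 = 2 };
#define SLOT_CAP 8

typedef struct { int slot_type; } ArrayREPRData;

typedef struct {
    int            repr_id;
    ArrayREPRData *repr_data;      /* meaningful only for REPR_VMARRAY */
    size_t         elems;          /* elements in use */
    int64_t        slots[SLOT_CAP];
} Obj;

enum {
    COPY_OK = 0,
    COPY_ERR_SRC_NOT_VMARRAY  = -1,
    COPY_ERR_DEST_NOT_VMARRAY = -2,
    COPY_ERR_SLOT_MISMATCH    = -3,
    COPY_ERR_BOUNDS           = -4
};

/* Same lookup shape as the quoted gdb listing: a non-VMArray source
   yields NULL instead of a repr_data pointer. */
static ArrayREPRData *array_repr_data(const Obj *o) {
    return o->repr_id == REPR_VMARRAY ? o->repr_data : NULL;
}

/* The crash predicate identified in the comment: repr_data is NULL for the
   source and there is at least one element to copy, so an unguarded slow
   path would dereference the NULL pointer. */
int would_deref_null(const Obj *src, size_t elems) {
    return array_repr_data(src) == NULL && elems > 0;
}

/* Hardened copy: the NULL case is rejected before any use, not only on the
   fast path, and offsets are bounds-checked against the fixed capacity. */
int copy_elements_checked(const Obj *src, Obj *dest,
                          size_t s_offset, size_t d_offset, size_t elems) {
    ArrayREPRData *s = array_repr_data(src);
    ArrayREPRData *d = array_repr_data(dest);

    if (elems == 0)
        return COPY_OK;                    /* nothing to copy, nothing to dereference */
    if (s == NULL)
        return COPY_ERR_SRC_NOT_VMARRAY;   /* unsupported source: refuse instead of crashing */
    if (d == NULL)
        return COPY_ERR_DEST_NOT_VMARRAY;
    if (s->slot_type != d->slot_type)
        return COPY_ERR_SLOT_MISMATCH;     /* the toy model has no cross-kind conversion */
    if (s_offset > src->elems || elems > src->elems - s_offset)
        return COPY_ERR_BOUNDS;
    if (d_offset > SLOT_CAP || elems > SLOT_CAP - d_offset)
        return COPY_ERR_BOUNDS;

    memcpy(&dest->slots[d_offset], &src->slots[s_offset], elems * sizeof(int64_t));
    if (d_offset + elems > dest->elems)
        dest->elems = d_offset + elems;
    return COPY_OK;
}

/* Helper for building sample objects; vals may be NULL for an empty object. */
Obj make_obj(int repr_id, ArrayREPRData *rd, size_t elems, const int64_t *vals) {
    Obj o;
    memset(&o, 0, sizeof o);
    o.repr_id = repr_id;
    o.repr_data = rd;
    o.elems = elems > SLOT_CAP ? SLOT_CAP : elems;
    if (vals)
        memcpy(o.slots, vals, o.elems * sizeof(int64_t));
    return o;
}

int main(void) {
    ArrayREPRData int_rd = { SLOT_INT64 };
    int64_t vals[3] = { 1, 2, 3 };
    Obj src   = make_obj(REPR_VMARRAY, &int_rd, 3, vals);
    Obj dest  = make_obj(REPR_VMARRAY, &int_rd, 0, NULL);
    /* Stand-in for the shaped array[int].new(:shape) source from the golf. */
    Obj multi = make_obj(REPR_MULTIDIMARRAY, NULL, 1, vals);

    printf("vmarray -> vmarray: %d\n", copy_elements_checked(&src, &dest, 0, 0, 3));
    printf("multidim source would crash unchecked: %d\n", would_deref_null(&multi, 1));
    printf("multidim -> vmarray, checked: %d\n", copy_elements_checked(&multi, &dest, 0, 0, 1));
    return 0;
}
```

The point of the hardened version is ordering: the source-kind check happens once, up front, so every later path sees a valid pointer, and an unsupported source becomes an error the caller (here the `STORE` path) can turn into a typecheck failure rather than a SIGSEGV.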

Compiled a fresh moar/nqp/rakudo, now the line for STORE is SETTING::src/core.c/native_array.rakumod:933 (/home/timo/raku/prefix/share/perl6/runtime/CORE.c.setting.moarvm:STORE). I'm on 2024.05.6.g.5.c.10672.ca built on MoarVM version 2024.05.1.ga.7.b.452.e.53; it looks like the code didn't change, so my previous message can be enjoyed without salt.

timo avatar May 31 '24 12:05 timo