Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#200 closed defect (fixed)

Kill StX with some kind of overflow

Reported by: patrik.svestka@…
Owned by:
Priority: major
Milestone: 8.0.0
Component: default
Keywords:
Cc:
Also affects CVS HEAD (eXept version): no

Description

I have managed to kill the VM with executing the following code in the Workspace:

| test |
test := Unicode16String new.
test := 'コーヒーアイスクリームケーキビールすしかき空'. 
200 timesRepeat:[test := test,test].
test size.

Please see attached log file for more details

Attachments (5)

smalltalk_2018-04-04_utf8.log (363.8 KB ) - added by patrik.svestka@… 6 years ago.
Log file from the VM segfault
issue_200_trace_v1.ps1 (2.8 KB ) - added by jan vrany 6 years ago.
vmap_snapshots.7z (31.1 KB ) - added by patrik.svestka@… 6 years ago.
vmap snapshots
regression_fix_1_of_1_rev_0376b01956f1_Issue__200__added_regression_tests.patch (4.8 KB ) - added by jan vrany 6 years ago.
libbasic_fix_1_of_1_rev_574962856f04_Issue__200__fixed___basicAt_______basicAt_put___to_work_with_objects_bigger_than_2GB.patch (31.3 KB ) - added by jan vrany 6 years ago.


Change History (14)

by patrik.svestka@…, 6 years ago

Log file from the VM segfault

comment:1 by patrik.svestka@…, 6 years ago

Milestone: 8.0.0

comment:2 by patrik.svestka@…, 6 years ago

Further analysis by running the following code

stx.com -P "t := Unicode16String new: 46. [ 1 to: 200 do:[:i | Stdout nextPutLine: i printString , '-', (t size*2) printString. t := t , t ] ] on: Error do:[:ex | Stdout nextPutLine: ex description]. Stdout nextPutLine: 'Passed'"

1) First run:

1-92
2-184
3-368
4-736
5-1472
6-2944
7-5888
8-11776
9-23552
10-47104
11-94208
12-188416
13-376832
14-753664
15-1507328
16-3014656
17-6029312
18-12058624
19-24117248
20-48234496
21-96468992
22-192937984
23-385875968
24-771751936
25-1543503872
VM [sigsegv]: sigNo 11 context=6868878 sp=68687e0
VM [sigsegv]: pc=6576bd15 [4304]
VM [error] (18-04-05 16:14:07): sigsegv pc= 6576bd15
 new: 2600000 .. 2800000  old: 7fff0000 .. 1f1ccc000
 surv: 23f0000 .. 23f0000 .. 25f0000
VM [error] (18-04-05 16:14:07): in process 5
last selector: replaceFrom:to:with:startingAt:
last class: ArrayedCollection
sigsegv 4635
sigsegv 4643
os signal interrupt

2) Second run:

1-92
2-184
3-368
4-736
5-1472
6-2944
7-5888
8-11776
9-23552
10-47104
11-94208
12-188416
13-376832
14-753664
15-1507328
16-3014656
17-6029312
18-12058624
19-24117248
20-48234496
21-96468992
22-192937984
23-385875968
24-771751936
25-1543503872
VM [sigsegv]: sigNo 11 context=6958878 sp=69587e0
VM [sigsegv]: pc=6576bd15 [4304]
VM [error] (18-04-05 16:18:45): sigsegv pc= 6576bd15
 new: 25f0000 .. 27f0000  old: 7fff0000 .. 1f1ccc000
 surv: 2800000 .. 2800000 .. 2a00000
VM [error] (18-04-05 16:18:45): in process 5
last selector: replaceFrom:to:with:startingAt:
last class: ArrayedCollection
sigsegv 4635
sigsegv 4643
os signal interrupt

3) Third run:

1-92
2-184
3-368
4-736
5-1472
6-2944
7-5888
8-11776
9-23552
10-47104
11-94208
12-188416
13-376832
14-753664
15-1507328
16-3014656
17-6029312
18-12058624
19-24117248
20-48234496
21-96468992
22-192937984
23-385875968
24-771751936
25-1543503872
VM [sigsegv]: sigNo 11 context=69d8878 sp=69d87e0
VM [sigsegv]: pc=6576bd15 [4304]
VM [error] (18-04-05 16:22:16): sigsegv pc= 6576bd15
 new: 2720000 .. 2920000  old: 7fff0000 .. 1f1ccc000
 surv: 2510000 .. 2510000 .. 2710000
VM [error] (18-04-05 16:22:16): in process 5
last selector: replaceFrom:to:with:startingAt:
last class: ArrayedCollection
sigsegv 4635
sigsegv 4643
os signal interrupt

by jan vrany, 6 years ago

Attachment: issue_200_trace_v1.ps1 added

comment:3 by jan vrany, 6 years ago

Thanks.

Could you please collect some more logs for me? I have tried to automate the collection a little, so:

  • Download the attached trace script: issue_200_trace_v1.ps1
  • Save it to ...\build\stx\projects\smalltalk (i.e., to the same directory as stx.com)
  • Run it: powershell -ExecutionPolicy Unrestricted .\issue_200_trace_v1.ps1
  • Follow the instructions printed by the above script
  • Attach the resulting logs.

Repeat 3 times so I have logs from 3 different runs.

I hope the script works. It does on my system with your very build. If not, I believe you'd be able to fix it, it's fairly simple :-)

Thanks a lot!

comment:4 by patrik.svestka@…, 6 years ago

I have managed to run the script and the results of three runs are in vmap_snapshots.7z.

I'm looking forward to your investigation!

by patrik.svestka@…, 6 years ago

Attachment: vmap_snapshots.7z added

vmap snapshots

comment:5 by jan vrany, 6 years ago

Dumps were very useful! I can now reproduce the crash on both Windows and Linux, given that the host has at least 8GB physical RAM.

comment:6 by jan vrany, 6 years ago

Status: new → testing

Patrik,

could you please:

  1. Apply patch stx:goodies/regression 0376b01956f1 and run VMCrashTests?
  2. Then apply patch stx:libbasic 574962856f04 and test
  3. Run VMCrashTests again to make sure the above patch fixes the problem?

Thanks!

Ideally,

comment:7 by patrik.svestka@…, 6 years ago

Hi Jan,

ad 1) Running the regression tests without the stx:libbasic patch leads to 12 tests, 5 passed, 4 failed, 3 errors (VmCrashTests -> tests - regressions)

ad 2) After applying the patch my example code correctly produces the warning: WARNING: ObjectMemory [warning] (2018-04-13 16:23:50.700): almost out of memory

ad 3) Running the VMCrashTests leads to all tests passing.

Great work!

comment:8 by patrik.svestka@…, 6 years ago

Should I close it or you will do it when you are ready?

comment:9 by jan vrany, 6 years ago

Resolution: fixed
Status: testing → closed

Fixed in:

Some methods, or parts of them, used only a 32-bit int as an index into an object. If the
object was larger than 2GB, the 32-bit index suddenly became negative, causing #basicAt:put:
to write outside the object itself.

To fix that we have to use INT (intptr_t)

Last edited 6 years ago by jan vrany
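The following C program is an added illustration of the bug class Jan describes in comment:9 (a 32-bit int used as an index into an object larger than 2 GB); it is not StX VM code and not the attached patch. It models, without allocating anything, a 2-byte-per-character string of 1543503872 characters, the last size printed in the comment:2 log (about 3 GB of bytes), and shows the offset arithmetic done in a 32-bit int going negative, the same arithmetic done in intptr_t, and a bounds check that rejects a bad index before any pointer arithmetic. The names (byte_offset_int32, byte_offset_intptr, checked_byte_offset, copy_range_ok, BYTES_PER_CHAR, LOG_NCHARS) are invented for this example, and it assumes a 64-bit host where intptr_t is 8 bytes, as on the 8 GB machines where the crash reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration written for this page of the bug class described in the ticket;
 * it is not StX VM code. Object sizes are modelled only, nothing is allocated. */

#define BYTES_PER_CHAR 2              /* Unicode16String: 2 bytes per character */
#define LOG_NCHARS 1543503872LL       /* character count printed at step 25 of the log */

/* Byte offset computed the buggy way: held in a 32-bit int. The multiply is
 * done unsigned so the wrap-around is well defined in C, then reinterpreted
 * as the signed 32-bit value the VM would have seen. */
static int32_t byte_offset_int32(int32_t char_index) {
    uint32_t wrapped = (uint32_t)char_index * (uint32_t)BYTES_PER_CHAR;
    return (int32_t)wrapped;          /* negative once the true offset reaches 2^31 */
}

/* The fix named in the ticket: a pointer-sized integer (intptr_t, 64 bits on
 * the hosts where the crash reproduced), so the offset cannot wrap. */
static intptr_t byte_offset_intptr(intptr_t char_index) {
    return char_index * BYTES_PER_CHAR;
}

/* Bounds-checked accessor: a negative or out-of-range index is rejected
 * (returns -1) before any pointer arithmetic, so a bad index can never turn
 * into a write outside the object. */
static intptr_t checked_byte_offset(intptr_t nchars, intptr_t char_index) {
    if (char_index < 0 || char_index >= nchars) return -1;
    return byte_offset_intptr(char_index);
}

/* Range validation for a replaceFrom:to:with:startingAt: style copy
 * (0-based, `to` exclusive): every bound is checked in wide arithmetic
 * before a memcpy would run. */
static bool copy_range_ok(intptr_t dst_nchars, intptr_t from, intptr_t to,
                          intptr_t src_nchars, intptr_t src_start) {
    if (from < 0 || to < from || to > dst_nchars) return false;
    intptr_t len = to - from;
    if (src_start < 0 || src_start > src_nchars - len) return false;
    return true;
}

int main(void) {
    intptr_t idx = 1200000000;        /* a valid index into the 1.5 G-character object */
    printf("32-bit offset:   %d\n", (int)byte_offset_int32((int32_t)idx));
    printf("intptr_t offset: %lld\n", (long long)byte_offset_intptr(idx));
    printf("checked offset:  %lld\n", (long long)checked_byte_offset(LOG_NCHARS, idx));
    /* appending the string to itself, as the reporter's loop does */
    printf("self-append copy range: %s\n",
           copy_range_ok(2 * LOG_NCHARS, LOG_NCHARS, 2 * LOG_NCHARS, LOG_NCHARS, 0)
               ? "ok" : "rejected");
    return 0;
}
```

The point to take from the numbers: index 1200000000 is well inside the object, yet its byte offset (2400000000) does not fit in a signed 32-bit int and comes out as -1894967296, which a raw pointer add would turn into a write roughly 1.9 GB before the object's base, matching the sigsegv in replaceFrom:to:with:startingAt: seen in the logs. Widening the index type removes the wrap; the explicit range check additionally makes any remaining bad index fail loudly instead of silently corrupting memory.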