Bug #12670
closed
Segmentation fault on `Magick::Image#get_pixels` on ruby since ruby-2.2
Added by ShockwaveNN (Pavel Lobashov) about 9 years ago. Updated about 8 years ago.
Description
- Create test.rb this code
require 'rmagick'
include Magick
(0..10).each do |_|
ImageList.new('1.bmp').get_pixels(0, 0, 1600, 800).each_slice(1600).to_a
end
- Create any 1.bmp file with dimension at least 1600*800 (Include zip file with it, extract it in directory with test.tb)
- Install ruby 2.1.9 (via RVM for example) and run
ruby -v # ruby 2.1.9p490 (2016-03-30 revision 54437) [x86_64-linux]
ruby test.rb # Nothing output, all good
- Install ruby 2.3.1 (via RVM for example) and run
ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux]
ruby test.rb # You get a big log of Segmentation failed
I issued an problem on rmagick issue tracker (https://github.com/rmagick/rmagick/issues/212) but there is no progress at all
So I thought since both rubies use same version of rmagick I think problem may be in ruby itself.
Files
| out.log (25.8 KB) out.log | Segmentation fault at 0x0000000000001c | ShockwaveNN (Pavel Lobashov), 08/11/2016 12:22 PM | |
| 1.bmp.zip (37.7 KB) 1.bmp.zip | zip file with bmp | ShockwaveNN (Pavel Lobashov), 08/11/2016 12:24 PM | |
| core_dump.log (23.5 KB) core_dump.log | ShockwaveNN (Pavel Lobashov), 11/04/2016 10:26 AM | ||
| Dockerfile (667 Bytes) Dockerfile | wanabe (_ wanabe), 11/05/2016 04:41 PM | ||
| segv.c (306 Bytes) segv.c | wanabe (_ wanabe), 05/22/2017 12:28 AM | ||
| segv.rb (209 Bytes) segv.rb | wanabe (_ wanabe), 05/22/2017 12:28 AM | ||
| segv.c (365 Bytes) segv.c | wanabe (_ wanabe), 05/22/2017 05:03 AM |
Updated by wanabe (_ wanabe) about 9 years ago
Actions
#1
[ruby-core:76895]
It may be related to #10440 r48239, as git bisect shown.
Updated by wanabe (_ wanabe) about 9 years ago
Actions
#2
[ruby-core:76896]
Line 5426 of gc.c at v2_3_1 https://github.com/ruby/ruby/blob/v2_3_1/gc.c#L5426 that is pointed by out.log, is about GC but r48239 is not include a change of GC, as I see.
r48239 may not be related...
Updated by wanabe (_ wanabe) about 9 years ago
Actions
#3
[ruby-core:77143]
I got it.
SEGV is raised from gc_marks_continue(), line 5426: slots = heap->free_pages->free_slots,
as pointed by out.log. https://github.com/ruby/ruby/blob/v2_3_1/gc.c#L5426
My gdb shows the value of heap->free_pages is NULL when SEGV.
heap_page_resurrect() can return page even if page->freelist is NULL. It is intended - see r43461.
In the case, heap_add_freepage() does not set heap->free_pages and still keeps it NULL.
Updated by nagachika (Tomoyuki Chikanaga) about 9 years ago
Actions
#4
[ruby-core:77393]
- Status changed from Open to Assigned
- Assignee set to ko1 (Koichi Sasada)
Updated by nagachika (Tomoyuki Chikanaga) about 9 years ago
Actions
#5
[ruby-core:77394]
- Backport changed from 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN to 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: REQUIRED
wanabe san, thank you for your great investigation!
Sasada san, could you take a look at the lines wanabe san pointed out?
Updated by ko1 (Koichi Sasada) almost 9 years ago
Actions
#6
- Status changed from Assigned to Closed
Applied in changeset r56558.
- gc.c (heap_page_resurrect): do not return tomb_pages when
page->freelist == NULL.
[Bug #12670]
Updated by ko1 (Koichi Sasada) almost 9 years ago
Actions
#7
[ruby-core:77911]
- Status changed from Closed to Feedback
I commit a fix on trunk. Could you check it?
Updated by ShockwaveNN (Pavel Lobashov) almost 9 years ago
Actions
#8
[ruby-core:77913]
- File core_dump.log core_dump.log added
- ruby -v changed from 2.31 to 2.4
Koichi Sasada wrote:
I commit a fix on trunk. Could you check it?
Seems nothing changed. Errors looks like same
ruby -v
ruby 2.4.0dev (2016-11-04 trunk 56558) [x86_64-linux]
Attached a terminal output file.
Updated by nagachika (Tomoyuki Chikanaga) almost 9 years ago
Actions
#9
[ruby-core:77948]
- Status changed from Feedback to Assigned
Updated by wanabe (_ wanabe) almost 9 years ago
Actions
#10
[ruby-core:77980]
I think the status is changed, but there is another issue.
We can see a assertion fail when I set RGENGC_CHECK_MODE as 1 in gc.c.
$ bundle exec ruby test.rb
ruby: ../gc.c:1532: heap_page_allocate: Assertion `heap_allocated_pages <= heap_pages_sorted_length' failed.
Aborted (core dumped)
This is in heap_page_allocate().
heap_pages_sorted_length, length of heap_pages_sorted[], must be greater than heap_allocated_pages when ruby call the function.
Otherwise, it causes invalid MEMMOVE() or assignment (heap_pages_sorted[hi] = page;).
Updated by ko1 (Koichi Sasada) almost 9 years ago
Actions
#11
[ruby-core:77985]
On my linux VM, I can't reproduce with and without previous patch.
- ruby 2.4.0dev (2016-11-05 trunk 56574) [x86_64-linux]
- ruby 2.4.0dev (2016-11-01 trunk 56534) [x86_64-linux]
Sorry...
Updated by ShockwaveNN (Pavel Lobashov) almost 9 years ago
Actions
#12
[ruby-core:77987]
Koichi Sasada wrote:
On my linux VM, I can't reproduce with and without previous patch.
- ruby 2.4.0dev (2016-11-05 trunk 56574) [x86_64-linux]
- ruby 2.4.0dev (2016-11-01 trunk 56534) [x86_64-linux]
Sorry...
I have several PC and this problem reproduces even in TravisCi. But all my PC's and travis images are Ubuntu-based. It may be important. Whis linux VM are you using?
Updated by ko1 (Koichi Sasada) almost 9 years ago
Actions
#13
[ruby-core:77993]
I'm also using "Ubuntu 14.04.5 LTS" with gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3).
Updated by wanabe (_ wanabe) almost 9 years ago
Actions
#14
[ruby-core:78000]
- File Dockerfile Dockerfile added
The attached Dockerfile may help to reproduce.
Updated by ko1 (Koichi Sasada) over 8 years ago
Actions
#15
[ruby-core:81241]
Sorry for late response.
Unfortunately I have no enough disk to run docker. Try later when I get new machine.
Updated by wanabe (_ wanabe) over 8 years ago
Actions
#16
[ruby-core:81322]
I reduced repro codes, segv.c and segv.rb.
They cause assertion failure with RGENGC_CHECK_MODE=1.
ruby 2.5.0dev (2017-05-21 trunk 58832) [x86_64-linux]
creating Makefile
linking shared-object segv.so
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
ruby: ../../gc.c:1533: heap_page_allocate: Assertion `heap_allocated_pages <= heap_pages_sorted_length' failed.
Aborted (core dumped)
Updated by nobu (Nobuyoshi Nakada) over 8 years ago
Actions
#17
[ruby-core:81324]
Data_Wrap_Struct(rb_cData, NULL, dummy_free, &i);
Wrapping the pointer to a local variable?
Obviously it is a bug.
If it is the thing what happens in RMagick, it's a bug in object lifetime management of RMagick.
Updated by wanabe (_ wanabe) over 8 years ago
Actions
#18
[ruby-core:81326]
Updated by nobu (Nobuyoshi Nakada) over 8 years ago
Actions
#19
[ruby-core:81327]
It reproduced "incorrect checksum for freed object", with a fix.
- Data_Wrap_Struct(rb_cData, NULL, dummy_free, destroy_pixel);
+ Data_Wrap_Struct(rb_cData, NULL, destroy_pixel, pixel);
Updated by nobu (Nobuyoshi Nakada) over 8 years ago
Actions
#20
- Status changed from Assigned to Closed
Updated by nobu (Nobuyoshi Nakada) over 8 years ago
Actions
#21
- Status changed from Closed to Assigned
Updated by nobu (Nobuyoshi Nakada) over 8 years ago
Actions
#22
- Status changed from Assigned to Closed
Applied in changeset trunk|r59136.
gc.c: expand sorted pages
- gc.c (heap_page_allocate): expand sorted pages before inserting
allocated new page. [Bug #12670]
Updated by usa (Usaku NAKAMURA) over 8 years ago
Actions
#23
- Backport changed from 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: REQUIRED to 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: REQUIRED, 2.4: REQUIRED
Updated by usa (Usaku NAKAMURA) over 8 years ago
Actions
#24
[ruby-core:81866]
- Backport changed from 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: REQUIRED, 2.4: REQUIRED to 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: DONE, 2.4: REQUIRED
ruby_2_3 r59234 merged revision(s) 56558,59116,59136.
Updated by nagachika (Tomoyuki Chikanaga) over 8 years ago
Actions
#25
[ruby-core:81983]
- Backport changed from 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: DONE, 2.4: REQUIRED to 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: DONE, 2.4: DONE
ruby_2_4 r59302 merged revision(s) 56558,59116,59136.
Updated by ShockwaveNN (Pavel Lobashov) about 8 years ago
Actions
#26
[ruby-core:82796]
nagachika (Tomoyuki Chikanaga) wrote:
ruby_2_4 r59302 merged revision(s) 56558,59116,59136.
Can confirm bug is fixed.
Checked again with attached Dockerfile
Bug reproduced on:
v2_4_1
v2_3_4
v2_2_8
Bug fixed on:
v2_4_2
v2_3_5
Updated by nobu (Nobuyoshi Nakada) about 8 years ago
Actions
#27
- Has duplicate Bug #13900: Segmentation fault - 2 different machines added