Can someone enlighten me to find the bug?

Here's a way to replicate the bug. 4 steps. I'm on Ubuntu 11.04 64bit.¶

1. extract the attached app¶

% unzip segfault.zip
% cd segfault

2. install bundler via rubygems¶

% gem install bundler --user-install
% export PATH=$PATH:/home/nahi/.gem/ruby/1.9.1/bin

3. run bundle to install gems to ./ruby¶

% bundle install --path=.

4. execute it¶

% ruby -rbundler -e 'Bundler.setup; require "rspec/core"; RSpec::Core::Runner.run(["spec"], $stderr, $stdout)'¶

And here's my gdb session.¶

% gdb /usr/local/bin/ruby
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/bin/ruby...done.
(gdb) run -rbundler -e 'Bundler.setup; require "rspec/core"; RSpec::Core::Runner.run(["spec"], $stderr, $stdout)'
Starting program: /usr/local/bin/ruby -rbundler -e 'Bundler.setup; require "rspec/core"; RSpec::Core::Runner.run(["spec"], $stderr, $stdout)'
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff6682700 (LWP 13255)]
[Thread 0x7ffff6682700 (LWP 13255) exited]
[New Thread 0x7ffff6682700 (LWP 13257)]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ab5c99 in st_foreach (table=0x28b5020, func=0x7ffff7a0c230 <mark_entry>, arg=140737488315296) at ../st.c:745
745 key = (st_data_t)table->bins[i*2];
(gdb) where
#0 0x00007ffff7ab5c99 in st_foreach (table=0x28b5020, func=0x7ffff7a0c230 <mark_entry>, arg=140737488315296) at ../st.c:745
#1 0x00007ffff7a0be88 in mark_tbl (objspace=0x6038a0, ptr=19563040, lev=5) at ../gc.c:1445
#2 gc_mark_children (objspace=0x6038a0, ptr=19563040, lev=5) at ../gc.c:1801
#3 0x00007ffff7a0b8d8 in gc_mark_children (objspace=0x6038a0, ptr=35333200, lev=4) at ../gc.c:1795
#4 0x00007ffff7a0b8d8 in gc_mark_children (objspace=0x6038a0, ptr=35333280, lev=3) at ../gc.c:1795
#5 0x00007ffff7a0c1d6 in mark_const_entry_i (key=, ce=, data=)
at ../gc.c:1562
#6 0x00007ffff7ab5d1c in st_foreach (table=0x19131a0, func=0x7ffff7a0c1c0 <mark_const_entry_i>, arg=140737488315616)
at ../st.c:787
#7 0x00007ffff7a0bead in mark_const_tbl (objspace=0x6038a0, ptr=10364280, lev=2) at ../gc.c:1573
#8 gc_mark_children (objspace=0x6038a0, ptr=10364280, lev=2) at ../gc.c:1802
#9 0x00007ffff7a0bb7e in gc_mark_children (objspace=0x6038a0, ptr=27521040, lev=1) at ../gc.c:1688
#10 0x00007ffff7b02bb5 in iseq_mark (ptr=0x2398250) at ../iseq.c:106
#11 0x00007ffff7a0baba in gc_mark_children (objspace=0x6038a0, ptr=30252840, lev=3) at ../gc.c:1839
#12 0x00007ffff7a0c2c8 in mark_method_entry (key=, me=, data=)
at ../gc.c:1506
#13 mark_method_entry_i (key=, me=, data=) at ../gc.c:1530
#14 0x00007ffff7ab5d1c in st_foreach (table=0x23d4f70, func=0x7ffff7a0c270 <mark_method_entry_i>, arg=140737488315968)
at ../st.c:787
#15 0x00007ffff7a0be59 in mark_m_tbl (objspace=0x6038a0, ptr=21024760, lev=2) at ../gc.c:1541
#16 gc_mark_children (objspace=0x6038a0, ptr=21024760, lev=2) at ../gc.c:1800
#17 0x00007ffff7a0b8d8 in gc_mark_children (objspace=0x6038a0, ptr=41607400, lev=1) at ../gc.c:1795
#18 0x00007ffff7a0df82 in mark_locations_array (start=, end=) at ../gc.c:1401
#19 gc_mark_locations (start=, end=) at ../gc.c:1414
#20 rb_gc_mark_locations (start=, end=) at ../gc.c:1420
#21 0x00007ffff7b0768e in env_mark (ptr=0x2bfda70) at ../vm.c:238
#22 0x00007ffff7a0baba in gc_mark_children (objspace=0x6038a0, ptr=41607040, lev=1) at ../gc.c:1839
#23 0x00007ffff7a0df82 in mark_locations_array (start=, end=) at ../gc.c:1401
#24 gc_mark_locations (start=, end=) at ../gc.c:1414
#25 rb_gc_mark_locations (start=, end=) at ../gc.c:1420
#26 0x00007ffff7b0768e in env_mark (ptr=0x2562950) at ../vm.c:238
#27 0x00007ffff7a0baba in gc_mark_children (objspace=0x6038a0, ptr=41607000, lev=1) at ../gc.c:1839
#28 0x00007ffff79fc9d5 in proc_mark (ptr=0x277bf80) at ../proc.c:53
#29 0x00007ffff7a0baba in gc_mark_children (objspace=0x6038a0, ptr=41606920, lev=2) at ../gc.c:1839
#30 0x00007ffff7a0c2fc in mark_method_entry (key=, me=, data=)
at ../gc.c:1509
#31 mark_method_entry_i (key=, me=, data=) at ../gc.c:1530
#32 0x00007ffff7ab5d1c in st_foreach (table=0x25b2070, func=0x7ffff7a0c270 <mark_method_entry_i>, arg=140737488316608)
at ../st.c:787
#33 0x00007ffff7a0be59 in mark_m_tbl (objspace=0x6038a0, ptr=33366880, lev=1) at ../gc.c:1541
#34 gc_mark_children (objspace=0x6038a0, ptr=33366880, lev=1) at ../gc.c:1800
#35 0x00007ffff7b02ba5 in iseq_mark (ptr=0x27528f0) at ../iseq.c:107
#36 0x00007ffff7a0baba in gc_mark_children (objspace=0x6038a0, ptr=33147080, lev=2) at ../gc.c:1839
#37 0x00007ffff7a0be2b in gc_mark_children (objspace=0x6038a0, ptr=, lev=1) at ../gc.c:1815
#38 0x00007ffff7b02bf5 in iseq_mark (ptr=0x27520f0) at ../iseq.c:102
#39 0x00007ffff7a0baba in gc_mark_children (objspace=0x6038a0, ptr=33147560, lev=2) at ../gc.c:1839
#40 0x00007ffff7a0be2b in gc_mark_children (objspace=0x6038a0, ptr=, lev=1) at ../gc.c:1815
#41 0x00007ffff7b02bf5 in iseq_mark (ptr=0x2751db0) at ../iseq.c:102
#42 0x00007ffff7a0baba in gc_mark_children (objspace=0x6038a0, ptr=33148280, lev=5) at ../gc.c:1839
#43 0x00007ffff7a0c2c8 in mark_method_entry (key=, me=, data=)
at ../gc.c:1506
#44 mark_method_entry_i (key=, me=, data=) at ../gc.c:1530
#45 0x00007ffff7ab5d1c in st_foreach (table=0x27e52d0, func=0x7ffff7a0c270 <mark_method_entry_i>, arg=140737488317232)
---Type to continue, or q to quit---quit
at ../st.Quit
(gdb) up 2
#2 gc_mark_children (objspace=0x6038a0, ptr=19563040, lev=5) at ../gc.c:1801
1801 mark_tbl(objspace, RCLASS_IV_TBL(obj), lev);
(gdb) p *obj
$1 = {as = {free = {flags = 4130, next = 0x665b20}, basic = {flags = 4130, klass = 6708000}, object = {basic = {flags = 4130,
klass = 6708000}, as = {heap = {numiv = 42751520, ivptr = 0x2af3720, iv_index_tbl = 0x0}, ary = {42751520, 45037344,
0}}}, klass = {basic = {flags = 4130, klass = 6708000}, ptr = 0x28c5620, m_tbl = 0x2af3720, iv_index_tbl = 0x0},
flonum = {basic = {flags = 4130, klass = 6708000}, float_value = 2.1122057339494968e-316}, string = {basic = {
flags = 4130, klass = 6708000}, as = {heap = {len = 42751520, ptr = 0x2af3720 "\340\263\333\367\377\177", aux = {
capa = 0, shared = 0}}, ary = " V\214\002\000\000\000\000 7\257\002", '\000' <repeats 11 times>}}, array = {
basic = {flags = 4130, klass = 6708000}, as = {heap = {len = 42751520, aux = {capa = 45037344, shared = 45037344},
ptr = 0x0}, ary = {42751520, 45037344, 0}}}, regexp = {basic = {flags = 4130, klass = 6708000}, ptr = 0x28c5620,
src = 45037344, usecnt = 0}, hash = {basic = {flags = 4130, klass = 6708000}, ntbl = 0x28c5620, iter_lev = 45037344,
ifnone = 0}, data = {basic = {flags = 4130, klass = 6708000}, dmark = 0x28c5620, dfree = 0x2af3720, data = 0x0},
typeddata = {basic = {flags = 4130, klass = 6708000}, type = 0x28c5620, typed_flag = 45037344, data = 0x0}, rstruct = {
basic = {flags = 4130, klass = 6708000}, as = {heap = {len = 42751520, ptr = 0x2af3720}, ary = {42751520, 45037344,
0}}}, bignum = {basic = {flags = 4130, klass = 6708000}, as = {heap = {len = 42751520, digits = 0x2af3720}, ary = {
42751520, 0, 45037344, 0, 0, 0}}}, file = {basic = {flags = 4130, klass = 6708000}, fptr = 0x28c5620}, node = {
flags = 4130, nd_reserved = 6708000, u1 = {node = 0x28c5620, id = 42751520, value = 42751520, cfunc = 0x28c5620,
tbl = 0x28c5620}, u2 = {node = 0x2af3720, id = 45037344, argc = 45037344, value = 45037344}, u3 = {node = 0x0, id = 0,
state = 0, entry = 0x0, cnt = 0, value = 0}}, match = {basic = {flags = 4130, klass = 6708000}, str = 42751520,
rmatch = 0x2af3720, regexp = 0}, rational = {basic = {flags = 4130, klass = 6708000}, num = 42751520, den = 45037344},
complex = {basic = {flags = 4130, klass = 6708000}, real = 42751520, imag = 45037344}}}
(gdb) p 4130 & 0x1f
$2 = 2
(gdb) p obj.as.klass
$3 = {basic = {flags = 4130, klass = 6708000}, ptr = 0x28c5620, m_tbl = 0x2af3720, iv_index_tbl = 0x0}
(gdb) p obj.as.klass.m_tbl
$4 = (struct st_table *) 0x2af3720
(gdb) p *obj.as.klass.m_tbl
$5 = {type = 0x7ffff7dbb3e0, num_bins = 11, entries_packed = 1, num_entries = 0, bins = 0x28c1730, head = 0x0, tail = 0x0}
(gdb) p obj.as.klass.m_tbl.bins[0]
$6 = (struct st_table_entry *) 0x0
(gdb)

Hiroshi Nakamura nakahiro@gmail.com wrote:

Can someone enlighten me to find the bug?

I started looking into this, too, but haven't found the exact
cause/solution, either.

It does not seem to be in the tinytds nor bcrypt C extensions,
I put in early returns for each extensions' Init_* functions
to avoid hitting C code outside of Ruby trunk.

It seems to be related to how the parser/loader sets up (or fails to set
up) objects for GC. Some backtraces I get are very deep inside gc_mark*
functions (500-700+ C stack frames).

I cannot reproduce this with GC.disable or a huge malloc limit
(RUBY_GC_MALLOC_LIMIT=800000000).

Eric Hodel drbrain@segment7.net wrote:

Does GC.stress help?

I tried it for a while but lost patience while waiting. I suppose
I'll try it again while I poke at other things...

--
Eric Wong

On Sat, Jul 23, 2011 at 07:56, Eric Wong normalperson@yhbt.net wrote:

Does GC.stress help?

I tried it for a while but lost patience while waiting.  I suppose
I'll try it again while I poke at other things...

Yeah, I waited 2 hours before I quit the way. :-(

Adding rb_gc() to several part at load.c but I still cannot narrow
down where the broken object created...

Regards,
// NaHi

Random note;

• SEGV on trunk, ruby_1_9_3 and 1.9.2-p280
• SEGV on x86_64-linux but NOT on x86_64-darwin10.8.0 according to @nagachika (Tomoyuki Chikanaga)
• SEGV at GC mark or sweep, and the broken object looks like a singleton class object
• SEGV caused at autoload from autoload from autoload... or at finalizing VM at exit.
• slight change of code, different location of SEGV.
• lack of RB_GC_GUARD for a Node which is used in particular code?

Hello,

Thank you for the reproducing process. I could also comfirmed it.
This is one of the most difficult bug that I have seen...

In short, I've not solved this issue, but I found valgrind with -O0
enlightens us the (maybe) important point:

Follow-up.

I found activesupport uses UnboundMethod and #bind to check whether
a class instance is singleton or not.

102 def singleton_class?
103 # in case somebody is crazy enough to overwrite allocate
104 allocate = Class.instance_method(:allocate)
105 # object.class always points to a real (non-singleton) class
106 allocate.bind(self).call.class != self
107 rescue TypeError
108 # MRI/YARV/JRuby all disallow creating new instances of a
singleton class
109 true
110 end

Of course, this is not a fault of activesupport, but this seems
one factor to this SEGV.
If you need to work around this issue right now, the following patch
for activesupport might work.

$ diff -u active_support/core_ext/class/attribute.rb.orig
active_support/core_ext/class/attribute.rb
--- active_support/core_ext/class/attribute.rb.orig 2011-07-24
11:51:32.690364370 +0900
+++ active_support/core_ext/class/attribute.rb 2011-07-24
11:51:35.990380754 +0900
@@ -100,6 +100,7 @@

private
def singleton_class?

• return !ancestors.include?(self)

  in case somebody is crazy enough to overwrite allocate¶

  allocate = Class.instance_method(:allocate)

  object.class always points to a real (non-singleton) class¶

At least, SEGV does not occur with this patch on my machine.
Could anyone please try it?

Again, this is not a fault of activesupport. This is just workaround
patch.

--
Yusuke Endoh mame@tsg.ne.jp

2011/7/24 Yusuke ENDOH mame@tsg.ne.jp:

If you need to work around this issue right now, the following patch
for activesupport might work.

FYI, Aaron fixed activesupport in trunk so quickly :-)

https://github.com/rails/rails/commit/cdc4274931c2d6bafdf2b97f7e4ecedf89a8202e

--
Yusuke Endoh mame@tsg.ne.jp

Yusuke Endoh mame@tsg.ne.jp wrote:

I probably managed to fix this issue.
Could anyone try the attached patch?

Seems to work for me.

sidenote: I didn't realize xmalloc() (via rb_unlink_method_entry) is
safe/allowed inside bm_free(); but apparently it's only rb_new_obj()
that's prevented inside GC.

--
Eric Wong

Yusuke Endoh wrote:

I probably managed to fix this issue.
Could anyone try the attached patch?
ko1: May I commit it?

With the patch, both trunk and ruby_1_9_3 run without SEGV. My hat's off to you for your exhausting job.

(2011/07/25 6:35), Hiroshi Nakamura wrote:

With the patch, both trunk and ruby_1_9_3 run without SEGV. My hat's off to you for your exhausting job.

Me too. Thanks a lot.

--
// SASADA Koichi at atdot dot net

With the patch, both trunk and ruby_1_9_3 run without SEGV. My hat's off to you for your exhausting job.

Me too. Thanks a lot.

Me too. You are great.

Offtopic: now 1.9.3 have two high priority (i.e. crash related) bug, #5039 and this. And this was
most mysterious and difficult one. Now I don't doubt 1.9.3 is going to be released on a planned schedule.
Of course, there still are several normal priority bugs. we'll do our best.

Thank you for the trying the patch.
Nobu pointed out that the patch may cause memory leak.
I'll commit a revised version soon.

2011/7/25 Eric Wong normalperson@yhbt.net:

sidenote: I didn't realize xmalloc() (via rb_unlink_method_entry) is
safe/allowed inside bm_free(); but apparently it's only rb_new_obj()
that's prevented inside GC.

Good point. I was not aware of this.
Indeed, GC does not occur recursively even if vm_xmalloc is called
during GC. But NoMemoryError may be raised from bm_free()... It
will probably make the interpreter state inconsistent, so I guess
it is not possible to sanely continue the execution by rescue'ing
the exception.
But I have no solution about the case. Frankly speaking, I think
we can do nothing if just few dozens byte allocation is failed.

2011/7/25 Motohiro KOSAKI kosaki.motohiro@gmail.com:

With the patch, both trunk and ruby_1_9_3 run without SEGV. My hat's off to you for your exhausting job.

Me too. Thanks a lot.

Me too. You are great.

Thanks for the compliment!

--
Yusuke Endoh mame@tsg.ne.jp

Yusuke ENDOH mame@tsg.ne.jp wrote:

2011/7/25 Eric Wong normalperson@yhbt.net:

sidenote: I didn't realize xmalloc() (via rb_unlink_method_entry) is
safe/allowed inside bm_free(); but apparently it's only rb_new_obj()
that's prevented inside GC.

Good point. I was not aware of this.
Indeed, GC does not occur recursively even if vm_xmalloc is called
during GC. But NoMemoryError may be raised from bm_free()... It
will probably make the interpreter state inconsistent, so I guess
it is not possible to sanely continue the execution by rescue'ing
the exception.
But I have no solution about the case. Frankly speaking, I think
we can do nothing if just few dozens byte allocation is failed.

We can pre-allocate the unlinked_method_entry_list_entry struct
in the METHOD struct and then push it into unlinked_method_entry_list
in bm_free (untested patch below):

--- a/proc.c
+++ b/proc.c
@@ -19,6 +19,7 @@ struct METHOD {
VALUE rclass;
ID id;
rb_method_entry_t *me;

• struct unlinked_method_entry_list_entry *ume;
  };

VALUE rb_cUnboundMethod;
@@ -868,7 +869,11 @@ static void
bm_free(void *ptr)
{
struct METHOD *data = ptr;

• rb_unlink_method_entry(data->me);

• struct unlinked_method_entry_list_entry *ume = data->ume;
• ume->me = data->me;
• ume->next = GET_VM()->unlinked_method_entry_list;
• GET_VM()->unlinked_method_entry_list = ume;
  xfree(ptr);
  }

@@ -978,6 +983,7 @@ mnew(VALUE klass, VALUE obj, ID id, VALUE mclass, int scope)
data->me = me2;
*data->me = *me;
data->me->def->alias_count++;

• data->ume = ALLOC(struct unlinked_method_entry_list_entry);

  OBJ_INFECT(method, klass);

@@ -1088,6 +1094,7 @@ method_unbind(VALUE obj)
*data->me = *orig->me;
if (orig->me->def) orig->me->def->alias_count++;
data->rclass = orig->rclass;

• data->ume = ALLOC(struct unlinked_method_entry_list_entry);
  OBJ_INFECT(method, obj);

  return method;
  --
  Eric Wong

2011/7/25 Eric Wong normalperson@yhbt.net:

We can pre-allocate the unlinked_method_entry_list_entry struct
in the METHOD struct and then push it into unlinked_method_entry_list
in bm_free (untested patch below):

I see! I'll import it if make check passes. Thanks.

--
Yusuke Endoh mame@tsg.ne.jp