Re: Segfault (LuaJIT)

[Pierre Chapuis <catwell@...>]

On 2012-04-06 18:38, Alexander Gladysh wrote:
> 06.04.2012, в 18:14, Pierre Chapuis <catwell@archlinux.us> 
> написал(а):
>
> > One of my programs that uses FFI somtimes (rarely) segfaults
> > in LuaJIT, even with -joff. I have recompiled luajit with debug
> > symbols and -O0 and obtained a core dump which I could analyse
> > in GCC. Here is the error:
> >
> > #0  0x00000000004672ca in lj_cconv_ct_ct (cts=0x41d8e4a0, 
> > d=0x41d95ba0,
> >    s=0x41d95b20, dp=0x4199f480 "",
> >    sp=0x4095b000 <Address 0x4095b000 out of bounds>, flags=0)
> >    at lj_cconv.c:241
> > 241        else i = *(uint8_t *)sp;
> >
> > And the backtrace:
> >
> > #0  0x00000000004672ca in lj_cconv_ct_ct (cts=0x41d8e4a0, 
> > d=0x41d95ba0,
> >    s=0x41d95b20, dp=0x4199f480 "",
> >    sp=0x4095b000 <Address 0x4095b000 out of bounds>, flags=0)
> >    at lj_cconv.c:241
> > #1  0x0000000000467c51 in lj_cconv_tv_ct (cts=0x41d8e4a0, 
> > s=0x41d95b20, sid=6,
> >    o=0x4199f480, sp=0x4095b000 <Address 0x4095b000 out of bounds>)
> >    at lj_cconv.c:388
> > #2  0x0000000000466560 in lj_cdata_get (cts=0x41d8e4a0, 
> > s=0x41d95b20,
> >    o=0x4199f480, sp=0x4095b000 <Address 0x4095b000 out of bounds>)
> >    at lj_cdata.c:237
> > #3  0x000000000042a6fe in lj_cf_ffi_meta___index (L=0x41e09378)
> >    at lib_ffi.c:150
> > #4  0x000000000042fb33 in lj_BC_FUNCC ()
> > #5  0x0000000000410acb in lua_pcall (L=0x41e09378, nargs=2, 
> > nresults=-1,
> >    errfunc=2) at lj_api.c:1034
> > #6  0x00000000004039cd in docall (L=0x41e09378, narg=2, clear=0)
> >    at luajit.c:126
> > #7  0x0000000000404392 in handle_script (L=0x41e09378, 
> > argv=0x7fffe2c26df8,
> >    n=4) at luajit.c:290
> > #8  0x0000000000404f60 in pmain (L=0x41e09378) at luajit.c:525
> > #9  0x000000000042fb33 in lj_BC_FUNCC ()
> > #10 0x0000000000410c95 in lua_cpcall (L=0x41e09378, func=0x404dd3 
> > <pmain>,
> >    ud=0x7fffe2c26cf0) at lj_api.c:1056
> >
> > Can anybody help me understand what is going on there? I am
> > probably doing something wrong with the FFI somewhere but I
> > cannot pinpoint exactly where in the program, and it looks
> > like the segfault doesn't always happen at the same stage
> > so I suspect it happens on deallocation by the GC...

> We also see segfaults in one of our utilities, in about one of six
> launches (this is a separate issue from what I reported earlier with
> bogus stacktraces).
>
> We still need to confirm that this is LJ2 fault, but that code does
> not use many third party modules, so this is not unlikely. So, maybe
> this is the same issue that is reported here.
>
> Will get back as soon as I would have more details.

I found the origin of this precise issue and it is probably not
the same thing (so you should open a separate thread).

I am working with data similar to black and white images which
is stored in arrays allocated with the FFI.

I have a method that resizes one of these images and a particular
edge case made me access data out of this array (gory details
related to floating point precision omitted...).

So GDB was right, I was simply accessing out of bounds data.

As far as I am concerned, problem solved.

--
Pierre Chapuis