Possible bug - UB

[Kixunil]

Based on recent reddit post there may be a bug in CondVar::wait_until_internal(). Sadly the OP didn't provide more information and I didn't find anything wrong in the code. I didn't check too deeply so it'd be nice if someone else tried to check too if I missed something.

[Amanieu]

ThreadData::new calls grow_hashtable which is a pretty large chunk of unsafe code. That's the only thing I can think of that could potentially segfault in that function.

[Kixunil]

Exactly that was my thinking. I was suspecting hashmap being empty when created first but that's not actually the case since it's always created with three elements. Maybe testing that part of code under fuzzer and miri would help.

[jefshe]

OP here! I've reproduced this bug in debug mode with the following stacktrace. As suspected it is happening in grow_hashtable

#0  0x00007f1eca5f9a9b in __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:309
#1  0x000055a0b5cc4ab9 in core::intrinsics::copy_nonoverlapping (src=0x7f1d6affb508, dst=0x7f1ec5cf4120 <inflate_fast+64>, count=1) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/intrinsics.rs:1860
#2  0x000055a0b5cc6c73 in core::ptr::swap_nonoverlapping_one (x=0x7f1ec5cf4120 <inflate_fast+64>, y=0x7f1d6affb508) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/ptr/mod.rs:455
#3  0x000055a0b5cc4e24 in core::mem::swap (x=0x7f1ec5cf4120 <inflate_fast+64>, y=0x7f1d6affb508) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/mem/mod.rs:688
#4  0x000055a0b5cc4f9c in core::mem::replace (dest=0x7f1ec5cf4120 <inflate_fast+64>, src=0x0) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/mem/mod.rs:815
#5  0x000055a0b5cbf495 in core::cell::Cell<T>::replace (self=0x7f1ec5cf4120 <inflate_fast+64>, val=0x0) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/cell.rs:393
#6  0x000055a0b5cbf374 in core::cell::Cell<T>::set (self=0x7f1ec5cf4120 <inflate_fast+64>, val=0x0) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/cell.rs:344
#7  0x000055a0b5cbe8f5 in parking_lot_core::parking_lot::rehash_bucket_into (bucket=0x7f1eac000d80, table=0x7f1d77c578f0) at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.2/src/parking_lot.rs:314
#8  0x000055a0b5cbe55d in parking_lot_core::parking_lot::grow_hashtable (num_threads=11) at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.2/src/parking_lot.rs:277
#9  0x000055a0b5cbdfa2 in parking_lot_core::parking_lot::ThreadData::new () at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.2/src/parking_lot.rs:156
#10 0x000055a0b5cbea4e in parking_lot_core::parking_lot::with_thread_data::THREAD_DATA::__init () at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.2/src/parking_lot.rs:178
#11 0x000055a0b5cc59e0 in core::ops::function::FnOnce::call_once () at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/ops/function.rs:227
#12 0x000055a0b5cbfa0a in std::thread::local::lazy::LazyKeyInner<T>::initialize (self=0x7f1d6affd118, init=0x7f1eca4ff968 <_int_malloc+1304>) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/local.rs:304
#13 0x000055a0b5cbf766 in std::thread::local::fast::Key<T>::try_initialize (self=0x7f1d6affd118, init=0x0) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/local.rs:473
#14 0x000055a0b5cbf8ab in std::thread::local::fast::Key<T>::get (self=0x7f1d6affd118, init=0x7f1d6affd540) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/local.rs:456
#15 0x000055a0b5cbea7d in parking_lot_core::parking_lot::with_thread_data::THREAD_DATA::__getit () at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/local.rs:183
#16 0x000055a0b5cbd53b in std::thread::local::LocalKey<T>::try_with (self=0x55a0b6572690, f=...) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/local.rs:271
#17 0x000055a0b5cbbfb6 in parking_lot_core::parking_lot::with_thread_data (f=...) at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.2/src/parking_lot.rs:179
#18 0x000055a0b5cbbfb6 in parking_lot_core::parking_lot::park (key=94149138538176, validate=..., before_sleep=..., timed_out=..., park_token=..., timeout=Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0x0:
#19 0x000055a0b5cb9303 in parking_lot::raw_mutex::RawMutex::lock_slow (self=0x55a0cdf55ec0, timeout=...)
    at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.1/src/raw_mutex.rs:262
#20 0x000055a0b5bda53b in <parking_lot::raw_mutex::RawMutex as lock_api::mutex::RawMutex>::lock (self=0x55a0cdf55ec0) at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.1/src/raw_mutex.rs:72
#21 0x000055a0b5bd2d39 in lock_api::mutex::Mutex<R,T>::lock (self=0x55a0cdf55ec0) at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/lock_api-0.4.2/src/mutex.rs:207
#22 0x000055a0b5bf1d5f in tokio::loom::std::parking_lot::Mutex<T>::lock (self=0x55a0cdf55ec0) at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.0.1/src/loom/std/parking_lot.rs:38
#23 0x000055a0b5c4bafd in tokio::runtime::blocking::pool::Inner::run (self=0x55a0cdf55ec0, worker_thread_id=1) at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.0.1/src/runtime/blocking/pool.rs:270
#24 0x000055a0b5c4b96e in tokio::runtime::blocking::pool::Spawner::spawn_thread::{{closure}} () at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.0.1/src/runtime/blocking/pool.rs:257
#25 0x000055a0b5bce7d3 in std::sys_common::backtrace::__rust_begin_short_backtrace (f=...) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/sys_common/backtrace.rs:125
#26 0x000055a0b5bfce23 in std::thread::Builder::spawn_unchecked::{{closure}}::{{closure}} () at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/mod.rs:474
#27 0x000055a0b5bae223 in <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once (self=..., _args=()) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panic.rs:322
#28 0x000055a0b5c38ff2 in std::panicking::try::do_call (data=0x7f1d6affc448 "\001") at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:381
#29 0x000055a0b5c4426d in __rust_try ()
#30 0x000055a0b5c38a54 in std::panicking::try (f=...) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panicking.rs:345
#31 0x000055a0b5bae723 in std::panic::catch_unwind (f=...) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/panic.rs:396
#32 0x000055a0b5bfcbe4 in std::thread::Builder::spawn_unchecked::{{closure}} () at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/mod.rs:473
#33 0x000055a0b5c25f6f in core::ops::function::FnOnce::call_once{{vtable-shim}} () at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/ops/function.rs:227
#34 0x000055a0b5cf410a in <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once () at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/alloc/src/boxed.rs:1307
#35 0x000055a0b5cf410a in <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once () at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/alloc/src/boxed.rs:1307
#36 0x000055a0b5cf410a in std::sys::unix::thread::Thread::new::thread_start () at library/std/src/sys/unix/thread.rs:71
#37 0x00007f1ecae056db in start_thread (arg=0x7f1d6affd700) at pthread_create.c:463
#38 0x00007f1eca58c71f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

[Amanieu]

How does current end pointing to a code address...

0x7f1ec5cf4120 <inflate_fast+64>

[Amanieu]

If you still have this open in GDB, can you go to frame 7 (rehash_bucket_into) and print bucket.queue_head?

[Kixunil]

I attempted to "ask the compiler" by refactoring locking and unlocking a bit hoping it'd uncover the problem. Sadly it didn't but I thought the change could still be useful so I opened #279. Maybe more invariants can be checked this way, I just didn't find enough time to do it yet.

[Kixunil]

current.next_in_queue ins not cleared (set to ptr::null()) here

Doesn't look correct to me but maybe I'm missing something?

[Kixunil]

And rehash_bucket_into() doesn't clear bucket.queue_head nor bucket_queue_tail which also seems wrong or at least dangerous.

[Amanieu]

current.next_in_queue ins not cleared (set to ptr::null()) here

Doesn't look correct to me but maybe I'm missing something?

It it cleared here.

And rehash_bucket_into() doesn't clear bucket.queue_head nor bucket_queue_tail which also seems wrong or at least dangerous.

That shouldn't matter since we are publishing a newer hash table. lock_bucket will immediately abort and retry with the new hash table, and never read the invalid pointers.

[jefshe]

If you still have this open in GDB, can you go to frame 7 (rehash_bucket_into) and print bucket.queue_head?

Time zones blow, Here is the output from another run of gdb

#0  0x00007f387f755a9b in __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:309
#1  0x000055ff5211aca9 in core::intrinsics::copy_nonoverlapping (src=0x7f371fffd4b8, dst=0x7f387b654180 <_tr_flush_block+1488>, count=1) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/intrinsics.rs:1860
#2  0x000055ff521141c3 in core::ptr::swap_nonoverlapping_one (x=0x7f387b654180 <_tr_flush_block+1488>, y=0x7f371fffd4b8)
    at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/ptr/mod.rs:455
#3  0x000055ff5211b014 in core::mem::swap (x=0x7f387b654180 <_tr_flush_block+1488>, y=0x7f371fffd4b8)
    at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/mem/mod.rs:688
#4  0x000055ff5211b12c in core::mem::replace (dest=0x7f387b654180 <_tr_flush_block+1488>, src=0x0)
    at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/mem/mod.rs:815
#5  0x000055ff52115645 in core::cell::Cell<T>::replace (self=0x7f387b654180 <_tr_flush_block+1488>, val=0x0)
    at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/cell.rs:393
#6  0x000055ff521155e4 in core::cell::Cell<T>::set (self=0x7f387b654180 <_tr_flush_block+1488>, val=0x0)
    at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/cell.rs:344
#7  0x000055ff52113d05 in parking_lot_core::parking_lot::rehash_bucket_into (bucket=0x7f3854000dc0, table=0x7f3701e2c870)
    at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.2/src/parking_lot.rs:314
#8  0x000055ff5211396d in parking_lot_core::parking_lot::grow_hashtable (num_threads=11)
    at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.2/src/parking_lot.rs:277
#9  0x000055ff521133b2 in parking_lot_core::parking_lot::ThreadData::new ()
    at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.2/src/parking_lot.rs:156
#10 0x000055ff52113e5e in parking_lot_core::parking_lot::with_thread_data::THREAD_DATA::__init ()
    at /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.2/src/parking_lot.rs:178
#11 0x000055ff5211bc10 in core::ops::function::FnOnce::call_once ()
    at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/core/src/ops/function.rs:227
#12 0x000055ff52115c3a in std::thread::local::lazy::LazyKeyInner<T>::initialize (self=0x7f371ffff178, init=0x0)
    at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/local.rs:304
#13 0x000055ff52115996 in std::thread::local::fast::Key<T>::try_initialize (self=0x7f371ffff178, init=0x0)
    at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/local.rs:473
#14 0x000055ff52115adb in std::thread::local::fast::Key<T>::get (self=0x7f371ffff178, init=0x55ff5208272f <tokio::runtime::task::state::State::fetch_update+255>) at /rustc/e1884a8e3c3e813aada8254edfa120e85bf5ffca/library/std/src/thread/local.rs:456

(gdb) p bucket.queue_head
$3 = core::cell::Cell<*const parking_lot_core::parking_lot::ThreadData> {value: core::cell::UnsafeCell<*const parking_lot_core::parking_lot::ThreadData> {value: 0x7f387b654178 <_tr_flush_block+1480>}}

It looks like the old table has somehow been poisoned with a bad memory address

(gdb) p old_table.entries.data_ptr[7].queue_head
$18 = core::cell::Cell<*const parking_lot_core::parking_lot::ThreadData> {value: core::cell::UnsafeCell<*const parking_lot_core::parking_lot::ThreadData> {value: 0x7f387b654178 <_tr_flush_block+1480>}}

I'll keep trying to debug this to try and see what is poisoning the table

[Amanieu]

Can you try compiling and running the program with RUSTFLAGS=-Zsanitizer=address?

[jefshe]

Sorry for the late response I've only gotten around to trying this out now. I can't seem to compile with that flag on. Is there something silly im missing? It seems like any dependency I have which uses procedural macros doesn't like having this flag turned on:

error: ../target/release/deps/libpin_project_internal-87d44c67eb2e6a2b.so: undefined symbol: __asan_option_detect_stack_use_after_return
  --> /home/opencpu/.cargo/registry/src/github.com-1ecc6299db9ec823/pin-project-1.0.5/src/lib.rs:83:9
   |
83 | pub use pin_project_internal::pin_project;
   |         ^^^^^^^^^^^^^^^^^^^^

As a side note, I tried disabling the parking_lot optimizations from tokio and now my reproducible example doesn't segfault.

[bjorn3]

Try passing --target x86_64-unknown-linux-gnu or whatever your system is to cargo. This will prevent cargo from using RUSTFLAGS when building host dependencies like proc macros and build scripts.

[glittershark]

I've got a segfault on code in a similar area (caused by next_in_queue containing a null invalid pointer) - here's the top of the trace from asan:

=================================================================
==1853596==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f908396717e bp 0x7f907a9d3940 sp 0x7f907a9d30f8 T1151)
==1853596==The signal is caused by a READ memory access.
==1853596==Hint: address points to the zero page.
    #0 0x7f908396717e in __memcpy_sse2_unaligned_erms (/nix/store/1jn6apz0fa9h9x7rl3v6vwiymwnjznwv-glibc-2.32-40/lib/libc.so.6+0xa617e)
    #1 0x55f30ab43677 in __asan_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #2 0x55f313c53118 in core::intrinsics::copy_nonoverlapping::h6166e80050960140 /home/grfn/.rustup/toolchains/nightly-2021-01-01-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/intrinsics.rs:1867:14
    #3 0x55f313c59b7d in core::ptr::read::h213d49fbf792bde1 /home/grfn/.rustup/toolchains/nightly-2021-01-01-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:699:9
    #4 0x55f313c586b9 in core::ptr::swap_nonoverlapping_one::h5ecaf08e473401f0 /home/grfn/.rustup/toolchains/nightly-2021-01-01-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:458:21
    #5 0x55f313c43913 in core::mem::swap::h28d6cbbf5937c01d /home/grfn/.rustup/toolchains/nightly-2021-01-01-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:695:9
    #6 0x55f313c43c22 in core::mem::replace::h0033c5855627b22b /home/grfn/.rustup/toolchains/nightly-2021-01-01-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:822:5
    #7 0x55f313c4514f in core::cell::Cell$LT$T$GT$::replace::h1a7fb7d0fbae8217 /home/grfn/.rustup/toolchains/nightly-2021-01-01-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/cell.rs:393:9
    #8 0x55f313c44fe3 in core::cell::Cell$LT$T$GT$::set::h1445a778083dc723 /home/grfn/.rustup/toolchains/nightly-2021-01-01-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/cell.rs:344:19
    #9 0x55f313c27d05 in parking_lot_core::parking_lot::unpark_requeue::h10019ce5f23b01d9 /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot_core-0.8.3/src/parking_lot.rs:931:13
    #10 0x55f313c1b8b4 in parking_lot::condvar::Condvar::notify_one_slow::hf4af2e338d20f2a5 /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.1/src/condvar.rs:173:23
    #11 0x55f313969486 in parking_lot::condvar::Condvar::notify_one::hf13bf6f7163e897a /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.1/src/condvar.rs:135:9
    #12 0x55f313954069 in tokio::loom::std::parking_lot::Condvar::notify_one::h8d41a977c1327d6d /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.5.0/src/loom/std/parking_lot.rs:77:9
    #13 0x55f3138e49a1 in tokio::runtime::blocking::pool::Spawner::spawn::h7c7c35689357a8f2 /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.5.0/src/runtime/blocking/pool.rs:221:17
    #14 0x55f310eb5cf3 in tokio::runtime::handle::Handle::spawn_blocking::h1ac242d47e491511 /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.5.0/src/runtime/handle.rs:202:17
    #15 0x55f310ded8c4 in tokio::runtime::blocking::pool::spawn_blocking::h7d1ba936fb254f59 /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.5.0/src/runtime/blocking/pool.rs:86:5
    #16 0x55f310dca32f in tokio::runtime::thread_pool::worker::block_in_place::_$u7b$$u7b$closure$u7d$$u7d$::hd825238e601e52c2 /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.5.0/src/runtime/thread_pool/worker.rs:256:9
    #17 0x55f310e2b5e3 in tokio::macros::scoped_tls::ScopedKey$LT$T$GT$::with::h4bbde8d26e61ce01 /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.5.0/src/macros/scoped_tls.rs:74:22
    #18 0x55f310dbe630 in tokio::runtime::thread_pool::worker::block_in_place::hf37088e833dddf7e /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.5.0/src/runtime/thread_pool/worker.rs:203:5
    #19 0x55f30fd5f094 in tokio::task::blocking::block_in_place::hbc5549afbcf1ef95 /home/grfn/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.5.0/src/task/blocking.rs:50:9

I'm not yet convinced that this isn't my fault, though, so it could potentially be a red herring.

[glittershark]

Never mind, that segfault appears to have been caused by another library.

[Amanieu]

Can you tell me more about it? It seems very strange that another library could affect the internals of parking_lot.

I think there is a bug somewhere in parking_lot, but it is very difficult for me to debug this without having a way to reproduce the crash.

[glittershark]

I ran the same code with threadsan and saw a lot of race conditions caused by https://github.com/DoumanAsh/async-timer. After replacing async-timer with tokio::time the segfault went away 🤷🏻‍♂️

Unfortunately the code itself is closed source, otherwise I'd totally share it with you

[glittershark]

I had the thought of rring it and breaking when that address gets 0x8 assigned to it (I thought it was null at first but it's not - it's actually 8!) but rr doesn't work on my cpu 😢