heap corruption / segfault during Python GC inside capture_while (found in 1.13.0.dev20260422)

[adenzler-nvidia]

Summary

A deterministic SIGSEGV (or double free or corruption on glibc) hits during Python garbage collection while a warp.capture_while region is active on the CPU device. The same workload runs cleanly on 1.13.0.dev20260421 and crashes on 1.13.0.dev20260422, so it's a one-day regression.

The crash profile points at a missed reference-retention path in the new CPU graph-capture / APIC replay work added in #1349.

Reproducer

Any workload that drives mujoco-warp on CPU inside a graph capture reproduces. Concrete example (from newton-physics/newton):

git clone https://github.com/newton-physics/newton.git
cd newton
# pin the bad nightly
uv lock --upgrade-package warp-lang
# ensure warp-lang==1.13.0.dev20260422 is resolved
CUDA_VISIBLE_DEVICES= uv run --extra dev -m newton.tests \
    -k test_selection.example_selection_cartpole_cpu

Expected: test passes.
Actual: SIGSEGV (-11) or SIGABRT (-6) partway through the simulation loop. Happens across Ubuntu x86_64, Ubuntu arm64, macOS (arm64), Windows, and on a CUDA box when CUDA is hidden.

Stack traces

Two observed crash sites, both during Garbage-collecting — which is characteristic of heap corruption rather than a single logic bug (GC just happens to be where the trap fires):

Site A — GC during array construction

Fatal Python error: Segmentation fault
Current thread 0x... (most recent call first):
  Garbage-collecting
  File ".../warp/_src/types.py", line 2304 in __init__
  File ".../warp/_src/types.py", line 3878 in __ctype__
  File ".../warp/_src/context.py", line 7610 in pack_arg
  File ".../warp/_src/context.py", line 8292 in pack_args
  File ".../warp/_src/context.py", line 8297 in launch
  File ".../mujoco_warp/_src/solver.py", line 3240 in _solver_iteration
  File ".../warp/_src/context.py", line 9743 in capture_while
  File ".../mujoco_warp/_src/solver.py", line 3335 in _solve
  ...

Site B — GC during kernel compilation

Fatal Python error: Segmentation fault
Current thread 0x... (most recent call first):
  Garbage-collecting
  File ".../ast.py", line 52 in parse
  File ".../warp/_src/codegen.py", line 1038 in __init__      # Adjoint.__init__
  File ".../warp/_src/context.py", line 781 in __init__       # Function.__init__
  File ".../warp/_src/context.py", line 1362 in wrapper
  File ".../mujoco_warp/_src/solver.py", line 1809 in update_constraint_efc
  File ".../warp/_src/context.py", line 9743 in capture_while
  ...

Both traces have warp.capture_while live on the CPU path above the crashing frame.

Extension modules: numpy._core._multiarray_umath, numpy.linalg._umath_linalg, _warp_fastcall, _cbor2

Bisect

Nightly	Result
1.13.0.dev20260421	✅ passes full Newton suite
1.13.0.dev20260422	❌ segfault in test_selection.example_selection_cartpole_cpu

Nothing between those nightlies touches the CPU execution path except the work landed for #1349 ("Add graph capture for APIC serialization and CPU replay"). The commit message explicitly calls out reference retention for CPU capture (base array in _regions, ModuleExec on the graph) and mentions a follow-up to "Retain ModuleExec on CPU APIC graphs to prevent use-after-unload" — our symptom looks like a retention site that was missed for the per-launch array views / packed kernel args that mujoco-warp creates.

Environment

• OS: reproduced on Ubuntu 22.04 x86_64, Ubuntu 24.04 arm64, Windows, macOS (arm64), and a CUDA runner with CUDA_VISIBLE_DEVICES=""
• Python: 3.12
• warp-lang: 1.13.0.dev20260422 (installed from https://pypi.nvidia.com/)
• mujoco-warp: 3.7.0.1
• Device: CPU (the test forces --device cpu)

Workaround

Pin to warp-lang==1.13.0.dev20260421 until a fix lands.

Suspected cause

Heap/refcount bug in the new CPU APIC capture/replay machinery — something a kernel launch needs to stay alive for the duration of capture_while (likely an array view, apic_array_t, a per-launch param record, or a function-pointer-carrying struct) is being reaped by Python GC before the recorded operation runs, and later use of the dangling pointer segfaults.

[c0d1f1ed]

Multiple reproduction and bisecting efforts show this is not an APIC / CPU graph regression but rather pre-existing for quite some time. Instead there appear to be two distinct bugs:

1. Access Violation inside notify_model_changed. Some kernel in _update_model_inertial_properties / _update_joint_properties / the _mujoco_warp.set_* calls reads or writes out of bounds. Goes away when skipping it. This appears to be a Newton or mujoco-warp bug, not Warp itself.
2. Heap corruption inside _mujoco_warp.step()'s forward dynamics kernels (fwd_position / fwd_velocity / make_constraint). This still occurs when skipping notify_model_changed and thus needs a separate investigation. The prime candidates would be kernels that run during the step loop with data that was populated in _convert_to_mjc's Python-side data copies.

Latest investigation noted: issue-1385-investigation.md

[c0d1f1ed]

Bug Summary (updated)

Originally filed as a regression bisected to d11116fca (APIC MVP). Further investigation shows this is a pre-existing latent bug — Warp 1.12.1 (tagged 2026-04-05, ~2 weeks before the APIC merge) reproduces the same Windows heap-corruption / access-violation crash at ~25 % failure rate on the same test. The APIC merge changes allocation density and shifts heap layout, which raises the detection rate to ~60–80 %, but does not introduce the corrupting write. Every Warp-side code change between 1.12.0 and HEAD that could plausibly be the cause has been audited and ruled out (details below).

Full investigation notes, reproduction recipe, per-commit crash-rate table, and ruled-out hypotheses with code references are in issue-1385-investigation.md.

Symptoms

Running the Newton selection-cartpole CPU example in a loop on Windows under CUDA_VISIBLE_DEVICES= produces, non-deterministically:

• Windows access violation (0xC0000005) inside invoke() → hooks.forward(),
• Windows heap corruption (0xC0000374) inside get_kernel_hooks → runtime.llvm.wp_lookup,
• Windows fatal exception with <no Python frame> during process teardown,
• Silent numerical corruption — simulation runs to completion but fails physics-invariant checks.

All four are faces of the same underlying heap damage. The faulthandler stacks point at detection sites (where the Windows allocator next validates the damaged region), not corruption sites.

Reproduction (Windows)

cd c:/src/newton
for i in 1 2 3 4 5 6 7; do
  CUDA_VISIBLE_DEVICES= uv run \
    --with "warp-lang @ file:///c:/src/warp-apic-mvp-v2" \
    --extra dev -m newton.tests \
    -k test_selection.example_selection_cartpole_cpu
done

Simpler scaffolds (capture_while on CPU with a minimal kernel; a mujoco-shaped struct-args scaffold) do not reproduce — the bug requires the full Newton + mujoco-warp kernel corpus + allocation density.

Evidence it is pre-existing

Warp version / commit	Config	Failure rate
1.12.1 (2026-04-05; pre-APIC, pre-JITLink)	stock PyPI, RTDyld	25 % (5/20)
5f44d27b9 (2026-04-21; pre-APIC)	JITLink	43 %
b7d484365 (2026-04-14; launch_bounds_t templated)	JITLink	40 %
HEAD post-APIC, fresh cache	JITLink	60 %
HEAD post-APIC, fresh cache	legacy_cpu_linker=True	71 %

1.12.1 hits only access-violation (no HC); the HC variant appears somewhere between Apr 5 and Apr 13, before the APIC merge. Both variants persist through HEAD.

Hypotheses ruled out

All verified by audit of current code against v1.12.1 and the APIC merge diff.

• launch_bounds_t ABI mismatch between Python ctypes and C++: Python and C++ produce the same 24 B / 32 B layouts on MSVC x64; the launch path is self-consistent on HEAD. (1.12.1 used a non-templated launch_bounds_t; it also crashes.)
• APIC-specific CPU launch path: runtime._apic_capture is None throughout the failing test; the launch takes the non-APIC invoke() branch in context.py. Signature change to wp_cpu_launch_kernel is ABI-matched in the ctypes binding.
• ModuleExec GC unloading JIT memory while a cached function pointer is still in use: module_exec and hooks are local to each launch() call in the non-record-cmd path. A dangling pointer would also segfault inside the JIT'd kernel, not inside the Windows heap validator during malloc.
• _aligned_malloc / _aligned_free mismatch in wp_alloc_host: identical pair used in 1.12.1 and HEAD.
• JITLink vs RTDyld linker (Sporadic CPU kernel crashes in Newton examples #1346, commit 397af7dfb): forcing legacy_cpu_linker=True leaves the failure rate essentially unchanged.
• Stale kernel-cache ABI drift across launch-bounds changes: clearing the cache increases failure rate, the opposite of what a stale-cache theory predicts.
• Newton-side suspects (wp.clone(d.qpos), kernel early-returns, state-swap alternation, notify_model_changed): bypassing each in turn shifts the AV rate but leaves the HC rate unchanged — these are detection sites, not the corrupter.

Best current model

A stray C++ write — most likely a JIT-compiled CPU kernel or a Warp runtime primitive it calls — lands outside its intended buffer. Where the write lands determines the visible symptom:

• inside a neighbouring Warp array → silent numerical corruption,
• inside Windows NT-heap LFH metadata → HC at the next malloc / free,
• inside a JIT tracker block → AV on next lookup / kernel call.

Strong evidence: on one run, _cdof ran cleanly (all inputs verified live, launch returned), the simulation completed, physics invariants then failed (wrong numbers), and a fatal AV fired at process teardown. The silent-numerical variant rules out any dangling-pointer / ABI / lifetime theory — those would crash, not silently produce wrong floats.

Candidate corrupters (can't discriminate from code-reading alone):

1. a mujoco-warp kernel indexing past a declared shape (e.g. the body_tree[i] ragged-iteration in _subtree_com_acc),
2. a Warp runtime primitive (sort, hashgrid, runlength_encode) with a sizing bug triggered by a specific input distribution,
3. a Warp codegen artifact (e.g. stale strides on a rebuilt array_t).

What's needed next

Print-debugging and bisection are poor fits — every intervention that changes heap layout shuffles the symptom. The next useful step is allocator-level instrumentation that catches the write at the moment it happens:

• Windows Page Heap (gflags /p +hpa python.exe) — places each allocation on its own page with a trailing guard; a one-byte overflow AVs at the exact writing instruction. Cheapest first step.
• Application Verifier — adds heap validation plus handle / lock checks.
• AddressSanitizer build of warp.dll / warp-clang.dll (-fsanitize=address on Clang-CL / MSVC) — catches heap-buffer-overflow / use-after-free at the C++ source line; requires rebuilding the native libraries. Tracked separately in NVIDIA/warp#1387 — wiring ASan into the Warp build is a prerequisite for using it here.
• WinDbg post-mortem on a procdump -mm crash dump — inspect heap metadata around the reported block to identify the overflowing neighbour.

Relation to the APIC merge

The APIC merge amplifies, does not cause. Reverting it would mask the symptom on some Newton workloads by lowering detection rate from ~60 % back to ~43 % on current-HEAD Warp (and to ~25 % on v1.12.1), but the underlying corruption is unchanged. The fix belongs at the corrupting write, not at heap-layout shims.

[c0d1f1ed]

The optimization of wp.tid() in b7d4843 caused Newton to access arrays out of bounds due to the "folding" behavior when more dimensions are used in the launch than the kernel uses. It was reverted wholesale in d8f5e52. Newton also addressed the undesired use of an extra dimension in newton-physics/newton#2546. Follow-up will be done as part of GH-1389 to see how to safely re-introduce the wp.tid() optimization.

That said, issue-1385-investigation.md showed there were crashes before the original wp.tid() optimization as well that still need to be root-caused and addressed.