Segmentation fault linked to a big closure allocation with OCaml 5.0

[thierry-martinez]

I observed a segmentation fault with OCaml 5.0 (alpha0, alpha1 and ocaml/opam:debian-11-ocaml-5.0 docker image), which can be reproduced with the following steps. The same steps do not trigger segmentation fault with OCaml 4.14 and below (but the problem looks such fragile with respect to any change that I am not sure it is related to OCaml 5.0).

$ docker run -it --rm ocaml/opam:debian-11-ocaml-5.0
opam@...:~$ opam pin add https://github.com/thierry-martinez/stdcompat.git#disable-magic
opam@...:~$ opam pin add https://github.com/thierry-martinez/metapp.git
opam@...:~$ opam pin add https://github.com/thierry-martinez/metaquot.git#ocaml-5.0-segfault
opam@...:~$ opam install refl

I wish I would be able to make a more standalone and small example, to be sure that the fault is not in my code, but I am stuck in how I can reduce it without making the segmentation fault disappears. I already asked for help on discuss.ocaml.org and @lthls commented:

I’ve started debugging the issue, and it looks like there is a big closure allocation (size 552, start of environment at 527) that is being initialized, and the GC is running in the middle of the initialization. Because the block is not initialized yet, the start_of_env field is not yet set properly, so the block is pushed on the mark stack with offset 0 (i.e. not skipping code pointers). After a bit of marking, the block is put back on the mark stack with a non-zero offset, and execution resumes. The initialization code finishes running, and when marking resumes it starts trying to mark code pointers. This is what triggers the segfault. I haven’t found yet why the GC manages to run between the initial allocation and its initialization though: the window is very short, and doesn’t contain any code that looks likely to trigger a GC. Hopefully someone more familiar than me about the GC will find the answer.

Sorry for such a non minimal example, and thank you very much!

[lthls]

I've digged a bit further, and found more details. Here are the basic steps leading to the segfault:

• The OCaml code allocates a closure bigger than M̀AX_YOUNG_SIZE. This means that the compiler generates a call to caml_alloc, followed by several calls to caml_initialize.
• In caml_alloc, the number of words allocated on the major heap gets big enough to trigger a major slice (code here)
• The freshly allocated block (full of 1s) gets partially marked during the slice, and put back on the mark stack with an offset that is non-zero but below the future start of environment.
• The OCaml code then resumes, initializing the closure, and continues on
• Eventually another major slice starts, resumes marking the closure block from the stored offset, and ends up trying to mark code pointers -> segfault

It might be possible to build a reproduction example by repeatedly allocating big closures until we get interrupted during the closure allocation, but I don't know if we can reliably get the closure block partly marked. Maybe by tweaking the GC parameters ? I might give it a try later if no one else does.

[shindere]

@damiendoligez, in case nobody could help before you come back from vacations, I thinkn this is definitely an area where your insight may be very helpful. Very big appreciation to both Thierry and Vincent, I find both the report and the investigation very inspiring.

[xavierleroy]

Something really weird is going on here.

• If a block is marked by the major GC, even partially, it means it is reachable from the roots at the time of the major GC.
• A closure block with the wrong "start of environment" offset is not fully initialized yet.
• Only fully-initialized blocks can be reachable from roots, otherwise GC just crashes.

Note that alloc_shr does not trigger a major GC slice; it can only requests such a slice to take place as soon as it is safe to do so.

So, the mystery remains: how comes the major GC sees an uninitialized closure block?

[lthls]

So, the mystery remains: how comes the major GC sees an uninitialized closure block?

It's passed as parameter to caml_check_urgent_gc by caml_alloc (here) and caml_check_urgent_gc registers it as a root if it has to actually run some GC code (here).

[stedolan]

Note that alloc_shr does not trigger a major GC slice; it can only requests such a slice to take place as soon as it is safe to do so.

So, the mystery remains: how comes the major GC sees an uninitialized closure block?

The function that ocamlopt calls for allocations larger than Max_young_wosize is not alloc_shr but caml_alloc. The latter can trigger a major GC, but tries to ensure that the newly-allocated value is fully initialised with dummy values beforehand.

Unfortunately, it is not possible to initialise a closure with dummy values - you need to know exactly how many Infix_tag closures it will contain and this number may not change.

I think the fix here is to have ocamlopt actually call alloc_shr, guaranteeing that no GC occurs between allocation and initialisation, at least for Closure_tag values.

(I suspect you could also get this to crash in OCaml 4 under no-naked-pointers mode)

[xavierleroy]

Thanks, @lthls and @stedolan, for explaining the mystery to me.

I agree that ocamlopt could generate code that calls caml_alloc_shr instead of caml_alloc for large allocations. In the old days, the block was filled using caml_modify, so unit-initialization of the block was needed, but since #673 the block is filled with caml_initialize, which is compatible with caml_alloc_shr.

The only downside is that we're checking for urgent major GC less often...

An alternative would be to check for urgent GC in caml_alloc before allocating the block, so that the new block doesn't end up as a root.

[xavierleroy]

Yet another option is to not check for urgent major GC in caml_alloc if the tag is Closure_tag, but this is getting ugly.

[lthls]

I thought about setting the start of env to the size of the block when allocating a closure with caml_alloc. It will get overwritten to the correct value by the caml_initialize calls, so will have no impact after initialization, and until the block is initialized there's nothing that needs to be scanned anyway. But I'm not sure it's better than the alternatives above.

[damiendoligez]

I agree that ocamlopt could generate code that calls caml_alloc_shr instead of caml_alloc for large allocations. In the old days, the block was filled using caml_modify, so unit-initialization of the block was needed, but since #673 the block is filled with caml_initialize, which is compatible with caml_alloc_shr.

Note that caml_initialize must not be used after the GC has seen the block, even for non-closure blocks, because it doesn't do the major-gc part of the write barrier. The initialization performed by caml_alloc in this case is not only useless overhead, it also makes the bug (which is present for all large allocations) very hard to trigger.

The only downside is that we're checking for urgent major GC less often...

What the compiler needs to call is a function that doesn't call the GC after allocating the block, and doesn't need to initialize the fields, but still calls check_urgent_gc. I see two solutions:

1. define a new function, caml_alloc_uninitialized for this purpose
2. continue using caml_alloc but move the call to check_urgent_gc to have it before the allocation (and carefully document the dual use of caml_alloc).

[edit: in fact it works (except for closures) but I still don't like calling caml_initialize on fields that the GC has already seen.]