Ephemeron segfault with missing write barrier

[stedolan]

Ephemerons don't use the normal write barrier, and because they're marked incrementally this can lead to the lost object problem, where an object becomes reachable only from an ephemeron that's already marked and never ends up getting marked.

It's difficult to trigger because it relies on the timing of incremental GC, but here's an example that hits the bug on trunk.

module E = Ephemeron.K1

let key = ref 1
let mk_ephe () =
  let e = E.create () in
  E.set_key e key;
  e

let eph = mk_ephe ()
let other = ref "beep"

let () =
  for stop = 100 to 2000 do
    E.set_data eph (ref "hello");
    Gc.major ();
    Gc.minor (); Gc.major_slice 1 |> ignore; Gc.major_slice 1 |> ignore;
    (* let _ = Array.init 1 (fun _ -> mk_ephe ()) in *)
    let e = mk_ephe () in
    (* let _ = Array.init 3 (fun _ -> mk_ephe ()) in *)
    for i = 1 to 2000 do
      Gc.major_slice 1 |> ignore;
      if i = stop then begin
          E.blit_data eph e;
          E.set_data eph other;
        end;
    done;
    let r = match E.get_data e with None -> assert false | Some r -> r in
    Printf.printf "[%03d] %s\n%!" stop !r;
    Gc.full_major ();
  done

I'm not sure what the fix is. It may be as simple as adding darkening in blit_data (and maybe set_data?), but I don't understand what the marking invariants are for ephemerons.

[rwmjones]

We've seen crashes in Coq on Fedora Rawhide. The stack trace is shown at the bottom of the following email: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/EANYCMJWU5RQNCJ4Y5JMISGZ7A3XBUAM/

Could this be related to this bug?

[stedolan]

It's hard to say. That stacktrace looks like it might be corrupted: I can't see any route by which caml_ephe_set_key can call caml_alloc_shr. How hard is it to reproduce?

[rwmjones]

It's very hard to reproduce. I usually have to run the build over and over for days to see this even once. I also cannot see a way to get from caml_ephe_set_key to caml_alloc_shr, but the stack trace is unfortunately all we have.

[mshinwell]

Do you have a core dump?

[rwmjones]

Right now I have core dumps, but the original coqc binary from the build directory was deleted so they are not much use.

However I will now run the build in a loop until it crashes again, and will collect the binary, compiler and core dump and upload them for you. I must stress this process may take many hours (maybe even days).

[mshinwell]

It would be worth preserving the environment on the build machine if possible, as some addresses won't resolve correctly having transported the executable elsewhere.

[rwmjones]

I killed this just now. It ran for 2 days without reproducing the bug. What changed is that our Coq package has moved to the final Coq / OCaml 4.10.0 patch. Both new and old patches touch the GC, so it's entirely possible that the old patch was simply to blame.

[bobot]

Weak pointers indeed are marked during read not during write because during mark scanning they don't directly mark the destination when the source is marked.

• during mark phase, reading marks the data (x) with this criteria:

/** The minor heap is considered alive. */
#if defined (NATIVE_CODE) && defined (NO_NAKED_POINTERS)
/** The minor heap doesn't have to be marked, outside they should
    already be black
*/
Caml_inline int Must_be_Marked_during_mark(value x)
{
  CAMLassert (x != caml_ephe_none);
  CAMLassert (caml_gc_phase == Phase_mark);
  return Is_block (x) && !Is_young (x);
}
#else
Caml_inline int Must_be_Marked_during_mark(value x)
{
  CAMLassert (x != caml_ephe_none);
  CAMLassert (caml_gc_phase == Phase_mark);
  return Is_block (x) && Is_in_heap (x);
}
#endif

• during clean phase, a data that is not marked is not returned.

#define CAMLassert_not_dead_value(v) do{        \
    CAMLassert ( caml_gc_phase != Phase_clean   \
                 || !Is_block(v)                \
                 || !Is_in_heap (v)             \
                 || !Is_white_val(v) );         \
}while(0)

• At the end of the clean phase, every remaining data must be marked because of this assertion at the end of caml_ephe_clean which is called before set_data, blit_data and for all ephemerons:

        CAMLassert(caml_gc_phase == Phase_clean);
        ...
        /* If we scanned all the keys and the data field remains filled,
           then the mark phase must have marked it */
        CAMLassert( !(offset_start == 2 && offset_end == Wosize_hd (Hd_val(v))
                      && Is_block (child) && Is_in_heap (child)
                      && Is_white_val (child)));

Do you think this seems sound, and should not segfault (if the segfault is that a not marked value is returned by get_data)?

Now that "what should be" is explained, I will debug your test case.

[bobot]

I'm not able to obtain the segfault only 1901 hellos, with 1d76e2c and:

./configure
make
./ocamlopt.opt -nostdlib -I stdlib test.ml -o test
./test
./ocamlc.opt -nostdlib -I stdlib test.ml -o test
boot/ocamlrun ./test

Do you have the segfault with the variant with assertions?

EDIT: I don't have segfault also with -I runtime -runtime-variant d in native

[bobot]

But with 52dc5d7, I have one, and with the debug runtime_variant, this assertion is broken:

file caml/weak.h; line 208 ### Assertion failed: !(offset_start == 2 && offset_end == Wosize_hd (Hd_val(v)) && Is_block (child) && Is_in_heap (child) && Is_white_val (child))

[bobot]

A bug is that during mark phase, the blit move a white data from a not yet scanned ephemeron to a scanned ephemeron which keys are alive. It is particular to blit because blit tries not to darken things. I'm writing a fix.

[bobot]

The invariant during mark is described in major_gc.c, the most important is the set (1):

      - the ephemerons in (1) have a data alive or none
        (nb: new ephemerons are added in this part by weak.c)

@stedolan, the condition for the darkening is a little different from the normal write barrier, but you were completely right that it was missing in set_data and blit_data.

I still must check the condition for the set (2) during set_key, darkening of the data is perhaps needed, not for a segfault but for correction (not removing a data with alive keys). But it could go in another MR.

[stedolan]

• At the end of the clean phase, every remaining data must be marked because of this assertion at the end of caml_ephe_clean which is called before set_data, blit_data and for all ephemerons:

        CAMLassert(caml_gc_phase == Phase_clean);
        ...
        /* If we scanned all the keys and the data field remains filled,
           then the mark phase must have marked it */
        CAMLassert( !(offset_start == 2 && offset_end == Wosize_hd (Hd_val(v))
                      && Is_block (child) && Is_in_heap (child)
                      && Is_white_val (child)));

Do you think this seems sound, and should not segfault (if the segfault is that a not marked value is returned by get_data)?

I agree that that assertion should hold at the end of marking, but I don't see what makes it hold.

What I'd like to see is some description of the marking invariant for ephemerons. Some examples of these:

Tri-colour invariant (not what OCaml uses): There are no pointers from white objects to black objects. To enforce this, the write barrier checks to see if it is creating such a pointer and makes one of the objects involved grey.

Weak tri-colour invariant (what OCaml uses): All white objects pointed to by black objects are also reachable from gray objects along white paths. To enforce this, the write barrier ensures that it never makes a white object unreachable, by making white objects grey when references to them are overwritten.

Both of these invariants ensure correctness of marking, because if they are true when there are no gray objects left then all reachable objects are black.

I'd like to understand a similar invariant about ephemerons, but at the moment I don't. It's certainly not one of the two standard invariants above. Is there an invariant for ephemerons that's true throughout marking and implies your assertion when marking completes?