Hello everyone,
I tried to reproduce this issue inside a minimal qemu VM,
with an available X server, and investigate with the help
of rr-debugger and valgrind.
First, in camp::picture::shipout3, line 1404, the process asy
forks, and the following failure happens in the child thereof.
In the backtrace [1] the malloc error is written.
This happens while being inside a signal handler of
a SIGSEGV, which attempts to log something.
As far as I understand, such complex things inside
a signal handler are likely to fail.
The SIGSEGV before seems to be caused by a double free,
once in builtin_builder::release [2] and before that,
once in builtin_builder::~builtin_builder [3],
both below the __run_exit_handlers.
Maybe the order of the exit handlers is important here?
This also shows up with valgrind at the bottom of the run.
rr was working with current git head and the
environment LP_NO_RAST=1 set, otherwise I got a SIGFPE, which
might be an issue in rr.
It seems to depend on using the mesa software renderer.
Therefore it may be better reproducible on regular desktops
with e.g. LIBGL_ALWAYS_SOFTWARE=true and
GALLIUM_DRIVER=llvmpipe.
In my test VM with GALLIUM_DRIVER=softpipe it shows
"malloc_consolidate(): invalid chunk size", but I have
not followed that further.
Kind regards,
Bernhard
[1]
(rr) bt
#0 malloc_printerr (str=str@entry=0x7f76cc2c6678 "malloc(): unsorted double linked list corrupted") at malloc.c:5347
#1 0x00007f76cc1bfd74 in _int_malloc (av=av@entry=0x7f76cc2f5b80 <main_arena>, bytes=bytes@entry=8192) at malloc.c:3744
#2 0x00007f76cc1c1299 in __GI___libc_malloc (bytes=bytes@entry=8192) at malloc.c:3066
#3 0x00007f76cc5220b5 in operator new (sz=8192) at ../../../../src/libstdc++-v3/libsupc++/new_op.cc:50
#4 0x00007f76cc5220f5 in operator new[] (sz=<optimized out>) at ../../../../src/libstdc++-v3/libsupc++/new_opv.cc:32
#5 0x00007f76cc57c0b4 in std::basic_filebuf<char, std::char_traits<char> >::_M_allocate_internal_buffer (this=0x7ffc31779080) at /build/gcc-10-Km9U7s/gcc-10-10.2.1/build/x86_64-linux-gnu/libstdc++-v3/include/bits/fstream.tcc:49
#6 std::basic_filebuf<char, std::char_traits<char> >::_M_allocate_internal_buffer (this=0x7ffc31779080) at /build/gcc-10-Km9U7s/gcc-10-10.2.1/build/x86_64-linux-gnu/libstdc++-v3/include/bits/fstream.tcc:49
#7 0x00007f76cc57ffe3 in std::basic_filebuf<char, std::char_traits<char> >::open (this=0x7ffc31779080, __s=0x7f76ca30f860 "/usr/share/asymptote/three.asy", __mode=std::_S_in) at /build/gcc-10-Km9U7s/gcc-10-10.2.1/build/x86_64-linux-gnu/libstdc++-v3/include/bits/fstream.tcc:188
#8 0x000055744bd819b9 in std::basic_ifstream<char, std::char_traits<char> >::open (__mode=<optimized out>, __s=<optimized out>, this=<optimized out>) at /usr/include/c++/10/bits/ios_base.h:130
#9 std::basic_ifstream<char, std::char_traits<char> >::basic_ifstream (__mode=<optimized out>, __s=<optimized out>, this=<optimized out>, __in_chrg=<optimized out>, __vtt_parm=<optimized out>) at /usr/include/c++/10/fstream:533
#10 operator<< (out=..., pos=...) at errormsg.cc:30
#11 0x000055744bd81fd6 in errorstream::message (this=0x55744bef6270 <em>, pos=..., s="runtime: ") at errormsg.cc:63
#12 0x000055744bd8220a in errorstream::runtime (this=0x55744bef6270 <em>, pos=...) at errormsg.cc:81
#13 0x000055744be12ce6 in sigsegv_handler (emergency=<optimized out>) at main.cc:78
#14 sigsegv_handler (emergency=1277376864) at main.cc:75
#15 0x00007f76cccc82d0 in sigsegv_handler (sig=<optimized out>, sip=<optimized out>, ucp=0x7ffc31779440) at handler-unix.c:267
#16 <signal handler called>
#17 0x00007f76c6b532cf in unsafe_free (info=0x55744c2662a0) at ../src/util/ralloc.c:307
#18 0x00007f76c6b538a2 in unsafe_free (info=<optimized out>) at ../src/util/ralloc.c:308
#19 ralloc_free (ptr=0x55744c2339a0) at ../src/util/ralloc.c:278
#20 ralloc_free (ptr=0x55744c2339a0) at ../src/util/ralloc.c:269
#21 0x00007f76c6a94b8c in (anonymous namespace)::builtin_builder::release (this=0x7f76c7aacfd0 <builtins>) at ../src/compiler/glsl/builtin_functions.cpp:1326
#22 _mesa_glsl_builtin_functions_decref () at ../src/compiler/glsl/builtin_functions.cpp:7759
#23 0x00007f76c6831245 in _mesa_free_context_data (ctx=ctx@entry=0x7f76be008010, destroy_debug_output=destroy_debug_output@entry=false) at ../src/mesa/main/context.c:1402
#24 0x00007f76c67c2a87 in st_destroy_context (st=0x55744c4aa880) at ../src/mesa/state_tracker/st_context.c:1146
#25 0x00007f76c67a495e in dri_destroy_context (cPriv=<optimized out>) at ../src/gallium/frontends/dri/dri_context.c:247
#26 0x00007f76c6ca3903 in driDestroyContext (pcp=0x55744c1ca700) at ../src/mesa/drivers/dri/common/dri_util.c:533
#27 0x00007f76ca5d1a7f in drisw_destroy_context (context=0x55744c1ca570) at ../src/glx/drisw_glx.c:379
#28 0x00007f76ca5d722e in glx_display_free (priv=priv@entry=0x55744c1c1a90) at ../src/glx/glxext.c:245
#29 0x00007f76ca5d72bf in __glXCloseDisplay (dpy=0x55744c1a7870, codes=<optimized out>) at ../src/glx/glxext.c:304
#30 0x00007f76cc00cbc2 in XCloseDisplay (dpy=0x55744c1a7870) at ../../src/ClDisplay.c:65
#31 0x00007f76ccceda7f in fgDeinitialize () at freeglut_init.c:524
#32 fgDeinitialize () at freeglut_init.c:411
#33 0x00007f76cc1754d7 in __run_exit_handlers (status=0, listp=0x7f76cc2f5718 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#34 0x00007f76cc17567a in __GI_exit (status=<optimized out>) at exit.c:139
#35 0x000055744be02ae2 in gl::quit () at glrender.cc:652
#36 0x000055744be07ebf in gl::glrender (prefix=<error: Cannot access memory at address 0xfc>, pic=0x7f76ca581f20, format=<error reading variable: Cannot access memory at address 0x4669>, width=6.5947378298252455e-96, height=5.4110892682213118e-312, angle=5.4110892682213118e-312, zoom=0, m=..., M=..., shift=..., margin=..., t=0x55744c1a5110, background=0x55744c1969b0, nlightsin=140721138367920, lights=0x7f76c9758548, diffuse=0x7f76c97583f0, specular=0x7f76c9758230, view=false, oldpid=0) at glrender.cc:1866
#37 0x000055744bb9a01a in camp::picture::shipout3 (this=0x0, prefix=<error: Cannot access memory at address 0x841f0f2e66c3>, format=<error reading variable: Cannot access memory at address 0x4669>, width=6.5947378298252455e-96, height=5.4110892682213118e-312, angle=5.4110892682213118e-312, zoom=0, m=..., M=..., shift=..., margin=..., t=0x55744c1a5110, background=0x55744c1969b0, nlights=3, lights=0x7f76c9758548, diffuse=0x7f76c97583f0, specular=0x7f76c9758230, view=true) at picture.cc:1417
#38 0x000055744bcf9921 in run::gen_runpicture43 (Stack=0x55744c1969b0) at runpicture.in:485
#39 0x000055744bd95fee in vm::stack::runWithOrWithoutClosure (this=0x7ffc31770fc0, l=0x7f76c96cfd38, vars=0x4661, parent=0x55744c2662a0) at stack.cc:463
#40 0x000055744bd95f25 in vm::stack::runWithOrWithoutClosure (this=0x7ffc31770fc0, l=0x7f76c8f1eff0, vars=0x4661, parent=0x55744c2662a0) at stack.cc:521
#41 0x000055744bd95f25 in vm::stack::runWithOrWithoutClosure (this=0x7ffc31770fc0, l=0x7f76c90e3e68, vars=0x4661, parent=0x55744c2662a0) at stack.cc:521
#42 0x000055744bd95f25 in vm::stack::runWithOrWithoutClosure (this=0x7ffc31770fc0, l=0x7f76c8f4aaf0, vars=0x4661, parent=0x55744c2662a0) at stack.cc:521
#43 0x000055744bd95f25 in vm::stack::runWithOrWithoutClosure (this=0x7ffc31770fc0, l=0x7f76c90f52f8, vars=0x4661, parent=0x55744c2662a0) at stack.cc:521
#44 0x000055744bd95f25 in vm::stack::runWithOrWithoutClosure (this=0x7ffc31770fc0, l=0x7f76c9624c08, vars=0x4661, parent=0x55744c2662a0) at stack.cc:521
#45 0x000055744bd95f25 in vm::stack::runWithOrWithoutClosure (this=0x7ffc31770fc0, l=0x7f76c985b5d0, vars=0x4661, parent=0x55744c2662a0) at stack.cc:521
#46 0x000055744bd95f25 in vm::stack::runWithOrWithoutClosure (this=0x7ffc31770fc0, l=0x7f76c9ab6370, vars=0x4661, parent=0x55744c2662a0) at stack.cc:521
#47 0x000055744bd95f25 in vm::stack::runWithOrWithoutClosure (this=0x7ffc31770fc0, l=0x7f76c9144118, vars=0x4661, parent=0x55744c2662a0) at stack.cc:521
#48 0x000055744bdc219e in icore::postRun (s=..., this=<optimized out>) at process.cc:211
#49 ifile::postRun (this=0x7ffc317798b0, e=..., s=...) at process.cc:383
#50 0x000055744bdc69de in icore::doRun (this=0x55744c2662a0, purge=32, tm=(TRANS_NORMAL | unknown: 0x4660)) at process.cc:238
#51 0x0000000000000000 in ?? ()
(rr) when
Current event: 9570
[2]
(rr) bt
#0 0x00007f76c6b5383b in get_header (ptr=<optimized out>) at ../src/util/ralloc.c:96
#1 ralloc_free (ptr=<optimized out>) at ../src/util/ralloc.c:276
#2 ralloc_free (ptr=0x55744c2339a0) at ../src/util/ralloc.c:269
#3 0x00007f76c6a94b8c in (anonymous namespace)::builtin_builder::release (this=0x7f76c7aacfd0 <builtins>) at ../src/compiler/glsl/builtin_functions.cpp:1326
#4 _mesa_glsl_builtin_functions_decref () at ../src/compiler/glsl/builtin_functions.cpp:7759
#5 0x00007f76c6831245 in _mesa_free_context_data (ctx=ctx@entry=0x7f76be008010, destroy_debug_output=destroy_debug_output@entry=false) at ../src/mesa/main/context.c:1402
#6 0x00007f76c67c2a87 in st_destroy_context (st=0x55744c4aa880) at ../src/mesa/state_tracker/st_context.c:1146
#7 0x00007f76c67a495e in dri_destroy_context (cPriv=<optimized out>) at ../src/gallium/frontends/dri/dri_context.c:247
#8 0x00007f76c6ca3903 in driDestroyContext (pcp=0x55744c1ca700) at ../src/mesa/drivers/dri/common/dri_util.c:533
#9 0x00007f76ca5d1a7f in drisw_destroy_context (context=0x55744c1ca570) at ../src/glx/drisw_glx.c:379
#10 0x00007f76ca5d722e in glx_display_free (priv=priv@entry=0x55744c1c1a90) at ../src/glx/glxext.c:245
#11 0x00007f76ca5d72bf in __glXCloseDisplay (dpy=0x55744c1a7870, codes=<optimized out>) at ../src/glx/glxext.c:304
#12 0x00007f76cc00cbc2 in XCloseDisplay (dpy=0x55744c1a7870) at ../../src/ClDisplay.c:65
#13 0x00007f76ccceda7f in fgDeinitialize () at freeglut_init.c:524
#14 fgDeinitialize () at freeglut_init.c:411
#15 0x00007f76cc1754d7 in __run_exit_handlers (status=0, listp=0x7f76cc2f5718 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#16 0x00007f76cc17567a in __GI_exit (status=<optimized out>) at exit.c:139
#17 0x000055744be02ae2 in gl::quit () at glrender.cc:652
...
(rr) when
Current event: 9541
[3]
(rr) reverse-cont
Continuing.
Breakpoint 5, 0x00007f76c6b5383b in get_header (ptr=<optimized out>) at ../src/util/ralloc.c:96
96 ralloc_header *info = (ralloc_header *) (((char *) ptr) -
1: x/i $pc
=> 0x7f76c6b5383b <ralloc_free+11>: lea -0x30(%rdi),%r12
2: ptr = <optimized out>
(rr) bt
#0 0x00007f76c6b5383b in get_header (ptr=<optimized out>) at ../src/util/ralloc.c:96
#1 ralloc_free (ptr=<optimized out>) at ../src/util/ralloc.c:276
#2 ralloc_free (ptr=0x55744c2339a0) at ../src/util/ralloc.c:269
#3 0x00007f76c6a6830d in (anonymous namespace)::builtin_builder::~builtin_builder (this=<optimized out>, __in_chrg=<optimized out>) at ../src/compiler/glsl/builtin_functions.cpp:1280
#4 0x00007f76cc1754d7 in __run_exit_handlers (status=0, listp=0x7f76cc2f5718 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#5 0x00007f76cc17567a in __GI_exit (status=<optimized out>) at exit.c:139
#6 0x000055744be02ae2 in gl::quit () at glrender.cc:652
#7 0x000055744be07ebf in gl::glrender (prefix="polly-delicm\000polly-enable-delicm\000-passes=licm\000.licm\000enable-loop-versioning-licm\000disable-machine-licm\000disable-postra-machine-licm\000experimental-zbm\000llvm.ppc.vsx.xxgenpcvbm\000llvm.ppc.altivec.vmsumubm\000tbm\000"..., pic=0x0, format=Traceback (most recent call last): File "/lib/x86_64-linux-gnu/../../share/gcc/python/libstdcxx/v6/printers.py", line 903, in to_string return ptr.lazy_string (length = length)OverflowError: int too big to convert, width=0, height=2.8480999736851678e-306, angle=2.8480999736437188e-306, zoom=2.8480999736437207e-306, m=..., M=..., shift=..., margin=..., t=0x55744c1a5110, background=0x55744c1969b0, nlightsin=140721138367920, lights=0x7f76c9758548, diffuse=0x7f76c97583f0, specular=0x7f76c9758230, view=false, oldpid=0) at glrender.cc:1866
#8 0x000055744bb9a01a in camp::picture::shipout3 (this=0x0, prefix=<error reading variable: Cannot access memory at address 0x8>, format=Traceback (most recent call last): File "/lib/x86_64-linux-gnu/../../share/gcc/python/libstdcxx/v6/printers.py", line 903, in to_string return ptr.lazy_string (length = length)OverflowError: int too big to convert, width=0, height=2.8480999736851678e-306, angle=2.8480999736437188e-306, zoom=2.8480999736437207e-306, m=..., M=..., shift=..., margin=..., t=0x55744c1a5110, background=0x55744c1969b0, nlights=3, lights=0x7f76c9758548, diffuse=0x7f76c97583f0, specular=0x7f76c9758230, view=true) at picture.cc:1417
#9 0x000055744bcf9921 in run::gen_runpicture43 (Stack=0x55744c1969b0) at runpicture.in:485
...
(rr) when
Current event: 9519
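
The point about logging inside the SIGSEGV handler (backtrace [1], where the handler reaches malloc on an already corrupted heap), as an added example that is not part of the original message or of Asymptote's code: a handler limited to a stack buffer, write(2) and _exit(2). The names format_fault, on_segv and install_segv_handler are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* sigaction, siginfo_t */
#endif
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Build "<prefix>0x<hex>\n" in a caller-supplied buffer: no heap, no stdio.
   Returns the length written (without the NUL), or 0 if buf is too small. */
size_t format_fault(char *buf, size_t cap, const char *prefix, uintptr_t addr)
{
    static const char digits[] = "0123456789abcdef";
    char hex[2 * sizeof addr];
    size_t nhex = 0, plen = strlen(prefix), pos = plen;
    do {                                  /* least significant digit first */
        hex[nhex++] = digits[addr & 0xf];
        addr >>= 4;
    } while (addr != 0);
    if (plen + nhex + 4 > cap) return 0;  /* "0x" + '\n' + NUL */
    memcpy(buf, prefix, plen);
    buf[pos++] = '0'; buf[pos++] = 'x';
    while (nhex > 0)
        buf[pos++] = hex[--nhex];
    buf[pos++] = '\n';
    buf[pos] = '\0';
    return pos;
}

/* Hypothetical handler: one write(2) from a stack buffer, then _exit(2),
   which does not run atexit handlers or static destructors again. */
static void on_segv(int sig, siginfo_t *si, void *uctx)
{
    char msg[64];
    size_t n = format_fault(msg, sizeof msg, "SIGSEGV at ", (uintptr_t)si->si_addr);
    (void)sig; (void)uctx;
    if (n > 0 && write(STDERR_FILENO, msg, n) < 0) { /* nothing safe to do */ }
    _exit(128 + SIGSEGV);
}

int install_segv_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    return sigaction(SIGSEGV, &sa, NULL);
}
```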