-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crash, invalid free in monterey #107929
Comments
@kali I have an arm64 Monterey. Happy to work with you to repro this on my machine if that's still worth doing at this point! |
@atsuzaki Well I guess it may be an extra clue. Just try the program and tell us how it goes :) |
I did try on an M1 on Monterey and it didn’t reproduce there. |
While it looks like a system allocator bug, it seemed interesting to have an issue here:
It's not clear however how to move forward with this investigation, or how to fix it, so I'd like to ask for the macos group's help, if they see something obvious we're missing here, have ever encountered a similar issue, or if they know what procedure to follow (maybe filing a Radar on Apple's bug tracker) ? @rustbot ping macos Thanks in advance. |
Hey MacOS Group! This issue or PR could use some MacOS-specific guidance. Could one |
Can you try the following example? fn main() {
let mut stuff = vec!(vec!(1));
for i in 0..50000 {
let len = (stuff[i].len() * 134775813) % 4096;
stuff.push((1234123414u32..).take(len).collect());
}
std::mem::drop(stuff);
let _ = vec!((Box::new(()), vec![[0u64; 8]])).as_slice().to_owned();
} Just minimized away the enums into a simple array with the same size/align. Should behave the exact same and would let us definitely rule out the enum optimization as just an accidental issue exposer on this code and nothing relevant. |
@Nilstrieb This is one I had tried before. I've just given it a shot again, but no such luck, without the enumeration, no repro. |
Just found this naturally in my codebase, In my repo here, This is far from a minimal example but i have the stack trace in llvm and it was caused by resizing a Vector |
I was made aware of this fix #110128 on nightly. I tested again and the monterey crash seems to be gone with nightly, whether or not this was the cause. |
Bisected the fix to |
Bug disappears with commit: 0c61c7a, which is a LLVM bump. Can't say whether the bug is fixed or the repro does not work anymore. |
Presumptively declaring victory, I guess? |
The following code, compiled optimized on MacOS Monterey, x64, will crash with an invalid free message.
Copy as a
monterey-crasher.rs
file.This shell script will loop 100 times over the generated executable, and will likely crash in the first couple of runs.
Meta
Reproducible with any stable version since 1.65. As far as we can tell it is a regression that appeared first with 512bd84
Output
Crash stack trace In LLDB:
Notes
.as_slice().to_owned()
bit. One of the breakthrough was realizing that most of the remaining code was actually just putting non-zero bits in memory. At that point we could remove most of the remaining stuff and replace it by the pseudo-random allocation at the beginning of the main.We don't know if it reproduces on arm64 monterey (not tried, could not find a machine).We could only reproduce on x86-64 Monterey, not arm64 Monterey, not Ventura.MallocNanoZone=0
in the environment as a workaround. VScode actually does it: the bug does not appear in its terminal (unless running withenv -i
to discard the switch).The text was updated successfully, but these errors were encountered: