[BUG] crash because of a bad use of unsafe.Pointer?
dunglas opened this issue · 4 comments
Description
I tried to use Otter in FrankenPHP and it made our test suite crash when using the race detector with the following error:
runtime: marked free object in span 0x7f1032cb5358, elemsize=48 freeindex=4 (bad use of unsafe.Pointer? try -d=checkptr)
It looks like it crashes when calling internal/core.NewCache().
To Reproduce
Here is the PR: dunglas/frankenphp#540
And the specific patch to switch to Otter (that creates the crash): dunglas/frankenphp@3dfc3e2 (#540)
Expected behavior
No crash :)
Environment
- OS: Ubuntu (GitHub Actions)
FrankenPHP relies a lot on cgo (but not where otter is used).
Additional context
Relevant logs
runtime: marked free object in span 0x7f1032cb5358, elemsize=48 freeindex=4 (bad use of unsafe.Pointer? try -d=checkptr)
github.com/dunglas/frankenphp_test.runTest.func1({0xba4770, 0xc0002a4d40}, 0xc00067b200)
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:72 +0x127 fp=0xc000249d18 sp=0xc000249c88 pc=0x9c2767
github.com/dunglas/frankenphp_test.TestPostSuperGlobals_worker.testPostSuperGlobals.func1(0xc0004ca3e0, 0x0?, 0x63)
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:281 +0x44e fp=0xc000249f70 sp=0xc000249d18 pc=0x9c8eee
github.com/dunglas/frankenphp_test.runTest.func2(0x63)
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:86 +0x6e fp=0xc000249fb8 sp=0xc000249f70 pc=0x9c25ae
github.com/dunglas/frankenphp_test.runTest.gowrap2()
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:88 +0x42 fp=0xc000249fe0 sp=0xc000249fb8 pc=0x9c2502
runtime.goexit({})
/opt/hostedtoolcache/go/1.22.0/x64/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc000249fe8 sp=0xc000249fe0 pc=0x483441
created by github.com/dunglas/frankenphp_test.runTest in goroutine 793
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:85 +0x9fb
goroutine 1716 gp=0xc000203340 m=nil [select]:
runtime.gopark(0xb0c940, 0x0, 0x9, 0x3, 0x1)
/opt/hostedtoolcache/go/1.22.0/x64/src/runtime/proc.go:402 +0x136 fp=0xc00022d9d0 sp=0xc00022d9a0 pc=0x447776
runtime.selectgo(0xc00022dc30, 0xc00022dbb0, 0xc00022dc50?, 0x1, 0x12?, 0x1)
/opt/hostedtoolcache/go/1.22.0/x64/src/runtime/select.go:327 +0xac6 fp=0xc00022db80 sp=0xc00022d9d0 pc=0x45b5c6
github.com/dunglas/frankenphp.ServeHTTP({0xba4770, 0xc0002a43c0}, 0xc00067a120)
/home/runner/work/frankenphp/frankenphp/frankenphp.go:462 +0x325 fp=0xc00022dc88 sp=0xc00022db80 pc=0x926de5
github.com/dunglas/frankenphp_test.runTest.func1({0xba4770, 0xc0002a43c0}, 0xc00067a000)
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:72 +0x127 fp=0xc00022dd18 sp=0xc00022dc88 pc=0x9c2767
github.com/dunglas/frankenphp_test.TestPostSuperGlobals_worker.testPostSuperGlobals.func1(0xc0004ca3e0, 0x4d45545f52454e4e?, 0x5b)
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:281 +0x44e fp=0xc00022df70 sp=0xc00022dd18 pc=0x9c8eee
github.com/dunglas/frankenphp_test.runTest.func2(0x5b)
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:86 +0x6e fp=0xc00022dfb8 sp=0xc00022df70 pc=0x9c25ae
github.com/dunglas/frankenphp_test.runTest.gowrap2()
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:88 +0x42 fp=0xc00022dfe0 sp=0xc00022dfb8 pc=0x9c2502
runtime.goexit({})
/opt/hostedtoolcache/go/1.22.0/x64/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc00022dfe8 sp=0xc00022dfe0 pc=0x483441
created by github.com/dunglas/frankenphp_test.runTest in goroutine 793
/home/runner/work/frankenphp/frankenphp/frankenphp_test.go:85 +0x9fb
Hi, thanks for the issue!
I'll try to figure it out, but it looks a bit strange since otter uses unsafe.Pointer as well as atomic.Pointer and doesn't release them by hand in any way.
The error is extremely odd. If otter had a synchronization error, it would crash with the error panic: runtime error: invalid memory address or nil pointer dereference. It feels like keys or values were freed while in the cache.
It looks like this error is caused by freeing dynamic_variables with cgo.
Indeed, my bad. Thank you so much for this library and for taking the time to investigate!