beam[8449]: segfault at 0 ip 0000000000437e10 sp 00007fffce250948 error 4 in beam[400000+174000]

[Eric Liang]

Hi all,
I got this message from /var/log/messages when I use tsung:

    May 24 14:55:26 dev-3 kernel: [264002.592197] beam[8449]: segfault
    at 0 ip 0000000000437e10 sp 00007fffce250948 error 4 in
    beam[400000+174000]

The process is like this one:

    sunny     4796  0.9  1.8 134320 76444 ?        Sl   10:58   0:00
    /usr/lib/erlang/erts-5.7.2/bin/beam -A 256 -P 250000 -- -root
    /usr/lib/erlang -progname erl -- -home /home/sunny -noshell -noinput
    -noshell -noinput -master [hidden email]
    <http://erlang.2086793.n4.nabble.com/user/SendEmail.jtp?type=node&node=2229475&i=0>
    -name [hidden email]
    <http://erlang.2086793.n4.nabble.com/user/SendEmail.jtp?type=node&node=2229475&i=1>
    -s slave slave_start [hidden email]
    <http://erlang.2086793.n4.nabble.com/user/SendEmail.jtp?type=node&node=2229475&i=2>
    slave_waiter_2 -rsh ssh -noshell -noinput -setcookie tsung -smp disable

(Never mind the process number, they're different because the latter is
the command when I reproduced the problem.)

And the system is:

    sunny@REDACTED:~$ uname -a
    Linux dev-3 2.6.31-14-server #48-Ubuntu SMP Fri Oct 16 15:07:34 UTC
    2009 x86_64 GNU/Linux

    sunny@REDACTED:~$ dmesg | grep CPU
    [    0.000000] SMP: Allowing 32 CPUs, 24 hotplug CPUs
    [    0.000000] NR_CPUS:64 nr_cpumask_bits:64 nr_cpu_ids:32 nr_node_ids:2
    [    0.000000] PERCPU: Remapped at ffffc90000000000 with large
    pages, static data 90720 bytes
    [    0.000000] Initializing CPU#0
    [    0.000000] SLUB: Genslabs=14, HWalign=64, Order=0-3,
    MinObjects=0, CPUs=32, Nodes=2
    [    0.023346] CPU: Physical Processor ID: 1
    [    0.023347] CPU: Processor Core ID: 0
    [    0.023351] CPU: L1 I cache: 32K, L1 D cache: 32K
    [    0.023353] CPU: L2 cache: 256K
    [    0.023355] CPU: L3 cache: 4096K
    [    0.023358] CPU 0/0x10 -> Node 0
    [    0.023361] mce: CPU supports 9 MCE banks
    [    0.023373] CPU0: Thermal monitoring enabled (TM1)
    [    0.023377] CPU 0 MCA banks CMCI:2 CMCI:3 CMCI:5 CMCI:6 CMCI:8
    [    0.131977] CPU0: Intel(R) Xeon(R) CPU           E5504  @ 2.00GHz
    stepping 05

I attatched the running process by gdb, and here is the result:

    Program received signal SIGSEGV, Segmentation fault.
    unlink_free_block (allctr=0x7ad480, block=0x0) at
    beam/erl_goodfit_alloc.c:453
    453        Uint sz = BLK_SZ(blk);
    (gdb) whe
    #0  unlink_free_block (allctr=0x7ad480, block=0x0) at
    beam/erl_goodfit_alloc.c:453
    #1  0x0000000000437fd6 in get_free_block (allctr=0x7ad480,
    size=<value optimized out>, cand_blk=0x0, cand_size=0)
        at beam/erl_goodfit_alloc.c:421
    #2  0x00000000004322c6 in mbc_alloc_block (allctr=0x7ad480, size=72)
    at beam/erl_alloc_util.c:631
    #3  mbc_alloc (allctr=0x7ad480, size=72) at beam/erl_alloc_util.c:758
    #4  0x00000000004b1697 in erts_alloc () at beam/erl_alloc.h:179
    #5  exit_async () at beam/erl_async.c:132
    #6  0x000000000043c13d in system_cleanup (exit_code=<value optimized
    out>) at beam/erl_init.c:1306
    #7  0x000000000043c443 in erl_exit (n=0, fmt=0x54649c "") at
    beam/erl_init.c:1380
    #8  0x000000000045d042 in halt_0 (A__p=<value optimized out>) at
    beam/bif.c:3319
    #9  0x00000000004d081f in process_main () at beam/beam_emu.c:2008
    #10 0x000000000043d56c in erl_start (argc=34, argv=<value optimized
    out>) at beam/erl_init.c:1233
    #11 0x00000000004269b9 in main (argc=8049792, argv=0x0) at
    sys/unix/erl_main.c:29
    (gdb) f 1
    #1  0x0000000000437fd6 in get_free_block (allctr=0x7ad480,
    size=<value optimized out>, cand_blk=0x0, cand_size=0)
        at beam/erl_goodfit_alloc.c:421
    421        unlink_free_block(allctr, blk);
    (gdb) l 421
    416        /* We are guaranteed to find a block that fits in this
    bucket */
    417        blk = search_bucket(allctr, min_bi, size);
    418        ASSERT(blk);
    419        if (cand_blk && cand_size <= BLK_SZ(blk))
    420        return NULL; /* cand_blk was better */
    421        unlink_free_block(allctr, blk);
    422        return blk;
    423    }
    424   
    425   
    (gdb)

As the running process use the no-debug symbol version beam, I guess the
ASSERT in line:418 does not work. So I dig in

    (gdb) p allctr
    $1 = (Allctr_t *) 0x7ad480
    (gdb) p min_bi
    $2 = <value optimized out>
    (gdb) p size
    $3 = <value optimized out>
    (gdb) p *allctr
    $4 = {name_prefix = 0x534227 "sl_", alloc_no = 3, name = {alloc = 0,
    realloc = 0, free = 0},
      vsn_str = 0x53602f "2.1", t = 0, ramv = 0, sbc_threshold = 524288,
    sbc_move_threshold = 80,
      mbc_move_threshold = 50, main_carrier_size = 131072, max_mseg_sbcs
    = 256, max_mseg_mbcs = 5,
      largest_mbc_size = 10485760, smallest_mbc_size = 1048576,
    mbc_growth_stages = 10, mseg_opt = {cache = 1,
        preserv = 1, abs_shrink_th = 4145152, rel_shrink_th = 80},
    mbc_header_size = 32, sbc_header_size = 32,
      min_mbc_size = 16384, min_mbc_first_free_size = 4096,
    min_block_size = 32, mbc_list = {first = 0x7f4f93a5d010,
        last = 0x7f4f93a5d010}, sbc_list = {first = 0x0, last = 0x0},
    main_carrier = 0x7f4f93a5d010,
      get_free_block = 0x437f40 <get_free_block>, link_free_block =
    0x437d00 <link_free_block>,
      unlink_free_block = 0x437e10 <unlink_free_block>, info_options =
    0x438480 <info_options>,
      get_next_mbc_size = 0x430e40 <get_next_mbc_size>, creating_mbc =
    0x438100 <update_last_aux_mbc>,
      destroying_mbc = 0x438100 <update_last_aux_mbc>, init_atoms =
    0x4385c0 <init_atoms>, mutex = {mtx = {pt_mtx = {
            __data = {__lock = 0, __count = 0, __owner = 0, __nusers =
    0, __kind = 0, __spins = 0, __list = {
                __prev = 0x0, __next = 0x0}}, __size = '\000' <repeats
    39 times>, __align = 0}, is_rec_mtx = 0,
          prev = 0x0, next = 0x0}}, thread_safe = 0, ts_list = {prev =
    0x0, next = 0x0}, atoms_initialized = 0,
      stopped = 0, calls = {this_alloc = {giga_no = 0, no = 2460},
    this_free = {giga_no = 0, no = 2458},
        this_realloc = {giga_no = 0, no = 0}, mseg_alloc = {giga_no = 0,
    no = 0}, mseg_dealloc = {giga_no = 0, no = 0},
        mseg_realloc = {giga_no = 0, no = 0}, sys_alloc = {giga_no = 0,
    no = 1}, sys_free = {giga_no = 0, no = 0},
        sys_realloc = {giga_no = 0, no = 0}}, sbcs = {curr_mseg = {no =
    0, size = 0}, curr_sys_alloc = {no = 0,
          size = 0}, max = {no = 0, size = 0}, max_ever = {no = 0, size
    = 0}, blocks = {curr = {no = 0, size = 0},
          max = {no = 0, size = 0}, max_ever = {no = 0, size = 0}}},
    mbcs = {curr_mseg = {no = 0, size = 0},
        curr_sys_alloc = {no = 1, size = 131112}, max = {no = 1, size =
    131112}, max_ever = {no = 0, size = 0},
        blocks = {curr = {no = 4, size = 384}, max = {no = 144, size =
    13848}, max_ever = {no = 0, size = 0}}}}
    (gdb)

I've discussed this in erlang-questions mailling list with Mikael
Pettersson( thanks Mikael ):

    http://erlang.2086793.n4.nabble.com/beam-8449-segfault-at-0-ip-0000000000437e10-sp-00007fffce250948-error-4-in-beam-400000-174000-td2228295.html#a2244144

It looks like I should ask the question here. Does anyone have any idea
on this problem? TIA.

Eric
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20100613/28a7b611/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20100613/28a7b611/attachment.bin>