[erlang-bugs] bug in HiPE for <<_/utf8,...>>

Sebastian Egner <>
Mon Sep 9 16:20:38 CEST 2013


There seems to be a Heisenbug in HiPE related to matching <<_/utf8,...>>.

After a long and bloody fight, we have been able to isolate the problem to the degree
that it is sufficiently reproducible. See details below.

We strongly suspect that the problem is a genuine bug related to the binary matching
and the garbage collector. Whether the bug is hit depends on the memory contents
of previously allocated heap-allocated binaries.

Best regards,
Johannes Weissl and Sebastian Egner.


- The program 'crash.erl' loads a JSON sample file. Then it parses the file again and again,
  and after a wildly varying number of iterations (100-100000) the parser fails.
- To run the program, execute "crash_it" in a directory containing "crash.erl" and "data.jsn".
  When the bug is hit, the program stops. This takes several seconds to minutes.
- The problem manifests itself when <<"0123...">> does not match <<_/utf8,_/binary>>
  in the function crash:check_utf8_binary/1. (The program aborts with an exception exit.)
- Surprisingly, we have not been able to reduce the program even more.
  In particular, when randomize_memory/0 is not called, the problem is much less frequent.
- The bug is present in R13B02, R14B04, R16B01, "maint" (2f28245) and master (45eaf81).
- The bug is present under MacOSX (10.8.4), Debian GNU/Linux and a Linux in an ARM emulator.
  This indicates that the bug is not related to the operating system platform.
- We have run the program in Valgrind and found conditionals that depend on uninitialised
  values. Refer to "valgrind.out" for details.

MD5 (crash.erl) = 1f1507c8238e2136d9163314bcac0045
MD5 (crash_it) = 4061276b89dfc822cbfc22002f202358
MD5 (data.jsn) = c5b503cc61d76adc7dcb60832a123b99
MD5 (valgrind.out) = 2e6f67bf06b3df66c6daf728444b9b66

Attachments (non-text, scrubbed by the list archive):

- crash_it (application/octet-stream, 107 bytes): <http://erlang.org/pipermail/erlang-bugs/attachments/20130909/238d5e3d/attachment-0004.obj>
- crash.erl (application/octet-stream, 4296 bytes): <http://erlang.org/pipermail/erlang-bugs/attachments/20130909/238d5e3d/attachment-0005.obj>
- data.jsn (application/octet-stream, 13826 bytes): <http://erlang.org/pipermail/erlang-bugs/attachments/20130909/238d5e3d/attachment-0006.obj>
- valgrind.out (application/octet-stream, 1308 bytes): <http://erlang.org/pipermail/erlang-bugs/attachments/20130909/238d5e3d/attachment-0007.obj>
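The match the report describes, together with a repeat-until-failure harness of the kind the reporters used, as an added example. This is not the reporters' crash.erl (which was not reproduced in the archive): the module name utf8_check, the functions valid_utf8/1 and repeat_until_failure/2, and the use of erlang:garbage_collect/0 between iterations are assumptions; only check_utf8_binary/1 and the <<_/utf8,_/binary>> pattern come from the report. The harness returns the iteration count at which the check first fails, which is the number a bug report of this kind needs to record.

```erlang
%% Added example, not the reporters' crash.erl. The module name, valid_utf8/1,
%% repeat_until_failure/2 and the explicit garbage_collect/0 call are assumptions.
-module(utf8_check).
-export([check_utf8_binary/1, valid_utf8/1, repeat_until_failure/2]).

%% The match the report says fails under HiPE: a binary whose first code point
%% decodes as UTF-8, followed by any remaining bytes. <<"0123">> must match.
check_utf8_binary(<<_/utf8, _/binary>>) -> true;
check_utf8_binary(_) -> false.

%% Generalisation: validate a whole binary as UTF-8 with the same segment type,
%% one code point at a time. The empty binary is valid; an invalid or truncated
%% sequence makes the utf8 segment fail to match and falls through to false.
valid_utf8(<<>>) -> true;
valid_utf8(<<_/utf8, Rest/binary>>) -> valid_utf8(Rest);
valid_utf8(_) -> false.

%% Run Check/0 up to N times. Returns {ok, N} if every iteration returned true,
%% or {failed, I} with the zero-based index of the first failing iteration.
%% A garbage collection is forced between iterations (assumption, not the
%% reporters' randomize_memory/0) so that heap binaries are moved and reused
%% between checks, which is where the report locates the problem.
repeat_until_failure(Check, N) -> repeat_until_failure(Check, N, 0).

repeat_until_failure(_Check, N, N) -> {ok, N};
repeat_until_failure(Check, N, I) ->
    case Check() of
        true ->
            erlang:garbage_collect(),
            repeat_until_failure(Check, N, I + 1);
        false ->
            {failed, I}
    end.
```

Usage from the shell, after compiling once interpreted and once natively to compare: `utf8_check:repeat_until_failure(fun() -> utf8_check:check_utf8_binary(<<"0123">>) end, 100000).` should return `{ok, 100000}`; any `{failed, I}` result indicates the pattern stopped matching a binary that matched on the previous iteration, which is exactly the symptom described above.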
