Update resume with The Podcast App

[personal/website.git] / source / blog / posts / 2009 / 09 / life-in-hell.rst

Title: Life in hell
Tags: en, d, dgc, naive, gc, debug, gdb, dil, asm, statistics, benchmark, dgcbench

.. warning:: Long post ahead =)

As I said before, `debug is hell`__ in D_, at least if you're using
a compiler that doesn't write proper debug information and you're writing
a garbage collector. But you have to do it when things go wrong. And things
usually go wrong.

__ /blog/blog/post/-288428a1
.. _D: http://www.digitalmars.com/d/

This is a small chronicle about how I managed to debug a weird problem =)

I had my `Naive GC`_ working and getting `good stats`__ with some small
micro-benchmarks_, so I said *let's benchmark something real*. There is almost
no real D_ applications out there, suitable for an automated GC benchmark at
least [#benchapp]_. Dil_ looked like a good candidate so I said *let's use Dil
in the benchmark suite!*.

.. _`Naive GC`: https://git.llucax.com/w/software/dgc/naive.git
__ /blog/blog/post/37e6cb2a
.. _micro-benchmarks: https://git.llucax.com/w/software/dgc/dgcbench.git
.. _Dil: http://code.google.com/p/dil

And I did. But Dil_ didn't work as I expected. Even when running it without
arguments, in which case a nice help message like this should be displayed::

    dil v1.000
    Copyright (c) 2007-2008 by Aziz Köksal. Licensed under the GPL3.

    Subcommands:
      help (?)
      compile (c)
      ddoc (d)
      highlight (hl)
      importgraph (igraph)
      python (py)
      settings (set)
      statistics (stats)
      tokenize (tok)
      translate (trans)

    Type 'dil help <subcommand>' for more help on a particular subcommand.

    Compiled with Digital Mars D v1.041 on Sat Aug 29 18:04:34 2009.

I got this instead::

    Generate an XML or HTML document from a D source file.
    Usage:
      dil gen file.d [Options]

    Options:
      --syntax         : generate tags for the syntax tree
      --xml            : use XML format (default)
      --html           : use HTML format

    Example:
      dil gen Parser.d --html --syntax > Parser.html

Which it isn't even a valid Dil_ command (it looks like a *dead* string in some
``data/lang_??.d`` files__).

__ http://github.com/azizk/dil/blob/e284797bb48769a67f4b3d2d61f3bc0b4fcf5011/data/lang_en.d#L77

I ran Valgrind_ on it and detected a suspicious invalid read of size 4 when
reading the last byte of a 13 bytes long class instance. I thought maybe the
compiler was assuming the GC allocated block with size multiples of the word
size, so I made `gc_malloc()`_ `allocate multiples of the word size`__, but
nothing happened. Then I thought that maybe the memory blocks should be aligned
to a multiple of a word, so I made `gc_malloc()`_ `align the data portion of
the cell to a multiple of a word`__, but nothing.

.. _Valgrind: http://valgrind.org/
.. _`gc_malloc()`: https://git.llucax.com/w/software/dgc/naive.git/blob/2d8639409b4749afd92266347f20b99da80e14c9:/gc/gc.d#l502
__ https://git.llucax.com/w/software/dgc/naive.git/commitdiff/39707a88bed116fbda8c590c9b6ff9193f30f58f
__ https://git.llucax.com/w/software/dgc/naive.git/commitdiff/39707a88bed116fbda8c590c9b6ff9193f30f58f

Since Valgrind_ only detected that problem, which was at the static constructor
of the module ``tango.io.Console``, I though it might be a Tango_ bug, so
I `report`__\ ed it. But it wasn't Tango_\ 's fault. The invalid read looked
like a DMD 1.042 bug; DMD 1.041 didn't have that problem, but my collector
still failed to run Dil_\ . So I was back to zero.

.. _Tango: http://www.dsource.org/projects/tango
__ http://www.dsource.org/projects/tango/ticket/1734

I tried the `Tango stub collector`__ and it worked, so I tried mine disabling
the collections, and it worked too. So finally I could narrow the problem to
the collection phase (which isn't much, but it's something). The first thing
I could think it could be wrong in a collection is that cells still in use are
swept as if they were unused, so I then disabled the sweep phase only, and it
kept working.

__ http://www.dsource.org/projects/tango/browser/tags/releases/0.99.8/lib/gc/stub/gc.d

So, everything pointer to prematurely freed cells. But why my collector was
freeing cells prematurely being so, so simple? I reviewed the code a couple of
times and couldn't find anything evidently wrong. To confirm my theory and with
the hope of getting some extra info, I decided to `write a weird pattern`__ in
the swept cells and then check if that pattern was intact when giving them back
to the mutator (the `basic GC`__ can do that too if compiled with
``-debug=MEMSTOMP``). That would confirm that the swept memory were still in
use. And it did.

__ https://git.llucax.com/w/software/dgc/naive.git/commitdiff/bc664a95db5c7bab194f2e64cf96b6f092c5e60c
__ http://www.dsource.org/projects/tango/browser/tags/releases/0.99.8/lib/gc/basic

The I tried this modified GC with *memory stomp* with my micro-benchmarks_ and
they worked just fine, so I started to doubt again that it was my GC's problem.
But since those benchmarks didn't use much of the GC API, I thought maybe Dil_
was using some strange features of making some assumptions that were only true
for the current implementation, so I asked Aziz Köksal (Dil_ creator) and he
pointed me to some `portion of code`__ that allocated memory from the C heap,
overriding the operators ``new`` and ``delete`` for the ``Token`` struct. There
is a bug__ in Dil_ there, because apparently that struct store pointers to the
GC heap but it's not registered as a root, so it looks like a good candidate.

__ http://github.com/azizk/dil/blob/e284797bb48769a67f4b3d2d61f3bc0b4fcf5011/src/dil/lexer/Token.d#L262
__ http://code.google.com/p/dil/issues/detail?id=11

So I commented out the overridden ``new`` and ``delete`` operators, so the
regular GC-based operators were used. But I still got nothing, the wrong help
message were printed again. Then I saw that Dil_ was manually freeing memory
using ``delete``. So I decided to make my `gc_free()`_ implementation a ``NOP``
to let the GC take over of **all** memory management... And *finally* all
[#all]_ worked out fine!  =)

So, the problem should be either my `gc_free()`_ implementation (which is
really simple) or a  Dil_ bug.

.. _`gc_free()`: https://git.llucax.com/w/software/dgc/naive.git/blob/2d8639409b4749afd92266347f20b99da80e14c9:/gc/gc.d#l661

In order to get some extra information on where the problem is, I changed the
`Cell.alloc()`_ implementation to use mmap_ to `allocate whole pages`__, one
for the cell's header, and one or more for the cell *data*. This way, could
easily mprotect_ the cell *data* when the cell was swept (and un\ -mprotect_\
ing them when they were give back to the program) in order to make Dil_
segfault exactly where the freed memory was used.

.. _`Cell.alloc()`: https://git.llucax.com/w/software/dgc/naive.git/blob/346f04b3e1026ded5af3ac95a483b2c3d05a6d60:/gc/cell.d#l86
.. _mmap: http://www.kernel.org/doc/man-pages/online/pages/man2/mmap.2.html
__ https://git.llucax.com/w/software/dgc/naive.git/commitdiff/cc637a89be9b51945246bd65fa15080464a90aca
.. _mprotect: http://www.kernel.org/doc/man-pages/online/pages/man2/mprotect.2.html

I ran Dil_ using strace_ and this is what happened::

    [...]
     (a)  write(1, "Cell.alloc(80)\n", 15)        = 15
     (b)  mmap2(NULL, 8192, PROT_READ|PROT_WRITE, ...) = 0xb7a2e000
    [...]
     (c)  mprotect(0xb7911000, 4096, PROT_NONE)   = 0
          mprotect(0xb7913000, 4096, PROT_NONE)   = 0
    [...]
          mprotect(0xb7a2b000, 4096, PROT_NONE)   = 0
          mprotect(0xb7a2d000, 4096, PROT_NONE)   = 0
     (d)  mprotect(0xb7a2f000, 4096, PROT_NONE)   = 0
          mprotect(0xb7a43000, 4096, PROT_NONE)   = 0
          mprotect(0xb7a3d000, 4096, PROT_NONE)   = 0
    [...]
          mprotect(0xb7a6b000, 4096, PROT_NONE)   = 0
     (e)  mprotect(0xb7a73000, 4096, PROT_NONE)   = 0
     (f)  mprotect(0xb7a73000, 4096, PROT_READ|PROT_WRITE) = 0
          mprotect(0xb7a6b000, 4096, PROT_READ|PROT_WRITE) = 0
    [...]
          mprotect(0xb7a3f000, 4096, PROT_READ|PROT_WRITE) = 0
     (g)  mprotect(0xb7a3d000, 4096, PROT_READ|PROT_WRITE) = 0
          --- SIGSEGV (Segmentation fault) @ 0 (0) ---
          +++ killed by SIGSEGV (core dumped) +++

.. _strace: http://en.wikipedia.org/wiki/Strace

**(a)** is a debug print, showing the size of the `gc_malloc()`_ call  that got
the address ``0xb7a2e000``. The mmap_ **(b)** is ``8192`` bytes in size because
I allocate a page for the cell header (for internal GC information) and another
separated page for the data (so I can only mprotect_ the data page and keep the
header page read/write); that allocation asked for a new fresh couple of pages
to the OS (that's why you see a mmap_).

From **(c)** to **(e)** you can see a sequence of several mprotect_, that are
cells being swept by a collection (protecting the cells against read/write so
if the mutator tries to touch them, a ``SIGSEGV`` is on the way).

From **(f)** to **(g)** you can see another sequence of mprotect_, this time
giving the mutator permission to touch that pages, so that's `gc_malloc()`_
recycling the recently swept cells.

**(d)** shows the cell allocated in **(a)** being swept. Why the address is not
the same (this time is ``0xb7a2f000`` instead of ``0xb7a2e000``)? Because, as
you remember, the first page is used for the cell header, so the data should be
at ``0xb7a2e000 + 4096``, which is exactly ``0xb7a2f000``, the start of the
memory block that the sweep phase (and `gc_free()`_ for that matter) was
protecting.

Finally we see the program getting his nice ``SIGSEGV`` and dumping a nice
little core_ for touching what it shouldn't.

.. _core: http://en.wikipedia.org/wiki/Core_dump

Then I opened the core_ with GDB_ and did something like this [#demangle]_::

    Program terminated with signal 11, Segmentation fault.
    (a)  #0  0x08079a96 in getDispatchFunction ()
         (gdb) print $pc
    (b)  $1 = (void (*)()) 0x8079a96 <getDispatchFunction+30>
         (gdb) disassemble $pc
         Dump of assembler code for function
         getDispatchFunction:
         0x08079a78 <getDispatchFunction+0>:  push   %ebp
         0x08079a79 <getDispatchFunction+1>:  mov    %esp,%ebp
         0x08079a7b <getDispatchFunction+3>:  sub    $0x8,%esp
         0x08079a7e <getDispatchFunction+6>:  push   %ebx
         0x08079a7f <getDispatchFunction+7>:  push   %esi
         0x08079a80 <getDispatchFunction+8>:  mov    %eax,-0x4(%ebp)
         0x08079a83 <getDispatchFunction+11>: mov    -0x4(%ebp),%eax
         0x08079a86 <getDispatchFunction+14>: call   0x80bccb4 <objectInvariant>
         0x08079a8b <getDispatchFunction+19>: push   $0xb9
         0x08079a90 <getDispatchFunction+24>: mov    0x8(%ebp),%edx
         0x08079a93 <getDispatchFunction+27>: add    $0xa,%edx
    (c)  0x08079a96 <getDispatchFunction+30>: movzwl (%edx),%ecx
         [...]
         (gdb) print /x $edx
    (d)  $2 = 0xb7a2f000

.. _GDB: http://www.gnu.org/software/gdb/

First, in **(a)**, GDB_ tells where the program received the ``SIGSEGV``. In
**(b)** I print the program counter register to get a more readable  hint on
where the program segfaulted. It was at ``getDispatchFunction+30``, so
I disassemble that function to see that the ``SIGSEGV`` was received when doing
``movzwl (%edx),%ecx`` (moving the contents of the ``ECX`` register to the
memory pointed to by the address in the register ``EDX``) at **(c)**. In
**(d)** I get the value of the ``EDX`` register, and it's ``0xb7a2f000``. Do
you remember that value? Is the data address for the cell at ``0xb7a2e000``,
the one that was recently swept (and mprotect_\ ed). That's not good for
business.

This is the offending method (at `dil/src/ast/Visitor.d`__)::

    Node function(Visitor, Node) getDispatchFunction()(Node n)
    {
        return cast(Node function(Visitor, Node))dispatch_vtable[n.kind];
    }

__ http://github.com/azizk/dil/blob/e284797bb48769a67f4b3d2d61f3bc0b4fcf5011/src/dil/ast/Visitor.d

Since I can't get any useful information from GDB_ (I can't even get a proper
backtrace [#backtrace]_) except for the mangled function name (because the
wrong debug information produced by DMD), I had to split that function into
smaller functions to confirm that the problem was in ``n.kind`` (I guess
I could figure that out by eating some more assembly, but I'm not *that* well
trained at eating asm yet =). This means that the ``Node`` instance ``n`` is
the one prematurely freed.

This is particularly weird, because it looks like the node is being swept, not
prematurely freed using an explicit ``delete``. So it seems like the GC is
missing some roots (or there are non-aligned pointers or weird stuff like
that). The fact that this works fine with the Tango_ basic collector is
intriguing too. One thing I can come up with to explain why it works in the
basic collector is because it makes a lot less collections than the `naive GC`
(the latter is really lame =). So maybe the *rootless* object becomes really
free before the basic collector has a chance to run a collection and because of
that the problem is never detected.

I spent over 10 days now investigating this issue (of course this is not near
a full-time job for me so I can only dedicate a couple of days a week to this
=), and I still can't find a clear cause for this problem, but I'm a little
inclined towards a Dil_ bug, so I report__\ ed one =). So we'll see how this
evolves; for now I'll just make `gc_free()`_ a NOP to continue my testing...

__ http://code.google.com/p/dil/issues/detail?id=12


.. [#benchapp] Please let me know if you have any working, real, Tango-based
    D_ application suitable for GC benchmarks (i.e., using the GC and easily
    scriptable to run it automatically).

.. [#all] *all* being running Dil_ without arguments to get the right help
    message =)

.. [#demangle] I have shortened the name of the functions because they were
   huge, cryptic, mangled names =). The real name of ``getDispatchFunction`` is
   ``_D3dil3ast7Visitor7Visitor25__T19getDispatchFunctionZ19getDispatchFunctionMFC3dil3ast4Node4NodeZPFC3dil3ast7Visitor7VisitorC3dil3ast4Node4NodeZC3dil3ast4Node4Node``
   (is not much better when demangled: ``class dil.ast.Node.Node function(class
   dil.ast.Visitor.Visitor, class dil.ast.Node.Node)*
   dil.ast.Visitor.Visitor.getDispatchFunction!().getDispatchFunction(class
   dil.ast.Node.Node)`` =). The real name of ``objectInvariant`` is
   ``D9invariant12_d_invariantFC6ObjectZv`` and has no demagled name that
   I know of, but I guessed is the Object class invariant.

.. [#backtrace] Here is what I get from GDB_::

        (gdb) bt
        #0  0x08079a96 in getDispatchFunction ()
        #1  0xb78d5000 in ?? ()
        #2  0xb789d000 in ?? ()
        Backtrace stopped: previous frame inner to this frame (corrupt stack?)

    (function name unmangled and shortened for readbility)


.. vim: set et sw=4 sts=4 :