Return-Path: X-Original-To: notmuch@notmuchmail.org Delivered-To: notmuch@notmuchmail.org Received: from localhost (localhost [127.0.0.1]) by olra.theworths.org (Postfix) with ESMTP id 169EA429E25 for ; Sun, 28 Aug 2011 14:27:57 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at olra.theworths.org X-Spam-Flag: NO X-Spam-Score: -0.799 X-Spam-Level: X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled Received: from olra.theworths.org ([127.0.0.1]) by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mBcdffUtvCiR for ; Sun, 28 Aug 2011 14:27:56 -0700 (PDT) Received: from mail-qy0-f174.google.com (mail-qy0-f174.google.com [209.85.216.174]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by olra.theworths.org (Postfix) with ESMTPS id 66546431FB6 for ; Sun, 28 Aug 2011 14:27:56 -0700 (PDT) Received: by qyk15 with SMTP id 15so524440qyk.5 for ; Sun, 28 Aug 2011 14:27:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=from:to:cc:subject:in-reply-to:references:user-agent:date :message-id:mime-version:content-type; bh=sOjh0HDAk6mwLBOH/i3AU5PBlVyB1xjPpDiXlchbDQs=; b=XoPOyY4+D3hu/NRIPa2NLyC41zGulmrCQO2rUYx5hmsSWhVH8tHs8zh2nRhkNOJPlU lrPg5HW0x9nrOtU4qaIe1ezTth6lrBGxmk8TbLCKmywrmnsO4xF7Ezl/3tXWcYPFFvft BaRAifb8V/WHUVpGWW8qU3U2zOyFttEvzSPDI= Received: by 10.229.67.220 with SMTP id s28mr4830435qci.270.1314566873903; Sun, 28 Aug 2011 14:27:53 -0700 (PDT) Received: from localhost (pool-96-240-192-157.spfdma.east.verizon.net [96.240.192.157]) by mx.google.com with ESMTPS id m11sm2999795qcw.43.2011.08.28.14.27.52 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 28 Aug 2011 14:27:52 -0700 (PDT) From: Ben Gamari To: Bart Massey , haskell-cafe@haskell.org, glasgow-haskell-users@haskell.org Subject: Bug in GC's ordering of ForeignPtr finalization? In-Reply-To: <8739h1pbaq.fsf@gmail.com> References: <8739h1pbaq.fsf@gmail.com> User-Agent: Notmuch/0.6.1-76-g1635f57 (http://notmuchmail.org) Emacs/23.2.1 (x86_64-pc-linux-gnu) Date: Sun, 28 Aug 2011 17:27:49 -0400 Message-ID: <87pqjprzu2.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: notmuch@notmuchmail.org X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Aug 2011 21:27:57 -0000 On Tue, 16 Aug 2011 12:32:13 -0400, Ben Gamari wrote: > It seems that the notmuch-haskell bindings (version 0.2.2 built against > notmuch from git master; passes notmuch-test) aren't dealing with memory > management properly. In particular, the attached test code[1] causes > talloc to abort. Unfortunately, while the issue is consistently > reproducible, it only occurs with some queries (see source[1]). I have > been unable to establish the exact criterion for failure. > > It seems that the crash is caused by an invalid access to a freed Query > object while freeing a Messages object (see Valgrind trace[3]). I've > taken a brief look at the bindings themselves but, being only minimally > familiar with the FFI, there's nothing obviously wrong (the finalizers > passed to newForeignPtr look sane). I was under the impression that > talloc was reference counted, so the Query object shouldn't have been > freed unless if there was still a Messages object holding a > reference. Any idea what might have gone wrong here? Thanks! > After looking into this issue in a bit more depth, I'm even more confused. In fact, I would not be surprised if I have stumbled into a bug in the GC. It seems that the notmuch-haskell bindings follow the example of the python bindings in that child objects keep references to their parents to prevent the garbage collector from releasing the parent, which would in turn cause talloc to free the child objects, resulting in odd behavior when the child objects were next accessed. For instance, the Query and Messages objects are defined as follows, type MessagesPtr = ForeignPtr S__notmuch_messages type MessagePtr = ForeignPtr S__notmuch_message newtype Query = Query (ForeignPtr S__notmuch_query) data MessagesRef = QueryMessages { qmpp :: Query, msp :: MessagesPtr } | ThreadMessages { tmpp :: Thread, msp :: MessagesPtr } | MessageMessages { mmspp :: Message, msp :: MessagesPtr } data Message = MessagesMessage { msmpp :: MessagesRef, mp :: MessagePtr } | Message { mp :: MessagePtr } type Messages = [Message] As seen in the Valgrind dump given in my previous message, it seems that the Query object is being freed before the Messages object. Since the Messages object is a child of the Query object, this fails. In my case, I'm calling queryMessages which begins by issuing a given notmuch Query, resulting in a MessagesPtr. This is then packaged into a QueryMessages object which is then passed off to unpackMessages. unpackMessages iterates over this collection, creating MessagesMessage objects which themselves refer to the QueryMessages object. Finally, these MessagesMessage objects are packed into a list, resulting in a Messages object. Thus we have the following chain of references, MessagesMessage | | msmpp \/ QueryMessages | | qmpp \/ Query As we can see, each MessagesMessage object in the Messages list resulting from queryMessages holds a reference to the Query object from which it originated. For this reason, I fail to see how it is possible that the RTS would attempt to free the Query before freeing the MessagesPtr. Did I miss something in my analysis? Are there tools for debugging issues such as this? Perhaps this is a bug in the GC? Any help at all would be greatly appreciated. Cheers, - Ben