crash on macOS 10.15 (Catalina) beta 8 19A558d

[niedhui]

cargo run --release will crash when using jemallocator.
I tried on two machines running macOS 10.15 beta, both will produce the same result.

#[global_allocator]
static ALLOC: jemallocator::Jemalloc = jemallocator::Jemalloc;

fn main() {
    println!("Hello, world!");
}

got output:

fish: 'cargo run --release' terminated by signal SIGSEGV (Address boundary error)

backtrace is:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001000328fd hello-jemalloctor`_rjem_je_tcache_bin_flush_small [inlined] atomic_load_p(a=0x0000000000000000, mo=atomic_memory_order_relaxed) at atomic.h:55:1 [
opt]
    frame #1: 0x00000001000328fd hello-jemalloctor`_rjem_je_tcache_bin_flush_small [inlined] rtree_leaf_elm_bits_read(tsdn=<unavailable>, rtree=<unavailable>, elm=0x00000000000000
00, dependent=true) at rtree.h:175 [opt]
    frame #2: 0x00000001000328fd hello-jemalloctor`_rjem_je_tcache_bin_flush_small [inlined] rtree_leaf_elm_extent_read(tsdn=<unavailable>, rtree=<unavailable>, elm=0x000000000000
0000, dependent=true) at rtree.h:214 [opt]
    frame #3: 0x00000001000328fd hello-jemalloctor`_rjem_je_tcache_bin_flush_small [inlined] rtree_extent_read(tsdn=0x0000000100064420, rtree=<unavailable>, rtree_ctx=<unavailable
>, key=<unavailable>, dependent=true) at rtree.h:423 [opt]
    frame #4: 0x00000001000328c9 hello-jemalloctor`_rjem_je_tcache_bin_flush_small [inlined] iealloc(tsdn=0x0000000100064420) at jemalloc_internal_inlines_b.h:82 [opt]
    frame #5: 0x00000001000328c9 hello-jemalloctor`_rjem_je_tcache_bin_flush_small(tsd=0x0000000100064420, tcache=<unavailable>, tbin=0x00000001000645f0, binind=0, rem=0) at tcach
e.c:117 [opt]
    frame #6: 0x0000000100034782 hello-jemalloctor`tcache_flush_cache(tsd=0x0000000100064420, tcache=0x00000001000645e0) at tcache.c:463:3 [opt]
    frame #7: 0x0000000100034ba1 hello-jemalloctor`tcache_destroy(tsd=0x0000000100064420, tcache=0x00000001000645e0, tsd_tcache=<unavailable>) at tcache.c:493:2 [opt]
    frame #8: 0x0000000100035df1 hello-jemalloctor`_rjem_je_tsd_cleanup [inlined] tsd_do_data_cleanup(tsd=0x0000000100064420) at tsd.c:209:2 [opt]
    frame #9: 0x0000000100035dcc hello-jemalloctor`_rjem_je_tsd_cleanup(arg=0x0000000100064420) at tsd.c:234 [opt]
    frame #10: 0x0000000100036146 hello-jemalloctor`_rjem_je_malloc_tsd_boot1 [inlined] tsd_boot1 at tsd_generic.h:108:2 [opt]
    frame #11: 0x0000000100036114 hello-jemalloctor`_rjem_je_malloc_tsd_boot1 at tsd.c:273 [opt]
    frame #12: 0x0000000100008216 hello-jemalloctor`jemalloc_constructor [inlined] malloc_init_hard at jemalloc.c:1552:2 [opt]
    frame #13: 0x0000000100007fa1 hello-jemalloctor`jemalloc_constructor [inlined] malloc_init at jemalloc.c:217 [opt]
    frame #14: 0x0000000100007fa1 hello-jemalloctor`jemalloc_constructor at jemalloc.c:3184 [opt]
    frame #15: 0x00000001002c6615 dyld`ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 539
    frame #16: 0x00000001002c6a3a dyld`ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 40
    frame #17: 0x00000001002c1913 dyld`ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageL
oader::UninitedUpwards&) + 493
    frame #18: 0x00000001002c067c dyld`ImageLoader::processInitializers(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUp
wards&) + 188
    frame #19: 0x00000001002c071c dyld`ImageLoader::runInitializers(ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 82
    frame #20: 0x00000001002af4b2 dyld`dyld::initializeMainExecutable() + 199
    frame #21: 0x00000001002b4aab dyld`dyld::_main(macho_header const*, unsigned long, int, char const**, char const**, char const**, unsigned long*) + 6760
    frame #22: 0x00000001002ae227 dyld`dyldbootstrap::start(dyld3::MachOLoaded const*, int, char const**, dyld3::MachOLoaded const*, unsigned long*) + 453
    frame #23: 0x00000001002ae025 dyld`_dyld_start + 37

maybe it's a bug of macOS, I found a similar issue https://bugzilla.mozilla.org/show_bug.cgi?id=1570451#c41

[gnzlbg]

Could you report this as well to jemalloc upstream and link that bug report here? Thanks.

[velvia]

I'm getting the same thing on OSX 10.14.6 as well.

[saagarjha]

Since none of the relevant code is around in a recent version of jemalloc, perhaps someone who can reproduce the issue should try bumping the version shipped with jemallocator?

[virtualritz]

I am seeing a segfault on Catalina 10.15.4 when I swap the default allocator out for jemallocator in one of my projects. It only happens though when that project calls into a *-sys crate that binds to a third party DSO.

[saagarjha]

Hmm, that is strange…would you mind sharing a crash log? I was seeing this in jemalloc's constructor, and I can't reproduce it in your project :(

[virtualritz]

I never get a crash log.

Steps to repo (just tried):

# Assuming you are on macOS,
# cloned https://github.com/virtualritz/rust-diffusion-limited-aggregation.git
# and downloaded & installed 3Delight (I'm using 2.0.7 since today).

git checkout b3942167a0aa1817e4d44bb1203c606083a3480c
cargo build
target/debug/rdla -p 100 dump test.nsi
  [00:00:00] [████████████████████████████████████████] 100/100 (0s)
[1]    93067 segmentation fault  target/debug/rdla -p 100 dump test.nsi

[virtualritz]

Actually, I did get one; in Console:

Date/Time:             2020-05-05 04:38:46.819 +0200
OS Version:            Mac OS X 10.15.4 (19E287)
Report Version:        12
Anonymous UUID:        431E6A8B-D8DD-BC8A-E603-DC897D7AAD76

Sleep/Wake UUID:       08FA2E75-CEFB-4C83-883B-1FE9CBD40211

Time Awake Since Boot: 680000 seconds
Time Since Wake:       19000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000797475616562
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [93067]

VM Regions Near 0x797475616562:
    Stack                  000070000c054000-000070000c0d6000 [  520K] rw-/rwx SM=COW  thread 2
--> 
    MALLOC_TINY            00007fd35cc00000-00007fd35cd00000 [ 1024K] rw-/rwx SM=PRV  

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   lib3delight.dylib             	0x00000001072f51c7 0x1070b5000 + 2359751
1   lib3delight.dylib             	0x000000010717bac7 0x1070b5000 + 813767
2   lib3delight.dylib             	0x000000010717c3d2 0x1070b5000 + 816082
3   lib3delight.dylib             	0x000000010718b9d5 NSISetAttribute + 229
4   rdla                          	0x0000000105f30e7b nsi::Context::set_attribute::hece01fa6af020aae + 1291
5   rdla                          	0x0000000105ec75e8 rdla::dla::Model::output_scene_nsi::hf4e4db23fecfc048 + 6456 (dla.rs:680)
6   rdla                          	0x0000000105ec3f98 rdla::dla::Model::write_nsi::he138a2523116eab5 + 504 (dla.rs:214)
7   rdla                          	0x0000000105f6e29a rdla::run::h68fc195a66728b31 + 2746 (main.rs:189)
8   rdla                          	0x0000000105f6d377 rdla::main::h07d0073c095b8ae9 + 23 (main.rs:106)
9   rdla                          	0x0000000105e7342e std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h290cdda0e5709f42 + 14 (rt.rs:67)
10  rdla                          	0x000000010648ca59 std::rt::lang_start_internal::h2d2d7c5f224149f7 + 441 (rt.rs:51)
11  rdla                          	0x0000000105e73411 std::rt::lang_start::hfedcbb7371f0dcc8 + 65 (rt.rs:67)
12  rdla                          	0x0000000105f70432 main + 34
13  libdyld.dylib                 	0x00007fff6aac0cc9 start + 1