use libmimalloc.so, segmentfault error always occurred when I free heap-data #565

Closed
DavidWzh opened this issue Mar 25, 2022 · 33 comments

@DavidWzh

I use libmimalloc.so.1.7 in a complex project with a thread pool (over 20 threads); the device is aarch64-linux-gnu and gcc is 6.2.1.
I tried to use gdb to debug; the bt is:

Thread 22 "Other" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xffff51969170 (LWP 1603)]
mi_free_generic (segment=0xffff34000000, local=false, p=0xffff34000940) at mimalloc-master/src/alloc.c:440
(gdb) bt
#0 mi_free_generic (segment=0xffff34000000, local=false, p=0xffff34000940) at mimalloc-master/src/alloc.c:440

I tried to print the args and local vals:

(gdb) p p
$1 = (void *) 0xffff34000940
(gdb) p *p
Attempt to dereference a generic pointer.
(gdb) p segment
$2 = {memid = 281471554158624, mem_is_pinned = false, mem_is_committed = false, abandoned_next = 0x21000,
next = 0x21000, prev = 0x300000000, abandoned = 0, abandoned_visits = 0, used = 0, capacity = 0, segment_size = 0,
segment_info_size = 0, cookie = 0, page_shift = 0, thread_id = 0, page_kind = MI_PAGE_SMALL, pages = {{
segment_idx = 224 '\340', segment_in_use = 1 '\001', is_reset = 1 '\001', is_committed = 1 '\001',
is_zero_init = 1 '\001', capacity = 13312, reserved = 65535, flags = {full_aligned = 0 '\000', x = {
in_full = 0 '\000', has_aligned = 0 '\000'}}, is_zero = 0 '\000', retire_expire = 0 '\000', free = 0x0,
used = 872415352, xblock_size = 65535, local_free = 0xffff34000078, xthread_free = 281471554158728,
xheap = 281471554158728, next = 0xffff34000098, prev = 0xffff34000098}}}
(gdb) p (mi_block_t *)p
$3 = (mi_block_t *) 0xffff34000940

I don't know why it always triggers a segmentation fault. Who can give me some useful info?

@DavidWzh
Author

I found the src code in alloc. The func is mi_decl_noinline_mi_free_generic().

@devnexen
Contributor

devnexen commented Mar 25, 2022

In your project, do you use mimalloc as a malloc replacement (linked or preloaded) or do you use the mimalloc API?

@DavidWzh
Author

I use LD_PRELOAD=libmimalloc.so to replace malloc.

@DavidWzh
Author

If I don't use mimalloc, the segmentation fault will not happen.

@DavidWzh
Author

so my code is correct

@DavidWzh
Author

I also find that if the data is freed in the same thread, the program will not crash.

@devnexen
Contributor

Did you try with another allocator, e.g. jemalloc?

@DavidWzh
Author

No, I used malloc from libc before.

@DavidWzh
Author

Could you give me some advice to solve this problem?

@DavidWzh
Author

Currently, I think I have not understood mimalloc enough.

@devnexen
Contributor

I meant using jemalloc in same way as mimalloc i.e.

LD_PRELOAD=libjemalloc.so

to see if your application crashes with it too.

@DavidWzh
Author

If my project also crashes with jemalloc, what would that prove?

@mjp41
Member

mjp41 commented Mar 27, 2022

I would recommend you try running address sanitizer on your project. This will help eliminate if your program has an underlying memory corruption. Memory corruption can result in very different behaviour on different allocators. (That is why @devnexen is suggesting trying a different allocator.)

Is your crash after a short time, or a long time? Thread start up can be a source of problems if the particular platform you are using is less tested. Have all the threads done some amount of allocation? Have they all done some deallocation?

Can you share your application, or a small repro of the corruption?

@DavidWzh
Author

Thank you for your advice, I will try to use asan to save the error log.

@DavidWzh
Author

I tried to use the following command to preload asan and mimalloc. It seems that mimalloc is overridden by asan, so mimalloc is not working in the app.
env MIMALLOC_VERBOSE=1 MIMALLOC_SHOW_STATS=1 LD_PRELOAD="libasan.so libmimalloc.so" ./test
I cannot see any of the logs that I added in the mimalloc src code.
So, what should I do to use asan to debug mimalloc?

@devnexen
Contributor

Did you try asan alone?

@DavidWzh
Author

Yeah, using asan alone is OK, but when asan and mimalloc are preloaded together, mimalloc will not work.

@devnexen
Contributor

Can you share your application, or a small repro of the corruption?

@DavidWzh
Author

Sorry, I'm afraid not. Maybe I should study the source code of mimalloc.

@daanx
Collaborator

daanx commented Mar 29, 2022

Hmm, that is not good -- but it seems like a double free (although in that case asan should find it but perhaps you did not recompile correctly for asan? you should not preload libasan.so).

  1. If you use clang, can you ensure you build with asan like this:

clang++ -O1 -g -fsanitize=address -fno-omit-frame-pointer -c mycode.cpp
clang++ -g -fsanitize=address mycode.cpp

and then run the program as is without preloading anything.

  2. As an alternative, if you run with the debug version of mimalloc, then it may find an error as well. From the mimalloc directory, build it as:

mkdir -p out/debug
cd out/debug
cmake ../.. -DCMAKE_BUILD_TYPE=Debug -DMI_DEBUG_FULL=ON
cmake --build .

which creates libmimalloc-debug.so that you can then preload instead of libmimalloc.so.
Run as:

MIMALLOC_VERBOSE=1 LD_PRELOAD=libmimalloc-debug.so <mycode>

Hope we can find what is causing this. Thanks.

@DavidWzh
Author

Thanks. If I use gcc asan, what should I do to use asan and mimalloc together correctly?

@DavidWzh
Author

I get the following error log by using the debug version:

mimalloc: warning: mi_free: pointer might not point to a valid heap region: 0xffff34000940
(this may still be a valid very large allocation (over 64MiB))
mimalloc: error: mi_free: pointer does not point to a valid heap space: 0xffff34000940
mimalloc: assertion failed: at "mimalloc-master/include/mimalloc-internal.h":427, _mi_segment_page_idx_of
assertion: "idx < segment->capacity"

Thread 23 "Other" received signal SIGABRT, Aborted.
[Switching to Thread 0xffff516cb170 (LWP 27527)]
0x0000ffffb70a5168 in raise () from /lib/libc.so.6
(gdb) bt
#0 0x0000ffffb70a5168 in raise () from /lib/libc.so.6
#1 0x0000ffffb70a655c in abort () from /lib/libc.so.6
#2 0x0000ffffb7f99d1c in _mi_assert_fail (assertion=0xffffb7f9f8e8 "idx < segment->capacity",
fname=0xffffb7f9f768 "mimalloc-master/include/mimalloc-internal.h", line=427,
func=0xffffb7fa0018 <func.4459> "_mi_segment_page_idx_of") at mimalloc-master/src/options.c:360
#3 0x0000ffffb7f91dc4 in _mi_segment_page_idx_of (segment=0xffff34000000, p=0xffff34000940)
at mimalloc-master/include/mimalloc-internal.h:427
#4 0x0000ffffb7f91e2c in _mi_segment_page_of (segment=0xffff34000000, p=0xffff34000940)
at mimalloc-master/include/mimalloc-internal.h:434
#5 0x0000ffffb7f93ff0 in mi_free (p=0xffff34000940) at mimalloc-master/src/alloc.c:493
......

@daanx
Collaborator

daanx commented Mar 30, 2022

mimalloc: error: mi_free: pointer does not point to a valid heap space: 0xffff34000940

Usually this means that an invalid pointer is freed (usually coming from another allocator than mimalloc), but since you are overriding, this is probably a double free: freeing a pointer that was already freed before in your application. (of course, it might be a bug in mimalloc as well).

One way to track this down is to run in gdb and get a stack trace at this point and see if you can figure out if the free was valid or not.

But the easiest way is probably running with the address sanitizer. Note again -- mimalloc should not be used when using the address sanitizer. We are just building with the address sanitizer to see if the bug is in your code (e.g. a double free or buffer overrun) or in mimalloc as such. The address sanitizer uses its own allocator that is built specifically to find bugs. With gcc you can build as:

gcc -c main.c -fsanitize=address -g
gcc main.o -o main -fsanitize=address -static-libasan
./main

see https://www.osc.edu/resources/getting_started/howto/howto_use_address_sanitizer for example.
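
The comment above names two candidate causes for the mi_free error: a pointer that did not come from the allocator, or a double free. As an added example (not code from this thread or from mimalloc), a small tracking wrapper can report which of the two occurs at the calling site; every trk_* name is hypothetical, and it assumes the application routes its allocations through the wrapper.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example; every trk_* name is hypothetical, not a mimalloc API. */
enum { TRK_SLOTS = 4096 };  /* assumption: fewer distinct addresses than slots */
enum trk_result { TRK_OK = 0, TRK_DOUBLE_FREE = -1, TRK_UNKNOWN_PTR = -2 };
struct trk_slot { void *ptr; int live; };
static struct trk_slot trk_table[TRK_SLOTS];
static atomic_flag trk_lock = ATOMIC_FLAG_INIT;  /* spinlock shared by all threads */

/* Linear probe: slot already holding p, else first empty slot, else NULL. */
static struct trk_slot *trk_find(void *p) {
    size_t start = (size_t)(((uintptr_t)p >> 4) % TRK_SLOTS);
    for (size_t i = 0; i < TRK_SLOTS; i++) {
        struct trk_slot *s = &trk_table[(start + i) % TRK_SLOTS];
        if (s->ptr == p || s->ptr == NULL) return s;
    }
    return NULL;
}

void *trk_malloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    while (atomic_flag_test_and_set(&trk_lock)) { /* spin */ }
    struct trk_slot *s = trk_find(p);
    if (s != NULL) { s->ptr = p; s->live = 1; }  /* a reused address goes live again */
    atomic_flag_clear(&trk_lock);
    return p;
}

/* Releases p only when it is tracked and live; otherwise reports why not. */
int trk_free(void *p) {
    if (p == NULL) return TRK_OK;
    while (atomic_flag_test_and_set(&trk_lock)) { /* spin */ }
    struct trk_slot *s = trk_find(p);
    int rc = (s == NULL || s->ptr != p) ? TRK_UNKNOWN_PTR
           : (s->live ? TRK_OK : TRK_DOUBLE_FREE);
    if (rc == TRK_OK) s->live = 0;  /* keep the entry so a repeat free is recognised */
    atomic_flag_clear(&trk_lock);
    if (rc == TRK_OK) free(p);
    return rc;
}

int main(void) {
    void *p = trk_malloc(64);
    int first = trk_free(p), second = trk_free(p);  /* second call is the bug */
    return (first == TRK_OK && second == TRK_DOUBLE_FREE) ? 0 : 1;
}
```

Logging the return value of trk_free together with a thread id at each release site points at the first offending call, whichever thread makes it.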

@DavidWzh
Author

Thanks, I will try your advice.

@DavidWzh
Author

In my project, I malloc a lot of memory in different threads, but why does it always crash at the same point, while it is just a normal malloc?

@DavidWzh
Author

Maybe I should take another way to use mimalloc, using the mimalloc header and allocator instead of overriding?

@daanx
Collaborator

daanx commented Apr 8, 2022

I am going to close this issue for now; if running with the address sanitizer works correctly we can reopen this.
