Valgrind for initial pass #7
Description
While writing the GitHub Action for the pull request #6 I came up again to the strange Segmentation fault error mentioned in the issue #2. I had assumed that the lack of debug symbols was to cause for the issue, however it doesn't appear that this is the case. The segmentation fault that I am referring to, occurs for the rcpp_use_after_deallocate function in the testSAN package.
Steps to reproduce
First of all I ran the test harness compilation procedure deepstate_harness_compile_run and it succesfully generated the compiled test harness. The first execution however leaves the rcpp_use_after_deallocate_output empty. So I decided to manually run the harness with the same seed that generated the segmentation fault(5) to understand the problem.
$ ../rcpp_use_after_deallocate_DeepState_TestHarness --fuzz --timeout=1 --seed=5 --fuzz_save_passing --output_test_dir rcpp_use_after_deallocate_output
INFO: Starting fuzzing
WARNING: No test specified, defaulting to first test defined (_)
input starts
EXTERNAL: qs v0.25.3.
array_size values: 467495432
input ends
[1] 52869 segmentation fault (core dumped) ./rcpp_use_after_deallocate_DeepState_TestHarness --fuzz --timeout=1 --seed=5It appears that the segmentation fault occurs before deepstate can generate the output file. If I run the same program above using valgrind, the output folder is instead filled with a test file.
$ valgrind ./rcpp_use_after_deallocate_DeepState_TestHarness --fuzz --timeout=1 --seed=5 --fuzz_save_passing --output_test_dir rcpp_use_after_deallocate_output
==52956== Memcheck, a memory error detector
==52956== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==52956== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==52956== Command: ./rcpp_use_after_deallocate_DeepState_TestHarness --fuzz --timeout=1 --seed=5 --fuzz_save_passing --output_test_dir rcpp_use_after_deallocate_output
==52956==
INFO: Starting fuzzing
WARNING: No test specified, defaulting to first test defined (_)
input starts
EXTERNAL: qs v0.25.3.
array_size values: 467495432
input ends
==52956== Warning: set address range perms: large range [0xd65c040, 0x29432a48) (undefined)
==52956== Warning: set address range perms: large range [0xd65c028, 0x29432a60) (noaccess)
==52956== Invalid read of size 1
==52956== at 0x4D539AA: rcpp_use_after_deallocate(int) (use_after_deallocate.cpp:8)
==52956== by 0x114FB6: DeepState_Test__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:23)
==52956== by 0x114D58: DeepState_Run__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:14)
==52956== by 0x12B124: DeepState_RunTestNoFork (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== by 0x12B668: DeepState_FuzzOneTestCase (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== by 0x12B8FF: DeepState_Fuzz (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== by 0x11074A: main (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== Address 0xd65c045 is 5 bytes inside a block of size 467,495,432 free'd
==52956== at 0x4849A7F: operator delete[](void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==52956== by 0x4D539A9: rcpp_use_after_deallocate(int) (use_after_deallocate.cpp:7)
==52956== by 0x114FB6: DeepState_Test__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:23)
==52956== by 0x114D58: DeepState_Run__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:14)
==52956== by 0x12B124: DeepState_RunTestNoFork (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== by 0x12B668: DeepState_FuzzOneTestCase (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== by 0x12B8FF: DeepState_Fuzz (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== by 0x11074A: main (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== Block was alloc'd at
==52956== at 0x48472E3: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==52956== by 0x4D5399D: rcpp_use_after_deallocate(int) (use_after_deallocate.cpp:6)
==52956== by 0x114FB6: DeepState_Test__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:23)
==52956== by 0x114D58: DeepState_Run__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:14)
==52956== by 0x12B124: DeepState_RunTestNoFork (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== by 0x12B668: DeepState_FuzzOneTestCase (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== by 0x12B8FF: DeepState_Fuzz (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956== by 0x11074A: main (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==52956==
INFO: Done fuzzing! Ran 1 tests (1 tests/second) with 0 failed/1 passed/0 abandoned tests
==52956==
==52956== HEAP SUMMARY:
==52956== in use at exit: 51,641,784 bytes in 10,583 blocks
==52956== total heap usage: 33,306 allocs, 22,723 frees, 560,059,861 bytes allocated
==52956==
==52956== LEAK SUMMARY:
==52956== definitely lost: 0 bytes in 0 blocks
==52956== indirectly lost: 0 bytes in 0 blocks
==52956== possibly lost: 0 bytes in 0 blocks
==52956== still reachable: 51,641,784 bytes in 10,583 blocks
==52956== of which reachable via heuristic:
==52956== newarray : 4,264 bytes in 1 blocks
==52956== suppressed: 0 bytes in 0 blocks
==52956== Rerun with --leak-check=full to see details of leaked memory
==52956==
==52956== For lists of detected and suppressed errors, rerun with: -s
==52956== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)The inverse problem
@tdhock, I found this old conversation in the issue akhikolla/RcppDeepState#62 about using Vaglrind in the first steps, after the harness compilation. Based on this discussion, I discovered that when the seed is set to 2, if valgrind is used to run the test, no output file is produced.
As you can see running this test standalone generates an output file.
$ ./rcpp_use_after_deallocate_DeepState_TestHarness --fuzz --timeout=1 --seed=2 --fuzz_save_passing --output_test_dir rcpp_use_after_deallocate_output
INFO: Starting fuzzing
WARNING: No test specified, defaulting to first test defined (_)
input starts
EXTERNAL: qs v0.25.3.
array_size values: -92322737
input ends
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
ERROR: Failed: _
INFO: Saved test case in file `rcpp_use_after_deallocate_output/520d9b63d5d9e5fa249b7fae87d2621c419ddf0a.fail`
input starts
array_size values: 1957496050
input ends
[1] 53624 segmentation fault (core dumped) ./rcpp_use_after_deallocate_DeepState_TestHarness --fuzz --timeout=1 --seed=2Instead, if Valgrind is used, the program is aborted ad stated in the message cannot throw exceptions and so is aborting instead. Sorry.
$ valgrind ./rcpp_use_after_deallocate_DeepState_TestHarness --fuzz --timeout=1 --seed=2 --fuzz_save_passing --output_test_dir rcpp_use_after_deallocate_output
==53705== Memcheck, a memory error detector
==53705== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==53705== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==53705== Command: ./rcpp_use_after_deallocate_DeepState_TestHarness --fuzz --timeout=1 --seed=2 --fuzz_save_passing --output_test_dir rcpp_use_after_deallocate_output
==53705==
INFO: Starting fuzzing
WARNING: No test specified, defaulting to first test defined (_)
input starts
EXTERNAL: qs v0.25.3.
array_size values: -92322737
input ends
==53705== Argument 'size' of function __builtin_vec_new has a fishy (possibly negative) value: -92322737
==53705== at 0x48472E3: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==53705== by 0x4D5399D: rcpp_use_after_deallocate(int) (use_after_deallocate.cpp:6)
==53705== by 0x114FB6: DeepState_Test__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:23)
==53705== by 0x114D58: DeepState_Run__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:14)
==53705== by 0x12B124: DeepState_RunTestNoFork (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==53705== by 0x12B668: DeepState_FuzzOneTestCase (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==53705== by 0x12B8FF: DeepState_Fuzz (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==53705== by 0x11074A: main (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==53705==
**53705** new/new[] failed and should throw an exception, but Valgrind
**53705** cannot throw exceptions and so is aborting instead. Sorry.
==53705== at 0x484551C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==53705== by 0x4847355: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==53705== by 0x4D5399D: rcpp_use_after_deallocate(int) (use_after_deallocate.cpp:6)
==53705== by 0x114FB6: DeepState_Test__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:23)
==53705== by 0x114D58: DeepState_Run__() (rcpp_use_after_deallocate_DeepState_TestHarness.cpp:14)
==53705== by 0x12B124: DeepState_RunTestNoFork (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==53705== by 0x12B668: DeepState_FuzzOneTestCase (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==53705== by 0x12B8FF: DeepState_Fuzz (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==53705== by 0x11074A: main (in /home/fabri/test/testHarness/RcppDeepState/inst/testpkgs/testSAN/inst/testfiles/rcpp_use_after_deallocate/rcpp_use_after_deallocate_DeepState_TestHarness)
==53705==
==53705== HEAP SUMMARY:
==53705== in use at exit: 51,656,156 bytes in 10,684 blocks
==53705== total heap usage: 33,302 allocs, 22,618 frees, 92,559,782 bytes allocated
==53705==
==53705== LEAK SUMMARY:
==53705== definitely lost: 0 bytes in 0 blocks
==53705== indirectly lost: 0 bytes in 0 blocks
==53705== possibly lost: 0 bytes in 0 blocks
==53705== still reachable: 51,656,156 bytes in 10,684 blocks
==53705== of which reachable via heuristic:
==53705== newarray : 4,264 bytes in 1 blocks
==53705== suppressed: 0 bytes in 0 blocks
==53705== Rerun with --leak-check=full to see details of leaked memory
==53705==
==53705== For lists of detected and suppressed errors, rerun with: -s
==53705== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)