Bugs item #1760168, was opened at 2007-07-25 11:39
Message generated for change (Comment added) made by stmane
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=482468&aid=1760168&group_id=56967
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: PF general
Group: Pathfinder CVS Head
Status: Closed
Resolution: None
Priority: 5
Private: No
Submitted By: Jan Rittinger (tsheyar)
Assigned to: Nobody/Anonymous (nobody)
Summary: PF: Mserver crashes in gdk_atoms.mx
Initial Comment:
If I run the following XQuery query:
declare function int-check($ylist as xs:integer*) { $ylist };
int-check(distinct-values(1 to 3))
MonetDB exits with a segfault:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1342772320 (LWP 11960)]
lngFromStr (src=0xe454dabb <Address 0xe454dabb out of bounds>, len=0xaff683fc,
dst=0xaff68400) at /local_tmp/work/MonetDB/src/gdk/gdk_atoms.mx:1528
1528 while (GDKisspace(*p))
(gdb) bt
#0 lngFromStr (src=0xe454dabb <Address 0xe454dabb out of bounds>,
len=0xaff683fc, dst=0xaff68400) at
/local_tmp/work/MonetDB/src/gdk/gdk_atoms.mx:1528
#1 0xb7e182e7 in interpret_batcast (atom=0xb7c44060 "lng", argc=2,
val=0xaff68684, res=0xaff6d3ac) at
/local_tmp/work/MonetDB4/src/monet/monet_interpreter.mx:1684
#2 0xb7e1cf3d in interpret (stk=560, lt=0x818ade0, res=0xaff6d3ac) at
/local_tmp/work/MonetDB4/src/monet/monet_interpreter.mx:1188
If I run the same query with debug=10 I get the following error message:
MAPI = [EMAIL PROTECTED]:50000
QUERY = declare function int-check($ylist as xs:integer*) { $ylist };
int-check(distinct-values(1 to 3))
ERROR = !ERROR: err:FORG0001: could not cast value from string to integer.
The reason is either the typing of fn:distinct-values or the implementation of
distinct-values. The former provides values of type untypedAtomic* whereas the
MIL implementation produces the more specific int*. The result is that the MIL
implementation tries to lookup values in the wrong container.
To come back to the real bug report: Mserver shouldn't segfault!
----------------------------------------------------------------------
>Comment By: Stefan Manegold (stmane)
Date: 2007-08-02 23:10
Message:
Logged In: YES
user_id=572415
Originator: NO
Was it intended that this bug has been closed with neither a "Resolution",
nor a fix, nor a test in CVS ?
----------------------------------------------------------------------
Comment By: Peter Boncz (boncz)
Date: 2007-08-02 21:31
Message:
Logged In: YES
user_id=591107
Originator: NO
Hm, to obtain full speed on leftfetchjoin, it is AFAIK the only BAT
operator where we do *not* check properly whether the outer OID is in range
of the void inner bat.
Its implementation comes doen to:
for(i=0;i<n; i++) res[i] = inner[outer[i]]
Lack of checking is further exploited logically in leftfetchjoin by making
leftfetchjoin an indentity operation (zero cost, returns self) on the
inner BAT, iff the outer BAT is a bat[void,void] with equal head and tail
seqbase.
That is why it was not strrictly necessary to add that [EMAIL PROTECTED] tuple
to the
NID_RID column in ws_create... This BAT is never really filled during
element construction, but is used in leftfetchjoins.. where the NID-RID
(and -PRE) are identity operations, zero cost.
so leftfetchjoin should be used with a lot of care.. closing now
----------------------------------------------------------------------
Comment By: Sjoerd Mullender (sjoerd)
Date: 2007-08-02 10:59
Message:
Logged In: YES
user_id=43607
Originator: NO
If you look at the output of
echo 'declare function int-check($ylist as xs:integer*) { $ylist };
int-check(distinct-values(1 to 3))' | pf
you'll see a line
var cast_val := item.leftfetchjoin(str_values).[lng]();
It is in this [lng] cast that the crash occurs. Printing the values
involved just before this line reveals some interesting info:
str_values.print();
#-----------------#
# t h # name
# void str # type
#-----------------#
[ [EMAIL PROTECTED], "" ]
item.print();
#-----------------#
# h t # name
# void oid # type
#-----------------#
[ [EMAIL PROTECTED], [EMAIL PROTECTED] ]
[ [EMAIL PROTECTED], [EMAIL PROTECTED] ]
[ [EMAIL PROTECTED], [EMAIL PROTECTED] ]
item.leftfetchjoin(str_values).print();
#-----------------#
# h t # name
# void str # type
#-----------------#
[ [EMAIL PROTECTED], "" ]
[ [EMAIL PROTECTED], "" ]
[ [EMAIL PROTECTED], "" ]
The conclusion is inescapable: the leftfetchjoin is not allowed here. The
item BAT contains values in the tail which do not have a corresponding
value in the str_values BAT.
By the way, I seem to get the crash consistently the *second* time I run
the query. But in any case, the error happens before this bat cast.
----------------------------------------------------------------------
Comment By: Jan Rittinger (tsheyar)
Date: 2007-07-27 13:51
Message:
Logged In: YES
user_id=993208
Originator: YES
Added annotated MIL script (as the way to trigger the bug does not work
anymore).
File Added: bug-1760168.mil
----------------------------------------------------------------------
Comment By: Stefan Manegold (stmane)
Date: 2007-07-25 17:44
Message:
Logged In: YES
user_id=572415
Originator: NO
Provided some more info about this bug.
Please correct me if I'm wrong!
----------------------------------------------------------------------
Comment By: Stefan Manegold (stmane)
Date: 2007-07-25 12:58
Message:
Logged In: YES
user_id=572415
Originator: NO
A simple initial check shows that with property checking enabled, we get a
"proper" (also expected/correct??) runtime error, but no segfault:
========
$ echo '
declare function int-check($ylist as xs:integer*) { $ylist };
int-check(distinct-values(1 to 3))
' | pf | Mserver -d10 --dbinit='module(pathfinder);' --set
monet_prompt=''
--------
# MonetDB Server v4.19.0
# based on GDK v1.19.0
# Copyright (c) 1993-2007, CWI. All rights reserved.
# Compiled for x86_64-redhat-linux-gnu/64bit with 64bit OIDs; dynamically
linked.
# Visit http://monetdb.cwi.nl/ for further information.
# MonetDB/XQuery module v0.19.0 loaded
# XRPC administrative console at http://localhost:50001/admin
!ERROR: err:FORG0001: could not cast value from string to integer.
========
Without property checking, the segfautl occurs in
========
0x00002aaaac5095da in lngFromStr (src=0xdbdbdbdbdcd55e43 <Address
0xdbdbdbdbdcd55e43 out of bounds>, len=0x7fff48eadcfc, dst=0x7fff48eadd00)
at
/ufs/manegold/_/scratch0/Monet/Testing/Current/source/MonetDB/src/gdk/gdk_atoms.mx:1528
1528 while (GDKisspace(*p))
========
because
========
#1 0x00002aaaabbfea47 in interpret_batcast (atom=0x2aaaac93cd20 "lng",
argc=2, val=0x7fff48eae240, res=0x7fff48eb5350) at
/ufs/manegold/_/scratch0/Monet/Testing/Current/source/MonetDB4/src/monet/monet_interpreter.mx:1684
1684 (*fromstr)
(BUNtvar(b, p), &len, &v);
========
is apparently called with a corrupted BAT:
========
(gdb) print *b
$4 = {GDKversion = 25105, batCacheid = 267, dims = {headtype = 0 '\0',
tailtype = 13 '\r', headloc = 0, tailloc = 0, headkey = 1 '\001', tailkey =
0 '\0', headvarsized = 1 '\001', tailvarsized = 1 '\001', bunshift = 3
'\003', bunwidth = 8, hseq = 0, tseq = 0}, batBuns = 0x112a7e0, hhash =
0x0, thash = 0x0,
H = 0x112a720, T = 0x112a770, P = 0x112a7c0, U = 0x112a7e0, void_tid =
1, void_cnt = 1, void_seq1 = 0, void_seq2 = 9223372036854775808}
(gdb) print *b.U
$5 = {buns = {maxsize = 2048, free = 24, size = 2048, base = 0x12820c8 "\b
", storage = 0 '\0', copied = 0 '\0', newstorage = 0 '\0', filename =
0x7c4328 "04/413.buns"}, deleted = 0x12820c8 "\b ", first = 0x12820c8 "\b
", inserted = 0x12820c8 "\b ", count = 3}
^^^^^^^^^
(gdb) print BATprint(BATslice(b,0,1))
^^^
#-----------------#
# h t # name
# void str # type
#-----------------#
[ [EMAIL PROTECTED], "" ]
$6 = 16843009
(gdb) print BATprint(BATslice(b,0,2))
^^^
Program received signal SIGSEGV, Segmentation fault.
0x00002aaaac50abee in strPut (h=0x631618, dst=0xf87c30,
v=0xdbdbdbdbdcd55e43 <Address 0xdbdbdbdbdcd55e43 out of bounds>) at
/ufs/manegold/_/scratch0/Monet/Testing/Current/source/MonetDB/src/gdk/gdk_atoms.mx:1993
1993 size_t i = GDK_STRLEN(v);
The program being debugged was signaled while in a function called from
GDB.
GDB remains in the frame where the signal was received.
To change this behavior use "set unwindonsignal on"
Evaluation of the expression containing the function (BATslice) will be
abandoned.
========
see attached LOG for more details --- further investigation is required
...
File Added: LOG
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=482468&aid=1760168&group_id=56967
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Monetdb-bugs mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/monetdb-bugs
