Segmentation fault when calling DebugAllocator's deinit function

[qiuweishengx]

Zig Version

0.14.0-dev.3180+75df7e502

Steps to Reproduce and Observed Behavior

const std = @import("std");

pub fn main() !void {
    const config = std.heap.DebugAllocatorConfig{ };
    var debug_allocator = std.heap.DebugAllocator(config){};
    const allocator = debug_allocator.allocator();
    const size = config.page_size >> 2;
    const slice1 = try allocator.alloc(u8, size);
    const slice2 = try allocator.alloc(u8, size);
    _ = try allocator.alloc(u8, size);
    allocator.free(slice1);
    allocator.free(slice2);
    std.debug.print("{}\n", .{debug_allocator.deinit()});
} 

Output:

# some stack traces about memory leak
# ...
Segmentation fault at address 0x104b9ff30
aborting due to recursive panic

What cause this is that the singly-linked bucket list is not maintained when a bucket is removed.

// std/heap/debug_allocator.zig

fn free(
    context: *anyopaque,
    old_memory: []u8,
    alignment: mem.Alignment,
    return_address: usize,
) void {
   // ...
    bucket.freed_count += 1;
    if (bucket.freed_count == bucket.allocated_count) {
        if (self.buckets[size_class_index] == bucket) {
            self.buckets[size_class_index] = null;
        }
        if (!config.never_unmap) {
            const page: [*]align(page_size) u8 = @ptrFromInt(page_addr);
            self.backing_allocator.rawFree(page[0..page_size], page_align, @returnAddress());
        }
    }
   // ...
}

This can also cause the debug allocator to not report leaked memory correctly. For example:

const std = @import("std");

pub fn main() !void {
    const config = std.heap.DebugAllocatorConfig{};
    var debug_allocator = std.heap.DebugAllocator(config){};
    const allocator = debug_allocator.allocator();
    const size = config.page_size >> 2;
    _ = try allocator.alloc(u8, size);
    _ = try allocator.alloc(u8, size);
    const slice = try allocator.alloc(u8, size);
    allocator.free(slice);
    std.debug.print("{}\n", .{debug_allocator.deinit()});
}

should print:

heap.Check.leak

instead it print:

heap.Check.ok

By the way, should the memory used by the buckets be free in deinit()?

// std/heap/debug_allocator.zig

pub fn deinit(self: *Self) std.heap.Check {
    const leaks = if (config.safety) self.detectLeaks() else false;
    // Should the leaked buckets be free here
    if (config.retain_metadata) self.freeRetainedMetadata();
    self.large_allocations.deinit(self.backing_allocator);
    self.* = undefined;
    return if (leaks) .leak else .ok;
}

Expected Behavior

Should print stack traces about memory leak. Then print:

heap.Check.leak

[alexrp]

cc @andrewrk

[andrewrk]

cc @andrewrk

Believe it or not I have notifications enabled for all issues, pull requests, and comments 🙂

[SuperAuguste]

Completely missed this issue (I blame GitHub's issue search) but #23390 describes the same behavior and fixes it! :)

[kevinboulain]

I'm hitting the assert introduced in #23390 (Zig 0.14.1), how should one go about debugging it efficiently? I've already intercepted all calls to the allocator (around 40) and tried a repro, without luck (maybe because it's not the single thing that's allocating in the program?). Something like this:

// [gpa] info: small alloc 128 bytes at 0x7fbd7dd00000
// [main] warning: gpa: alloc ptr=7fbd7dd00000 len=128 alignment=mem.Alignment.8
const _7fbd7dd00000 = allocator.vtable.alloc(allocator.ptr, 128, mem.Alignment.@"8", @returnAddress()).?;
// [main] warning: gpa: free ptr=7fbd7dd00000 alignment=mem.Alignment.8                                                                                                                 
// [gpa] info: small free 128 bytes at u8@7fbd7dd00000                                                                                                                                     
allocator.vtable.free(allocator.ptr, _7fbd7dd00000[0..128], mem.Alignment.@"8", @returnAddress());
[...]

/nix/store/abbrb7rs5x1ib5ppv794f3clj68d04yb-zig-0.14.1/lib/zig/std/debug.zig:550:14: 0x106740d in assert (main)
    if (!ok) unreachable; // assertion failure
             ^
/nix/store/abbrb7rs5x1ib5ppv794f3clj68d04yb-zig-0.14.1/lib/zig/std/heap/debug_allocator.zig:951:27: 0x112e7ce in free (main)
                    assert(self.buckets[size_class_index] == bucket);
                          ^
/nix/store/abbrb7rs5x1ib5ppv794f3clj68d04yb-zig-0.14.1/lib/zig/std/mem/Allocator.zig:147:25: 0x112bbc1 in destroy__anon_147809 (main)
    return a.vtable.free(a.ptr, memory, alignment, ret_addr);
                        ^

[mrtowers]

shouldn't this be closed by #23390? i cannot reproduce this behavior anymore