Crash, may or may not be expansion sequence related
I can deterministically reproduce a crash by expanding scatter/gather in a loop many times (only a few times does not reproduce a crash).
diff --git a/suite/tests/client-interface/drx-scattergather.c b/suite/tests/client-interface/drx-scattergather.c
index 4c62be56..d4fcb04d 100644
--- a/suite/tests/client-interface/drx-scattergather.c
+++ b/suite/tests/client-interface/drx-scattergather.c
@@ -173,18 +173,20 @@ test_avx512_gather(void (*test_func)(uint32_t *, uint32_t *, uint32_t *),
uint32_t *ref_sparse_test_buf, uint32_t *ref_xmm_ymm_zmm,
uint32_t *test_idx_vec, uint32_t *output_xmm_ymm_zmm OUT)
{
- memset(output_xmm_ymm_zmm, 0, CONCAT_XMM_YMM_ZMM_U32 * sizeof(uint32_t));
- test_func(ref_sparse_test_buf, test_idx_vec, output_xmm_ymm_zmm);
- if (memcmp(output_xmm_ymm_zmm, ref_xmm_ymm_zmm,
- CONCAT_XMM_YMM_ZMM_U32 * sizeof(uint32_t)) != 0) {
- print("ERROR: gather result does not match\n");
- return false;
- }
- if (!test_avx512_mask_all_zero()) {
- print("ERROR: mask is not zero\n");
- return false;
+ for (int i = 0; i < 50; ++i) {
+ memset(output_xmm_ymm_zmm, 0, CONCAT_XMM_YMM_ZMM_U32 * sizeof(uint32_t));
+ test_func(ref_sparse_test_buf, test_idx_vec, output_xmm_ymm_zmm);
+ if (memcmp(output_xmm_ymm_zmm, ref_xmm_ymm_zmm,
+ CONCAT_XMM_YMM_ZMM_U32 * sizeof(uint32_t)) != 0) {
+ print("ERROR: gather result does not match\n");
+ return false;
+ }
+ if (!test_avx512_mask_all_zero()) {
+ print("ERROR: mask is not zero\n");
+ return false;
+ }
+ print("AVX-512 gather ok\n");
}
- print("AVX-512 gather ok\n");
return true;
}Leads to a SIGSEGV of the test under DynamoRIO
build/bin64/drrun -debug -code_api -c build/suite/tests/bin/libclient.drx-scattergather.dll.so -- build/suite/tests/bin/client.drx-scattergather(gdb) bt
#0 0x00007fb39f379952 in common_heap_free (tu=0x7fb2db233958, p_void=0xcdcdcdcdcdcdcdcd, size=3280, which=ACCT_IR) at /usr/local/google/home/hgreving/dynamorio/src/core/heap.c:4455
#1 0x00007fb39f37a7db in heap_free (dcontext=0x7fb2db232d80, p=0xcdcdcdcdcdcdcdcd, size=3280, which=ACCT_IR) at /usr/local/google/home/hgreving/dynamorio/src/core/heap.c:4588
#2 0x00007fb39f4246a0 in instr_free (dcontext=0x7fb2db232d80, instr=0x7fb2db2849a0) at /usr/local/google/home/hgreving/dynamorio/src/core/arch/instr_shared.c:185
#3 0x00007fb39f4243b2 in instr_destroy (dcontext=0x7fb2db232d80, instr=0x7fb2db2849a0) at /usr/local/google/home/hgreving/dynamorio/src/core/arch/instr_shared.c:103
#4 0x00007fb35b26b4d3 in free_einstr (drcontext=0x7fb2db232d80, label=0x7fb2db287e40) at /usr/local/google/home/hgreving/dynamorio/src/ext/drmgr/drmgr.c:2701
#5 0x00007fb39f424647 in instr_free (dcontext=0x7fb2db232d80, instr=0x7fb2db287e40) at /usr/local/google/home/hgreving/dynamorio/src/core/arch/instr_shared.c:171
#6 0x00007fb39f4243b2 in instr_destroy (dcontext=0x7fb2db232d80, instr=0x7fb2db287e40) at /usr/local/google/home/hgreving/dynamorio/src/core/arch/instr_shared.c:103
#7 0x00007fb39f434702 in instrlist_clear (dcontext=0x7fb2db232d80, ilist=0x7fb2db285e28) at /usr/local/google/home/hgreving/dynamorio/src/core/arch/instrlist.c:101
#8 0x00007fb39f3843e8 in end_and_emit_trace (dcontext=0x7fb2db232d80, cur_f=0x7fb2db3053d0) at /usr/local/google/home/hgreving/dynamorio/src/core/monitor.c:1590
#9 0x00007fb39f38665a in monitor_cache_enter (dcontext=0x7fb2db232d80, f=0x7fb2db3053d0) at /usr/local/google/home/hgreving/dynamorio/src/core/monitor.c:2093
#10 0x00007fb39f2c2117 in d_r_dispatch (dcontext=0x7fb2db232d80) at /usr/local/google/home/hgreving/dynamorio/src/core/dispatch.c:197
#11 0x00007fb35b20617f in ?? ()
#12 0x0000000000000000 in ?? ()The crash is also noticeably absent with -disable_traces