Segfault using ForwardDiff #28726

cstjean · 2018-08-17T15:47:18Z

MWE:

using StaticArrays
using ForwardDiff
using LinearAlgebra

struct Gaussian{T,S}
    μ::T
    Σ::S
end

predicted_state(state_prior::Gaussian, transition_noise::Gaussian) =
    # Inlining (manually) this function makes the segfault disappear
    (state_prior.μ + transition_noise.μ,
     state_prior.Σ + transition_noise.Σ)

function kfilter(state_prior::Gaussian, a, b1, b2, c1, c2)
    transition_noise = Gaussian([c1, c2], SDiagonal(b1, b2))
    C = @SMatrix [1.0 15.0]
    y = 1.0

    μ, Σ = predicted_state(state_prior, transition_noise) 
    ŷ = C * μ
    S = C * Σ * C' .+ a
    
    K = Σ * C' / S
    r = y - ŷ
    return Gaussian(μ + K*r, (I - K*C) * Σ)
end

function log_likelihood(params)
    state = Gaussian(SVector(2.42, 0.12), @SMatrix [0.2 0.0; 0.0 0.06])
    for t in 1:100
        state = kfilter(state, params...)
    end
    return 0.0
end

initial_x = [0.1, 1.e-4, 1.e-6, 1.e-3, 3.e-5]
ForwardDiff.gradient(log_likelihood, initial_x)

in

(DiffSegfault) pkg> st
    Status `~/DiffSegfault/Project.toml`
  [f6369f11] ForwardDiff v0.8.5
  [90137ffa] StaticArrays v0.8.3
  [37e2e46d] LinearAlgebra 

julia> versioninfo()
Julia Version 0.7.0
Commit a4cb80f3ed (2018-08-08 06:46 UTC)
Platform Info:
  OS: Linux (x86_64-pc-linux-gnu)
  CPU: Intel(R) Core(TM) i7-5820K CPU @ 3.30GHz
  WORD_SIZE: 64
  LIBM: libopenlibm
  LLVM: libLLVM-6.0.0 (ORCJIT, haswell)

julia> include(joinpath("/home/cst-jean/Advisory/test/segfault.jl"))

signal (11): Segmentation fault
in expression starting at /home/cst-jean/Advisory/test/segfault.jl:38
+ at ./float.jl:395 [inlined]
+ at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/dual.jl:353 [inlined]
macro expansion at /home/cst-jean/.julia/packages/StaticArrays/Ze5H3/src/mapreduce.jl:30 [inlined]
_map at /home/cst-jean/.julia/packages/StaticArrays/Ze5H3/src/mapreduce.jl:21 [inlined]
map at /home/cst-jean/.julia/packages/StaticArrays/Ze5H3/src/mapreduce.jl:17 [inlined]
+ at /home/cst-jean/.julia/packages/StaticArrays/Ze5H3/src/linalg.jl:10 [inlined]
predicted_state at /home/cst-jean/Advisory/test/segfault.jl:10
kfilter at /home/cst-jean/Advisory/test/segfault.jl:20
unknown function (ip: 0x7fa10ca9b5f9)
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
jl_apply at /buildworker/worker/package_linux64/build/src/julia.h:1538 [inlined]
jl_f__apply at /buildworker/worker/package_linux64/build/src/builtins.c:563
log_likelihood at /home/cst-jean/Advisory/test/segfault.jl:32 [inlined]
vector_mode_dual_eval at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/apiutils.jl:35
vector_mode_gradient at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/gradient.jl:96
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
gradient at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/gradient.jl:17
gradient at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/gradient.jl:15
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
gradient at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/gradient.jl:15
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
do_call at /buildworker/worker/package_linux64/build/src/interpreter.c:324
eval_value at /buildworker/worker/package_linux64/build/src/interpreter.c:428
eval_stmt_value at /buildworker/worker/package_linux64/build/src/interpreter.c:363 [inlined]
eval_body at /buildworker/worker/package_linux64/build/src/interpreter.c:686
jl_interpret_toplevel_thunk_callback at /buildworker/worker/package_linux64/build/src/interpreter.c:799
unknown function (ip: 0xfffffffffffffffe)
unknown function (ip: 0x7fa11942339f)
unknown function (ip: (nil))
jl_interpret_toplevel_thunk at /buildworker/worker/package_linux64/build/src/interpreter.c:808
jl_toplevel_eval_flex at /buildworker/worker/package_linux64/build/src/toplevel.c:831
jl_parse_eval_all at /buildworker/worker/package_linux64/build/src/ast.c:841
jl_load at /buildworker/worker/package_linux64/build/src/toplevel.c:865
include at ./boot.jl:317 [inlined]
include_relative at ./loading.jl:1038
include at ./sysimg.jl:29
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
include at ./client.jl:398
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
do_call at /buildworker/worker/package_linux64/build/src/interpreter.c:324
eval_value at /buildworker/worker/package_linux64/build/src/interpreter.c:428
eval_stmt_value at /buildworker/worker/package_linux64/build/src/interpreter.c:363 [inlined]
eval_body at /buildworker/worker/package_linux64/build/src/interpreter.c:686
jl_interpret_toplevel_thunk_callback at /buildworker/worker/package_linux64/build/src/interpreter.c:799
unknown function (ip: 0xfffffffffffffffe)
unknown function (ip: 0x7fa1198ae67f)
unknown function (ip: (nil))
jl_interpret_toplevel_thunk at /buildworker/worker/package_linux64/build/src/interpreter.c:808
jl_toplevel_eval_flex at /buildworker/worker/package_linux64/build/src/toplevel.c:831
jl_toplevel_eval_in at /buildworker/worker/package_linux64/build/src/builtins.c:633
eval at ./boot.jl:319
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
eval_user_input at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v0.7/REPL/src/REPL.jl:85
macro expansion at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v0.7/REPL/src/REPL.jl:117 [inlined]
#28 at ./task.jl:262
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
jl_apply at /buildworker/worker/package_linux64/build/src/julia.h:1538 [inlined]
start_task at /buildworker/worker/package_linux64/build/src/task.c:268
unknown function (ip: 0xffffffffffffffff)
Allocations: 20812980 (Pool: 20808395; Big: 4585); GC: 43
Segmentation fault (core dumped)

Keno · 2018-08-17T17:44:43Z

I can reproduce this. Taking a look.

KristofferC · 2018-08-17T17:55:34Z

My money is on SLP...

Keno · 2018-08-17T18:00:49Z

Probably a good bet.

Keno · 2018-08-17T18:02:11Z

Indeed, turning off SLP makes it go away.

Keno · 2018-08-17T18:20:51Z

The faulting instruction is

0x7f5f9dda107c <julia_predicted_state_35559+140>        vmovapd 0x28(%rdx),%xmm3

Where $rdx is

0x7f5fbb0af2d0

so it looks like the loaded address is

julia> mod(0x7f5fbb0af2d0+0x28, 16)
8

not aligned, causing the fault.

Keno · 2018-08-17T18:33:47Z

Seems to be fixed in LLVM master. I'll bisect to figure out what commit fixed it.

Keno · 2018-08-17T19:52:06Z

Bisect isn't quite done yet, but I suspect the fixing commit is https://reviews.llvm.org/rL326967

Keno · 2018-08-17T19:55:31Z

Well, that was quick. Bisect is done and confirms my suspicion.

This is rL326967 to fix #28726.

cstjean · 2018-08-17T20:05:53Z

4 hours from bug report to bugfix for a segfault is fantastic, thank you!

Keno · 2018-08-17T20:06:39Z

No, thank you for the reproducible bug report.

This is rL326967 to fix #28726.

This is rL326967 to fix #28726. (cherry picked from commit e99204b)

Keno added bug Indicates an unexpected problem or unintended behavior compiler:codegen Generation of LLVM IR and native code upstream The issue is with an upstream dependency, e.g. LLVM labels Aug 17, 2018

Keno self-assigned this Aug 17, 2018

Keno added a commit that referenced this issue Aug 17, 2018

Carry LLVM patch to fix incorrect codegen

78dac42

This is rL326967 to fix #28726.

Keno mentioned this issue Aug 17, 2018

Carry LLVM patch to fix incorrect codegen #28732

Merged

Keno closed this as completed in #28732 Aug 18, 2018

Keno added a commit that referenced this issue Aug 18, 2018

Carry LLVM patch to fix incorrect codegen

e99204b

This is rL326967 to fix #28726.

KristofferC pushed a commit that referenced this issue Sep 4, 2018

Carry LLVM patch to fix incorrect codegen

aeb8141

This is rL326967 to fix #28726. (cherry picked from commit e99204b)

KristofferC pushed a commit that referenced this issue Sep 8, 2018

Carry LLVM patch to fix incorrect codegen

4d2e536

This is rL326967 to fix #28726. (cherry picked from commit e99204b)

KristofferC pushed a commit that referenced this issue Sep 8, 2018

Carry LLVM patch to fix incorrect codegen

def8356

This is rL326967 to fix #28726. (cherry picked from commit e99204b)

KristofferC pushed a commit that referenced this issue Feb 11, 2019

Carry LLVM patch to fix incorrect codegen

fabbd27

This is rL326967 to fix #28726. (cherry picked from commit e99204b)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Segfault using ForwardDiff #28726

Segfault using ForwardDiff #28726

cstjean commented Aug 17, 2018

Keno commented Aug 17, 2018

KristofferC commented Aug 17, 2018

Keno commented Aug 17, 2018

Keno commented Aug 17, 2018 •

edited

Loading

Keno commented Aug 17, 2018

Keno commented Aug 17, 2018

Keno commented Aug 17, 2018

Keno commented Aug 17, 2018

cstjean commented Aug 17, 2018

Keno commented Aug 17, 2018

Segfault using ForwardDiff #28726

Segfault using ForwardDiff #28726

Comments

cstjean commented Aug 17, 2018

Keno commented Aug 17, 2018

KristofferC commented Aug 17, 2018

Keno commented Aug 17, 2018

Keno commented Aug 17, 2018 • edited Loading

Keno commented Aug 17, 2018

Keno commented Aug 17, 2018

Keno commented Aug 17, 2018

Keno commented Aug 17, 2018

cstjean commented Aug 17, 2018

Keno commented Aug 17, 2018

Keno commented Aug 17, 2018 •

edited

Loading