Julia: Segfault using ForwardDiff

Created on 17 Aug 2018 · 10Comments · Source: JuliaLang/julia

MWE:

using StaticArrays
using ForwardDiff
using LinearAlgebra

struct Gaussian{T,S}
    μ::T
    Σ::S
end

predicted_state(state_prior::Gaussian, transition_noise::Gaussian) =
    # Inlining (manually) this function makes the segfault disappear
    (state_prior.μ + transition_noise.μ,
     state_prior.Σ + transition_noise.Σ)

function kfilter(state_prior::Gaussian, a, b1, b2, c1, c2)
    transition_noise = Gaussian([c1, c2], SDiagonal(b1, b2))
    C = @SMatrix [1.0 15.0]
    y = 1.0

    μ, Σ = predicted_state(state_prior, transition_noise) 
    ŷ = C * μ
    S = C * Σ * C' .+ a

    K = Σ * C' / S
    r = y - ŷ
    return Gaussian(μ + K*r, (I - K*C) * Σ)
end

function log_likelihood(params)
    state = Gaussian(SVector(2.42, 0.12), @SMatrix [0.2 0.0; 0.0 0.06])
    for t in 1:100
        state = kfilter(state, params...)
    end
    return 0.0
end

initial_x = [0.1, 1.e-4, 1.e-6, 1.e-3, 3.e-5]
ForwardDiff.gradient(log_likelihood, initial_x)

(DiffSegfault) pkg> st
    Status `~/DiffSegfault/Project.toml`
  [f6369f11] ForwardDiff v0.8.5
  [90137ffa] StaticArrays v0.8.3
  [37e2e46d] LinearAlgebra 

julia> versioninfo()
Julia Version 0.7.0
Commit a4cb80f3ed (2018-08-08 06:46 UTC)
Platform Info:
  OS: Linux (x86_64-pc-linux-gnu)
  CPU: Intel(R) Core(TM) i7-5820K CPU @ 3.30GHz
  WORD_SIZE: 64
  LIBM: libopenlibm
  LLVM: libLLVM-6.0.0 (ORCJIT, haswell)

julia> include(joinpath("/home/cst-jean/Advisory/test/segfault.jl"))

signal (11): Segmentation fault
in expression starting at /home/cst-jean/Advisory/test/segfault.jl:38
+ at ./float.jl:395 [inlined]
+ at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/dual.jl:353 [inlined]
macro expansion at /home/cst-jean/.julia/packages/StaticArrays/Ze5H3/src/mapreduce.jl:30 [inlined]
_map at /home/cst-jean/.julia/packages/StaticArrays/Ze5H3/src/mapreduce.jl:21 [inlined]
map at /home/cst-jean/.julia/packages/StaticArrays/Ze5H3/src/mapreduce.jl:17 [inlined]
+ at /home/cst-jean/.julia/packages/StaticArrays/Ze5H3/src/linalg.jl:10 [inlined]
predicted_state at /home/cst-jean/Advisory/test/segfault.jl:10
kfilter at /home/cst-jean/Advisory/test/segfault.jl:20
unknown function (ip: 0x7fa10ca9b5f9)
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
jl_apply at /buildworker/worker/package_linux64/build/src/julia.h:1538 [inlined]
jl_f__apply at /buildworker/worker/package_linux64/build/src/builtins.c:563
log_likelihood at /home/cst-jean/Advisory/test/segfault.jl:32 [inlined]
vector_mode_dual_eval at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/apiutils.jl:35
vector_mode_gradient at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/gradient.jl:96
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
gradient at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/gradient.jl:17
gradient at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/gradient.jl:15
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
gradient at /home/cst-jean/.julia/packages/ForwardDiff/kTOVi/src/gradient.jl:15
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
do_call at /buildworker/worker/package_linux64/build/src/interpreter.c:324
eval_value at /buildworker/worker/package_linux64/build/src/interpreter.c:428
eval_stmt_value at /buildworker/worker/package_linux64/build/src/interpreter.c:363 [inlined]
eval_body at /buildworker/worker/package_linux64/build/src/interpreter.c:686
jl_interpret_toplevel_thunk_callback at /buildworker/worker/package_linux64/build/src/interpreter.c:799
unknown function (ip: 0xfffffffffffffffe)
unknown function (ip: 0x7fa11942339f)
unknown function (ip: (nil))
jl_interpret_toplevel_thunk at /buildworker/worker/package_linux64/build/src/interpreter.c:808
jl_toplevel_eval_flex at /buildworker/worker/package_linux64/build/src/toplevel.c:831
jl_parse_eval_all at /buildworker/worker/package_linux64/build/src/ast.c:841
jl_load at /buildworker/worker/package_linux64/build/src/toplevel.c:865
include at ./boot.jl:317 [inlined]
include_relative at ./loading.jl:1038
include at ./sysimg.jl:29
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
include at ./client.jl:398
jl_fptr_trampoline at /buildworker/worker/package_linux64/build/src/gf.c:1829
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
do_call at /buildworker/worker/package_linux64/build/src/interpreter.c:324
eval_value at /buildworker/worker/package_linux64/build/src/interpreter.c:428
eval_stmt_value at /buildworker/worker/package_linux64/build/src/interpreter.c:363 [inlined]
eval_body at /buildworker/worker/package_linux64/build/src/interpreter.c:686
jl_interpret_toplevel_thunk_callback at /buildworker/worker/package_linux64/build/src/interpreter.c:799
unknown function (ip: 0xfffffffffffffffe)
unknown function (ip: 0x7fa1198ae67f)
unknown function (ip: (nil))
jl_interpret_toplevel_thunk at /buildworker/worker/package_linux64/build/src/interpreter.c:808
jl_toplevel_eval_flex at /buildworker/worker/package_linux64/build/src/toplevel.c:831
jl_toplevel_eval_in at /buildworker/worker/package_linux64/build/src/builtins.c:633
eval at ./boot.jl:319
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
eval_user_input at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v0.7/REPL/src/REPL.jl:85
macro expansion at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v0.7/REPL/src/REPL.jl:117 [inlined]
#28 at ./task.jl:262
jl_apply_generic at /buildworker/worker/package_linux64/build/src/gf.c:2182
jl_apply at /buildworker/worker/package_linux64/build/src/julia.h:1538 [inlined]
start_task at /buildworker/worker/package_linux64/build/src/task.c:268
unknown function (ip: 0xffffffffffffffff)
Allocations: 20812980 (Pool: 20808395; Big: 4585); GC: 43
Segmentation fault (core dumped)

bug codegen upstream

Source

cstjean

Most helpful comment

No, thank you for the reproducible bug report.

Keno on 17 Aug 2018

❤5 👍3

All 10 comments

I can reproduce this. Taking a look.

Keno on 17 Aug 2018

My money is on SLP...

KristofferC on 17 Aug 2018

Probably a good bet.

Keno on 17 Aug 2018

Indeed, turning off SLP makes it go away.

Keno on 17 Aug 2018

The faulting instruction is

0x7f5f9dda107c <julia_predicted_state_35559+140>        vmovapd 0x28(%rdx),%xmm3

Where $rdx is

0x7f5fbb0af2d0

so it looks like the loaded address is

julia> mod(0x7f5fbb0af2d0+0x28, 16)
8

not aligned, causing the fault.

Keno on 17 Aug 2018

Seems to be fixed in LLVM master. I'll bisect to figure out what commit fixed it.

Keno on 17 Aug 2018

Bisect isn't quite done yet, but I suspect the fixing commit is https://reviews.llvm.org/rL326967

Keno on 17 Aug 2018

Well, that was quick. Bisect is done and confirms my suspicion.

Keno on 17 Aug 2018

4 hours from bug report to bugfix for a segfault is fantastic, thank you!

cstjean on 17 Aug 2018

No, thank you for the reproducible bug report.

Keno on 17 Aug 2018

❤5 👍3

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Another illegal instruction

tkoolen · 3Comments

split() enhancement, keep_splitter

i-apellaniz · 3Comments

Broken booleans as numbers?

TotalVerb · 3Comments

TypeVars in tuples in type parameters

iamed2 · 3Comments

Broadcasting a function on an array gives an expression

dpsanders · 3Comments