runtime: non-empty mark queue after concurrent mark

[neild]

Test failure on https://go.dev/cl/617376/2, which I don't think was responsible for the failure. Only builder to fail was gotip-linux-amd64-aliastypeparams.

runtime: full=0xc0000d38000006 next=129 jobs=128 nDataRoots=1 nBSSRoots=1 nSpanRoots=16 nStackRoots=108
panic: non-empty mark queue after concurrent mark
fatal error: panic on system stack

runtime stack:
runtime.throw({0x6dcdac?, 0x73cf70?})
	/home/swarming/.swarming/w/ir/x/w/goroot/src/runtime/panic.go:1074 +0x48 fp=0x7fdc4b7fdd30 sp=0x7fdc4b7fdd00 pc=0x472a48
panic({0x67f660?, 0x73cf70?})
	/home/swarming/.swarming/w/ir/x/w/goroot/src/runtime/panic.go:751 +0x33b fp=0x7fdc4b7fdde0 sp=0x7fdc4b7fdd30 pc=0x47295b
runtime.gcMark(0x47b2ed?)
	/home/swarming/.swarming/w/ir/x/w/goroot/src/runtime/mgc.go:1531 +0x3ec fp=0x7fdc4b7fde58 sp=0x7fdc4b7fdde0 pc=0x41b78c
runtime.gcMarkTermination.func1()
	/home/swarming/.swarming/w/ir/x/w/goroot/src/runtime/mgc.go:980 +0x17 fp=0x7fdc4b7fde70 sp=0x7fdc4b7fde58 pc=0x41ab77
runtime.systemstack(0x800000)
	/home/swarming/.swarming/w/ir/x/w/goroot/src/runtime/asm_amd64.s:514 +0x4a fp=0x7fdc4b7fde80 sp=0x7fdc4b7fde70 pc=0x47792a

Full log at: https://logs.chromium.org/logs/golang/buildbucket/cr-buildbucket/8734717093063296065/+/u/step/11/log/2?format=raw

[gabyhelp]

Related Issues and Documentation

• runtime: panic: non-empty mark queue after concurrent mark (Go1.14, Go1.15) #41303 (closed)
• runtime: TestStackOverflow panics on linux #11049 (closed)
• runtime.gc bug #23715 (closed)
• runtime: fatal error: unexpected signal during runtime execution #16331 (closed)
• runtime or cmd/compile: runtime:cpu124 test crash or stall when GO_GCFLAGS=-N -l #15859 (closed)
• runtime: "lock ordering problem" in (*gcSweepBuf).push #38441 (closed)
• runtime: crash in gcInstallStackBarrier #11057 (closed)
• runtime: copystack: no locals info for runtime.sigtramp #8668 (closed)
• runtime: index out of range panic, runtime.heapBitsForAddr #46728 (closed)
• runtime: fatal error: unexpected signal during runtime execution #60783 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[mknyszek]

This suggests there was an out-standing GC mark buf after we'd already passed through mark termination, meaning the mark termination algorithm failed to catch something. It could also mean that GC work was generated during mark termination in a way that we missed.

However, this should already be caught here: https://cs.opensource.google/go/go/+/master:src/runtime/mgc.go;l=900;drc=123594d3863b0a4b9094a569957d1bd94ebe7512

We do already know that mark termination is buggy (we very rarely miss work, see #27993). But it should never reach this back-up check and I don't see how that would be possible. The mark buf pointer looks almost legit, but the 0x6 in the bottom bits is incredibly fishy which makes me think that some kind of memory corruption occurred.

EDIT: The 0x6 is a red herring. This is an lfstack tagged pointer, so the lower bits are used for some lock-free shenanigans.

[mknyszek]

I have a hunch as to what's going on here.

I think this may be a super subtle bug in https://go.dev/cl/610396 that may be related to our broken mark termination condition (#27993). In particular, the re-check we do to paper over the broken termination condition only checks to make sure each P's work buf is empty after a write barrier buffer flush, but does not check the global list.

What if the call to shade, which queues pointers into work bufs directly, happens enough times before the stop-the-world (in a way that queues new pointers, so the pointers have to have been not observed by the GC before this cycle) to force a flush of a mark work buffer? On the one hand this sounds a little absurd, since each P's work buffer is something like 2 KiB, so it can hold something like 256 pointers, and that's a lot of pointers to queue for this to happen. (I think technically you might need 512, if the second checked-out buffer also happens to be empty. Not sure how likely that is.) But also, anything can happen while trying to stop the world, there's no time bound. Someone using the unique package could get unlucky and queue >256 unmarked (ha) objects in that window.

This could, in theory happen with write barriers too, which was the original reason the condition was broken. But it would take a lot of missed writes for it to happen. First, the write barrier buffers would have to be filled, and then flushed, and then there's enough space to fill the write barrier buffers again before anything gets flushed to the global queue.

If my theory is right, then:

• Adding an explicit check on work.full and restarting here should fully fix the problem.
• Replacing shade(ptr) with getg().m.p.ptr().wbBuf.get1()[0] = uintptr(ptr) in https://go.dev/cl/610396 should paper over the problem, possibly enough to prevent it from happening.

If I'm right, this is kinda bad. It would be much better (but harder) to actually fix mark termination. And however we fix mark termination in the future, it's clear to me that we need to account for this weak-to-strong conversion explicitly. It may be that we simply have to block the conversion from happening at a certain point during mark termination. (This would also be a valid solution to the problem if my theory is right.)

[mknyszek]

I discussed this a bit more with @aclements and I'd misunderstood exactly what was going wrong in #27993. I really should have just read Austin's very clear explanation in #27993 (comment).

But, this is almost certainly an issue of the weak->strong conversion being able to generate new GC work at any time. I think the clearest fix to this would be to force weak->strong conversions to block during mark termination, to prevent the creation of new GC work once we've entered mark termination. We can do this efficiently by setting a global flag before the ragged barrier. The weak->strong conversion will then check this flag (non-atomic, the ragged barrier ensures it is observed), park the current goroutine, and place it on a list. During the mark termination STW, the flag will be unset, and all parked goroutines will be unparked.

I'm not certain what kind of adverse affects this will have, but assuming we want to backport this, it would be best to keep the solution as simple as possible. I would expect this to be efficient, even under heavy use of unique, since it guarantees mark termination progress. At that point in the GC cycle, that progress is important to latency, so I suspect this would work better than, for example, retrying mark termination if a weak->strong conversion is detected.

[gopherbot]

Change https://go.dev/cl/623615 mentions this issue: runtime: prevent weak->strong conversions from creating more GC work

[mknyszek]

@gopherbot Please open a backport issue for Go 1.23. This bug causes random crashes with no workaround for anything using the unique package, which includes applications using net/http.

[gopherbot]

Backport issue(s) opened: #70323 (for 1.23).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/627615 mentions this issue: [release-branch.go1.23] runtime: prevent weak->strong conversions during mark termination