Segmentation fault if blosc2 is updated to version 2.15.2

[musicinmybrain]

I first observed this with the patched rust-blosc2-sys in Fedora Rawhide (or Fedora 41), which always uses the system C blosc2 library and always re-generates bindings; it appeared as a regression when Fedora’s blosc2 package was updated from 2.15.1 to 2.15.2. However, with some effort, I was able to reproduce it in a git checkout without anything Fedora-specific

First, get a branch of blosc2-rs/blosc2-sys with an updated C library, as in milesgranger/blosc2-rs#33:

$ git checkout https://github.com/milesgranger/blosc2-rs.git
$ cd blosc2-rs
$ git remote add musicinmybrain git@github.com:musicinmybrain/blosc2-rs.git
$ git fetch --all
$ git checkout c-blosc2-2.15.2
$ git submodule update --init --recursive
$ cargo test --workspace
(everything passes)

Now, build libcramjam with that:

$ cd ..
$ git checkout https://github.com/cramjam/libcramjam.git
$ cd libcramjam
$ vim Cargo.toml

diff --git a/Cargo.toml b/Cargo.toml
index e1c129d..4dbd7b0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -64,7 +64,7 @@ lz4            = { version = "^1", optional = true }
 flate2         = { version = "^1", optional = true }
 libdeflater    = { version = "^1", optional = true }
 libdeflate-sys = { version = "<1.20.0", optional = true }  # TODO: requires gcc>=4.9 not available on Python's CI wheel builds
-blosc2-rs      = { version = "0.3.1+2.15.1", optional = true, default-features = false }
+blosc2-rs      = { path = "../blosc2-rs", optional = true, default-features = false }
 zstd           = { version = "^0.13", optional = true }
 xz2            = { version = "0.1.7", optional = true }
 

$ cargo test --workspace
     Locking 2 packages to latest compatible versions
      Adding blosc2-rs v0.3.1+2.15.2 (/home/ben/src/forks/blosc2-rs)
      Adding blosc2-sys v0.3.1+2.15.2 (/home/ben/src/forks/blosc2-rs/blosc2-sys)
   Compiling libcramjam v0.6.0 (/home/ben/src/forks/libcramjam)
    Finished `test` profile [unoptimized + debuginfo] target(s) in 0.87s
     Running unittests src/lib.rs (target/debug/deps/libcramjam-a1c845d8657054f6)

running 57 tests
test lz4::block::tests::round_trip_store_size ... ok
test lz4::block::tests::round_trip_no_store_size ... ok
test blosc2::tests::test_compress ... ok
test igzip::tests::test_gzip_multiple_streams ... ok
test gzip::tests::test_gzip_multiple_streams ... ok
error: test failed, to rerun pass `--lib`

Caused by:
  process didn't exit successfully: `/home/ben/src/forks/libcramjam/target/debug/deps/libcramjam-a1c845d8657054f6` (signal: 11, SIGSEGV: invalid memory reference)
$ rust-gdb /home/ben/src/forks/libcramjam/target/debug/deps/libcramjam-a1c845d8657054f6
(gdb) run
running 57 tests
[New Thread 0x7ffff7c696c0 (LWP 3180234)]
[New Thread 0x7ffff7a686c0 (LWP 3180235)]
[New Thread 0x7ffff78676c0 (LWP 3180236)]
[New Thread 0x7ffff76666c0 (LWP 3180237)]
[New Thread 0x7ffff6e656c0 (LWP 3180238)]
[New Thread 0x7ffff6c3b6c0 (LWP 3180239)]
[New Thread 0x7ffff643a6c0 (LWP 3180240)]
[Thread 0x7ffff6e656c0 (LWP 3180238) exited]
[New Thread 0x7ffff62396c0 (LWP 3180241)]
[Thread 0x7ffff643a6c0 (LWP 3180240) exited]
[New Thread 0x7ffff5a386c0 (LWP 3180242)]
[New Thread 0x7ffff57e16c0 (LWP 3180243)]
[Thread 0x7ffff7a686c0 (LWP 3180235) exited]
[New Thread 0x7ffff4fe06c0 (LWP 3180244)]
[Thread 0x7ffff57e16c0 (LWP 3180243) exited]
[Thread 0x7ffff62396c0 (LWP 3180241) exited]
[Thread 0x7ffff6c3b6c0 (LWP 3180239) exited]
[Thread 0x7ffff76666c0 (LWP 3180237) exited]
[Thread 0x7ffff78676c0 (LWP 3180236) exited]
[Thread 0x7ffff7c696c0 (LWP 3180234) exited]
[New Thread 0x7ffff57e16c0 (LWP 3180245)]
[New Thread 0x7ffff62396c0 (LWP 3180246)]
[New Thread 0x7ffff6c3b6c0 (LWP 3180247)]
[New Thread 0x7ffff76666c0 (LWP 3180248)]
[New Thread 0x7ffff4d436c0 (LWP 3180249)]
[New Thread 0x7ffff4b426c0 (LWP 3180250)]
[New Thread 0x7ffff48b96c0 (LWP 3180251)]
[New Thread 0x7ffff46b86c0 (LWP 3180252)]
[New Thread 0x7ffff43806c0 (LWP 3180253)]
test lz4::block::tests::round_trip_no_store_size ... ok
[New Thread 0x7ffff6e656c0 (LWP 3180254)]
test lz4::block::tests::round_trip_store_size ... ok
[New Thread 0x7ffff643a6c0 (LWP 3180255)]
test gzip::tests::test_gzip_multiple_streams ... ok
[New Thread 0x7ffff7a686c0 (LWP 3180256)]
test igzip::tests::test_gzip_multiple_streams ... ok
[New Thread 0x7ffff78676c0 (LWP 3180257)]
test blosc2::tests::test_compress ... ok
[New Thread 0x7ffff7c696c0 (LWP 3180258)]

Thread 12 "tests::blosc2::" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff4fe06c0 (LWP 3180244)]
0x00005555559eefda in blosc2::schunk::SChunk::typesize (self=0x7ffff4fdebd8) at src/lib.rs:1038
1038                self.inner().typesize as _

[musicinmybrain]

Here’s the full backtrace:

(gdb) bt
#0  0x00005555559eefda in blosc2::schunk::SChunk::typesize (self=0x7ffff4fdebd8) at src/lib.rs:1038
#1  0x00005555559f194c in blosc2::schunk::SChunk::append_buffer<u8> (self=0x7ffff4fdebd8,
    data=&[u8](size=8192) = {...}) at src/lib.rs:848
#2  0x00005555559ef0df in blosc2::schunk::{impl#10}::write (self=0x7ffff4fdebd8,
    buf=&[u8](size=8192) = {...}) at src/lib.rs:1105
#3  0x00005555556d1f39 in std::io::Write::write_all<blosc2::schunk::SChunk> (self=0x7ffff4fdebd8,
    buf=&[u8](size=8192) = {...})
    at /builddir/build/BUILD/rust-1.83.0-build/rustc-1.83.0-src/library/std/src/io/mod.rs:1705
#4  0x00005555555b4d34 in std::io::copy::{impl#3}::copy_to<&mut std::io::cursor::Cursor<&[u8]>, blosc2
::schunk::SChunk> (self=0x7ffff4fdf050, to=0x7ffff4fdebd8)
    at /builddir/build/BUILD/rust-1.83.0-build/rustc-1.83.0-src/library/std/src/io/copy.rs:180
#5  0x000055555555cc84 in std::io::copy::generic_copy<std::io::buffered::bufreader::BufReader<&mut std
::io::cursor::Cursor<&[u8]>>, blosc2::schunk::SChunk> (reader=0x7ffff4fdf050, writer=0x7ffff4fdebd8)
    at /builddir/build/BUILD/rust-1.83.0-build/rustc-1.83.0-src/library/std/src/io/copy.rs:86
#6  0x00005555555f3d43 in std::sys::pal::unix::kernel_copy::{impl#1}::copy<std::io::buffered::bufreade
r::BufReader<&mut std::io::cursor::Cursor<&[u8]>>, blosc2::schunk::SChunk> (self=...)
    at /builddir/build/BUILD/rust-1.83.0-build/rustc-1.83.0-src/library/std/src/sys/pal/unix/kernel_co
py.rs:184
#7  0x000055555556d36d in std::sys::pal::unix::kernel_copy::copy_spec<std::io::buffered::bufreader::Bu
fReader<&mut std::io::cursor::Cursor<&[u8]>>, blosc2::schunk::SChunk> (read=0x7ffff4fdf050,
    write=0x7ffff4fdebd8)
    at /builddir/build/BUILD/rust-1.83.0-build/rustc-1.83.0-src/library/std/src/sys/pal/unix/kernel_co
py.rs:78
#8  std::io::copy::copy<std::io::buffered::bufreader::BufReader<&mut std::io::cursor::Cursor<&[u8]>>, 
blosc2::schunk::SChunk> (reader=0x7ffff4fdf050, writer=0x7ffff4fdebd8)
    at /builddir/build/BUILD/rust-1.83.0-build/rustc-1.83.0-src/library/std/src/io/copy.rs:68
#9  0x00005555555f57c6 in libcramjam::blosc2::compress<&mut std::io::cursor::Cursor<&[u8]>, std::io::c
ursor::Cursor<&mut alloc::vec::Vec<u8, alloc::alloc::Global>>> (rdr=0x7ffff4fdf368,
    wtr=0x7ffff4fdf380) at src/blosc2.rs:24
#10 0x0000555555573a69 in libcramjam::tests::blosc2::roundtrip_compress_via_slice_decompress_via_vecto
r () at src/lib.rs:99
#11 0x00005555556333f7 in libcramjam::tests::blosc2::roundtrip_compress_via_slice_decompress_via_vecto
r::{closure#0} () at src/lib.rs:89
#12 0x00005555555c9c36 in core::ops::function::FnOnce::call_once<libcramjam::tests::blosc2::roundtrip_
compress_via_slice_decompress_via_vector::{closure_env#0}, ()> ()
    at /builddir/build/BUILD/rust-1.83.0-build/rustc-1.83.0-src/library/core/src/ops/function.rs:250
#13 0x000055555572da5b in core::ops::function::FnOnce::call_once<fn() -> core::result::Result<(), allo
c::string::String>, ()> () at core/src/ops/function.rs:250
#14 test::__rust_begin_short_backtrace<core::result::Result<(), alloc::string::String>, fn() -> core::result::Result<(), alloc::string::String>> (f=0x10) at test/src/lib.rs:621
#15 0x000055555572d2b7 in test::run_test_in_process::{closure#0} () at test/src/lib.rs:644
#16 core::panic::unwind_safe::{impl#23}::call_once<core::result::Result<(), alloc::string::String>, test::run_test_in_process::{closure_env#0}> (self=...) at core/src/panic/unwind_safe.rs:272
#17 std::panicking::try::do_call<core::panic::unwind_safe::AssertUnwindSafe<test::run_test_in_process::{closure_env#0}>, core::result::Result<(), alloc::string::String>> (
    data=<error reading variable: Cannot access memory at address 0x0>) at std/src/panicking.rs:557
#18 std::panicking::try<core::result::Result<(), alloc::string::String>, core::panic::unwind_safe::Ass--Type <RET> for more, q to quit, c to continue without paging--c
ertUnwindSafe<test::run_test_in_process::{closure_env#0}>> (f=...) at std/src/panicking.rs:520
#19 std::panic::catch_unwind<core::panic::unwind_safe::AssertUnwindSafe<test::run_test_in_process::{closure_env#0}>, core::result::Result<(), alloc::string::String>> (f=...) at std/src/panic.rs:358
#20 test::run_test_in_process (id=..., desc=..., nocapture=<optimized out>, runnable_test=...,
    monitor_ch=..., time_opts=..., report_time=<optimized out>) at test/src/lib.rs:644
#21 test::run_test::{closure#0} () at test/src/lib.rs:565
#22 0x00005555556f25f4 in test::run_test::{closure#1} () at test/src/lib.rs:595
#23 std::sys::backtrace::__rust_begin_short_backtrace<test::run_test::{closure_env#1}, ()> (f=...)
    at std/src/sys/backtrace.rs:154
#24 0x00005555556f5d5e in std::thread::{impl#0}::spawn_unchecked_::{closure#1}::{closure#0}<test::run_test::{closure_env#1}, ()> () at std/src/thread/mod.rs:538
#25 core::panic::unwind_safe::{impl#23}::call_once<(), std::thread::{impl#0}::spawn_unchecked_::{closure#1}::{closure_env#0}<test::run_test::{closure_env#1}, ()>> (self=...)
    at core/src/panic/unwind_safe.rs:272
#26 std::panicking::try::do_call<core::panic::unwind_safe::AssertUnwindSafe<std::thread::{impl#0}::spawn_unchecked_::{closure#1}::{closure_env#0}<test::run_test::{closure_env#1}, ()>>, ()> (
    data=<optimized out>) at std/src/panicking.rs:557
#27 std::panicking::try<(), core::panic::unwind_safe::AssertUnwindSafe<std::thread::{impl#0}::spawn_unchecked_::{closure#1}::{closure_env#0}<test::run_test::{closure_env#1}, ()>>> (f=...)
    at std/src/panicking.rs:520
#28 std::panic::catch_unwind<core::panic::unwind_safe::AssertUnwindSafe<std::thread::{impl#0}::spawn_unchecked_::{closure#1}::{closure_env#0}<test::run_test::{closure_env#1}, ()>>, ()> (f=...)
    at std/src/panic.rs:358
#29 std::thread::{impl#0}::spawn_unchecked_::{closure#1}<test::run_test::{closure_env#1}, ()> ()
    at std/src/thread/mod.rs:537
#30 core::ops::function::FnOnce::call_once<std::thread::{impl#0}::spawn_unchecked_::{closure_env#1}<test::run_test::{closure_env#1}, ()>, ()> () at core/src/ops/function.rs:250
#31 0x0000555555a8a63b in alloc::boxed::{impl#48}::call_once<(), dyn core::ops::function::FnOnce<(), Output=()>, alloc::alloc::Global> (self=..., args=<optimized out>) at alloc/src/boxed.rs:2454
#32 alloc::boxed::{impl#48}::call_once<(), alloc::boxed::Box<dyn core::ops::function::FnOnce<(), Output=()>, alloc::alloc::Global>, alloc::alloc::Global> (self=0x555555ca9050, args=<optimized out>)
    at alloc/src/boxed.rs:2454
#33 std::sys::pal::unix::thread::{impl#2}::new::thread_start (main=0x555555ca9050)
    at std/src/sys/pal/unix/thread.rs:105
#34 0x00007ffff7cdd148 in start_thread (arg=<optimized out>) at pthread_create.c:448
#35 0x00007ffff7d610cc in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

[musicinmybrain]

It looks like each of these tests fails with a similar traceback:

roundtrip_compress_via_slice_decompress_via_slice
roundtrip_compress_via_slice_decompress_via_vector
roundtrip_compress_via_vector_decompress_via_slice
roundtrip_compress_via_vector_decompress_via_vector

[milesgranger]

Closed by #22