erts: Fix crash in erts_validate_stack()

sverker · sverker · commit c78ec315282d · 2025-08-25T14:43:16.000+02:00
during call_memory tracing with +JPperf true.

Problem:
erts_validate_stack() checks BeamIsReturnCallAccTrace(p-&gt;i)
but p-&gt;i was not updated after returning from erts_call_trace_return(),
so it assumed it's still such a frame on the stack.

Solution:
Make sure p-&gt;i is updated after we "return" from trace stack frames.
diff --git a/erts/emulator/beam/erl_gc.c b/erts/emulator/beam/erl_gc.c
@@ -3853,7 +3853,10 @@ void erts_validate_stack(Process *p, Eterm *frame_ptr, Eterm *stack_top) {
     ASSERT((next_fp != NULL) ^ (stack_top == stack_bottom));
 
     /* If the GC happens when we are about to execute a trace we
-       need to skip the trace instructions */
+       need to skip the trace instructions.
+       Note: It's not safe in general to assume p->i is up-to-date in GC.
+       However the return trace intructions do update p->i after returning.
+       */
     if (BeamIsReturnTrace(p->i)) {
         /* Skip MFA and tracer. */
         ASSERT_MFA((ErtsCodeMFA*)cp_val(scanner[0]));
diff --git a/erts/emulator/beam/jit/arm/beam_asm.hpp b/erts/emulator/beam/jit/arm/beam_asm.hpp
@@ -1374,7 +1374,8 @@ class BeamModuleAssembler : public BeamAssembler,
     void emit_tuple_assertion(const ArgSource &Src, a64::Gp tuple_reg);
 #endif
 
-    void emit_dispatch_return();
+    void emit_return_do(bool set_I);
+    void emit_dispatch_return(bool set_I);
 
 #include "beamasm_protos.h"
 
diff --git a/erts/emulator/beam/jit/arm/instr_call.cpp b/erts/emulator/beam/jit/arm/instr_call.cpp
@@ -35,13 +35,13 @@ void BeamGlobalAssembler::emit_dispatch_return() {
     a.b(labels[context_switch_simplified]);
 }
 
-void BeamModuleAssembler::emit_dispatch_return() {
+void BeamModuleAssembler::emit_dispatch_return(bool set_I) {
 #ifdef JIT_HARD_DEBUG
     /* Validate return address and {x,0} */
     emit_validate(ArgVal(ArgVal::Type::Word, 1));
 #endif
 
-    if (erts_alcu_enable_code_atags) {
+    if (erts_alcu_enable_code_atags || set_I) {
         /* See emit_i_test_yield. */
         a.str(a64::x30, arm::Mem(c_p, offsetof(Process, i)));
     }
@@ -57,13 +57,17 @@ void BeamModuleAssembler::emit_dispatch_return() {
 }
 
 void BeamModuleAssembler::emit_return() {
+    emit_return_do(false);
+}
+
+void BeamModuleAssembler::emit_return_do(bool set_I) {
     emit_leave_erlang_frame();
-    emit_dispatch_return();
+    emit_dispatch_return(set_I);
 }
 
 void BeamModuleAssembler::emit_move_deallocate_return() {
     a.ldp(XREG0, a64::x30, arm::Mem(E).post(16));
-    emit_dispatch_return();
+    emit_dispatch_return(false);
 }
 
 void BeamModuleAssembler::emit_i_call(const ArgLabel &CallTarget) {
diff --git a/erts/emulator/beam/jit/arm/instr_trace.cpp b/erts/emulator/beam/jit/arm/instr_trace.cpp
@@ -164,7 +164,10 @@ void BeamModuleAssembler::emit_return_trace() {
     emit_leave_runtime<Update::eHeapAlloc>(1);
 
     emit_deallocate(ArgVal(ArgVal::Type::Word, BEAM_RETURN_TRACE_FRAME_SZ));
-    emit_return();
+
+    /* Return and set c_p->i to avoid calls to BeamIsReturnTrace(c_p->i)
+       to assume there is still a trace frame on the stack. */
+    emit_return_do(true);
 }
 
 void BeamModuleAssembler::emit_i_call_trace_return() {
@@ -189,7 +192,10 @@ void BeamModuleAssembler::emit_i_call_trace_return() {
 
     emit_deallocate(
             ArgVal(ArgVal::Type::Word, BEAM_RETURN_CALL_ACC_TRACE_FRAME_SZ));
-    emit_return();
+
+    /* Return and set c_p->i to avoid calls to BeamIsReturnCallAccTrace(c_p->i)
+       to assume there is still a trace frame on the stack. */
+    emit_return_do(true);
 }
 
 void BeamModuleAssembler::emit_i_return_to_trace() {
@@ -207,7 +213,10 @@ void BeamModuleAssembler::emit_i_return_to_trace() {
     emit_leave_runtime<Update::eHeapAlloc>(1);
 
     emit_deallocate(ArgVal(ArgVal::Type::Word, BEAM_RETURN_TO_TRACE_FRAME_SZ));
-    emit_return();
+
+    /* Return and set c_p->i to avoid calls to BeamIsReturnToTrace(c_p->i)
+       to assume there is still a trace frame on the stack. */
+    emit_return_do(true);
 }
 
 void BeamModuleAssembler::emit_i_hibernate() {
diff --git a/erts/emulator/beam/jit/x86/beam_asm.hpp b/erts/emulator/beam/jit/x86/beam_asm.hpp
@@ -1520,6 +1520,8 @@ class BeamModuleAssembler : public BeamAssembler,
     void emit_tuple_assertion(const ArgSource &Src, x86::Gp tuple_reg);
 #endif
 
+    void emit_return_do(bool set_I);
+
 #include "beamasm_protos.h"
 
     const Label &resolve_beam_label(const ArgLabel &Lbl) const {
diff --git a/erts/emulator/beam/jit/x86/instr_call.cpp b/erts/emulator/beam/jit/x86/instr_call.cpp
@@ -41,6 +41,10 @@ void BeamGlobalAssembler::emit_dispatch_return() {
 }
 
 void BeamModuleAssembler::emit_return() {
+    emit_return_do(false);
+}
+
+void BeamModuleAssembler::emit_return_do(bool set_I) {
 #ifdef JIT_HARD_DEBUG
     /* Validate return address and {x,0} */
     emit_validate(ArgWord(1));
@@ -53,7 +57,7 @@ void BeamModuleAssembler::emit_return() {
     a.mov(getCPRef(), imm(NIL));
 #endif
 
-    if (erts_alcu_enable_code_atags) {
+    if (erts_alcu_enable_code_atags || set_I) {
         /* See emit_i_test_yield. */
 #if defined(NATIVE_ERLANG_STACK)
         a.mov(ARG3, x86::qword_ptr(E));
diff --git a/erts/emulator/beam/jit/x86/instr_trace.cpp b/erts/emulator/beam/jit/x86/instr_trace.cpp
@@ -194,7 +194,10 @@ void BeamModuleAssembler::emit_return_trace() {
     emit_leave_runtime<Update::eHeapAlloc>();
 
     emit_deallocate(ArgWord(BEAM_RETURN_TRACE_FRAME_SZ));
-    emit_return();
+
+    /* Return and set c_p->i to avoid calls to BeamIsReturnTrace(c_p->i)
+       to assume there is still a trace frame on the stack. */
+    emit_return_do(true);
 }
 
 void BeamModuleAssembler::emit_i_call_trace_return() {
@@ -217,7 +220,10 @@ void BeamModuleAssembler::emit_i_call_trace_return() {
     emit_leave_runtime<Update::eHeapAlloc>();
 
     emit_deallocate(ArgWord(BEAM_RETURN_CALL_ACC_TRACE_FRAME_SZ));
-    emit_return();
+
+    /* Return and set c_p->i to avoid calls to BeamIsReturnCallAccTrace(c_p->i)
+       to assume there is still a trace frame on the stack. */
+    emit_return_do(true);
 }
 
 void BeamModuleAssembler::emit_i_return_to_trace() {
@@ -239,7 +245,10 @@ void BeamModuleAssembler::emit_i_return_to_trace() {
     emit_leave_runtime<Update::eReductions | Update::eHeapAlloc>();
 
     emit_deallocate(ArgWord(BEAM_RETURN_TO_TRACE_FRAME_SZ));
-    emit_return();
+
+    /* Return and set c_p->i to avoid calls to BeamIsReturnToTrace(c_p->i)
+       to assume there is still a trace frame on the stack. */
+    emit_return_do(true);
 }
 
 void BeamModuleAssembler::emit_i_hibernate() {
