Try   HackMD

The Panic

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Investigation

Lighthouse is panicking with an out-of-bounds slice access at position 144115188075905177. Let's call that position p.

In binary, p isn't very interesting:

>>> math.log2(p)
57.00000000000049
>>> bin(p)
'0b1000000000000000000000000000000000000000001100000010011001'

If the slice contained u8, a slice of length p would be 144 petabytes. So, it seems that we're getting a wildly incorrect slice index.

The panic is the last line of this function:

    /// Mutably iterate through all values in some allocation.
    fn iter_mut(&mut self, alloc_id: usize) -> Result<impl Iterator<Item = &mut T>, Error> {
        let range = self.range(alloc_id)?;
        Ok(self.backing[range].iter_mut())
    }

It must be Self::range that's giving us p:

    /// Returns the range in `self.backing` that is occupied by some allocation.
    fn range(&self, alloc_id: usize) -> Result<Range<usize>, Error> {
        let start = *self
            .offsets
            .get(alloc_id)
            .ok_or(Error::UnknownAllocId(alloc_id))?;
        let end = self
            .offsets
            .get(alloc_id + 1)
            .copied()
            .unwrap_or(self.backing.len());

        Ok(start..end)
    }

Therefore, p must be either:

  1. A value in self.offsets.
  2. The length of self.backing.

The type of self.backing is Vec<Hash256>, so the user would need about 4,611 petabytes of RAM to allocate that slice. The Blue Waters supercomputer at the University of Illinois boasts 1.5 petabytes of RAM, so let's assume that the user is not running a super computer and therefore (2) is impossible because a slice of that length would never have been allocated in the first place.

Therefore, p must be a value in self.offsets. There are three places where self.offsets is set:

  1. It is instantiated in Self::alloc based on the length of aself.backing.
  2. It is mutated in Self::grow.
  3. It is mutated in Self::shrink.

We must rule out (1) for the same reason we ruled out the previous (1); the user has (unfortuately) not hijacked the worlds largest supercomputer and installed Windows and Lighthouse on it.

Subsequently, we must look at the only use of Self::grow:

Ordering::Less => self.grow(alloc_id, self.backing.len() - prev_len)?,

Ah ha! Unchecked subtraction! It's an underflow!

Oh wait, if we zoom out we can see there's a std::cmp::Ord::cmp preventing underflow:

        match prev_len.cmp(&self.backing.len()) {
            Ordering::Greater => self.shrink(alloc_id, prev_len - self.backing.len())?,
            Ordering::Less => self.grow(alloc_id, self.backing.len() - prev_len)?,
            Ordering::Equal => {}
        }

To get an underflow we'd need self.backing.len() to be less than prev_len. But the match statement prevents us from trying to subtract when that's the case (example playground showing Ord::cmp behaviour).

Therefore, Self::grow can only be called by a value that is less than self.backing.len(). The not-a-super-computer argument rules out Self::grow.

Now, let us look at the only use of Self::shrink:

Ordering::Greater => self.shrink(alloc_id, prev_len - self.backing.len())?,

Spoiler, it's from the previous match statement. I'll repeat it here for readability:

        match prev_len.cmp(&self.backing.len()) {
            Ordering::Greater => self.shrink(alloc_id, prev_len - self.backing.len())?,
            Ordering::Less => self.grow(alloc_id, self.backing.len() - prev_len)?,
            Ordering::Equal => {}
        }

The Ord::cmp means that there is no underflow in prev_len - self.backing.len(). If we scroll up a few lines we can see prev_len being instantiated:

let prev_len = self.backing.len();

As long as we believe the match statement prevents underflow, we must believe that the value being provided to Self::shrink is less than self.backing.len(). The not-a-super-computer argument saves us again.

Conclusion

In my analysis, I can't see how it's possible to index self.backing with a value that is longer than it's length.

Although my analysis could be wrong, I also note that we haven't meaningfully modified this code in years and we've never seen this panic before.

Therefore, I am presently concluding that there is an issue with the user's hardware causing some sort of memory or compute corruption.

Last changed by 
Paul Hauner
0
190

Read more

SnowyHitch Panics

https://hackmd.io/Z-kpqUApTHuYWb9N0z35Mw

Aug 7, 2023
Serialization Overview for Ethereum CL Devs

From a CL developer perspective, there are three serialization formats for consensus structures (e.g. BeaconBlock, ExecutionPayload): Format Primary Use Primary Goal Endianness Specs SSZ P2P comms &amp; hashing

Mar 3, 2023
Debugging

Logs: https://drive.google.com/file/d/1M5rcOt_WvilZIUgxabjMrSg7kMtPRBTQ/view What happened to 0x5e060d315a364b3cc84cd3984ddca9792057f853218e9197c3f49104361fb189? Note: This document refers to two blocks: The parent: 1b28 The child: 5e06

Sep 27, 2022
Lighthouse v3.1.0 [DRAFT RELEASE NOTES]

Summary This high-priority release contains an important fix to ensure that Lighthouse does not attempt to produce invalid blocks. Furthermore, it improves block production efficiency, thereby increasing the likelihood of a Lighthouse-produced block being included in (and rewarded by) the canonical chain. We recommend all mainnet users update before the Bellatrix upgrade on Sept 6, 2022, 11:34:47am UTC. Testnet users should upgrade at their next convenience. Notable changes include: Improved handling of offline EEs during sync (#3428) Optimisations to block production (#3312) Improvements to how builder-enabled VCs interact with non-builder BNs (#3488)

Sep 1, 2022
Read more from Paul Hauner
Published on HackMD