Skip to content

CL "[vm/ffi] Stop reifying type argument in Pointer" causes crashes at runtime #50678

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
knopp opened this issue Dec 10, 2022 · 1 comment
Closed

CL "[vm/ffi] Stop reifying type argument in Pointer" causes crashes at runtime #50678

knopp opened this issue Dec 10, 2022 · 1 comment
Assignees
@dcharkes
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. crash Process exits with SIGSEGV, SIGABRT, etc. An unhandled exception is not a crash. library-ffi

Comments

@knopp
Copy link
Contributor

knopp commented Dec 10, 2022
edited
Loading

I noticed crash in super_drag_and_drop during FFI invocation and was able to bisect it to 827d166.

Steps to reproduce (macOS):

  1. Install Rust
  2. Install Melos: dart pub global activate melos
  3. git clone https://github.com/superlistapp/super_native_extensions
  4. cd super_native_extensions/super_drag_and_drop/example/
  5. melos bs
  6. flutter run -d macos --local-engine=host_debug_unopt

Start dragging any of the buttons and the application will crash.

Stacktrace:

Thread 6 Crashed:: io.flutter.ui
0   FlutterMacOS                  	       0x1187a6213 dart::Object::HandleImpl(dart::Zone*, dart::ObjectPtr, long) + 51
1   FlutterMacOS                  	       0x1188c010b dart::Function::FfiCSignatureContainsHandles() const + 123
2   FlutterMacOS                  	       0x118bdd6d0 dart::kernel::ScopeBuilder::BuildScopes() + 3168
3   FlutterMacOS                  	       0x118949e65 dart::ParsedFunction::EnsureKernelScopes() + 69
4   FlutterMacOS                  	       0x118b99455 dart::kernel::StreamingFlowGraphBuilder::ParseKernelASTFunction() + 101
5   FlutterMacOS                  	       0x118b991ee dart::kernel::StreamingFlowGraphBuilder::BuildGraph() + 222
6   FlutterMacOS                  	       0x118bb2c73 dart::kernel::FlowGraphBuilder::BuildGraph() + 115
7   FlutterMacOS                  	       0x118a05ffe dart::DartCompilationPipeline::BuildFlowGraph(dart::Zone*, dart::ParsedFunction*, dart::ZoneGrowableArray<dart::ICData const*>*, long, bool) + 78
8   FlutterMacOS                  	       0x118a07234 dart::CompileParsedFunctionHelper::Compile(dart::CompilationPipeline*) + 1396
9   FlutterMacOS                  	       0x118a07dfe dart::CompileFunctionHelper(dart::CompilationPipeline*, dart::Function const&, bool, long) + 1006
10  FlutterMacOS                  	       0x118a079c9 dart::Compiler::CompileFunction(dart::Thread*, dart::Function const&) + 265
11  FlutterMacOS                  	       0x1188c8f25 dart::Function::EnsureHasCode() const + 85
12  FlutterMacOS                  	       0x118a064d4 dart::DRT_CompileFunction(dart::NativeArguments) + 436
13  ???                           	       0x12f682bc3 ???
14  ???                           	       0x12f682c24 ???
15  ???                           	       0x136e94846 ???
16  ???                           	       0x136e94521 ???

The function pointer inside Function::EnsureHasCode seems to be invalid (it was not created by TrampolineFunction).
@knopp knopp mentioned this issue Dec 10, 2022
Closed
@mkustermann
Copy link
Member

Thank you for the report. We have already identified ine issue for which a fix is on its way.

@dcharkes dcharkes mentioned this issue Dec 12, 2022
Closed
@dcharkes dcharkes added area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. crash Process exits with SIGSEGV, SIGABRT, etc. An unhandled exception is not a crash. library-ffi labels Dec 12, 2022
@dcharkes dcharkes mentioned this issue Dec 12, 2022
Closed
copybara-service bot pushed a commit that referenced this issue Dec 15, 2022
@dcharkes
[beta][vm/ffi] Fix FfiTrampolineData GC bug
bafb34c 
This lets the GC visit FfiTrampolineData::c_signature again.

https://dart-review.googlesource.com/c/sdk/+/272201 stopped adding
FfiTrampolineData::c_signature to snapshots. However, instead of
skipping it manually in app_shapshot.cc, we skipped it in
raw_object.h, which also caused the GC to skip it.
This CL adds it back in as we need it in JIT snapshots. This way we
keep it consistent between AOT/JIT snapshots.

TEST=tests/ffi/regress_b_261224444_test.dart

The c signatures of FFI trampolines were not properly traced in the
precompiler, causing us to hit an assert when the classes mentioned in
those types where only referenced from a signature and not retained
for any other reason.

TEST=tests/ffi/native_assets/process_test.dart (dartkp)

Closes: #50678
Bug: b/261224444
Change-Id: I104089db384224bac429a910787b04fd407b2bb5
Cherry-pick: https://dart-review.googlesource.com/c/sdk/+/274387
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/275060
Reviewed-by: Martin Kustermann <[email protected]>
Commit-Queue: Daco Harkes <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dcharkes dcharkes

Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. crash Process exits with SIGSEGV, SIGABRT, etc. An unhandled exception is not a crash. library-ffi
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@knopp @dcharkes @mkustermann