Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Class with generic that extends another class causes core dump and unexpected memory issue #50392

Closed
Jtplouffe opened this issue Nov 5, 2022 · 2 comments
Assignees
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. P2 A bug or feature request we're likely to work on

Comments

@Jtplouffe
Copy link

Jtplouffe commented Nov 5, 2022

Issue

There seems to be something wrong when having a class with a generic that extends another class.

The issue describe bellow only happens when compiling and running with machine code (dart compile exe).
Running with JIT (dart run) does not cause any issue.

The core issue originally occurred in a production flutter app compiled in release mode (debug mode does not crash).

The best way to understand the issue is to have a look a this gist (3 different sample):
https://gist.github.com/Jtplouffe/b6db1916e43f0d0c9814eee7995b98d4

This gist has 3 files, with 3 different sample:

crash.dart is a core dumped. The value inside the instantiated object evaluates to null when printed, but when null-checked, acts like a non-null value. When calling methods on this value, dart crashes with the following error:

../../runtime/vm/code_descriptors.cc: 816: error: expected: current_pc_offset <= pc_offset
zsh: IOT instruction (core dumped)  ./bin/main.exe

object_value_becomes_random.dart makes a variable value become random. After creating an object in a factory, with the nested value coming from a switch case, the value is null, until it is returned from the factory, where it becomes random.

object_value_changes.dart: The value of a variable becomes the value assigned in an else branch, which is never entered.

It think all of these samples / results are caused by the same issue. If it is not the case, let my know if I need to create separate issues.

Platforms

Tested on:

  • Linux (Fedora 36), kernel 6.0.5
    • Dart 2.18.4, tested with dart only and with Flutter desktop
  • MacOS (12.5)
    • Dart 2.18.4, tested with dart only and with Flutter desktop
    • Dart 2.19.0-374.0.dev (dev)
  • Android (12, 13)
    • Dart 2.18.4, bundled with flutter 3.3.7
    • Tested on Pixel 5 and 6 (Android 12, 13) and on a Samsung device
  • iOS
    • Dart 2.18.4, bundled with flutter 3.3.7
@lrhn lrhn added the area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. label Nov 7, 2022
@mraleph
Copy link
Member

mraleph commented Nov 7, 2022

@alexmarkov could you take a look?

@a-siva a-siva added P2 A bug or feature request we're likely to work on vm-triaged labels Nov 7, 2022
@alexmarkov
Copy link
Contributor

@Jtplouffe Thank you for the detailed bug report!

This crash and incorrect behavior is caused by an incorrect handling of type parameters inside factory constructors in AOT compiler (in TFA). In the expression value as T?, analysis incorrectly ignored the nullability of type parameter and made the incorrect conclusion that parameter of Model._ constructor and field Model.value are never null, causing incorrect optimizations. The effects you saw are the results of those optimizations. In the 2nd and the 3rd examples the cast as T? is implicit, where dynamic value is passed to Model._ constructor which takes T?.

Fix: https://dart-review.git.corp.google.com/c/sdk/+/268381.

copybara-service bot pushed a commit that referenced this issue Nov 19, 2022
…actory constructors

TFA represents type parameters inside factory constructors as
additional parameters. In a summary, type parameter type is represented
simply as a reference to a parameter. This approach ignores
nullability of a type parameter type, which is not correct.

This change add a new ApplyNullability operation to a summary in order
to apply any extra nullability ('?' or '*') on top of the type argument
passed to a factory constructor.

TEST=pkg/vm/testcases/transformations/type_flow/transformer/regress_50392_nnbd_strong.dart
Fixes #50392

Cherry-pick: https://dart-review.googlesource.com/c/sdk/+/268381
Change-Id: I74080813663fbb7176ad30c0daf9f75de087506b
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/268500
Reviewed-by: Siva Annamalai <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. P2 A bug or feature request we're likely to work on
Projects
None yet
Development

No branches or pull requests

5 participants