Dart FFI crashes on ScopeBuilder::LookupVariable

[bsutton]

I'm working on the native_sychronise package to add in timeouts.

The package makes ffi calls into the posix system.

Merging the latest changes from upstream are causing a segfault and the stack trace seems to indicate a dart/ffi issue.

I've tested the code against dart 3.5.0 and 3.4.0 with the same crash occurring.

I've created a branch of the project that will reproduce the issue:

https://github.com/onepub-dev/native_synchronization/tree/ffi-crash

To reproduce the problem run the ' mailbox - timeout' unit test in 'mailbox_test.dart.

The presence of line 148 in mailbox.dart causes the crash.
Simply commenting out this line and the code no longer crashes.

starting isolate
Isolate: started
Mailbox::_takeTimed - enter
Mutex::runLocked: 0:00:02.000000
Mutex: about to call lock
 PosixMutex:Lock - enter
PosixMutex::_timedLock: 0:00:02.000000
1723168023
0
call posiz timed lock
returned from posiz timed lock
PosixMutex::_timedLock: returned
 PosixMutex:Lock - return
Mutex: calling action

===== CRASH =====
si_signo=Segmentation fault(11), si_code=SEGV_MAPERR(1), si_addr=0x20
version=3.5.0 (stable) (Tue Jul 30 02:17:59 2024 -0700) on "linux_x64"
pid=3090829, thread=3090915, isolate_group=main(0x7ca38c027010), isolate=(nil)((nil))
os=linux, arch=x64, comp=no, sim=no
isolate_instructions=55e4af511d00, vm_instructions=55e4af511d00
fp=7ca39cdfb2d0, sp=7ca39cdfb250, pc=55e4af949f3c
  pc 0x000055e4af949f3c fp 0x00007ca39cdfb2d0 dart::kernel::ScopeBuilder::LookupVariable+0x1cc
  pc 0x000055e4af949d2f fp 0x00007ca39cdfb2f0 dart::kernel::ScopeBuilder::VisitVariableGet+0xf
  pc 0x000055e4af94855e fp 0x00007ca39cdfb330 dart::kernel::ScopeBuilder::VisitExpression+0x6ce
  pc 0x000055e4af949978 fp 0x00007ca39cdfb360 dart::kernel::ScopeBuilder::VisitArguments+0x58
  pc 0x000055e4af947f64 fp 0x00007ca39cdfb3a0 dart::kernel::ScopeBuilder::VisitExpression+0xd4
  pc 0x000055e4af948058 fp 0x00007ca39cdfb3e0 dart::kernel::ScopeBuilder::VisitExpression+0x1c8
  pc 0x000055e4af9484f6 fp 0x00007ca39cdfb420 dart::kernel::ScopeBuilder::VisitExpression+0x666
  pc 0x000055e4af949248 fp 0x00007ca39cdfb4d0 dart::kernel::ScopeBuilder::VisitStatement+0x308
  pc 0x000055e4af948faf fp 0x00007ca39cdfb580 dart::kernel::ScopeBuilder::VisitStatement+0x6f
  pc 0x000055e4af949248 fp 0x00007ca39cdfb630 dart::kernel::ScopeBuilder::VisitStatement+0x308
  pc 0x000055e4af948dcb fp 0x00007ca39cdfb6d0 dart::kernel::ScopeBuilder::VisitFunctionNode+0x13b
  pc 0x000055e4af946ccc fp 0x00007ca39cdfb860 dart::kernel::ScopeBuilder::BuildScopes+0xdbc
  pc 0x000055e4af71d828 fp 0x00007ca39cdfbbc0 dart::ParsedFunction::EnsureKernelScopes+0x38
  pc 0x000055e4af911b43 fp 0x00007ca39cdfbbf0 dart::kernel::StreamingFlowGraphBuilder::ParseKernelASTFunction+0x53
  pc 0x000055e4af9119b2 fp 0x00007ca39cdfbc80 dart::kernel::StreamingFlowGraphBuilder::BuildGraph+0xa2
  pc 0x000055e4af9231b5 fp 0x00007ca39cdfbf40 dart::kernel::FlowGraphBuilder::BuildGraph+0x65
  pc 0x000055e4af7a1a60 fp 0x00007ca39cdfc150 dart::DartCompilationPipeline::BuildFlowGraph+0x40
  pc 0x000055e4af7a2aae fp 0x00007ca39cdfc8c0 dart::CompileParsedFunctionHelper::Compile+0x54e
  pc 0x000055e4af7a348e fp 0x00007ca39cdfcfc0 dart::CompileFunctionHelper+0x40e
  pc 0x000055e4af7a305a fp 0x00007ca39cdfd050 dart::Compiler::CompileFunction+0xfa
  pc 0x000055e4af6ce261 fp 0x00007ca39cdfd090 dart::Function::EnsureHasCodeNoThrow+0x41
  pc 0x000055e4af6ce1b4 fp 0x00007ca39cdfd0b0 dart::Function::EnsureHasCode+0x34
  pc 0x000055e4af7a1dc5 fp 0x00007ca39cdfd610 dart::DRT_CompileFunction+0x115
  pc 0x00007ca3b0783093 fp 0x00007ca39cdfd658 Unknown symbol
  pc 0x00007ca3b07830f4 fp 0x00007ca39cdfd688 Unknown symbol
  pc 0x00007ca39c76ffe7 fp 0x00007ca39cdfd720 Unknown symbol
  pc 0x00007ca39c76f94b fp 0x00007ca39cdfd778 Unknown symbol
  pc 0x00007ca39c76f66f fp 0x00007ca39cdfd7d8 Unknown symbol
  pc 0x00007ca39c76f4c0 fp 0x00007ca39cdfd810 Unknown symbol
  pc 0x00007ca39c76f3c6 fp 0x00007ca39cdfd870 Unknown symbol
  pc 0x00007ca39c76eb24 fp 0x00007ca39cdfd8e0 Unknown symbol
  pc 0x00007ca39c76dc80 fp 0x00007ca39cdfd9a8 Unknown symbol
  pc 0x00007ca39c76cfd1 fp 0x00007ca39cdfda40 Unknown symbol
  pc 0x00007ca39c75f454 fp 0x00007ca39cdfda98 Unknown symbol
  pc 0x00007ca39c75d523 fp 0x00007ca39cdfdae8 Unknown symbol
  pc 0x00007ca39d1d6be9 fp 0x00007ca39cdfdb38 Unknown symbol
  pc 0x00007ca39d1ce311 fp 0x00007ca39cdfdbb8 Unknown symbol
  pc 0x00007ca39d1ce197 fp 0x00007ca39cdfdc20 Unknown symbol
  pc 0x00007ca39d1ce023 fp 0x00007ca39cdfdcb8 Unknown symbol
  pc 0x00007ca39d1d68cd fp 0x00007ca39cdfdd08 Unknown symbol
  pc 0x00007ca39d1d65b8 fp 0x00007ca39cdfdd68 Unknown symbol
  pc 0x00007ca39d1d5745 fp 0x00007ca39cdfdde8 Unknown symbol
  pc 0x00007ca39d1d42aa fp 0x00007ca39cdfde30 Unknown symbol
  pc 0x00007ca39c74b1d8 fp 0x00007ca39cdfde78 Unknown symbol
  pc 0x00007ca3b078920e fp 0x00007ca39cdfdea8 Unknown symbol
  pc 0x00007ca39d1d6be9 fp 0x00007ca39cdfdef8 Unknown symbol
  pc 0x00007ca39d1ce311 fp 0x00007ca39cdfdf78 Unknown symbol
  pc 0x00007ca39d1ce197 fp 0x00007ca39cdfdfe0 Unknown symbol
  pc 0x00007ca39d1ce023 fp 0x00007ca39cdfe078 Unknown symbol
  pc 0x00007ca39c75f1c6 fp 0x00007ca39cdfe0c8 Unknown symbol
  pc 0x00007ca39d1bebde fp 0x00007ca39cdfe140 Unknown symbol
  pc 0x00007ca39d1be914 fp 0x00007ca39cdfe1a0 Unknown symbol
  pc 0x00007ca39d1be240 fp 0x00007ca39cdfe230 Unknown symbol
  pc 0x00007ca39d1d3ecb fp 0x00007ca39cdfe2a0 Unknown symbol
  pc 0x00007ca39d1d3db7 fp 0x00007ca39cdfe2e0 Unknown symbol
  pc 0x00007ca39d1d3b57 fp 0x00007ca39cdfe328 Unknown symbol
  pc 0x00007ca39d1d37c2 fp 0x00007ca39cdfe368 Unknown symbol
  pc 0x00007ca39d1d36e3 fp 0x00007ca39cdfe390 Unknown symbol
  pc 0x00007ca39d1cbc39 fp 0x00007ca39cdfe3d0 Unknown symbol
  pc 0x00007ca39c759671 fp 0x00007ca39cdfe450 Unknown symbol
  pc 0x00007ca39c757b4d fp 0x00007ca39cdfe488 Unknown symbol
  pc 0x00007ca39c757876 fp 0x00007ca39cdfe4b8 Unknown symbol
  pc 0x00007ca39d1a1339 fp 0x00007ca39cdfe520 Unknown symbol
  pc 0x00007ca39d1a0230 fp 0x00007ca39cdfe578 Unknown symbol
  pc 0x00007ca3b07834d6 fp 0x00007ca39cdfe5f0 Unknown symbol
  pc 0x000055e4af654505 fp 0x00007ca39cdfe650 dart::DartEntry::InvokeFunction+0x165
  pc 0x000055e4af655ec3 fp 0x00007ca39cdfe690 dart::DartLibraryCalls::HandleMessage+0x123
  pc 0x000055e4af67350f fp 0x00007ca39cdfec20 dart::IsolateMessageHandler::HandleMessage+0x2bf
  pc 0x000055e4af6958da fp 0x00007ca39cdfec90 dart::MessageHandler::HandleMessages+0x11a
  pc 0x000055e4af695cd8 fp 0x00007ca39cdfece0 dart::MessageHandler::TaskCallback+0x1f8
  pc 0x000055e4af792c77 fp 0x00007ca39cdfed60 dart::ThreadPool::WorkerLoop+0x137
  pc 0x000055e4af792f02 fp 0x00007ca39cdfed90 dart::ThreadPool::Worker::Main+0x72
  pc 0x000055e4af71ca36 fp 0x00007ca39cdfee50 dart::ThreadStart+0xd6
-- End of DumpStackTrace
  pc 0x0000000000000000 fp 0x00007ca39cdfd658 sp 0x0000000000000000 [Stub] CallToRuntime
  pc 0x00007ca3b07830f4 fp 0x00007ca39cdfd688 sp 0x00007ca39cdfd668 [Stub] LazyCompile
  pc 0x00007ca39c76ffe7 fp 0x00007ca39cdfd720 sp 0x00007ca39cdfd698 [Unoptimized] Mutex.runLocked
  pc 0x00007ca39c76f94b fp 0x00007ca39cdfd778 sp 0x00007ca39cdfd730 [Unoptimized] Mailbox._takeTimed@19439123
  pc 0x00007ca39c76f66f fp 0x00007ca39cdfd7d8 sp 0x00007ca39cdfd788 [Unoptimized] Mailbox.take
  pc 0x00007ca39c76f4c0 fp 0x00007ca39cdfd810 sp 0x00007ca39cdfd7e8 [Unoptimized] main.<anonymous closure>.<anonymous closure>
  pc 0x00007ca39c76f3c6 fp 0x00007ca39cdfd870 sp 0x00007ca39cdfd820 [Unoptimized] [email protected]:call
  pc 0x00007ca39c76eb24 fp 0x00007ca39cdfd8e0 sp 0x00007ca39cdfd880 [Unoptimized] Throws.matchAsync
  pc 0x00007ca39c76dc80 fp 0x00007ca39cdfd9a8 sp 0x00007ca39cdfd8f0 [Unoptimized] _expect@107346600
  pc 0x00007ca39c76cfd1 fp 0x00007ca39cdfda40 sp 0x00007ca39cdfd9b8 [Unoptimized] expect
  pc 0x00007ca39c75f454 fp 0x00007ca39cdfda98 sp 0x00007ca39cdfda50 [Unoptimized] main.<anonymous closure>
  pc 0x00007ca39c75d523 fp 0x00007ca39cdfdae8 sp 0x00007ca39cdfdaa8 [Unoptimized] Declarer.test.<anonymous closure>.<anonymous closure>
  pc 0x00007ca39d1d6be9 fp 0x00007ca39cdfdb38 sp 0x00007ca39cdfdaf8 [Unoptimized] _SuspendState@[email protected]
  pc 0x00007ca39d1ce311 fp 0x00007ca39cdfdbb8 sp 0x00007ca39cdfdb48 [Unoptimized] _rootRunUnary@4048458
  pc 0x00007ca39d1ce197 fp 0x00007ca39cdfdc20 sp 0x00007ca39cdfdbc8 [Unoptimized] _rootRunUnary@4048458
  pc 0x00007ca39d1ce023 fp 0x00007ca39cdfdcb8 sp 0x00007ca39cdfdc30 [Unoptimized] [email protected]
  pc 0x00007ca39d1d68cd fp 0x00007ca39cdfdd08 sp 0x00007ca39cdfdcc8 [Unoptimized] [email protected]
  pc 0x00007ca39d1d65b8 fp 0x00007ca39cdfdd68 sp 0x00007ca39cdfdd18 [Unoptimized] _Future@[email protected]
  pc 0x00007ca39d1d5745 fp 0x00007ca39cdfdde8 sp 0x00007ca39cdfdd78 [Unoptimized] _Future@4048458._propagateToListeners@4048458
  pc 0x00007ca39d1d42aa fp 0x00007ca39cdfde30 sp 0x00007ca39cdfddf8 [Unoptimized] _Future@4048458._completeWithValue@4048458
  pc 0x00007ca39c74b1d8 fp 0x00007ca39cdfde78 sp 0x00007ca39cdfde40 [Unoptimized] _SuspendState@4048458._returnAsync@4048458
  pc 0x00007ca3b078920e fp 0x00007ca39cdfdea8 sp 0x00007ca39cdfde88 [Stub] ReturnAsync
  pc 0x00007ca39d1d6be9 fp 0x00007ca39cdfdef8 sp 0x00007ca39cdfdeb8 [Unoptimized] _SuspendState@[email protected]
  pc 0x00007ca39d1ce311 fp 0x00007ca39cdfdf78 sp 0x00007ca39cdfdf08 [Unoptimized] _rootRunUnary@4048458
  pc 0x00007ca39d1ce197 fp 0x00007ca39cdfdfe0 sp 0x00007ca39cdfdf88 [Unoptimized] _rootRunUnary@4048458
  pc 0x00007ca39d1ce023 fp 0x00007ca39cdfe078 sp 0x00007ca39cdfdff0 [Unoptimized] [email protected]
  pc 0x00007ca39c75f1c6 fp 0x00007ca39cdfe0c8 sp 0x00007ca39cdfe088 [Unoptimized] _SuspendState@[email protected]
  pc 0x00007ca39d1bebde fp 0x00007ca39cdfe140 sp 0x00007ca39cdfe0d8 [Unoptimized] _rootRun@4048458
  pc 0x00007ca39d1be914 fp 0x00007ca39cdfe1a0 sp 0x00007ca39cdfe150 [Unoptimized] _rootRun@4048458
  pc 0x00007ca39d1be240 fp 0x00007ca39cdfe230 sp 0x00007ca39cdfe1b0 [Unoptimized] [email protected]
  pc 0x00007ca39d1d3ecb fp 0x00007ca39cdfe2a0 sp 0x00007ca39cdfe240 [Unoptimized] [email protected]
  pc 0x00007ca39d1d3db7 fp 0x00007ca39cdfe2e0 sp 0x00007ca39cdfe2b0 [Unoptimized] [email protected].<anonymous closure>
  pc 0x00007ca39d1d3b57 fp 0x00007ca39cdfe328 sp 0x00007ca39cdfe2f0 [Unoptimized] _microtaskLoop@4048458
  pc 0x00007ca39d1d37c2 fp 0x00007ca39cdfe368 sp 0x00007ca39cdfe338 [Unoptimized] _startMicrotaskLoop@4048458
  pc 0x00007ca39d1d36e3 fp 0x00007ca39cdfe390 sp 0x00007ca39cdfe378 [Unoptimized] _startMicrotaskLoop@4048458
  pc 0x00007ca39d1cbc39 fp 0x00007ca39cdfe3d0 sp 0x00007ca39cdfe3a0 [Unoptimized] _runPendingImmediateCallback@1026248
  pc 0x00007ca39c759671 fp 0x00007ca39cdfe450 sp 0x00007ca39cdfe3e0 [Unoptimized] _Timer@1026248._runTimers@1026248
  pc 0x00007ca39c757b4d fp 0x00007ca39cdfe488 sp 0x00007ca39cdfe460 [Unoptimized] _Timer@1026248._handleMessage@1026248
  pc 0x00007ca39c757876 fp 0x00007ca39cdfe4b8 sp 0x00007ca39cdfe498 [Unoptimized] _Timer@1026248._handleMessage@1026248
  pc 0x00007ca39d1a1339 fp 0x00007ca39cdfe520 sp 0x00007ca39cdfe4c8 [Unoptimized] [email protected]:call
  pc 0x00007ca39d1a0230 fp 0x00007ca39cdfe578 sp 0x00007ca39cdfe530 [Unoptimized] _RawReceivePort@1026248._handleMessage@1026248
  pc 0x00007ca3b07834d6 fp 0x00007ca39cdfe5f0 sp 0x00007ca39cdfe588 [Stub] InvokeDartCode
=== Crash occurred when compiling package:native_synchronization/mailbox.dart_Mailbox__takeTimed@19439123_<anonymous closure> in unoptimized JIT mode in unknown pass
=== Flow Graph not available

Exited (-6).

[dart-github-bot]

Summary: The native_synchronise package crashes when making FFI calls to the POSIX system, specifically when using the ScopeBuilder::LookupVariable function. The crash occurs on Dart versions 3.5.0 and 3.4.0, and can be reproduced by running the mailbox - timeout unit test in mailbox_test.dart.

[bsutton]

edit the stack trace to include the full trace.

[dcharkes]

@bsutton Thanks for the repro! I can reproduce this locally.

(off-topic: Don't use Finalizers for freeing native memory. They are not guaranteed to be run on isolate shutdown. Instead use NativeFinalizers. If you need to free more than one thing: write a helper function in C to free both things in one go.)

Ingredients for small repro: Finalizable, named arguments, and a throw.

[mraleph]

(off-topic: the person who have written those Finalizers is fully aware. cause that person is me - this is a pure Dart package so it is waiting for native assets to ship to migrate to NativeFinalizer)

[dcharkes]

(off-topic: 🤣 I had an eerie was feeling Mutex was looking so familiar, but I didn't put one and one together.)

[mraleph]

Any news on this issue @dcharkes?

[dcharkes]

I have a minimal example repro. And I believe the bug is in the scope builder (the minimal repro sails through the scope builder and crashes later), but I need to reverse engineer what the scopes should be.

[bsutton]

Do we know what version of dart this will be published in?

Is it likely to be back ported to prior dart versions?

[dcharkes]

Do we know what version of dart this will be published in?

Version 3.6.0-173.0.dev (or later)

Is it likely to be back ported to prior dart versions?

The chance of hitting these bugs is quite small, using a named argument in earlier position, nested functions, and finalizable in a single repro. I doubt anyone else is hit by this.

Are you in need of a cherry pick for stable or can you use Dart dev / Flutter master @bsutton?

[bsutton]

I use the package in dcli which has a reasonable sized user base. Popularity on pub.dev of 94%

…

On Mon, 26 Aug 2024, 5:58 pm Daco Harkes, ***@***.***> wrote: Do we know what version of dart this will be published in? Version 3.6.0-173.0.dev (or later) Is it likely to be back ported to prior dart versions? The chance of hitting these bugs is quite small, using a named argument in earlier position, nested functions, and finalizable in a single repro. I doubt anyone else is hit by this. Are you in need of a cherry pick for stable or can you use Dart dev / Flutter master @bsutton <https://github.com/bsutton>? — Reply to this email directly, view it on GitHub <#56412 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAG32OETXCNXBXWOA3Y2GMLZTLNZHAVCNFSM6AAAAABMHSJSE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMBZGU4DKMBVGI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[dcharkes]

Is it likely to be back ported to prior dart versions?

@mraleph Any opinions? I can create a cherry pick if we want to get this in to 3.5.