EXC_BAD_ACCESS in ScavengerVisitorBase<true>::ProcessRoots #48843

Closed
blaugold opened this issue Apr 20, 2022 · 17 comments
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends.

Comments

@blaugold
Contributor

blaugold commented Apr 20, 2022

I recently started experimenting with using Finalizer and I am now seeing crashes on iOS and macOS that seem to be GC related. I have not tested other platforms. The included back traces are from an iPhone 8.
The crashes occur during a benchmark where thousands of objects per second are created, then attached to a Finalizer and become quickly unreachable again.

Back traces of the two threads performing GC:

  thread #28, name = 'DartWorker'
    frame #0: 0x0000000104e26328 Flutter`dart::ScavengerVisitorBase<true>::VisitCompressedPointers(unsigned long, dart::CompressedObjectPtr*, dart::CompressedObjectPtr*) + 148
    frame #1: 0x0000000104e25448 Flutter`dart::ScavengerVisitorBase<true>::ProcessSurvivors() + 336
    frame #2: 0x0000000104e24290 Flutter`dart::ParallelScavengerTask::RunEnteredIsolateGroup() + 156
    frame #3: 0x0000000104e22758 Flutter`dart::Scavenger::Scavenge(dart::GCReason) + 1576
    frame #4: 0x0000000104e10618 Flutter`dart::Heap::CollectNewSpaceGarbage(dart::Thread*, dart::GCReason) + 528
    frame #5: 0x0000000104d1eba8 Flutter`dart::Object::Allocate(long, long, dart::Heap::Space, bool) + 1492
    frame #6: 0x0000000104ce8570 Flutter`dart::IsolateMessageHandler::HandleMessage(std::__1::unique_ptr<dart::Message, std::__1::default_delete<dart::Message> >) + 2212
    frame #7: 0x0000000104cfd3e8 Flutter`dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool) + 576
    frame #8: 0x0000000104cfce90 Flutter`dart::MessageHandlerTask::Run() + 616
    frame #9: 0x0000000104dfdd14 Flutter`dart::ThreadPool::Worker::Main(unsigned long) + 400
    frame #10: 0x0000000104d873e8 Flutter`dart::ThreadStart(void*) + 288
    frame #11: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116

* thread #31, name = 'DartWorker', stop reason = EXC_BAD_ACCESS (code=2, address=0x121fb8920)
  * frame #0: 0x0000000104e24f88 Flutter`dart::ScavengerVisitorBase<true>::ProcessRoots() + 756
    frame #1: 0x0000000104e24270 Flutter`dart::ParallelScavengerTask::RunEnteredIsolateGroup() + 124
    frame #2: 0x0000000104e267bc Flutter`dart::ParallelScavengerTask::Run() + 224
    frame #3: 0x0000000104dfdd14 Flutter`dart::ThreadPool::Worker::Main(unsigned long) + 400
    frame #4: 0x0000000104d873e8 Flutter`dart::ThreadStart(void*) + 288
    frame #5: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
Back traces of all threads
(lldb) bt all
  thread #1, queue = 'com.apple.main-thread'
    frame #0: 0x00000001bb537aac libsystem_kernel.dylib`mach_msg_trap + 8
    frame #1: 0x00000001bb53807c libsystem_kernel.dylib`mach_msg + 72
    frame #2: 0x0000000180d63768 CoreFoundation`__CFRunLoopServiceMachPort + 368
    frame #3: 0x0000000180d67a70 CoreFoundation`__CFRunLoopRun + 1160
    frame #4: 0x0000000180d7ac30 CoreFoundation`CFRunLoopRunSpecific + 572
    frame #5: 0x00000001a1795988 GraphicsServices`GSEventRunModal + 160
    frame #6: 0x0000000183575c50 UIKitCore`-[UIApplication _run] + 1080
    frame #7: 0x000000018330f3d0 UIKitCore`UIApplicationMain + 336
    frame #8: 0x000000010075f26c Runner`main at AppDelegate.swift:5:13 [opt]
    frame #9: 0x00000001007d03d0 dyld`start + 444
  thread #5, name = 'com.apple.uikit.eventfetch-thread'
    frame #0: 0x00000001bb537aac libsystem_kernel.dylib`mach_msg_trap + 8
    frame #1: 0x00000001bb53807c libsystem_kernel.dylib`mach_msg + 72
    frame #2: 0x0000000180d63768 CoreFoundation`__CFRunLoopServiceMachPort + 368
    frame #3: 0x0000000180d67a70 CoreFoundation`__CFRunLoopRun + 1160
    frame #4: 0x0000000180d7ac30 CoreFoundation`CFRunLoopRunSpecific + 572
    frame #5: 0x0000000182483eac Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 232
    frame #6: 0x00000001824c2e90 Foundation`-[NSRunLoop(NSRunLoop) runUntilDate:] + 88
    frame #7: 0x00000001834f50a0 UIKitCore`-[UIEventFetcher threadMain] + 512
    frame #8: 0x00000001824d0d2c Foundation`__NSThread__start__ + 792
    frame #9: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #9, name = 'io.flutter.1.ui'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee4860 libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1224
    frame #2: 0x0000000104e20a6c Flutter`dart::SafepointHandler::BlockForSafepoint(dart::Thread*) + 220
    frame #3: 0x0000000104dc17d8 Flutter`dart::DRT_InstantiateTypeArguments(dart::NativeArguments) + 176
    frame #4: 0x00000001077baa28 App`Stub_CallToRuntime + 92
  thread #10, name = 'io.flutter.1.raster'
    frame #0: 0x00000001bb537aac libsystem_kernel.dylib`mach_msg_trap + 8
    frame #1: 0x00000001bb53807c libsystem_kernel.dylib`mach_msg + 72
    frame #2: 0x0000000180d63768 CoreFoundation`__CFRunLoopServiceMachPort + 368
    frame #3: 0x0000000180d67a70 CoreFoundation`__CFRunLoopRun + 1160
    frame #4: 0x0000000180d7ac30 CoreFoundation`CFRunLoopRunSpecific + 572
    frame #5: 0x0000000104a35078 Flutter`fml::MessageLoopDarwin::Run() + 88
    frame #6: 0x0000000104a34134 Flutter`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fml::Thread::Thread(std::__1::function<void (fml::Thread::ThreadConfig const&)> const&, fml::Thread::ThreadConfig const&)::$_0> >(void*) + 208
    frame #7: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #11, name = 'io.flutter.1.io'
    frame #0: 0x00000001bb537aac libsystem_kernel.dylib`mach_msg_trap + 8
    frame #1: 0x00000001bb53807c libsystem_kernel.dylib`mach_msg + 72
    frame #2: 0x0000000180d63768 CoreFoundation`__CFRunLoopServiceMachPort + 368
    frame #3: 0x0000000180d67a70 CoreFoundation`__CFRunLoopRun + 1160
    frame #4: 0x0000000180d7ac30 CoreFoundation`CFRunLoopRunSpecific + 572
    frame #5: 0x0000000104a35078 Flutter`fml::MessageLoopDarwin::Run() + 88
    frame #6: 0x0000000104a34134 Flutter`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fml::Thread::Thread(std::__1::function<void (fml::Thread::ThreadConfig const&)> const&, fml::Thread::ThreadConfig const&)::$_0> >(void*) + 208
    frame #7: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #12, name = 'io.flutter.1.profiler'
    frame #0: 0x00000001bb537aac libsystem_kernel.dylib`mach_msg_trap + 8
    frame #1: 0x00000001bb53807c libsystem_kernel.dylib`mach_msg + 72
    frame #2: 0x0000000180d63768 CoreFoundation`__CFRunLoopServiceMachPort + 368
    frame #3: 0x0000000180d67a70 CoreFoundation`__CFRunLoopRun + 1160
    frame #4: 0x0000000180d7ac30 CoreFoundation`CFRunLoopRunSpecific + 572
    frame #5: 0x0000000104a35078 Flutter`fml::MessageLoopDarwin::Run() + 88
    frame #6: 0x0000000104a34134 Flutter`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fml::Thread::Thread(std::__1::function<void (fml::Thread::ThreadConfig const&)> const&, fml::Thread::ThreadConfig const&)::$_0> >(void*) + 208
    frame #7: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #13, name = 'io.worker.1'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee4860 libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1224
    frame #2: 0x00000001985c289c libc++.1.dylib`std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 24
    frame #3: 0x0000000104a2ed2c Flutter`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fml::ConcurrentMessageLoop::ConcurrentMessageLoop(unsigned long)::$_0> >(void*) + 316
    frame #4: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #14, name = 'io.worker.2'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee4860 libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1224
    frame #2: 0x00000001985c289c libc++.1.dylib`std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 24
    frame #3: 0x0000000104a2ed2c Flutter`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fml::ConcurrentMessageLoop::ConcurrentMessageLoop(unsigned long)::$_0> >(void*) + 316
    frame #4: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #15, name = 'io.worker.3'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee4860 libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1224
    frame #2: 0x00000001985c289c libc++.1.dylib`std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 24
    frame #3: 0x0000000104a2ed2c Flutter`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fml::ConcurrentMessageLoop::ConcurrentMessageLoop(unsigned long)::$_0> >(void*) + 316
    frame #4: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #16, name = 'io.worker.4'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee4860 libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1224
    frame #2: 0x00000001985c289c libc++.1.dylib`std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 24
    frame #3: 0x0000000104a2ed2c Flutter`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fml::ConcurrentMessageLoop::ConcurrentMessageLoop(unsigned long)::$_0> >(void*) + 316
    frame #4: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #17, name = 'io.worker.5'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee4860 libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1224
    frame #2: 0x00000001985c289c libc++.1.dylib`std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 24
    frame #3: 0x0000000104a2ed2c Flutter`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fml::ConcurrentMessageLoop::ConcurrentMessageLoop(unsigned long)::$_0> >(void*) + 316
    frame #4: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #18, name = 'io.worker.6'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee4860 libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1224
    frame #2: 0x00000001985c289c libc++.1.dylib`std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 24
    frame #3: 0x0000000104a2ed2c Flutter`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fml::ConcurrentMessageLoop::ConcurrentMessageLoop(unsigned long)::$_0> >(void*) + 316
    frame #4: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #19, name = 'dart:io EventHandler'
    frame #0: 0x00000001bb539294 libsystem_kernel.dylib`kevent + 8
    frame #1: 0x0000000104c17a90 Flutter`dart::bin::EventHandlerImplementation::EventHandlerEntry(unsigned long) + 436
    frame #2: 0x0000000104c49460 Flutter`dart::bin::ThreadStart(void*) + 44
    frame #3: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #25, name = 'DartWorker'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee488c libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1268
    frame #2: 0x0000000104d87a60 Flutter`dart::Monitor::WaitMicros(long long) + 128
    frame #3: 0x0000000104dfde2c Flutter`dart::ThreadPool::Worker::Main(unsigned long) + 680
    frame #4: 0x0000000104d873e8 Flutter`dart::ThreadStart(void*) + 288
    frame #5: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #26, name = 'DartWorker'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee488c libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1268
    frame #2: 0x0000000104d87a60 Flutter`dart::Monitor::WaitMicros(long long) + 128
    frame #3: 0x0000000104ceb48c Flutter`dart::MutatorThreadPool::OnEnterIdleLocked(dart::MonitorLocker*) + 384
    frame #4: 0x0000000104dfde6c Flutter`dart::ThreadPool::Worker::Main(unsigned long) + 744
    frame #5: 0x0000000104d873e8 Flutter`dart::ThreadStart(void*) + 288
    frame #6: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #28, name = 'DartWorker'
    frame #0: 0x0000000104e26328 Flutter`dart::ScavengerVisitorBase<true>::VisitCompressedPointers(unsigned long, dart::CompressedObjectPtr*, dart::CompressedObjectPtr*) + 148
    frame #1: 0x0000000104e25448 Flutter`dart::ScavengerVisitorBase<true>::ProcessSurvivors() + 336
    frame #2: 0x0000000104e24290 Flutter`dart::ParallelScavengerTask::RunEnteredIsolateGroup() + 156
    frame #3: 0x0000000104e22758 Flutter`dart::Scavenger::Scavenge(dart::GCReason) + 1576
    frame #4: 0x0000000104e10618 Flutter`dart::Heap::CollectNewSpaceGarbage(dart::Thread*, dart::GCReason) + 528
    frame #5: 0x0000000104d1eba8 Flutter`dart::Object::Allocate(long, long, dart::Heap::Space, bool) + 1492
    frame #6: 0x0000000104ce8570 Flutter`dart::IsolateMessageHandler::HandleMessage(std::__1::unique_ptr<dart::Message, std::__1::default_delete<dart::Message> >) + 2212
    frame #7: 0x0000000104cfd3e8 Flutter`dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool) + 576
    frame #8: 0x0000000104cfce90 Flutter`dart::MessageHandlerTask::Run() + 616
    frame #9: 0x0000000104dfdd14 Flutter`dart::ThreadPool::Worker::Main(unsigned long) + 400
    frame #10: 0x0000000104d873e8 Flutter`dart::ThreadStart(void*) + 288
    frame #11: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #29, name = 'DartWorker'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee488c libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1268
    frame #2: 0x0000000104d87a60 Flutter`dart::Monitor::WaitMicros(long long) + 128
    frame #3: 0x0000000104dfde2c Flutter`dart::ThreadPool::Worker::Main(unsigned long) + 680
    frame #4: 0x0000000104d873e8 Flutter`dart::ThreadStart(void*) + 288
    frame #5: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
* thread #31, name = 'DartWorker', stop reason = EXC_BAD_ACCESS (code=2, address=0x121fb8920)
  * frame #0: 0x0000000104e24f88 Flutter`dart::ScavengerVisitorBase<true>::ProcessRoots() + 756
    frame #1: 0x0000000104e24270 Flutter`dart::ParallelScavengerTask::RunEnteredIsolateGroup() + 124
    frame #2: 0x0000000104e267bc Flutter`dart::ParallelScavengerTask::Run() + 224
    frame #3: 0x0000000104dfdd14 Flutter`dart::ThreadPool::Worker::Main(unsigned long) + 400
    frame #4: 0x0000000104d873e8 Flutter`dart::ThreadStart(void*) + 288
    frame #5: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #40
    frame #0: 0x00000001bb538014 libsystem_kernel.dylib`__workq_kernreturn + 8
  thread #45, name = 'DartWorker'
    frame #0: 0x00000001bb538484 libsystem_kernel.dylib`__psynch_cvwait + 8
    frame #1: 0x00000001dbee488c libsystem_pthread.dylib`_pthread_cond_wait$VARIANT$armv81 + 1268
    frame #2: 0x0000000104d87a60 Flutter`dart::Monitor::WaitMicros(long long) + 128
    frame #3: 0x0000000104dfde2c Flutter`dart::ThreadPool::Worker::Main(unsigned long) + 680
    frame #4: 0x0000000104d873e8 Flutter`dart::ThreadStart(void*) + 288
    frame #5: 0x00000001dbee5348 libsystem_pthread.dylib`_pthread_start + 116
  thread #46
    frame #0: 0x00000001bb538014 libsystem_kernel.dylib`__workq_kernreturn + 8
  thread #47
    frame #0: 0x0000000000000000
Flutter 2.13.0-0.0.pre.618 • channel master • https://github.com/flutter/flutter.git
Framework • revision ef5a6da35a (24 hours ago) • 2022-04-19 19:19:08 +0800
Engine • revision acd27a4b58
Tools • Dart 2.18.0 (build 2.18.0-30.0.dev) • DevTools 2.12.2

Update
I was able to capture this back trace on macOS:

../../third_party/dart/runtime/vm/raw_object.cc: 348: error: Invalid cid: 0, obj: 0x134d06cd0, tags: 10. Corrupt heap?
version=2.18.0-30.0.dev (dev) (Mon Apr 18 01:06:35 2022 -0700) on "macos_arm64"
pid=36641, thread=74099, isolate_group=main(0x11600a200), isolate=(nil)(0x0)
isolate_instructions=1113e9250, vm_instructions=1113e4800
  pc 0x0000000109668cd8 fp 0x000000016c0a1b00 dart::Profiler::DumpStackTrace(void*)+0x90
  pc 0x0000000109572030 fp 0x000000016c0a1b20 dart::Assert::Fail(char const*, ...) const+0x28
  pc 0x00000001096747cc fp 0x000000016c0a1b70 dart::UntaggedObject::VisitPointersPredefined(dart::ObjectPointerVisitor*, long)+0x69c
  pc 0x00000001096fc920 fp 0x000000016c0a1c30 void dart::Scavenger::IterateStoreBuffers<true>(dart::ScavengerVisitorBase<true>*)+0xcc
  pc 0x00000001096fc7ec fp 0x000000016c0a1cd0 void dart::Scavenger::IterateRoots<true>(dart::ScavengerVisitorBase<true>*)+0x144
  pc 0x00000001096fc270 fp 0x000000016c0a1e00 dart::ScavengerVisitorBase<true>::ProcessRoots()+0xa8
  pc 0x00000001096face8 fp 0x000000016c0a1eb0 dart::ParallelScavengerTask::RunEnteredIsolateGroup()+0x68
  pc 0x00000001096fa354 fp 0x000000016c0a1f80 dart::Scavenger::ParallelScavenge(dart::SemiSpace*)+0x1ec
  pc 0x00000001096f9dfc fp 0x000000016c0a2090 dart::Scavenger::Scavenge(dart::GCReason)+0x188
  pc 0x00000001096e7e6c fp 0x000000016c0a21a0 dart::Heap::CollectNewSpaceGarbage(dart::Thread*, dart::GCReason)+0x1a0
  pc 0x00000001096e726c fp 0x000000016c0a21e0 dart::Heap::AllocateNew(long)+0x15c
  pc 0x00000001095f9d34 fp 0x000000016c0a2240 dart::Object::Allocate(long, long, dart::Heap::Space, bool)+0x64
  pc 0x000000010969e330 fp 0x000000016c0a2300 dart::DRT_AllocateObject(dart::NativeArguments)+0x168
  pc 0x00000001113e6ef0 fp 0x000000016c0a2330 Stub_CallToRuntime+0x5c
  pc 0x00000001113e70dc fp 0x000000016c0a2358 Stub_AllocateObjectSlow+0x30
  pc 0x00000001117706c8 fp 0x000000016c0a2370 ListBaseoperator_andObjectoperator_andListMixin.skip_16078+0x24
  pc 0x00000001116b638c fp 0x000000016c0a23a0 IsolatePacketCodec.decodePacket_12680+0xe4
  pc 0x00000001118189a4 fp 0x000000016c0a23d8 Decoder.convert_19171+0x2c
  pc 0x00000001116b6490 fp 0x000000016c0a23f8 Decoder.convert_12683+0x2c
  pc 0x000000011182d3b8 fp 0x000000016c0a2420 ChunkConversionSinkTransformer.add_19379+0x40
  pc 0x000000011182d458 fp 0x000000016c0a2440 ConverterStreamEventSink.add_19380+0x64
  pc 0x00000001116a4bb0 fp 0x000000016c0a2498 SinkTransformerStreamSubscription._handleData_12356+0x74
  pc 0x00000001116a4c28 fp 0x000000016c0a24b8 SinkTransformerStreamSubscription._handleData_12357+0x2c
  pc 0x000000011187152c fp 0x000000016c0a2528 RootZone.runUnaryGuarded_20525+0x84
  pc 0x00000001118619bc fp 0x000000016c0a2568 BufferingStreamSubscription._sendData_20207+0xb4
  pc 0x0000000111801c98 fp 0x000000016c0a2590 BufferingStreamSubscription._add_18731+0x90
  pc 0x0000000111801a30 fp 0x000000016c0a25c0 StreamController._add_18728+0x98
  pc 0x000000011182bb8c fp 0x000000016c0a25e0 StreamController.add_19339+0x5c
  pc 0x00000001114709bc fp 0x000000016c0a2600 StreamController.add_2657+0x2c
  pc 0x000000011187152c fp 0x000000016c0a2670 RootZone.runUnaryGuarded_20525+0x84
  pc 0x00000001118619bc fp 0x000000016c0a26b0 BufferingStreamSubscription._sendData_20207+0xb4
  pc 0x0000000111801c98 fp 0x000000016c0a26d8 BufferingStreamSubscription._add_18731+0x90
  pc 0x0000000111801a30 fp 0x000000016c0a2708 StreamController._add_18728+0x98
  pc 0x000000011182bb8c fp 0x000000016c0a2728 StreamController.add_19339+0x5c
  pc 0x000000011182bd70 fp 0x000000016c0a2748 StreamSinkWrapper.add_19347+0x58
  pc 0x00000001116c57e0 fp 0x000000016c0a2768 StreamSinkWrapper.add_12991+0x2c
  pc 0x000000011187152c fp 0x000000016c0a27d8 RootZone.runUnaryGuarded_20525+0x84
  pc 0x00000001116bf650 fp 0x000000016c0a2868 CastStreamSubscription._onData_12855+0xf8
  pc 0x00000001116bf808 fp 0x000000016c0a2888 CastStreamSubscription._onData_12856+0x2c
  pc 0x000000011187152c fp 0x000000016c0a28f8 RootZone.runUnaryGuarded_20525+0x84
  pc 0x00000001118619bc fp 0x000000016c0a2938 BufferingStreamSubscription._sendData_20207+0xb4
  pc 0x0000000111801c98 fp 0x000000016c0a2960 BufferingStreamSubscription._add_18731+0x90
  pc 0x0000000111801a30 fp 0x000000016c0a2990 StreamController._add_18728+0x98
  pc 0x000000011182bb8c fp 0x000000016c0a29b0 StreamController.add_19339+0x5c
  pc 0x00000001114709bc fp 0x000000016c0a29d0 StreamController.add_2657+0x2c
  pc 0x00000001118d177c fp 0x000000016c0a2a40 Closure.call_22531+0x2b8
  pc 0x00000001116b4ae0 fp 0x000000016c0a2a68 RawReceivePortImpl._handleMessage_12618+0xd4
  pc 0x00000001113e6b28 fp 0x000000016c0a2b40 Stub_InvokeDartCode+0xdc
  pc 0x00000001095ae9e4 fp 0x000000016c0a2be0 dart::DartEntry::InvokeCode(dart::Code const&, unsigned long, dart::Array const&, dart::Array const&, dart::Thread*)+0x118
  pc 0x00000001095ae830 fp 0x000000016c0a2c30 dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long)+0xe0
  pc 0x00000001095b134c fp 0x000000016c0a2c80 dart::DartLibraryCalls::HandleMessage(long long, dart::Instance const&)+0x144
  pc 0x00000001095c6ee0 fp 0x000000016c0a2d70 dart::IsolateMessageHandler::HandleMessage(std::__1::unique_ptr<dart::Message, std::__1::default_delete<dart::Message> >)+0x284
  pc 0x00000001095d58e4 fp 0x000000016c0a2df0 dart::MessageHandler::HandleMessages(dart::MonitorLocker*, bool, bool)+0x148
  pc 0x00000001095d6020 fp 0x000000016c0a2e60 dart::MessageHandler::TaskCallback()+0x208
  pc 0x00000001096cf6e4 fp 0x000000016c0a2f10 dart::ThreadPool::WorkerLoop(dart::ThreadPool::Worker*)+0x114
  pc 0x00000001096cfabc fp 0x000000016c0a2f50 dart::ThreadPool::Worker::Main(unsigned long)+0x8c
  pc 0x0000000109666240 fp 0x000000016c0a2fc0 dart::ThreadStart(void*)+0xb4
  pc 0x00000001b0cba26c fp 0x000000016c0a2fe0 _pthread_start+0x94
-- End of DumpStackTrace
  pc 0x0000000000000000 fp 0x000000016c0a2330 sp 0x0000000000000000 [Optimized] 2284077056
  pc 0x00000001113e70dc fp 0x000000016c0a2358 sp 0x000000016c0a2340 [Stub] AllocateObjectSlow
  pc 0x00000001117706c8 fp 0x000000016c0a2370 sp 0x000000016c0a2368 [Optimized] _ListBase&Object&ListMixin@3220832.skip
  pc 0x00000001116b638c fp 0x000000016c0a23a0 sp 0x000000016c0a2380 [Optimized] IsolatePacketCodec.decodePacket
  pc 0x00000001118189a4 fp 0x000000016c0a23d8 sp 0x000000016c0a23b0 [Optimized] _Decoder@265405626.convert
  pc 0x00000001116b6490 fp 0x000000016c0a23f8 sp 0x000000016c0a23e8 [Optimized] _Decoder@265405626.convert
  pc 0x000000011182d3b8 fp 0x000000016c0a2420 sp 0x000000016c0a2408 [Optimized] _ChunkConversionSinkTransformer@265405626.add
  pc 0x000000011182d458 fp 0x000000016c0a2440 sp 0x000000016c0a2430 [Optimized] _ConverterStreamEventSink@10003594.add
  pc 0x00000001116a4bb0 fp 0x000000016c0a2498 sp 0x000000016c0a2450 [Optimized] _SinkTransformerStreamSubscription@4048458._handleData@4048458
  pc 0x00000001116a4c28 fp 0x000000016c0a24b8 sp 0x000000016c0a24a8 [Optimized] _SinkTransformerStreamSubscription@4048458._handleData@4048458
  pc 0x000000011187152c fp 0x000000016c0a2528 sp 0x000000016c0a24c8 [Optimized] _RootZone@4048458.runUnaryGuarded
  pc 0x00000001118619bc fp 0x000000016c0a2568 sp 0x000000016c0a2538 [Optimized] _BufferingStreamSubscription@4048458._sendData@4048458
  pc 0x0000000111801c98 fp 0x000000016c0a2590 sp 0x000000016c0a2578 [Optimized] _BufferingStreamSubscription@4048458._add@4048458
  pc 0x0000000111801a30 fp 0x000000016c0a25c0 sp 0x000000016c0a25a0 [Optimized] _StreamController@4048458._add@4048458
  pc 0x000000011182bb8c fp 0x000000016c0a25e0 sp 0x000000016c0a25d0 [Optimized] _StreamController@4048458.add
  pc 0x00000001114709bc fp 0x000000016c0a2600 sp 0x000000016c0a25f0 [Optimized] _StreamController@4048458.add
  pc 0x000000011187152c fp 0x000000016c0a2670 sp 0x000000016c0a2610 [Optimized] _RootZone@4048458.runUnaryGuarded
  pc 0x00000001118619bc fp 0x000000016c0a26b0 sp 0x000000016c0a2680 [Optimized] _BufferingStreamSubscription@4048458._sendData@4048458
  pc 0x0000000111801c98 fp 0x000000016c0a26d8 sp 0x000000016c0a26c0 [Optimized] _BufferingStreamSubscription@4048458._add@4048458
  pc 0x0000000111801a30 fp 0x000000016c0a2708 sp 0x000000016c0a26e8 [Optimized] _StreamController@4048458._add@4048458
  pc 0x000000011182bb8c fp 0x000000016c0a2728 sp 0x000000016c0a2718 [Optimized] _StreamController@4048458.add
  pc 0x000000011182bd70 fp 0x000000016c0a2748 sp 0x000000016c0a2738 [Optimized] _StreamSinkWrapper@4048458.add
  pc 0x00000001116c57e0 fp 0x000000016c0a2768 sp 0x000000016c0a2758 [Optimized] _StreamSinkWrapper@4048458.add
  pc 0x000000011187152c fp 0x000000016c0a27d8 sp 0x000000016c0a2778 [Optimized] _RootZone@4048458.runUnaryGuarded
  pc 0x00000001116bf650 fp 0x000000016c0a2868 sp 0x000000016c0a27e8 [Optimized] CastStreamSubscription._onData@9040228
  pc 0x00000001116bf808 fp 0x000000016c0a2888 sp 0x000000016c0a2878 [Optimized] CastStreamSubscription._onData@9040228
  pc 0x000000011187152c fp 0x000000016c0a28f8 sp 0x000000016c0a2898 [Optimized] _RootZone@4048458.runUnaryGuarded
  pc 0x00000001118619bc fp 0x000000016c0a2938 sp 0x000000016c0a2908 [Optimized] _BufferingStreamSubscription@4048458._sendData@4048458
  pc 0x0000000111801c98 fp 0x000000016c0a2960 sp 0x000000016c0a2948 [Optimized] _BufferingStreamSubscription@4048458._add@4048458
  pc 0x0000000111801a30 fp 0x000000016c0a2990 sp 0x000000016c0a2970 [Optimized] _StreamController@4048458._add@4048458
  pc 0x000000011182bb8c fp 0x000000016c0a29b0 sp 0x000000016c0a29a0 [Optimized] _StreamController@4048458.add
  pc 0x00000001114709bc fp 0x000000016c0a29d0 sp 0x000000016c0a29c0 [Optimized] _StreamController@4048458.add
  pc 0x00000001118d177c fp 0x000000016c0a2a40 sp 0x000000016c0a29e0 [Optimized] _Closure@0150898.dyn:call
  pc 0x00000001116b4ae0 fp 0x000000016c0a2a68 sp 0x000000016c0a2a50 [Optimized] _RawReceivePortImpl@1026248._handleMessage@1026248
  pc 0x00000001113e6b28 fp 0x000000016c0a2b40 sp 0x000000016c0a2a78 [Stub] InvokeDartCode
@mraleph
Member

mraleph commented Apr 20, 2022

Seems like corrupt heap. Possible bug in Finalizer implementation. Can you try to reduce your code to some reproduction that you could share with us?

/cc @dcharkes @rmacnak-google

@mraleph mraleph added the area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. label Apr 20, 2022
@blaugold
Contributor Author

blaugold commented Apr 20, 2022

It's all open-source, so I can share the exact setup to reproduce this.

  1. Clone the repo and start the app:
git clone https://github.com/blaugold/embedded_db_benchmark --depth 1 -b gc-crash-repro
cd embedded_db_benchmark/packages/app
flutter pub get
flutter run -d macos --profile
  2. Once the app is running, start the benchmarks by clicking on the play button. Usually, the app crashes before all benchmarks are done.

If there is too much going on, I can try to find a simpler setup.

@dcharkes
Contributor

dcharkes commented Apr 20, 2022

I can reproduce this with multiple tries:

../../third_party/dart/runtime/vm/raw_object.cc: 348: error: Invalid cid: 0, obj: 0x11aa23e30, tags: 10. Corrupt heap?
version=2.17.0-266.1.beta (beta) (Mon Apr 11 14:05:54 2022 +0200) on "macos_x64"
pid=59775, thread=67891, isolate_group=main(0x7fd2c801fa00), isolate=(nil)(0x0)
isolate_instructions=111409700, vm_instructions=1114055c0
  pc 0x00000001094b40c5 fp 0x0000700003326a90 dart::Profiler::DumpStackTrace(void*)+0x85
  pc 0x00000001093bd1f4 fp 0x0000700003326b70 dart::Assert::Fail(char const*, ...) const+0x84
  pc 0x00000001094c005b fp 0x0000700003326ba0 dart::UntaggedObject::VisitPointersPredefined(dart::ObjectPointerVisitor*, long)+0x5cb
  pc 0x000000010954927f fp 0x0000700003326c40 void dart::Scavenger::IterateStoreBuffers<true>(dart::ScavengerVisitorBase<true>*)+0xdf
  pc 0x000000010954910b fp 0x0000700003326cc0 void dart::Scavenger::IterateRoots<true>(dart::ScavengerVisitorBase<true>*)+0x11b
  pc 0x0000000109548b24 fp 0x0000700003326dc0 dart::ScavengerVisitorBase<true>::ProcessRoots()+0xb4
  pc 0x0000000109547563 fp 0x0000700003326e50 dart::ParallelScavengerTask::RunEnteredIsolateGroup()+0x53
  pc 0x0000000109548993 fp 0x0000700003326e90 dart::ParallelScavengerTask::Run()+0x73
  pc 0x000000010951fa28 fp 0x0000700003326f20 dart::ThreadPool::WorkerLoop(dart::ThreadPool::Worker*)+0x148
  pc 0x000000010951fd60 fp 0x0000700003326f50 dart::ThreadPool::Worker::Main(unsigned long)+0x80
  pc 0x00000001094b1385 fp 0x0000700003326fb0 dart::ThreadStart(void*)+0xb5
  pc 0x00007ff8048b34e1 fp 0x0000700003326fd0 _pthread_start+0x7d
  pc 0x00007ff8048aef6b fp 0x0000700003326ff0 thread_start+0xf
-- End of DumpStackTrace

I can only reproduce this on the x64 MacBook, not on the M1; I haven't figured out how to build a Flutter app there.

$ flutter --version
Flutter 2.13.0-0.1.pre • channel beta • https://github.com/flutter/flutter
Framework • revision 13a2fb10b8 (8 days ago) • 2022-04-12 15:34:25 -0500
Engine • revision 499984f99c
Tools • Dart 2.17.0 (build 2.17.0-266.1.beta) • DevTools 2.12.1

I can see if I can reproduce this in Dart standalone, that would be easier to diagnose.

@blaugold
Contributor Author

I have been able to reproduce this issue on an M1, but on the Flutter master channel.

@dcharkes
Contributor

dcharkes commented Apr 20, 2022

I recently started experimenting with using Finalizer

I can't seem to find any use of Finalizer in the repo: $ grep -r Finalizer . only yields binaries and build files. What am I missing? Are the finalizers in one of the packages?

If there is too much going on, I can try to find a simpler setup.

It only reproduces once in every 10-20 runs here.

Things that would make it simpler:

  • More often repro 😄
  • Dart standalone instead of Flutter: dart xyz.dart.
    • flutter test also uses standalone Dart, so if it reproduces there it probably also reproduces in dart xyz.dart. Does your repro actually need a Flutter app?
    • We can use --trace-finalizers in Dart standalone, and more easily step with the debugger.
  • Smaller repro. I would imagine the databases themselves might not be needed if it is an issue with Finalizer.
    • We might need fairly complicated object graphs though. (The store buffer keeps track of old-space objects referring to new-space objects. And by the looks of it the store buffer contains a corrupted reference.)
  • --debug instead of --profile. We might hit earlier asserts. But so far no repro on debug for me.

off-topic: I can't seem to run on arm64 even on the master channel:

<...>/blaugold/embedded_db_benchmark/packages/app/macos/Runner.xcodeproj: error: The linked framework 'Pods_Runner.framework' is missing one or more architectures required by this target: arm64. (in target 'Runner' from project 'Runner')

@blaugold
Contributor Author

I can't seem to find any use of Finalizer in the repo: $ grep -r Finalizer . only yields binaries and build files. What am I missing? Are the finalizers in one of the packages?

Sorry about that. I should have explained that better. The finalizer is in the cbl package here, on a feature branch, which is pulled in with a dependency override in pubspec.yaml.

I'll try and see if I can do something about the points you mentioned.

<...>/blaugold/embedded_db_benchmark/packages/app/macos/Runner.xcodeproj: error: The linked framework 'Pods_Runner.framework' is missing one or more architectures required by this target: arm64. (in target 'Runner' from project 'Runner')

Maybe a flutter clean helps if you switched channels between rebuilds?

@dcharkes
Contributor

Maybe a flutter clean helps if you switched channels between rebuilds?

👍 😅

Though on the last master, a --profile build triggers a new error, both on M1 and x64.

It does also reproduce on --release, but I get no stacktrace there.

I'll try and see if I can do something about the points you mentioned.

Cool! Let me know if you make any progress.

@blaugold
Contributor Author

More often repro 😄

On a Mac mini M1 and the Flutter beta channel with --profile I get crashes almost on every try.

Flutter 2.13.0-0.2.pre • channel beta • https://github.com/flutter/flutter.git
Framework • revision 8662e22bac (19 hours ago) • 2022-04-20 08:21:52 -0700
Engine • revision 24a02fa5ee
Tools • Dart 2.17.0 (build 2.17.0-266.5.beta) • DevTools 2.12.2

Dart standalone instead of Flutter dart xyz.dart.

I have updated the repro branch so that the cli package uses the Finalizer class as well, but was unable to reproduce the issue when running the same benchmarks through the CLI:

cd packages/cli
dart bin/cli.dart run -d cbl -e async

Smaller repro. I would imagine the databases themselves might not be needed if it is an issue with Finalizer.

I'll try to isolate the problem more. Since I'm using FFI there's also a chance that the native database library is somehow corrupting memory.

Is this commit related to this issue at all?

--debug instead of --profile. We might hit earlier asserts. But so far no repro on debug for me.

I can repro the issue with a debug build, but only with a different dev build of the database C library. This dev build has an optimization which cuts down execution time of a few operations significantly, which seems to change the timing so that the issue is also observable with a debug build. I did not run into any other asserts, though.
This is a crash report from a debug build.

@dcharkes
Contributor

dcharkes commented Apr 22, 2022

Is this commit related to this issue at all?

No, it still happens on the last master channel, which includes that commit (Tools • Dart 2.18.0 (build 2.18.0-43.0.dev)).

I can repro the issue with a debug build

Same here, even with the same db. Same crash report in the Console. (Bad access generates a crash report, hitting the invalid cid prints in the console and hangs or exits.)

This means it happens both in JIT and AOT.

On a Mac mini M1

On the Macbook with M1 it does crash more often than on the x64 Macbook indeed (but still only once in a couple of runs).

I have updated the repro branch so that the cli package uses the Finalizer class as well, but was unable to reproduce the issue when running the same benchmarks through the CLI:

I have no reproductions either. I tried running the debug/release/product(profile) standalone dart built from the main branch, both with dart xyz.dart (JIT) and dart compile exe xyz.dart (AOT).

Even with running the GC verification flags (e.g. --verify-store-buffer)

sdk/runtime/vm/flag_list.h

Lines 237 to 244 in a5a7b4c

P(verbose_gc, bool, false, "Enables verbose GC.") \
P(verbose_gc_hdr, int, 40, "Print verbose GC header interval.") \
R(verify_after_gc, false, bool, false, \
"Enables heap verification after GC.") \
R(verify_before_gc, false, bool, false, \
"Enables heap verification before GC.") \
R(verify_store_buffer, false, bool, false, \
"Enables store buffer verification before and after scavenges.") \

dacoharkes-macbookpro2:cli dacoharkes$ ~/dart-sdk/sdk/xcodebuild/ReleaseARM64/dart-sdk/bin/dart --verify-store-buffer bin/cli.dart run -d cbl -e async

Unfortunately we cannot pass the same flags to flutter:

$ flutter run --dart-flags=--verify-store-buffer -d macos --debug
[FATAL:flutter/shell/common/switches.cc(437)] Encountered disallowed Dart VM flag: --verify-store-buffer

https://github.com/flutter/engine/blob/c2de44a59cf1e41709c27f67b507081d52fd3dd7/shell/common/switches.cc#L53-L72

I can try to work around that by making a local build with the flags enabled.

It might be something related to Flutter, but it could also be that the timing is just slightly different in standalone.

As far as I can see, Flutter uses the same Scavenger settings:

sdk/runtime/vm/flag_list.h

Lines 141 to 143 in a5a7b4c

P(scavenger_tasks, int, 2, \
"The number of tasks to spawn during scavenging (0 means " \
"perform all marking on main thread).") \

The crash is always happening on the second thread.

sdk/runtime/vm/flag_list.h

Lines 156 to 159 in a5a7b4c

P(new_gen_semi_max_size, int, kDefaultNewGenSemiMaxSize, \
"Max size of new gen semi space in MB") \
P(new_gen_semi_initial_size, int, (kWordSize <= 4) ? 1 : 2, \
"Initial size of new gen semi space in MB") \

sdk/runtime/vm/flag_list.h

Lines 167 to 169 in a5a7b4c

P(old_gen_heap_size, int, kDefaultMaxOldGenHeapSize, \
"Max size of old gen heap size in MB, or 0 for unlimited," \
"e.g: --old_gen_heap_size=1024 allows up to 1024MB old gen heap") \

Also the heap size defaults seem to not be overwritten in the Flutter code base.

I'll try to isolate the problem more. Since I'm using FFI there's also a chance that the native database library is somehow corrupting memory.

👍

@blaugold
Contributor Author

I have updated main.dart to run only one benchmark and for a longer time, which makes the crash much more probable.

I have also been able to isolate the issue a bit more, and frame scheduling seems to play into it somehow; I'm not sure whether it's just influencing the timing in a way that makes the issue more probable, though.

The Flutter app now just runs the benchmark (no call to runApp) and schedules frames when it makes progress. When the benchmark is run without scheduling frames while running, I can't replicate the crashes.

  // packages/app/lib/main.dart
  ...
  await runBenchmark(
    onProgress: WidgetsBinding.instance.scheduleForcedFrame,
  );
  ...

test/debug_test.dart is a Flutter unit test which does the same as the updated Flutter app, and running it with flutter test also causes a native crash.

@dcharkes
Contributor

dcharkes commented Apr 26, 2022

@zanderso I'm trying to build arm64 mac on an arm64 mac host.

I took the command from flutter/flutter#84453 and https://flutter-review.googlesource.com/c/recipes/+/25800/2/recipes/engine.py#1113

But it seems that one of our dependencies doesn't support arm64.

$ flutter/tools/gn --mac --mac-cpu arm64 --runtime-mode debug --no-lto --full-dart-sdk --prebuilt-dart-sdk
Using prebuilt Dart SDK binary. If you are editing Dart sources and wish to compile the Dart SDK, set `--no-prebuilt-dart-sdk`.
Generating GN files in: out/mac_debug_arm64
ERROR at //third_party/swiftshader_flutter/BUILD.gn:162:5: Assertion failed.
    assert(false, "Unsupported platform.")
    ^-----
Unsupported platform.
See //flutter/lib/spirv/test/BUILD.gn:14:7: which caused the file to be included.
      "//third_party/swiftshader_flutter:spvtools",
      ^-------------------------------------------
  if (current_cpu == "x64") {
    defines += [
      "SZTARGET=X8664",
      "SUBZERO_TARGET=X8664",
    ]
  } else if (current_cpu == "x86") {
    defines += [
      "SZTARGET=X8632",
      "SUBZERO_TARGET=X8632",
    ]
  } else {
    assert(false, "Unsupported platform.")
  }

Did you see this before?

Are you cross-compiling from x64 instead of compiling on arm64?

My goal is to do $ flutter/tools/gn --mac --mac-cpu arm64 --runtime-mode debug --no-lto --full-dart-sdk --no-prebuilt-dart-sdk so that I can triage the GC crash reported here within a Flutter app.

Edit: turns out we don't have support for building Mac arm64 on Mac arm64 just yet.

@dcharkes
Contributor

test/debug_test.dart is a Flutter unit test which does the same as the updated Flutter app, and running it with flutter test also causes a native crash.

@blaugold Thanks!

With this I've been able to use a local engine build on Mac x64 with --trace-finalizers --verify-store-buffers (flutter test output). I've tracked it down to the store buffer containing an address where a FinalizerEntry object used to be (--trace-finalizers prints the addresses of the objects related to finalizers in memory).

Since I'm using FFI there's also a chance that the native database library is somehow corrupting memory.

I think this is rather unlikely with the new information. Every crash is trying to read memory where a FinalizerEntry object used to be. And that address is in the store buffer every time.

Any chance you could make your repro project run on Linux?

@blaugold
Contributor Author

Any chance you could make your repro project run on Linux?

It should already work on Ubuntu x86, but I haven't tried it yet and don't know whether it reproduces there. I'll finally have to get my Linux box running again. 😅

@dcharkes
Contributor

Okay, I am now able to repro the issue in a unit test. 🎉

@blaugold while I work on a fix, a temporary workaround would be to create a new finalizer object for every time you want to attach a finalizer. This will be less efficient, but should prevent the crash for the time being.
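The two attachment patterns discussed in this thread, as an added example that is not code from the issue, the benchmark or the cbl package: the shared-Finalizer pattern the benchmark uses, and the per-attachment workaround suggested above. Class names are constructed; the workaround assumes each per-attachment Finalizer is kept reachable in a set until it fires, because a Finalizer that is itself collected does not get a chance to run its callbacks.

```dart
/// Stand-in for a native resource (constructed; real code would hold an FFI pointer).
class NativeHandle {
  NativeHandle(this.id);
  final int id;
  static int released = 0;
  void release() => released++;
}

/// Pattern from the benchmark in the thread: one Finalizer shared by all owners.
final Finalizer<NativeHandle> _sharedFinalizer =
    Finalizer<NativeHandle>((handle) => handle.release());

class SharedFinalizerOwner {
  SharedFinalizerOwner(this.handle) {
    _sharedFinalizer.attach(this, handle, detach: this);
  }
  final NativeHandle handle;
}

/// Workaround suggested above: a fresh Finalizer per attachment. A Finalizer
/// that becomes unreachable never fires, so each is kept in a set until it runs.
final Set<Finalizer<NativeHandle>> _liveFinalizers = {};

class PerAttachFinalizerOwner {
  PerAttachFinalizerOwner(this.handle) {
    late final Finalizer<NativeHandle> finalizer;
    // The callback must not capture `this`, or the owner stays reachable.
    finalizer = Finalizer<NativeHandle>((h) {
      h.release();
      _liveFinalizers.remove(finalizer);
    });
    _liveFinalizers.add(finalizer);
    finalizer.attach(this, handle, detach: this);
    _finalizer = finalizer;
  }
  final NativeHandle handle;
  late final Finalizer<NativeHandle> _finalizer;
  void close() {
    _finalizer.detach(this); // explicit release: keep the callback silent
    _liveFinalizers.remove(_finalizer);
    handle.release();
  }
}
Future<void> main() async {
  // Many owners that die immediately, as in the benchmark; yielding lets callbacks run.
  for (var i = 0; i < 100000; i++) {
    PerAttachFinalizerOwner(NativeHandle(i));
    if (i % 1000 == 0) await Future<void>.delayed(Duration.zero);
  }
  print('released so far: ${NativeHandle.released}');
}
```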

@dcharkes
Contributor

dcharkes commented May 2, 2022

copybara-service bot pushed a commit that referenced this issue May 5, 2022
`MournFinalized` runs during marking and can add objects to the store
buffer. These objects are stored in the threads' store buffer block.
This block needs to be released to the central store buffer in order for
the objects' addresses to be updated during compacting.

TEST=runtime/vm/object_test.cc
TEST=tools/test.py vm/cc/Finalizer_Regress_48843

Closes: #48843

Change-Id: Ib2424929c86fee730d3f09fbd2f9f6c97f31abfd
Cq-Include-Trybots: luci.dart.try:vm-canary-linux-debug-try,vm-kernel-linux-debug-x64-try,vm-kernel-linux-debug-x64c-try,vm-kernel-mac-debug-x64-try,vm-kernel-win-debug-x64-try,vm-kernel-linux-release-x64-try,vm-kernel-linux-product-x64-try,vm-kernel-linux-debug-ia32-try,vm-kernel-linux-release-ia32-try
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/243262
Reviewed-by: Slava Egorov <vegorov@google.com>
Commit-Queue: Daco Harkes <dacoharkes@google.com>
Reviewed-by: Ryan Macnak <rmacnak@google.com>
@a-siva
Contributor

a-siva commented May 13, 2022

Can this be closed?

@dcharkes
Contributor

It is closed?
