Segmentation fault in realm_callback_token_schema::~realm_callback_token_schema

[nirinchev]

I'm seeing the following crash during test teardown in the dart SDK:

===== CRASH =====
si_signo=Segmentation fault: 11(11), si_code=2, si_addr=0x29000000000000
version=3.2.6 (stable) (Wed Jan 24 13:41:58 2024 +0000) on "macos_arm64"
pid=75501, thread=14083, isolate_group=main(0x14b00a200), isolate=(nil)(0x0)
os=macos, arch=arm64, comp=no, sim=no
isolate_instructions=104f3dfe0, vm_instructions=104f3dfe0
fp=16b98a1d0, sp=16b98a080, pc=1824e9b10
  pc 0x00000001824e9b10 fp 0x000000016b98a1d0 __dynamic_cast+0x30
  pc 0x000000013c9451bc fp 0x000000016b98a220 realm_callback_token_schema::~realm_callback_token_schema()+0x44
  pc 0x000000013c945270 fp 0x000000016b98a240 realm_callback_token_schema::~realm_callback_token_schema()+0x1c
  pc 0x000000013c94529c fp 0x000000016b98a260 realm_callback_token_schema::~realm_callback_token_schema()+0x1c
  pc 0x000000013c98e2e8 fp 0x000000016b98a280 realm_release+0x54
  pc 0x000000013c9940b0 fp 0x000000016b98a2a0 handle_finalizer(void*, void*)+0x1c
  pc 0x000000010539be18 fp 0x000000016b98a2e0 /opt/homebrew/Caskroom/flutter/3.16.0/flutter/bin/cache/dart-sdk/bin/dart+0x4a7e18
  pc 0x000000010507a278 fp 0x000000016b98a360 /opt/homebrew/Caskroom/flutter/3.16.0/flutter/bin/cache/dart-sdk/bin/dart+0x186278
  pc 0x000000010507b4b4 fp 0x000000016b98a8b0 /opt/homebrew/Caskroom/flutter/3.16.0/flutter/bin/cache/dart-sdk/bin/dart+0x1874b4
  pc 0x00000001053a01f4 fp 0x000000016b98ae00 Dart_ShutdownIsolate+0xe0
  pc 0x000000010509c2c8 fp 0x000000016b98ae60 /opt/homebrew/Caskroom/flutter/3.16.0/flutter/bin/cache/dart-sdk/bin/dart+0x1a82c8
  pc 0x00000001051a4218 fp 0x000000016b98af20 /opt/homebrew/Caskroom/flutter/3.16.0/flutter/bin/cache/dart-sdk/bin/dart+0x2b0218
  pc 0x00000001051a4490 fp 0x000000016b98af50 /opt/homebrew/Caskroom/flutter/3.16.0/flutter/bin/cache/dart-sdk/bin/dart+0x2b0490
  pc 0x000000010512e7c4 fp 0x000000016b98afc0 /opt/homebrew/Caskroom/flutter/3.16.0/flutter/bin/cache/dart-sdk/bin/dart+0x23a7c4
  pc 0x0000000182532034 fp 0x000000016b98afe0 _pthread_start+0x88
-- End of DumpStackTrace

I haven't been able to dive deeper into it, but I believe it has something to do with the destructor being called nondeterministically for the SharedRealm and the realm_callback_token_schema. Since realm_callback_token_schema takes a raw pointer to the Realm, I don't believe it's legal to use it after the realm has been closed. Unfortunately, when dealing with garbage collected languages, we can't control the order in which the destructors will be called, so the C API should somehow guard against this.

[sync-by-unito]

➤ PM Bot commented:

Jira ticket: RCORE-2003

[nirinchev]

@nicola-cab or @jedelbo can you take a look here - it's not extremely urgent, but it's related to our mixed support in dart.

[nicola-cab]

Highly likely something odd with how the object is finalized and garbage collected... can you point me out to the test?

[nirinchev]

Unfortunately, it's not a specific test that fails - instead, when the isolate is torn down and all objects in it are finalized, we get the crash. It appears to be a race condition as it only happens in 40-50% of the cases, which makes me believe it is caused by the non-deterministic order of calling the destructors (e.g. if the callback token is destroyed before the Realm, it's fine, otherwise we get this crash).

[nicola-cab]

mmm, probably order of destruction... I'll try to reproduce it with a multithreading test..

[nicola-cab]

Internal note: verify if this PR #7437 is fixing the problem.