LadybirdBrowser / ladybird

Truly independent web browser
https://ladybird.org
BSD 2-Clause "Simplified" License

LibJS+LibGC: After LibGC refactor, it is even more unsafe to destroy a VM #2412

Open ADKaster opened 1 week ago

ADKaster commented 1 week ago

The LibWeb main thread VM is never destroyed. This has been the case for a long time. We have too many cycles in core objects.

After the LibGC refactor, it is now unsafe to destroy the VM in general.

This only seems to manifest in the Distribution build.

Repro:

cmake --preset Distribution -DCMAKE_C_COMPILER=clang-18 -DCMAKE_CXX_COMPILER=clang++-18
ninja -C Build/distribution js
./Build/distribution/bin/js -c "console.log('42')"

Output:

"42"
Segmentation fault (core dumped)

Backtrace:

"42"
VERIFICATION FAILED: m_ref_count at /home/andrew/ladybird-org/ladybird-browser/AK/RefCounted.h:47
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x205d4df) [0x5555575b14df]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x22a8991) [0x5555577fc991]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x22a8c66) [0x5555577fcc66]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x22a02c7) [0x5555577f42c7]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x248eca6) [0x5555579e2ca6]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x248ac81) [0x5555579dec81]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x2489d9c) [0x5555579ddd9c]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x248922b) [0x5555579dd22b]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x23fb0a4) [0x55555794f0a4]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x2059866) [0x5555575ad866]
/lib/x86_64-linux-gnu/libc.so.6(+0x47a66) [0x7ffff7847a66]
/lib/x86_64-linux-gnu/libc.so.6(+0x47bae) [0x7ffff7847bae]
/lib/x86_64-linux-gnu/libc.so.6(+0x2a1d1) [0x7ffff782a1d1]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x8b) [0x7ffff782a28b]
/home/andrew/ladybird-org/ladybird-browser/Build/distribution/bin/js(+0x2051535) [0x5555575a5535]

Program received signal SIGILL, Illegal instruction.
ak_verification_failed () at /home/andrew/ladybird-org/ladybird-browser/AK/Assertions.cpp:102
102     __builtin_trap();
(gdb) bt
#0  ak_verification_failed () at /home/andrew/ladybird-org/ladybird-browser/AK/Assertions.cpp:102
#1  0x00005555577fc991 in deref_base () at /home/andrew/ladybird-org/ladybird-browser/AK/RefCounted.h:47
#2  unref () at /home/andrew/ladybird-org/ladybird-browser/AK/RefCounted.h:61
#3  unref_if_not_null<AK::StringImpl const> () at /home/andrew/ladybird-org/ladybird-browser/AK/NonnullRefPtr.h:32
#4  ~NonnullRefPtr () at /home/andrew/ladybird-org/ladybird-browser/AK/NonnullRefPtr.h:97
#5  ~DeprecatedFlyString () at /home/andrew/ladybird-org/ladybird-browser/AK/DeprecatedFlyString.h:14
#6  ~Entry () at /home/andrew/ladybird-org/ladybird-browser/AK/HashMap.h:23
#7  ~HashTable () at /home/andrew/ladybird-org/ladybird-browser/AK/HashTable.h:166
#8  0x00005555577fcc66 in ~HashMap () at /home/andrew/ladybird-org/ladybird-browser/AK/HashMap.h:21
#9  ~Entry () at /home/andrew/ladybird-org/ladybird-browser/AK/HashMap.h:23
#10 delete_bucket<AK::HashTable<AK::HashMap<GC::Ptr<JS::Object const>, AK::HashMap<AK::DeprecatedFlyString, JS::Value (*)(JS::Realm&), AK::Traits<AK::DeprecatedFlyString>, AK::Traits<JS::Value (*)(JS::Realm&)>, false>, AK::Traits<GC::Ptr<JS::Object const> >, AK::Traits<AK::HashMap<AK::DeprecatedFlyString, JS::Value (*)(JS::Realm&), AK::Traits<AK::DeprecatedFlyString>, AK::Traits<JS::Value (*)(JS::Realm&)>, false> >, false>::Entry, AK::HashMap<GC::Ptr<JS::Object const>, AK::HashMap<AK::DeprecatedFlyString, JS::Value (*)(JS::Realm&), AK::Traits<AK::DeprecatedFlyString>, AK::Traits<JS::Value (*)(JS::Realm&)>, false>, AK::Traits<GC::Ptr<JS::Object const> >, AK::Traits<AK::HashMap<AK::DeprecatedFlyString, JS::Value (*)(JS::Realm&), AK::Traits<AK::DeprecatedFlyString>, AK::Traits<JS::Value (*)(JS::Realm&)>, false> >, false>::EntryTraits, false>::Bucket> () at /home/andrew/ladybird-org/ladybird-browser/AK/HashTable.h:725
#11 0x00005555577f42c7 in remove () at /home/andrew/ladybird-org/ladybird-browser/AK/HashTable.h:458
#12 remove () at /home/andrew/ladybird-org/ladybird-browser/AK/HashMap.h:71
#13 ~Object () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibJS/Runtime/Object.cpp:93
#14 0x00005555579e2ca6 in deallocate () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/HeapBlock.cpp:47
#15 0x00005555579dec81 in operator() () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/Heap.cpp:458
#16 operator()<GC::Cell> () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/HeapBlock.h:66
#17 for_each_cell<(lambda at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/HeapBlock.h:64:23)> () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/HeapBlock.h:58
#18 for_each_cell_in_state<(GC::Cell::State)0, (lambda at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/Heap.cpp:455:66)> () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/HeapBlock.h:64
#19 operator()<GC::HeapBlock> () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/Heap.cpp:455
#20 0x00005555579ddd9c in for_each_block<(lambda at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/Heap.cpp:452:20)> () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/CellAllocator.h:37
#21 for_each_block<(lambda at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/Heap.cpp:452:20)> () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/Heap.h:125
#22 sweep_dead_cells () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/Heap.cpp:452
#23 0x00005555579dd22b in collect_garbage () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/Heap.cpp:258
#24 ~Heap () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibGC/Heap.cpp:47
#25 0x000055555794f0a4 in ~VM () at /home/andrew/ladybird-org/ladybird-browser/Libraries/LibJS/Runtime/VM.cpp:189
#26 0x00005555575ad866 in unref () at /home/andrew/ladybird-org/ladybird-browser/AK/RefCounted.h:65
#27 unref_if_not_null<JS::VM> () at /home/andrew/ladybird-org/ladybird-browser/AK/NonnullRefPtr.h:32
#28 clear () at /home/andrew/ladybird-org/ladybird-browser/AK/RefPtr.h:223
#29 ~RefPtr () at /home/andrew/ladybird-org/ladybird-browser/AK/RefPtr.h:103
#30 0x00007ffff7847a66 in __run_exit_handlers (status=0, listp=<optimized out>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at ./stdlib/exit.c:108
#31 0x00007ffff7847bae in __GI_exit (status=<optimized out>) at ./stdlib/exit.c:138
#32 0x00007ffff782a1d1 in __libc_start_call_main (main=main@entry=0x5555579d6c70 <main()>, argc=argc@entry=3, argv=argv@entry=0x7fffffffd928) at ../sysdeps/nptl/libc_start_call_main.h:74
#33 0x00007ffff782a28b in __libc_start_main_impl (main=0x5555579d6c70 <main()>, argc=3, argv=0x7fffffffd928, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd918) at ../csu/libc-start.c:360
#34 0x00005555575a5535 in _start ()
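
The backtrace shows the VM being released from an exit handler (frames #30 and #31), its `~Heap` running a final collection, and a swept `~Object` dropping a `DeprecatedFlyString` whose `StringImpl` already has a zero refcount when `deref_base()` verifies it. The following C++ model is an added example, not Ladybird or AK code, and it makes no claim about where the real ordering bug sits in `VM.cpp`; `StringImpl`, `Cell`, `Heap`, `StringTable`, `VMTableDiesFirst`, `VMHeapDiesFirst` and `teardown_failures` are all hypothetical names chosen to mirror the frames above. It reproduces the shape of the failure: a VM that owns both a table of interned strings and a GC heap whose cells reference those strings, torn down in the two possible member orders. The refcount check stands in for `VERIFY(m_ref_count)` and counts failures instead of trapping, so both orders can be compared in one run.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model of the teardown hazard; not Ladybird/AK code.
static int g_verification_failures = 0;

struct StringImpl {
    std::string text;
    int ref_count = 1; // the interning table holds the initial reference
    // Stand-in for AK's deref_base(): VERIFY(m_ref_count) becomes a counter.
    // Returns true when the caller dropped the last reference.
    bool unref()
    {
        if (ref_count == 0) {
            ++g_verification_failures; // deref of a dead object: the issue's VERIFICATION FAILED
            return false;
        }
        return --ref_count == 0;
    }
};

// Tombstoned strings are parked here instead of being freed, so a late unref in the
// unsafe order reads a zero refcount (defined behaviour in this model) rather than
// touching freed memory, which is what the real program does.
static std::vector<std::unique_ptr<StringImpl>> g_graveyard;

// A GC cell releases its string reference in its destructor, like
// ~Object -> ~DeprecatedFlyString -> unref in the backtrace.
struct Cell {
    StringImpl* name;
    explicit Cell(StringImpl* n) : name(n) { ++name->ref_count; }
    ~Cell() { name->unref(); }
};

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    ~Heap() { cells.clear(); } // final sweep on teardown: ~Heap -> collect_garbage
};

struct StringTable {
    std::vector<std::unique_ptr<StringImpl>> strings;
    ~StringTable()
    {
        for (auto& s : strings) {
            s->ref_count = 0; // the owner is gone: the object is dead from here on
            g_graveyard.push_back(std::move(s));
        }
        strings.clear();
    }
};

// C++ destroys members in reverse declaration order. In the first layout the table
// dies before the heap's final sweep; in the second the sweep runs while the table
// is still alive.
struct VMTableDiesFirst { Heap heap; StringTable table; };
struct VMHeapDiesFirst  { StringTable table; Heap heap; };

// Builds a VM with `cell_count` cells, each naming its own interned string, destroys
// it, and returns how many refcount verification failures the teardown produced.
template<typename VMType>
int teardown_failures(int cell_count = 3)
{
    int before = g_verification_failures;
    {
        VMType vm;
        for (int i = 0; i < cell_count; ++i) {
            auto impl = std::make_unique<StringImpl>();
            impl->text = "name" + std::to_string(i); // constructed sample data
            vm.heap.cells.push_back(std::make_unique<Cell>(impl.get()));
            vm.table.strings.push_back(std::move(impl));
        }
    } // ~VMType runs here, in the member order each layout dictates
    return g_verification_failures - before;
}

int main()
{
    std::printf("table torn down first: %d verification failures\n", teardown_failures<VMTableDiesFirst>());
    std::printf("heap swept first:      %d verification failures\n", teardown_failures<VMHeapDiesFirst>());
    return 0;
}
```

With the table torn down first every swept cell trips the check once; with the heap swept first none do. The two mitigations the model points at are the ones this issue is already circling: make the final sweep run before anything the cells' destructors depend on is released, or, as the first comment says LibWeb does for its main-thread VM, never destroy the VM at all so no exit handler reaches `~VM`.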

ADKaster commented 1 week ago

cc @shannonbooth