swiftlang / swift

The Swift Programming Language
https://swift.org
Apache License 2.0

Runtime crash: 'freed pointer was not the last allocation' #75501

Open glbrntt opened 1 month ago

glbrntt commented 1 month ago

Description

One of the tests in the attached repository reliably crashes at runtime. This seems to be related to DiscardingTaskGroup as switching to TaskGroup<Void> doesn't crash.

Reproduction

Stack dump

freed pointer was not the last allocation
*** Signal 6: Backtracing from 0xffff95f6f200... done ***

*** Program crashed: Aborted at 0x0000000000002b82 ***

Thread 0 crashed:

 0                  0x0000ffff95f6f200 <unknown> in libc.so.6
 1 [ra]             0x0000ffff95f2a67c <unknown> in libc.so.6
 2 [ra]             0x0000ffff95f17130 <unknown> in libc.so.6
 3 [ra]             0x0000ffff96fa4c24 swift::swift_Concurrency_fatalErrorv(unsigned int, char const*, std::__va_list) + 43 in libswift_Concurrency.so
 4 [ra]             0x0000ffff96fa4c84 swift::swift_Concurrency_fatalError(unsigned int, char const*, ...) + 95 in libswift_Concurrency.so
 5 [ra]             0x0000ffff96fa6be8 swift_task_dealloc + 127 in libswift_Concurrency.so
 6 [ra]             0x0000aaaacfb1a840 ClientRPCExecutor.RetryExecutor.executeAttempt<A>(stream:metadata:retryStream:method:attempt:responseHandler:) + 215 in grpc-swiftPackageTests.xctest at /code/Sources/GRPCCore/Call/Client/Internal/ClientRPCExecutor+RetryExecutor.swift:209:18
 7 [async]          0x0000aaaacfb1a448 closure #1 in closure #3 in closure #1 in ClientRPCExecutor.RetryExecutor.execute<A>(request:method:options:responseHandler:) in grpc-swiftPackageTests.xctest at /code/Sources/GRPCCore/Call/Client/Internal/ClientRPCExecutor+RetryExecutor.swift:134
 8 [async] [thunk]  0x0000aaaacfb207ac partial apply for closure #1 in closure #3 in closure #1 in ClientRPCExecutor.RetryExecutor.execute<A>(request:method:options:responseHandler:) in grpc-swiftPackageTests.xctest at //<compiler-generated>
 9 [async] [thunk]  0x0000aaaacfb04dec thunk for @escaping @isolated(any) @callee_guaranteed @async () -> (@out A) in grpc-swiftPackageTests.xctest at //<compiler-generated>
10 [async] [thunk]  0x0000aaaacfb07324 partial apply for thunk for @escaping @isolated(any) @callee_guaranteed @async () -> (@out A) in grpc-swiftPackageTests.xctest at //<compiler-generated>
11 [async] [system] 0x0000ffff96fa63dc completeTaskWithClosure(swift::AsyncContext*, swift::SwiftError*) in libswift_Concurrency.so

Images (49 omitted):

0x0000aaaacf3a0000–0x0000aaaad2a52f48 <no build ID>                            grpc-swiftPackageTests.xctest /code/.build/aarch64-unknown-linux-gnu/debug/grpc-swiftPackageTests.xctest
0x0000ffff95ef0000–0x0000ffff96077404 aa6e122fa39ae02d412afb49d75e33281fcd2805 libc.so.6                     /usr/lib/aarch64-linux-gnu/libc.so.6
0x0000ffff96f40000–0x0000ffff96fbf380 cf1639bfd9a10cae9968dcb7baf58403d1a7106a libswift_Concurrency.so       /usr/lib/swift/linux/libswift_Concurrency.so

Backtrace took 1.54s

Expected behavior

Test should complete

Environment

Swift version 6.0-dev (LLVM 723ba90c22d3da1, Swift ae7e24dc658e067) Target: aarch64-unknown-linux-gnu

Additional information

ktoso commented 1 month ago

Hmm, these happen when the task local allocator has allocated in some order a b c and frees b before c etc. This is rather unexpected, a discarding taskgroup itself doesn't really task allocate anything hmmm

I'll look into this
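
A minimal model of the last-in-first-out rule described in the comment above, as an added example that is not part of the original thread and is not the Swift runtime's code. All names (`stack_alloc`, `sa_alloc`, `sa_dealloc`) are hypothetical, and the model returns an error code where the runtime in the backtrace aborts.

```c
#include <stddef.h>
#include <stdio.h>

enum { SLAB_SIZE = 1024, MAX_LIVE = 32, ALIGN = 16 };

/* Hypothetical stack-discipline allocator: memory is handed out by bumping `top`. */
typedef struct {
    _Alignas(ALIGN) unsigned char slab[SLAB_SIZE];
    size_t top;              /* offset of the first free byte */
    size_t marks[MAX_LIVE];  /* start offsets of live allocations, oldest first */
    size_t depth;            /* number of live allocations */
} stack_alloc;

void *sa_alloc(stack_alloc *a, size_t n) {
    size_t need = (n + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    if (n > SLAB_SIZE || a->depth == MAX_LIVE || need > SLAB_SIZE - a->top)
        return NULL;
    a->marks[a->depth++] = a->top;
    a->top += need;
    return a->slab + a->marks[a->depth - 1];
}

/* Returns 0 on success, -1 when p is not the last (newest live) allocation. */
int sa_dealloc(stack_alloc *a, void *p) {
    if (a->depth == 0 || (unsigned char *)p != a->slab + a->marks[a->depth - 1])
        return -1;
    a->top = a->marks[--a->depth];  /* pop: everything above is free again */
    return 0;
}

/* The order from the comment: allocate a, b, c, then free b before c. */
int free_b_before_c(void) {
    stack_alloc s = {0};
    void *a = sa_alloc(&s, 24), *b = sa_alloc(&s, 40), *c = sa_alloc(&s, 8);
    return (a && c) ? sa_dealloc(&s, b) : -2;
}

/* Same allocations released newest-first: every free is accepted. */
int free_in_reverse(void) {
    stack_alloc s = {0};
    void *a = sa_alloc(&s, 24), *b = sa_alloc(&s, 40), *c = sa_alloc(&s, 8);
    int bad = sa_dealloc(&s, c) || sa_dealloc(&s, b) || sa_dealloc(&s, a);
    return (bad || s.top != 0) ? -1 : 0;
}

int main(void) {
    printf("b before c: %d, reverse: %d\n", free_b_before_c(), free_in_reverse());
    return 0;
}
```

The check in `sa_dealloc` is what makes an out-of-order release fail loudly instead of silently rewinding `top` underneath a block that is still in use.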