Assert in SlabAlloc::do_free on realm open

[Cliff-F]

SDK and version

SDK : Realm Swift
Version: 10.38.0

Observations

• How frequent do the crash occur? Always
• Does it happen in production or during dev/test? Yes
• Can the crash be reproduced by you? Yes
• Can you provide instructions for how we can reproduce it?

Crash log / stacktrace

loading file:///Users/masa/Library/Containers/com.catalystwo.eLaws/Data/Documents/LawXML%E3%81%AE%E3%82%B3%E3%83%92%E3%82%9A%E3%83%BC.realm
/Users/realm/workspace/realm_realm-core_release_13.9.0/src/realm/alloc_slab.cpp:541: [realm-core-13.9.0] Assertion failed: ref + size <= next->first with (ref, size, next->first, next->second, get_file_path_for_assertions()) =  [3138384, 8, 3138384, 8, "/Users/masa/Library/Containers/com.catalystwo.eLaws/Data/Documents/LawXMLのコピー.realm"]
0   Realm                               0x0000000104ae9430 _ZN5realm4utilL18terminate_internalERNSt3__118basic_stringstreamIcNS1_11char_traitsIcEENS1_9allocatorIcEEEE + 28
1   Realm                               0x0000000104ae9704 _ZN5realm4util19terminate_with_infoEPKcS2_lS2_OSt16initializer_listINS0_9PrintableEE + 388
2   Realm                               0x00000001049519c4 _ZN5realm9SlabAlloc10free_blockEmPNS0_9FreeBlockE + 0
3   Realm                               0x0000000104951790 _ZN5realm9SlabAlloc7do_freeEmPc + 1732
4   Realm                               0x00000001049a1d0c _ZN5realm5Array12destroy_deepENS_6MemRefERNS_9AllocatorE + 60
5   Realm                               0x0000000104961b84 _ZN5realm11ArrayBinary5eraseEm + 68
6   Realm                               0x000000010489fcb8 _ZZN5realm4util11FunctionRefIFmPNS_13BPlusTreeNodeEmEEC1IRZNS_9BPlusTreeINS_10BinaryDataEE5eraseEmEUlS3_mE_EEOT_ENUlPvS3_mE_8__invokeESE_S3_m + 28
7   Realm                               0x00000001049754d8 _ZN5realm13BPlusTreeBase12bptree_eraseEmNS_4util11FunctionRefIFmPNS_13BPlusTreeNodeEmEEE + 52
8   Realm                               0x000000010489f7f8 _ZN5realm9BPlusTreeINS_10BinaryDataEE5eraseEm + 44
9   Realm                               0x00000001049b733c _ZN12_GLOBAL__N_114InRealmHistory24set_oldest_bound_versionEy + 132
10  Realm                               0x0000000104993a34 _ZN5realm2DB16low_level_commitEyRNS_11TransactionEb + 136
11  Realm                               0x00000001049938b0 _ZN5realm2DB9do_commitERNS_11TransactionEb + 112
12  Realm                               0x0000000104abf6e8 _ZN5realm11Transaction6commitEv + 84
13  Realm                               0x0000000104bdbb04 _ZN5realm5_impl16RealmCoordinator7open_dbEv + 1716
14  Realm                               0x0000000104bdc60c _ZN5realm5_impl16RealmCoordinator12do_get_realmEONS_11RealmConfigERNSt3__110shared_ptrINS_5RealmEEENS4_8optionalINS_9VersionIDEEERNS_4util17CheckedUniqueLockE + 72
15  Realm                               0x0000000104bdc488 _ZN5realm5_impl16RealmCoordinator9get_realmENS_11RealmConfigENSt3__18optionalINS_9VersionIDEEE + 336
16  Realm                               0x0000000104c71e88 _ZN5realm5Realm16get_shared_realmENS_11RealmConfigE + 120
17  Realm                               0x0000000104923c94 +[RLMRealm realmWithConfiguration:confinedTo:error:] + 944
18  Realm                               0x0000000104923868 +[RLMRealm realmWithConfiguration:queue:error:] + 88
19  RealmSwift                          0x0000000102175efc $sSo8RLMRealmC13configuration5queueABSo0A13ConfigurationC_So012OS_dispatch_C0CSgtKcfCTO + 72
20  RealmSwift                          0x00000001021763c4 $s10RealmSwift0A0V13configuration5queueA2C13ConfigurationV_So012OS_dispatch_D0CSgtKcfC + 104
21  eLawsCore                           0x0000000102fafa18 $s9eLawsCore12RealmManagerC04readC4File2atSb10Foundation3URLV_tF + 3708
22  eLawsCore                           0x0000000102fac440 $s9eLawsCore12RealmManagerC04readC4FileyyF + 2908
23  eLawsCore                           0x0000000102fa81f8 $s9eLawsCore12RealmManagerCACyc33_256214687B808D38FBA7DB81398AC59ELlfc + 396
24  eLawsCore                           0x0000000102fa28a8 $s9eLawsCore12RealmManagerCACyc33_256214687B808D38FBA7DB81398AC59ELlfC + 44
25  eLawsCore                           0x0000000102fa2868 $s9eLawsCore12RealmManagerC6shared_WZ + 28
26  libdispatch.dylib                   0x00000001032ce9d4 _dispatch_client_callout + 20
27  libdispatch.dylib                   0x00000001032d08f8 _dispatch_once_callout + 156
28  eLawsCore                           0x0000000102fa2904 $s9eLawsCore12RealmManagerC6sharedACvau + 80
29  eLawsCore                           0x0000000102fa2920 $s9eLawsCore12RealmManagerC6sharedACvgZ + 24
30  eLaws                               0x00000001008fcbb0 $s5eLaws11AppDelegateC11application_29didFinishLaunchingWithOptionsSbSo13UIApplicationC_SDySo0j6LaunchI3KeyaypGSgtF + 7608
31  eLaws                               0x00000001008fd338 $s5eLaws11AppDelegateC11application_29didFinishLaunchingWithOptionsSbSo13UIApplicationC_SDySo0j6LaunchI3KeyaypGSgtFTo + 196
32  UIKitCore                           0x00000001b74a0af8 -[UIApplication _handleDelegateCallbacksWithOptions:isSuspended:restoreState:] + 296
33  UIKitCore                           0x00000001b749ffb0 -[UIApplication _callInitializationDelegatesWithActions:forCanvas:payload:fromOriginatingProcess:] + 2820
34  UIKitCore                           0x00000001b749e284 -[UIApplication _runWithMainScene:transitionContext:completion:] + 988
35  UIKitCore                           0x00000001b749dde4 -[_UISceneLifecycleMultiplexer completeApplicationLaunchWithFBSScene:transitionContext:] + 152
36  UIKitCore                           0x00000001b7ff7fa8 -[UIApplication _compellApplicationLaunchToCompleteUnconditionally] + 48
37  UIKitCore                           0x00000001b7481e14 -[UIApplication _run] + 888
38  UIKitCore                           0x00000001b74780d8 UIApplicationMain + 136
39  eLaws                               0x0000000100903934 main + 64
40  dyld                                0x000000018cfdfe50 start + 2544!!! IMPORTANT: Please report this at https://github.com/realm/realm-core/issues/new/choose2023-04-22 13:31:45.043886+0900 eLaws[10044:138892] /Users/realm/workspace/realm_realm-core_release_13.9.0/src/realm/alloc_slab.cpp:541: [realm-core-13.9.0] Assertion failed: ref + size <= next->first with (ref, size, next->first, next->second, get_file_path_for_assertions()) =  [3138384, 8, 3138384, 8, "/Users/masa/Library/Containers/com.catalystwo.eLaws/Data/Documents/LawXMLのコピー.realm"]
0   Realm                               0x0000000104ae9430 _ZN5realm4utilL18terminate_internalERNSt3__118basic_stringstreamIcNS1_11char_traitsIcEENS1_9allocatorIcEEEE + 28
1   Realm                               0x0000000104ae9704 _ZN5realm4util19terminate_with_infoEPKcS2_lS2_OSt16initializer_listINS0_9PrintableEE + 388
2   Realm                               0x00000001049519c4 _ZN5realm9SlabAlloc10free_blockEmPNS0_9FreeBlockE + 0
3   Realm                               0x0000000104951790 _ZN5realm9SlabAlloc7do_freeEmPc + 1732
4   Realm                               0x00000001049a1d0c _ZN5realm5Array12destroy_deepENS_6MemRefERNS_9AllocatorE + 60
5   Realm                               0x0000000104961b84 _ZN5realm11ArrayBinary5eraseEm + 68
6   Realm                               0x000000010489fcb8 _ZZN5realm4util11FunctionRefIFmPNS_13BPlusTreeNodeEmEEC1IRZNS_9BPlusTreeINS_10BinaryDataEE5eraseEmEUlS3_mE_EEOT_ENUlPvS3_mE_8__invokeESE_S3_m + 28
7   Realm                               0x00000001049754d8 _ZN5realm13BPlusTreeBase12bptree_eraseEmNS_4util11FunctionRefIFmPNS_13BPlusTreeNodeEmEEE + 52
8   Realm                               0x000000010489f7f8 _ZN5realm9BPlusTreeINS_10BinaryDataEE5eraseEm + 44
9   Realm                               0x00000001049b733c _ZN12_GLOBAL__N_114InRealmHistory24set_oldest_bound_versionEy + 132
10  Realm                               0x0000000104993a34 _ZN5realm2DB16low_level_commitEyRNS_11TransactionEb + 136
11  Realm                               0x00000001049938b0 _ZN5realm2DB9do_commitERNS_11TransactionEb + 112
12  Realm                               0x0000000104abf6e8 _ZN5realm11Transaction6commitEv + 84
13  Realm                               0x0000000104bdbb04 _ZN5realm5_impl16RealmCoordinator7open_dbEv + 1716
14  Realm                               0x0000000104bdc60c _ZN5realm5_impl16RealmCoordinator12do_get_realmEONS_11RealmConfigERNSt3__110shared_ptrINS_5RealmEEENS4_8optionalINS_9VersionIDEEERNS_4util17CheckedUniqueLockE + 72
15  Realm                               0x0000000104bdc488 _ZN5realm5_impl16RealmCoordinator9get_realmENS_11RealmConfigENSt3__18optionalINS_9VersionIDEEE + 336
16  Realm                               0x0000000104c71e88 _ZN5realm5Realm16get_shared_realmENS_11RealmConfigE + 120
17  Realm                               0x0000000104923c94 +[RLMRealm realmWithConfiguration:confinedTo:error:] + 944
18  Realm                               0x0000000104923868 +[RLMRealm realmWithConfiguration:queue:error:] + 88
19  RealmSwift                          0x0000000102175efc $sSo8RLMRealmC13configuration5queueABSo0A13ConfigurationC_So012OS_dispatch_C0CSgtKcfCTO + 72
20  RealmSwift                          0x00000001021763c4 $s10RealmSwift0A0V13configuration5queueA2C13ConfigurationV_So012OS_dispatch_D0CSgtKcfC + 104
21  eLawsCore                           0x0000000102fafa18 $s9eLawsCore12RealmManagerC04readC4File2atSb10Foundation3URLV_tF + 3708
22  eLawsCore                           0x0000000102fac440 $s9eLawsCore12RealmManagerC04readC4FileyyF + 2908
23  eLawsCore                           0x0000000102fa81f8 $s9eLawsCore12RealmManagerCACyc33_256214687B808D38FBA7DB81398AC59ELlfc + 396
24  eLawsCore                           0x0000000102fa28a8 $s9eLawsCore12RealmManagerCACyc33_256214687B808D38FBA7DB81398AC59ELlfC + 44
25  eLawsCore                           0x0000000102fa2868 $s9eLawsCore12RealmManagerC6shared_WZ + 28
26  libdispatch.dylib                   0x00000001032ce9d4 _dispatch_client_callout + 20
27  libdispatch.dylib                   0x00000001032d08f8 _dispatch_once_callout + 156
28  eLawsCore                           0x0000000102fa2904 $s9eLawsCore12RealmManagerC6sharedACvau + 80
29  eLawsCore                           0x0000000102fa2920 $s9eLawsCore12RealmManagerC6sharedACvgZ + 24
30  eLaws                               0x00000001008fcbb0 $s5eLaws11AppDelegateC11application_29didFinishLaunchingWithOptionsSbSo13UIApplicationC_SDySo0j6LaunchI3KeyaypGSgtF + 7608
31  eLaws                               0x00000001008fd338 $s5eLaws11AppDelegateC11application_29didFinishLaunchingWithOptionsSbSo13UIApplicationC_SDySo0j6LaunchI3KeyaypGSgtFTo + 196
32  UIKitCore                           0x00000001b74a0af8 -[UIApplication _handleDelegateCallbacksWithOptions:isSuspended:restoreState:] + 296
33  UIKitCore                           0x00000001b749ffb0 -[UIApplication _callInitializationDelegatesWithActions:forCanvas:payload:fromOriginatingProcess:] + 2820
34  UIKitCore                           0x00000001b749e284 -[UIApplication _runWithMainScene:transitionContext:completion:] + 988
35  UIKitCore                           0x00000001b749dde4 -[_UISceneLifecycleMultiplexer completeApplicationLaunchWithFBSScene:transitionContext:] + 152
36  UIKitCore                           0x00000001b7ff7fa8 -[UIApplication _compellApplicationLaunchToCompleteUnconditionally] + 48
37  UIKitCore                           0x00000001b7481e14 -[UIApplication _run] + 888
38  UIKitCore                           0x00000001b74780d8 UIApplicationMain + 136
39  eLaws                               0x0000000100903934 main + 64
40  dyld                                0x000000018cfdfe50 start + 2544!!! IMPORTANT: Please report this at https://github.com/realm/realm-core/issues/new/choose

Steps & Code to Reproduce

I'm reporting this because I was instructed to. The realm file may have been accessed by two processes, which may have broken the realm file. This crash occurs when opening this particular realm file, which we can share.

Realm Studio on Mac can open it, but my application crashes when trying to open this file by let realm = try Realm(configuration: config)

[nicola-cab]

Hello, thanks for reporting this, there has been a slight increase of these crashes, we are investigating them and trying to find a fix. We suspect the problem is related to multiprocess access to the file.

[kiburtse]

@nicola-cab does it make sense to get this realm file? @Cliff-F you can provide one, right? Could you also clarify if your app crashes on realm open on device or the same machine with Realm Studio? Also, what's the version of Studio you're using?

[Cliff-F]

I sent the file to the email address. --- I was developing a Mac Catalyst app (on ventura 13.2（22D49）), and I think the two processes both accessed the same file.
The application I'm developing always crashes when it tries to open the said file. I copied the realm file to an iPad, and the iOS version of the app I'm developing also crashed.
Realm Studio 13.0.2 on the same Mac can open it, but it seems that it cannot edit. When I try to edit, the window becomes all grey. When choosing "Save Data -> Local Ream" on Realm Studio, the broken realm file is fixed and the newly exported file no longer causes crashing.

[nicola-cab]

@nicola-cab does it make sense to get this realm file? @Cliff-F you can provide one, right? Could you also clarify if your app crashes on realm open on device or the same machine with Realm Studio? Also, what's the version of Studio you're using?

Yes, It would be interesting to understand also what the app was doing when things got broken.

[finnschiermer]

@Cliff-F The interesting repro here would be if you could produce again a file which caused crashing. Once the file is corrupt in this way, subsequent crashing is expected. To find the bug we have to get closer to how the file was corrupted in the first place. Can you reproduce a new file which is corrupted? Any clues as to how can be valuable.

[jedelbo]

Another instance of double deallocation, but here the size of the freed array 8 where in the other instances, the size is 56.

[kiburtse]

Actually @ironage already looked at the file:

./realm-trawler-dbg -m LawXML.realm
File name: LawXML.realm
Current top ref: 0x2f16b8
File format version: 23
File size: 6324224
Logical file size: 6.03M
Current version: 270689
Free list size: 176
Free space size: 2.31M
History type: InRealm
History schema version: 0
File ident: 0
State size: 3.72M
*** Overlapping entries:
    0x2fe350..0x2fe358
    0x2fe350..0x2fe358
*** Overlapping entries:
    0x2fe350..0x2fe358
    0x2fe350..0x2fe358
Not and array: 0x2fd908, path: [1, 7]
*** Overlapping entries:
    0x2fe070..0x2fe080
    0x2fe070..0x2fe078
*** Overlapping entries:
    0x2fe070..0x2fe080
    0x2fe078..0x2fe080
*** Overlapping entries:
    0x2ffef0..0x2fff00
    0x2ffef8..0x2fff00
History size: 216
Memory leaked:
    0x5f8a78..0x5f9738

There are some error in free list, so it reads ok but modifying the file hits the assertion. So it's post factum failure. We still need a way to reproduce this corruption.
Finn suggested that it might be something from recent version management or online compaction changes. Or an issue with free space management itself (although the algo hasn't been changed for quite a while).

@Cliff-F could you clarify what these "two processes both accessed the same file" were exactly?
Also, is my understanding correct that only ios version of your app crashes on provided realm file and not the ipad one?

[nicola-cab]

@finnschiermer and @jedelbo why isn't this issue closed as well as all the other issues that are listed in the same category in #6531 ?

[nicola-cab]

Assigning this to @finnschiermer because it is part of his experimentation for the slab allocator corruption bug.