scheduler: engine: output_thread: Plug macOS abort on dry-run

[cosmo0920]

This is because macOS's TLS of pthread sometimes returns garbage values when uninitialized.
So, we need to introduce a flag or a magic number to distinguish whether initialized correctly or not.

Closes #11089.

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• Example configuration file for the change

service:
  log_level: debug
pipeline:
  inputs:
  - name: dummy
    tag: test
    invalid_property_that_does_not_exist: some_value
  outputs:
  - name: stdout
    match: '*'

• Debug log output from testing the change

Before this change, the debug log with backtrace is:

luent Bit v4.2.0
* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

______ _                  _    ______ _ _             ___   __  
|  ___| |                | |   | ___ (_) |           /   | /  | 
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   __/ /| | `| | 
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / / /_| |  | | 
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V /\___  |__| |_
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/     |_(_)___/


[2025/11/04 13:13:28.582320000] [ info] Configuration:
[2025/11/04 13:13:28.582325000] [ info]  flush time     | 1.000000 seconds
[2025/11/04 13:13:28.582329000] [ info]  grace          | 5 seconds
[2025/11/04 13:13:28.582331000] [ info]  daemon         | 0
[2025/11/04 13:13:28.582333000] [ info] ___________
[2025/11/04 13:13:28.582335000] [ info]  inputs:
[2025/11/04 13:13:28.582338000] [ info]      dummy
[2025/11/04 13:13:28.582340000] [ info] ___________
[2025/11/04 13:13:28.582342000] [ info]  filters:
[2025/11/04 13:13:28.582344000] [ info] ___________
[2025/11/04 13:13:28.582346000] [ info]  outputs:
[2025/11/04 13:13:28.582349000] [ info]      stdout.0
[2025/11/04 13:13:28.582351000] [ info] ___________
[2025/11/04 13:13:28.582353000] [ info]  collectors:
configuration test is successful
fluent-bit(17919,0x1f14d8800) malloc: *** error for object 0x1f14d8800: pointer being freed was not allocated
fluent-bit(17919,0x1f14d8800) malloc: *** set a breakpoint in malloc_error_break to debug
Process 17919 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x0000000184af25b0 libsystem_kernel.dylib`__pthread_kill + 8
libsystem_kernel.dylib`__pthread_kill:
->  0x184af25b0 <+8>:  b.lo   0x184af25d0    ; <+40>
    0x184af25b4 <+12>: pacibsp 
    0x184af25b8 <+16>: stp    x29, x30, [sp, #-0x10]!
    0x184af25bc <+20>: mov    x29, sp
Target 0: (fluent-bit) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x0000000184af25b0 libsystem_kernel.dylib`__pthread_kill + 8
    frame #1: 0x0000000184b2c888 libsystem_pthread.dylib`pthread_kill + 296
    frame #2: 0x0000000184a32808 libsystem_c.dylib`abort + 124
    frame #3: 0x0000000184931208 libsystem_malloc.dylib`malloc_vreport + 892
    frame #4: 0x0000000184934f38 libsystem_malloc.dylib`malloc_report + 64
    frame #5: 0x0000000184939db8 libsystem_malloc.dylib`___BUG_IN_CLIENT_OF_LIBMALLOC_POINTER_BEING_FREED_WAS_NOT_ALLOCATED + 76
    frame #6: 0x000000010009a128 fluent-bit`flb_free(ptr=0x00000001f14d8800) at flb_mem.h:127:5
    frame #7: 0x0000000100099c30 fluent-bit`flb_engine_shutdown(config=0x00000001055dae60) at flb_engine.c:1232:9
    frame #8: 0x0000000100052f54 fluent-bit`flb_destroy(ctx=0x00000001055dae40) at flb_lib.c:240:13
    frame #9: 0x0000000100006d14 fluent-bit`flb_main_run(argc=4, argv=0x000000016fdff098) at fluent-bit.c:1436:9
    frame #10: 0x00000001000d88c8 fluent-bit`flb_supervisor_run(argc=4, argv=0x000000016fdff098, entry=(fluent-bit`flb_main_run at fluent-bit.c:993)) at flb_supervisor.c:626:16
    frame #11: 0x0000000100005e8c fluent-bit`flb_main(argc=4, argv=0x000000016fdff098) at fluent-bit.c:1564:12
    frame #12: 0x000000010000712c fluent-bit`main(argc=4, argv=0x000000016fdff098) at fluent-bit.c:1572:12
    frame #13: 0x000000018476dd54 dyld`start + 7184

After this change, the debug log became like:

% bin/fluent-bit -c invalid_config.yaml --dry-run
Fluent Bit v4.2.0
* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

______ _                  _    ______ _ _             ___   __  
|  ___| |                | |   | ___ (_) |           /   | /  | 
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   __/ /| | `| | 
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / / /_| |  | | 
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V /\___  |__| |_
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/     |_(_)___/


[2025/11/04 13:29:39.915567000] [ info] Configuration:
[2025/11/04 13:29:39.915580000] [ info]  flush time     | 1.000000 seconds
[2025/11/04 13:29:39.915583000] [ info]  grace          | 5 seconds
[2025/11/04 13:29:39.915585000] [ info]  daemon         | 0
[2025/11/04 13:29:39.915587000] [ info] ___________
[2025/11/04 13:29:39.915589000] [ info]  inputs:
[2025/11/04 13:29:39.915590000] [ info]      dummy
[2025/11/04 13:29:39.915592000] [ info] ___________
[2025/11/04 13:29:39.915593000] [ info]  filters:
[2025/11/04 13:29:39.915595000] [ info] ___________
[2025/11/04 13:29:39.915597000] [ info]  outputs:
[2025/11/04 13:29:39.915598000] [ info]      stdout.0
[2025/11/04 13:29:39.915600000] [ info] ___________
[2025/11/04 13:29:39.915601000] [ info]  collectors:
configuration test is successful

Nothing aborted logs are shown.

• Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• Run local packaging test showing all targets (including any new ones) build.
• Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• Documentation required for this feature

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• Bug Fixes
  • Strengthened validation during engine shutdown to ensure scheduler-related resources are only released when properly initialized, reducing crashes and memory issues.
  • Added the same validation to output-thread cleanup to prevent invalid frees, improving stability during shutdown and concurrent operations.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Added a TLS magic constant and a magic field to the scheduler timer callback params; the field is initialized when params are set and checked before freeing scheduler TLS in engine shutdown and output-thread paths.

Changes

Cohort / File(s)	Summary
TLS magic and struct update include/fluent-bit/flb_scheduler.h	Added #define FLB_SCHED_TLS_MAGIC and expanded struct flb_sched_timer_coro_cb_params with a uint32_t magic field; sched_timer_cb_params_set now assigns FLB_SCHED_TLS_MAGIC to that field.
Shutdown / thread free validation src/flb_engine.c, src/flb_output_thread.c	Updated conditional frees to require both sched_params != NULL and sched_params->magic == FLB_SCHED_TLS_MAGIC before freeing/clearing TLS scheduler params.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Engine
    participant TLS as sched_params (TLS)
    participant Free as free()/cleanup

    rect rgb(211,228,205)
    note over Engine,TLS: Shutdown / output-thread path (validation added)
    Engine->>TLS: check sched_params != NULL
    alt sched_params exists
        Engine->>TLS: check magic == FLB_SCHED_TLS_MAGIC
        alt magic matches
            Engine->>Free: free(sched_params)
            Free-->>Engine: freed
        else magic invalid
            Engine-->>Engine: skip free (no-op)
        end
    else no sched_params
        Engine-->>Engine: no-op
    end
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Verify every allocation/initializer for flb_sched_timer_coro_cb_params sets magic.
• Check all code paths that may free or access sched_params for consistent validation.
• Inspect platform-specific behavior (macOS) around TLS allocation and destruction.

Poem

🐰 I tuck a tiny token bright,
A hop of magic in the night,
I peek before I let things go —
True token found, then free the flow.
Hoppity checks keep memory right.

Pre-merge checks and finishing touches

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: adding a magic number validation to prevent invalid free operations on macOS during dry-run, which directly addresses the crash issue.
Linked Issues check	✅ Passed	The code changes implement the fix for issue #11089 by introducing FLB_SCHED_TLS_MAGIC validation to prevent invalid free of uninitialized TLS data on macOS during shutdown.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the macOS dry-run crash; modifications to header, engine, and output_thread files are all scope-aligned with the TLS validation objective.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch cosmo0920-plug-macOS-abort-on-dry-run

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

include/fluent-bit/flb_scheduler.h (2)

195-195: Consider adding a comment to document the magic constant.

The magic constant lacks documentation explaining its purpose and why this specific value was chosen. This would help future maintainers understand the validation mechanism introduced to fix the macOS TLS garbage issue.

Apply this diff to add documentation:

+/* Magic constant to validate TLS initialization state (fixes macOS garbage data issue) */
 #define FLB_SCHED_TLS_MAGIC 0x53544350u

---

202-202: Use unsigned type for the magic field.

The magic field is declared as int, but the constant FLB_SCHED_TLS_MAGIC is defined as 0x53544350u (unsigned). This type mismatch could lead to sign-related issues or compiler warnings during comparison.

Apply this diff to use a consistent unsigned type:

-    int   magic;
+    unsigned int magic;

or for better portability:

-    int   magic;
+    uint32_t magic;

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fb24892 and 1a598d7.

📒 Files selected for processing (2)

• include/fluent-bit/flb_scheduler.h (2 hunks)
• src/flb_engine.c (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (30)

• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit (Arm64), amd64_arm64, -DCMAKE_SYSTEM_NAME=Windows -DCMA...
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit, x64, x64-windows-static, 3.31.6)
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 32bit, x86, x86-windows-static, 3.31.6)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_ARROW=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_COVERAGE=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, gcc, g++)
• GitHub Check: PR - fuzzing test
• GitHub Check: pr-compile-without-cxx (3.31.6)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-24.04, clang-14)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-22.04, clang-12)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-24.04, clang-14)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-22.04, clang-12)
• GitHub Check: pr-compile-centos-7

🔇 Additional comments (2)

include/fluent-bit/flb_scheduler.h (1)

265-265: LGTM: Magic field initialization is correctly placed.

The magic constant is set after successful parameter allocation and before storing in TLS, ensuring only properly initialized structures contain the magic value. This validates the TLS state during shutdown and prevents freeing garbage data on macOS.

src/flb_engine.c (1)

1230-1234: No issues found; code validation is correct.

The verification confirms that the magic field validation in flb_engine.c (lines 1231-1234) is appropriate and safe. All code paths that allocate and set sched_timer_coro_cb_params via TLS initialize the magic field unconditionally (in flb_scheduler.h:267, always preceded by magic = FLB_SCHED_TLS_MAGIC at line 265). This makes the memory leak concern invalid—the validation logic correctly prevents freeing invalid or garbage TLS data that lacks the proper magic marker, which is exactly the intended defense against the macOS abort issue.

[edsiper]

lets double check this

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

include/fluent-bit/flb_scheduler.h (1)

271-288: Consider adding defensive magic validation.

While the normal execution flow ensures params is initialized before sched_timer_coro_cb_run is called, adding a magic check after the NULL check would provide defense-in-depth against the same TLS garbage-pointer issue on macOS.

Apply this diff for added safety:

 static FLB_INLINE void sched_timer_coro_cb_run(void)
 {
     struct flb_coro *coro;
     struct flb_sched_timer *timer;
     struct flb_sched_timer_coro_cb_params *params;
 
     params = (struct flb_sched_timer_coro_cb_params *) FLB_TLS_GET(sched_timer_coro_cb_params);
-    if (!params) {
+    if (!params || params->magic != FLB_SCHED_TLS_MAGIC) {
         return;
     }
 
     coro = params->coro;

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c281ecc and d6990f3.

📒 Files selected for processing (1)

• include/fluent-bit/flb_scheduler.h (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (30)

• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit (Arm64), amd64_arm64, -DCMAKE_SYSTEM_NAME=Windows -DCMA...
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit, x64, x64-windows-static, 3.31.6)
• GitHub Check: pr-windows-build / call-build-windows-package (Windows 32bit, x86, x86-windows-static, 3.31.6)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_ARROW=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_COVERAGE=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, clang, clang++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, gcc, g++)
• GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, clang, clang++)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-24.04, clang-14)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-24.04, clang-14)
• GitHub Check: pr-compile-without-cxx (3.31.6)
• GitHub Check: pr-compile-centos-7
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-22.04, clang-12)
• GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-22.04, clang-12)
• GitHub Check: PR - fuzzing test

🔇 Additional comments (4)

include/fluent-bit/flb_scheduler.h (4)

195-195: LGTM! Well-chosen magic constant.

The magic value 0x53544350u ("STCP" in ASCII) provides a reliable sentinel to distinguish initialized TLS from garbage pointers on macOS. The value is distinct and unlikely to match uninitialized memory.

---

202-202: LGTM! Magic field properly added.

The uint32_t magic field correctly matches the type of FLB_SCHED_TLS_MAGIC and integrates cleanly into the flb_sched_timer_coro_cb_params structure.

---

265-265: LGTM! Magic properly initialized.

The magic field is correctly set after allocation and field initialization, but before storing in TLS. This ensures the sentinel is always present in properly initialized params.

---

195-203: No issues found — cleanup paths properly validate magic sentinel.

Verification confirms that all cleanup paths in both src/flb_output_thread.c (line 405) and src/flb_engine.c (line 1231) now correctly validate the magic field before calling flb_free. The past concern about src/flb_output_thread.c has been resolved.