Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segfault in gc_heap::get_region_plan_gen_num for a frozen object #63778

Closed
MichalStrehovsky opened this issue Jan 14, 2022 · 4 comments · Fixed by #63828
Closed

Segfault in gc_heap::get_region_plan_gen_num for a frozen object #63778

MichalStrehovsky opened this issue Jan 14, 2022 · 4 comments · Fixed by #63828
Assignees
@cshung
Labels
area-GC-coreclr
Milestone
7.0.0

Comments

@MichalStrehovsky
Copy link
Member

I'm seeing a segfault in gc_heap::get_region_plan_gen_num when trying to dereference the return value of heap_segment_plan_gen_num when processing a frozen object. It looks like the int& returned from heap_segment_plan_gen_num doesn't point anywhere useful.

Obj is a frozen string at the point of the crash. This is NativeAOT, obviously.

I also have a crashdump with a repro EXE if this is not enough to troubleshoot.

>	System.Collections.Tests.exe!WKS::gc_heap::get_region_plan_gen_num(unsigned char * obj) Line 11257	C++
 	System.Collections.Tests.exe!WKS::gc_heap::check_demotion_helper_sip(unsigned char * * pval, int parent_gen_num, unsigned char * parent_loc) Line 30140	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_advance_to_non_sip(WKS::heap_segment * region) Line 30186	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_survivors(int condemned_gen_number, unsigned char * first_condemned_address) Line 31296	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_phase(int condemned_gen_number, unsigned char * first_condemned_address) Line 31714	C++
 	System.Collections.Tests.exe!WKS::gc_heap::plan_phase(int condemned_gen_number) Line 29005	C++
 	System.Collections.Tests.exe!WKS::gc_heap::gc1() Line 20353	C++
 	System.Collections.Tests.exe!WKS::gc_heap::garbage_collect(int n) Line 22032	C++
 	System.Collections.Tests.exe!WKS::GCHeap::GarbageCollectGeneration(unsigned int gen, gc_reason reason) Line 45098	C++
 	System.Collections.Tests.exe!WKS::gc_heap::trigger_gc_for_alloc(int gen_number, gc_reason gr, WKS::GCDebugSpinLock * msl, bool loh_p, WKS::msl_take_state take_state) Line 17083	C++
 	System.Collections.Tests.exe!WKS::gc_heap::try_allocate_more_space(alloc_context * acontext, unsigned __int64 size, unsigned int flags, int gen_number) Line 17229	C++
 	System.Collections.Tests.exe!WKS::gc_heap::allocate_more_space(alloc_context * acontext, unsigned __int64 size, unsigned int flags, int alloc_generation_number) Line 17693	C++
 	System.Collections.Tests.exe!WKS::gc_heap::allocate(unsigned __int64 jsize, alloc_context * acontext, unsigned int flags) Line 17724	C++
 	System.Collections.Tests.exe!WKS::GCHeap::Alloc(gc_alloc_context * context, unsigned __int64 size, unsigned int flags) Line 44055	C++
 	System.Collections.Tests.exe!GcAllocInternal(MethodTable * pEEType, unsigned int uFlags, unsigned __int64 numElements, Thread * pThread) Line 267	C++
 	System.Collections.Tests.exe!RhpGcAlloc(MethodTable * pEEType, unsigned int uFlags, unsigned __int64 numElements, void * pTransitionFrame) Line 304	C++
@ghost
Copy link

ghost commented Jan 14, 2022

Tagging subscribers to this area: @dotnet/gc
See info in area-owners.md if you want to be subscribed.

Issue Details

I'm seeing a segfault in gc_heap::get_region_plan_gen_num when trying to dereference the return value of heap_segment_plan_gen_num when processing a frozen object. It looks like the int& returned from heap_segment_plan_gen_num doesn't point anywhere useful.

Obj is a frozen string at the point of the crash. This is NativeAOT, obviously.

I also have a crashdump with a repro EXE if this is not enough to troubleshoot.

>	System.Collections.Tests.exe!WKS::gc_heap::get_region_plan_gen_num(unsigned char * obj) Line 11257	C++
 	System.Collections.Tests.exe!WKS::gc_heap::check_demotion_helper_sip(unsigned char * * pval, int parent_gen_num, unsigned char * parent_loc) Line 30140	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_advance_to_non_sip(WKS::heap_segment * region) Line 30186	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_survivors(int condemned_gen_number, unsigned char * first_condemned_address) Line 31296	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_phase(int condemned_gen_number, unsigned char * first_condemned_address) Line 31714	C++
 	System.Collections.Tests.exe!WKS::gc_heap::plan_phase(int condemned_gen_number) Line 29005	C++
 	System.Collections.Tests.exe!WKS::gc_heap::gc1() Line 20353	C++
 	System.Collections.Tests.exe!WKS::gc_heap::garbage_collect(int n) Line 22032	C++
 	System.Collections.Tests.exe!WKS::GCHeap::GarbageCollectGeneration(unsigned int gen, gc_reason reason) Line 45098	C++
 	System.Collections.Tests.exe!WKS::gc_heap::trigger_gc_for_alloc(int gen_number, gc_reason gr, WKS::GCDebugSpinLock * msl, bool loh_p, WKS::msl_take_state take_state) Line 17083	C++
 	System.Collections.Tests.exe!WKS::gc_heap::try_allocate_more_space(alloc_context * acontext, unsigned __int64 size, unsigned int flags, int gen_number) Line 17229	C++
 	System.Collections.Tests.exe!WKS::gc_heap::allocate_more_space(alloc_context * acontext, unsigned __int64 size, unsigned int flags, int alloc_generation_number) Line 17693	C++
 	System.Collections.Tests.exe!WKS::gc_heap::allocate(unsigned __int64 jsize, alloc_context * acontext, unsigned int flags) Line 17724	C++
 	System.Collections.Tests.exe!WKS::GCHeap::Alloc(gc_alloc_context * context, unsigned __int64 size, unsigned int flags) Line 44055	C++
 	System.Collections.Tests.exe!GcAllocInternal(MethodTable * pEEType, unsigned int uFlags, unsigned __int64 numElements, Thread * pThread) Line 267	C++
 	System.Collections.Tests.exe!RhpGcAlloc(MethodTable * pEEType, unsigned int uFlags, unsigned __int64 numElements, void * pTransitionFrame) Line 304	C++
Author: MichalStrehovsky
Assignees: -
Labels:

area-GC-coreclr
Milestone: -

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Jan 14, 2022
@MichalStrehovsky MichalStrehovsky mentioned this issue Jan 14, 2022
Merged
@mangod9
Copy link
Member

mangod9 commented Jan 14, 2022

Thanks for reporting this @MichalStrehovsky. Is this a consistent or intermittent failure?

@MichalStrehovsky
Copy link
Member Author

I ran the test app twice and I hit it twice, so looks pretty consistent.

@mangod9 mangod9 removed the untriaged New issue has not been triaged by the area owner label Jan 14, 2022
@mangod9 mangod9 added this to the 7.0.0 milestone Jan 14, 2022
@mangod9
Copy link
Member

mangod9 commented Jan 14, 2022

ok we will investigate.

@MichalStrehovsky MichalStrehovsky mentioned this issue Jan 14, 2022
Merged
@cshung cshung self-assigned this Jan 15, 2022
@cshung cshung mentioned this issue Jan 15, 2022
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Jan 15, 2022
This was referenced Jan 17, 2022
Closed
Closed
@jkotas jkotas mentioned this issue Jan 18, 2022
Closed
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Jan 20, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Feb 19, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@cshung cshung

Labels
area-GC-coreclr
Projects
None yet
Milestone
7.0.0
Development

Successfully merging a pull request may close this issue.

Check if the child object is in the heap range before get_region_plan_gen_num cshung/runtime
3 participants
@cshung @MichalStrehovsky @mangod9