dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License
15.39k stars 4.75k forks

[mono] android crash in `mono_object_handle_isinst` #109410

Open srxqds opened 2 weeks ago

srxqds commented 2 weeks ago

Description

Hit a crash on Android while executing https://github.com/dotnet/runtime/blob/d2a2a79b2eaf66d68a02f35917907bd9fbe97ea7/src/libraries/System.Linq.Expressions/src/System/Dynamic/Utils/ExpressionUtils.cs#L90

A LINQ expression is being built in a thread while the main thread calls GC.Collect.

Reproduction Steps

We can't reproduce it, but it occurs in our production app.

Expected behavior

No crash.

Actual behavior

Crash.

Regression?

I don't know; we use version 8.0.3.

Known Workarounds

No.

Configuration

No response

Other information

The C backtrace:

backtrace:
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20
    x0  b40000721a02ec18  x1  0  x2  716e6fae20  x3  716e6fad9c
    x4  716e6fad48  x5  b4000071d9d5caf0  x6  b4000071d9d269e8  x7  150000
    x8  b40000721a02ec00  x9  1  x10 0  x11 1
    x12 d  x13 b4c340  x14 b4c330  x15 b4000071d9d55310
    x16 71f3768a50  x17 71f36dbae0  x18 71526ce000  x19 b40000721a06c800
    x20 716e6fae20  x21 0  x22 7159b0cc00  x23 b40000721a02ec00
    x24 0  x25 0  x26 b4000071d9d553b0  x27 204000
    x28 716e6fc000  x29 716e6fadb0  lr  71f36caed8  sp  716e6fadb0
    pc  71f36cad98  pst 80001000

    #00 pc 000000000026dd98  /data/app/~~gMT592BO36bs-lquJCj79Q==/com.company.xxx-CUfrVWi9DEvhzM7E9W-VsQ==/lib/arm64/libmonosgen-2.0.so (mono_object_handle_isinst [src/mono/mono/metadata/object.c : 6878 + 0x0]) (BuildId: 42c8b61931986227e9bad5b46aa5cb7748fd9c9b)
    #01 pc 000000000026ded4  /data/app/~~gMT592BO36bs-lquJCj79Q==/com.company.xxx-CUfrVWi9DEvhzM7E9W-VsQ==/lib/arm64/libmonosgen-2.0.so (mono_object_isinst_checked [src/mono/mono/metadata/object.c : 6861 + 0x0]) (BuildId: 42c8b61931986227e9bad5b46aa5cb7748fd9c9b)
    #02 pc 0000000000242b50  /data/app/~~gMT592BO36bs-lquJCj79Q==/com.company.xxx-CUfrVWi9DEvhzM7E9W-VsQ==/lib/arm64/libmonosgen-2.0.so (mono_marshal_isinst_with_cache [src/mono/mono/metadata/marshal.c : 4356 + 0x0]) (BuildId: 42c8b61931986227e9bad5b46aa5cb7748fd9c9b)
    #03 pc 0000000000009f48  <anonymous:732d339000>

We also dumped the C# stack trace at crash time:

=================================================================
    Managed Stacktrace:
=================================================================
      at <unknown> <0xffffffff>
      at System.Object:__icall_wrapper_mono_marshal_isinst_with_cache in System.Private.CoreLib.dll:token 0x0+0xffffffff
      at System.Object:__castclass_with_cache in System.Private.CoreLib.dll:token 0x0+0x2d
      at System.Dynamic.Utils.ExpressionUtils:ReturnObject in System.Linq.Expressions.dll:token 0x6001204+0x0
      at System.Linq.Expressions.Expression2`1:GetParameter in System.Linq.Expressions.dll:token 0x600068a+0xf
      at System.Linq.Expressions.LambdaExpression:System.Linq.Expressions.IParameterProvider.GetParameter in System.Linq.Expressions.dll:token 0x6000665+0x2
      at <GetEnumerator>d__6:MoveNext in System.Linq.Expressions.dll:token 0x6000eea+0x45
      at System.Linq.Expressions.Compiler.CompilerScope:.ctor in System.Linq.Expressions.dll:token 0x6000ea1+0x60
      at System.Linq.Expressions.Compiler.VariableBinder:VisitLambda in System.Linq.Expressions.dll:token 0x600105d+0x14
      at System.Linq.Expressions.Expression`1:Accept in System.Linq.Expressions.dll:token 0x6000677+0x2
      at System.Linq.Expressions.ExpressionVisitor:Visit in System.Linq.Expressions.dll:token 0x60005d5+0x7
      at System.Linq.Expressions.Compiler.VariableBinder:Visit in System.Linq.Expressions.dll:token 0x600105a+0x3c
      at System.Linq.Expressions.Compiler.VariableBinder:Bind in System.Linq.Expressions.dll:token 0x6001058+0x8
      at System.Linq.Expressions.Compiler.LambdaCompiler:AnalyzeLambda in System.Linq.Expressions.dll:token 0x6000f65+0xb
      at System.Linq.Expressions.Compiler.LambdaCompiler:Compile in System.Linq.Expressions.dll:token 0x6000f64+0x8
      at System.Linq.Expressions.Expression`1:Compile in System.Linq.Expressions.dll:token 0x6000672+0x8
      at SpanJson.Formatters.RuntimeFormatter`2:BuildSerializeDelegate in SpanJson.dll:token 0x6000606+0xbc
      at <>c:<Serialize>b__5_0 in SpanJson.dll:token 0x6000700+0x1
      at System.Collections.Concurrent.ConcurrentDictionary`2:GetOrAdd in System.Collections.Concurrent.dll:token 0x60000c9+0x4a
      at SpanJson.Formatters.RuntimeFormatter`2:Serialize in SpanJson.dll:token 0x6000605+0x34
      at Inner`3:InnerSerializeToByteArray in SpanJson.dll:token 0x6000731+0x14
      at SpanJson.Helpers.PreCreateSerializerHelper:SerializeObject in SpanJson.dll:token 0x6000200+0x7
      at <>c__DisplayClass3_0:<PreCreateAsync>b__0 in SpanJson.dll:token 0x600068c+0x14
      at System.Threading.Tasks.Task:InnerInvoke in System.Private.CoreLib.dll:token 0x6003f45+0x10
      at <>c:<.cctor>b__281_0 in System.Private.CoreLib.dll:token 0x6003ff4+0x6
      at System.Threading.ExecutionContext:RunFromThreadPoolDispatchLoop in System.Private.CoreLib.dll:token 0x6003a39+0x17
      at System.Threading.Tasks.Task:ExecuteWithThreadLocal in System.Private.CoreLib.dll:token 0x6003f44+0xae
      at System.Threading.Tasks.Task:ExecuteEntryUnsafe in System.Private.CoreLib.dll:token 0x6003f42+0x32
      at System.Threading.Tasks.Task:ExecuteFromThreadPool in System.Private.CoreLib.dll:token 0x6003f41+0x2
      at System.Threading.ThreadPoolWorkQueue:Dispatch in System.Private.CoreLib.dll:token 0x6003bb7+0x140
      at WorkerThread:WorkerThreadStart in System.Private.CoreLib.dll:token 0x6003d46+0xa1
      at System.Threading.Thread:StartCallback in System.Private.CoreLib.dll:token 0x60038f5+0xe
      at System.Object:runtime_invoke_void__this__ in System.Private.CoreLib.dll:token 0x0+0x32

Maybe the main thread is calling GC.Collect.
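A stress harness for the scenario the report describes (expression trees compiled on thread-pool threads while the main thread forces full collections), added here as an example; it is not the reporter's code and not part of the runtime or SpanJson. The `Sample` type, the string-concat lambda body, the worker count and the iteration count are arbitrary choices made for the harness.

```csharp
using System;
using System.Linq.Expressions;
using System.Threading;
using System.Threading.Tasks;

// Constructed model type for the harness; any class with a couple of properties will do.
public sealed class Sample
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

public static class ExpressionGcStress
{
    // Builds and compiles a small delegate from an expression tree. Going through
    // Expression.Lambda<T>(...).Compile() exercises the LambdaCompiler / VariableBinder /
    // GetParameter path that appears on the managed stack in the report.
    public static Func<Sample, string> BuildDelegate()
    {
        ParameterExpression input = Expression.Parameter(typeof(Sample), "input");

        // Body: input.Id.ToString() + input.Name
        var idToString = Expression.Call(
            Expression.Property(input, nameof(Sample.Id)),
            typeof(int).GetMethod(nameof(int.ToString), Type.EmptyTypes)!);
        var concat = Expression.Call(
            typeof(string).GetMethod(nameof(string.Concat), new[] { typeof(string), typeof(string) })!,
            idToString,
            Expression.Property(input, nameof(Sample.Name)));

        Expression<Func<Sample, string>> lambda =
            Expression.Lambda<Func<Sample, string>>(concat, input);
        return lambda.Compile();
    }

    public static void Main()
    {
        const int workers = 4;      // arbitrary: number of compiling threads
        const int iterations = 2000; // arbitrary: compilations per worker
        long compiled = 0;

        // Worker tasks: repeatedly build, compile and invoke expression trees,
        // the same kind of work a runtime-generated serializer delegate would do.
        var tasks = new Task[workers];
        for (int w = 0; w < workers; w++)
        {
            tasks[w] = Task.Run(() =>
            {
                var sample = new Sample { Id = 42, Name = "x" };
                for (int i = 0; i < iterations; i++)
                {
                    Func<Sample, string> del = BuildDelegate();
                    if (del(sample) != "42x")
                        throw new InvalidOperationException("compiled delegate returned a wrong value");
                    Interlocked.Increment(ref compiled);
                }
            });
        }

        // Main thread: force blocking, compacting full collections while the workers
        // are in the middle of compiling. WaitAll with a timeout returns false until
        // every worker has finished; a faulted worker surfaces as an AggregateException.
        while (!Task.WaitAll(tasks, 10))
        {
            GC.Collect(GC.MaxGeneration, GCCollectionMode.Forced, blocking: true, compacting: true);
        }

        Console.WriteLine($"Compiled and invoked {Interlocked.Read(ref compiled)} delegates without a crash.");
    }
}
```

Run it as a release build on the affected target (Android, Mono runtime) rather than on the desktop CoreCLR, since the crash is in `libmonosgen-2.0.so`. The expected outcome is the final line printing the delegate count; if the process dies instead, the native backtrace should be compared with the one above to confirm it is the same `mono_object_handle_isinst` frame.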

dotnet-policy-service[bot] commented 2 weeks ago

Tagging subscribers to this area: @cston See info in area-owners.md if you want to be subscribed.

srxqds commented 2 weeks ago

@lambdageek can you help figure out this issue?

srxqds commented 2 weeks ago

Why is the `MonoClass*` nullptr (access at offset 0x20) when calling `__icall_wrapper_mono_marshal_isinst_with_cache`? https://github.com/dotnet/runtime/blob/797306fb84b3cab32ddbea1659b93267e98c3140/src/mono/mono/mini/method-to-ir.c#L9606-L9624

CHECK_TYPELOAD will check the `klass` value. Will this be affected by the GC?

srxqds commented 2 weeks ago

The crashing code on the main branch: https://github.com/dotnet/runtime/blob/797306fb84b3cab32ddbea1659b93267e98c3140/src/mono/mono/metadata/object.c#L6809

srxqds commented 2 weeks ago

The reason may be the same as in this issue: https://github.com/dotnet/runtime/issues/109443

Hope it gives you more clues to help analyze.

dotnet-policy-service[bot] commented 2 weeks ago

Tagging subscribers to 'arch-android': @vitek-karas, @simonrozsival, @steveisok, @akoeplinger See info in area-owners.md if you want to be subscribed.

srxqds commented 2 weeks ago

Hi @steveisok, this issue only arises in the production game; it is not found in development.

It has happened many times and has a very bad impact on our project.