dotnet / runtime


[wasm] V8 crash with AOT for `System.Runtime.InteropServices.JavaScript.Tests` #78972

Closed radical closed 1 year ago

radical commented 1 year ago

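This is breaking on rolling builds. [Build](https://dev.azure.com/dnceng-public/public/_build/results?buildId=95931&view=logs&j=58dc7ccb-0414-5dd3-62a5-bf2e63258b7c&t=1a5c781f-8921-5969-0583-203a5fad54cb), and [log](https://helixre107v0xdeko0k025g8.blob.core.windows.net/dotnet-runtime-refs-heads-main-b4997cd09e06441f8a/normal-System.Runtime.InteropServices.JavaScript.Tests/1/console.49ca089a.log?helixlogtype=result):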

Using random seed for collections: 287614867
Starting:    System.Runtime.InteropServices.JavaScript.Tests.dll
Error: [MONO] * Assertion: should not be reached at /__w/1/s/src/mono/mono/mini/../sgen/sgen-scan-object.h:93

    at $e (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:509)
    at Me (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:792)
    at wasm_trace_logger (<anonymous>:wasm-function[73338]:0xd54952)
    at eglib_log_adapter (<anonymous>:wasm-function[61106]:0xbf38a6)
    at monoeg_g_logstr (<anonymous>:wasm-function[72522]:0xd3a402)
    at monoeg_g_logv_nofree (<anonymous>:wasm-function[72520]:0xd3a3b1)
    at monoeg_assertion_message (<anonymous>:wasm-function[72525]:0xd3a481)
    at mono_assertion_message_unreachable (<anonymous>:wasm-function[72528]:0xd3a4f0)
    at major_scan_object_no_evacuation (<anonymous>:wasm-function[62090]:0xc0e0ec)
    at drain_gray_stack_no_evacuation (<anonymous>:wasm-function[62061]:0xc0bed2)
    at drain_gray_stack (<anonymous>:wasm-function[62025]:0xc08b8a)
    at sgen_drain_gray_stack (<anonymous>:wasm-function[61715]:0xbffc3f)
    at finish_gray_stack (<anonymous>:wasm-function[61808]:0xc02dc5)
    at major_finish_collection (<anonymous>:wasm-function[61810]:0xc030d8)
    at major_do_collection (<anonymous>:wasm-function[61737]:0xc0099f)
    at sgen_perform_collection_inner (<anonymous>:wasm-function[61732]:0xc00275)
    at sgen_perform_collection (<anonymous>:wasm-function[61730]:0xc00166)
    at sgen_ensure_free_space (<anonymous>:wasm-function[61729]:0xc000f6)
    at sgen_los_alloc_large_inner (<anonymous>:wasm-function[61948]:0xc062d6)
    at sgen_alloc_obj_nolock (<anonymous>:wasm-function[61590]:0xbfdb18)
    at mono_gc_alloc_string (<anonymous>:wasm-function[60799]:0xbe81cb)
    at mono_gc_alloc_handle_string (<anonymous>:wasm-function[60612]:0xbe4e78)
    at mono_string_new_size_handle (<anonymous>:wasm-function[59346]:0xbc5a95)
    at mono_string_new_size_checked (<anonymous>:wasm-function[59345]:0xbc59fd)
    at mono_string_new_utf16_checked (<anonymous>:wasm-function[59498]:0xbc9c6d)
    at mono_string_new_utf16 (<anonymous>:wasm-function[59497]:0xbc9c47)
    at mono_wasm_string_from_utf16_ref (<anonymous>:wasm-function[73354]:0xd54b18)
    at Object.Module._mono_wasm_string_from_utf16_ref [as mono_wasm_string_from_utf16_ref] (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:7000:141)
    at Ss (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:81927)
    at ks (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:81774)
    at hi (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:89993)
    at mi (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:89949)
    at /datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:88478
    at e (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:108370)
    at Ta (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:109070)
    at aot_wrapper_System_dot_Runtime_dot_InteropServices_dot_JavaScript_System_dot_Runtime_dot_InteropServices_dot_JavaScript__Interop_sl_Runtime__InvokeImport_pinvoke_void_iicl7_void_2a_void_iicl7_void_2a_ (<anonymous>:wasm-function[38011]:0x798690)
    at System_Runtime_InteropServices_JavaScript_System_Runtime_InteropServices_JavaScript_JavaScriptImports_GetPropertyAsString_System_Runtime_InteropServices_JavaScript_JSObject_string (<anonymous>:wasm-function[38035]:0x79a313)
    at System_Runtime_InteropServices_JavaScript_System_Runtime_InteropServices_JavaScript_JSException_get_StackTrace (<anonymous>:wasm-function[38425]:0x7ae544)
    at System_Runtime_InteropServices_JavaScript_Tests_System_Runtime_InteropServices_JavaScript_Tests_JSImportExportTest_JsImportTest_T_REF_T_REF_System_Action_1_T_REF_System_Func_1_T_REF_System_Func_2_T_REF_T_REF_System_Func_2_T_REF_T_REF_System_Func_2_T_REF_bool_string_string (<anonymous>:wasm-function[40315]:0x8326cd)
    at System_Runtime_InteropServices_JavaScript_Tests_System_Runtime_InteropServices_JavaScript_Tests_JSImportExportTest_JSImportException_System_Exception_string (<anonymous>:wasm-function[40329]:0x8346b9)
    at corlib_aot_wrapper_gsharedvt_out_sig_void_this_objobj (<anonymous>:wasm-function[32452]:0x6b163b)
    at jit_call_cb (<anonymous>:wasm-function[54404]:0xb32c2c)
    at i (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:158818)
    at do_jit_call (<anonymous>:wasm-function[54338]:0xb3143e)
    at mono_interp_exec_method (<anonymous>:wasm-function[54319]:0xb246b0)
    at interp_runtime_invoke (<anonymous>:wasm-function[54456]:0xb33dd9)
    at mono_jit_runtime_invoke (<anonymous>:wasm-function[71496]:0xd165a0)
    at do_runtime_invoke (<anonymous>:wasm-function[59301]:0xbc4473)
    at mono_runtime_invoke_checked (<anonymous>:wasm-function[59299]:0xbc441b)
    at mono_runtime_try_invoke_byrefs (<anonymous>:wasm-function[59466]:0xbc9008)
    at ves_icall_InternalInvoke (<anonymous>:wasm-function[58135]:0xba1f65)
    at ves_icall_InternalInvoke_raw (<anonymous>:wasm-function[58288]:0xba6f4b)
    at aot_wrapper_corlib_System_dot_Reflection_System_dot_Reflection_dot_RuntimeMethodInfo__InternalInvoke_pinvoke_obj_this_objcl9_intptr_2a_bclsc_Exception_26__attrs_2obj_cls1d_Reflection_dRuntimeMethodInfo_objcl9_intptr_2a_bclsc_Exception_26__attrs_2 (<anonymous>:wasm-function[25275]:0x57fb1c)
    at corlib_System_Reflection_MethodInvoker_InterpretedInvoke_object_intptr_ (<anonymous>:wasm-function[25274]:0x57fa97)
    at invoke_iiiii (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:8137:36)
    at corlib_System_Reflection_MethodInvoker_Invoke_object_intptr__System_Reflection_BindingFlags (<anonymous>:wasm-function[25277]:0x57fd42)
    at corlib_System_Reflection_RuntimeMethodInfo_Invoke_object_System_Reflection_BindingFlags_System_Reflection_Binder_object___System_Globalization_CultureInfo (<anonymous>:wasm-function[25432]:0x585d37)
    at xunit_execution_dotnet_Xunit_Sdk_TestInvoker_1_TTestCase_REF_CallTestMethod_object (<anonymous>:wasm-function[49413]:0xa2d4b4)
    at invoke_iiii (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:8049:36)
    at xunit_execution_dotnet_Xunit_Sdk_TestInvoker_1__c__DisplayClass48_0___InvokeTestMethodAsyncb__1d_TTestCase_REF_MoveNext (<anonymous>:wasm-function[49431]:0xa2fd2d)
    at corlib_aot_wrapper_gsharedvt_out_sig_pinvoke_void_this_ (<anonymous>:wasm-function[31962]:0x6a9b6c)
    at jit_call_cb (<anonymous>:wasm-function[54404]:0xb32c01)
    at i (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:158818)
    at do_jit_call (<anonymous>:wasm-function[54338]:0xb3143e)
    at mono_interp_exec_method (<anonymous>:wasm-function[54319]:0xb246b0)
    at interp_runtime_invoke (<anonymous>:wasm-function[54456]:0xb33dd9)
    at mono_jit_runtime_invoke (<anonymous>:wasm-function[71496]:0xd165a0)
    at do_runtime_invoke (<anonymous>:wasm-function[59301]:0xbc4473)
    at mono_runtime_invoke_checked (<anonymous>:wasm-function[59299]:0xbc441b)
    at mono_gsharedvt_constrained_call (<anonymous>:wasm-function[71643]:0xd1a8db)
    at aot_wrapper_icall_mono_gsharedvt_constrained_call (<anonymous>:wasm-function[28009]:0x5fa6c5)

...

(/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:7420:108)
    at jl (/datadisks/disk1/work/AD8909A6/w/ACB6096D/e/wasm_build/AppBundle/dotnet.js:5:143128)
Process v8 exited with 1

Full trace is at https://gist.github.com/radical/03fe923e8cc760fc0853b7b8fe1b0aeb .

cc @pavelsavara @maraf @vargaz I think this might be related to https://github.com/dotnet/runtime/issues/77334 which is getting hit regularly on CI.

Report

Summary

| 24-Hour Hit Count | 7-Day Hit Count | 1-Month Count |
| --- | --- | --- |
| 0 | 0 | 0 |

ghost commented 1 year ago

Tagging subscribers to 'arch-wasm': @lewing See info in area-owners.md if you want to be subscribed.

Issue Details
Author: radical
Assignees: -
Labels: `arch-wasm`, `blocking-clean-ci`, `test-failure`
Milestone: -

lewing commented 1 year ago

cc @pavelsavara

vargaz commented 1 year ago

Findings:

marshal-to-cs.ts, in _marshal_cs_object_to_cs () there is this case:

            else if (value instanceof Error) {
                set_arg_type(arg, MarshalerType.JSException);
                const js_handle = mono_wasm_get_js_handle(value);
                set_js_handle(arg, js_handle);
            }

In JSMarshalerArgument.Exception.cs, this is decoded as:

            JSObject? jsException = null;
            if (slot.JSHandle != IntPtr.Zero)
            {
                // this is JSException round-trip
                jsException = JSHostImplementation.CreateCSOwnedProxy(slot.JSHandle);
            }

            string? message;
            ToManaged(out message);

So the sender doesn't set the message param that the receiver is trying to decode. Is that a bug? The JSMarshalerArgument struct is allocated using localloc, so it's not initialized, so ToManaged(out string) tries to read a random value here:

            fixed (void* argAsRoot = &slot.IntPtrValue)
            {
                value = Unsafe.AsRef<string>(argAsRoot);
            }

creating a random object reference.
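
The mismatch described in the findings above, as an added example that is not part of the original comment or of the dotnet/runtime code: a JavaScript model of the argument slot in which the sender sets only the type and JS handle, the receiver still decodes a message reference, and leftover bytes in an unzeroed slot become that reference. The slot offsets, type code, addresses and the `gcScan` stand-in are assumptions made for the illustration.

```javascript
// Constructed model: slot layout, type code and addresses are assumptions
// for illustration, not the runtime's real values.
const SLOT_SIZE = 16, OFF_VALUE = 0, OFF_JS_HANDLE = 4, OFF_TYPE = 12;
const TYPE_JS_EXCEPTION = 1;
const heap = new DataView(new ArrayBuffer(256));
const liveObjects = new Set([0x40]);   // addresses that hold a valid object
const SLOT_ADDR = 0x80;                // reused "stack" location for the slot

// localloc-like allocation: hands out stack space, clearing it only if asked.
function allocSlot(zero) {
  if (zero) for (let i = 0; i < SLOT_SIZE; i++) heap.setUint8(SLOT_ADDR + i, 0);
  return SLOT_ADDR;
}

// Models the sender quoted in the thread: only type and JS handle are set.
function sendError(slot, jsHandle) {
  heap.setUint8(slot + OFF_TYPE, TYPE_JS_EXCEPTION);
  heap.setUint32(slot + OFF_JS_HANDLE, jsHandle, true);
}

// Hardened sender: also writes a null for the field the receiver decodes.
function sendErrorWithNullMessage(slot, jsHandle) {
  heap.setUint32(slot + OFF_VALUE, 0, true);
  sendError(slot, jsHandle);
}

// Models the receiver: reads the handle, then always decodes a message reference.
function receiveException(slot) {
  return {
    jsHandle: heap.getUint32(slot + OFF_JS_HANDLE, true),
    messageRef: heap.getUint32(slot + OFF_VALUE, true),
  };
}

// Stand-in for the collector: a non-null reference must point at a real object.
function gcScan(ref) {
  if (ref !== 0 && !liveObjects.has(ref)) return "assertion: invalid object";
  return "ok";
}

// An earlier call leaves bytes behind in the slot, then the Error is marshaled.
function roundTrip(sender, zeroOnAlloc) {
  heap.setUint32(SLOT_ADDR + OFF_VALUE, 0x1234abcd, true); // stale leftover
  const slot = allocSlot(zeroOnAlloc);
  sender(slot, 7);
  const decoded = receiveException(slot);
  return { ...decoded, gc: gcScan(decoded.messageRef) };
}

console.log(roundTrip(sendError, false));                // stale reference reaches the GC
console.log(roundTrip(sendErrorWithNullMessage, false)); // sender writes null
console.log(roundTrip(sendError, true));                 // allocation is zeroed
```

In the model the failure surfaces in `gcScan`, not in the marshaling code, which matches a stack trace that ends in the collector rather than at the decode site.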

pavelsavara commented 1 year ago

I'm on it

pavelsavara commented 1 year ago

Bug for sure, many thanks!

This should only happen when somebody is returning a JavaScript Error instance as on JSImport with System.Object return type. The test which we have the stack trace for is JSImportException, which is only marshaling via strongly typed System.Exception and marshal_exception_to_cs. @vargaz I wonder if the random reference could have survived in memory from some of the previous tests.

Could such memory corruption also cause https://github.com/dotnet/runtime/issues/77334 ?