Bug 2644 - SIGSEGV in emit_move_return_value
Summary: SIGSEGV in emit_move_return_value
Status: RESOLVED DUPLICATE of bug 2642
Alias: None
Product: Runtime
Classification: Mono
Component: JIT ()
Version: unspecified
Hardware: PC Linux
Importance: --- normal
Target Milestone: ---
Assignee: Bugzilla
URL:
Depends on:
Blocks:
 
Reported: 2011-12-27 03:27 UTC by Bassam
Modified: 2012-03-28 17:42 UTC (History)

Tags:
Is this bug a regression?: ---
Last known good build:

Description Bassam 2011-12-27 03:27:34 UTC
We are seeing a SIGSEGV raised on our ASP.NET farm running on "Intel(R) Xeon(R) CPU E31270" processors. We build mono from the mono-2-10 branch.

Program terminated with signal 6, Aborted.
#0  0x00007fede81a6165 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
	in ../nptl/sysdeps/unix/sysv/linux/raise.c
#0  0x00007fede81a6165 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007fede81a8f70 in *__GI_abort () at abort.c:92
#2  0x00000000004933d0 in mono_handle_native_sigsegv (signal=-2147243768, ctx=<value optimized out>) at mini-exceptions.c:2246
#3  0x00000000004e6c9d in mono_arch_handle_altstack_exception (sigctx=0x7fede0fdeac0, fault_addr=<value optimized out>, 
    stack_ovf=0) at exceptions-amd64.c:957
#4  0x00000000004176e4 in mono_sigsegv_signal_handler (_dummy=11, info=0x7fede0fdebf0, context=0x7fede0fdeac0) at mini.c:5882
#5  <signal handler called>
#6  emit_move_return_value (cfg=0x7fed800135a0, ins=<value optimized out>, code=0x7fed8007aa01 "\270\003\200\355\177")
    at mini-amd64.c:3564
#7  0x00000000004d4e49 in mono_arch_output_basic_block (cfg=0x7fed800135a0, bb=0x7fed80042698) at mini-amd64.c:4716
#8  0x000000000041840b in mono_codegen (cfg=0x7fed800135a0) at mini.c:3631
#9  0x000000000041d396 in mini_method_compile (method=0x7feddc4689d8, opts=51472895, domain=0x7fede8e65cc0, 
    run_cctors=<value optimized out>, compile_aot=<value optimized out>, parts=0) at mini.c:4873
#10 0x000000000041e818 in mono_jit_compile_method_inner (method=0x7feddc4689d8, opt=51472895, ex=0x7fede11dcee8) at mini.c:5155
#11 mono_jit_compile_method_with_opt (method=0x7feddc4689d8, opt=51472895, ex=0x7fede11dcee8) at mini.c:5379
#12 0x000000000041eede in mono_jit_compile_method (method=0x0) at mini.c:5404
#13 0x0000000000496fef in common_call_trampoline (regs=0x7fede11dd1d8, code=0x41d6e342 "\351\025\001", m=0x7feddc4689d8, 
    tramp=<value optimized out>, vt=0x7feddc453f08, vtable_slot=0x7feddc453f68, need_rgctx_tramp=0) at mini-trampolines.c:492
#14 0x0000000000497838 in mono_vcall_trampoline (regs=0x7fede11dd1d8, code=0x41d6e342 "\351\025\001", slot=<value optimized out>, 
    tramp=0x41e8c03c "\350\017:`\377\004\004") at mini-trampolines.c:671
#15 0x000000004148fbba in ?? ()
#16 0x3883d38b48f88b48 in ?? ()
#17 0x8b480000002fe800 in ?? ()
#18 0x0000010141867684 in ?? ()
#19 0x0000000000000000 in ?? ()

Not sure if this is related to bug 2642 or not. Here is some debug information:

(gdb) frame 7
#7  0x00000000004d4e49 in mono_arch_output_basic_block (cfg=0x7f396c05d8c0, bb=0x7f396c062028) at mini-amd64.c:4716
4716    mini-amd64.c: No such file or directory.
        in mini-amd64.c
(gdb) p *ins
$2 = {opcode = 359, type = 7 '\a', flags = 129 '\201', dreg = -1, sreg1 = 0, sreg2 = -1, sreg3 = -1, next = 0x7f396c06b850,
  prev = 0x7f396c06b7b0, data = {op = {{src = 0x120, var = 0x120, const_val = 288, p = 0x120, method = 0x120, signature = 0x120,
        many_blocks = 0x120, target_block = 0x120, args = 0x120, vtype = 0x120, klass = 0x120, phi_args = 0x120,
        call_inst = 0x120, exception_clause = 0x120}, {src = 0x0, var = 0x0, const_val = 0, p = 0x0, method = 0x0,
        signature = 0x0, many_blocks = 0x0, target_block = 0x0, args = 0x0, vtype = 0x0, klass = 0x0, phi_args = 0x0,
        call_inst = 0x0, exception_clause = 0x0}}, i8const = 288, r8const = 1.42290906002279e-321},
  cil_code = 0x7f39c603d9b9 <Address 0x7f39c603d9b9 out of bounds>, backend = {reg3 = 671, arg_info = 671, size = 671,
    memcpy_args = 0x29f, data = 0x29f, shift_amount = 671, is_pinvoke = 671, record_cast_details = 671, spill_var = 0x29f,
    source_opcode = 671, pc_offset = 671}, klass = 0x169bd40}
(gdb) p ins->opcode
$3 = 359
(gdb) p code
$4 = (guint8 *) 0x0
(gdb) p *cfg
$6 = {method = 0x16a2e40, header = 0x7f396c00fba0, mempool = 0x7f396c060800, varinfo = 0x7f396c005290, vars = 0x7f396c00cfc0,
  ret = 0x0, bb_entry = 0x7f396c061418, bb_exit = 0x7f396c061540, bb_init = 0x7f396c070d50, bblocks = 0x7f396c007390,
  cil_offset_to_bb = 0x7f396c060de8, state_pool = 0x0, cbb = 0x7f396c061dd8, prev_ins = 0x0, patch_info = 0x7f396c04c9f0,
  jit_info = 0x0, dynamic_info = 0x0, num_bblocks = 69, max_block_num = 119, locals_start = 3, num_varinfo = 36,
  varinfo_count = 64, stack_offset = 248, max_ireg = 0, cil_offset_to_bb_len = 195, rs = 0x7f396c004b90, spill_info = {
    0x7f396c04c340, 0x0 <repeats 15 times>}, spill_count = 0, spill_info_len = {16, 0 <repeats 15 times>}, inlined_method = 0x0,
  domainvar = 0x0, got_var = 0x0, locals = 0x7f396c060a78, rgctx_var = 0x0, args = 0x7f396c060870, arg_types = 0x7f396c061400,
  current_method = 0x16a2e40, method_to_register = 0x16a2e40, generic_context = 0x0, vret_addr = 0x0, ip = 0x0,
  aliasing_info = 0x0, spvars = 0x7f396c062810, exvars = 0x7f396c05d5a0, ldstr_list = 0x0, domain = 0x7f39d4c0fcc0,
  real_offset = 194, cbb_hash = 0x0, next_vreg = 324, generic_sharing_context = 0x0,
  cil_start = 0x7f39c603d974 <Address 0x7f39c603d974 out of bounds>,
  native_code = 0x7f396c050b30 "UH\213\354SATAUAVAWH\201\354", <incomplete sequence \330>, code_size = 10240, code_len = 648,
  prolog_end = 41, epilog_begin = 0, used_int_regs = 61448, opt = 51472895, prof_options = 0, flags = 262, comp_done = 275,
  verbose_level = 0, stack_usage = 0, param_area = 0, frame_reg = 5, sig_cookie = 0, disable_aot = 0, disable_ssa = 0,
  disable_llvm = 0, enable_extended_bblocks = 0, run_cctors = 1, need_lmf_area = 0, compile_aot = 0, compile_llvm = 0,
  got_var_allocated = 0, ret_var_is_local = 0, ret_var_set = 0, globalra = 0, unverifiable = 0, skip_visibility = 0,
  disable_reuse_registers = 0, disable_reuse_stack_slots = 0, disable_reuse_ref_stack_slots = 0,
  disable_ref_noref_stack_slot_share = 0, disable_initlocals_opt = 0, disable_initlocals_opt_refs = 0, disable_omit_fp = 0,
  disable_vreg_to_lvreg = 0, disable_deadce_vars = 0, disable_out_of_line_bblocks = 0, gen_write_barriers = 0, init_ref_vars = 0,
  extend_live_ranges = 0, compute_precise_live_ranges = 0, has_got_slots = 0, uses_rgctx_reg = 0, uses_vtable_reg = 0,
  uses_simd_intrinsics = 0, keep_cil_nops = 0, gen_seq_points = 0, explicit_null_checks = 0, compute_gc_maps = 0,
  soft_breakpoints = 0, debug_info = 0x0, lmf_offset = 0, intvars = 0x7f396c060830, coverage_info = 0x0,
  token_info_hash = 0x7f396c011440, arch = {lmf_offset = 0, localloc_offset = 0, reg_save_area_offset = 0, stack_alloc_size = 216,
    sp_fp_offset = 256, omit_fp = 0, omit_fp_computed = 1, no_pushes = 1, cinfo = 0x7f396c060d38, async_point_count = 0,
    vret_addr_loc = 0x0, ss_trigger_page_var = 0x0}, inline_depth = 0, exception_type = 0, exception_data = 0,
  exception_message = 0x0, exception_ptr = 0x0, encoded_unwind_ops = 0x0, encoded_unwind_ops_len = 0, unwind_ops = 0x7f396c04c520,
  reginfo = 0x7f396c04cb20, reginfo_len = 1024, vreg_to_inst = 0x7f396c06ae20, vreg_to_inst_len = 256, vreg_is_ref = 0x0,
  vreg_is_ref_len = 0, vreg_is_mp = 0x0, vreg_is_mp_len = 0, orig_method = 0x16a2e40, abs_patches = 0x0,
  tailcall_valuetype_addrs = 0x0, iconv_raw_var = 0x0, fconv_to_r8_x_var = 0x0, simd_ctor_var = 0x0, dyn_call_var = 0x0,
  seq_points = 0x0, seq_point_info = 0x0, headers_to_free = 0x7f396c0454b8, got_offset = 0, ex_info_offset = 0,
  method_info_offset = 0, asm_symbol = 0x0, llvm_method_name = 0x0, llvm_ex_info = 0x0, llvm_ex_info_len = 0, llvm_this_reg = 0,
  llvm_this_offset = 0, try_block_holes = 0x0, locals_min_stack_offset = -216, locals_max_stack_offset = -40, cfa_reg = 5,
  cfa_offset = 16, gc_info = 0x0, gc_map = 0x0, gc_map_size = 0}


Unfortunately as with most JIT issues, we are unable to provide a concise repro. I have gdb core files that I can supply if needed for postmortem debugging.
Comment 1 Bassam 2011-12-27 03:49:05 UTC
It looks like the offending code is here:

https://github.com/mono/mono/blob/mono-2-10/mono/mini/mini-amd64.c#L3565

	case OP_VCALL2_MEMBASE:
		cinfo = get_call_info (cfg->generic_sharing_context, cfg->mempool, ((MonoCallInst*)ins)->signature);
		if (cinfo->ret.storage == ArgValuetypeInReg) {
			MonoInst *loc = cfg->arch.vret_addr_loc;

cfg->arch.vret_addr_loc is null:

(gdb) p cfg->arch
$6 = {lmf_offset = 0, localloc_offset = 0, reg_save_area_offset = 0, stack_alloc_size = 216, sp_fp_offset = 256, omit_fp = 0,
  omit_fp_computed = 1, no_pushes = 1, cinfo = 0x7f396c060d38, async_point_count = 0, vret_addr_loc = 0x0,
  ss_trigger_page_var = 0x0}

and is dereferenced here:

https://github.com/mono/mono/blob/mono-2-10/mono/mini/mini-amd64.c#L3568
Comment 2 Bassam 2012-03-28 17:42:09 UTC
Looks related to 2642.

*** This bug has been marked as a duplicate of bug 2642 ***