Bug 54495 - Crash in handle_writer_queue_entry when freeing the method list
Summary: Crash in handle_writer_queue_entry when freeing the method list
Status: RESOLVED FIXED
Alias: None
Product: Runtime
Classification: Mono
Component: Profiler ()
Version: master
Hardware: PC Linux
Importance: Normal normal
Target Milestone: Future Cycle (TBD)
Assignee: Alex Rønne Petersen
URL:
Depends on:
Blocks:
 
Reported: 2017-04-05 15:36 UTC by Alex Rønne Petersen
Modified: 2017-06-21 18:34 UTC (History)
0 users

Tags:
Is this bug a regression?: ---
Last known good build:

Description Alex Rønne Petersen 2017-04-05 15:36:39 UTC
Happened on the roslyn benchmark:

> Thread 44 (Thread 0x2aad18402700 (LWP 31126)):
> #0  0x00002aad0b7ab88d in __libc_waitpid (pid=<optimized out>, stat_loc=<optimized out>, options=<optimized out>) at ../sysdeps/unix/sysv/linux/waitpid.c:41
> #1  0x00000000004ff360 in mono_handle_native_crash (signal=0x82e851 "SIGABRT", ctx=0x2aad18400d80, info=0x2aad18400eb0) at mini-exceptions.c:2558
> #2  0x00000000005ca471 in sigabrt_signal_handler (_dummy=6, _info=0x2aad18400eb0, context=0x2aad18400d80) at mini-posix.c:209
> #3  <signal handler called>
> #4  0x00002aad0bc070d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #5  0x00002aad0bc0a83b in __GI_abort () at abort.c:91
> #6  0x00002aad0bc4432e in __libc_message (do_abort=2, fmt=0x2aad0bd4e5d8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
> #7  0x00002aad0bc4eb26 in malloc_printerr (action=3, str=0x2aad0bd4e6e8 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:5051
> #8  0x00002aad0d618791 in monoeg_g_free (ptr=0x2aadc805b470) at gmem.c:66
> #9  0x00002aad0d61dc36 in monoeg_g_ptr_array_free (array=0x2aadc80233a0, free_seg=1) at gptrarray.c:91
> #10 0x00002aad0d611b6b in handle_writer_queue_entry (prof=0xf4d030) at mono-profiler-log.c:4371
> #11 0x00002aad0d611c59 in writer_thread (arg=0xf4d030) at mono-profiler-log.c:4405
> #12 0x00002aad0b7a3e9a in start_thread (arg=0x2aad18402700) at pthread_create.c:308
> #13 0x00002aad0bcc438d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
> #14 0x0000000000000000 in ?? ()
Comment 1 Alex Rønne Petersen 2017-04-06 03:54:10 UTC
Quite possibly related crash, also on the roslyn benchmark:

> Thread 10 (Thread 0x2b3eb8214700 (LWP 21813)):
> #0  0x00002b3e8f713454 in do_sigsuspend (set=0xb90d40) at ../sysdeps/unix/sysv/linux/sigsuspend.c:63
> #1  __GI___sigsuspend (set=<optimized out>) at ../sysdeps/unix/sysv/linux/sigsuspend.c:78
> #2  0x00000000007f5eef in suspend_signal_handler (_dummy=35, info=0x2b3eb820feb0, context=0x2b3eb820fd80) at mono-threads-posix-signals.c:179
> #3  <signal handler called>
> #4  0x00002b3e8f2b788b in __libc_waitpid (pid=<optimized out>, stat_loc=<optimized out>, options=<optimized out>) at ../sysdeps/unix/sysv/linux/waitpid.c:41
> #5  0x00000000004ff360 in mono_handle_native_crash (signal=0x82e8b1 "SIGABRT", ctx=0x2b3eb8210cc0, info=0x2b3eb8210df0) at mini-exceptions.c:2558
> #6  0x00000000005ca471 in sigabrt_signal_handler (_dummy=6, _info=0x2b3eb8210df0, context=0x2b3eb8210cc0) at mini-posix.c:209
> #7  <signal handler called>
> #8  0x00002b3e8f7130d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #9  0x00002b3e8f71683b in __GI_abort () at abort.c:91
> #10 0x00002b3e8f75032e in __libc_message (do_abort=2, fmt=0x2b3e8f85a5d8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
> #11 0x00002b3e8f75ab26 in malloc_printerr (action=3, str=0x2b3e8f856fef "realloc(): invalid old size", ptr=<optimized out>) at malloc.c:5051
> #12 0x00002b3e8f75ded7 in _int_realloc (av=0x2b3e8fa94720, oldp=0x2b3ebc036740, oldsize=47548442306336, nb=<optimized out>) at malloc.c:4367
> #13 0x00002b3e8f75f6ee in __GI___libc_realloc (oldmem=0x2b3ebc036750, bytes=128) at malloc.c:3062
> #14 0x00002b3e9121881f in monoeg_realloc (obj=0x2b3ebc036750, size=128) at gmem.c:91
> #15 0x00002b3e9121db5a in monoeg_ptr_array_grow (array=0x2b3ebc040d40, length=1) at gptrarray.c:58
> #16 0x00002b3e9121dd67 in monoeg_g_ptr_array_add (array=0x2b3ebc040d40, data=0x2b3ebc0401c0) at gptrarray.c:119
> #17 0x00002b3e912093df in register_method_local (method=0x2b3ec80a1ab0, ji=0x2b3ebc0437e0) at mono-profiler-log.c:1098
> #18 0x00002b3e9120c44c in method_jitted (prof=0x1dd6050, method=0x2b3ec80a1ab0, ji=0x2b3ebc0437e0, result=0) at mono-profiler-log.c:2077
> #19 0x00000000006a4ddf in mono_profiler_method_end_jit (method=0x2b3ec80a1ab0, jinfo=0x2b3ebc0437e0, result=0) at profiler.c:533
> #20 0x00000000005d7913 in mono_jit_compile_method_inner (method=0x2b3ec80a1ab0, target_domain=0x1ddf3b0, opt=370239999, error=0x2b3eb8212270) at mini.c:4356
> #21 0x0000000000418894 in mono_jit_compile_method_with_opt (method=0x2b3ec80a1ab0, opt=370239999, jit_only=0, error=0x2b3eb8212270) at mini-runtime.c:1886
> #22 0x0000000000418a30 in mono_jit_compile_method (method=0x2b3ec80a1ab0, error=0x2b3eb8212270) at mini-runtime.c:1930
> #23 0x0000000000502375 in common_call_trampoline (regs=0x2b3eb8212358, code=0x41071bcf "H\211\204$\230", m=0x2b3ec80a1ab0, vt=0x2b3eec00ff18, vtable_slot=0x2b3eec00fff8, error=0x2b3eb8212270) at mini-trampolines.c:704
> #24 0x0000000000502acb in mono_vcall_trampoline (regs=0x2b3eb8212358, code=0x41071bcf "H\211\204$\230", slot=20, tramp=0x40f7f0dc "\350\037\265\246\377\004\024") at mini-trampolines.c:915
> #25 0x00000000409ea78c in ?? ()
> #26 0x0000000000000030 in ?? ()
> #27 0x00002b3eb82136dd in ?? ()
> #28 0x0000000041071bcf in ?? ()
> #29 0x00000000006f3253 in mono_handle_assign (dest=0x0, src=0x2718) at ../../mono/metadata/handle.h:412
> #30 0x0000000041071bcf in ?? ()
> #31 0x00002b3e8fd6a240 in ?? ()
> #32 0x00002b3eb8212630 in ?? ()
> #33 0x00002b3e8ff1b018 in ?? ()
> #34 0x00002b3e8fc04148 in ?? ()
> #35 0x00002b3eb82125c8 in ?? ()
> #36 0x00002b3eb8212e40 in ?? ()
> #37 0x00002b3eb8212570 in ?? ()
> #38 0x00002b3e9f04f380 in ?? ()
> #39 0x00002b3e9f468220 in ?? ()
> #40 0x000000004106faf7 in ?? ()
> #41 0x00002b3e8fd6a240 in ?? ()
> #42 0x00002b3eb8212630 in ?? ()
> #43 0x00002b3e8ff1b018 in ?? ()
> #44 0x00002b3eb8212568 in ?? ()
> #45 0x00002b3e8fc04148 in ?? ()
> #46 0x0000000000000002 in ?? ()
> #47 0x0000000000000000 in ?? ()
Comment 2 Alex Rønne Petersen 2017-06-20 04:41:52 UTC
https://github.com/mono/mono/pull/5072