Bug 8476 - runtime SEGV associated with IO buffer copy
Summary: runtime SEGV associated with IO buffer copy
Status: RESOLVED FIXED
Alias: None
Product: Runtime
Classification: Mono
Component: io-layer ()
Version: unspecified
Hardware: Macintosh Mac OS
Importance: --- normal
Target Milestone: ---
Assignee: Bugzilla
Reported: 2012-11-17 15:51 UTC by Jonathan Shore
Modified: 2012-11-17 21:12 UTC (History)
Description Jonathan Shore 2012-11-17 15:51:43 UTC
During a Stream Read(byte[], int, int) on a buffered network stream on a socket, the stream / socket is closed on another thread (due to an application error). Instead of throwing an IO exception or returning 0, the runtime crashes as shown below. This is on mono 3.0.1 on OSX Lion.

I am guessing that the Read failed and the System.Buffer.BlockCopyInternal is not resilient to a negative length, or something like that.

 failure
Stacktrace:

  at <unknown> <0xffffffff>
  at (wrapper managed-to-native) System.Buffer.BlockCopyInternal (System.Array,int,System.Array,int,int) <IL 0x00026, 0xffffffff>
  at System.IO.BufferedStream.Read (byte[],int,int) [0x00195] in /private/tmp/source/bockbuild/profiles/mono-mac-release/build-root/mono-2.11/_build/mono-2.11.git/mcs/class/corlib/System.IO/BufferedStream.cs:273
  at com.gf.io.formats.exec.EXECMessage.ReadExact (System.IO.Stream,byte[],int,int) [0x00007] in /Volumes/fufu/Dev/hf/src/Libraries/Core/src/io/formats/iexec/EXECMessage.cs:144
  at com.gf.io.formats.exec.EXECMessage.Read (System.IO.Stream,byte[]) [0x00001] in /Volumes/fufu/Dev/hf/src/Libraries/Core/src/io/formats/iexec/EXECMessage.cs:72
  at com.gf.io.formats.exec.client.EXECRpcServerClient.Service () [0x00003] in /Volumes/fufu/Dev/hf/src/Libraries/Core/src/io/formats/iexec/client/EXECRpcServerClient.cs:196
  at System.Threading.Thread.StartInternal () [0x00016] in /private/tmp/source/bockbuild/profiles/mono-mac-release/build-root/mono-2.11/_build/mono-2.11.git/mcs/class/corlib/System.Threading/Thread.cs:783
  at (wrapper runtime-invoke) object.runtime_invoke_void__this__ (object,intptr,intptr,intptr) <IL 0x0004e, 0xffffffff>

Native stacktrace:


Debug info from gdb:

Attaching to process 18775.
Reading symbols for shared libraries . done
Reading symbols for shared libraries .................................... done
0x053a4250 in ?? ()
  11                                 0x94b19c76 in semaphore_timedwait_trap ()
  10                                 0x94b1bbb2 in __semwait_signal ()
   9                                 0x94b1b83e in __psynch_cvwait ()
   8                                 0x94b1bfda in __wait4 ()
   7                                 0x94b1ae12 in accept$UNIX2003 ()
   6                                 0x94b1ae12 in accept$UNIX2003 ()
   5 "com.apple.libdispatch-manager" 0x94b1c90a in kevent ()
   4                                 0x94b1ba9a in recvfrom$UNIX2003 ()
   3                                 0x94b19c5e in semaphore_wait_trap ()
   2                                 0x94b19c22 in mach_msg_trap ()
*  1 "com.apple.main-thread"         0x053a4250 in ?? ()

Thread 11 (process 18775):
#0  0x94b19c76 in semaphore_timedwait_trap ()
#1  0x00268a2d in mono_sem_timedwait (sem=0x370468, timeout_ms=2000, alertable=1) at mono-semaphore.c:76
#2  0x001c4e5a in async_invoke_thread (data=0x0) at threadpool.c:1513
#3  0x001b2f81 in start_wrapper_internal (data=0x3840e40) at threads.c:589
#4  0x001b30a2 in start_wrapper (data=0x3840e40) at threads.c:635
#5  0x00252dc9 in thread_start_routine (args=0x1131f08) at wthreads.c:286
#6  0x0026da71 in inner_start_thread (arg=0x3841b10) at mono-threads-posix.c:49
#7  0x00283ef8 in GC_start_routine (arg=0x1cd6e40) at pthread_support.c:1508
#8  0x9c74ded9 in _pthread_start ()
#9  0x9c7516de in thread_start ()

Thread 10 (process 18775):
#0  0x94b1bbb2 in __semwait_signal ()
#1  0x9c7027b9 in nanosleep$UNIX2003 ()
#2  0x00253c60 in SleepEx (ms=500, alertable=1) at wthreads.c:834
#3  0x001c267a in monitor_thread (unused=0x0) at threadpool.c:783
#4  0x001b2f81 in start_wrapper_internal (data=0x3841680) at threads.c:589
#5  0x001b30a2 in start_wrapper (data=0x3841680) at threads.c:635
#6  0x00252dc9 in thread_start_routine (args=0x1131e8c) at wthreads.c:286
#7  0x0026da71 in inner_start_thread (arg=0x3840e20) at mono-threads-posix.c:49
#8  0x00283ef8 in GC_start_routine (arg=0x1cd6e40) at pthread_support.c:1508
#9  0x9c74ded9 in _pthread_start ()
#10 0x9c7516de in thread_start ()

Thread 9 (process 18775):
#0  0x94b1b83e in __psynch_cvwait ()
#1  0x9c751e21 in _pthread_cond_wait ()
#2  0x9c7023e0 in pthread_cond_timedwait$UNIX2003 ()
#3  0x002370bc in _wapi_handle_timedwait_signal_handle (handle=0x202d, timeout=0xb070eaf0, alertable=1, poll=0) at handles.c:1583
#4  0x00250617 in WaitForSingleObjectEx (handle=0x202d, timeout=14999, alertable=1) at wait.c:197
#5  0x001b5858 in ves_icall_System_Threading_WaitHandle_WaitOne_internal (this=0x5c659990, handle=0x202d, ms=14999, exitContext=0) at threads.c:1492
#6  0x053d06d0 in ?? ()
#7  0x053f1520 in ?? ()
#8  0x053f13a5 in ?? ()
#9  0x053ef355 in ?? ()
#10 0x053bd136 in ?? ()
#11 0x025e0a45 in ?? ()
#12 0x0000dc52 in mono_jit_runtime_invoke (method=0xd08c34, obj=0x425b92a0, params=0xb070ee6c, exc=0x0) at mini.c:5948
#13 0x001fd58a in mono_runtime_invoke (method=0xd08c34, obj=0x425b92a0, params=0xb070ee6c, exc=0x0) at object.c:2812
#14 0x001fef42 in mono_runtime_delegate_invoke (delegate=0x425b92a0, params=0xb070ee6c, exc=0x0) at object.c:3492
#15 0x001b2fe1 in start_wrapper_internal (data=0x3a3dfc0) at threads.c:595
#16 0x001b30a2 in start_wrapper (data=0x3a3dfc0) at threads.c:635
#17 0x00252dc9 in thread_start_routine (args=0x1131d18) at wthreads.c:286
#18 0x0026da71 in inner_start_thread (arg=0x3a3e430) at mono-threads-posix.c:49
#19 0x00283ef8 in GC_start_routine (arg=0x1cd6e40) at pthread_support.c:1508
#20 0x9c74ded9 in _pthread_start ()
#21 0x9c7516de in thread_start ()

Thread 8 (process 18775):
#0  0x94b1bfda in __wait4 ()
#1  0x9c7024ec in waitpid$UNIX2003 ()
#2  0x0009a422 in mono_handle_native_sigsegv (signal=11, ctx=0x53e7fe0) at mini-exceptions.c:2289
#3  0x000e83a5 in mono_arch_handle_altstack_exception (sigctx=0x53e7fe0, fault_addr=0x0, stack_ovf=0) at exceptions-x86.c:1133
#4  0x000054d1 in mono_sigsegv_signal_handler (_dummy=10, info=0x53e7fa0, context=0x53e7fe0) at mini.c:6066
#5  <signal handler called>
#6  0x00139d85 in mono_array_get_byte_length (array=0x0) at icall.c:6191
#7  0x00139fa1 in ves_icall_System_Buffer_BlockCopyInternal (src=0x0, src_offset=0, dest=0x51faaa0, dest_offset=0, count=0) at icall.c:6258
#8  0x02726313 in ?? ()
#9  0x053d3f94 in ?? ()
#10 0x053d39ef in ?? ()
#11 0x053d37b8 in ?? ()
#12 0x053d2fb0 in ?? ()
#13 0x053bd136 in ?? ()
#14 0x025e0a45 in ?? ()
#15 0x0000dc52 in mono_jit_runtime_invoke (method=0xd08c34, obj=0x425b9540, params=0xb060ce6c, exc=0x0) at mini.c:5948
#16 0x001fd58a in mono_runtime_invoke (method=0xd08c34, obj=0x425b9540, params=0xb060ce6c, exc=0x0) at object.c:2812
#17 0x001fef42 in mono_runtime_delegate_invoke (delegate=0x425b9540, params=0xb060ce6c, exc=0x0) at object.c:3492
#18 0x001b2fe1 in start_wrapper_internal (data=0x54c2e6c0) at threads.c:595
#19 0x001b30a2 in start_wrapper (data=0x54c2e6c0) at threads.c:635
#20 0x00252dc9 in thread_start_routine (args=0x1131ba4) at wthreads.c:286
#21 0x0026da71 in inner_start_thread (arg=0x54c2e7a0) at mono-threads-posix.c:49
#22 0x00283ef8 in GC_start_routine (arg=0x1cd6e40) at pthread_support.c:1508
#23 0x9c74ded9 in _pthread_start ()
#24 0x9c7516de in thread_start ()

Thread 7 (process 18775):
#0  0x94b1ae12 in accept$UNIX2003 ()
#1  0x00249de5 in _wapi_accept (fd=10, addr=0x0, addrlen=0x0) at sockets.c:221
#2  0x001a40cc in ves_icall_System_Net_Sockets_Socket_Accept_internal (sock=10, error=0xb050aca0, blocking=1) at socket-io.c:885
#3  0x053bdbc8 in ?? ()
#4  0x053bd960 in ?? ()
#5  0x053c852c in ?? ()
#6  0x053bd136 in ?? ()
#7  0x025e0a45 in ?? ()
#8  0x0000dc52 in mono_jit_runtime_invoke (method=0xd08c34, obj=0x42684ea8, params=0xb050ae6c, exc=0x0) at mini.c:5948
#9  0x001fd58a in mono_runtime_invoke (method=0xd08c34, obj=0x42684ea8, params=0xb050ae6c, exc=0x0) at object.c:2812
#10 0x001fef42 in mono_runtime_delegate_invoke (delegate=0x42684ea8, params=0xb050ae6c, exc=0x0) at object.c:3492
#11 0x001b2fe1 in start_wrapper_internal (data=0x1f42430) at threads.c:595
#12 0x001b30a2 in start_wrapper (data=0x1f42430) at threads.c:635
#13 0x00252dc9 in thread_start_routine (args=0x1131aac) at wthreads.c:286
#14 0x0026da71 in inner_start_thread (arg=0x1f40b00) at mono-threads-posix.c:49
#15 0x00283ef8 in GC_start_routine (arg=0x1cd6e40) at pthread_support.c:1508
#16 0x9c74ded9 in _pthread_start ()
#17 0x9c7516de in thread_start ()

Thread 6 (process 18775):
#0  0x94b1ae12 in accept$UNIX2003 ()
#1  0x00249de5 in _wapi_accept (fd=6, addr=0x0, addrlen=0x0) at sockets.c:221
#2  0x001a40cc in ves_icall_System_Net_Sockets_Socket_Accept_internal (sock=6, error=0xb0408cb0, blocking=1) at socket-io.c:885
#3  0x053bdbc8 in ?? ()
#4  0x053bd960 in ?? ()
#5  0x053bd2dc in ?? ()
#6  0x053bd136 in ?? ()
#7  0x025e0a45 in ?? ()
#8  0x0000dc52 in mono_jit_runtime_invoke (method=0xd08c34, obj=0x425b9070, params=0xb0408e6c, exc=0x0) at mini.c:5948
#9  0x001fd58a in mono_runtime_invoke (method=0xd08c34, obj=0x425b9070, params=0xb0408e6c, exc=0x0) at object.c:2812
#10 0x001fef42 in mono_runtime_delegate_invoke (delegate=0x425b9070, params=0xb0408e6c, exc=0x0) at object.c:3492
#11 0x001b2fe1 in start_wrapper_internal (data=0x1f3e050) at threads.c:595
#12 0x001b30a2 in start_wrapper (data=0x1f3e050) at threads.c:635
#13 0x00252dc9 in thread_start_routine (args=0x11319b4) at wthreads.c:286
#14 0x0026da71 in inner_start_thread (arg=0x1f3de60) at mono-threads-posix.c:49
#15 0x00283ef8 in GC_start_routine (arg=0x1cd6e40) at pthread_support.c:1508
#16 0x9c74ded9 in _pthread_start ()
#17 0x9c7516de in thread_start ()

Thread 5 (process 18775):
#0  0x94b1c90a in kevent ()
#1  0x937dbc58 in _dispatch_mgr_invoke ()
#2  0x937da6a7 in _dispatch_mgr_thread ()

Thread 4 (process 18775):
#0  0x94b1ba9a in recvfrom$UNIX2003 ()
#1  0x9c7024a2 in recv$UNIX2003 ()
#2  0x000c19b0 in socket_transport_recv (buf=0xb0284c1d, len=11) at debugger-agent.c:1057
#3  0x000be2ea in debugger_thread (arg=0x0) at debugger-agent.c:1438
#4  0x00252dc9 in thread_start_routine (args=0x1130a34) at wthreads.c:286
#5  0x0026da71 in inner_start_thread (arg=0x63bdd0) at mono-threads-posix.c:49
#6  0x00283ef8 in GC_start_routine (arg=0x782f60) at pthread_support.c:1508
#7  0x9c74ded9 in _pthread_start ()
#8  0x9c7516de in thread_start ()

Thread 3 (process 18775):
#0  0x94b19c5e in semaphore_wait_trap ()
#1  0x00268aa2 in mono_sem_wait (sem=0x3706f4, alertable=1) at mono-semaphore.c:115
#2  0x001f164d in finalizer_thread (unused=0x0) at gc.c:1097
#3  0x001b2f81 in start_wrapper_internal (data=0x63ba00) at threads.c:589
#4  0x001b30a2 in start_wrapper (data=0x63ba00) at threads.c:635
#5  0x00252dc9 in thread_start_routine (args=0x11309b8) at wthreads.c:286
#6  0x0026da71 in inner_start_thread (arg=0x63ba20) at mono-threads-posix.c:49
#7  0x00283ef8 in GC_start_routine (arg=0x782f60) at pthread_support.c:1508
#8  0x9c74ded9 in _pthread_start ()
#9  0x9c7516de in thread_start ()

Thread 2 (process 18775):
#0  0x94b19c22 in mach_msg_trap ()
#1  0x94b191f6 in mach_msg ()
#2  0x000ed2ca in mach_exception_thread (arg=0x0) at mini-darwin.c:139
#3  0x9c74ded9 in _pthread_start ()
#4  0x9c7516de in thread_start ()

Thread 1 (process 18775):
#0  0x053a4250 in ?? ()
#1  0x0539ff80 in ?? ()
#2  0x0539f3f8 in ?? ()
#3  0x053c9dcc in ?? ()
#4  0x053c8c48 in ?? ()
#5  0x053c8838 in ?? ()
#6  0x0070731c in ?? ()
#7  0x0070757f in ?? ()
#8  0x0000dc52 in mono_jit_runtime_invoke (method=0x113821c, obj=0x0, params=0xbffff7e8, exc=0x0) at mini.c:5948
#9  0x001fd58a in mono_runtime_invoke (method=0x113821c, obj=0x0, params=0xbffff7e8, exc=0x0) at object.c:2812
#10 0x0020029c in mono_runtime_exec_main (method=0x113821c, args=0x784fc0, exc=0x0) at object.c:4010
#11 0x001ff45c in mono_runtime_run_main (method=0x113821c, argc=3, argv=0xbffffa48, exc=0x0) at object.c:3632
#12 0x0006c655 in mono_jit_exec (domain=0x4b9e00, assembly=0x63b430, argc=4, argv=0xbffffa44) at driver.c:954
#13 0x0006ec69 in mono_main (argc=7, argv=0xbffffa38) at driver.c:1013
#14 0x00002749 in main (argc=7, argv=0xbffffa38) at main.c:93

=================================================================
Got a SIGSEGV while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries 
used by your application.
=================================================================

Abort trap: 6
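The native frames above show the icall being entered with src=0x0 and count=0 and then dereferencing the null array in mono_array_get_byte_length. As an added illustration (not Mono's code; ByteArray, CopyStatus and the function names are hypothetical stand-ins), this C block shows a block copy that validates both arrays and the offset/count ranges before touching memory, so the same argument shape yields an error the caller can turn into an exception rather than a SIGSEGV:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a managed byte array; not Mono's MonoArray layout. */
typedef struct { size_t length; uint8_t *data; } ByteArray;

typedef enum {
    COPY_OK = 0,
    COPY_ERR_NULL_ARRAY,   /* src or dest is NULL: the shape in the trace (src=0x0) */
    COPY_ERR_NEGATIVE,     /* negative offset or count */
    COPY_ERR_OUT_OF_RANGE  /* offset + count exceeds the array length */
} CopyStatus;

/* Range check done in size_t after the sign check, so offset + count cannot overflow int. */
static int range_ok(const ByteArray *a, int offset, int count) {
    return (size_t)offset <= a->length && (size_t)count <= a->length - (size_t)offset;
}

/* Validate every argument before touching array memory: a NULL array (for example a
 * stream buffer released by another thread) becomes an error code the caller can turn
 * into an exception, instead of a read through a null pointer and a SIGSEGV. */
CopyStatus block_copy_checked(const ByteArray *src, int src_offset,
                              ByteArray *dest, int dest_offset, int count) {
    if (src == NULL || dest == NULL) return COPY_ERR_NULL_ARRAY;
    if (src_offset < 0 || dest_offset < 0 || count < 0) return COPY_ERR_NEGATIVE;
    if (!range_ok(src, src_offset, count) || !range_ok(dest, dest_offset, count))
        return COPY_ERR_OUT_OF_RANGE;
    if (count > 0)  /* count == 0 is legal, but its arguments were still validated */
        memmove(dest->data + dest_offset, src->data + src_offset, (size_t)count);
    return COPY_OK;
}

/* Constructed cases: the trace's argument shape (src=0x0, count=0), a valid copy,
 * and an offset + count that would overflow int if added naively. */
CopyStatus demo_null_source(void) {
    uint8_t d[16] = {0}; ByteArray dest = { sizeof d, d };
    return block_copy_checked(NULL, 0, &dest, 0, 0);
}
int demo_valid_copy(void) {  /* returns dest[2] after the copy, expected 0xCD */
    uint8_t s[4] = {0xAB, 0xCD, 0xEF, 0x01}, d[8] = {0};
    ByteArray src = {4, s}, dest = {4 + 4, d};
    return block_copy_checked(&src, 1, &dest, 2, 3) == COPY_OK ? d[2] : -1;
}
CopyStatus demo_overflowing_range(void) {
    uint8_t s[4] = {0}, d[4] = {0}; ByteArray src = {4, s}, dest = {4, d};
    return block_copy_checked(&src, 2, &dest, 0, INT_MAX);
}
```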
Comment 1 Zoltan Varga 2012-11-17 21:12:49 UTC
The crash is fixed in master/2.10 branch.