Bug 39251 - double free or corruption in free_jit_tls_data when running Nancy xunit tests
Summary: double free or corruption in free_jit_tls_data when running Nancy xunit tests
Status: CONFIRMED
Alias: None
Product: Runtime
Classification: Mono
Component: General
Version: unspecified
Hardware: All Linux
Importance: --- normal
Target Milestone: ---
Assignee: Vlad Brezae
URL:
Depends on:
Blocks:
 
Reported: 2016-03-01 14:43 UTC by Alexander Köplinger [MSFT]
Modified: 2016-03-01 19:47 UTC (History)
3 users

See Also:
Tags:
Is this bug a regression?: ---
Last known good build:


Attachments
repro folder (985.63 KB, application/x-zip-compressed)
2016-03-01 14:43 UTC, Alexander Köplinger [MSFT]

Description Alexander Köplinger [MSFT] 2016-03-01 14:43:22 UTC
Created attachment 15207
repro folder

Mono: master/978c84a
OS: Ubuntu 14.04, amd64

Unzip the attached file and run this in a loop:

> MONO_CFG_DIR=<mono-dir>/runtime/etc MONO_PATH=<mono-dir>/mcs/class/lib/net_4_x <mono-dir>/mono/mini/mono-sgen --debug xunit/xunit.console.x86.exe Nancy.Validation.DataAnnotations.Tests.dll

After a while it'll crash with the following error:

>   Starting:    Nancy.Validation.DataAnnotations.Tests
>   Finished:    Nancy.Validation.DataAnnotations.Tests
> System.TypeInitializationException: The type initializer for 'System.Collections.Generic.List`1' threw an exception. ---> System.Threading.ThreadAbortException: 
>   at System.Collections.Generic.List`1[T]..cctor () [0x00000] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/collections/generic/list.cs:47 
>   --- End of inner exception stack trace ---
>   at System.Threading.ThreadHelper.ThreadStart_Context (System.Object state) [0x00017] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/thread.cs:68 
>   at System.Threading.ExecutionContext.RunInternal (System.Threading.ExecutionContext executionContext, System.Threading.ContextCallback callback, System.Object state, Boolean preserveSyncCtx) [0x0008d] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/executioncontext.cs:957 
>   at System.Threading.ExecutionContext.Run (System.Threading.ExecutionContext executionContext, System.Threading.ContextCallback callback, System.Object state, Boolean preserveSyncCtx) [0x00000] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/executioncontext.cs:904 
>   at System.Threading.ExecutionContext.Run (System.Threading.ExecutionContext executionContext, System.Threading.ContextCallback callback, System.Object state) [0x00031] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/executioncontext.cs:893 
>   at System.Threading.ThreadHelper.ThreadStart () [0x0000b] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/thread.cs:105 
> *** Error in `../mono/mono/mini/mono-sgen': double free or corruption (out): 0x00007f4df000d660 ***
> Stacktrace:
> 
> 
> Native stacktrace:
> 
> 	../mono/mono/mini/mono-sgen() [0x509e74]
> 	../mono/mono/mini/mono-sgen() [0x5ae6ab]
> 	/lib/x86_64-linux-gnu/libpthread.so.0(+0x10340) [0x7f4e06cb4340]
> 	/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x39) [0x7f4e066ffcc9]
> 	/lib/x86_64-linux-gnu/libc.so.6(abort+0x148) [0x7f4e067030d8]
> 	/lib/x86_64-linux-gnu/libc.so.6(+0x73394) [0x7f4e0673c394]
> 	/lib/x86_64-linux-gnu/libc.so.6(+0x7f66e) [0x7f4e0674866e]
> 	../mono/mono/mini/mono-sgen() [0x7a4fa8]
> 	../mono/mono/mini/mono-sgen() [0x41488a]
> 	../mono/mono/mini/mono-sgen() [0x41b915]
> 	../mono/mono/mini/mono-sgen(mono_runtime_quit+0x2b) [0x6a898d]
> 	../mono/mono/mini/mono-sgen() [0x61034a]
> 	[0x402961e2]
> 
> Debug info from gdb:
> 
> [New LWP 4282]
> [New LWP 4275]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:85
> 85	../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S: No such file or directory.
>   Id   Target Id         Frame 
>   3    Thread 0x7f4e057ff700 (LWP 4275) "mono-sgen" pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
>   2    Thread 0x7f4e01e40700 (LWP 4282) "mono-sgen" 0x00007f4e06cb3ee9 in __libc_waitpid (pid=4286, stat_loc=0x7f4e01e3bee4, options=0) at ../sysdeps/unix/sysv/linux/waitpid.c:40
> * 1    Thread 0x7f4e077d17c0 (LWP 4274) "mono-sgen" sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:85
> 
> Thread 3 (Thread 0x7f4e057ff700 (LWP 4275)):
> #0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
> #1  0x000000000075a746 in mono_os_cond_wait (cond=0xb06900 <work_cond>, mutex=0xb068c0 <lock>) at ../../mono/utils/mono-os-mutex.h:105
> #2  0x000000000075b2c7 in thread_func (thread_data=0x0) at sgen-thread-pool.c:118
> #3  0x00007f4e06cac182 in start_thread (arg=0x7f4e057ff700) at pthread_create.c:312
> #4  0x00007f4e067c347d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
> 
> Thread 2 (Thread 0x7f4e01e40700 (LWP 4282)):
> #0  0x00007f4e06cb3ee9 in __libc_waitpid (pid=4286, stat_loc=0x7f4e01e3bee4, options=0) at ../sysdeps/unix/sysv/linux/waitpid.c:40
> #1  0x0000000000509fbd in mono_handle_native_sigsegv (signal=6, ctx=0x7f4e01e3c780, info=0x7f4e01e3c8b0) at mini-exceptions.c:2387
> #2  0x00000000005ae6ab in sigabrt_signal_handler (_dummy=6, _info=0x7f4e01e3c8b0, context=0x7f4e01e3c780) at mini-posix.c:218
> #3  <signal handler called>
> #4  0x00007f4e066ffcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #5  0x00007f4e067030d8 in __GI_abort () at abort.c:89
> #6  0x00007f4e0673c394 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7f4e0684ab28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
> #7  0x00007f4e0674866e in malloc_printerr (ptr=<optimized out>, str=0x7f4e0684ac58 "double free or corruption (out)", action=1) at malloc.c:4996
> #8  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
> #9  0x00000000007a4fa8 in monoeg_g_free (ptr=0x7f4df000d660) at gmem.c:36
> #10 0x000000000041488a in free_jit_tls_data (jit_tls=0x7f4df000d660) at mini-runtime.c:1078
> #11 0x000000000041b915 in mini_cleanup (domain=0x259e480) at mini-runtime.c:4172
> #12 0x00000000006a898d in mono_runtime_quit () at appdomain.c:416
> #13 0x000000000061034a in ves_icall_System_Environment_Exit (result=1) at icall.c:6651
> #14 0x00000000402961e2 in ?? ()
> #15 0x00007f4df0033428 in ?? ()
> #16 0x00007f4e05a71338 in ?? ()
> #17 0x00007f4e05a9dff0 in ?? ()
> #18 0x00007f4e05a9dff0 in ?? ()
> #19 0x00007f4e05a9dff0 in ?? ()
> #20 0x00007f4e01e3f528 in ?? ()
> #21 0x00007f4e01e3d2c0 in ?? ()
> #22 0x00007f4e01e3d2c0 in ?? ()
> #23 0x00007f4e01e3d1e0 in ?? ()
> #24 0x000000004029616a in ?? ()
> #25 0x00007f4e022f01b0 in ?? ()
> #26 0x00007f4e01e3d860 in ?? ()
> #27 0x00000000402960d0 in ?? ()
> #28 0x00000000408e8200 in ?? ()
> #29 0x00007f4e01e3d2c0 in ?? ()
> #30 0x0000000040243f15 in ?? ()
> #31 0x00007f4e01e3d2a0 in ?? ()
> #32 0x00007f4e01e3d848 in ?? ()
> #33 0x0000000000000000 in ?? ()
> 
> Thread 1 (Thread 0x7f4e077d17c0 (LWP 4274)):
> #0  sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:85
> #1  0x00000000007966ef in mono_os_sem_wait (sem=0x259cda0, flags=MONO_SEM_FLAGS_NONE) at ../../mono/utils/mono-os-semaphore.h:163
> #2  0x000000000079733d in mono_thread_info_wait_for_resume (info=0x259cd40) at mono-threads.c:144
> #3  0x0000000000798589 in mono_thread_info_end_self_suspend () at mono-threads.c:700
> #4  0x0000000000683f05 in self_suspend_internal () at threads.c:4824
> #5  0x0000000000683571 in mono_thread_execute_interruption () at threads.c:4344
> #6  0x00000000006837a0 in mono_thread_interruption_checkpoint_request (bypass_abort_protection=1) at threads.c:4473
> #7  0x00000000006837d6 in mono_thread_force_interruption_checkpoint_noraise () at threads.c:4498
> #8  0x00000000408e62b6 in ?? ()
> #9  0x00007fff6aeb1b60 in ?? ()
> #10 0x00007fff6aeb1ced in ?? ()
> #11 0x0000000040295f74 in ?? ()
> #12 0x00000000006ad1ae in unload_data_unref (data=0x1) at appdomain.c:2365
> #13 0x0000000040295f74 in ?? ()
> #14 0x00007f4e0582a650 in ?? ()
> #15 0x00007f4e058d9678 in ?? ()
> #16 0x00007f4e05830698 in ?? ()
> #17 0x00007f4e05a86380 in ?? ()
> #18 0x00007f4e01bb9878 in ?? ()
> #19 0x00000000025c77a0 in ?? ()
> #20 0x00007f4e05a86380 in ?? ()
> #21 0x00007fff6aeb1d60 in ?? ()
> #22 0x00007fff6aeb1cc0 in ?? ()
> #23 0x00007f4e03508578 in System_AppDomain_Unload_System_AppDomain (domain=...) at /home/alexander/dev/mono/mcs/class/corlib/System/AppDomain.cs:1200
> #24 0x0000000040295752 in ?? ()
> #25 0x00007f4e01bb9828 in ?? ()
> #26 0x00000000025c77a0 in ?? ()
> #27 0x0000000040295700 in ?? ()
> #28 0xfffffffffffffffb in ?? ()
> #29 0x000000004020c1c8 in ?? ()
> #30 0x00000000006837c8 in mono_thread_interruption_checkpoint () at threads.c:4489
> #31 0x00007f4e05818e68 in ?? ()
> #32 0x00007f4e01bb97d8 in ?? ()
> #33 0x00007fff6aeb1de0 in ?? ()
> #34 0x000000004029567f in ?? ()
> #35 0x00007f4e01bc07f0 in ?? ()
> #36 0x00000000402956bc in ?? ()
> #37 0x00007f4e01bc07f0 in ?? ()
> #38 0x000000004029563c in ?? ()
> #39 0x00007f4e05818ad8 in ?? ()
> #40 0x000000004029518f in ?? ()
> #41 0x00007f4e058d9988 in ?? ()
> #42 0x00000000025c77a0 in ?? ()
> #43 0x00007f4e01bb97b0 in ?? ()
> #44 0x0000000200000001 in ?? ()
> #45 0x00007f4e01bc07f0 in ?? ()
> #46 0x00000000006837c8 in mono_thread_interruption_checkpoint () at threads.c:4489
> #47 0x00007f4e022dbd20 in ?? ()
> #48 0x0000000040295130 in ?? ()
> #49 0x00007fff6aeb1fe0 in ?? ()
> #50 0x0000000040246d87 in ?? ()
> #51 0x00007f4e05818ad8 in ?? ()
> #52 0x00007f4e05818ad8 in ?? ()
> #53 0x0000000040246d57 in ?? ()
> #54 0x0000000040246d10 in ?? ()
> #55 0x0000000000000000 in ?? ()
> 
> =================================================================
> Got a SIGABRT while executing native code. This usually indicates
> a fatal error in the mono runtime or one of the native libraries 
> used by your application.
> =================================================================
> 
> Aborted
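A repro loop for the instructions above, added here as an example and not part of the report: it reruns the command until one run fails with glibc's "double free or corruption" abort banner and keeps that run's log (mono prints the native stacktrace and gdb output to stderr, so both streams are captured). The `MONO_DIR` variable, the `run_until_crash` helper and the 200-run cap are assumptions; the mono-sgen invocation itself is the one from the description.

```shell
#!/bin/sh
# Added example, not from the bug report. Re-runs a command until it dies with
# glibc's heap-corruption abort and keeps the log of the failing iteration.

# crashed_with_glibc_abort LOGFILE
# Returns 0 if LOGFILE contains glibc's "double free or corruption" banner.
crashed_with_glibc_abort() {
    grep -q 'double free or corruption' "$1"
}

# run_until_crash MAX_RUNS LOGFILE CMD...
# Runs CMD up to MAX_RUNS times, writing stdout+stderr of each run to LOGFILE.
# Returns 0 as soon as a run exits non-zero with the abort banner in its log
# (LOGFILE then holds that run's output, including the native stacktrace);
# returns 1 if all MAX_RUNS runs complete without it.
run_until_crash() {
    max="$1"; log="$2"; shift 2
    i=1
    while [ "$i" -le "$max" ]; do
        # "&& rc=0 || rc=$?" keeps a failing run from tripping "set -e".
        "$@" >"$log" 2>&1 && rc=0 || rc=$?
        if [ "$rc" -ne 0 ] && crashed_with_glibc_abort "$log"; then
            echo "crash reproduced on run $i (exit status $rc), log kept in $log"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no crash in $max runs"
    return 1
}

# The invocation from the report, run only when MONO_DIR (assumed variable)
# points at a mono checkout; run this from the unzipped repro folder.
if [ -n "${MONO_DIR:-}" ]; then
    export MONO_CFG_DIR="$MONO_DIR/runtime/etc"
    export MONO_PATH="$MONO_DIR/mcs/class/lib/net_4_x"
    run_until_crash 200 crash.log "$MONO_DIR/mono/mini/mono-sgen" --debug \
        xunit/xunit.console.x86.exe Nancy.Validation.DataAnnotations.Tests.dll
fi
```

Checking the banner as well as the exit status matters here because the test runner itself can exit non-zero for an ordinary failed test; only a non-zero exit whose log carries the glibc message counts as the crash under investigation.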
Comment 1 Alexander Köplinger [MSFT] 2016-03-01 19:47:26 UTC
The issue doesn't seem to occur if I pass -noappdomain to the xunit.console.exe.

@alexanderkyte: I remember you worked on xunit issues in the past, does this^ ring any bells for you?
