Bug 39251 - double free or corruption in free_jit_tls_data when running Nancy xunit tests
Status: CONFIRMED
Alias: None
Product: Runtime
Classification: Mono
Component: General
Version: unspecified
Hardware: All Linux
Importance: --- normal
Target Milestone: ---
Assignee: Vlad Brezae

Reported: 2016-03-01 14:43 UTC by Alexander Köplinger [MSFT]
Modified: 2016-03-01 19:47 UTC

Attachments
repro folder (985.63 KB, application/x-zip-compressed)
2016-03-01 14:43 UTC, Alexander Köplinger [MSFT]

Description Alexander Köplinger [MSFT] 2016-03-01 14:43:22 UTC
Created attachment 15207
repro folder

Mono: master/978c84a
OS: Ubuntu 14.04, amd64

Unzip the attached file and run this in a loop:

> MONO_CFG_DIR=<mono-dir>/runtime/etc MONO_PATH=<mono-dir>/mcs/class/lib/net_4_x <mono-dir>/mono/mini/mono-sgen --debug xunit/xunit.console.x86.exe Nancy.Validation.DataAnnotations.Tests.dll

After a while it'll crash with the following error:

>   Starting:    Nancy.Validation.DataAnnotations.Tests
>   Finished:    Nancy.Validation.DataAnnotations.Tests
> System.TypeInitializationException: The type initializer for 'System.Collections.Generic.List`1' threw an exception. ---> System.Threading.ThreadAbortException: 
>   at System.Collections.Generic.List`1[T]..cctor () [0x00000] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/collections/generic/list.cs:47 
>   --- End of inner exception stack trace ---
>   at System.Threading.ThreadHelper.ThreadStart_Context (System.Object state) [0x00017] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/thread.cs:68 
>   at System.Threading.ExecutionContext.RunInternal (System.Threading.ExecutionContext executionContext, System.Threading.ContextCallback callback, System.Object state, Boolean preserveSyncCtx) [0x0008d] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/executioncontext.cs:957 
>   at System.Threading.ExecutionContext.Run (System.Threading.ExecutionContext executionContext, System.Threading.ContextCallback callback, System.Object state, Boolean preserveSyncCtx) [0x00000] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/executioncontext.cs:904 
>   at System.Threading.ExecutionContext.Run (System.Threading.ExecutionContext executionContext, System.Threading.ContextCallback callback, System.Object state) [0x00031] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/executioncontext.cs:893 
>   at System.Threading.ThreadHelper.ThreadStart () [0x0000b] in /home/alexander/dev/mono/external/referencesource/mscorlib/system/threading/thread.cs:105 
> *** Error in `../mono/mono/mini/mono-sgen': double free or corruption (out): 0x00007f4df000d660 ***
> Stacktrace:
> 
> 
> Native stacktrace:
> 
> 	../mono/mono/mini/mono-sgen() [0x509e74]
> 	../mono/mono/mini/mono-sgen() [0x5ae6ab]
> 	/lib/x86_64-linux-gnu/libpthread.so.0(+0x10340) [0x7f4e06cb4340]
> 	/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x39) [0x7f4e066ffcc9]
> 	/lib/x86_64-linux-gnu/libc.so.6(abort+0x148) [0x7f4e067030d8]
> 	/lib/x86_64-linux-gnu/libc.so.6(+0x73394) [0x7f4e0673c394]
> 	/lib/x86_64-linux-gnu/libc.so.6(+0x7f66e) [0x7f4e0674866e]
> 	../mono/mono/mini/mono-sgen() [0x7a4fa8]
> 	../mono/mono/mini/mono-sgen() [0x41488a]
> 	../mono/mono/mini/mono-sgen() [0x41b915]
> 	../mono/mono/mini/mono-sgen(mono_runtime_quit+0x2b) [0x6a898d]
> 	../mono/mono/mini/mono-sgen() [0x61034a]
> 	[0x402961e2]
> 
> Debug info from gdb:
> 
> [New LWP 4282]
> [New LWP 4275]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:85
> 85	../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S: No such file or directory.
>   Id   Target Id         Frame 
>   3    Thread 0x7f4e057ff700 (LWP 4275) "mono-sgen" pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
>   2    Thread 0x7f4e01e40700 (LWP 4282) "mono-sgen" 0x00007f4e06cb3ee9 in __libc_waitpid (pid=4286, stat_loc=0x7f4e01e3bee4, options=0) at ../sysdeps/unix/sysv/linux/waitpid.c:40
> * 1    Thread 0x7f4e077d17c0 (LWP 4274) "mono-sgen" sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:85
> 
> Thread 3 (Thread 0x7f4e057ff700 (LWP 4275)):
> #0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
> #1  0x000000000075a746 in mono_os_cond_wait (cond=0xb06900 <work_cond>, mutex=0xb068c0 <lock>) at ../../mono/utils/mono-os-mutex.h:105
> #2  0x000000000075b2c7 in thread_func (thread_data=0x0) at sgen-thread-pool.c:118
> #3  0x00007f4e06cac182 in start_thread (arg=0x7f4e057ff700) at pthread_create.c:312
> #4  0x00007f4e067c347d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
> 
> Thread 2 (Thread 0x7f4e01e40700 (LWP 4282)):
> #0  0x00007f4e06cb3ee9 in __libc_waitpid (pid=4286, stat_loc=0x7f4e01e3bee4, options=0) at ../sysdeps/unix/sysv/linux/waitpid.c:40
> #1  0x0000000000509fbd in mono_handle_native_sigsegv (signal=6, ctx=0x7f4e01e3c780, info=0x7f4e01e3c8b0) at mini-exceptions.c:2387
> #2  0x00000000005ae6ab in sigabrt_signal_handler (_dummy=6, _info=0x7f4e01e3c8b0, context=0x7f4e01e3c780) at mini-posix.c:218
> #3  <signal handler called>
> #4  0x00007f4e066ffcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #5  0x00007f4e067030d8 in __GI_abort () at abort.c:89
> #6  0x00007f4e0673c394 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7f4e0684ab28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
> #7  0x00007f4e0674866e in malloc_printerr (ptr=<optimized out>, str=0x7f4e0684ac58 "double free or corruption (out)", action=1) at malloc.c:4996
> #8  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
> #9  0x00000000007a4fa8 in monoeg_g_free (ptr=0x7f4df000d660) at gmem.c:36
> #10 0x000000000041488a in free_jit_tls_data (jit_tls=0x7f4df000d660) at mini-runtime.c:1078
> #11 0x000000000041b915 in mini_cleanup (domain=0x259e480) at mini-runtime.c:4172
> #12 0x00000000006a898d in mono_runtime_quit () at appdomain.c:416
> #13 0x000000000061034a in ves_icall_System_Environment_Exit (result=1) at icall.c:6651
> #14 0x00000000402961e2 in ?? ()
> #15 0x00007f4df0033428 in ?? ()
> #16 0x00007f4e05a71338 in ?? ()
> #17 0x00007f4e05a9dff0 in ?? ()
> #18 0x00007f4e05a9dff0 in ?? ()
> #19 0x00007f4e05a9dff0 in ?? ()
> #20 0x00007f4e01e3f528 in ?? ()
> #21 0x00007f4e01e3d2c0 in ?? ()
> #22 0x00007f4e01e3d2c0 in ?? ()
> #23 0x00007f4e01e3d1e0 in ?? ()
> #24 0x000000004029616a in ?? ()
> #25 0x00007f4e022f01b0 in ?? ()
> #26 0x00007f4e01e3d860 in ?? ()
> #27 0x00000000402960d0 in ?? ()
> #28 0x00000000408e8200 in ?? ()
> #29 0x00007f4e01e3d2c0 in ?? ()
> #30 0x0000000040243f15 in ?? ()
> #31 0x00007f4e01e3d2a0 in ?? ()
> #32 0x00007f4e01e3d848 in ?? ()
> #33 0x0000000000000000 in ?? ()
> 
> Thread 1 (Thread 0x7f4e077d17c0 (LWP 4274)):
> #0  sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:85
> #1  0x00000000007966ef in mono_os_sem_wait (sem=0x259cda0, flags=MONO_SEM_FLAGS_NONE) at ../../mono/utils/mono-os-semaphore.h:163
> #2  0x000000000079733d in mono_thread_info_wait_for_resume (info=0x259cd40) at mono-threads.c:144
> #3  0x0000000000798589 in mono_thread_info_end_self_suspend () at mono-threads.c:700
> #4  0x0000000000683f05 in self_suspend_internal () at threads.c:4824
> #5  0x0000000000683571 in mono_thread_execute_interruption () at threads.c:4344
> #6  0x00000000006837a0 in mono_thread_interruption_checkpoint_request (bypass_abort_protection=1) at threads.c:4473
> #7  0x00000000006837d6 in mono_thread_force_interruption_checkpoint_noraise () at threads.c:4498
> #8  0x00000000408e62b6 in ?? ()
> #9  0x00007fff6aeb1b60 in ?? ()
> #10 0x00007fff6aeb1ced in ?? ()
> #11 0x0000000040295f74 in ?? ()
> #12 0x00000000006ad1ae in unload_data_unref (data=0x1) at appdomain.c:2365
> #13 0x0000000040295f74 in ?? ()
> #14 0x00007f4e0582a650 in ?? ()
> #15 0x00007f4e058d9678 in ?? ()
> #16 0x00007f4e05830698 in ?? ()
> #17 0x00007f4e05a86380 in ?? ()
> #18 0x00007f4e01bb9878 in ?? ()
> #19 0x00000000025c77a0 in ?? ()
> #20 0x00007f4e05a86380 in ?? ()
> #21 0x00007fff6aeb1d60 in ?? ()
> #22 0x00007fff6aeb1cc0 in ?? ()
> #23 0x00007f4e03508578 in System_AppDomain_Unload_System_AppDomain (domain=...) at /home/alexander/dev/mono/mcs/class/corlib/System/AppDomain.cs:1200
> #24 0x0000000040295752 in ?? ()
> #25 0x00007f4e01bb9828 in ?? ()
> #26 0x00000000025c77a0 in ?? ()
> #27 0x0000000040295700 in ?? ()
> #28 0xfffffffffffffffb in ?? ()
> #29 0x000000004020c1c8 in ?? ()
> #30 0x00000000006837c8 in mono_thread_interruption_checkpoint () at threads.c:4489
> #31 0x00007f4e05818e68 in ?? ()
> #32 0x00007f4e01bb97d8 in ?? ()
> #33 0x00007fff6aeb1de0 in ?? ()
> #34 0x000000004029567f in ?? ()
> #35 0x00007f4e01bc07f0 in ?? ()
> #36 0x00000000402956bc in ?? ()
> #37 0x00007f4e01bc07f0 in ?? ()
> #38 0x000000004029563c in ?? ()
> #39 0x00007f4e05818ad8 in ?? ()
> #40 0x000000004029518f in ?? ()
> #41 0x00007f4e058d9988 in ?? ()
> #42 0x00000000025c77a0 in ?? ()
> #43 0x00007f4e01bb97b0 in ?? ()
> #44 0x0000000200000001 in ?? ()
> #45 0x00007f4e01bc07f0 in ?? ()
> #46 0x00000000006837c8 in mono_thread_interruption_checkpoint () at threads.c:4489
> #47 0x00007f4e022dbd20 in ?? ()
> #48 0x0000000040295130 in ?? ()
> #49 0x00007fff6aeb1fe0 in ?? ()
> #50 0x0000000040246d87 in ?? ()
> #51 0x00007f4e05818ad8 in ?? ()
> #52 0x00007f4e05818ad8 in ?? ()
> #53 0x0000000040246d57 in ?? ()
> #54 0x0000000040246d10 in ?? ()
> #55 0x0000000000000000 in ?? ()
> 
> =================================================================
> Got a SIGABRT while executing native code. This usually indicates
> a fatal error in the mono runtime or one of the native libraries 
> used by your application.
> =================================================================
> 
> Aborted

Comment 1 Alexander Köplinger [MSFT] 2016-03-01 19:47:26 UTC
The issue doesn't seem to occur if I pass -noappdomain to the xunit.console.exe.

@alexanderkyte: I remember you worked on xunit issues in the past, does this^ ring any bells to you?