Bug 41130 - Segmentation Fault on calling Type.GetField() for generic dynamic types
Summary: Segmentation Fault on calling Type.GetField() for generic dynamic types
Status: CONFIRMED
Alias: None
Product: Runtime
Classification: Mono
Component: Reflection
Version: 5.8 (2017-10)
Hardware: PC All
Importance: Normal normal
Target Milestone: Future Cycle (TBD)
Assignee: Bugzilla
URL:
Depends on:
Blocks:
 
Reported: 2016-05-17 12:56 UTC by Eirik Tsarpalis
Modified: 2017-11-27 18:24 UTC
CC: 4 users

See Also:
Tags: bugpool
Is this bug a regression?: ---
Last known good build:


Attachments
Reproducing F# console app (1.29 KB, text/plain)
2016-05-17 12:56 UTC, Eirik Tsarpalis

Description Eirik Tsarpalis 2016-05-17 12:56:08 UTC
Created attachment 16018
Reproducing F# console app

I attach a reproducing piece of code in F#. It basically generates a couple of dynamic types and attempts to look them up using reflection. Running 'fsharpc repro.fs && mono repro.exe' results in the following error:

Stacktrace:

  at <unknown> <0xffffffff>
  at (wrapper managed-to-native) System.RuntimeType.GetFields_internal (System.RuntimeType,string,System.Reflection.BindingFlags,System.Type) <0x00012>
  at System.RuntimeType.GetField (string,System.Reflection.BindingFlags) <0x00067>
  at System.Type.GetField (string) <0x0002f>
  at <StartupCode$repro>.$Repro.main@ () <0x00547>
  at (wrapper runtime-invoke) object.runtime_invoke_void (object,intptr,intptr,intptr) <0x00090>

Native stacktrace:


Debug info from gdb:

(lldb) command source -s 0 '/tmp/mono-gdb-commands.XzxEaT'
Executing commands in '/tmp/mono-gdb-commands.XzxEaT'.
(lldb) process attach --pid 7963
warning: (i386) /Library/Frameworks/Mono.framework/Versions/4.4.0/lib/mono/4.5/mscorlib.dll.dylib empty dSYM file detected, dSYM was created with an executable with no debug info.
Process 7963 stopped
* thread #1: tid = 0x2a0e4, 0x9d4dccee libsystem_kernel.dylib`__wait4 + 10, name = 'tid_50b', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x9d4dccee libsystem_kernel.dylib`__wait4 + 10
libsystem_kernel.dylib`__wait4:
->  0x9d4dccee <+10>: jae    0x9d4dccfe                ; <+26>
    0x9d4dccf0 <+12>: calll  0x9d4dccf5                ; <+17>
    0x9d4dccf5 <+17>: popl   %edx
    0x9d4dccf6 <+18>: movl   0x6e6432f(%edx), %edx

Executable module set to "/usr/local/bin/mono".
Architecture set to: i386-apple-macosx.
(lldb) thread list
Process 7963 stopped
* thread #1: tid = 0x2a0e4, 0x9d4dccee libsystem_kernel.dylib`__wait4 + 10, name = 'tid_50b', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
  thread #2: tid = 0x2a0e5, 0x9d4dc3ea libsystem_kernel.dylib`__psynch_cvwait + 10
  thread #3: tid = 0x2a0e6, 0x9d4d54d6 libsystem_kernel.dylib`semaphore_wait_trap + 10, name = 'tid_1303'
  thread #4: tid = 0x2a0e7, 0x9d4dcd5e libsystem_kernel.dylib`__workq_kernreturn + 10
  thread #5: tid = 0x2a0e8, 0x9d4dd7fa libsystem_kernel.dylib`kevent_qos + 10, queue = 'com.apple.libdispatch-manager'
  thread #6: tid = 0x2a0ea, 0x9d4dcd5e libsystem_kernel.dylib`__workq_kernreturn + 10
  thread #7: tid = 0x2a0eb, 0x9d4dcd5e libsystem_kernel.dylib`__workq_kernreturn + 10
(lldb) thread backtrace all
* thread #1: tid = 0x2a0e4, 0x9d4dccee libsystem_kernel.dylib`__wait4 + 10, name = 'tid_50b', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
  * frame #0: 0x9d4dccee libsystem_kernel.dylib`__wait4 + 10
    frame #1: 0x9cfff7dc libsystem_c.dylib`waitpid$UNIX2003 + 48
    frame #2: 0x0014550d mono`mono_handle_native_sigsegv(signal=11, ctx=0x00727fe0, info=0x00727fa0) + 541 at mini-exceptions.c:2348 [opt]
    frame #3: 0x00195582 mono`mono_arch_handle_altstack_exception(sigctx=<unavailable>, siginfo=<unavailable>, fault_addr=<unavailable>, stack_ovf=0) + 162 at exceptions-x86.c:1107 [opt]
    frame #4: 0x00087e03 mono`mono_sigsegv_signal_handler(_dummy=<unavailable>, _info=<unavailable>, context=<unavailable>) + 467 at mini-runtime.c:2888 [opt]
    frame #5: 0x91e0c79b libsystem_platform.dylib`_sigtramp + 43
    frame #6: 0x001a2e93 mono`mono_class_from_mono_type(type=0x00000000) + 19 at class.c:6561 [opt]
    frame #7: 0x0027b640 mono`mono_type_get_object(domain=0x7ae2ec60, type=0x00000000) + 32 at reflection.c:6690 [opt]
    frame #8: 0x0027c1d2 mono`mono_field_get_object(domain=<unavailable>, klass=<unavailable>, field=0x7b2e4f50) + 322 at reflection.c:6907 [opt]
    frame #9: 0x001d2ee2 mono`ves_icall_Type_GetFields_internal(type=0x00719260, name=<unavailable>, bflags=<unavailable>, reftype=<unavailable>) + 610 at icall.c:3350 [opt]
    frame #10: 0x0068da10
    frame #11: 0x0189dc18 mscorlib.dll.dylib`System_RuntimeType_GetField_string_System_Reflection_BindingFlags + 104
    frame #12: 0x0198b980 mscorlib.dll.dylib`System_Type_GetField_string + 48
    frame #13: 0x0068a4c8
    frame #14: 0x0068a741
    frame #15: 0x0008b637 mono`mono_jit_runtime_invoke(method=<unavailable>, obj=<unavailable>, params=<unavailable>, exc=<unavailable>) + 951 at mini-runtime.c:2578 [opt]
    frame #16: 0x00263c46 mono`mono_runtime_invoke(method=0x7b20aec0, obj=<unavailable>, params=<unavailable>, exc=<unavailable>) + 150 at object.c:2897 [opt]
    frame #17: 0x00269c01 mono`mono_runtime_exec_main(method=0x7b20aec0, args=<unavailable>, exc=0x00000000) + 401 at object.c:4223 [opt]
    frame #18: 0x002699b8 mono`mono_runtime_run_main(method=0x7b20aec0, argc=<unavailable>, argv=<unavailable>, exc=<unavailable>) + 632 at object.c:3837 [opt]
    frame #19: 0x00109985 mono`mono_jit_exec(domain=<unavailable>, assembly=<unavailable>, argc=<unavailable>, argv=<unavailable>) + 213 at driver.g.c:1031 [opt]
    frame #20: 0x0010be4c mono`mono_main [inlined] main_thread_handler + 8396 at driver.g.c:1091 [opt]
    frame #21: 0x0010be14 mono`mono_main(argc=<unavailable>, argv=<unavailable>) + 8340 at driver.g.c:2162 [opt]
    frame #22: 0x0007c8ea mono`main [inlined] mono_main_with_options(argc=2, argc=2, argc=2, argv=0xbff86c08, argv=0xbff86c08, argv=0xbff86c08) + 74 at main.c:20 [opt]
    frame #23: 0x0007c8c9 mono`main(argc=2, argv=0xbff86c08) + 41 at main.c:53 [opt]
    frame #24: 0x0007c895 mono`start + 53

  thread #2: tid = 0x2a0e5, 0x9d4dc3ea libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #0: 0x9d4dc3ea libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x92448538 libsystem_pthread.dylib`_pthread_cond_wait + 757
    frame #2: 0x9244a276 libsystem_pthread.dylib`pthread_cond_wait$UNIX2003 + 71
    frame #3: 0x002c53ab mono`thread_func [inlined] mono_os_cond_wait(mutex=0xb00810b0) + 18 at mono-os-mutex.h:105 [opt]
    frame #4: 0x002c5399 mono`thread_func(thread_data=0x00000000) + 457 at sgen-thread-pool.c:118 [opt]
    frame #5: 0x92447780 libsystem_pthread.dylib`_pthread_body + 138
    frame #6: 0x924476f6 libsystem_pthread.dylib`_pthread_start + 155
    frame #7: 0x92444f7a libsystem_pthread.dylib`thread_start + 34

  thread #3: tid = 0x2a0e6, 0x9d4d54d6 libsystem_kernel.dylib`semaphore_wait_trap + 10, name = 'tid_1303'
    frame #0: 0x9d4d54d6 libsystem_kernel.dylib`semaphore_wait_trap + 10
    frame #1: 0x0026152e mono`finalizer_thread [inlined] mono_os_sem_wait(flags=MONO_SEM_FLAGS_ALERTABLE) + 14 at mono-os-semaphore.h:72 [opt]
    frame #2: 0x00261520 mono`finalizer_thread [inlined] mono_coop_sem_wait(flags=MONO_SEM_FLAGS_ALERTABLE) + 10 at mono-coop-semaphore.h:40 [opt]
    frame #3: 0x00261516 mono`finalizer_thread(unused=0x00000000) + 118 at gc.c:711 [opt]
    frame #4: 0x0023a989 mono`start_wrapper [inlined] start_wrapper_internal + 540 at threads.c:717 [opt]
    frame #5: 0x0023a76d mono`start_wrapper(data=<unavailable>) + 29 at threads.c:764 [opt]
    frame #6: 0x002f4a7d mono`inner_start_thread(arg=<unavailable>) + 349 at mono-threads-posix.c:92 [opt]
    frame #7: 0x92447780 libsystem_pthread.dylib`_pthread_body + 138
    frame #8: 0x924476f6 libsystem_pthread.dylib`_pthread_start + 155
    frame #9: 0x92444f7a libsystem_pthread.dylib`thread_start + 34

  thread #4: tid = 0x2a0e7, 0x9d4dcd5e libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #0: 0x9d4dcd5e libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x9244734b libsystem_pthread.dylib`_pthread_wqthread + 1289
    frame #2: 0x92444f56 libsystem_pthread.dylib`start_wqthread + 34

  thread #5: tid = 0x2a0e8, 0x9d4dd7fa libsystem_kernel.dylib`kevent_qos + 10, queue = 'com.apple.libdispatch-manager'
    frame #0: 0x9d4dd7fa libsystem_kernel.dylib`kevent_qos + 10
    frame #1: 0x9ce237ea libdispatch.dylib`_dispatch_mgr_invoke + 234
    frame #2: 0x9ce233be libdispatch.dylib`_dispatch_mgr_thread + 52

  thread #6: tid = 0x2a0ea, 0x9d4dcd5e libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #0: 0x9d4dcd5e libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x9244734b libsystem_pthread.dylib`_pthread_wqthread + 1289
    frame #2: 0x92444f56 libsystem_pthread.dylib`start_wqthread + 34

  thread #7: tid = 0x2a0eb, 0x9d4dcd5e libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #0: 0x9d4dcd5e libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x9244734b libsystem_pthread.dylib`_pthread_wqthread + 1289
    frame #2: 0x92444f56 libsystem_pthread.dylib`start_wqthread + 34
(lldb) detach

=================================================================
Got a SIGSEGV while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries 
used by your application.
=================================================================

Process 7963 detached
(lldb) quit
zsh: abort      mono repro.exe
Comment 1 Rodrigo Kumpera 2016-09-14 19:01:05 UTC
Hey Zoltan,

This is a nice SRE test case. It can be converted to C# as it doesn't depend on fsharpi.
Comment 2 Ludovic Henry 2017-11-10 21:28:52 UTC
I can reproduce with Mono 5.8.0.40 (2017-10/ce494e3d152), though the assertion is different:

> $> fsharpc repro.fs && mono repro.exe
> Microsoft (R) F# Compiler version 4.1
> Copyright (c) Microsoft Corporation. All Rights Reserved.
> * Assertion at class-accessors.c:138, condition `mono_class_has_static_metadata (klass)' not met
> 
> Stacktrace:
> 
>   at <unknown> <0xffffffff>
>   at (wrapper managed-to-native) System.Reflection.MemberInfo.get_MetadataToken (System.Reflection.MemberInfo) [0x00017] in <5a89c1c5d5f64bbab6a88fd2898ae6c9>:0
>   at <StartupCode$repro>.$Repro.main@ () [0x0022a] in <5a0617af6d5c59cfa7450383af17065a>:0
>   at (wrapper runtime-invoke) object.runtime_invoke_void (object,intptr,intptr,intptr) [0x0004c] in <5a89c1c5d5f64bbab6a88fd2898ae6c9>:0
> 
> Native stacktrace:
> 
> 	0   mono                                0x0000000104643f31 mono_handle_native_crash + 257
> 	1   libsystem_platform.dylib            0x00007fff92897b3a _sigtramp + 26
> 	2   ???                                 0x0000000000000003 0x0 + 3
> 	3   libsystem_c.dylib                   0x00007fff9271c420 abort + 129
> 	4   mono                                0x000000010481bb0f mono_log_write_logfile + 351
> 	5   mono                                0x0000000104833783 monoeg_g_logv + 83
> 	6   mono                                0x000000010483399f monoeg_assertion_message + 143
> 	7   mono                                0x00000001046e7c3f mono_class_get_first_field_idx + 111
> 	8   mono                                0x00000001046e1f0c mono_class_get_field_token + 60
> 	9   ???                                 0x0000000104ae5e9c 0x0 + 4373503644
> 	10  mono                                0x0000000104599d97 mono_jit_runtime_invoke + 1383
> 	11  mono                                0x000000010475a224 do_runtime_invoke + 84
> 	12  mono                                0x000000010475d849 do_exec_main_checked + 137
> 	13  mono                                0x0000000104606dff mono_jit_exec + 287
> 	14  mono                                0x00000001046095f4 mono_main + 9140
> 	15  mono                                0x000000010458977d main + 253
> 	16  mono                                0x0000000104589674 start + 52
> 
> Debug info from gdb:
> 
> (lldb) command source -s 0 '/tmp/mono-gdb-commands.sEWxWF'
> Executing commands in '/tmp/mono-gdb-commands.sEWxWF'.
> (lldb) process attach --pid 12097
> warning: (x86_64) /Library/Frameworks/Mono.framework/Versions/5.8.0/lib/mono/4.5/mscorlib.dll.dylib empty dSYM file detected, dSYM was created with an executable with no debug info.
> Process 12097 stopped
> * thread #1, name = 'tid_307', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
>     frame #0: 0x00007fff927b73ee libsystem_kernel.dylib`__wait4 + 10
> libsystem_kernel.dylib`__wait4:
> ->  0x7fff927b73ee <+10>: jae    0x7fff927b73f8            ; <+20>
>     0x7fff927b73f0 <+12>: movq   %rax, %rdi
>     0x7fff927b73f3 <+15>: jmp    0x7fff927afcd4            ; cerror
>     0x7fff927b73f8 <+20>: retq
> Target 0: (mono) stopped.
> 
> Executable module set to "/Library/Frameworks/Mono.framework/Versions/Current/Commands/mono".
> Architecture set to: x86_64h-apple-macosx.
> (lldb) thread list
> Process 12097 stopped
> * thread #1: tid = 0xf980a7, 0x00007fff927b73ee libsystem_kernel.dylib`__wait4 + 10, name = 'tid_307', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
>   thread #2: tid = 0xf980a8, 0x00007fff927b6bf2 libsystem_kernel.dylib`__psynch_cvwait + 10, name = 'SGen worker'
>   thread #3: tid = 0xf980a9, 0x00007fff927af386 libsystem_kernel.dylib`semaphore_wait_trap + 10, name = 'Finalizer'
>   thread #4: tid = 0xf980aa, 0x00007fff927b744e libsystem_kernel.dylib`__workq_kernreturn + 10
>   thread #5: tid = 0xf980ab, 0x00007fff927b744e libsystem_kernel.dylib`__workq_kernreturn + 10
>   thread #6: tid = 0xf980ac, 0x00007fff927b744e libsystem_kernel.dylib`__workq_kernreturn + 10
> (lldb) thread backtrace all
> * thread #1, name = 'tid_307', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
>   * frame #0: 0x00007fff927b73ee libsystem_kernel.dylib`__wait4 + 10
>     frame #1: 0x0000000104643fbe mono`mono_handle_native_crash(signal=<unavailable>, ctx=<unavailable>, info=<unavailable>) at mini-exceptions.c:2726 [opt]
>     frame #2: 0x00007fff92897b3a libsystem_platform.dylib`_sigtramp + 26
>     frame #3: 0x00007fff927b6d43 libsystem_kernel.dylib`__pthread_kill + 11
>     frame #4: 0x00007fff928a4457 libsystem_pthread.dylib`pthread_kill + 90
>     frame #5: 0x00007fff9271c420 libsystem_c.dylib`abort + 129
>     frame #6: 0x000000010481bb0f mono`mono_log_write_logfile(log_domain=<unavailable>, level=<unavailable>, hdr=<unavailable>, message="* Assertion at class-accessors.c:138, condition `mono_class_has_static_metadata (klass)' not met\n") at mono-log-common.c:135 [opt]
>     frame #7: 0x0000000104833783 mono`monoeg_g_logv(log_domain=0x0000000000000000, log_level=G_LOG_LEVEL_ERROR, format=<unavailable>, args=<unavailable>) at goutput.c:115 [opt]
>     frame #8: 0x000000010483399f mono`monoeg_assertion_message(format=<unavailable>) at goutput.c:135 [opt]
>     frame #9: 0x00000001046e7c3f mono`mono_class_get_first_field_idx(klass=<unavailable>) at class-accessors.c:138 [opt]
>     frame #10: 0x00000001046e1f0c mono`mono_class_get_field_token(field=<unavailable>) at class.c:6970 [opt]
>     frame #11: 0x0000000104ae5e9c
>     frame #12: 0x0000000104599d97 mono`mono_jit_runtime_invoke(method=<unavailable>, obj=<unavailable>, params=0x00007fff5b678528, exc=0x0000000104c06bc0, error=<unavailable>) at mini-runtime.c:2800 [opt]
>     frame #13: 0x000000010475a224 mono`do_runtime_invoke(method=0x00007fbe036063b8, obj=0x0000000000000000, params=0x00007fff5b678528, exc=0x0000000000000000, error=0x00007fff5b678568) at object.c:2849 [opt]
>     frame #14: 0x000000010475d849 mono`do_exec_main_checked [inlined] mono_runtime_invoke_checked(method=<unavailable>, obj=<unavailable>, error=<unavailable>) at object.c:3002 [opt]
>     frame #15: 0x000000010475d808 mono`do_exec_main_checked(method=0x00007fbe036063b8, args=<unavailable>, error=0x00007fff5b678568) at object.c:4726 [opt]
>     frame #16: 0x0000000104606dff mono`mono_jit_exec(domain=<unavailable>, assembly=<unavailable>, argc=1, argv=0x00007fff5b678890) at driver.g.c:1040 [opt]
>     frame #17: 0x00000001046095f4 mono`mono_main [inlined] main_thread_handler at driver.g.c:1109 [opt]
>     frame #18: 0x00000001046095c1 mono`mono_main(argc=2, argv=<unavailable>) at driver.g.c:2222 [opt]
>     frame #19: 0x000000010458977d mono`main [inlined] mono_main_with_options(argc=<unavailable>, argv=<unavailable>) at main.c:46 [opt]
>     frame #20: 0x0000000104589769 mono`main(argc=2, argv=<unavailable>) at main.c:339 [opt]
>     frame #21: 0x0000000104589674 mono`start + 52
>   thread #2, name = 'SGen worker'
>     frame #0: 0x00007fff927b6bf2 libsystem_kernel.dylib`__psynch_cvwait + 10
>     frame #1: 0x00007fff928a27fa libsystem_pthread.dylib`_pthread_cond_wait + 712
>     frame #2: 0x0000000104812fae mono`thread_func [inlined] mono_os_cond_wait(mutex=<unavailable>) at mono-os-mutex.h:173 [opt]
>     frame #3: 0x0000000104812f9b mono`thread_func at sgen-thread-pool.c:165 [opt]
>     frame #4: 0x0000000104812f8d mono`thread_func(data=0x0000000000000000) at sgen-thread-pool.c:196 [opt]
>     frame #5: 0x00007fff928a193b libsystem_pthread.dylib`_pthread_body + 180
>     frame #6: 0x00007fff928a1887 libsystem_pthread.dylib`_pthread_start + 286
>     frame #7: 0x00007fff928a108d libsystem_pthread.dylib`thread_start + 13
>   thread #3, name = 'Finalizer'
>     frame #0: 0x00007fff927af386 libsystem_kernel.dylib`semaphore_wait_trap + 10
>     frame #1: 0x00000001047bf72c mono`finalizer_thread [inlined] mono_os_sem_wait(flags=MONO_SEM_FLAGS_ALERTABLE) at mono-os-semaphore.h:90 [opt]
>     frame #2: 0x00000001047bf721 mono`finalizer_thread at mono-coop-semaphore.h:43 [opt]
>     frame #3: 0x00000001047bf715 mono`finalizer_thread(unused=<unavailable>) at gc.c:866 [opt]
>     frame #4: 0x000000010477b9f0 mono`start_wrapper [inlined] start_wrapper_internal at threads.c:993 [opt]
>     frame #5: 0x000000010477b953 mono`start_wrapper(data=<unavailable>) at threads.c:1053 [opt]
>     frame #6: 0x00007fff928a193b libsystem_pthread.dylib`_pthread_body + 180
>     frame #7: 0x00007fff928a1887 libsystem_pthread.dylib`_pthread_start + 286
>     frame #8: 0x00007fff928a108d libsystem_pthread.dylib`thread_start + 13
>   thread #4
>     frame #0: 0x00007fff927b744e libsystem_kernel.dylib`__workq_kernreturn + 10
>     frame #1: 0x00007fff928a148e libsystem_pthread.dylib`_pthread_wqthread + 1023
>     frame #2: 0x00007fff928a107d libsystem_pthread.dylib`start_wqthread + 13
>   thread #5
>     frame #0: 0x00007fff927b744e libsystem_kernel.dylib`__workq_kernreturn + 10
>     frame #1: 0x00007fff928a1621 libsystem_pthread.dylib`_pthread_wqthread + 1426
>     frame #2: 0x00007fff928a107d libsystem_pthread.dylib`start_wqthread + 13
>   thread #6
>     frame #0: 0x00007fff927b744e libsystem_kernel.dylib`__workq_kernreturn + 10
>     frame #1: 0x00007fff928a1621 libsystem_pthread.dylib`_pthread_wqthread + 1426
>     frame #2: 0x00007fff928a107d libsystem_pthread.dylib`start_wqthread + 13
> (lldb) detach
> 
> =================================================================
> Got a SIGABRT while executing native code. This usually indicates
> a fatal error in the mono runtime or one of the native libraries
> used by your application.
> =================================================================
> 
> Process 12097 detached
> (lldb) quit
> [1]    12097 abort      mono repro.exe
Comment 3 Ludovic Henry 2017-11-21 21:25:26 UTC
https://github.com/mono/mono/pull/6035
Comment 4 Bernhard Urban 2017-11-27 18:24:48 UTC
The proposed fix in PR #6035 is wrong. Aleksey Kliger suggested possible solutions: https://github.com/mono/mono/pull/6035#issuecomment-345309044
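
The description and Comment 1 outline the reproduction (emit a couple of generic dynamic types with Reflection.Emit, bake them, then look them up with Type.GetField), but the attached repro.fs itself is not reproduced on this page. The C# below is a constructed sketch of that scenario written for this page: it is not the attachment, not Mono's own test case, and it has not been verified to trigger the crash on the affected Mono builds; the assembly, type and field names are arbitrary. Two details from the traces shape it. The faulting managed frame is System.RuntimeType.GetField, so the lookup runs against a created (baked) type rather than a TypeBuilder, and the native frames show mono_field_get_object handing type=0x00000000 to mono_type_get_object, i.e. the MonoType of the field being materialized is NULL at that point, which is why the failure is a SIGSEGV in native runtime code that aborts the process instead of a managed exception the caller could catch. Comment 2's newer build fails on MemberInfo.get_MetadataToken instead, so the sketch also reads the field's MetadataToken.

```csharp
using System;
using System.Reflection;
using System.Reflection.Emit;

// Constructed illustration for this page, not the attached repro.fs.
// Two generic dynamic types, Node<T> and Box<T>, where Node<T> carries a field
// whose type is an instantiation of the not-yet-created Box<T>. Both are baked
// and the created Node<T> is then queried with Type.GetField, the call whose
// frame appears in the reported stack trace. All names are arbitrary.
static class Program
{
    static void Main()
    {
        AssemblyBuilder asm = AssemblyBuilder.DefineDynamicAssembly(
            new AssemblyName("DynTypes"), AssemblyBuilderAccess.Run);
        ModuleBuilder mod = asm.DefineDynamicModule("DynTypes");

        // class Box<T> { public T Value; }
        TypeBuilder boxB = mod.DefineType("Box`1", TypeAttributes.Public | TypeAttributes.Class);
        Type boxT = boxB.DefineGenericParameters("T")[0];
        boxB.DefineField("Value", boxT, FieldAttributes.Public);

        // class Node<T> { public Box<T> Item; }
        // The field type references a TypeBuilder that has not been created yet.
        TypeBuilder nodeB = mod.DefineType("Node`1", TypeAttributes.Public | TypeAttributes.Class);
        Type nodeT = nodeB.DefineGenericParameters("T")[0];
        nodeB.DefineField("Item", boxB.MakeGenericType(nodeT), FieldAttributes.Public);

        // Bake Node<T> first, then Box<T>, so Node's field type was still an
        // uncreated TypeBuilder instantiation at the time Node was created.
        Type node = nodeB.CreateType();
        Type box = boxB.CreateType();

        // Reflect over the created (RuntimeType) generic definition. The report's
        // trace is RuntimeType.GetField -> GetFields_internal -> mono_field_get_object.
        FieldInfo itemOpen = node.GetField("Item");
        Console.WriteLine($"{node.Name}.{itemOpen.Name} : {itemOpen.FieldType}");

        // Comment 2's build asserts inside MemberInfo.get_MetadataToken instead.
        Console.WriteLine($"token 0x{itemOpen.MetadataToken:X8}");

        // Same lookups on closed instantiations of both dynamic types.
        FieldInfo itemInt = node.MakeGenericType(typeof(int)).GetField("Item");
        Console.WriteLine($"{itemInt.DeclaringType}.{itemInt.Name} : {itemInt.FieldType}");

        FieldInfo valueStr = box.MakeGenericType(typeof(string)).GetField("Value");
        Console.WriteLine($"{valueStr.DeclaringType}.{valueStr.Name} : {valueStr.FieldType}");
    }
}
```

Build and run with `csc Repro.cs && mono Repro.exe` (or `dotnet run` from a console project). On a runtime where the lookup succeeds it prints the field types of the open and closed instantiations plus the field token; a runtime affected by this bug is expected to die with the native SIGSEGV or assertion shown above rather than throw, since the fault is in the icall path under Type.GetField.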