Bug 56684 - (mono-2.0-sgen.dll) in mono.exe: 0xC0000005: Access violation reading location 0x04FA3D9A.
Summary: (mono-2.0-sgen.dll) in mono.exe: 0xC0000005: Access violation reading locatio...
Status: RESOLVED FIXED
Alias: None
Product: Runtime
Classification: Mono
Component: General
Version: unspecified
Hardware: PC Windows
Importance: --- normal
Target Milestone: ---
Assignee: Rodrigo Kumpera
URL:
Depends on:
Blocks:
 
Reported: 2017-05-19 20:11 UTC by Kirill Osenkov
Modified: 2017-06-09 18:51 UTC
CC List: 7 users

See Also:
Tags:
Is this bug a regression?: ---
Last known good build:


Attachments

Description Kirill Osenkov 2017-05-19 20:11:43 UTC
I was running VSMEF unit-tests on Windows and at the very end of the test run sgen crashes with access violation (nullref?):

Unhandled exception at 0x101C6DCA (mono-2.0-sgen.dll) in mono.exe: 0xC0000005: Access violation reading location 0x04FA3D9A.

Dump is at:
https://www.dropbox.com/s/5h039rvndharx50/monoAccessViolationSgen.dmp?dl=0
Comment 1 Kirill Osenkov 2017-05-19 20:15:22 UTC
Revision: 5ebfdf8821fc7bc21b133666596ddc3232811f17
Comment 2 Kirill Osenkov 2017-05-19 20:44:13 UTC
SHA seems to be 8a3993fbcc3b48b3b966a7544124b476a9d2f1d5
Comment 3 Kirill Osenkov 2017-05-19 20:47:41 UTC
.pdb file at:
https://www.dropbox.com/s/qfa0k1ztpiaa88c/mono-2.0-sgen.pdb?dl=0

Full stack:

>	mono-2.0-sgen.dll!do_mono_metadata_type_equal Line 5144	C
 	mono-2.0-sgen.dll!mono_metadata_type_equal Line 5202	C
 	mono-2.0-sgen.dll!mono_g_hash_table_find_slot Line 126	C
 	[Inline Frame] mono-2.0-sgen.dll!mono_g_hash_table_lookup_extended Line 295	C
 	mono-2.0-sgen.dll!mono_g_hash_table_lookup Line 279	C
 	mono-2.0-sgen.dll!mono_type_get_object_checked Line 494	C
 	mono-2.0-sgen.dll!mono_class_create_runtime_vtable Line 2087	C
 	mono-2.0-sgen.dll!mono_class_vtable_full Line 1783	C
 	mono-2.0-sgen.dll!mono_class_vtable Line 1750	C
 	mono-2.0-sgen.dll!mono_method_to_ir Line 10315	C
 	mono-2.0-sgen.dll!mini_method_compile Line 3466	C
 	mono-2.0-sgen.dll!mono_jit_compile_method_inner Line 4191	C
 	mono-2.0-sgen.dll!mono_jit_compile_method_with_opt Line 1886	C
 	[Inline Frame] mono-2.0-sgen.dll!mono_jit_compile_method Line 1930	C
 	mono-2.0-sgen.dll!mono_jit_runtime_invoke Line 2431	C
 	mono-2.0-sgen.dll!do_runtime_invoke Line 2829	C
 	mono-2.0-sgen.dll!mono_runtime_class_init_full Line 471	C
 	mono-2.0-sgen.dll!mono_generic_class_init Line 1457	C
 	03b96789	Unknown
 	[Frames below may be incorrect and/or missing]	
 	0eb6d4b0	Unknown
 	0eb6d23c	Unknown
 	04aee5b5	Unknown
 	mono-2.0-sgen.dll!mono_jit_runtime_invoke Line 2546	C
 	mono-2.0-sgen.dll!do_runtime_invoke Line 2829	C
 	mono-2.0-sgen.dll!mono_runtime_class_init_full Line 471	C
 	mono-2.0-sgen.dll!mono_jit_compile_method_inner Line 4362	C
 	mono-2.0-sgen.dll!mono_jit_compile_method_with_opt Line 1886	C
 	mono-2.0-sgen.dll!mono_jit_compile_method Line 1930	C
 	mono-2.0-sgen.dll!common_call_trampoline Line 704	C
 	mono-2.0-sgen.dll!mono_magic_trampoline Line 834	C
 	001e0188	Unknown
 	0b5c32a0	Unknown
 	04aee5b5	Unknown
 	mono-2.0-sgen.dll!mono_jit_runtime_invoke Line 2546	C
 	mono-2.0-sgen.dll!do_runtime_invoke Line 2829	C
 	mono-2.0-sgen.dll!mono_runtime_class_init_full Line 471	C
 	mono-2.0-sgen.dll!mono_jit_compile_method_inner Line 4362	C
 	mono-2.0-sgen.dll!mono_jit_compile_method_with_opt Line 1886	C
 	mono-2.0-sgen.dll!mono_jit_compile_method Line 1930	C
 	mono-2.0-sgen.dll!common_call_trampoline Line 704	C
 	mono-2.0-sgen.dll!mono_magic_trampoline Line 834	C
 	001e0188	Unknown
 	0b93ada0	Unknown
 	0eb6bb78	Unknown
 	04aee5b5	Unknown
 	mono-2.0-sgen.dll!mono_jit_runtime_invoke Line 2546	C
 	mono-2.0-sgen.dll!do_runtime_invoke Line 2829	C
 	mono-2.0-sgen.dll!mono_runtime_class_init_full Line 471	C
 	mono-2.0-sgen.dll!mono_generic_class_init Line 1457	C
 	03b96789	Unknown
 	0eb63d58	Unknown
 	0eb63cd4	Unknown
 	0eb63c98	Unknown
 	0eb63bc4	Unknown
 	04aee5b5	Unknown
 	mono-2.0-sgen.dll!mono_jit_runtime_invoke Line 2546	C
 	mono-2.0-sgen.dll!do_runtime_invoke Line 2829	C
 	mono-2.0-sgen.dll!mono_runtime_class_init_full Line 471	C
 	mono-2.0-sgen.dll!mono_method_to_ir Line 11035	C
 	mono-2.0-sgen.dll!mini_method_compile Line 3466	C
 	mono-2.0-sgen.dll!mono_jit_compile_method_inner Line 4191	C
 	mono-2.0-sgen.dll!mono_jit_compile_method_with_opt Line 1886	C
 	mono-2.0-sgen.dll!mono_jit_compile_method Line 1930	C
 	mono-2.0-sgen.dll!common_call_trampoline Line 704	C
 	mono-2.0-sgen.dll!mono_magic_trampoline Line 834	C
 	001e0188	Unknown
 	0b595408	Unknown
 	0eb62c2c	Unknown
 	0eb62ae8	Unknown
 	0eb6248c	Unknown
 	0e81e87c	Unknown
 	0e81e75c	Unknown
 	0e81e70d	Unknown
 	0e81e6b1	Unknown
 	051b6f32	Unknown
 	051b4204	Unknown
 	03b94c5c	Unknown
 	03b94f5c	Unknown
 	mono-2.0-sgen.dll!mono_jit_runtime_invoke Line 2546	C
 	mono-2.0-sgen.dll!do_runtime_invoke Line 2829	C
 	[Inline Frame] mono-2.0-sgen.dll!mono_runtime_invoke_checked Line 2983	C
 	mono-2.0-sgen.dll!do_exec_main_checked Line 4623	C
 	[Inline Frame] mono-2.0-sgen.dll!mono_runtime_exec_main_checked Line 4724	C
 	mono-2.0-sgen.dll!mono_runtime_run_main_checked Line 4182	C
 	mono-2.0-sgen.dll!mono_jit_exec Line 1032	C
 	mono-2.0-sgen.dll!main_thread_handler Line 1101	C
 	mono-2.0-sgen.dll!mono_main Line 2201	C
 	[Inline Frame] mono.exe!mono_main_with_options Line 46	C
 	mono.exe!main Line 329	C
 	[Inline Frame] mono.exe!invoke_main Line 64	C++
 	mono.exe!__scrt_common_main_seh Line 253	C++
 	kernel32.dll!BaseThreadInitThunk Line 64	C
 	ntdll.dll!__RtlUserThreadStart Line 997	C
 	ntdll.dll!_RtlUserThreadStart Line 914	C

Attached the binary and .pdb
Comment 4 Kirill Osenkov 2017-05-19 22:46:01 UTC
I can reproduce at will on Windows, about 50% of the time.

1. On Windows, install this Mono: https://jenkins.mono-project.com/view/Releases/job/v/150/Azure/processDownloadRequest/150/resources/bin/Release/MonoForWindows-x86.msi

2. Download and unzip xUnit to C:\xunit: https://www.nuget.org/packages/xunit.runner.console/2.1.0

3. git clone https://github.com/Microsoft/vs-mef

4. C:\vs-mef\init.cmd

5. msbuild C:\vs-mef\src\Microsoft.VisualStudio.Composition.sln

6. cd C:\vs-mef\bin\Debug\Tests\net451

7. C:\xunit\tools\xunit.console.x86.exe Microsoft.VisualStudio.Composition.Tests.dll -noshadow -html C:\vs-mef\vsmef.html -method "Microsoft.VisualStudio.Composition.Tests.AssembliesLazyLoadedTests.ComposableAssembliesLazyLoadedByLazyImport"

I'm working on the repro steps for Mac, but should be very similar.
Comment 5 Kirill Osenkov 2017-05-19 22:56:24 UTC
Hmm, also seeing this now:

Assertion: should not be reached at d:\j\workspace\v\repos\mono\mono\sgen\sgen-scan-object.h:91

Stack:

 	ucrtbase.dll!abort Line 77	C++
 	mono-2.0-sgen.dll!mono_log_write_logfile Line 136	C
 	mono-2.0-sgen.dll!structured_log_adapter Line 432	C
 	mono-2.0-sgen.dll!monoeg_g_logv Line 116	C
 	mono-2.0-sgen.dll!monoeg_assertion_message Line 135	C
 	mono-2.0-sgen.dll!major_scan_object_no_evacuation Line 91	C
 	mono-2.0-sgen.dll!drain_gray_stack_no_evacuation Line 345	C
 	[Inline Frame] mono-2.0-sgen.dll!sgen_drain_gray_stack Line 515	C
 	mono-2.0-sgen.dll!finish_gray_stack Line 1065	C
 	mono-2.0-sgen.dll!major_finish_collection Line 2033	C
 	mono-2.0-sgen.dll!major_do_collection Line 2160	C
 	mono-2.0-sgen.dll!sgen_perform_collection Line 2356	C
 	mono-2.0-sgen.dll!sgen_gc_collect Line 2866	C
 	mono-2.0-sgen.dll!unload_thread_main Line 2569	C
>	mono-2.0-sgen.dll!start_wrapper_internal Line 830	C
 	mono-2.0-sgen.dll!start_wrapper Line 893	C

Dump:
https://www.dropbox.com/s/eoghwv7zd1pnmp2/monoSgenUnreachableAssert.dmp?dl=0

Same mono and .pdb file.
Comment 6 Kirill Osenkov 2017-05-19 23:58:41 UTC
Never mind, the sgen-scan-object.h is a separate issue: 
https://bugzilla.xamarin.com/show_bug.cgi?id=56694
Comment 8 Rodrigo Kumpera 2017-05-23 05:58:28 UTC
This doesn't look like a GC issue.

CC'ing Ludovic and Andi so this gets assigned to someone.
Comment 9 Ludovic Henry 2017-05-23 16:57:16 UTC
@vlad, you already started looking at it. If it turns out it's not a GC bug, please reassign to the proper person.
Comment 10 Vlad Brezae 2017-05-24 21:50:28 UTC
I started looking into this bug as being potentially caused by the mono_g_hashtable changes in 5.2 but I can't find any direct correlation.

The issue seems to be that in the type_hash for a domain we have a type (MONO_TYPE_CLASS) that references a klass (always an IMessageSink) from an image (always xunit.abstractions.dll) that has been already unloaded. Help from a metadata experienced person would be welcome.

I reproduced the issue on OSX, 100% hit ratio. Weird that if I disable aot it no longer reproduces.
Comment 11 Rodrigo Kumpera 2017-05-24 23:55:52 UTC
Le Fu,

I guess that's on me then :cry:
Comment 12 Rodrigo Kumpera 2017-06-08 21:21:11 UTC
https://github.com/mono/mono/pull/4998
Comment 13 Rodrigo Kumpera 2017-06-09 18:51:19 UTC
Merged.

Backporting to 2017-06 (mono 5.4, possibly dev 15.4)
https://github.com/mono/mono/pull/5007
