Bug 59402 - Invalid emitted IL using Reflection causes Mono to crash.
Status: NEEDINFO
Product: Runtime
Classification: Mono
Component: JIT
Version: 5.4 (2017-06)
Hardware: Macintosh Mac OS
Importance: --- major
Target Milestone: ---
Assignee: Bugzilla
Reported: 2017-09-11 22:08 UTC by Will Smith
Modified: 2017-09-21 21:06 UTC
Description Will Smith 2017-09-11 22:08:29 UTC
I'm emitting IL using reflection, but the IL is invalid. However, instead of Mono telling us it is invalid, it just crashes with this:

* Assertion at remoting.c:1342, condition `mono_method_signature (method)->hasthis' not met

Stacktrace:

  at <unknown> <0xffffffff>
  at (wrapper managed-to-native) System.Delegate.CreateDelegate_internal (System.Type,object,System.Reflection.MethodInfo,bool) [0x00029] in <0f9cf89506fc472489b02664600526e9>:0
  at System.Delegate.CreateDelegate (System.Type,object,System.Reflection.MethodInfo,bool,bool) [0x002f0] in /Users/builder/data/lanes/4992/mono-mac-sdk/external/bockbuild/builds/mono-x64/mcs/class/corlib/System/Delegate.cs:282
  at System.Delegate.CreateDelegate (System.Type,System.Reflection.MethodInfo,bool) [0x00000] in /Users/builder/data/lanes/4992/mono-mac-sdk/external/bockbuild/builds/mono-x64/mcs/class/corlib/System/Delegate.cs:297
  at System.Delegate.CreateDelegate (System.Type,System.Reflection.MethodInfo) [0x00000] in /Users/builder/data/lanes/4992/mono-mac-sdk/external/bockbuild/builds/mono-x64/mcs/class/corlib/System/Delegate.cs:302
  at System.Reflection.Emit.DynamicMethod.CreateDelegate (System.Type) [0x00029] in /Users/builder/data/lanes/4992/mono-mac-sdk/external/bockbuild/builds/mono-x64/mcs/class/corlib/System.Reflection.Emit/DynamicMethod.cs:175
  at Foom.Ecs.CloneHelpers.createCloneMethod<T_REF> () [0x00273] in <59b7074e0f7e8990a74503834e07b759>:0
  at <StartupCode$Foom-Ecs-Desktop>.$EntityManager/factory@568T<T_REF, a_REF>.Invoke (a_REF) [0x00009] in <59b7074e0f7e8990a74503834e07b759>:0
  at <StartupCode$Foom-Ecs-Desktop>.$EntityManager/GetEntityLookupData@588-3.Invoke (System.Type) [0x00014] in <59b7074e0f7e8990a74503834e07b759>:0
  at System.Collections.Concurrent.ConcurrentDictionary`2<TKey_REF, TValue_REF>.GetOrAdd (TKey_REF,System.Func`2<TKey_REF, TValue_REF>) [0x00034] in /Users/builder/data/lanes/4992/mono-mac-sdk/external/bockbuild/builds/mono-x64/external/corefx/src/System.Collections.Concurrent/src/System/Collections/Concurrent/ConcurrentDictionary.cs:1035
  at Foom.Ecs.EntityManager.GetEntityLookupData<T_REF> () [0x0014a] in <59b7074e0f7e8990a74503834e07b759>:0
  at Foom.Ecs.EntityManager.Add<T_REF> (Foom.Ecs.Entity,T_REF) [0x00078] in <59b7074e0f7e8990a74503834e07b759>:0
  at Foom.Ecs.EntityPrototype/AddComponent@978<?_REF>.Invoke (Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x0001d] in <59b7074e0f7e8990a74503834e07b759>:0
  at Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Foom.Ecs.EntityManager>.InvokeFast<Microsoft.FSharp.Core.Unit> (Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.EntityManager, Microsoft.FSharp.Core.Unit>>,Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00012] in <5584aad2904cf4daa7450383d2aa8455>:0
  at Foom.Ecs.EntityPrototype/AddComponent@978<?_REF>.Invoke (Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00009] in <59b7074e0f7e8990a74503834e07b759>:0
  at Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Foom.Ecs.EntityManager>.InvokeFast<Microsoft.FSharp.Core.Unit> (Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.EntityManager, Microsoft.FSharp.Core.Unit>>,Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00012] in <5584aad2904cf4daa7450383d2aa8455>:0
  at Foom.Ecs.EntityPrototype/AddComponent@978<?_REF>.Invoke (Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00009] in <59b7074e0f7e8990a74503834e07b759>:0
  at Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Foom.Ecs.EntityManager>.InvokeFast<Microsoft.FSharp.Core.Unit> (Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.EntityManager, Microsoft.FSharp.Core.Unit>>,Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00012] in <5584aad2904cf4daa7450383d2aa8455>:0
  at Foom.Ecs.EntityPrototype/AddComponent@978<?_REF>.Invoke (Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00009] in <59b7074e0f7e8990a74503834e07b759>:0
  at Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Foom.Ecs.EntityManager>.InvokeFast<Microsoft.FSharp.Core.Unit> (Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.EntityManager, Microsoft.FSharp.Core.Unit>>,Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00012] in <5584aad2904cf4daa7450383d2aa8455>:0
  at Foom.Ecs.EntityPrototype/AddComponent@978<?_REF>.Invoke (Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00009] in <59b7074e0f7e8990a74503834e07b759>:0
  at Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Foom.Ecs.EntityManager>.InvokeFast<Microsoft.FSharp.Core.Unit> (Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.EntityManager, Microsoft.FSharp.Core.Unit>>,Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00012] in <5584aad2904cf4daa7450383d2aa8455>:0
  at Foom.Ecs.EntityPrototype/AddComponent@978<?_REF>.Invoke (Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00009] in <59b7074e0f7e8990a74503834e07b759>:0
  at Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Foom.Ecs.EntityManager>.InvokeFast<Microsoft.FSharp.Core.Unit> (Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.EntityManager, Microsoft.FSharp.Core.Unit>>,Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00012] in <5584aad2904cf4daa7450383d2aa8455>:0
  at Foom.Ecs.EntityPrototype/AddComponent@978<?_REF>.Invoke (Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00009] in <59b7074e0f7e8990a74503834e07b759>:0
  at Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Foom.Ecs.EntityManager>.InvokeFast<Microsoft.FSharp.Core.Unit> (Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.EntityManager, Microsoft.FSharp.Core.Unit>>,Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00012] in <5584aad2904cf4daa7450383d2aa8455>:0
  at Foom.Ecs.EntityPrototype/AddComponent@978<?_REF>.Invoke (Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00009] in <59b7074e0f7e8990a74503834e07b759>:0
  at Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Foom.Ecs.EntityManager>.InvokeFast<Microsoft.FSharp.Core.Unit> (Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.Entity, Microsoft.FSharp.Core.FSharpFunc`2<Foom.Ecs.EntityManager, Microsoft.FSharp.Core.Unit>>,Foom.Ecs.Entity,Foom.Ecs.EntityManager) [0x00012] in <5584aad2904cf4daa7450383d2aa8455>:0
  at Foom.Ecs.EntityManager.Spawn (Foom.Ecs.EntityPrototype/EntityPrototype) [0x00015] in <59b7074e0f7e8990a74503834e07b759>:0
  at Program.main (string[]) [0x00010] in /Users/williamsmith/Projects/MonoCrash1/Foom.Ecs.PerformanceTests/Program.fs:152
  at (wrapper runtime-invoke) <Module>.runtime_invoke_int_object (object,intptr,intptr,intptr) [0x00057] in <59b7075163b916cca74503835107b759>:0

Native stacktrace:

	0   mono                                0x000000010cb09811 mono_handle_native_crash + 257
	1   libsystem_platform.dylib            0x00007fffc76c5b3a _sigtramp + 26
	2   ???                                 0x000000011ae84551 0x0 + 4746397009
	3   libsystem_c.dylib                   0x00007fffc754a420 abort + 129
	4   mono                                0x000000010ccd99cf mono_log_write_logfile + 351
	5   mono                                0x000000010ccf13e3 monoeg_g_logv + 83
	6   mono                                0x000000010ccf15ff monoeg_assertion_message + 143
	7   mono                                0x000000010cc1b7f3 mono_marshal_get_remoting_invoke_with_check + 643
	8   mono                                0x000000010ca68215 mono_emit_method_call_full + 1477
	9   mono                                0x000000010ca7af4d mono_method_to_ir + 60877
	10  mono                                0x000000010ca59237 mini_method_compile + 3159
	11  mono                                0x000000010ca5c835 mono_jit_compile_method_inner + 773
	12  mono                                0x000000010ca5fda3 mono_jit_compile_method_with_opt + 1379
	13  mono                                0x000000010cbb8d32 ves_icall_System_Delegate_CreateDelegate_internal + 482
	14  ???                                 0x000000011020ede0 0x0 + 4565560800

Debug info from gdb:

(lldb) command source -s 0 '/tmp/mono-gdb-commands.bB1oNJ'
Executing commands in '/tmp/mono-gdb-commands.bB1oNJ'.
(lldb) process attach --pid 92929
Process 92929 stopped
* thread #1, name = 'tid_307', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x00007fffc75e53ee libsystem_kernel.dylib`__wait4 + 10
libsystem_kernel.dylib`__wait4:
->  0x7fffc75e53ee <+10>: jae    0x7fffc75e53f8            ; <+20>
    0x7fffc75e53f0 <+12>: movq   %rax, %rdi
    0x7fffc75e53f3 <+15>: jmp    0x7fffc75ddcd4            ; cerror
    0x7fffc75e53f8 <+20>: retq   

Executable module set to "/Library/Frameworks/Mono.framework/Versions/5.4.0/bin/mono".
Architecture set to: x86_64h-apple-macosx.
(lldb) thread list
Process 92929 stopped
* thread #1: tid = 0x1186f92, 0x00007fffc75e53ee libsystem_kernel.dylib`__wait4 + 10, name = 'tid_307', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
  thread #2: tid = 0x1186f93, 0x00007fffc75e4bf2 libsystem_kernel.dylib`__psynch_cvwait + 10, name = 'SGen worker'
  thread #3: tid = 0x1186f94, 0x00007fffc75e4bf2 libsystem_kernel.dylib`__psynch_cvwait + 10, name = 'SGen worker'
  thread #4: tid = 0x1186fa7, 0x00007fffc75dd386 libsystem_kernel.dylib`semaphore_wait_trap + 10, name = 'Finalizer'
  thread #5: tid = 0x1186fa8, 0x00007fffc75e544e libsystem_kernel.dylib`__workq_kernreturn + 10
  thread #6: tid = 0x1186fa9, 0x00007fffc75e544e libsystem_kernel.dylib`__workq_kernreturn + 10
  thread #7: tid = 0x1186faa, 0x00007fffc75e544e libsystem_kernel.dylib`__workq_kernreturn + 10
  thread #8: tid = 0x1186fac, 0x00007fffc75e4df6 libsystem_kernel.dylib`__recvfrom + 10, name = 'Debugger agent'
(lldb) thread backtrace all
* thread #1, name = 'tid_307', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
  * frame #0: 0x00007fffc75e53ee libsystem_kernel.dylib`__wait4 + 10
    frame #1: 0x000000010cb0989e mono`mono_handle_native_crash(signal=<unavailable>, ctx=<unavailable>, info=<unavailable>) at mini-exceptions.c:2717 [opt]
    frame #2: 0x00007fffc76c5b3a libsystem_platform.dylib`_sigtramp + 26
    frame #3: 0x00007fffc75e4d43 libsystem_kernel.dylib`__pthread_kill + 11
    frame #4: 0x00007fffc76d25bf libsystem_pthread.dylib`pthread_kill + 90
    frame #5: 0x00007fffc754a420 libsystem_c.dylib`abort + 129
    frame #6: 0x000000010ccd99cf mono`mono_log_write_logfile(log_domain=<unavailable>, level=<unavailable>, hdr=<unavailable>, message="* Assertion at remoting.c:1342, condition `mono_method_signature (method)->hasthis' not met\n") at mono-log-common.c:135 [opt]
    frame #7: 0x000000010ccf13e3 mono`monoeg_g_logv(log_domain=0x0000000000000000, log_level=G_LOG_LEVEL_ERROR, format=<unavailable>, args=<unavailable>) at goutput.c:115 [opt]
    frame #8: 0x000000010ccf15ff mono`monoeg_assertion_message(format=<unavailable>) at goutput.c:135 [opt]
    frame #9: 0x000000010cc1b7f3 mono`mono_marshal_get_remoting_invoke_with_check(method=<unavailable>) at remoting.c:1342 [opt]
    frame #10: 0x000000010ca68215 mono`mono_emit_method_call_full(cfg=<unavailable>, method=<unavailable>, sig=<unavailable>, tail=0, args=0x00007f9bf80b5a08, this_ins=<unavailable>, imt_arg=0x0000000000000000, rgctx_arg=<unavailable>) at method-to-ir.c:2537 [opt]
    frame #11: 0x000000010ca7af4d mono`mono_method_to_ir(cfg=<unavailable>, method=<unavailable>, start_bblock=0x00007f9bf80b54c8, end_bblock=<unavailable>, return_var=0x0000000000000000, inline_args=0x00007f9bf80b5a08, inline_offset=<unavailable>, is_virtual_call=<unavailable>) at method-to-ir.c:9031 [opt]
    frame #12: 0x000000010ca59237 mono`mini_method_compile(method=<unavailable>, opts=370239999, domain=0x00007f9bf6f03880, flags=JIT_FLAG_RUN_CCTORS, parts=0, aot_method_index=-1) at mini.c:3442 [opt]
    frame #13: 0x000000010ca5c835 mono`mono_jit_compile_method_inner(method=0x00007f9bf6e4a360, target_domain=0x00007f9bf6f03880, opt=370239999, error=0x00007fff531ad1f0) at mini.c:4167 [opt]
    frame #14: 0x000000010ca5fda3 mono`mono_jit_compile_method_with_opt(method=0x00007f9bf6e4a360, opt=<unavailable>, jit_only=0, error=<unavailable>) at mini-runtime.c:2129 [opt]
    frame #15: 0x000000010cbb8d32 mono`ves_icall_System_Delegate_CreateDelegate_internal(ref_type=<unavailable>, target=0x00007f9bf9002620, info=<unavailable>, throwOnBindFailure='\x01', error=0x00007fff531ad1f0) at icall.c:6236 [opt]
    frame #16: 0x000000011020ede0

  thread #2, name = 'SGen worker'
    frame #0: 0x00007fffc75e4bf2 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fffc76d086e libsystem_pthread.dylib`_pthread_cond_wait + 712
    frame #2: 0x000000010ccd117f mono`thread_func [inlined] mono_os_cond_wait(cond=0x000000010cdf8960, mutex=<unavailable>) at mono-os-mutex.h:173 [opt]
    frame #3: 0x000000010ccd1173 mono`thread_func(thread_data=0x000000010cdf8918) at sgen-thread-pool.c:108 [opt]
    frame #4: 0x00007fffc76cf9af libsystem_pthread.dylib`_pthread_body + 180
    frame #5: 0x00007fffc76cf8fb libsystem_pthread.dylib`_pthread_start + 286
    frame #6: 0x00007fffc76cf101 libsystem_pthread.dylib`thread_start + 13

  thread #3, name = 'SGen worker'
    frame #0: 0x00007fffc75e4bf2 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fffc76d086e libsystem_pthread.dylib`_pthread_cond_wait + 712
    frame #2: 0x000000010ccd1162 mono`thread_func [inlined] mono_os_cond_wait(cond=0x000000010ce4cbc0, mutex=<unavailable>) at mono-os-mutex.h:173 [opt]
    frame #3: 0x000000010ccd1156 mono`thread_func(thread_data=0x000000010cf52108) at sgen-thread-pool.c:90 [opt]
    frame #4: 0x00007fffc76cf9af libsystem_pthread.dylib`_pthread_body + 180
    frame #5: 0x00007fffc76cf8fb libsystem_pthread.dylib`_pthread_start + 286
    frame #6: 0x00007fffc76cf101 libsystem_pthread.dylib`thread_start + 13

  thread #4, name = 'Finalizer'
    frame #0: 0x00007fffc75dd386 libsystem_kernel.dylib`semaphore_wait_trap + 10
    frame #1: 0x000000010cc533a5 mono`finalizer_thread [inlined] mono_os_sem_wait(flags=MONO_SEM_FLAGS_ALERTABLE) at mono-os-semaphore.h:91 [opt]
    frame #2: 0x000000010cc5339a mono`finalizer_thread at mono-coop-semaphore.h:43 [opt]
    frame #3: 0x000000010cc5338e mono`finalizer_thread(unused=<unavailable>) at gc.c:864 [opt]
    frame #4: 0x000000010cc274f3 mono`start_wrapper [inlined] start_wrapper_internal at threads.c:829 [opt]
    frame #5: 0x000000010cc27473 mono`start_wrapper(data=0x00007f9bf6f141a0) at threads.c:891 [opt]
    frame #6: 0x00007fffc76cf9af libsystem_pthread.dylib`_pthread_body + 180
    frame #7: 0x00007fffc76cf8fb libsystem_pthread.dylib`_pthread_start + 286
    frame #8: 0x00007fffc76cf101 libsystem_pthread.dylib`thread_start + 13

  thread #5
    frame #0: 0x00007fffc75e544e libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x00007fffc76cf695 libsystem_pthread.dylib`_pthread_wqthread + 1426
    frame #2: 0x00007fffc76cf0f1 libsystem_pthread.dylib`start_wqthread + 13

  thread #6
    frame #0: 0x00007fffc75e544e libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x00007fffc76cf502 libsystem_pthread.dylib`_pthread_wqthread + 1023
    frame #2: 0x00007fffc76cf0f1 libsystem_pthread.dylib`start_wqthread + 13

  thread #7
    frame #0: 0x00007fffc75e544e libsystem_kernel.dylib`__workq_kernreturn + 10
    frame #1: 0x00007fffc76cf695 libsystem_pthread.dylib`_pthread_wqthread + 1426
    frame #2: 0x00007fffc76cf0f1 libsystem_pthread.dylib`start_wqthread + 13

  thread #8, name = 'Debugger agent'
    frame #0: 0x00007fffc75e4df6 libsystem_kernel.dylib`__recvfrom + 10
    frame #1: 0x000000010cb4361e mono`socket_transport_recv(buf="<?", len=11) at debugger-agent.c:1148 [opt]
    frame #2: 0x000000010cb2db36 mono`debugger_thread [inlined] transport_recv(len=11) at debugger-agent.c:1554 [opt]
    frame #3: 0x000000010cb2db20 mono`debugger_thread(arg=<unavailable>) at debugger-agent.c:10338 [opt]
    frame #4: 0x000000010cc274f3 mono`start_wrapper [inlined] start_wrapper_internal at threads.c:829 [opt]
    frame #5: 0x000000010cc27473 mono`start_wrapper(data=0x00007f9bf6c23440) at threads.c:891 [opt]
    frame #6: 0x00007fffc76cf9af libsystem_pthread.dylib`_pthread_body + 180
    frame #7: 0x00007fffc76cf8fb libsystem_pthread.dylib`_pthread_start + 286
    frame #8: 0x00007fffc76cf101 libsystem_pthread.dylib`thread_start + 13
(lldb) detach

=================================================================
Got a SIGABRT while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries 
used by your application.
=================================================================

Process 92929 detached
(lldb) quit
Abort trap: 6

I've included a sample project. Just run Foom.Ecs.PerformanceTests in debug or release. Please look at EntityManager.fs line 262 to give you an idea of what is causing Mono to crash.


Here is my Mono version:

Mono JIT compiler version 5.4.0.167 (2017-06/6b8abfeb7cc Thu Aug 17 18:17:27 EDT 2017)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           normal
	SIGSEGV:       altstack
	Notification:  kqueue
	Architecture:  amd64
	Disabled:      none
	Misc:          softdebug 
	LLVM:          yes(3.6.0svn-mono-master/8b1520c8aae)
	GC:            sgen (concurrent by default)
Comment 1 Zoltan Varga 2017-09-20 07:35:13 UTC
The mono JIT does a certain level of checking on IL, but doesn't check everything.
Comment 2 Ludovic Henry 2017-09-21 21:06:20 UTC
Could you please attach the sample project you are talking about in https://bugzilla.xamarin.com/show_bug.cgi?id=59402#c0? I can't seem to find it. Thank you.
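
Added example, not part of the bug report and not Mono project code. Comment 1 is the point that matters for anyone generating IL at runtime: the JIT does not verify a DynamicMethod body, so a malformed body does not surface as a catchable exception from CreateDelegate. As the native trace above shows, it surfaces as a g_assert inside the JIT (mono_emit_method_call_full -> mono_marshal_get_remoting_invoke_with_check, asserting that the callee signature has a `this`) followed by SIGABRT of the whole process. If the emitted IL is built from anything attacker-influenced (a template, a schema, a plugin manifest), that is a reliable crash of the host. The hypothetical CheckedEmitter below wraps ILGenerator for a small opcode set and enforces the invariants the runtime will not check for you: argument indexes in range, callvirt never aimed at a static method or an unconstrained value type, enough operands on the evaluation stack for each call, and a consistent stack at ret. It is plain C# against the standard Reflection.Emit API; the call target Twice and the "bad" emit sequence are constructed for the example and are only one instance of the opcode/signature mismatch class, since the reporter's actual IL (EntityManager.fs line 262) is not on this page.

```csharp
using System;
using System.Reflection;
using System.Reflection.Emit;

// Added example, not code from the bug report or from Mono. A thin wrapper
// around ILGenerator that rejects malformed IL with an exception before
// CreateDelegate hands the body to the JIT. The opcode set is deliberately
// small; the class and its API are hypothetical.
public sealed class CheckedEmitter
{
    private readonly DynamicMethod dm;
    private readonly ILGenerator il;
    private readonly Type[] paramTypes;
    private readonly Type returnType;
    private int depth;        // evaluation-stack depth, tracked by hand
    private bool returned;    // whether a `ret` has been emitted

    public CheckedEmitter(string name, Type returnType, Type[] paramTypes)
    {
        this.returnType = returnType;
        this.paramTypes = paramTypes;
        dm = new DynamicMethod(name, returnType, paramTypes, typeof(CheckedEmitter).Module, true);
        il = dm.GetILGenerator();
    }

    // InvalidProgramException is what the runtime itself uses for bad IL, so
    // callers can handle both the runtime's and our own rejections in one place.
    private static void Fail(string why)
    {
        throw new InvalidProgramException("rejected IL: " + why);
    }

    public void Ldarg(int index)
    {
        if (index < 0 || index >= paramTypes.Length) Fail("ldarg " + index + " out of range");
        il.Emit(OpCodes.Ldarg_S, (byte)index);
        depth++;
    }

    public void Call(OpCode op, MethodInfo target)
    {
        if (op != OpCodes.Call && op != OpCodes.Callvirt) Fail("only call/callvirt are supported here");
        // callvirt needs an object receiver: a static method has no `this`, and a
        // value-type receiver would need a `constrained.` prefix.
        if (op == OpCodes.Callvirt && target.IsStatic) Fail("callvirt on static method " + target.Name);
        if (op == OpCodes.Callvirt && target.DeclaringType.IsValueType) Fail("unconstrained callvirt on value type");
        int consumed = target.GetParameters().Length + (target.IsStatic ? 0 : 1);
        if (depth < consumed) Fail(target.Name + " needs " + consumed + " stack slots, " + depth + " present");
        depth -= consumed;
        if (target.ReturnType != typeof(void)) depth++;
        il.Emit(op, target);
    }

    public void Ret()
    {
        int expected = returnType == typeof(void) ? 0 : 1;
        if (depth != expected) Fail("ret with " + depth + " values on the stack, expected " + expected);
        il.Emit(OpCodes.Ret);
        returned = true;
    }

    public T CreateDelegate<T>()
    {
        if (!returned) Fail("method body never returns");
        return (T)(object)dm.CreateDelegate(typeof(T));
    }
}

public static class Demo
{
    // Constructed call target for the example.
    public static int Twice(int x) { return x * 2; }

    public static Func<int, int> BuildGood()
    {
        var e = new CheckedEmitter("good", typeof(int), new[] { typeof(int) });
        e.Ldarg(0);
        e.Call(OpCodes.Call, typeof(Demo).GetMethod("Twice"));
        e.Ret();
        return e.CreateDelegate<Func<int, int>>();
    }

    // Two defects of the kind the report describes: callvirt against a static
    // method, and a call with nothing on the evaluation stack. Without the
    // wrapper both would reach the JIT unchallenged.
    public static string BuildBad()
    {
        var e = new CheckedEmitter("bad", typeof(int), new[] { typeof(int) });
        try
        {
            e.Call(OpCodes.Callvirt, typeof(Demo).GetMethod("Twice"));
            e.Ret();
            e.CreateDelegate<Func<int, int>>();
            return "accepted";
        }
        catch (InvalidProgramException ex) { return ex.Message; }
    }

    public static void Main()
    {
        Console.WriteLine(BuildGood()(21));
        Console.WriteLine(BuildBad());
    }
}
```

Rejecting early turns a process abort into an InvalidProgramException the caller can catch and log. For IL emitted into a persisted AssemblyBuilder the usual offline checkers (peverify, ILVerify) can be run on the saved file, but a DynamicMethod body never reaches disk, which is why this kind of check has to live in the emitter itself.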
