Segfault in gc_heap::get_region_plan_gen_num for a frozen object

[MichalStrehovsky]

I'm seeing a segfault in gc_heap::get_region_plan_gen_num when trying to dereference the return value of heap_segment_plan_gen_num when processing a frozen object. It looks like the int& returned from heap_segment_plan_gen_num doesn't point anywhere useful.

Obj is a frozen string at the point of the crash. This is NativeAOT, obviously.

I also have a crashdump with a repro EXE if this is not enough to troubleshoot.

>	System.Collections.Tests.exe!WKS::gc_heap::get_region_plan_gen_num(unsigned char * obj) Line 11257	C++
 	System.Collections.Tests.exe!WKS::gc_heap::check_demotion_helper_sip(unsigned char * * pval, int parent_gen_num, unsigned char * parent_loc) Line 30140	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_advance_to_non_sip(WKS::heap_segment * region) Line 30186	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_survivors(int condemned_gen_number, unsigned char * first_condemned_address) Line 31296	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_phase(int condemned_gen_number, unsigned char * first_condemned_address) Line 31714	C++
 	System.Collections.Tests.exe!WKS::gc_heap::plan_phase(int condemned_gen_number) Line 29005	C++
 	System.Collections.Tests.exe!WKS::gc_heap::gc1() Line 20353	C++
 	System.Collections.Tests.exe!WKS::gc_heap::garbage_collect(int n) Line 22032	C++
 	System.Collections.Tests.exe!WKS::GCHeap::GarbageCollectGeneration(unsigned int gen, gc_reason reason) Line 45098	C++
 	System.Collections.Tests.exe!WKS::gc_heap::trigger_gc_for_alloc(int gen_number, gc_reason gr, WKS::GCDebugSpinLock * msl, bool loh_p, WKS::msl_take_state take_state) Line 17083	C++
 	System.Collections.Tests.exe!WKS::gc_heap::try_allocate_more_space(alloc_context * acontext, unsigned __int64 size, unsigned int flags, int gen_number) Line 17229	C++
 	System.Collections.Tests.exe!WKS::gc_heap::allocate_more_space(alloc_context * acontext, unsigned __int64 size, unsigned int flags, int alloc_generation_number) Line 17693	C++
 	System.Collections.Tests.exe!WKS::gc_heap::allocate(unsigned __int64 jsize, alloc_context * acontext, unsigned int flags) Line 17724	C++
 	System.Collections.Tests.exe!WKS::GCHeap::Alloc(gc_alloc_context * context, unsigned __int64 size, unsigned int flags) Line 44055	C++
 	System.Collections.Tests.exe!GcAllocInternal(MethodTable * pEEType, unsigned int uFlags, unsigned __int64 numElements, Thread * pThread) Line 267	C++
 	System.Collections.Tests.exe!RhpGcAlloc(MethodTable * pEEType, unsigned int uFlags, unsigned __int64 numElements, void * pTransitionFrame) Line 304	C++

Tagging subscribers to this area: @dotnet/gc
See info in area-owners.md if you want to be subscribed.

Issue Details

---

I'm seeing a segfault in gc_heap::get_region_plan_gen_num when trying to dereference the return value of heap_segment_plan_gen_num when processing a frozen object. It looks like the int& returned from heap_segment_plan_gen_num doesn't point anywhere useful.

Obj is a frozen string at the point of the crash. This is NativeAOT, obviously.

I also have a crashdump with a repro EXE if this is not enough to troubleshoot.

>	System.Collections.Tests.exe!WKS::gc_heap::get_region_plan_gen_num(unsigned char * obj) Line 11257	C++
 	System.Collections.Tests.exe!WKS::gc_heap::check_demotion_helper_sip(unsigned char * * pval, int parent_gen_num, unsigned char * parent_loc) Line 30140	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_advance_to_non_sip(WKS::heap_segment * region) Line 30186	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_survivors(int condemned_gen_number, unsigned char * first_condemned_address) Line 31296	C++
 	System.Collections.Tests.exe!WKS::gc_heap::relocate_phase(int condemned_gen_number, unsigned char * first_condemned_address) Line 31714	C++
 	System.Collections.Tests.exe!WKS::gc_heap::plan_phase(int condemned_gen_number) Line 29005	C++
 	System.Collections.Tests.exe!WKS::gc_heap::gc1() Line 20353	C++
 	System.Collections.Tests.exe!WKS::gc_heap::garbage_collect(int n) Line 22032	C++
 	System.Collections.Tests.exe!WKS::GCHeap::GarbageCollectGeneration(unsigned int gen, gc_reason reason) Line 45098	C++
 	System.Collections.Tests.exe!WKS::gc_heap::trigger_gc_for_alloc(int gen_number, gc_reason gr, WKS::GCDebugSpinLock * msl, bool loh_p, WKS::msl_take_state take_state) Line 17083	C++
 	System.Collections.Tests.exe!WKS::gc_heap::try_allocate_more_space(alloc_context * acontext, unsigned __int64 size, unsigned int flags, int gen_number) Line 17229	C++
 	System.Collections.Tests.exe!WKS::gc_heap::allocate_more_space(alloc_context * acontext, unsigned __int64 size, unsigned int flags, int alloc_generation_number) Line 17693	C++
 	System.Collections.Tests.exe!WKS::gc_heap::allocate(unsigned __int64 jsize, alloc_context * acontext, unsigned int flags) Line 17724	C++
 	System.Collections.Tests.exe!WKS::GCHeap::Alloc(gc_alloc_context * context, unsigned __int64 size, unsigned int flags) Line 44055	C++
 	System.Collections.Tests.exe!GcAllocInternal(MethodTable * pEEType, unsigned int uFlags, unsigned __int64 numElements, Thread * pThread) Line 267	C++
 	System.Collections.Tests.exe!RhpGcAlloc(MethodTable * pEEType, unsigned int uFlags, unsigned __int64 numElements, void * pTransitionFrame) Line 304	C++

Author:	MichalStrehovsky
Assignees:	-
Labels:	area-GC-coreclr
Milestone:	-

[mangod9]

Thanks for reporting this @MichalStrehovsky. Is this a consistent or intermittent failure?

[MichalStrehovsky]

I ran the test app twice and I hit it twice, so looks pretty consistent.

[mangod9]

ok we will investigate.