Sgen aborting because of theorically unreachable code #21369
Description
potentially similar issue ? #14732
TL;DR: I think I have found a workaround for now by using the "new" sgen bridge implementation.
But i am curious if someone here with good knowledge of the sgen garbage / bridge can give me insight
of what is going on with this issue:
I already gave a lot of information in the xamarin-android issue so do not hesitate to read that first.
Steps to Reproduce
could not yet reproduce with a minimal reproduction project (EDIT: see response below, i now found out a way to trigger the bug )
Current Behavior
crash because of sgen gc aborting
Expected Behavior
no crash
On which platforms did you notice this
[ ] macOS
[ ] Linux
[ ] Windows
[X] Android with tarjan bridge and xamarin for android (not .NET 6, regular "old" xamarin application)
Version Used:
mono-6.12.0.145 on May 27 2021 c633fe9
(I know this is not the latest, in the eventuality that there is a problem that have been identified since, and i did not find the issue, then, sorry and please point me to relevant PR/issues)
#0 0x00007c72ab4f02a8 in syscall () from C:\Users\Thomas\AppData\Local\Temp\x64\Debug\.gdb\libc.so
#1 0x00007c72ab4f3213 in abort () from C:\Users\Thomas\AppData\Local\Temp\x64\Debug\.gdb\libc.so
#2 0x00007c6fbf23174a in ?? ()
#3 0x00007c6fbf1d9cf0 in ?? ()
#4 0x00007c6fbfb0f154 in eglib_log_adapter (log_domain=0x0, log_level=G_LOG_LEVEL_ERROR, message=0x7c70c92a0e90 "* Assertion: should not be reached at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-scan-object.h:91\n", user_data=0x0) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/utils/mono-logger.c:405
#5 0x00007c6fbfb3c72a in monoeg_g_logstr (log_domain=0x0, log_level=G_LOG_LEVEL_ERROR, msg=0x7c70c92a0e90 "* Assertion: should not be reached at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-scan-object.h:91\n") at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/eglib/goutput.c:151
#6 0x00007c6fbfb3c00e in monoeg_g_logv_nofree (log_domain=0x0, log_level=G_LOG_LEVEL_ERROR, format=0x7c6fbfb96dca "* Assertion: should not be reached at %s:%d\n", args=0x7c6fbf1d9020) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/eglib/goutput.c:166
#7 0x00007c6fbfb3c2f4 in monoeg_assertion_message (format=0x7c6fbfb96dca "* Assertion: should not be reached at %s:%d\n") at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/eglib/goutput.c:201
#8 0x00007c6fbfb3c394 in mono_assertion_message_unreachable (file=0x7c6fbfb8bb6a "/Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-scan-object.h", line=91) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/eglib/goutput.c:228
#9 0x00007c6fbfaa0c77 in major_scan_object_concurrent_with_evacuation (full_object=0x7c6fb7a157e0, desc=35027181184716800, queue=0x7c72aac6b010) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-scan-object.h:91
#10 0x00007c6fbfac3dd1 in scan_card_table_for_block (block=0x7c6fb7a14000, scan_type=CARDTABLE_SCAN_MOD_UNION_PRECLEAN, ctx=...) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-marksweep.c:2619
#11 0x00007c6fbfa91e24 in major_scan_card_table (scan_type=CARDTABLE_SCAN_MOD_UNION_PRECLEAN, ctx=..., job_index=0, job_split_count=1, block_count=4973) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-marksweep.c:2711
#12 0x00007c6fbfa877d2 in job_major_mod_union_preclean (worker_data_untyped=0x7c72aac6b008, job=0x7c7001dc3208) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-gc.c:1554
#13 0x00007c6fbfb00947 in thread_func (data=0x0) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-thread-pool.c:207
#14 0x00007c72ab55dd2b in __pthread_start(void*) () from C:\Users\Thomas\AppData\Local\Temp\x64\Debug\.gdb\libc.so
#15 0x00007c72ab4f50c8 in __start_thread () from C:\Users\Thomas\AppData\Local\Temp\x64\Debug\.gdb\libc.so
variant with "large object" (not meaning "in LOS" , rather bigger than card in cardtable)
#0 0x00007018985dd2a8 in syscall () from C:\Users\tmijieux\AppData\Local\Temp\x64\Debug\.gdb\libc.so
#1 0x00007018985e0213 in abort () from C:\Users\tmijieux\AppData\Local\Temp\x64\Debug\.gdb\libc.so
#2 0x00007015ac12f68a in ?? ()
#3 0x00007015abbfbcf0 in ?? ()
#4 0x00007015aca11154 in eglib_log_adapter (log_domain=0x0, log_level=G_LOG_LEVEL_ERROR, message=0x7016b6004970 "* Assertion: should not be reached at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-scan-object.h:91\n", user_data=0x0) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/utils/mono-logger.c:405
#5 0x00007015aca3e72a in monoeg_g_logstr (log_domain=0x0, log_level=G_LOG_LEVEL_ERROR, msg=0x7016b6004970 "* Assertion: should not be reached at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-scan-object.h:91\n") at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/eglib/goutput.c:151
#6 0x00007015aca3e00e in monoeg_g_logv_nofree (log_domain=0x0, log_level=G_LOG_LEVEL_ERROR, format=0x7015aca98dca "* Assertion: should not be reached at %s:%d\n", args=0x7015abbfafc0) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/eglib/goutput.c:166
#7 0x00007015aca3e2f4 in monoeg_assertion_message (format=0x7015aca98dca "* Assertion: should not be reached at %s:%d\n") at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/eglib/goutput.c:201
#8 0x00007015aca3e394 in mono_assertion_message_unreachable (file=0x7015aca8db6a "/Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-scan-object.h", line=91) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/eglib/goutput.c:228
#9 0x00007015ac9a2c77 in major_scan_object_concurrent_with_evacuation (full_object=0x7015a4797c40, desc=31550443109896192, queue=0x701897c56010) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-scan-object.h:91
#10 0x00007015ac96f0f5 in sgen_cardtable_scan_object (obj=0x7015a4797c40, block_obj_size=840, cards=0x7015abbfba4e "", ctx=...) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-cardtable.c:590
#11 0x00007015ac9c5e13 in scan_card_table_for_block (block=0x7015a4794000, scan_type=CARDTABLE_SCAN_MOD_UNION_PRECLEAN, ctx=...) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-marksweep.c:2622
#12 0x00007015ac993e24 in major_scan_card_table (scan_type=CARDTABLE_SCAN_MOD_UNION_PRECLEAN, ctx=..., job_index=0, job_split_count=1, block_count=4860) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-marksweep.c:2711
#13 0x00007015ac9897d2 in job_major_mod_union_preclean (worker_data_untyped=0x701897c56008, job=0x7015ad9ae008) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-gc.c:1554
#14 0x00007015aca02947 in thread_func (data=0x0) at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/debug/mono/sgen/sgen-thread-pool.c:207
#15 0x000070189864ad2b in __pthread_start(void*) () from C:\Users\tmijieux\AppData\Local\Temp\x64\Debug\.gdb\libc.so
#16 0x00007018985e20c8 in __start_thread () from C:\Users\tmijieux\AppData\Local\Temp\x64\Debug\.gdb\libc.so
Like i said in the xamarin-android issue, my first guess was maybe memory corruption because of any bug or other native library.
But then i read little bits of code and documentation about sgen.
By inspecting the values in the debugger in noticed that the vtable pointer is ending with 7 so i am wondering if there could be a corner case race condition because of tarjan where object would get re-tagged by bridge and then read on scan function on a place where it does not expect it to be tagged ?