[mono] android crash in `mono_object_handle_isinst`

[srxqds]

Description

hit crash on android with execute at

runtime/src/libraries/System.Linq.Expressions/src/System/Dynamic/Utils/ExpressionUtils.cs

Line 90 in d2a2a79

public static T ReturnObject<T>(object collectionOrT) where T : class

build linq expression in thread and the main thread call gc collect.

Reproduction Steps

we can't reproduct it, but it occur in our production app

Expected behavior

not crash

Actual behavior

crash

Regression?

I don't know, we use 8.0.3 version

Known Workarounds

no

Configuration

No response

Other information

the c backtrace:

backtrace:
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20
    x0  b40000721a02ec18  x1  0  x2  716e6fae20  x3  716e6fad9c
    x4  716e6fad48  x5  b4000071d9d5caf0  x6  b4000071d9d269e8  x7  150000
    x8  b40000721a02ec00  x9  1  x10 0  x11 1
    x12 d  x13 b4c340  x14 b4c330  x15 b4000071d9d55310
    x16 71f3768a50  x17 71f36dbae0  x18 71526ce000  x19 b40000721a06c800
    x20 716e6fae20  x21 0  x22 7159b0cc00  x23 b40000721a02ec00
    x24 0  x25 0  x26 b4000071d9d553b0  x27 204000
    x28 716e6fc000  x29 716e6fadb0  lr  71f36caed8  sp  716e6fadb0
    pc  71f36cad98  pst 80001000

    #00 pc 000000000026dd98  /data/app/~~gMT592BO36bs-lquJCj79Q==/com.company.xxx-CUfrVWi9DEvhzM7E9W-VsQ==/lib/arm64/libmonosgen-2.0.so (mono_object_handle_isinst [src/mono/mono/metadata/object.c : 6878 + 0x0]) (BuildId: 42c8b61931986227e9bad5b46aa5cb7748fd9c9b)
    #01 pc 000000000026ded4  /data/app/~~gMT592BO36bs-lquJCj79Q==/com.company.xxx-CUfrVWi9DEvhzM7E9W-VsQ==/lib/arm64/libmonosgen-2.0.so (mono_object_isinst_checked [src/mono/mono/metadata/object.c : 6861 + 0x0]) (BuildId: 42c8b61931986227e9bad5b46aa5cb7748fd9c9b)
    #02 pc 0000000000242b50  /data/app/~~gMT592BO36bs-lquJCj79Q==/com.company.xxx-CUfrVWi9DEvhzM7E9W-VsQ==/lib/arm64/libmonosgen-2.0.so (mono_marshal_isinst_with_cache [src/mono/mono/metadata/marshal.c : 4356 + 0x0]) (BuildId: 42c8b61931986227e9bad5b46aa5cb7748fd9c9b)
    #03 pc 0000000000009f48  <anonymous:732d339000>

we also dump the c# stacktrace when crash:

=================================================================
	Managed Stacktrace:
=================================================================
	  at <unknown> <0xffffffff>
	  at System.Object:__icall_wrapper_mono_marshal_isinst_with_cache in System.Private.CoreLib.dll:token 0x0+0xffffffff
	  at System.Object:__castclass_with_cache in System.Private.CoreLib.dll:token 0x0+0x2d
	  at System.Dynamic.Utils.ExpressionUtils:ReturnObject in System.Linq.Expressions.dll:token 0x6001204+0x0
	  at System.Linq.Expressions.Expression2`1:GetParameter in System.Linq.Expressions.dll:token 0x600068a+0xf
	  at System.Linq.Expressions.LambdaExpression:System.Linq.Expressions.IParameterProvider.GetParameter in System.Linq.Expressions.dll:token 0x6000665+0x2
	  at <GetEnumerator>d__6:MoveNext in System.Linq.Expressions.dll:token 0x6000eea+0x45
	  at System.Linq.Expressions.Compiler.CompilerScope:.ctor in System.Linq.Expressions.dll:token 0x6000ea1+0x60
	  at System.Linq.Expressions.Compiler.VariableBinder:VisitLambda in System.Linq.Expressions.dll:token 0x600105d+0x14
	  at System.Linq.Expressions.Expression`1:Accept in System.Linq.Expressions.dll:token 0x6000677+0x2
	  at System.Linq.Expressions.ExpressionVisitor:Visit in System.Linq.Expressions.dll:token 0x60005d5+0x7
	  at System.Linq.Expressions.Compiler.VariableBinder:Visit in System.Linq.Expressions.dll:token 0x600105a+0x3c
	  at System.Linq.Expressions.Compiler.VariableBinder:Bind in System.Linq.Expressions.dll:token 0x6001058+0x8
	  at System.Linq.Expressions.Compiler.LambdaCompiler:AnalyzeLambda in System.Linq.Expressions.dll:token 0x6000f65+0xb
	  at System.Linq.Expressions.Compiler.LambdaCompiler:Compile in System.Linq.Expressions.dll:token 0x6000f64+0x8
	  at System.Linq.Expressions.Expression`1:Compile in System.Linq.Expressions.dll:token 0x6000672+0x8
	  at SpanJson.Formatters.RuntimeFormatter`2:BuildSerializeDelegate in SpanJson.dll:token 0x6000606+0xbc
	  at <>c:<Serialize>b__5_0 in SpanJson.dll:token 0x6000700+0x1
	  at System.Collections.Concurrent.ConcurrentDictionary`2:GetOrAdd in System.Collections.Concurrent.dll:token 0x60000c9+0x4a
	  at SpanJson.Formatters.RuntimeFormatter`2:Serialize in SpanJson.dll:token 0x6000605+0x34
	  at Inner`3:InnerSerializeToByteArray in SpanJson.dll:token 0x6000731+0x14
	  at SpanJson.Helpers.PreCreateSerializerHelper:SerializeObject in SpanJson.dll:token 0x6000200+0x7
	  at <>c__DisplayClass3_0:<PreCreateAsync>b__0 in SpanJson.dll:token 0x600068c+0x14
	  at System.Threading.Tasks.Task:InnerInvoke in System.Private.CoreLib.dll:token 0x6003f45+0x10
	  at <>c:<.cctor>b__281_0 in System.Private.CoreLib.dll:token 0x6003ff4+0x6
	  at System.Threading.ExecutionContext:RunFromThreadPoolDispatchLoop in System.Private.CoreLib.dll:token 0x6003a39+0x17
	  at System.Threading.Tasks.Task:ExecuteWithThreadLocal in System.Private.CoreLib.dll:token 0x6003f44+0xae
	  at System.Threading.Tasks.Task:ExecuteEntryUnsafe in System.Private.CoreLib.dll:token 0x6003f42+0x32
	  at System.Threading.Tasks.Task:ExecuteFromThreadPool in System.Private.CoreLib.dll:token 0x6003f41+0x2
	  at System.Threading.ThreadPoolWorkQueue:Dispatch in System.Private.CoreLib.dll:token 0x6003bb7+0x140
	  at WorkerThread:WorkerThreadStart in System.Private.CoreLib.dll:token 0x6003d46+0xa1
	  at System.Threading.Thread:StartCallback in System.Private.CoreLib.dll:token 0x60038f5+0xe
	  at System.Object:runtime_invoke_void__this__ in System.Private.CoreLib.dll:token 0x0+0x32

mabye the main thread is calling gc.collect

[dotnet-policy-service]

Tagging subscribers to this area: @cston
See info in area-owners.md if you want to be subscribed.

[srxqds]

@lambdageek can you help figure out this issuse?

[srxqds]

why the MonoClass* is nullptr, access the offset 0x20, when call __icall_wrapper_mono_marshal_isinst_with_cache?

runtime/src/mono/mono/mini/method-to-ir.c

Lines 9606 to 9624 in 797306f

	case MONO_CEE_ISINST: {
	--sp;
	klass = mini_get_class (method, token, generic_context);
	CHECK_TYPELOAD (klass);
	if (sp [0]->type != STACK_OBJ)
	UNVERIFIED;
	MONO_INST_NEW (cfg, ins, (il_op == MONO_CEE_ISINST) ? OP_ISINST : OP_CASTCLASS);
	ins->dreg = alloc_preg (cfg);
	ins->sreg1 = (*sp)->dreg;
	ins->klass = klass;
	ins->type = STACK_OBJ;
	MONO_ADD_INS (cfg->cbb, ins);
	CHECK_CFG_EXCEPTION;
	*sp++ = ins;
	cfg->flags |= MONO_CFG_HAS_TYPE_CHECK;
	break;

the CHECK_TYPELOAD will check the klass value.
this will be effected by gc?

[srxqds]

the crash code of main branch :

runtime/src/mono/mono/metadata/object.c

Line 6809 in 797306f

if (!m_class_is_inited (klass))

[srxqds]

the reason maybe the same with this issuse #109443

hope it can give you more clues to help analyze.

[dotnet-policy-service]

Tagging subscribers to 'arch-android': @vitek-karas, @simonrozsival, @steveisok, @akoeplinger
See info in area-owners.md if you want to be subscribed.

[srxqds]

hi, @steveisok this issue only rise on production game, not found in development.

it is happened many times, have a great bad impact on our project.

[kg]

This appears to occur on CI sometimes, see https://helixr18s23ayyeko0k025g8.blob.core.windows.net/dotnet-runtime-refs-pull-113095-merge-69d6ba870ecc462abc/Microsoft.Extensions.Configuration.Binder.SourceGeneration.Tests/1/console.4f47176f.log?helixlogtype=result (recurred at least twice for me)

[srxqds]

Hope the official can try to fix this bug.