[Mono-bugs] [Bug 334210] New: SIGSEGV in mono_method_get_imt_slot while running moonlight

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Tue Oct 16 06:22:03 EDT 2007 

https://bugzilla.novell.com/show_bug.cgi?id=334210

           Summary: SIGSEGV in mono_method_get_imt_slot while running
                    moonlight
           Product: Mono: Runtime
           Version: 1.2
          Platform: i586
        OS/Version: openSUSE 10.3
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: misc
        AssignedTo: mono-bugs at ximian.com
        ReportedBy: jbevain at novell.com
         QAContact: mono-bugs at ximian.com
          Found By: ---


To reproduce this, I do the following (note that it doesn't always work, so it
could be a memory corruption issue):

* I open a tab on the Chess port
* I open another tab
* I close the Chess one
* And I reopen the Chess port in a tab
* I close the tab

Here it happens.

Here's the gdb log that lupus made me produce:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb70116d0 (LWP 19135)]
mono_metadata_type_hash (t1=0x0) at metadata.c:3803
3803            hash |= t1->byref << 6; /* do not collide with t1->type values
*/
(gdb) bt
#0  mono_metadata_type_hash (t1=0x0) at metadata.c:3803
#1  0xb17f2ab5 in mono_method_get_imt_slot (method=0x9beb1b0) at object.c:972
#2  0xb17f2c7e in add_imt_builder_entry (imt_builder=0x0, method=0xab97260, 
    imt_collisions_bitmap=0xb0efe4d2, vtable_slot=35, slot_num=9)
    at object.c:1012
#3  0xb17f2dba in build_imt_slots (klass=0x9beaf00, vt=0xa7dd0c8, 
    domain=0x21a50, imt=0xa7dd07c, extra_interfaces=0x0, slot_num=9)
    at object.c:1163
#4  0xb17f30c7 in mono_vtable_build_imt_slot (vtable=0xa7dd0c8, imt_slot=9)
    at object.c:1287
#5  0xb17c40a1 in mono_convert_imt_slot_to_vtable_slot (slot=0xa7dd0a0, 
    regs=0xbfe0dfa4, code=0xb04e5d38 "\203?\f?(h0?f\001\203~\f", 
    method=0x9be7d30, impl_method=0xbfe0df54) at mini-trampolines.c:43
#6  0xb17c4547 in mono_magic_trampoline (regs=0xbfe0dfa4, 
    code=0xb04e5d38 "\203?\f?(h0?f\001\203~\f", m=0x9be7d30, tramp=0x0)
    at mini-trampolines.c:110
#7  0xb0f61066 in ?? ()
#8  0xbfe0dfa4 in ?? ()
#9  0xb04e5d38 in ?? ()
#10 0xffffffff in ?? ()
#11 0x00000000 in ?? ()

(gdb) p *(MonoMethod*)0x9beb1b0
$5 = {flags = 1478, iflags = 0, token = 100665501, klass = 0x9bea708, 
  signature = 0x987c4e0, generic_container = 0x0, 
  name = 0xb0efe4c6 "GetEnumerator", inline_info = 0, uses_this = 0, 
  wrapper_type = 0, string_ctor = 0, save_lmf = 0, dynamic = 0, 
  is_inflated = 1, skip_visibility = 0, slot = 0}

(gdb) p mono_pmip(0xb0f61066)
$6 = 0x0

(gdb) p mono_pmip(0xb0f61066)
$6 = 0x0
(gdb) p mono_pmip(0xbfe0dfa4)
$7 = 0x0
(gdb) p mono_pmip(0xb04e5d38)
$8 = 0xa7d0f78 " System.Windows.WebApplication:.ctor () + 0x1b0 (0xb04e5b88
0xb04e5db6) [0x21a50 - moonlight-171656352]"

(gdb) disas 0xb04e5d38 0xb04e5d38+5
Dump of assembler code from 0xb04e5d38 to 0xb04e5d3d:
0xb04e5d38:     add    $0xc,%esp
0xb04e5d3b:     jmp    0xb04e5d65
End of assembler dump.

(gdb) p *(MonoClass*)0x9bea708
$11 = {element_class = 0x9bea708, cast_class = 0x9bea708, 
  supertypes = 0x9b9a6a4, idepth = 1, rank = 0 '\0', instance_size = 8, 
  inited = 1, init_pending = 0, size_inited = 1, valuetype = 0, enumtype = 0, 
  blittable = 1, unicode = 0, wastypebuilder = 0, min_align = 1, 
  packing_size = 0, ghcimpl = 1, has_finalize = 0, marshalbyref = 0, 
  contextbound = 0, delegate = 0, gc_descr_inited = 0, has_cctor = 0, 
  has_references = 0, has_static_refs = 0, no_special_static_fields = 0, 
  is_com_object = 0, exception_type = 0 '\0', exception_data = 0x0, 
  parent = 0x0, nested_in = 0x0, nested_classes = 0x0, image = 0x98ae590, 
  name = 0xb0ef6330 "IEnumerable`1", 
  name_space = 0xb0ef6254 "System.Collections.Generic", enum_basetype = 0x0, 
  declsec_flags = 0, type_token = 33554638, vtable_size = 0, 
  interface_count = 1, interface_id = 424, max_interface_id = 424, 
  interface_offsets_count = 2, interfaces_packed = 0x9b9a6bc, 
  interface_offsets_packed = 0x9b9a6c4, interface_bitmap = 0x9b9a6cc "\200", 
  interfaces = 0x9bea6e0, sizes = {class_size = 0, element_size = 0}, 
  flags = 161, field = {first = 725, count = 0}, method = {first = 2204, 
    count = 1}, property = {first = 0, count = 0}, event = {first = 0, 
    count = 0}, marshal_info = 0x0, fields = 0x0, properties = 0x0, 
  events = 0x0, methods = 0x9bea6d0, this_arg = {data = {klass = 0x9bea6f0, 
      type = 0x9bea6f0, array = 0x9bea6f0, method = 0x9bea6f0, 
      generic_param = 0x9bea6f0, generic_class = 0x9bea6f0}, attrs = 0, 
    type = 21, num_mods = 0, byref = 1, pinned = 0, modifiers = 0x9bea7ac}, 
---Type <return> to continue, or q <return> to quit---
  byval_arg = {data = {klass = 0x9bea6f0, type = 0x9bea6f0, array = 0x9bea6f0, 
      method = 0x9bea6f0, generic_param = 0x9bea6f0, 
      generic_class = 0x9bea6f0}, attrs = 0, type = 21, num_mods = 0, 
    byref = 0, pinned = 0, modifiers = 0x9bea7b4}, generic_class = 0x9bea6f0, 
  generic_container = 0x0, reflection_info = 0x0, gc_descr = 0x0, 
  runtime_info = 0x0, next_class_cache = 0x0, vtable = 0x0}


(gdb) p *(*(MonoMethod*)0x9beb1b0)->signature
$13 = {hasthis = 0, explicit_this = 0, call_convention = 0, pinvoke = 0, 
  ref_count = 0, param_count = 0, sentinelpos = 0, 
  generic_param_count = 176868048, is_inflated = 0, has_type_parameters = 0, 
  ret = 0x0, params = 0x987c4f0}

(gdb) disas 0xb04e5d38-16 0xb04e5d38+5
Dump of assembler code from 0xb04e5d28 to 0xb04e5d3d:
0xb04e5d28:     inc    %ebp
0xb04e5d29:     or     %cl,-0x74aff7c0(%ebx)
0xb04e5d2f:     add    %bh,0x9be7d30(%edx)
0xb04e5d35:     call   *-0x28(%eax)
0xb04e5d38:     add    $0xc,%esp
0xb04e5d3b:     jmp    0xb04e5d65
End of assembler dump.

(gdb) disas 0xb04e5d26 0xb04e5d38+5
Dump of assembler code from 0xb04e5d26 to 0xb04e5d3d:
0xb04e5d26:     xor    %cl,0x408b0845(%ebx)
0xb04e5d2c:     or     %dl,-0x75(%eax)
0xb04e5d2f:     add    %bh,0x9be7d30(%edx)
0xb04e5d35:     call   *-0x28(%eax)
0xb04e5d38:     add    $0xc,%esp
0xb04e5d3b:     jmp    0xb04e5d65
End of assembler dump.

(gdb) disas 0xb04e5d27 0xb04e5d38+5
Dump of assembler code from 0xb04e5d27 to 0xb04e5d3d:
0xb04e5d27:     mov    0x8(%ebp),%eax
0xb04e5d2a:     mov    0x8(%eax),%eax
0xb04e5d2d:     push   %eax
0xb04e5d2e:     mov    (%eax),%eax
0xb04e5d30:     mov    $0x9be7d30,%edx
0xb04e5d35:     call   *-0x28(%eax)
0xb04e5d38:     add    $0xc,%esp
0xb04e5d3b:     jmp    0xb04e5d65
End of assembler dump.


-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.

More information about the mono-bugs mailing list