[Mono-bugs] [Bug 601982] New: SIGSEGV in mono_compile_create_var / mono_type_is_long

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Mon May 3 08:51:51 EDT 2010 

http://bugzilla.novell.com/show_bug.cgi?id=601982

http://bugzilla.novell.com/show_bug.cgi?id=601982#c0


           Summary: SIGSEGV in mono_compile_create_var / mono_type_is_long
    Classification: Mono
           Product: Mono: Runtime
           Version: SVN
          Platform: x86-64
        OS/Version: openSUSE 11.2
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: JIT
        AssignedTo: rkumpera at novell.com
        ReportedBy: spouliot at novell.com
         QAContact: mono-bugs at lists.ximian.com
          Found By: ---
           Blocker: ---


Created an attachment (id=358656)
 --> (http://bugzilla.novell.com/attachment.cgi?id=358656)
assembly that cause the sigsegv

gdb --args mono --security=core-clr --compile-all
bin/System.Xml.sigabrt.8429.dll

..

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff62c5910 (LWP 14487)]
0x0000000000419daa in mono_compile_create_var (cfg=0xd8e010, type=0xbf9120,
opcode=326) at mini.c:1033
1033        if (mono_type_is_long (type))
(gdb) p type
$1 = (MonoType *) 0xbf9120
(gdb) p *type
$2 = {data = {klass = "System.Xml.XmlTokenizedType", type = 0xbf9058, array =
0xbf9058, method = 0xbf9058, generic_param = 0xbf9058, generic_class = 
    0xbf9058}, attrs = 0, type = MONO_TYPE_VALUETYPE, num_mods = 0, byref = 0,
pinned = 0, modifiers = 0xbf912c}
(gdb) bt
#0  0x0000000000419daa in mono_compile_create_var (cfg=0xd8e010, type=0xbf9120,
opcode=326) at mini.c:1033
#1  0x000000000041e3c1 in mono_compile_create_vars (cfg=0xd8e010) at
mini.c:2973
#2  0x00000000004218db in mini_method_compile
(method="System.Xml.XmlSchemaDatatype:get_TokenizedType ()", opts=51472895,
domain=0x7ffff7e7dd48, run_cctors=
    0, compile_aot=0, parts=0) at mini.c:4040
#3  0x00000000004ac6ca in compile_all_methods_thread_main (args=0x7fffffffdbb0)
at driver.c:879
#4  0x000000000063db1c in start_wrapper (data=0xabd780) at threads.c:747
#5  0x000000000066db83 in thread_start_routine (args=0xa9f968) at
wthreads.c:285
#6  0x000000000069ff7d in GC_start_routine (arg=0x7ffff7e2afc0) at
pthread_support.c:1390
#7  0x00007ffff709c65d in start_thread (arg=<value optimized out>) at
pthread_create.c:297
#8  0x00007ffff6e0be1d in clone () from /lib64/libc.so.6
#9  0x0000000000000000 in ?? ()

The issue is that mono_type_get_underlying_type can return NULL and the macro
does not check for a NULL value.

#define mono_type_is_long(type) (!(type)->byref &&
((mono_type_get_underlying_type (type)->type == MONO_TYPE_I8) ||
(mono_type_get_underlying_type (type)->type == MONO_TYPE_U8)))

(gdb) p mono_type_get_underlying_type (type)
$3 = (MonoType *) 0x0

This either needs to be detected earlier (verifier) or the macro needs to deal
with the NULL value.

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the mono-bugs mailing list