[Mono-bugs] [Bug 668170] New: Invalid IL in dynamic method can crash in method-to-irc

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Sat Jan 29 17:56:31 EST 2011


https://bugzilla.novell.com/show_bug.cgi?id=668170

https://bugzilla.novell.com/show_bug.cgi?id=668170#c0


           Summary: Invalid IL in dynamic method can crash in
                    method-to-irc
    Classification: Mono
           Product: Mono: Runtime
           Version: SVN
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Minor
          Priority: P5 - None
         Component: JIT
        AssignedTo: lupus at novell.com
        ReportedBy: gnorton at novell.com
         QAContact: mono-bugs at lists.ximian.com
          Found By: ---
           Blocker: ---


Came across a dynamic method in the wild which runs on the ms-clr and crashes
our runtime:


using System;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections.Generic;

class T {
    public delegate void Getter (object that);

    static void Main (string [] args) {
        var pis = typeof (System.Type).GetProperty ("DefaultBinder",
            BindingFlags.Static | BindingFlags.Public);

        WrapGetProperty (pis);
    }

    static object WrapGetProperty (PropertyInfo prop) {
        DynamicMethod dm = new DynamicMethod ("dyn_getter", null,
            new Type[] { typeof (object) });
        MethodInfo info = prop.GetGetMethod ();

        var code = dm.GetILGenerator ();

        // Invalid IL: callvirt against a static getter, nothing pushed as 'this'
        code.Emit (OpCodes.Callvirt, info);

        code.Emit (OpCodes.Ret);

        // Delegate creation triggers the JIT compile that crashes
        return (Getter) dm.CreateDelegate (typeof (Getter), null);
    }
}

The issue is with the callvirt call, since the target is a non-virtual static.

Crash log is:


Program received signal SIGBUS, Bus error.
0x000120b3 in mono_type_to_regmove (cfg=0x89d000, type=0x0) at
method-to-ir.c:247
247        if (type->byref)
(gdb) bt
#0  0x000120b3 in mono_type_to_regmove (cfg=0x89d000, type=0x0) at
method-to-ir.c:247
#1  0x0003db34 in mono_method_to_ir (cfg=0x89d000, method=0x85b9a4,
start_bblock=0x8ae2a4, end_bblock=0x8ae354, return_var=0x8ae274,
dont_inline=0x534d40, inline_args=0x8ae264, inline_offset=0, is_virtual_call=1)
at method-to-ir.c:6024
#2  0x000385d4 in inline_method (cfg=0x89d000, cmethod=0x85b9a4, fsig=0x85b4a4,
sp=0x8ae264, ip=0x534760 "o\001", real_offset=0, dont_inline=0x534bd0,
inline_always=0) at method-to-ir.c:4912
#3  0x00047217 in mono_method_to_ir (cfg=0x89d000, method=0x535000,
start_bblock=0x8adf84, end_bblock=0x8ae034, return_var=0x0,
dont_inline=0x534bd0, inline_args=0x0, inline_offset=0, is_virtual_call=0) at
method-to-ir.c:6899
#4  0x0000bf43 in mini_method_compile (method=0x535000, opts=59861503,
domain=0x4aae00, run_cctors=1, compile_aot=0, parts=0) at mini.c:4411
#5  0x0000dc20 in mono_jit_compile_method_inner (method=0x535000,
target_domain=0x4aae00, opt=59861503, jit_ex=0xbffff2cc) at mini.c:5117
#6  0x0000e7b3 in mono_jit_compile_method_with_opt (method=0x535000,
opt=59861503, ex=0xbffff2cc) at mini.c:5340
#7  0x0000e93d in mono_jit_compile_method (method=0x535000) at mini.c:5365
#8  0x001e5803 in mono_compile_method (method=0x535000) at object.c:565
#9  0x00187102 in ves_icall_System_Delegate_CreateDelegate_internal
(type=0x4b1da0, target=0x0, info=0x715f50, throwOnBindFailure=1 '\001') at
icall.c:5867
#10 0x00777a92 in ?? ()
#11 0x0077689e in ?? ()
#12 0x007762db in ?? ()
#13 0x00775df3 in ?? ()
#14 0x0076b1e0 in ?? ()
#15 0x00700d0d in ?? ()
#16 0x00700da4 in ?? ()
#17 0x0000f305 in mono_jit_runtime_invoke (method=0x80041c, obj=0x0,
params=0xbffff5b8, exc=0x0) at mini.c:5703
#18 0x001ea54c in mono_runtime_invoke (method=0x80041c, obj=0x0,
params=0xbffff5b8, exc=0x0) at object.c:2730
#19 0x001ece58 in mono_runtime_exec_main (method=0x80041c, args=0x4b2e40,
exc=0x0) at object.c:3913
#20 0x001ec192 in mono_runtime_run_main (method=0x80041c, argc=0,
argv=0xbffff868, exc=0x0) at object.c:3535
#21 0x000a588f in mono_jit_exec (domain=0x4aae00, assembly=0x5178d0, argc=1,
argv=0xbffff864) at driver.c:944
#22 0x000a5ac6 in main_thread_handler (user_data=0xbffff700) at driver.c:1003
#23 0x000a7b8c in mono_main (argc=2, argv=0xbffff860) at driver.c:1848
#24 0x00002282 in mono_main_with_options (argc=2, argv=0xbffff860) at main.c:66
#25 0x000022e1 in main (argc=2, argv=0xbffff860) at main.c:97
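
The reproduction above emits callvirt unconditionally, although the DefaultBinder getter is static. As an added example (not part of the original report or of the Mono code base), this getter builder chooses the call opcode from the target method's metadata; GetterFactory, Create and Demo are hypothetical names.

```csharp
using System;
using System.Reflection;
using System.Reflection.Emit;

static class GetterFactory {
    public delegate object Getter (object that);

    // Builds a getter delegate for prop, selecting the opcode from the
    // method's metadata instead of always emitting callvirt.
    public static Getter Create (PropertyInfo prop) {
        if (prop == null)
            throw new ArgumentNullException ("prop");
        MethodInfo info = prop.GetGetMethod ();
        if (info == null)
            throw new ArgumentException ("property has no public getter");

        var dm = new DynamicMethod ("dyn_getter", typeof (object),
                                    new Type[] { typeof (object) });
        ILGenerator code = dm.GetILGenerator ();

        if (info.IsStatic) {
            // Static target: nothing is pushed as 'this', plain call.
            code.Emit (OpCodes.Call, info);
        } else {
            // Instance target: push the argument and convert it to the owner type.
            Type owner = info.DeclaringType;
            code.Emit (OpCodes.Ldarg_0);
            if (owner.IsValueType) {
                code.Emit (OpCodes.Unbox, owner);   // managed pointer as 'this'
                code.Emit (OpCodes.Call, info);
            } else {
                code.Emit (OpCodes.Castclass, owner);
                code.Emit (OpCodes.Callvirt, info); // null-checks 'this'
            }
        }
        // Box value-type results so the stack matches the object return type.
        if (info.ReturnType.IsValueType)
            code.Emit (OpCodes.Box, info.ReturnType);
        code.Emit (OpCodes.Ret);

        return (Getter) dm.CreateDelegate (typeof (Getter));
    }
}

class Demo {
    static void Main () {
        var pi = typeof (Type).GetProperty ("DefaultBinder",
            BindingFlags.Static | BindingFlags.Public);
        Console.WriteLine (GetterFactory.Create (pi) (null) != null);
    }
}
```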
