-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[mono][s390x] Wrong implementation of OP_CHECK_THIS #76915
Comments
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
* Only access a single byte in memory for OP_CHECK_THIS * Remove unnecessary ltgr instruction * Fixes #76915
I've opened the backport PR but as far as I know it's too late for 7.0 release so it'll have to wait for 7.0.1 servicing |
* Only access a single byte in memory for OP_CHECK_THIS * Remove unnecessary ltgr instruction * Fixes #76915
* Only access a single byte in memory for OP_CHECK_THIS * Remove unnecessary ltgr instruction * Fixes #76915 Co-authored-by: Ulrich Weigand <[email protected]>
As described here #75996 (comment) I've seen frequent crashes with rc1 on
s390x
(Mono-based big-endian platform) - these were all segmentation faults inSpanHelpers.IndexOfValueType
called from various different places, caused by accessing beyond the end of a page into an unmapped page.The symptom disappeared after the
SpanHelper
changes were reverted on Mono, so I initially thought it was somehow a problem in those changes. However, as it turns out, the real underlying problem is a Mono codegen bug ons390x
.The accesses that span the page boundary turn out to be emitted from the implementation of the
OP_CHECK_THIS
opcode. This is intended to perform a memory access, just to see if this triggers a segmentation fault if the incoming pointer was invalid. However, theOP_CHECK_THIS
implementation currently always emits an 8-byte memory access - potentially resulting in a false positive if the pointer was valid, but only to access less than 8 bytes.This should be fixed by changing
OP_CHECK_THIS
to only access a single byte. I'll submit a PR to that effect shortly.This should probably be backported to .NET 7 as well, even though ithe bug no longer triggers in the runtime itself - it could still be triggered by other code.
FYI @nealef @lambdageek @vargaz @akoeplinger
Also FYI @janani66 - you should look into that on ppc as well, just from code inspection the ppc code appears to have the same bug.
The text was updated successfully, but these errors were encountered: