JIT bug / GC relocating pinned arrays

[rgr21]

The code below I believe should be stable and run forever, but in practice crashes with AccessViolationException very quickly when built with VS15.5 and running with anything up to and including 4.7.2 preview.
VS 15.4 and earlier generate different IL which doesn't trigger the crash.

I believe that dotnet/roslyn#20548 was the change in Roslyn that introduced the different IL. If my understanding is correct, the new IL is still "correct", but sadly doesn't work in the real world.

Believe the bug is outstanding in dotnet core 2.0.6 and 2.1.0-preview1. (I had hopes that https://github.com/dotnet/coreclr/pull/15706/files might resolve, but that is in 2.1.0-preview).

The test case below is obviously artificial, but switch out the NativeMethod(double*) for any PInvoke call to a maths library, and it becomes a bit of a disaster for me.

<useLegacyJit enabled="1" /> appears to mitigate the issue.

Old/good IL:

.method private hidebysig static float64 
          UnsafeMethod_UsingFixed(int32 n,
                                  float64[] a) cil managed
  {
    // Code size       36 (0x24)
    .maxstack  2
    .locals init ([0] float64& pinned pa,
             [1] float64[] V_1)​

New/bad IL:

.method private hidebysig static float64 
          UnsafeMethod_UsingFixed(int32 n,
                                  float64[] a) cil managed
  {
    // Code size       35 (0x23)
    .maxstack  2
    .locals init ([0] float64* pa,
             [1] float64[] pinned V_1)​

Minimal repro case

using System.Collections.Generic;
using System.Threading.Tasks;

namespace RyuJitFixedBug
{
    class Program
    {
        static void Main(string[] args)
        {
            Task.Run(() => WasteMemory());

            while (true)
            {
                var n = 8000;
                var a = new double[n];
                UnsafeMethod_UsingFixed(n, a);
            }
        }

        private static void WasteMemory()
        {
            int allocated = 0;
            var list = new List<byte[]>();
            while (true)
            {
                var b = new byte[80000];
                allocated += b.Length;
                list.Add(b);
                if (allocated >= 100_000_000)
                {
                    allocated = 0;
                    list.Clear();
                }
            }
        }

        private static unsafe double UnsafeMethod_UsingFixed(int n, double[] a)
        {
            double info;
            fixed (double* pa = a) // Fix the array - shouldn't be able to relocate now
            {
                info = NativeMethod(n, pa);
            }
            return info;
        }

        private static unsafe double NativeMethod(long n, double* a) // Pretend this is actually a call to a native library, MKL say. This is the real usecase.
        {
            var s = 0d;
            for (long i = 0; i < n; ++i)
            {
                s += a[i]; // Will segv if array has relocated (Or might just give random numbers. Depends what has been done with the memory we were pointing at?).
            }
            return s;
        }
    }
}

[benaadams]

/cc @Maoni0

[Maoni0]

@RussKeldorph

[AndyAyersMS]

This looks exactly like the bug that dotnet/coreclr#15706 was intended to fix -- the jit is nulling out a pinning slot before the call.

00007ff9`946b05d2 488b542420      mov     rdx,qword ptr [rsp+20h]
00007ff9`946b05d7 4883c210        add     rdx,10h
00007ff9`946b05db 33c0            xor     eax,eax
00007ff9`946b05dd 4889442420      mov     qword ptr [rsp+20h],rax
00007ff9`946b05e2 4863c9          movsxd  rcx,ecx
00007ff9`946b05e5 e8a6faffff      call    RyuJitFixedBug.Program.NativeMethod(Int64, Double*) (00007ff9`946b0090)
>>> 00007ff9`946b05ea 90              nop

with gc info:

entry point 00007ff9946b05a0
Normal JIT generated code
GC info 00007ff9946f1630
Pointer table:
Prolog size: 0
Security object: <none>
GS cookie: <none>
PSPSym: <none>
Generics inst context: <none>
PSP slot: <none>
GenericInst slot: <none>
Varargs: 0
Frame pointer: <none>
Wants Report Only Leaf: 0
Size of parameter area: 0
Return Kind: Scalar
Code size: 56
Untracked: +sp+20(pinned)
00000049 is a safepoint: 
00000054 is a safepoint: 

I can't get the example to fail with current master.

[AndyAyersMS]

Current jit codegen unpins after the call, jit dump shows new logic is kicking in.

       4883C210             add      rdx, 16

G_M59951_IG05:
       4863C9               movsxd   rcx, ecx
       E85DFAFFFF           call     RyuJitFixedBug.Program:NativeMethod(long,long):double
       33C0                 xor      rax, rax
       4889442420           mov      gword ptr [rsp+20H], rax

So am puzzled how this still repros in a 2.1 preview 1. Are you sure you see it there?

I will have to see where else we ported this fix to see what expected behavior is in desktop and 2.0.x.

[AndyAyersMS]

Looks like the fix will be in 2.0.7. I had intended to get it into 2.0.6 but that didn't happen.

@briansull do you know if this fix is in 4.7.2?

[briansull]

No it wasn't fixed when we forked for 4.7.2 in September.

[AndyAyersMS]

@rgr21 thanks for reporting this.

Can you confirm you can reproduce in a 2.1 preview 1? I'll try and do the same. If you can repro, please send us the detailed version info.

I recall there were some fairly simple low-impact workarounds. Let me know if those would interest you and I'll go dig up the details.

[rgr21]

I've left the office now, but will still have the VM I ran 2.1 preview 1 test in to confirm tomorrow morning (UK). It reproduced quickly and easily with that code, so if you think that patch should have fixed it and are struggling to reproduce then you are probably right and I ran a test wrong today.
I'm most interesting in 4.7.x to be honest. If there are workarounds there I would be very interested please. Amusingly - or otherwise - compiler upgrade that triggered this for me was primarily driven by dotnetcore porting work, we are still at early stages there.

[AndyAyersMS]

Something like the following should work. Note Workaround gets inlined and so has no perf impact whatsoever. Its main purpose is to make the jit think that there is a potential side effect after the call; this blocks the inadvertent reordering of the call and the unpin.

You will need something like this whenever a fixed block ends in a call and the return value from that call is directly set up as the return value from the method.

        private static unsafe void Workaround(double* a)
        {
        }

        private static unsafe double UnsafeMethod_UsingFixed(int n, double[] a)
        {
            double info;
            fixed (double* pa = a) // Fix the array - shouldn't be able to relocate now
            {
                info = NativeMethod(n, pa);
                Workaround(pa);
            }
            return info;
        }

[AndyAyersMS]

The bug is fixed in the "official" 2.1 preview 1, which is 2.1.0-preview1-26216-03.

Pre-release versions of this preview (eg nightly builds) may also report as 2.1.0-preview1 but will have smaller build numbers. For instance I had 2.1.0-preview1-25915-01 on one of my machines and it still had the bug.

[rgr21]

dotnet --version
2.1.300-preview1-008174

Fails the test (from https://download.microsoft.com/download/D/7/8/D788D3CD-44C4-487D-829B-413E914FB1C3/dotnet-sdk-2.1.300-preview1-008174-win-x64.exe)

However
https://download.microsoft.com/download/A/B/1/AB1AA972-8F2F-43AD-9A81-72E9245CB0F5/dotnet-runtime-2.1.0-preview1-26216-03-win-x64.exe
seems to work. Both are from the page you linked, so something not entirely consistent there. (I don't understand the relationship / version numbers here to be honest).

Your workaround should do me - thanks. If this can get into 4.7.2 somehow that would be excellent - it can be pretty high impact and took a fair while to troubleshoot.

[GPSnoopy]

I would be interested in having this fix backported into .NET 4.7.2 as well.

Otherwise it means I cannot trust any of the unsafe calls to native DLLs involving pinning. Looking at the example above, reproducing the issue requires the GC to move the supposedly pinned array concurrently to being used in unsafe code. This implies chasing a weird race condition in production. Not ideal :-\

[AndyAyersMS]

@rgr21 can you run dotnet --list-runtimes and see what runtime versions you have installed?

[poizan42]

@GPSnoopy This is far worse than random crashes - JIT bugs tends to be that. Consider e.g. https://referencesource.microsoft.com/#System/net/System/Net/Sockets/Socket.cs,1778 - what happens if the buffer gets relocated before another packet is received? Yeah, the client gets to write to some other memory, probably still on the managed heap. Likely to be exploitable in some software out there.

I think you can be pretty sure that its going to be fixed in .NET 4.7.2 before release.

[rgr21]

Annnd I've worked out how to configure which runtime gets used. Sorry, my mistake. You are correct, preview is good in all situations. (Hadn't quite clocked that multiple runtimes were installed side by side, and that runtimeconfig.json was letting it use anything from 2.0.x but not 2.1.x. I am new to dotnet core).