Mvc: MVC app crashes in release but not in debug
Problem
An MVC application crashes in release mode (but not in debug mode) given the following conditions:
- The app is run in release mode
- The view has a model, but no model is passed to the
ViewResult - The view model has a property that is a
readonly struct - The
readonly structproperty is used in aninputtag-helper
I'm not quite sure what I'm looking at here, but the exception seems to occur outside of the normal request pipeline and does not seem to be catchable from within the MVC app. Naively, it looks like the .NET Core runtime itself is crashing over some reflection calls made when the input tag helper is executed.
Repro
I've put together a small repro here: https://github.com/austindrenski/mvc_view_model_bug
dotnet run -c Releasehttp://localhost:5000/Example/Indexecho $LASTEXITCODE
PS mvc_view_model_bug> dotnet run -c Release
Hosting environment: Production
Content root path: mvc_view_model_bug\bin\Release\netcoreapp2.1\
Now listening on: http://localhost:5000
Now listening on: https://localhost:5001
Application started. Press Ctrl+C to shut down.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET http://localhost:5000/Example/Index
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Route matched with {action = "Index", controller = "Example"}. Executing action mvc_view_model_bug.ExampleController.Index (mvc_view_model_bug)
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Executing action method mvc_view_model_bug.ExampleController.Index (mvc_view_model_bug) - Validation state: Valid
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action method mvc_view_model_bug.ExampleController.Index (mvc_view_model_bug), returned result Microsoft.AspNetCore.Mvc.ViewResult in 0.3802ms.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.ViewResultExecutor[1]
Executing ViewResult, running view Index.cshtml.
PS mvc_view_model_bug> echo $LASTEXITCODE
-1073741819
Version
__OS:__ Windows 10.0.17134.0
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<LangVersion>latest</LangVersion>
<OutputType>exe</OutputType>
<TargetFramework>netcoreapp2.1</TargetFramework>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.App" Version="2.1.5" />
</ItemGroup>
</Project>
austindrenski
All 23 comments
I tried to replicate this, and got the error "Segmentation fault" which is bad news.
It means that the process is trying to access a memory that is not allocated for it!
obayit
on 9 Oct 2018
I was able to make it work by adding the model when calling View() in the controller:
public IActionResult Index() => View("Index.cshtml", new ExampleModel());
this is probably happening because the model is null when the view is trying to access it!
obayit
on 9 Oct 2018
@obayit Yes, that fixes it in my real-world case too. But this is not a requirement of models without a readonly struct property or models not used in the input tag helper.
Out of curiosity, how did you identify the segfault?
austindrenski
on 9 Oct 2018
It was there in the output:
Edit: I use bash terminal from git
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action method mvc_view_model_bug.ExampleController.Index (mvc_view_model_bug), returned result Microsoft.AspNetCore.Mvc.ViewResult in 0.414ms.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.ViewResultExecutor[1]
Executing ViewResult, running view Index.cshtml.
Segmentation fault
Also another solution fixed it for me. In the view use this:
<input asp-for="@model.ExampleProperty"/>
I am trying to dig on the InputTagHelper code to find the cause of this
obayit
on 9 Oct 2018
Interesting. That doesn't appear when run from the donet CLI (at least not on my side).
austindrenski
on 9 Oct 2018
Also, it doesn't happen with thelabel tag helper:
<label asp-for="ExampleProperty"></label>
This narrow things.
Using visual studio debugging might give some clue, I am at it but it is loading slowly, probably because of my internet connection. But this will allow us to know the exact line causing the issue.
Edit: Using visual studio debugging is not very helpful, because it is showing assembly code!
obayit
on 9 Oct 2018
Thanks for getting to the bottom of this, folks.
@NTaylorMullen, can you please look at this and see whether there is something to improve on our end? Thanks!
mkArtakMSFT
on 9 Oct 2018
Is this is an app crash, the CLR needs to look at it as well. We expect all of the code running in a view to throw exceptions if it has a problem, not crash the process.
rynowak
on 9 Oct 2018
I'm not seeing this crash the process or seg fault. As for the exit code; i'm investigating why that's the case.
NTaylorMullen
on 10 Oct 2018
@NTaylorMullen Are you running it in release _without_ a debugger attached?
austindrenski
on 10 Oct 2018
@NTaylorMullen Are you running it in release _without_ a debugger attached?
Yes
NTaylorMullen
on 10 Oct 2018
I'm a bit out of my depth with this, but here's what I can see when attaching from WinDbg:
(34b0.e18): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Unable to read dynamic function table entries
Unable to read dynamic function table entries
coreclr!JIT_ByRefWriteBarrier:
00007ff9`e11def80 488b0e mov rcx,qword ptr [rsi] ds:00000000`00000008=????????????????
Unable to read dynamic function table entries
Unable to read dynamic function table entries
Unable to read dynamic function table entries
Unable to read dynamic function table entries
0:015> !analyze -v
Unable to read dynamic function table entries
Unable to read dynamic function table entries
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for C:\Users\adren\rider\mvc_view_model_bug\bin\release\netcoreapp2.1\win10-x64\mvc_view_model_bug.exe
Failed to request MethodData, not in JIT code range
MethodDesc: 00007ff98224d148
Method Name: Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ExpressionMetadataProvider+<>c__DisplayClass0_0`2[[System.__Canon, System.Private.CoreLib],[Microsoft.Extensions.Primitives.StringValues, Microsoft.Extensions.Primitives]].<FromLambdaExpression>b__0(System.Object)
Class: 00007ff9822588f0
MethodTable: 00007ff98224d168
mdToken: 00000000060006f0
Module: 00007ff9818e4a58
IsJitted: yes
Current CodeAddr: 00007ff982269390
Code Version History:
CodeAddr: 00007ff982269390 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff9821d3240
Method Name: Microsoft.AspNetCore.Mvc.ViewFeatures.ModelExplorer.get_Model()
Class: 00007ff9821c9cc0
MethodTable: 00007ff9821d3338
mdToken: 000000000600041f
Module: 00007ff9818e4a58
IsJitted: yes
Current CodeAddr: 00007ff9820c7440
Code Version History:
CodeAddr: 00007ff9820c7440 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff9821d3250
Method Name: Microsoft.AspNetCore.Mvc.ViewFeatures.ModelExplorer.get_ModelType()
Class: 00007ff9821c9cc0
MethodTable: 00007ff9821d3338
mdToken: 0000000006000420
Module: 00007ff9818e4a58
IsJitted: yes
Current CodeAddr: 00007ff982269300
Code Version History:
CodeAddr: 00007ff982269300 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff981fb8530
Method Name: Microsoft.AspNetCore.Mvc.TagHelpers.InputTagHelper+<GetInputTypeHints>d__41.MoveNext()
Class: 00007ff981faac20
MethodTable: 00007ff981fb85e8
mdToken: 00000000060001ec
Module: 00007ff9818e8228
IsJitted: yes
Current CodeAddr: 00007ff982268fb0
Code Version History:
CodeAddr: 00007ff982268fb0 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff981a231f0
Method Name: Microsoft.AspNetCore.Mvc.TagHelpers.InputTagHelper.GetInputType(Microsoft.AspNetCore.Mvc.ViewFeatures.ModelExplorer, System.String ByRef)
Class: 00007ff981a1b130
MethodTable: 00007ff981a23280
mdToken: 000000000600009e
Module: 00007ff9818e8228
IsJitted: yes
Current CodeAddr: 00007ff982268d30
Code Version History:
CodeAddr: 00007ff982268d30 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff981a231e8
Method Name: Microsoft.AspNetCore.Mvc.TagHelpers.InputTagHelper.Process(Microsoft.AspNetCore.Razor.TagHelpers.TagHelperContext, Microsoft.AspNetCore.Razor.TagHelpers.TagHelperOutput)
Class: 00007ff981a1b130
MethodTable: 00007ff981a23280
mdToken: 000000000600009d
Module: 00007ff9818e8228
IsJitted: yes
Current CodeAddr: 00007ff982268870
Code Version History:
CodeAddr: 00007ff982268870 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff981a22f88
Method Name: Microsoft.AspNetCore.Razor.TagHelpers.TagHelper.ProcessAsync(Microsoft.AspNetCore.Razor.TagHelpers.TagHelperContext, Microsoft.AspNetCore.Razor.TagHelpers.TagHelperOutput)
Class: 00007ff981a1b0a8
MethodTable: 00007ff981a22f98
mdToken: 0000000006000043
Module: 00007ff9818e6928
IsJitted: yes
Current CodeAddr: 00007ff9820ea620
Code Version History:
CodeAddr: 00007ff9820ea620 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff98221b4a8
Method Name: Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperRunner+<RunAsync>d__0.MoveNext()
Class: 00007ff98220f9f0
MethodTable: 00007ff98221b538
mdToken: 0000000006000072
Module: 00007ff9818155a8
IsJitted: yes
Current CodeAddr: 00007ff9820e53c0
Code Version History:
CodeAddr: 00007ff9820e53c0 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff982235a18
Method Name: System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperRunner+<RunAsync>d__0, Microsoft.AspNetCore.Razor.Runtime]](<RunAsync>d__0 ByRef)
Class: 00007ff9cdf234b8
MethodTable: 00007ff9ce85b950
mdToken: 0000000006004fa4
Module: 00007ff9cde21000
IsJitted: yes
Current CodeAddr: 00007ff9820e5270
Code Version History:
CodeAddr: 00007ff9820e5270 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff9821f55d8
Method Name: Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperRunner.RunAsync(Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperExecutionContext)
Class: 00007ff9821ea078
MethodTable: 00007ff9821f5600
mdToken: 0000000006000016
Module: 00007ff9818155a8
IsJitted: yes
Current CodeAddr: 00007ff9820e5200
Code Version History:
CodeAddr: 00007ff9820e5200 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff98224b178
Method Name: AspNetCore.Index+<<ExecuteAsync>b__13_2>d.MoveNext()
Class: 00007ff9822571c0
MethodTable: 00007ff98224b208
mdToken: 0000000006000019
Module: 00007ff9819c30b8
IsJitted: yes
Current CodeAddr: 00007ff982266ff0
Code Version History:
CodeAddr: 00007ff982266ff0 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff98224b330
Method Name: System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[AspNetCore.Index+<<ExecuteAsync>b__13_2>d, mvc_view_model_bug.Views]](<<ExecuteAsync>b__13_2>d ByRef)
Class: 00007ff9cdf234b8
MethodTable: 00007ff9ce85b950
mdToken: 0000000006004fa4
Module: 00007ff9cde21000
IsJitted: yes
Current CodeAddr: 00007ff982266ea0
Code Version History:
CodeAddr: 00007ff982266ea0 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff982149910
Method Name: AspNetCore.Index.<ExecuteAsync>b__13_2()
Class: 00007ff98211ca50
MethodTable: 00007ff982149988
mdToken: 0000000006000011
Module: 00007ff9819c30b8
IsJitted: yes
Current CodeAddr: 00007ff982266e30
Code Version History:
CodeAddr: 00007ff982266e30 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff98224acb0
Method Name: Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperExecutionContext+<GetChildContentAsync>d__31.MoveNext()
Class: 00007ff982256c60
MethodTable: 00007ff98224ad40
mdToken: 0000000006000070
Module: 00007ff9818155a8
IsJitted: yes
Current CodeAddr: 00007ff982266b80
Code Version History:
CodeAddr: 00007ff982266b80 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff98224afc8
Method Name: System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperExecutionContext+<GetChildContentAsync>d__31, Microsoft.AspNetCore.Razor.Runtime]](<GetChildContentAsync>d__31 ByRef)
Class: 00007ff9cdf234b8
MethodTable: 00007ff9ce85b950
mdToken: 0000000006004fa4
Module: 00007ff9cde21000
IsJitted: yes
Current CodeAddr: 00007ff982266a30
Code Version History:
CodeAddr: 00007ff982266a30 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff981fbbc38
Method Name: Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperExecutionContext.GetChildContentAsync(Boolean, System.Text.Encodings.Web.HtmlEncoder)
Class: 00007ff981fac3f0
MethodTable: 00007ff981fbbc60
mdToken: 0000000006000015
Module: 00007ff9818155a8
IsJitted: yes
Current CodeAddr: 00007ff9822669a0
Code Version History:
CodeAddr: 00007ff9822669a0 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff981fb90e0
Method Name: Microsoft.AspNetCore.Mvc.TagHelpers.RenderAtEndOfFormTagHelper+<ProcessAsync>d__7.MoveNext()
Class: 00007ff981faafb8
MethodTable: 00007ff981fb9170
mdToken: 00000000060001fe
Module: 00007ff9818e8228
IsJitted: yes
Current CodeAddr: 00007ff9822661c0
Code Version History:
CodeAddr: 00007ff9822661c0 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff98224a160
Method Name: System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.AspNetCore.Mvc.TagHelpers.RenderAtEndOfFormTagHelper+<ProcessAsync>d__7, Microsoft.AspNetCore.Mvc.TagHelpers]](<ProcessAsync>d__7 ByRef)
Class: 00007ff9cdf234b8
MethodTable: 00007ff9ce85b950
mdToken: 0000000006004fa4
Module: 00007ff9cde21000
IsJitted: yes
Current CodeAddr: 00007ff982266070
Code Version History:
CodeAddr: 00007ff982266070 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff981fb4520
Method Name: Microsoft.AspNetCore.Mvc.TagHelpers.RenderAtEndOfFormTagHelper.ProcessAsync(Microsoft.AspNetCore.Razor.TagHelpers.TagHelperContext, Microsoft.AspNetCore.Razor.TagHelpers.TagHelperOutput)
Class: 00007ff981fa6d58
MethodTable: 00007ff981fb4548
mdToken: 000000000600010c
Module: 00007ff9818e8228
IsJitted: yes
Current CodeAddr: 00007ff982265ff0
Code Version History:
CodeAddr: 00007ff982265ff0 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff98221b4a8
Method Name: Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperRunner+<RunAsync>d__0.MoveNext()
Class: 00007ff98220f9f0
MethodTable: 00007ff98221b538
mdToken: 0000000006000072
Module: 00007ff9818155a8
IsJitted: yes
Current CodeAddr: 00007ff9820e53c0
Code Version History:
CodeAddr: 00007ff9820e53c0 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff982235a18
Method Name: System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperRunner+<RunAsync>d__0, Microsoft.AspNetCore.Razor.Runtime]](<RunAsync>d__0 ByRef)
Class: 00007ff9cdf234b8
MethodTable: 00007ff9ce85b950
mdToken: 0000000006004fa4
Module: 00007ff9cde21000
IsJitted: yes
Current CodeAddr: 00007ff9820e5270
Code Version History:
CodeAddr: 00007ff9820e5270 (Non-Tiered)
NativeCodeVersion: 0000000000000000
MethodDesc: 00007ff9821f55d8
Method Name: Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperRunner.RunAsync(Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperExecutionContext)
Class: 00007ff9821ea078
MethodTable: 00007ff9821f5600
mdToken: 0000000006000016
Module: 00007ff9818155a8
IsJitted: yes
Current CodeAddr: 00007ff9820e5200
Code Version History:
CodeAddr: 00007ff9820e5200 (Non-Tiered)
NativeCodeVersion: 0000000000000000
KEY_VALUES_STRING: 1
Key : Timeline.OS.Boot.DeltaSec
Value: 426929
Key : Timeline.Process.Start.DeltaSec
Value: 31
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2018-10-10T01:53:45.276Z
Diff: 9723 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2018-10-10T01:53:55.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2018-10-10T01:53:24.0Z
Diff: 31000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2018-10-05T03:18:26.0Z
Diff: 426929000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
coreclr!JIT_ByRefWriteBarrier+0 [E:\A\_work\36\s\src\vm\amd64\JitHelpers_Fast.asm @ 600]
00007ff9`e11def80 488b0e mov rcx,qword ptr [rsi]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ff9e11def80 (coreclr!JIT_ByRefWriteBarrier)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008
FAULTING_THREAD: 00000e18
DEFAULT_BUCKET_ID: MEMORY_CORRUPTION_LARGE
PROCESS_NAME: mvc_view_model_bug.exe
FOLLOWUP_IP:
coreclr!JIT_ByRefWriteBarrier+0 [E:\A\_work\36\s\src\vm\amd64\JitHelpers_Fast.asm @ 600]
00007ff9`e11def80 488b0e mov rcx,qword ptr [rsi]
READ_ADDRESS: 0000000000000008
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000008
WATSON_BKT_PROCSTAMP: 5ba1bb46
WATSON_BKT_MODULE: coreclr.dll
WATSON_BKT_MODSTAMP: 5ba198ed
WATSON_BKT_MODOFFSET: 15ef80
WATSON_BKT_MODVER: 4.6.26919.2
MODULE_VER_PRODUCT: Microsoft庐 .NET Core
BUILD_VERSION_STRING: 17134.1.amd64fre.rs4_release.180410-1804
MODLIST_WITH_TSCHKSUM_HASH: c4aaf8026adf33d81f0bab585f1e1fa9b9231620
MODLIST_SHA1_HASH: fcf28d8404ced7ac8a5c7d75f88cb4a74a3130e0
NTGLOBALFLAG: 0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
CHKIMG_EXTENSION: !chkimg -lo 50 -d !coreclr
7ff9e11deee3-7ff9e11deee6 4 bytes - coreclr!JIT_WriteBarrier+3
[ 48 8b c1 49:0f 1f 00 48 ]
7ff9e11deee8-7ff9e11deeef 8 bytes - coreclr!JIT_WriteBarrier+8 (+0x05)
[ f0 f0 f0 f0 f0 f0 f0 f0:80 b5 ae 3f d9 01 00 00 ]
7ff9e11deef2-7ff9e11def00 15 bytes - coreclr!JIT_WriteBarrier+12 (+0x0a)
[ e8 0c 66 90 49 b9 f0 f0:e9 0b 80 3c 01 ff 75 02 ]
7ff9e1505d58-7ff9e1505d5d 6 bytes - coreclr!s_gsCookie
[ 00 00 00 00 00 00:64 77 f8 c5 35 aa ]
33 errors : !coreclr (7ff9e11deee3-7ff9e1505d5d)
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: AUSTIN-SP4
ANALYSIS_SESSION_TIME: 10-09-2018 21:53:45.0276
ANALYSIS_VERSION: 10.0.18239.1000 amd64fre
MANAGED_CODE: 1
MANAGED_ENGINE_MODULE: coreclr
MANAGED_ANALYSIS_PROVIDER: SOS
THREAD_ATTRIBUTES:
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
OS_LOCALE: ENU
BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_READ_INVALID_POINTER_READ_MEMORY_CORRUPTION_LARGE
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
PROBLEM_CLASSES:
ID: [0n313]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0xe18]
Frame: [0] : coreclr!JIT_ByRefWriteBarrier
ID: [0n285]
Type: [INVALID_POINTER_READ]
Class: Primary
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0xe18]
Frame: [0] : coreclr!JIT_ByRefWriteBarrier
ID: [0n310]
Type: [NULL_CLASS_PTR_READ]
Class: Primary
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [0x34b0]
TID: [0xe18]
Frame: [0] : coreclr!JIT_ByRefWriteBarrier
ID: [0n209]
Type: [MEMORY_CORRUPTION]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x34b0]
TID: [0xe18]
Frame: [Unspecified]
ID: [0n155]
Type: [LARGE]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x34b0]
TID: [0xe18]
Frame: [Unspecified]
IP_ON_HEAP: 00007ff981cc1d92
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
FRAME_ONE_INVALID: 1
LAST_CONTROL_TRANSFER: from 00007ff981cc1d92 to 00007ff9e11def80
STACK_TEXT:
00000000`00000000 00000000`00000000 memory_corruption!coreclr+0x0
THREAD_SHA1_HASH_MOD_FUNC: 238f9bbe42e62ed91d52364df4f517b7195eb1bd
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 31ac0b998b86500375cad1720a79ca2fe1a32068
THREAD_SHA1_HASH_MOD: 7da7fbec386ce361a40d03d69a994bc4836f03e8
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: memory_corruption!coreclr
FOLLOWUP_NAME: MachineOwner
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ** Pseudo Context ** ManagedPseudo ** Value: 1f5a19fdc40 ** ; kb
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE_c0000005_memory_corruption!coreclr
BUCKET_ID: APPLICATION_FAULT_NULL_CLASS_PTR_READ_INVALID_POINTER_READ_MEMORY_CORRUPTION_LARGE_memory_corruption!coreclr
FAILURE_EXCEPTION_CODE: c0000005
IMAGE_NAME: memory_corruption
FAILURE_IMAGE_NAME: memory_corruption
BUCKET_ID_IMAGE_STR: memory_corruption
MODULE_NAME: memory_corruption
FAILURE_MODULE_NAME: memory_corruption
BUCKET_ID_MODULE_STR: memory_corruption
FAILURE_FUNCTION_NAME: coreclr
BUCKET_ID_FUNCTION_STR: coreclr
BUCKET_ID_OFFSET: 0
BUCKET_ID_MODTIMEDATESTAMP: 0
BUCKET_ID_MODCHECKSUM: 0
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_NULL_CLASS_PTR_READ_INVALID_POINTER_READ_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: memory_corruption!coreclr
TARGET_TIME: 2018-10-10T01:54:39.000Z
OSBUILD: 17134
OSSERVICEPACK: 1
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2020-08-28 00:38:41
BUILDDATESTAMP_STR: 180410-1804
BUILDLAB_STR: rs4_release
BUILDOSVER_STR: 10.0.17134.1.amd64fre.rs4_release.180410-1804
ANALYSIS_SESSION_ELAPSED_TIME: d41f
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:memory_corruption_large_c0000005_memory_corruption!coreclr
FAILURE_ID_HASH: {86a2bf15-f560-8236-4e0b-c8d3ccc2df8b}
Followup: MachineOwner
---------
0:015> g
ntdll!NtTerminateProcess+0x14:
00007ffa`1bc7a474 c3 ret
0:015> g
^ No runnable debuggees error in 'g'
@NTaylorMullen can you confirm that replacing Debug with Trace in this line fixes the issue?
obayit
on 10 Oct 2018
@NTaylorMullen can you confirm that replacing Debug with Trace in this line fixes the issue?
I sadly don't see any crashes, exceptions or issues of any kind. That being said it looks like something heinous is happening on your end given that your process is crashing. I've reached out to some corefx folks to see if it makes sense to investigate further.
As for the exit code being non-0 after a graceful shutdown, that is a potential corefx issue.
NTaylorMullen
on 10 Oct 2018
/cc @jkotas - what are the right next steps here
rynowak
on 10 Oct 2018
The segmentation fault is duplicate of https://github.com/dotnet/coreclr/issues/19444 . The problem is that the segmentation fault was not translated to NullReferenceException in one corner case.
Once you pick up the fix for the segmentation fault translation, you will see NullReferenceException instead because of the mvc_view_model_bug.ExampleModel argument passed to the dynamic_lambda method is null at this callstack:
DynamicClass.lambda_method(System.Runtime.CompilerServices.Closure, mvc_view_model_bug.ExampleModel)+0x12
Microsoft_AspNetCore_Mvc_ViewFeatures!Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ExpressionMetadataProvider+<>c__DisplayClass0_0`2[[System.__Canon, System.Private.CoreLib],[Microsoft.Extensions.Primitives.StringValues, Microsoft.Extensions.Primitives]].<FromLambdaExpression>b__0(System.Object)+0x97
I guess you want to figure out why the mvc_view_model_bug.ExampleModel argument is null and stop doing that.
jkotas
on 10 Oct 2018
@jkotas Thanks for the explanation. It looks like that dynamic_lambda does anticipate the possibility of a NullReferenceException, but (if I've understood you correctly) the anticipated NRE is never thrown because the segfault isn't translated:
Right now, null models are passed to the view without issue, except for when the model has a property similar to StringValues. I can work around this by passing an initialized model in these cases (e.g. View() to View(new ExampleModel)), but that changes some business logic which interprets null models differently than newly constructed model. The real pain here is that this failure is only happening in release builds, making it easy to miss during normal development/unit testing.
Some concrete questions:
It looks like dotnet/coreclr#19444 is tagged for
3.0. Are there any plans to backport this for2.2?- If not, can anything be done in
ExpressionMetadataProviderto catch or avoid the segfault? - If not, should we discontinue
InputTagHelperusage until patched? Or some other mitigation?
- If not, can anything be done in
Could anyone define the exact characteristics of the model/properties that cause this failure?
- Is it any
struct? Is it anyreadonly struct? Is it layout related? - Basically, can we mitigate by modifying our type definitions/metadata?
- Is it any
austindrenski
on 11 Oct 2018
Are there any plans to backport this for 2.2?
We should be able to backport this to 2.2 since we have a real customer scenario hitting the bug. I will reactivate the bug to make it considered for back-porting.
to catch or avoid the segfault?
This segfault cannot be caught or handled.
Is it any struct? Is it any readonly struct? Is it layout related?
This bug is triggered by structs that do not fit into register (this is platform dependent. e.g. 8 bytes on Windows x64, 16 bytes on Linux x64) and first field of the struct is object reference.
jkotas
on 11 Oct 2018
@austindrenski try using the solution in my previous comment and see if that doesn't break your business logic.
obayit
on 11 Oct 2018
@obayit I gave that a try, but no luck. Looking at the accessor in ExpressionMetadataProvider, I would expect both asp-for="ExampleProperty" and asp-for="@Model.ExampleProperty to generate the same expression (e.g. m => m.ExampleProperty) and subsequent issue. Are you seeing something else?
austindrenski
on 12 Oct 2018
@austindrenski you are right. That doesn't work.
obayit
on 12 Oct 2018
Closing as a duplicate of an external issue.
NTaylorMullen
on 30 Oct 2018
Related issues
dotnetjunkie
路
43Comments
eat-sleep-code
路
40Comments
janpieterz
路
43Comments
MicahZoltu
路
37Comments
dougbu
路
54Comments