CoreCLR crash under heavy load when using custom host on Windows

[NotNite]

Description

When using a custom host (nethost/hostfxr) on Windows, I experience intermittent crashes when my program is under heavy GC load (in my case, specifically in a code path that creates a lot of short-lived byte arrays). This was also independently observed at Reloaded-Project/Reloaded-II#588.

Reproduction Steps

I don't have exact reproduction steps available for this crash, as it's not 100% consistent, but here's what I've observed so far:

1. This seems to only happen on custom hosts - I can't get this to happen in a standard C# console application. In all cases I've observed this crash, it's been from a C# library loaded in a C++ application using hostfxr.
2. Applications seem to crash semi-consistently when making large amounts of allocations, which leads me to think it's GC related. While I haven't had much success trying to intentionally trigger the crash, @Sewer56 was able to reproduce a crash in their codebase fairly easily with this snippet:

for (int x = 0; x < 10000; x++)
{
    var buf = new byte[1337];
    GC.Collect();
}

3. I was unable to get a MRE in a C++ console application using hostfxr, so there's likely something more at play here.

I apologize for the vague reproduction steps, this bug is quite elusive and I hope to find a proper MRE soon. Hopefully there might be some ideas on how to reproduce this from a .NET team member?

Expected behavior

The runtime should not crash.

Actual behavior

The program displays the message Fatal error. Internal CLR error. (0x80131506) (COR_E_EXECUTIONENGINE) in standard output and then crashes with STATUS_ACCESS_VIOLATION dereferencing a null pointer. While I can't upload the entire minidump here (it contains sensitive information), here's a snippet from WinDbg (referenced source is the commit linked below):

FAULTING_SOURCE_LINE:  D:\code\csharp\crashrepro\runtime\src\coreclr\gc\gc.cpp

FAULTING_SOURCE_FILE:  D:\code\csharp\crashrepro\runtime\src\coreclr\gc\gc.cpp

FAULTING_SOURCE_LINE_NUMBER:  41333

FAULTING_SOURCE_CODE:  
 11606: inline size_t my_get_size (Object* ob)
 11607: {
 11608:     MethodTable* mT = header(ob)->GetMethodTable();
 11609: 
>11610:     return (mT->GetBaseSize() +
 11611:             (mT->HasComponentSize() ?
 11612:              ((size_t)((CObjectHeader*)ob)->GetNumComponents() * mT->RawGetComponentSize()) : 0));
 11613: }
 11614: 
 11615: #define size(i) my_get_size (header(i))


SYMBOL_NAME:  coreclr!WKS::gc_heap::find_first_object+e8

Regression?

This started happening with .NET 9.0.5 and previously worked on .NET 9.0.4.

Known Workarounds

None, beyond pinning to 9.0.4.

Configuration

• Version: .NET 9.0.5, .NET 9.0.6, .NET 10 Preview 5
• OS: Windows 11 23H2 (22631.5189)
• Architecture: x64

Other information

A git bisect led me to 0fb125a as the first bad commit, which matches my testing (the commit before 9226298 is good). I've also heard from a friend that this started with .NET 10 Preview 3, and while I haven't tested the reproduction case myself, that lines up (fa3beb9).

[Sewer56]

@Sewer56 was able to reproduce a crash in their codebase fairly easily with this snippet:

That was actually @Nenkai , after I asked them to put some GC pressure, as the crash point around Windows Crash Dumps was around the GC in native parts of the runtime. It doesn't cause the issue, but just increases probability; at least from what I've heard so far. Testing on my own end has been limited; after all, I needed to spend a full weekend getting thousands of users to an earlier runtime; writing a bunch of code to check, install, etc. for an emergency workaround.

It's been hard to get a MRE for this; but essentially, from our observations so far it was:

nethost+hostfxr -> .NET Library -> Create Threads + ALCs -> Chance of Crash

That on itself seems fine, but once you get additional Threads and AssemblyLoadContext(s) involved; things just fall apart.
Having another peek, it's more likely thread related (edit: Seems like it's an issue deallocating on the finalizer thread?), but we've not got around to finding out the details yet.

[NotNite]

Having another peek, it's more likely thread related, but we've not got around to finding out yet.

Adding onto this, I'd think it's likely, but I have pretty much no clue currently given how hard it is to debug (hoping someone with familiarity in this code area chimes in!). The commit I bisected is related to FLS, so I'd bet it's related to the finalizer of the allocated object, instead of just the allocation itself.

[NotNite]

Some updates:

1. An end user experiencing this crash was willing to provide a full dump (about ~1.9 GB): https://drive.google.com/file/d/1daJnAF6FzSgLRxsOfo92bZUeb7hQMNfY/view?usp=sharing
2. I've also tested this on .NET 10 Preview 5 and it seems to still happen - I've updated the issue description accordingly.
3. A friend of mine mentioned experiencing the same issue in a NativeAOT executable (not a library), and I've asked them to try and reproduce it. Since the commit I bisected is "the same mechanism as used on NativeAOT", it's likely that the root cause was introduced in a separate commit, and the commit I bisected just introduces that behavior to CoreCLR. This probably goes beyond the scope I initially expected...

Again, apologies for this report being all over the place!

[reflectronic]

The call stack leading up to the crash looks like this:

[0x23]   coreclr!EEPolicy::HandleFatalError+0x133   0xae7dba0   0x7ffb78805920   
[0x24]   coreclr!ProcessCLRExceptionNew+0x108   0xae7e1a0   0x7ffb7880508c   
[0x25]   coreclr!ProcessCLRException+0x3c   0xae7e1f0   0x7ffc0ee128bf   
[0x26]   ntdll!RtlpExecuteHandlerForException+0xf   0xae7e3c0   0x7ffc0edc2554   
[0x27]   ntdll!RtlDispatchException+0x244   0xae7e3f0   0x7ffc0ee113ce   
[0x28]   ntdll!KiUserExceptionDispatch+0x2e   0xae7eb00   0x7ffb7858fae1   
[0x29]   coreclr!WKS::CObjectHeader::SetFree+0xb   (Inline Function)   (Inline Function)   
[0x2a]   coreclr!WKS::gc_heap::make_unused_array+0x39   0xae7f210   0x7ffb78648ab7   
[0x2b]   coreclr!WKS::gc_heap::fix_allocation_context+0x5f   0xae7f250   0x7ffb78648a50   
[0x2c]   coreclr!WKS::GCHeap::FixAllocContext+0x20   0xae7f280   0x7ffb78655708   
[0x2d]   coreclr!WKS::fix_alloc_context+0x28   0xae7f2b0   0x7ffb785fea8d   
[0x2e]   coreclr!GCToEEInterface::GcEnumAllocContexts+0x51   0xae7f2f0   0x7ffb78585503   
[0x2f]   coreclr!WKS::gc_heap::fix_allocation_contexts+0x1f   0xae7f320   0x7ffb78584d5a   
[0x30]   coreclr!WKS::gc_heap::garbage_collect+0x36   0xae7f360   0x7ffb78587d36   
[0x31]   coreclr!WKS::GCHeap::GarbageCollectGeneration+0x13e   0xae7f3b0   0x7ffb78667622   
[0x32]   coreclr!WKS::gc_heap::trigger_gc_for_alloc+0x26   0xae7f410   0x7ffb786a1888   
[0x33]   coreclr!WKS::gc_heap::try_allocate_more_space+0x4df4c   0xae7f440   0x7ffb78653915   
[0x34]   coreclr!WKS::gc_heap::allocate_more_space+0x31   0xae7f4a0   0x7ffb7858fe47   
[0x35]   coreclr!WKS::gc_heap::allocate+0x64   (Inline Function)   (Inline Function)   
[0x36]   coreclr!WKS::GCHeap::Alloc+0x97   0xae7f4d0   0x7ffb7855f2f1   
[0x37]   coreclr!Alloc+0x7f   (Inline Function)   (Inline Function)   
[0x38]   coreclr!AllocateObject+0x101   0xae7f510   0x7ffb7855f14d   
[0x39]   coreclr!AllocateObject+0xd   (Inline Function)   (Inline Function)   
[0x3a]   coreclr!JIT_New+0xdd   0xae7f5a0   0x7ffb19bdec40   
[0x3b]   Ryo_Reloaded!Ryo.Reloaded.CRI.CriAtomEx.CriAtomEx.Player_Create+0x200   0xae7f700   0x7ffb1aa94243   
[0x3c]   Reloaded_Mod_Loader!ILStubClass.IL_STUB_ReversePInvoke(Ryo.Definitions.Structs.CriAtomExPlayerConfigTag*, System.Void*, Int32)+0x53   0xae7f7f0   0x147bfdcc0   

Given that 0fb125a is responsible for the change in behavior, and that the call stack is extremely similar to #110442, it suggests the cause is similar to dotnet/winforms#12631: the thread exit notification is being lost, leaving invalid entries in the thread store.

Do you have tips on debugging where this happens? It's still unclear to us whether the native application is using an FLS callback as in the COM scenario.

[jkotas]

Do you have tips on debugging where this happens?

If possible, the best way to debug this is using time-travel debugger built into windbg: https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/time-travel-debugging-overview

Once you collect the time travel trace, set a write breakpoint on the thread allocation context that's gone and run back to see where that allocation context got created.

[dotnet-policy-service]

Tagging subscribers to this area: @mangod9
See info in area-owners.md if you want to be subscribed.

[NotNite]

I was able to get a TTD dump including the crash but I haven't had the time to look into it extensively - will try and post more details tomorrow.

[reflectronic]

The issue seems different from the COM one. The thread which remains in the ThreadStore after terminating never calls coreclr!FiberDetachCallback at all. (It also happens to be the thread which initializes CoreCLR via the hosting API.)

On the left is the list of FLS callbacks that the thread enumerates over before terminating. (The callback is skipped if the slot is NULL, so some of these likely aren't called.) On the right is the equivalent list for some other thread in the process: 

I will keep researching, but it will take some time to understand how Windows is keeping track of the callbacks.

[jkotas]

This likely means that the thread got attached to the runtime very late during its shutdown sequence, after the FLS callbacks go delivered on it.

What's the stacktrace where this thread got attached to the runtime?

[reflectronic]

This thread is the one that launches CoreCLR with the hosting API. It is attached very early.

[0x0]   coreclr!OsAttachThread   0x32506fe2f8   0x7ffd79abb7ec   
[0x1]   coreclr!EnsureTlsDestructionMonitor+0x9   (Inline Function)   (Inline Function)   
[0x2]   coreclr!SetThread+0x5c   0x32506fe300   0x7ffd79a4cb8f   
[0x3]   coreclr!SetupThread+0xe3   0x32506fe330   0x7ffd79a4c74a   
[0x4]   coreclr!EEStartupHelper+0x7d2   0x32506fe3e0   0x7ffd79ac7089   
[0x5]   coreclr!EEStartup+0x2d   0x32506fe4c0   0x7ffd79ac7025   
[0x6]   coreclr!EnsureEEStarted+0x95   0x32506fe500   0x7ffd79ac6f5b   
[0x7]   coreclr!CorHost2::Start+0x5b   0x32506fe540   0x7ffd79ae57f3   
[0x8]   coreclr!coreclr_initialize+0x163   0x32506fe580   0x7ffd8233373d   
[0x9]   hostpolicy!coreclr_t::create+0x2ad   0x32506fe650   0x7ffd8234d755   
[0xa]   hostpolicy!`anonymous namespace'::create_coreclr+0x165   0x32506fe7d0   0x7ffd9cfc19d6   
[0xb]   hostfxr!fx_muxer_t::load_runtime+0x26   0x32506fe830   0x7ffd9cfbb324   
[0xc]   hostfxr!hostfxr_get_runtime_delegate+0xf4   0x32506fe860   0x7ffe737e8b46   
[0xd]   loader!load+0x25c66   0x32506fe8a0   0x7ffe737e4bed   

[reflectronic]

This is the same problem as was fixed in #115546. The thread which initializes .NET does not arm the FLS callback. It will not send the notification when it exits.