AV in Release build of C implementation of EventPipe

[josalem]

I started my attempts at collecting end-to-end throughput measurements, but I'm getting an AV in a Release macos-x64 build with the C implementation that doesn't happen with the C++ implementation.

Process 69371 resuming
Process 69371 stopped
* thread #11, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00000001041bb967 libcoreclr.dylib`ep_buffer_manager_write_event(_EventPipeBufferManager*, Thread*, _EventPipeSession*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 151
libcoreclr.dylib`ep_buffer_manager_write_event:
->  0x1041bb967 <+151>: movq   0x10(%rbx), %rdi
    0x1041bb96b <+155>: testq  %rdi, %rdi
    0x1041bb96e <+158>: jne    0x1041bba0b               ; <+315>
    0x1041bb974 <+164>: jmp    0x1041bba4e               ; <+382>
Target 0: (corescaletest) stopped.
(lldb) bt
* thread #11, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00000001041bb967 libcoreclr.dylib`ep_buffer_manager_write_event(_EventPipeBufferManager*, Thread*, _EventPipeSession*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 151
    frame #1: 0x00000001041c3d34 libcoreclr.dylib`ep_session_write_event(_EventPipeSession*, Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 292
    frame #2: 0x00000001041c6b8a libcoreclr.dylib`write_event_2(Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 234
    frame #3: 0x00000001041c0fff libcoreclr.dylib`ep_write_event_2(_EventPipeEvent*, _EventData*, unsigned int, unsigned char const*, unsigned char const*) + 191
    frame #4: 0x0000000103f3191d libcoreclr.dylib`EventPipeInternal::WriteEventData(long, _EventData*, unsigned int, _GUID const*, _GUID const*) + 61
    frame #5: 0x000000011abdea9d
    frame #6: 0x000000011abde62d
    frame #7: 0x000000011abde1da
    frame #8: 0x000000011abddc85
    frame #9: 0x000000011abddc44
    frame #10: 0x000000011a732912
    frame #11: 0x000000011a73dab1
    frame #12: 0x000000011a732a2e
    frame #13: 0x0000000104097019 libcoreclr.dylib`CallDescrWorkerInternal + 124
    frame #14: 0x0000000103efe00f libcoreclr.dylib`MethodDescCallSite::CallTargetWorker(unsigned long const*, unsigned long*, int) + 1519
    frame #15: 0x0000000103f0e984 libcoreclr.dylib`ThreadNative::KickOffThread_Worker(void*) + 404
    frame #16: 0x0000000103ec859b libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 315
    frame #17: 0x0000000103ec8b50 libcoreclr.dylib`ManagedThreadBase::KickOff(void (*)(void*), void*) + 32
    frame #18: 0x0000000103f0eaff libcoreclr.dylib`ThreadNative::KickOffThread(void*) + 191
    frame #19: 0x0000000103dbc14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #20: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #21: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15

I'll try switching to a checked build and see if I can't pin down what's happening.

For reference, the test I'm running writes events across N threads (N == number of cores on machine, 4 in my case) without pausing in between. It's meant to saturate the buffer system and drop events. I have levers for reducing that stream to more realistic values and simulate bursts and periodic behavior.

Belongs to #46079

CC - @lateralusX

[josalem]

(Note the below is on macOS x64)

Here's the full dissassembly for the AV:

libcoreclr.dylib`ep_buffer_manager_write_event:
    0x10fecc8d0 <+0>:    movq   0x8(%rcx), %rax
    0x10fecc8d4 <+4>:    testq  %rax, %rax
    0x10fecc8d7 <+7>:    je     0x10fecc979               ; <+169>
    0x10fecc8dd <+13>:   pushq  %rbp
    0x10fecc8de <+14>:   movq   %rsp, %rbp
    0x10fecc8e1 <+17>:   pushq  %r15
    0x10fecc8e3 <+19>:   pushq  %r14
    0x10fecc8e5 <+21>:   pushq  %r13
    0x10fecc8e7 <+23>:   pushq  %r12
    0x10fecc8e9 <+25>:   pushq  %rbx
    0x10fecc8ea <+26>:   subq   $0x388, %rsp              ; imm = 0x388
    0x10fecc8f1 <+33>:   movq   %r9, %r15
    0x10fecc8f4 <+36>:   movq   %r8, %r13
    0x10fecc8f7 <+39>:   movq   %rdx, %rbx
    0x10fecc8fa <+42>:   movq   %rsi, %r12
    0x10fecc8fd <+45>:   movq   %rdi, %r8
    0x10fecc900 <+48>:   movq   0x20(%rbp), %rdx
    0x10fecc904 <+52>:   movq   0x18(%rbp), %rax
    0x10fecc908 <+56>:   testq  %rax, %rax
    0x10fecc90b <+59>:   cmovneq %rax, %r12
    0x10fecc90f <+63>:   movl   $0x0, -0x90(%rbp)
    0x10fecc919 <+73>:   testq  %rdx, %rdx
    0x10fecc91c <+76>:   je     0x10fecc97c               ; <+172>
    0x10fecc91e <+78>:   callq  0x10fedfad0               ; thread-local wrapper routine for EventPipeCoreCLRThreadHolderTLS::g_threadHolderTLS
    0x10fecc923 <+83>:   movq   (%rax), %rax
    0x10fecc926 <+86>:   testq  %rax, %rax
    0x10fecc929 <+89>:   je     0x10feccc15               ; <+837>
    0x10fecc92f <+95>:   movq   (%rax), %r14
    0x10fecc932 <+98>:   testq  %r14, %r14
    0x10fecc935 <+101>:  je     0x10feccc15               ; <+837>
    0x10fecc93b <+107>:  movq   %r8, -0x38(%rbp)
    0x10fecc93f <+111>:  movq   %rcx, -0x70(%rbp)
    0x10fecc943 <+115>:  movq   %rdx, -0x78(%rbp)
    0x10fecc947 <+119>:  movq   0x208(%r14), %rdi
    0x10fecc94e <+126>:  callq  0x10fbc5720               ; SpinLock::AcquireLock(SpinLock*)
    0x10fecc953 <+131>:  movq   %rbx, -0x50(%rbp)
    0x10fecc957 <+135>:  movl   0x40(%rbx), %eax
    0x10fecc95a <+138>:  movq   %r14, -0x40(%rbp)
    0x10fecc95e <+142>:  movq   (%r14,%rax,8), %rbx
    0x10fecc962 <+146>:  testq  %rbx, %rbx
    0x10fecc965 <+149>:  je     0x10fecc9a1               ; <+209>
->  0x10fecc967 <+151>:  movq   0x10(%rbx), %rdi
    0x10fecc96b <+155>:  testq  %rdi, %rdi
    0x10fecc96e <+158>:  jne    0x10fecca0b               ; <+315>
    0x10fecc974 <+164>:  jmp    0x10fecca4e               ; <+382>
    0x10fecc979 <+169>:  xorl   %eax, %eax
    0x10fecc97b <+171>:  retq
    0x10fecc97c <+172>:  cmpb   $0x0, 0x30(%rcx)
    0x10fecc980 <+176>:  je     0x10fecc98d               ; <+189>
    0x10fecc982 <+178>:  movl   0x44(%rbx), %eax
    0x10fecc985 <+181>:  testl  %eax, %eax
    0x10fecc987 <+183>:  je     0x10feccbc8               ; <+760>
    0x10fecc98d <+189>:  xorl   %edx, %edx
    0x10fecc98f <+191>:  callq  0x10fedfad0               ; thread-local wrapper routine for EventPipeCoreCLRThreadHolderTLS::g_threadHolderTLS
    0x10fecc994 <+196>:  movq   (%rax), %rax
    0x10fecc997 <+199>:  testq  %rax, %rax
    0x10fecc99a <+202>:  jne    0x10fecc92f               ; <+95>
    0x10fecc99c <+204>:  jmp    0x10feccc15               ; <+837>
    0x10fecc9a1 <+209>:  leaq   0x3d7c4(%rip), %rsi       ; nothrow
    0x10fecc9a8 <+216>:  movl   $0x28, %edi
    0x10fecc9ad <+221>:  callq  0x10fda90d0               ; operator new(unsigned long, NoThrow const&)
    0x10fecc9b2 <+226>:  testq  %rax, %rax
    0x10fecc9b5 <+229>:  je     0x10fecccc9               ; <+1017>
    0x10fecc9bb <+235>:  movq   %rax, %rbx
    0x10fecc9be <+238>:  movq   $0x0, 0x20(%rax)
    0x10fecc9c6 <+246>:  movq   $0x0, 0x18(%rax)
    0x10fecc9ce <+254>:  movq   $0x0, 0x10(%rax)
    0x10fecc9d6 <+262>:  movq   $0x0, 0x8(%rax)
    0x10fecc9de <+270>:  movq   -0x40(%rbp), %rcx
    0x10fecc9e2 <+274>:  movq   %rcx, (%rax)
    0x10fecc9e5 <+277>:  lock
    0x10fecc9e6 <+278>:  incl   0x218(%rcx)
    0x10fecc9ec <+284>:  movq   -0x50(%rbp), %rax
    0x10fecc9f0 <+288>:  movq   %rax, 0x8(%rbx)
    0x10fecc9f4 <+292>:  movl   $0x1, 0x20(%rbx)
    0x10fecc9fb <+299>:  movl   0x40(%rax), %eax
    0x10fecc9fe <+302>:  movq   %rbx, (%rcx,%rax,8)
    0x10fecca02 <+306>:  movq   0x10(%rbx), %rdi
    0x10fecca06 <+310>:  testq  %rdi, %rdi
    0x10fecca09 <+313>:  je     0x10fecca4e               ; <+382>
    0x10fecca0b <+315>:  movq   %r12, %rsi
    0x10fecca0e <+318>:  movq   -0x50(%rbp), %rdx
    0x10fecca12 <+322>:  movq   -0x70(%rbp), %rcx
    0x10fecca16 <+326>:  movq   %r13, %r8
    0x10fecca19 <+329>:  movq   %r15, %r9
    0x10fecca1c <+332>:  pushq  -0x78(%rbp)
    0x10fecca1f <+335>:  pushq  0x10(%rbp)
    0x10fecca22 <+338>:  callq  0x10fecb7e0               ; ep_buffer_write_event(_EventPipeBuffer*, Thread*, _EventPipeSession*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, _EventPipeStackContents*)
    0x10fecca27 <+343>:  addq   $0x10, %rsp
    0x10fecca2b <+347>:  testb  %al, %al
    0x10fecca2d <+349>:  je     0x10fecca4e               ; <+382>
    0x10fecca2f <+351>:  movl   0x20(%rbx), %eax
    0x10fecca32 <+354>:  incl   %eax
    0x10fecca34 <+356>:  movl   %eax, 0x20(%rbx)
    0x10fecca37 <+359>:  movq   -0x40(%rbp), %rax
    0x10fecca3b <+363>:  movq   0x208(%rax), %rdi
    0x10fecca42 <+370>:  callq  0x10fbc5860               ; SpinLock::ReleaseLock(SpinLock*)
    0x10fecca47 <+375>:  xorl   %ebx, %ebx
    0x10fecca49 <+377>:  jmp    0x10feccd95               ; <+1221>
    0x10fecca4e <+382>:  movq   %r15, -0x88(%rbp)
    0x10fecca55 <+389>:  movq   -0x40(%rbp), %rax
    0x10fecca59 <+393>:  movq   0x208(%rax), %rdi
    0x10fecca60 <+400>:  callq  0x10fbc5860               ; SpinLock::ReleaseLock(SpinLock*)
    0x10fecca65 <+405>:  movq   %r13, %rax
    0x10fecca68 <+408>:  movl   $0x378, %r13d             ; imm = 0x378
    0x10fecca6e <+414>:  movq   %rax, -0x80(%rbp)
    0x10fecca72 <+418>:  addl   0x14(%rax), %r13d
    0x10fecca76 <+422>:  movq   -0x38(%rbp), %r14
    0x10fecca7a <+426>:  movq   0x18(%r14), %rdi
    0x10fecca7e <+430>:  callq  0x10fbc5720               ; SpinLock::AcquireLock(SpinLock*)
    0x10fecca83 <+435>:  movq   %r14, %rdx
    0x10fecca86 <+438>:  movq   %rbx, -0x30(%rbp)
    0x10fecca8a <+442>:  movq   0x18(%rbx), %rax
    0x10fecca8e <+446>:  movq   %rax, %r15
    0x10fecca91 <+449>:  movq   %rax, -0x68(%rbp)
    0x10fecca95 <+453>:  testq  %rax, %rax
    0x10fecca98 <+456>:  je     0x10feccc1c               ; <+844>
    0x10fecca9e <+462>:  movq   0x48(%rdx), %rax
    0x10feccaa2 <+466>:  subq   0x40(%rdx), %rax
    0x10feccaa6 <+470>:  movl   %r13d, %ecx
    0x10feccaa9 <+473>:  cmpq   %rcx, %rax
    0x10feccaac <+476>:  jae    0x10feccac0               ; <+496>
    0x10feccaae <+478>:  movq   0x18(%rdx), %rdi
    0x10feccab2 <+482>:  callq  0x10fbc5860               ; SpinLock::ReleaseLock(SpinLock*)
    0x10feccab7 <+487>:  movq   -0x30(%rbp), %r14
    0x10feccabb <+491>:  jmp    0x10feccd60               ; <+1168>
    0x10feccac0 <+496>:  imull  $0x19000, 0x20(%r15), %r15d ; imm = 0x19000
    0x10feccac8 <+504>:  addl   $0x19000, %r15d           ; imm = 0x19000
    0x10feccacf <+511>:  cmpl   %r13d, %r15d
    0x10feccad2 <+514>:  cmovbl %r13d, %r15d
    0x10feccad6 <+518>:  cmpl   %eax, %r15d
    0x10feccad9 <+521>:  cmovael %eax, %r15d
    0x10feccadd <+525>:  leaq   0xf9564(%rip), %rax       ; g_SystemInfo
    0x10feccae4 <+532>:  movl   0x28(%rax), %r14d
    0x10feccae8 <+536>:  movq   -0x30(%rbp), %rax
    0x10feccaec <+540>:  movl   0x20(%rax), %ecx
    0x10feccaef <+543>:  movl   %ecx, -0x48(%rbp)
    0x10feccaf2 <+546>:  movq   (%rax), %r13
    0x10feccaf5 <+549>:  leaq   0x3d670(%rip), %rsi       ; nothrow
    0x10feccafc <+556>:  movl   $0x48, %edi
    0x10feccb01 <+561>:  callq  0x10fda90d0               ; operator new(unsigned long, NoThrow const&)
    0x10feccb06 <+566>:  testq  %rax, %rax
    0x10feccb09 <+569>:  je     0x10feccd04               ; <+1076>
    0x10feccb0f <+575>:  movq   %rax, %rbx
    0x10feccb12 <+578>:  cmpl   $0x100000, %r15d          ; imm = 0x100000
    0x10feccb19 <+585>:  movl   $0x100000, %eax           ; imm = 0x100000
    0x10feccb1e <+590>:  cmovbl %r15d, %eax
    0x10feccb22 <+594>:  leal   -0x1(%r14,%rax), %eax
    0x10feccb27 <+599>:  negl   %r14d
    0x10feccb2a <+602>:  andl   %eax, %r14d
    0x10feccb2d <+605>:  movq   $0x0, 0x40(%rbx)
    0x10feccb35 <+613>:  movq   $0x0, 0x38(%rbx)
    0x10feccb3d <+621>:  movq   $0x0, 0x30(%rbx)
    0x10feccb45 <+629>:  movq   $0x0, 0x28(%rbx)
    0x10feccb4d <+637>:  movq   $0x0, 0x20(%rbx)
    0x10feccb55 <+645>:  movq   $0x0, 0x18(%rbx)
    0x10feccb5d <+653>:  movq   $0x0, 0x10(%rbx)
    0x10feccb65 <+661>:  movq   $0x0, (%rbx)
    0x10feccb6c <+668>:  movq   %r13, 0x8(%rbx)
    0x10feccb70 <+672>:  movl   -0x48(%rbp), %eax
    0x10feccb73 <+675>:  movl   %eax, 0x44(%rbx)
    0x10feccb76 <+678>:  xorl   %edi, %edi
    0x10feccb78 <+680>:  movq   %r14, %rsi
    0x10feccb7b <+683>:  movl   $0x1000, %edx             ; imm = 0x1000
    0x10feccb80 <+688>:  movl   $0x4, %ecx
    0x10feccb85 <+693>:  callq  0x10fc4d130               ; ClrVirtualAlloc(void*, unsigned long, unsigned int, unsigned int)
    0x10feccb8a <+698>:  movq   %rax, 0x10(%rbx)
    0x10feccb8e <+702>:  testq  %rax, %rax
    0x10feccb91 <+705>:  je     0x10fecccfc               ; <+1068>
    0x10feccb97 <+711>:  movq   %r14, %r15
    0x10feccb9a <+714>:  leaq   (%rax,%r14), %rcx
    0x10feccb9e <+718>:  movq   %rcx, 0x20(%rbx)
    0x10feccba2 <+722>:  addq   $0x7, %rax
    0x10feccba6 <+726>:  andq   $-0x8, %rax
    0x10feccbaa <+730>:  movq   %rax, 0x18(%rbx)
    0x10feccbae <+734>:  leaq   -0x60(%rbp), %rdi
    0x10feccbb2 <+738>:  callq  0x10faac620               ; QueryPerformanceCounter
    0x10feccbb7 <+743>:  testl  %eax, %eax
    0x10feccbb9 <+745>:  je     0x10feccdac               ; <+1244>
    0x10feccbbf <+751>:  movq   -0x60(%rbp), %rax
    0x10feccbc3 <+755>:  jmp    0x10feccdae               ; <+1246>
    0x10feccbc8 <+760>:  movl   $0x0, -0x90(%rbp)
    0x10feccbd2 <+770>:  leaq   0xf1247(%rip), %rdi       ; gCurrentThreadInfo
    0x10feccbd9 <+777>:  callq  *(%rdi)
    0x10feccbdb <+779>:  movq   (%rax), %rdi
    0x10feccbde <+782>:  testq  %rdi, %rdi
    0x10feccbe1 <+785>:  je     0x10feccbfd               ; <+813>
    0x10feccbe3 <+787>:  leaq   -0x3b0(%rbp), %rsi
    0x10feccbea <+794>:  movq   %rcx, %r14
    0x10feccbed <+797>:  movq   %r8, -0x38(%rbp)
    0x10feccbf1 <+801>:  callq  0x10fedf940               ; ep_rt_coreclr_walk_managed_stack_for_thread(Thread*, _EventPipeStackContents*)
    0x10feccbf6 <+806>:  movq   -0x38(%rbp), %r8
    0x10feccbfa <+810>:  movq   %r14, %rcx
    0x10feccbfd <+813>:  leaq   -0x3b0(%rbp), %rdx
    0x10feccc04 <+820>:  callq  0x10fedfad0               ; thread-local wrapper routine for EventPipeCoreCLRThreadHolderTLS::g_threadHolderTLS
    0x10feccc09 <+825>:  movq   (%rax), %rax
    0x10feccc0c <+828>:  testq  %rax, %rax
    0x10feccc0f <+831>:  jne    0x10fecc92f               ; <+95>
    0x10feccc15 <+837>:  xorl   %eax, %eax
    0x10feccc17 <+839>:  jmp    0x10feccd9a               ; <+1226>
    0x10feccc1c <+844>:  movq   -0x30(%rbp), %rax
    0x10feccc20 <+848>:  movq   (%rax), %rbx
    0x10feccc23 <+851>:  leaq   0x3d542(%rip), %rsi       ; nothrow
    0x10feccc2a <+858>:  movl   $0x28, %edi
    0x10feccc2f <+863>:  callq  0x10fda90d0               ; operator new(unsigned long, NoThrow const&)
    0x10feccc34 <+868>:  testq  %rax, %rax
    0x10feccc37 <+871>:  je     0x10fecccef               ; <+1055>
    0x10feccc3d <+877>:  movq   %rax, %r15
    0x10feccc40 <+880>:  movq   $0x0, 0x20(%rax)
    0x10feccc48 <+888>:  movq   $0x0, 0x18(%rax)
    0x10feccc50 <+896>:  movq   $0x0, 0x10(%rax)
    0x10feccc58 <+904>:  movq   $0x0, 0x8(%rax)
    0x10feccc60 <+912>:  movq   %rbx, (%rax)
    0x10feccc63 <+915>:  lock
    0x10feccc64 <+916>:  incl   0x218(%rbx)
    0x10feccc6a <+922>:  movq   -0x38(%rbp), %rbx
    0x10feccc6e <+926>:  movq   %rbx, 0x8(%rax)
    0x10feccc72 <+930>:  movq   $0x0, 0x20(%rax)
    0x10feccc7a <+938>:  movq   $0x0, 0x18(%rax)
    0x10feccc82 <+946>:  movq   $0x0, 0x10(%rax)
    0x10feccc8a <+954>:  leaq   0x3d4db(%rip), %rsi       ; nothrow
    0x10feccc91 <+961>:  movl   $0x10, %edi
    0x10feccc96 <+966>:  callq  0x10fda90d0               ; operator new(unsigned long, NoThrow const&)
    0x10feccc9b <+971>:  testq  %rax, %rax
    0x10feccc9e <+974>:  je     0x10fecccf6               ; <+1062>
    0x10feccca0 <+976>:  movq   $0x0, (%rax)
    0x10feccca7 <+983>:  movq   -0x30(%rbp), %rsi
    0x10fecccab <+987>:  movq   %rsi, 0x8(%rax)
    0x10fecccaf <+991>:  movq   (%rbx), %rcx
    0x10fecccb2 <+994>:  movq   0x10(%rcx), %rdx
    0x10fecccb6 <+998>:  movq   %rax, (%rdx)
    0x10fecccb9 <+1001>: movq   %rax, 0x10(%rcx)
    0x10fecccbd <+1005>: movq   %r15, 0x18(%rsi)
    0x10fecccc1 <+1009>: movq   %rbx, %rdx
    0x10fecccc4 <+1012>: jmp    0x10fecca9e               ; <+462>
    0x10fecccc9 <+1017>: movq   -0x50(%rbp), %rax
    0x10feccccd <+1021>: movl   0x40(%rax), %eax
    0x10fecccd0 <+1024>: movq   -0x40(%rbp), %rcx
    0x10fecccd4 <+1028>: movq   $0x0, (%rcx,%rax,8)
    0x10fecccdc <+1036>: movq   0x208(%rcx), %rdi
    0x10feccce3 <+1043>: callq  0x10fbc5860               ; SpinLock::ReleaseLock(SpinLock*)
    0x10feccce8 <+1048>: xorl   %eax, %eax
    0x10fecccea <+1050>: jmp    0x10feccd9a               ; <+1226>
    0x10fecccef <+1055>: xorl   %r15d, %r15d
    0x10fecccf2 <+1058>: movq   -0x38(%rbp), %rbx
    0x10fecccf6 <+1062>: movq   -0x30(%rbp), %r14
    0x10fecccfa <+1066>: jmp    0x10feccd10               ; <+1088>
    0x10fecccfc <+1068>: movq   %rbx, %rdi
    0x10fecccff <+1071>: callq  0x10fda9130               ; operator delete(void*)
    0x10feccd04 <+1076>: movq   -0x30(%rbp), %r14
    0x10feccd08 <+1080>: movq   -0x38(%rbp), %rbx
    0x10feccd0c <+1084>: movq   -0x68(%rbp), %r15
    0x10feccd10 <+1088>: movq   0x18(%rbx), %rdi
    0x10feccd14 <+1092>: callq  0x10fbc5860               ; SpinLock::ReleaseLock(SpinLock*)
    0x10feccd19 <+1097>: xorl   %ebx, %ebx
    0x10feccd1b <+1099>: testq  %r15, %r15
    0x10feccd1e <+1102>: je     0x10feccd3e               ; <+1134>
    0x10feccd20 <+1104>: movq   (%r15), %rdi
    0x10feccd23 <+1107>: testq  %rdi, %rdi
    0x10feccd26 <+1110>: je     0x10feccd36               ; <+1126>
    0x10feccd28 <+1112>: lock
    0x10feccd29 <+1113>: decl   0x218(%rdi)
    0x10feccd2f <+1119>: jne    0x10feccd36               ; <+1126>
    0x10feccd31 <+1121>: callq  0x10fed54e0               ; ep_thread_free(_EventPipeThread*)
    0x10feccd36 <+1126>: movq   %r15, %rdi
    0x10feccd39 <+1129>: callq  0x10fda9130               ; operator delete(void*)
    0x10feccd3e <+1134>: testq  %rbx, %rbx
    0x10feccd41 <+1137>: je     0x10feccd60               ; <+1168>
    0x10feccd43 <+1139>: movq   0x10(%rbx), %rdi
    0x10feccd47 <+1143>: testq  %rdi, %rdi
    0x10feccd4a <+1146>: je     0x10feccd58               ; <+1160>
    0x10feccd4c <+1148>: xorl   %esi, %esi
    0x10feccd4e <+1150>: movl   $0x8000, %edx             ; imm = 0x8000
    0x10feccd53 <+1155>: callq  0x10fc4d140               ; ClrVirtualFree(void*, unsigned long, unsigned int)
    0x10feccd58 <+1160>: movq   %rbx, %rdi
    0x10feccd5b <+1163>: callq  0x10fda9130               ; operator delete(void*)
    0x10feccd60 <+1168>: movq   -0x40(%rbp), %rbx
    0x10feccd64 <+1172>: movq   0x208(%rbx), %rdi
    0x10feccd6b <+1179>: callq  0x10fbc5720               ; SpinLock::AcquireLock(SpinLock*)
    0x10feccd70 <+1184>: movl   0x20(%r14), %eax
    0x10feccd74 <+1188>: incl   %eax
    0x10feccd76 <+1190>: movl   %eax, 0x20(%r14)
    0x10feccd7a <+1194>: movq   0x208(%rbx), %rdi
    0x10feccd81 <+1201>: callq  0x10fbc5860               ; SpinLock::ReleaseLock(SpinLock*)
    0x10feccd86 <+1206>: movb   $0x1, %bl
    0x10feccd88 <+1208>: movq   -0x38(%rbp), %rax
    0x10feccd8c <+1212>: movq   0x10(%rax), %rdi
    0x10feccd90 <+1216>: callq  0x10fcd9190               ; CLREventBase::Set()
    0x10feccd95 <+1221>: testb  %bl, %bl
    0x10feccd97 <+1223>: sete   %al
    0x10feccd9a <+1226>: addq   $0x388, %rsp              ; imm = 0x388
    0x10feccda1 <+1233>: popq   %rbx
    0x10feccda2 <+1234>: popq   %r12
    0x10feccda4 <+1236>: popq   %r13
    0x10feccda6 <+1238>: popq   %r14
    0x10feccda8 <+1240>: popq   %r15
    0x10feccdaa <+1242>: popq   %rbp
    0x10feccdab <+1243>: retq
    0x10feccdac <+1244>: xorl   %eax, %eax
    0x10feccdae <+1246>: movq   -0x30(%rbp), %r14
    0x10feccdb2 <+1250>: movq   -0x38(%rbp), %rsi
    0x10feccdb6 <+1254>: movq   %rax, (%rbx)
    0x10feccdb9 <+1257>: movq   $0x0, 0x38(%rbx)
    0x10feccdc1 <+1265>: movq   $0x0, 0x30(%rbx)
    0x10feccdc9 <+1273>: movq   $0x0, 0x28(%rbx)
    0x10feccdd1 <+1281>: movl   $0x0, 0x40(%rbx)
    0x10feccdd8 <+1288>: addq   %r15, 0x40(%rsi)
    0x10feccddc <+1292>: cmpq   $0x0, 0x58(%rsi)
    0x10feccde1 <+1297>: je     0x10feccf89               ; <+1721>
    0x10feccde7 <+1303>: movq   0x50(%rsi), %rax
    0x10feccdeb <+1307>: subq   %r15, %rax
    0x10feccdee <+1310>: ja     0x10feccf85               ; <+1717>
    0x10feccdf4 <+1316>: leaq   0x3d371(%rip), %rsi       ; nothrow
    0x10feccdfb <+1323>: movl   $0x20, %edi
    0x10fecce00 <+1328>: callq  0x10fda90d0               ; operator new(unsigned long, NoThrow const&)
    0x10fecce05 <+1333>: testq  %rax, %rax
    0x10fecce08 <+1336>: je     0x10feccf2e               ; <+1630>
    0x10fecce0e <+1342>: movq   %rax, %r15
    0x10fecce11 <+1345>: movq   $0x0, 0x18(%rax)
    0x10fecce19 <+1353>: movq   $0x0, 0x10(%rax)
    0x10fecce21 <+1361>: movq   $0x0, 0x8(%rax)
    0x10fecce29 <+1369>: movq   $0x0, (%rax)
    0x10fecce30 <+1376>: leaq   0x3d335(%rip), %rsi       ; nothrow
    0x10fecce37 <+1383>: movl   $0x18, %edi
    0x10fecce3c <+1388>: callq  0x10fda90d0               ; operator new(unsigned long, NoThrow const&)
    0x10fecce41 <+1393>: testq  %rax, %rax
    0x10fecce44 <+1396>: je     0x10feccf07               ; <+1591>
    0x10fecce4a <+1402>: movq   %rbx, -0x48(%rbp)
    0x10fecce4e <+1406>: movq   $0x0, 0x10(%rax)
    0x10fecce56 <+1414>: movq   $0x0, 0x8(%rax)
    0x10fecce5e <+1422>: movq   $0x0, (%rax)
    0x10fecce65 <+1429>: movq   %rax, 0x10(%r15)
    0x10fecce69 <+1433>: movq   $0x0, 0x8(%r15)
    0x10fecce71 <+1441>: movq   $0x0, (%r15)
    0x10fecce78 <+1448>: movq   -0x38(%rbp), %rcx
    0x10fecce7c <+1452>: movq   (%rcx), %rcx
    0x10fecce7f <+1455>: movq   0x8(%rcx), %rcx
    0x10fecce83 <+1459>: movq   (%rcx), %rbx
    0x10fecce86 <+1462>: testq  %rbx, %rbx
    0x10fecce89 <+1465>: movq   %r15, %r14
    0x10fecce8c <+1468>: je     0x10feccef1               ; <+1569>
    0x10fecce8e <+1470>: movq   0x8(%rbx), %r15
    0x10fecce92 <+1474>: movl   0x20(%r15), %ecx
    0x10fecce96 <+1478>: decl   %ecx
    0x10fecce98 <+1480>: movq   %r15, -0x60(%rbp)
    0x10fecce9c <+1484>: movl   %ecx, -0x58(%rbp)
    0x10fecce9f <+1487>: leaq   -0x60(%rbp), %rsi
    0x10feccea3 <+1491>: movq   %rax, %rdi
    0x10feccea6 <+1494>: callq  0x10fed8330               ; SHash<NoRemoveSHashTraits<MapSHashTraits<_EventPipeThreadSessionState*, unsigned int> > >::AddNoThrow(KeyValuePair<_EventPipeThreadSessionState*, unsigned int> const&)
    0x10fecceab <+1499>: movq   (%r15), %rax
    0x10fecceae <+1502>: lock
    0x10fecceaf <+1503>: incl   0x218(%rax)
    0x10fecceb5 <+1509>: movq   (%rbx), %rbx
    0x10fecceb8 <+1512>: testq  %rbx, %rbx
    0x10feccebb <+1515>: je     0x10feccef1               ; <+1569>
    0x10feccebd <+1517>: leaq   -0x60(%rbp), %r15
    0x10feccec1 <+1521>: movq   0x10(%r14), %rdi
    0x10feccec5 <+1525>: movq   0x8(%rbx), %r13
    0x10feccec9 <+1529>: movl   0x20(%r13), %eax
    0x10feccecd <+1533>: decl   %eax
    0x10feccecf <+1535>: movq   %r13, -0x60(%rbp)
    0x10fecced3 <+1539>: movl   %eax, -0x58(%rbp)
    0x10fecced6 <+1542>: movq   %r15, %rsi
    0x10fecced9 <+1545>: callq  0x10fed8330               ; SHash<NoRemoveSHashTraits<MapSHashTraits<_EventPipeThreadSessionState*, unsigned int> > >::AddNoThrow(KeyValuePair<_EventPipeThreadSessionState*, unsigned int> const&)
    0x10feccede <+1550>: movq   (%r13), %rax
    0x10feccee2 <+1554>: lock
    0x10feccee3 <+1555>: incl   0x218(%rax)
    0x10feccee9 <+1561>: movq   (%rbx), %rbx
    0x10fecceec <+1564>: testq  %rbx, %rbx
    0x10fecceef <+1567>: jne    0x10feccec1               ; <+1521>
    0x10feccef1 <+1569>: leaq   -0x60(%rbp), %rdi
    0x10feccef5 <+1573>: callq  0x10faac620               ; QueryPerformanceCounter
    0x10feccefa <+1578>: movq   %r14, %r13
    0x10feccefd <+1581>: testl  %eax, %eax
    0x10fecceff <+1583>: je     0x10feccf38               ; <+1640>
    0x10feccf01 <+1585>: movq   -0x60(%rbp), %rax
    0x10feccf05 <+1589>: jmp    0x10feccf3a               ; <+1642>
    0x10feccf07 <+1591>: movq   $0x0, 0x10(%r15)
    0x10feccf0f <+1599>: movq   $0x0, 0x8(%r15)
    0x10feccf17 <+1607>: movq   $0x0, (%r15)
    0x10feccf1e <+1614>: movq   %r15, %rdi
    0x10feccf21 <+1617>: callq  0x10fed0af0               ; sequence_point_fini(_EventPipeSequencePoint*)
    0x10feccf26 <+1622>: movq   %r15, %rdi
    0x10feccf29 <+1625>: callq  0x10fda9130               ; operator delete(void*)
    0x10feccf2e <+1630>: movq   -0x38(%rbp), %rsi
    0x10feccf32 <+1634>: movq   0x58(%rsi), %rax
    0x10feccf36 <+1638>: jmp    0x10feccf85               ; <+1717>
    0x10feccf38 <+1640>: xorl   %eax, %eax
    0x10feccf3a <+1642>: movq   -0x38(%rbp), %r15
    0x10feccf3e <+1646>: movq   -0x30(%rbp), %r14
    0x10feccf42 <+1650>: movq   -0x48(%rbp), %rbx
    0x10feccf46 <+1654>: movq   %rax, 0x18(%r13)
    0x10feccf4a <+1658>: leaq   0x3d21b(%rip), %rsi       ; nothrow
    0x10feccf51 <+1665>: movl   $0x10, %edi
    0x10feccf56 <+1670>: callq  0x10fda90d0               ; operator new(unsigned long, NoThrow const&)
    0x10feccf5b <+1675>: testq  %rax, %rax
    0x10feccf5e <+1678>: je     0x10fecd05e               ; <+1934>
    0x10feccf64 <+1684>: movq   $0x0, (%rax)
    0x10feccf6b <+1691>: movq   %r13, 0x8(%rax)
    0x10feccf6f <+1695>: movq   %r15, %rsi
    0x10feccf72 <+1698>: movq   0x8(%r15), %rcx
    0x10feccf76 <+1702>: movq   0x10(%rcx), %rdx
    0x10feccf7a <+1706>: movq   %rax, (%rdx)
    0x10feccf7d <+1709>: movq   %rax, 0x10(%rcx)
    0x10feccf81 <+1713>: movq   0x58(%r15), %rax
    0x10feccf85 <+1717>: movq   %rax, 0x50(%rsi)
    0x10feccf89 <+1721>: movq   0x18(%r14), %rax
    0x10feccf8d <+1725>: testq  %rax, %rax
    0x10feccf90 <+1728>: movq   0x10(%rbp), %r14
    0x10feccf94 <+1732>: je     0x10feccfbb               ; <+1771>
    0x10feccf96 <+1734>: movq   0x18(%rax), %rdx
    0x10feccf9a <+1738>: testq  %rdx, %rdx
    0x10feccf9d <+1741>: je     0x10feccfad               ; <+1757>
    0x10feccf9f <+1743>: leaq   0x18(%rax), %rcx
    0x10feccfa3 <+1747>: movq   %rbx, 0x38(%rdx)
    0x10feccfa7 <+1751>: movq   %rdx, 0x30(%rbx)
    0x10feccfab <+1755>: jmp    0x10feccfb5               ; <+1765>
    0x10feccfad <+1757>: movq   %rbx, 0x18(%rax)
    0x10feccfb1 <+1761>: leaq   0x10(%rax), %rcx
    0x10feccfb5 <+1765>: movq   %rbx, (%rcx)
    0x10feccfb8 <+1768>: incl   0x20(%rax)
    0x10feccfbb <+1771>: movq   0x18(%rsi), %rdi
    0x10feccfbf <+1775>: callq  0x10fbc5860               ; SpinLock::ReleaseLock(SpinLock*)
    0x10feccfc4 <+1780>: callq  0x10fedfad0               ; thread-local wrapper routine for EventPipeCoreCLRThreadHolderTLS::g_threadHolderTLS
    0x10feccfc9 <+1785>: movq   (%rax), %rax
    0x10feccfcc <+1788>: movq   (%rax), %r15
    0x10feccfcf <+1791>: movq   0x208(%r15), %rdi
    0x10feccfd6 <+1798>: callq  0x10fbc5720               ; SpinLock::AcquireLock(SpinLock*)
    0x10feccfdb <+1803>: movq   -0x30(%rbp), %rax
    0x10feccfdf <+1807>: movq   0x10(%rax), %rax
    0x10feccfe3 <+1811>: testq  %rax, %rax
    0x10feccfe6 <+1814>: movq   -0x70(%rbp), %rcx
    0x10feccfea <+1818>: je     0x10fecd013               ; <+1859>
    0x10feccfec <+1820>: movl   $0x1, 0x40(%rax)
    0x10feccff3 <+1827>: movq   0x10(%rax), %rdx
    0x10feccff7 <+1831>: addq   $0x7, %rdx
    0x10feccffb <+1835>: andq   $-0x8, %rdx
    0x10feccfff <+1839>: cmpq   %rdx, 0x18(%rax)
    0x10fecd003 <+1843>: jbe    0x10fecd00b               ; <+1851>
    0x10fecd005 <+1845>: movq   %rdx, 0x28(%rax)
    0x10fecd009 <+1849>: jmp    0x10fecd013               ; <+1859>
    0x10fecd00b <+1851>: movq   $0x0, 0x28(%rax)
    0x10fecd013 <+1859>: movq   -0x30(%rbp), %r13
    0x10fecd017 <+1863>: movq   %rbx, 0x10(%r13)
    0x10fecd01b <+1867>: movq   %rbx, %rdi
    0x10fecd01e <+1870>: movq   %r12, %rsi
    0x10fecd021 <+1873>: movq   -0x50(%rbp), %rdx
    0x10fecd025 <+1877>: movq   -0x80(%rbp), %r8
    0x10fecd029 <+1881>: movq   -0x88(%rbp), %r9
    0x10fecd030 <+1888>: pushq  -0x78(%rbp)
    0x10fecd033 <+1891>: pushq  %r14
    0x10fecd035 <+1893>: callq  0x10fecb7e0               ; ep_buffer_write_event(_EventPipeBuffer*, Thread*, _EventPipeSession*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, _EventPipeStackContents*)
    0x10fecd03a <+1898>: addq   $0x10, %rsp
    0x10fecd03e <+1902>: movl   %eax, %ebx
    0x10fecd040 <+1904>: xorb   $0x1, %bl
    0x10fecd043 <+1907>: movl   0x20(%r13), %eax
    0x10fecd047 <+1911>: incl   %eax
    0x10fecd049 <+1913>: movl   %eax, 0x20(%r13)
    0x10fecd04d <+1917>: movq   0x208(%r15), %rdi
    0x10fecd054 <+1924>: callq  0x10fbc5860               ; SpinLock::ReleaseLock(SpinLock*)
    0x10fecd059 <+1929>: jmp    0x10feccd88               ; <+1208>
    0x10fecd05e <+1934>: movq   0x18(%r15), %rdi
    0x10fecd062 <+1938>: callq  0x10fbc5860               ; SpinLock::ReleaseLock(SpinLock*)
    0x10fecd067 <+1943>: movq   %r13, %rdi
    0x10fecd06a <+1946>: callq  0x10fed0af0               ; sequence_point_fini(_EventPipeSequencePoint*)
    0x10fecd06f <+1951>: movq   %r13, %rdi
    0x10fecd072 <+1954>: callq  0x10fda9130               ; operator delete(void*)
    0x10fecd077 <+1959>: movq   -0x68(%rbp), %r15
    0x10fecd07b <+1963>: testq  %r15, %r15
    0x10fecd07e <+1966>: jne    0x10feccd20               ; <+1104>
    0x10fecd084 <+1972>: jmp    0x10feccd3e               ; <+1134>
    0x10fecd089 <+1977>: nopl   (%rax)

Plus all the stacks:

(lldb) bt all
  thread #1, queue = 'com.apple.main-thread'
    frame #0: 0x00007fff718fe882 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff719bf425 libsystem_pthread.dylib`_pthread_cond_wait + 698
    frame #2: 0x000000010fac21f6 libcoreclr.dylib`CorUnix::CPalSynchronizationManager::ThreadNativeWait(CorUnix::_ThreadNativeWaitData*, unsigned int, CorUnix::ThreadWakeupReason*, unsigned int*) + 246
    frame #3: 0x000000010fac1efa libcoreclr.dylib`CorUnix::CPalSynchronizationManager::BlockThread(CorUnix::CPalThread*, unsigned int, bool, bool, CorUnix::ThreadWakeupReason*, unsigned int*) + 458
    frame #4: 0x000000010fac6ffd libcoreclr.dylib`SleepEx + 141
    frame #5: 0x000000010fbd7507 libcoreclr.dylib`Thread::UserSleep(int) + 311
    frame #6: 0x000000010fc21bae libcoreclr.dylib`ThreadNative::Sleep(int) + 158
    frame #7: 0x000000011e8fd5a5
    frame #8: 0x000000010fda8019 libcoreclr.dylib`CallDescrWorkerInternal + 124
    frame #9: 0x000000010fc0f00f libcoreclr.dylib`MethodDescCallSite::CallTargetWorker(unsigned long const*, unsigned long*, int) + 1519
    frame #10: 0x000000010fae97ba libcoreclr.dylib`RunMain(MethodDesc*, short, int*, PtrArray**) + 746
    frame #11: 0x000000010fae9af3 libcoreclr.dylib`Assembly::ExecuteMainMethod(PtrArray**, int) + 387
    frame #12: 0x000000010fb2640d libcoreclr.dylib`CorHost2::ExecuteAssembly(unsigned int, char16_t const*, int, char16_t const**, unsigned int*) + 509
    frame #13: 0x000000010fad30b2 libcoreclr.dylib`coreclr_execute_assembly + 242
    frame #14: 0x000000010fa4c9a7 libhostpolicy.dylib`___lldb_unnamed_symbol137$$libhostpolicy.dylib + 1447
    frame #15: 0x000000010fa4d97e libhostpolicy.dylib`___lldb_unnamed_symbol146$$libhostpolicy.dylib + 270
    frame #16: 0x000000010fa0a8ef libhostfxr.dylib`___lldb_unnamed_symbol492$$libhostfxr.dylib + 1215
    frame #17: 0x000000010fa09be2 libhostfxr.dylib`___lldb_unnamed_symbol490$$libhostfxr.dylib + 786
    frame #18: 0x000000010fa05bea libhostfxr.dylib`___lldb_unnamed_symbol446$$libhostfxr.dylib + 138
    frame #19: 0x000000010f9c32df corescaletest`___lldb_unnamed_symbol156$$corescaletest + 1423
    frame #20: 0x000000010f9c36af corescaletest`___lldb_unnamed_symbol157$$corescaletest + 143
    frame #21: 0x00007fff717bacc9 libdyld.dylib`start + 1
  thread #2
    frame #0: 0x00007fff718fbdfa libsystem_kernel.dylib`mach_msg_trap + 10
    frame #1: 0x00007fff718fc170 libsystem_kernel.dylib`mach_msg + 60
    frame #2: 0x000000010fad0168 libcoreclr.dylib`MachMessage::Receive(unsigned int) + 72
    frame #3: 0x000000010facf38e libcoreclr.dylib`SEHExceptionThread(void*) + 94
    frame #4: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #5: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #3
    frame #0: 0x00007fff71900766 libsystem_kernel.dylib`kevent + 10
    frame #1: 0x000000010fac4814 libcoreclr.dylib`CorUnix::CPalSynchronizationManager::ReadBytesFromProcessPipe(int, unsigned char*, int) + 468
    frame #2: 0x000000010fac3e8f libcoreclr.dylib`CorUnix::CPalSynchronizationManager::WorkerThread(void*) + 127
    frame #3: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #4: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #5: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #4
    frame #0: 0x00007fff719023d6 libsystem_kernel.dylib`poll + 10
    frame #1: 0x000000010fe15053 libcoreclr.dylib`ds_ipc_poll(_DiagnosticsIpcPollHandle*, unsigned long, unsigned int, void (*)(char const*, unsigned int)) + 131
    frame #2: 0x000000010fedcdd1 libcoreclr.dylib`ds_ipc_stream_factory_get_next_available_stream(void (*)(char const*, unsigned int)) + 961
    frame #3: 0x000000010fedacbc libcoreclr.dylib`server_thread(void*) + 732
    frame #4: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #5: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #6: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #5
    frame #0: 0x00007fff718fc6a2 libsystem_kernel.dylib`__open + 10
    frame #1: 0x000000010fe15a5f libcoreclr.dylib`TwoWayPipe::WaitForConnection() + 31
    frame #2: 0x000000010fe0dc73 libcoreclr.dylib`DbgTransportSession::TransportWorker() + 147
    frame #3: 0x000000010fe0c869 libcoreclr.dylib`DbgTransportSession::TransportWorkerStatic(void*) + 9
    frame #4: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #5: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #6: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #6
    frame #0: 0x00007fff718fe882 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff719bf425 libsystem_pthread.dylib`_pthread_cond_wait + 698
    frame #2: 0x000000010fac2213 libcoreclr.dylib`CorUnix::CPalSynchronizationManager::ThreadNativeWait(CorUnix::_ThreadNativeWaitData*, unsigned int, CorUnix::ThreadWakeupReason*, unsigned int*) + 275
    frame #3: 0x000000010fac1efa libcoreclr.dylib`CorUnix::CPalSynchronizationManager::BlockThread(CorUnix::CPalThread*, unsigned int, bool, bool, CorUnix::ThreadWakeupReason*, unsigned int*) + 458
    frame #4: 0x000000010fac68f6 libcoreclr.dylib`CorUnix::InternalWaitForMultipleObjectsEx(CorUnix::CPalThread*, unsigned int, void* const*, int, unsigned int, int, int) + 2102
    frame #5: 0x000000010fac6c02 libcoreclr.dylib`WaitForMultipleObjectsEx + 82
    frame #6: 0x000000010fe0b01a libcoreclr.dylib`DebuggerRCThread::MainLoop() + 186
    frame #7: 0x000000010fe0af00 libcoreclr.dylib`DebuggerRCThread::ThreadProc() + 240
    frame #8: 0x000000010fe0ac9d libcoreclr.dylib`DebuggerRCThread::ThreadProcStatic(void*) + 29
    frame #9: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #10: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #11: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #7
    frame #0: 0x00007fff718fe882 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff719bf425 libsystem_pthread.dylib`_pthread_cond_wait + 698
    frame #2: 0x000000010fac2213 libcoreclr.dylib`CorUnix::CPalSynchronizationManager::ThreadNativeWait(CorUnix::_ThreadNativeWaitData*, unsigned int, CorUnix::ThreadWakeupReason*, unsigned int*) + 275
    frame #3: 0x000000010fac1efa libcoreclr.dylib`CorUnix::CPalSynchronizationManager::BlockThread(CorUnix::CPalThread*, unsigned int, bool, bool, CorUnix::ThreadWakeupReason*, unsigned int*) + 458
    frame #4: 0x000000010fac68f6 libcoreclr.dylib`CorUnix::InternalWaitForMultipleObjectsEx(CorUnix::CPalThread*, unsigned int, void* const*, int, unsigned int, int, int) + 2102
    frame #5: 0x000000010fac6c02 libcoreclr.dylib`WaitForMultipleObjectsEx + 82
    frame #6: 0x000000010fc44841 libcoreclr.dylib`FinalizerThread::WaitForFinalizerEvent(CLREvent*) + 161
    frame #7: 0x000000010fc44933 libcoreclr.dylib`FinalizerThread::FinalizerThreadWorker(void*) + 99
    frame #8: 0x000000010fbd959b libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 315
    frame #9: 0x000000010fbd9bb0 libcoreclr.dylib`ManagedThreadBase::FinalizerBase(void (*)(void*)) + 32
    frame #10: 0x000000010fc44b48 libcoreclr.dylib`FinalizerThread::FinalizerThreadStart(void*) + 248
    frame #11: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #12: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #13: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #8
    frame #0: 0x00007fff718fe882 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff719bf425 libsystem_pthread.dylib`_pthread_cond_wait + 698
    frame #2: 0x000000010fac2213 libcoreclr.dylib`CorUnix::CPalSynchronizationManager::ThreadNativeWait(CorUnix::_ThreadNativeWaitData*, unsigned int, CorUnix::ThreadWakeupReason*, unsigned int*) + 275
    frame #3: 0x000000010fac1efa libcoreclr.dylib`CorUnix::CPalSynchronizationManager::BlockThread(CorUnix::CPalThread*, unsigned int, bool, bool, CorUnix::ThreadWakeupReason*, unsigned int*) + 458
    frame #4: 0x000000010fac6ffd libcoreclr.dylib`SleepEx + 141
    frame #5: 0x000000010fbf80f2 libcoreclr.dylib`ThreadpoolMgr::TimerThreadFire() + 146
    frame #6: 0x000000010fbf7fd5 libcoreclr.dylib`ThreadpoolMgr::TimerThreadStart(void*) + 85
    frame #7: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #8: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #9: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #10
    frame #0: 0x00007fff718fe882 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff719bf425 libsystem_pthread.dylib`_pthread_cond_wait + 698
    frame #2: 0x000000010fac2213 libcoreclr.dylib`CorUnix::CPalSynchronizationManager::ThreadNativeWait(CorUnix::_ThreadNativeWaitData*, unsigned int, CorUnix::ThreadWakeupReason*, unsigned int*) + 275
    frame #3: 0x000000010fac1efa libcoreclr.dylib`CorUnix::CPalSynchronizationManager::BlockThread(CorUnix::CPalThread*, unsigned int, bool, bool, CorUnix::ThreadWakeupReason*, unsigned int*) + 458
    frame #4: 0x000000010fac68f6 libcoreclr.dylib`CorUnix::InternalWaitForMultipleObjectsEx(CorUnix::CPalThread*, unsigned int, void* const*, int, unsigned int, int, int) + 2102
    frame #5: 0x000000010fac6c02 libcoreclr.dylib`WaitForMultipleObjectsEx + 82
    frame #6: 0x000000010fbd5e10 libcoreclr.dylib`Thread::DoAppropriateWaitWorker(int, void**, int, unsigned int, WaitMode) + 720
    frame #7: 0x000000010fbd1430 libcoreclr.dylib`Thread::DoAppropriateWait(int, void**, int, unsigned int, WaitMode, PendingSync*) + 48
    frame #8: 0x000000010fc2ed8c libcoreclr.dylib`WaitHandleNative::CorWaitOneNative(void*, int) + 172
    frame #9: 0x000000011e4680ad
    frame #10: 0x000000011e468cac
    frame #11: 0x000000011e462912
    frame #12: 0x000000011e46dab1
    frame #13: 0x000000011e462a2e
    frame #14: 0x000000010fda8019 libcoreclr.dylib`CallDescrWorkerInternal + 124
    frame #15: 0x000000010fc0f00f libcoreclr.dylib`MethodDescCallSite::CallTargetWorker(unsigned long const*, unsigned long*, int) + 1519
    frame #16: 0x000000010fc1f984 libcoreclr.dylib`ThreadNative::KickOffThread_Worker(void*) + 404
    frame #17: 0x000000010fbd959b libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 315
    frame #18: 0x000000010fbd9b50 libcoreclr.dylib`ManagedThreadBase::KickOff(void (*)(void*), void*) + 32
    frame #19: 0x000000010fc1faff libcoreclr.dylib`ThreadNative::KickOffThread(void*) + 191
    frame #20: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #21: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #22: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #12
    frame #0: 0x00007fff718ff38e libsystem_kernel.dylib`__sendto + 10
    frame #1: 0x000000010fe157de libcoreclr.dylib`ipc_stream_write_func(void*, unsigned char const*, unsigned int, unsigned int*, unsigned int) + 110
    frame #2: 0x000000010feca362 libcoreclr.dylib`ep_block_fast_serialize(_EventPipeBlock*, _FastSerializer*) + 306
    frame #3: 0x000000010fed2faa libcoreclr.dylib`ep_fast_serializer_write_object(_FastSerializer*, _FastSerializableObject*) + 730
    frame #4: 0x000000010fece341 libcoreclr.dylib`ep_file_flush(_EventPipeFile*, EventPipeFileFlushFlags) + 145
    frame #5: 0x000000010fece25d libcoreclr.dylib`ep_file_write_event(_EventPipeFile*, _EventPipeEventInstance*, unsigned long, unsigned int, bool) + 1789
    frame #6: 0x000000010fecd4ca libcoreclr.dylib`ep_buffer_manager_write_all_buffers_to_file_v4(_EventPipeBufferManager*, _EventPipeFile*, long, bool*) + 218
    frame #7: 0x000000010fed4b4e libcoreclr.dylib`ep_session_write_all_buffers_to_file(_EventPipeSession*, bool*) + 206
    frame #8: 0x000000010fed95bf libcoreclr.dylib`streaming_thread(void*) + 191
    frame #9: 0x000000010fed94dd libcoreclr.dylib`ep_rt_thread_coreclr_start_func(void*) + 13
    frame #10: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #11: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #12: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
* thread #13, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x000000010fecc967 libcoreclr.dylib`ep_buffer_manager_write_event(_EventPipeBufferManager*, Thread*, _EventPipeSession*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 151
    frame #1: 0x000000010fed4d34 libcoreclr.dylib`ep_session_write_event(_EventPipeSession*, Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 292
    frame #2: 0x000000010fed7b8a libcoreclr.dylib`write_event_2(Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 234
    frame #3: 0x000000010fed1fff libcoreclr.dylib`ep_write_event_2(_EventPipeEvent*, _EventData*, unsigned int, unsigned char const*, unsigned char const*) + 191
    frame #4: 0x000000010fc4291d libcoreclr.dylib`EventPipeInternal::WriteEventData(long, _EventData*, unsigned int, _GUID const*, _GUID const*) + 61
    frame #5: 0x000000011e90f9ad
    frame #6: 0x000000011e90f53d
    frame #7: 0x000000011e90f0ea
    frame #8: 0x000000011e90e785
    frame #9: 0x000000011e90e744
    frame #10: 0x000000011e462912
    frame #11: 0x000000011e46dab1
    frame #12: 0x000000011e462a2e
    frame #13: 0x000000010fda8019 libcoreclr.dylib`CallDescrWorkerInternal + 124
    frame #14: 0x000000010fc0f00f libcoreclr.dylib`MethodDescCallSite::CallTargetWorker(unsigned long const*, unsigned long*, int) + 1519
    frame #15: 0x000000010fc1f984 libcoreclr.dylib`ThreadNative::KickOffThread_Worker(void*) + 404
    frame #16: 0x000000010fbd959b libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 315
    frame #17: 0x000000010fbd9b50 libcoreclr.dylib`ManagedThreadBase::KickOff(void (*)(void*), void*) + 32
    frame #18: 0x000000010fc1faff libcoreclr.dylib`ThreadNative::KickOffThread(void*) + 191
    frame #19: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #20: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #21: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #14
    frame #0: 0x00007fff718fe882 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff719bf425 libsystem_pthread.dylib`_pthread_cond_wait + 698
    frame #2: 0x000000010fac21f6 libcoreclr.dylib`CorUnix::CPalSynchronizationManager::ThreadNativeWait(CorUnix::_ThreadNativeWaitData*, unsigned int, CorUnix::ThreadWakeupReason*, unsigned int*) + 246
    frame #3: 0x000000010fac1efa libcoreclr.dylib`CorUnix::CPalSynchronizationManager::BlockThread(CorUnix::CPalThread*, unsigned int, bool, bool, CorUnix::ThreadWakeupReason*, unsigned int*) + 458
    frame #4: 0x000000010fac68f6 libcoreclr.dylib`CorUnix::InternalWaitForMultipleObjectsEx(CorUnix::CPalThread*, unsigned int, void* const*, int, unsigned int, int, int) + 2102
    frame #5: 0x000000010fac6ae8 libcoreclr.dylib`PAL_WaitForSingleObjectPrioritized + 72
    frame #6: 0x000000010fc2ef9b libcoreclr.dylib`WaitHandleNative::CorWaitOnePrioritizedNative(void*, int) + 59
    frame #7: 0x000000011e33ee3d
    frame #8: 0x000000011e469396
    frame #9: 0x000000011e46926f
    frame #10: 0x000000011e47d8f5
    frame #11: 0x000000011e462912
    frame #12: 0x000000011e46dab1
    frame #13: 0x000000011e462a2e
    frame #14: 0x000000010fda8019 libcoreclr.dylib`CallDescrWorkerInternal + 124
    frame #15: 0x000000010fc0f00f libcoreclr.dylib`MethodDescCallSite::CallTargetWorker(unsigned long const*, unsigned long*, int) + 1519
    frame #16: 0x000000010fc1f984 libcoreclr.dylib`ThreadNative::KickOffThread_Worker(void*) + 404
    frame #17: 0x000000010fbd959b libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 315
    frame #18: 0x000000010fbd9b50 libcoreclr.dylib`ManagedThreadBase::KickOff(void (*)(void*), void*) + 32
    frame #19: 0x000000010fc1faff libcoreclr.dylib`ThreadNative::KickOffThread(void*) + 191
    frame #20: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #21: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #22: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #15
    frame #0: 0x00007fff718fe882 libsystem_kernel.dylib`__psynch_cvwait + 10
    frame #1: 0x00007fff719bf425 libsystem_pthread.dylib`_pthread_cond_wait + 698
    frame #2: 0x000000010fac21f6 libcoreclr.dylib`CorUnix::CPalSynchronizationManager::ThreadNativeWait(CorUnix::_ThreadNativeWaitData*, unsigned int, CorUnix::ThreadWakeupReason*, unsigned int*) + 246
    frame #3: 0x000000010fac1efa libcoreclr.dylib`CorUnix::CPalSynchronizationManager::BlockThread(CorUnix::CPalThread*, unsigned int, bool, bool, CorUnix::ThreadWakeupReason*, unsigned int*) + 458
    frame #4: 0x000000010fac68f6 libcoreclr.dylib`CorUnix::InternalWaitForMultipleObjectsEx(CorUnix::CPalThread*, unsigned int, void* const*, int, unsigned int, int, int) + 2102
    frame #5: 0x000000010fac6ae8 libcoreclr.dylib`PAL_WaitForSingleObjectPrioritized + 72
    frame #6: 0x000000010fc2ef9b libcoreclr.dylib`WaitHandleNative::CorWaitOnePrioritizedNative(void*, int) + 59
    frame #7: 0x000000011e33ee3d
    frame #8: 0x000000011e469396
    frame #9: 0x000000011e46926f
    frame #10: 0x000000011e47d8f5
    frame #11: 0x000000011e462912
    frame #12: 0x000000011e46dab1
    frame #13: 0x000000011e462a2e
    frame #14: 0x000000010fda8019 libcoreclr.dylib`CallDescrWorkerInternal + 124
    frame #15: 0x000000010fc0f00f libcoreclr.dylib`MethodDescCallSite::CallTargetWorker(unsigned long const*, unsigned long*, int) + 1519
    frame #16: 0x000000010fc1f984 libcoreclr.dylib`ThreadNative::KickOffThread_Worker(void*) + 404
    frame #17: 0x000000010fbd959b libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 315
    frame #18: 0x000000010fbd9b50 libcoreclr.dylib`ManagedThreadBase::KickOff(void (*)(void*), void*) + 32
    frame #19: 0x000000010fc1faff libcoreclr.dylib`ThreadNative::KickOffThread(void*) + 191
    frame #20: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #21: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #22: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #16
    frame #0: 0x00007fff719b09f0 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 240
    frame #1: 0x000000010fb3ff64 libcoreclr.dylib`EECodeManager::EnsureCallerContextIsValid(REGDISPLAY*, StackwalkCacheEntry*, EECodeInfo*) + 68
    frame #2: 0x000000010fbc875b libcoreclr.dylib`StackFrameIterator::CheckForSkippedFrames() + 75
    frame #3: 0x000000010fbc6e0a libcoreclr.dylib`StackFrameIterator::ProcessCurrentFrame() + 410
    frame #4: 0x000000010fbc866e libcoreclr.dylib`StackFrameIterator::NextRaw() + 1710
    frame #5: 0x000000010fbc63b8 libcoreclr.dylib`Thread::StackWalkFramesEx(REGDISPLAY*, StackWalkAction (*)(CrawlFrame*, void*), void*, unsigned int, Frame*) + 424
    frame #6: 0x000000010fbc6833 libcoreclr.dylib`Thread::StackWalkFrames(StackWalkAction (*)(CrawlFrame*, void*), void*, unsigned int, Frame*) + 211
    frame #7: 0x000000010fedf95b libcoreclr.dylib`ep_rt_coreclr_walk_managed_stack_for_thread(Thread*, _EventPipeStackContents*) + 27
    frame #8: 0x000000010feccbf6 libcoreclr.dylib`ep_buffer_manager_write_event(_EventPipeBufferManager*, Thread*, _EventPipeSession*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 806
    frame #9: 0x000000010fed4d34 libcoreclr.dylib`ep_session_write_event(_EventPipeSession*, Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 292
    frame #10: 0x000000010fed7b8a libcoreclr.dylib`write_event_2(Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 234
    frame #11: 0x000000010fed1fff libcoreclr.dylib`ep_write_event_2(_EventPipeEvent*, _EventData*, unsigned int, unsigned char const*, unsigned char const*) + 191
    frame #12: 0x000000010fc4291d libcoreclr.dylib`EventPipeInternal::WriteEventData(long, _EventData*, unsigned int, _GUID const*, _GUID const*) + 61
    frame #13: 0x000000011e90f9ad
    frame #14: 0x000000011e90f53d
    frame #15: 0x000000011e90f0ea
    frame #16: 0x000000011e90e785
    frame #17: 0x000000011e90e744
    frame #18: 0x000000011e462912
    frame #19: 0x000000011e46dab1
    frame #20: 0x000000011e462a2e
    frame #21: 0x000000010fda8019 libcoreclr.dylib`CallDescrWorkerInternal + 124
    frame #22: 0x000000010fc0f00f libcoreclr.dylib`MethodDescCallSite::CallTargetWorker(unsigned long const*, unsigned long*, int) + 1519
    frame #23: 0x000000010fc1f984 libcoreclr.dylib`ThreadNative::KickOffThread_Worker(void*) + 404
    frame #24: 0x000000010fbd959b libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 315
    frame #25: 0x000000010fbd9b50 libcoreclr.dylib`ManagedThreadBase::KickOff(void (*)(void*), void*) + 32
    frame #26: 0x000000010fc1faff libcoreclr.dylib`ThreadNative::KickOffThread(void*) + 191
    frame #27: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #28: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #29: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #17
    frame #0: 0x000000010fb3ff2d libcoreclr.dylib`EECodeManager::EnsureCallerContextIsValid(REGDISPLAY*, StackwalkCacheEntry*, EECodeInfo*) + 13
    frame #1: 0x000000010fbc875b libcoreclr.dylib`StackFrameIterator::CheckForSkippedFrames() + 75
    frame #2: 0x000000010fbc6e0a libcoreclr.dylib`StackFrameIterator::ProcessCurrentFrame() + 410
    frame #3: 0x000000010fbc866e libcoreclr.dylib`StackFrameIterator::NextRaw() + 1710
    frame #4: 0x000000010fbc63b8 libcoreclr.dylib`Thread::StackWalkFramesEx(REGDISPLAY*, StackWalkAction (*)(CrawlFrame*, void*), void*, unsigned int, Frame*) + 424
    frame #5: 0x000000010fbc6833 libcoreclr.dylib`Thread::StackWalkFrames(StackWalkAction (*)(CrawlFrame*, void*), void*, unsigned int, Frame*) + 211
    frame #6: 0x000000010fedf95b libcoreclr.dylib`ep_rt_coreclr_walk_managed_stack_for_thread(Thread*, _EventPipeStackContents*) + 27
    frame #7: 0x000000010feccbf6 libcoreclr.dylib`ep_buffer_manager_write_event(_EventPipeBufferManager*, Thread*, _EventPipeSession*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 806
    frame #8: 0x000000010fed4d34 libcoreclr.dylib`ep_session_write_event(_EventPipeSession*, Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 292
    frame #9: 0x000000010fed7b8a libcoreclr.dylib`write_event_2(Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 234
    frame #10: 0x000000010fed1fff libcoreclr.dylib`ep_write_event_2(_EventPipeEvent*, _EventData*, unsigned int, unsigned char const*, unsigned char const*) + 191
    frame #11: 0x000000010fc4291d libcoreclr.dylib`EventPipeInternal::WriteEventData(long, _EventData*, unsigned int, _GUID const*, _GUID const*) + 61
    frame #12: 0x000000011e90f9ad
    frame #13: 0x000000011e90f53d
    frame #14: 0x000000011e90f0ea
    frame #15: 0x000000011e90e785
    frame #16: 0x000000011e90e744
    frame #17: 0x000000011e462912
    frame #18: 0x000000011e46dab1
    frame #19: 0x000000011e462a2e
    frame #20: 0x000000010fda8019 libcoreclr.dylib`CallDescrWorkerInternal + 124
    frame #21: 0x000000010fc0f00f libcoreclr.dylib`MethodDescCallSite::CallTargetWorker(unsigned long const*, unsigned long*, int) + 1519
    frame #22: 0x000000010fc1f984 libcoreclr.dylib`ThreadNative::KickOffThread_Worker(void*) + 404
    frame #23: 0x000000010fbd959b libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 315
    frame #24: 0x000000010fbd9b50 libcoreclr.dylib`ManagedThreadBase::KickOff(void (*)(void*), void*) + 32
    frame #25: 0x000000010fc1faff libcoreclr.dylib`ThreadNative::KickOffThread(void*) + 191
    frame #26: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #27: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #28: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15
  thread #18
    frame #0: 0x00007fff719b0e08 libsystem_platform.dylib`_platform_bzero$VARIANT$Haswell + 104
    frame #1: 0x000000010fbc67e4 libcoreclr.dylib`Thread::StackWalkFrames(StackWalkAction (*)(CrawlFrame*, void*), void*, unsigned int, Frame*) + 132
    frame #2: 0x000000010fedf95b libcoreclr.dylib`ep_rt_coreclr_walk_managed_stack_for_thread(Thread*, _EventPipeStackContents*) + 27
    frame #3: 0x000000010feccbf6 libcoreclr.dylib`ep_buffer_manager_write_event(_EventPipeBufferManager*, Thread*, _EventPipeSession*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 806
    frame #4: 0x000000010fed4d34 libcoreclr.dylib`ep_session_write_event(_EventPipeSession*, Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 292
    frame #5: 0x000000010fed7b8a libcoreclr.dylib`write_event_2(Thread*, _EventPipeEvent*, _EventPipeEventPayload*, unsigned char const*, unsigned char const*, Thread*, _EventPipeStackContents*) + 234
    frame #6: 0x000000010fed1fff libcoreclr.dylib`ep_write_event_2(_EventPipeEvent*, _EventData*, unsigned int, unsigned char const*, unsigned char const*) + 191
    frame #7: 0x000000010fc4291d libcoreclr.dylib`EventPipeInternal::WriteEventData(long, _EventData*, unsigned int, _GUID const*, _GUID const*) + 61
    frame #8: 0x000000011e90f9ad
    frame #9: 0x000000011e90f53d
    frame #10: 0x000000011e90f0ea
    frame #11: 0x000000011e90e785
    frame #12: 0x000000011e90e744
    frame #13: 0x000000011e462912
    frame #14: 0x000000011e46dab1
    frame #15: 0x000000011e462a2e
    frame #16: 0x000000010fda8019 libcoreclr.dylib`CallDescrWorkerInternal + 124
    frame #17: 0x000000010fc0f00f libcoreclr.dylib`MethodDescCallSite::CallTargetWorker(unsigned long const*, unsigned long*, int) + 1519
    frame #18: 0x000000010fc1f984 libcoreclr.dylib`ThreadNative::KickOffThread_Worker(void*) + 404
    frame #19: 0x000000010fbd959b libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 315
    frame #20: 0x000000010fbd9b50 libcoreclr.dylib`ManagedThreadBase::KickOff(void (*)(void*), void*) + 32
    frame #21: 0x000000010fc1faff libcoreclr.dylib`ThreadNative::KickOffThread(void*) + 191
    frame #22: 0x000000010facd14a libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 426
    frame #23: 0x00007fff719bf109 libsystem_pthread.dylib`_pthread_start + 148
    frame #24: 0x00007fff719bab8b libsystem_pthread.dylib`thread_start + 15

[lateralusX]

Think I pinpointed the issue, it is a race between TLS Thread holder doing free on destructor when a thread terminates (in this case the streaming thread) and a call disabling a session, iterating all threads in thread list. The disable thread will get a copy of all threads (done while holding lock and addref each thread) in list and then iterate them, but since thread calling release from destructor does the atomic decrement without holding the lock and then takes lock and remove itself from list opens up for a race where a thread on the list is about to be destructed, thread calling release hit refcount to 0, but disable thread takes copies of all threads and bumps refcount back to 1 just before thread calling release takes lock, removes thread from list and free thread. This results in disable thread holding a copy of a freed thread, that in turn will cause random side effects.

Looks like the same race exists in the C++ implementation. I will see if I can implement a fix in the C library to begin with and based on outcome we can probably do the same fix in C++.

So we probably need to split the concept of having a reference to an EventPipeThread object, handling lifetime of object instances and the add/remove from the global thread list in EventPipe. Since a thread can die at any time, triggering the TLS destructor it already means we can have EventPipeThread objects out living the physical thread. So instead of removing the thread from the list as part of hitting a 0 ref count as part of EventPipeThread::Release, we should move that logic into the lifetime of the thread (tracked by our EventPipeThreadHolder thread_local), meaning that we first remove from thread from the list in thread_local gCurrentEventPipeThreadHolder destructor and then decrement ref count, that will prevent us from hitting ref count 0 just before another thread takes copy of list ending up with a thread about to be deleted from the list and freed. I will experiment with that fix.

[josalem]

it is a race between TLS Thread holder doing free on destructor when a thread terminates (in this case the streaming thread) and a call disabling a session

This AV isn't happening on session end or process end. This is happening in the middle of a session, typically immediately upon session start. The assert in #46159 happens on process end while a session is open. The streaming thread shouldn't have a an EventPipeThread on it since it shouldn't be writing events to the buffers. An EventPipeThread gets created for a thread on the first attempt to write an event.

It's possible these have similar causes, but the assert is definitely related to process shutdown while this one is mid-session with the process running.

So we probably need to split the concept of having a reference to an EventPipeThread object, handling lifetime of object instances and the add/remove from the global thread list in EventPipe.

I believe this is the case for the C++ implementation already. The EventPipeThread objects explicitly live longer than the physical thread they belonged to due to a reference in EventPipeThreadSessionState:

runtime/src/coreclr/vm/eventpipethread.h

Line 28 in 69e114c

EventPipeThreadHolder m_pThread;

EventPipeThreadSessionStates don't get cleaned up till a session ends because they belong to the EventPipeBufferManager if I recall correctly.

[lateralusX]

There is a scenario where we could end up in unbalanced ref count when writing events into the stream as well, when that happens you will have the same effect as the race during shutdown.

[lateralusX]

The C++ code removes the thread from global thread list when ref count hits 0, so it has the same potentially race condition between the TLS destructor and copy of threads into the EventPipeSession::SuspendWriteEvent. If a thread terminates and the destruct gets executed it will do EventPipeThread::Release that first does a decrement of the ref count and if it hits 0 it will take lock and remove thread from list, then delete thread. if EventPipeSession::SuspendWriteEvent happens to do the copy just after EventPipeThread::Release has decremented ref count, it will just do AddRef, but since EventPipeThread::Release will detect that it actually hit 0, it will continue on freeing the thread, that EventPipeSession::SuspendWriteEvent has in its list.

When I looked a little deeper into this I realize that the issue is between the disable thread and the streaming thread. That is a difference between the two libraries. The C library called ep_thread_get_or_create to get a reference to the ipc streaming thread in ipc_streaming_thread. That in turn added the thread to the list, exposing the race described above. On C++ library m_pIpcStreamingThread is the underlying CoreClr Thread object, so it won't be added to EventPipe threads, so it won't expose this race. Since this was initially ported, the need for the ipc_streaming_thread has been removed from shared library and pushed into shim, so we could probably eliminate it and avoid this race. But since the race between the list and the ref count is still there I will also change that in the C library, but then I believe it's currently not exploitable under C++ library.

[lateralusX]

The other issue I found that can be hit any time during runtime, when ep_buffer_manager_write_all_buffers_to_file_v4 hitting scenario where we do AddOrReplace in C++ code in ep_rt_thread_sequence_number_map. The CoreClr shim implementation of that method ended up as a Add and since the code didn't refcount thread on add into the hash map, you will end up in unbalanced ref count on thread. I believe that is an issue in C++ library as well, but most likely it will hit the replace scenario, meaning that the original add into the map already have done an addref on the thread in the session state, but in the C library it always hit add, so exposed the issue. I will explicitly add add_or_replace into the C library and use it in that code path to make it explicit. I will also fix the case where we do an add instead of replace and make sure we ref count the thread added to the hash map.

[lateralusX]

Fixes seems to have positive impact on Windows, won't be able to repro issues running 8 threads writing events into a dotnet-trace session. Will collect changes into PR tomorrow morning.

[lateralusX]

PR addressing both identified AV and assert, #46193.