mono sgen problem

[srxqds]

we have hit the sgen proble when gc collection, the whole call stack show below :

>	mono-2.0-sgen.dll!copy_object_no_checks(_MonoObject * obj, _SgenGrayQueue * queue) Line 69	C
 	[Inline Frame] mono-2.0-sgen.dll!major_copy_or_mark_object_with_evacuation(_MonoObject * * obj, _MonoObject *) Line 86	C
 	mono-2.0-sgen.dll!major_scan_object_with_evacuation(_MonoObject * full_object, unsigned __int64 desc, _SgenGrayQueue * queue) Line 64	C
 	[Inline Frame] mono-2.0-sgen.dll!SGEN_LOAD_VTABLE_UNCHECKED(_MonoObject *) Line 23	C
 	[Inline Frame] mono-2.0-sgen.dll!sgen_safe_object_get_size(_MonoObject *) Line 757	C
 	mono-2.0-sgen.dll!sgen_cardtable_scan_object(_MonoObject * obj, unsigned __int64 block_obj_size, unsigned char * cards, ScanCopyContext ctx) Line 594	C
 	mono-2.0-sgen.dll!scan_card_table_for_block(_MSBlockInfo * block, CardTableScanType scan_type, ScanCopyContext ctx) Line 2625	C
 	mono-2.0-sgen.dll!major_scan_card_table(CardTableScanType scan_type, ScanCopyContext ctx, int job_index, int job_split_count, int block_count) Line 2667	C
 	mono-2.0-sgen.dll!job_scan_major_mod_union_card_table(void * worker_data_untyped, _SgenThreadPoolJob * job) Line 1483	C
 	mono-2.0-sgen.dll!sgen_workers_enqueue_job(int generation, _SgenThreadPoolJob * job, int enqueue) Line 185	C
 	mono-2.0-sgen.dll!major_copy_or_mark_from_roots(_SgenGrayQueue * gc_thread_gray_queue, unsigned __int64 * old_next_pin_slot, CopyOrMarkFromRootsMode mode, SgenObjectOperations * object_ops_nopar, SgenObjectOperations * object_ops_par) Line 2107	C
 	mono-2.0-sgen.dll!major_finish_collection(_SgenGrayQueue * gc_thread_gray_queue, const char * reason, int is_overflow, unsigned __int64 old_next_pin_slot, int forced) Line 2212	C
 	[Inline Frame] mono-2.0-sgen.dll!major_finish_concurrent_collection(int) Line 2460	C
 	mono-2.0-sgen.dll!sgen_perform_collection_inner(unsigned __int64 requested_size, int generation_to_collect, const char * reason, int forced_serial, int stw) Line 2549	C
 	[Inline Frame] mono-2.0-sgen.dll!sgen_perform_collection(unsigned __int64) Line 2636	C
 	mono-2.0-sgen.dll!sgen_ensure_free_space(unsigned __int64 size, int generation) Line 2511	C
 	mono-2.0-sgen.dll!sgen_alloc_obj_nolock(MonoVTable * vtable, unsigned __int64 size) Line 241	C
 	mono-2.0-sgen.dll!mono_gc_alloc_vector(MonoVTable * vtable, unsigned __int64 size, unsigned __int64 max_length) Line 1317	C

the vt is nullptr

static MONO_NEVER_INLINE GCObject *
copy_object_no_checks (GCObject *obj, SgenGrayQueue *queue)
{
	GCVTable vt = SGEN_LOAD_VTABLE_UNCHECKED (obj);
	gboolean has_references = SGEN_VTABLE_HAS_REFERENCES (vt);

how can I figure out the reason about it, can you give some advice or tricks to find what's wrong with it.

[srxqds]

or any debug settings?

Tagging subscribers to this area: @BrzVlad
See info in area-owners.md if you want to be subscribed.

Issue Details

---

we have hit the sgen proble when gc collection, the whole call stack show below :

>	mono-2.0-sgen.dll!copy_object_no_checks(_MonoObject * obj, _SgenGrayQueue * queue) Line 69	C
 	[Inline Frame] mono-2.0-sgen.dll!major_copy_or_mark_object_with_evacuation(_MonoObject * * obj, _MonoObject *) Line 86	C
 	mono-2.0-sgen.dll!major_scan_object_with_evacuation(_MonoObject * full_object, unsigned __int64 desc, _SgenGrayQueue * queue) Line 64	C
 	[Inline Frame] mono-2.0-sgen.dll!SGEN_LOAD_VTABLE_UNCHECKED(_MonoObject *) Line 23	C
 	[Inline Frame] mono-2.0-sgen.dll!sgen_safe_object_get_size(_MonoObject *) Line 757	C
 	mono-2.0-sgen.dll!sgen_cardtable_scan_object(_MonoObject * obj, unsigned __int64 block_obj_size, unsigned char * cards, ScanCopyContext ctx) Line 594	C
 	mono-2.0-sgen.dll!scan_card_table_for_block(_MSBlockInfo * block, CardTableScanType scan_type, ScanCopyContext ctx) Line 2625	C
 	mono-2.0-sgen.dll!major_scan_card_table(CardTableScanType scan_type, ScanCopyContext ctx, int job_index, int job_split_count, int block_count) Line 2667	C
 	mono-2.0-sgen.dll!job_scan_major_mod_union_card_table(void * worker_data_untyped, _SgenThreadPoolJob * job) Line 1483	C
 	mono-2.0-sgen.dll!sgen_workers_enqueue_job(int generation, _SgenThreadPoolJob * job, int enqueue) Line 185	C
 	mono-2.0-sgen.dll!major_copy_or_mark_from_roots(_SgenGrayQueue * gc_thread_gray_queue, unsigned __int64 * old_next_pin_slot, CopyOrMarkFromRootsMode mode, SgenObjectOperations * object_ops_nopar, SgenObjectOperations * object_ops_par) Line 2107	C
 	mono-2.0-sgen.dll!major_finish_collection(_SgenGrayQueue * gc_thread_gray_queue, const char * reason, int is_overflow, unsigned __int64 old_next_pin_slot, int forced) Line 2212	C
 	[Inline Frame] mono-2.0-sgen.dll!major_finish_concurrent_collection(int) Line 2460	C
 	mono-2.0-sgen.dll!sgen_perform_collection_inner(unsigned __int64 requested_size, int generation_to_collect, const char * reason, int forced_serial, int stw) Line 2549	C
 	[Inline Frame] mono-2.0-sgen.dll!sgen_perform_collection(unsigned __int64) Line 2636	C
 	mono-2.0-sgen.dll!sgen_ensure_free_space(unsigned __int64 size, int generation) Line 2511	C
 	mono-2.0-sgen.dll!sgen_alloc_obj_nolock(MonoVTable * vtable, unsigned __int64 size) Line 241	C
 	mono-2.0-sgen.dll!mono_gc_alloc_vector(MonoVTable * vtable, unsigned __int64 size, unsigned __int64 max_length) Line 1317	C

the vt is nullptr

static MONO_NEVER_INLINE GCObject *
copy_object_no_checks (GCObject *obj, SgenGrayQueue *queue)
{
	GCVTable vt = SGEN_LOAD_VTABLE_UNCHECKED (obj);
	gboolean has_references = SGEN_VTABLE_HAS_REFERENCES (vt);

how can I figure out the reason about it, can you give some advice or tricks to find what's wrong with it.

Author:	srxqds
Assignees:	-
Labels:	untriaged, area-GC-mono, needs-area-label
Milestone:	-

[srxqds]

hi, @lambdageek @BrzVlad can you help me?
are there any settings to help me check this problem?
it's not reproduced stable but more common

[BrzVlad]

Seems like a missing write barrier. You could try running with MONO_GC_DEBUG=check-remset-consistency. This will look up missing cards for major->minor references.

Concurrent collector requires also marking cards for major->major references. Running with MONO_GC_PARAMS=major=marksweep might make the crash go away.

The crash seems to happen during a collection compacting the heap. MONO_GC_PARAMS=no-evacuation might also influence the crash.

[srxqds]

Seems like a missing write barrier. You could try running with MONO_GC_DEBUG=check-remset-consistency. This will look up missing cards for major->minor references.

Concurrent collector requires also marking cards for major->major references. Running with MONO_GC_PARAMS=major=marksweep might make the crash go away.

The crash seems to happen during a collection compacting the heap. MONO_GC_PARAMS=no-evacuation might also influence the crash.

we are using default gc settings

[steveisok]

@srxqds what's the environment where you're hitting this? Am I right in assuming .NET 8?

[srxqds]

@srxqds what's the environment where you're hitting this? Am I right in assuming .NET 8?

we are using the mono-6.0 version from mono/mono, the dotnet/runtime 7.0 version seams also have this problem.

so I need to find out what's the problem. I will try the advice from @BrzVlad

[srxqds]

hi, @BrzVlad When I use MONO_GC_DEBUG=check-remset-consistency, it check failed

2023-05-02 08:50:44 Fragment creation: 33468 usecs, 146856 bytes available
2023-05-02 08:50:44 Heap size: 118281840, LOS size: 75502064
2023-05-02 08:50:44 nursery collection didn't find enough room for 4096 alloc (0 pinned)
2023-05-02 08:50:44 restarted (pause time: 124169 usec, max: 226658)
2023-05-02 08:51:50 Start nursery collection 58 000001FA82000000-000001FA82400000, size: 4194304
2023-05-02 08:51:50 Scanning pinned roots (1672887 bytes, 3195/18 entries)
2023-05-02 08:51:50 Begin heap consistency check...
2023-05-02 08:51:50 Oldspace->newspace reference 000001FA8210C8C8 at offset 256 in object 000002029AC7CCB8 (UnrealEngine.Game.UI.UUI_CommonClick) not found in remsets.
2023-05-02 08:51:50 Oldspace->newspace reference 000001FA8210C8C8 at offset 256 in object 000002029AC7CE00 (UnrealEngine.Game.UI.UUI_CommonClick) not found in remsets.
2023-05-02 08:51:50 Heap consistency check done.

[BrzVlad]

This basically means that, into an object of type UnrealEngine.Game.UI.UUI_CommonClick at offset of 256 a object reference is stored without the proper write barrier. You could figure out the field from C# definition, although it would be best if you could break in the debugger when this heap check fails so you can investigate the type of the object in the nursery. You would want then to lookup into the code base to see where this storing happens and what goes wrong. Especially if this is done in native code.