Skip to content

Fix DynamicMethodDesc::Destroy vs code heap enumeration race #713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
janvorli merged 1 commit into from
Dec 10, 2019
Merged

Fix DynamicMethodDesc::Destroy vs code heap enumeration race #713

janvorli merged 1 commit into from
Dec 10, 2019

Conversation

@janvorli
Copy link
Member

@janvorli janvorli commented Dec 9, 2019

There is a race between DynamicMethodDesc::Destroy called from
the finalizer thread and the MethodDescs enumeration called from
ETW::MethodLog::SendEventsForJitMethods at process exit.
DynamicMethodDesc::Destroy cleanos up its members m_pSig and
m_pszMethodName and then it calls GetLCGMethodResolver()->Destroy();
That calls EEJitManager::FreeCodeMemory, which tries to take the
m_CodeHeapCritSec lock. But this lock is already held by
the ETW::MethodLog::SendEventsForJitMethods.
So the iterator can see half-destroyed DynamicMethodDesc and
a crash happens when trying to get the dynamic method name
from the m_pszMethodName for the ETW event purposes.

The fix is to call the GetLCGMethodResolver()->Destroy() before
destroying the m_pSig and m_pszMethodName.

@janvorli
Fix DynamicMethodDesc::Destroy vs code heap enumeration race
bd3814b 
There is a race between DynamicMethodDesc::Destroy called from
the finalizer thread and the MethodDescs enumeration called from
ETW::MethodLog::SendEventsForJitMethods at process exit.
DynamicMethodDesc::Destroy cleanos up its members m_pSig and
m_pszMethodName and then it calls GetLCGMethodResolver()->Destroy();
That calls EEJitManager::FreeCodeMemory, which tries to take the
m_CodeHeapCritSec lock. But this lock is already held by
the ETW::MethodLog::SendEventsForJitMethods.
So the iterator can see half-destroyed DynamicMethodDesc and
a crash happens when trying to get the dynamic method name
from the m_pszMethodName for the ETW event purposes.

The fix is to call the GetLCGMethodResolver()->Destroy() before
destroying the m_pSig and m_pszMethodName.
@janvorli janvorli added this to the 5.0 milestone Dec 9, 2019
@janvorli janvorli requested a review from jkotas December 9, 2019 22:53
@janvorli janvorli merged commit bd920ac into dotnet:master Dec 10, 2019
@janvorli janvorli deleted the fix-dynamic-method-desc-destroy-race branch December 10, 2019 11:52
@yaananth yaananth mentioned this pull request Apr 21, 2020
Closed
@janvorli janvorli mentioned this pull request Apr 27, 2020
Merged
@ghost ghost locked as resolved and limited conversation to collaborators Dec 11, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jkotas jkotas jkotas approved these changes

Assignees

No one assigned

Labels

area-VM-coreclr

Projects

None yet

Milestone

5.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@janvorli @jkotas