[Android] .Net 10.0.102 random crash with SIGSEGV in sgen

[juwens]

Description

* thread #1
  * frame #0: 0x0000007c70d3dfb8 libart.so`art_sigsegv_fault
    frame #1: 0x0000007c70d3db58 libart.so`art::FaultManager::HandleSigsegvFault(int, siginfo*, void*) - 18446743539240674471
    frame #2: 0x0000007f376a1c8c libsigchain.so`art::SignalChain::Handler(int, siginfo*, void*) + 372
    frame #3: 0x0000007f397d9860 [vdso]`__kernel_rt_sigreturn
    frame #4: 0x0000007bcc9632b8 libmonosgen-2.0.so`push_object [inlined] bridge_object_forward(obj=0x0000000000001000) at sgen-tarjan-bridge.c:373:7
    frame #5: 0x0000007bcc9632b8 libmonosgen-2.0.so`push_object(obj=0x0000000000001000) at sgen-tarjan-bridge.c:607:8
    frame #6: 0x0000007bcc961d50 libmonosgen-2.0.so`processing_stw_step [inlined] push_all(data=<unavailable>) at sgen-scan-object.h:59:3
    frame #7: 0x0000007bcc961d38 libmonosgen-2.0.so`processing_stw_step [inlined] dfs at sgen-tarjan-bridge.c:892:4
    frame #8: 0x0000007bcc961af4 libmonosgen-2.0.so`processing_stw_step at sgen-tarjan-bridge.c:1028:4
    frame #9: 0x0000007bcc95dba8 libmonosgen-2.0.so`sgen_bridge_processing_stw_step at sgen-bridge.c:224:2
    frame #10: 0x0000007bcc97bd5c libmonosgen-2.0.so`finish_gray_stack [inlined] sgen_client_bridge_processing_stw_step at sgen-client-mono.h:239:2
    frame #11: 0x0000007bcc97bd58 libmonosgen-2.0.so`finish_gray_stack(generation=0, ctx=ScanCopyContext @ 0x000001ba12e13d10) at sgen-gc.c:1191:3
    frame #12: 0x0000007bcc97ae88 libmonosgen-2.0.so`collect_nursery(reason="Nursery full", is_overflow=0) at sgen-gc.c:1930:2
    frame #13: 0x0000007bcc977370 libmonosgen-2.0.so`sgen_perform_collection [inlined] sgen_perform_collection_inner(requested_size=<unavailable>, generation_to_collect=<unavailable>, reason=<unavailable>, forced_serial=<unavailable>, stw=<unavailable>) at sgen-gc.c:2650:7
    frame #14: 0x0000007bcc97719c libmonosgen-2.0.so`sgen_perform_collection(requested_size=4096, generation_to_collect=0, reason="Nursery full", forced_serial=0, stw=1) at sgen-gc.c:2739:2
    frame #15: 0x0000007bcc977158 libmonosgen-2.0.so`sgen_ensure_free_space(size=4096, generation=-270389504) at sgen-gc.c:2616:2
    frame #16: 0x0000007bcc97398c libmonosgen-2.0.so`sgen_alloc_obj_nolock(vtable=0xb400007ce3c95a28, size=128) at sgen-alloc.c:279:6
    frame #17: 0x0000007bcc973e50 libmonosgen-2.0.so`sgen_alloc_obj(vtable=0xb400007ce3c95a28, size=128) at sgen-alloc.c:454:8
    frame #18: 0x0000007bcc965824 libmonosgen-2.0.so`mono_gc_alloc_obj(vtable=<unavailable>, size=<unavailable>) at sgen-mono.c:690:20
    frame #19: 546325651364 (wrapper managed-to-native) object:__icall_wrapper_mono_gc_alloc_obj (intptr,intptr) [{0xb400007ce35fa1b0} + 0x74]  (0x7f338bdf30 0x7f338be008) [0xb400007d3356ebb0 - RootDomain]
    frame #20: 546350011060 (wrapper alloc) object:AllocSmall (intptr,intptr) [{0xb400007ce35f9bd0} + 0xfc]  (0x7f34ff91b8 0x7f34ff92d0) [0xb400007d3356ebb0 - RootDomain]
    frame #21: 533639199944 Microsoft.AspNetCore.Components.WebView.WebViewManager:MessageReceived (System.Uri,string) [{0xb400007cebe23868} + 0x138]  (0x7c3f5ffb90 0x7c3f5ffd88) [0xb400007d3356ebb0 - RootDomain]
    frame #22: 533639199456 Microsoft.AspNetCore.Components.WebView.Maui.AndroidWebKitWebViewManager:<SetUpMessageChannel>b__16_0 (string) [{0xb400007cebe02760} + 0x48]  (0x7c3f5ffa98 0x7c3f5ffaec) [0xb400007d3356ebb0 - RootDomain]
    frame #23: 533639198848 Microsoft.AspNetCore.Components.WebView.Maui.AndroidWebKitWebViewManager/BlazorWebMessageCallback:OnMessage (Android.Webkit.WebMessagePort,Android.Webkit.WebMessage) [{0xb400007cebe02800} + 0x88]  (0x7c3f5ff7f8 0x7c3f5ff8cc) [0xb400007d3356ebb0 - RootDoma"..
    frame #24: 533639197956 Android.Webkit.WebMessagePort/WebMessageCallback:n_OnMessage_Landroid_webkit_WebMessagePort_Landroid_webkit_WebMessage_ (intptr,intptr,intptr,intptr) [{0xb400007cec0f6e58} + 0xec]  (0x7c3f5ff418 0x7c3f5ff5e0) [0xb400007d3356ebb0 - RootDomain]
    frame #25: 533639184376 (wrapper native-to-managed) Android.Webkit.WebMessagePort/WebMessageCallback:n_OnMessage_Landroid_webkit_WebMessagePort_Landroid_webkit_WebMessage_ (intptr,intptr,intptr,intptr) [{0xb400007cec0f6ee8} + 0x68]  (0x7c3f5fbf90 0x7c3f5fc034) [0xb400007d3356ebb"..

Reproduction Steps

At random places in our LOB app.

Expected behavior

App should not be crashed by runtime/sgen

Actual behavior

App app crashes due to error in runtime/sgen

Regression?

Not really. We've seen these crashes in .Net 8, and it was promised in the corresponding Tickets that the issues have been fixed with .Net 10.

Known Workarounds

none

Configuration

• .Net 10.0.102
• Android 16
• ARM64
• Pixel 7a

Other information

No response

[dotnet-policy-service]

Tagging subscribers to 'arch-android': @vitek-karas, @simonrozsival, @steveisok, @akoeplinger
See info in area-owners.md if you want to be subscribed.

[dotnet-policy-service]

Tagging subscribers to this area: @BrzVlad
See info in area-owners.md if you want to be subscribed.

[BrzVlad]

This crash doesn't really seem related to the other tarjan bridge crashes that you were referring. It rather looks like memory corruption inside managed objects. Did you try to see whether using the new bridge fixes these crashes ?

[MihuBot]

I'm a bot. Here is a possible related and/or duplicate issue (I may be wrong):

• # Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr ************ in tid **** (SGen worker) #105389