[GCStress] JIT/Methodical/tailcall/_il_dbgreference_i Assert failure SanityCheck() #41555

Closed
echesakov opened this issue Aug 29, 2020 · 16 comments · Fixed by #41815
Labels: arch-arm32, area-CodeGen-coreclr (CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI), GCStress, os-linux (Linux OS, any supported distro)

Comments

@echesakov (Contributor):

export COMPlus_TieredCompilation=0
export COMPlus_DbgEnableMiniDump=1
export COMPlus_DbgMiniDumpName=$HELIX_DUMP_FOLDER/coredump.%d.dmp
export COMPlus_GCStress=0xC

    JIT/Methodical/tailcall/_il_dbgreference_i/_il_dbgreference_i.sh [FAIL]
      Unhandled exception. 
      Assert failure(PID 2769 [0x00000ad1], Thread: 2769 [0x0ad1]): SanityCheck()
          File: /__w/1/s/src/coreclr/src/vm/methodtable.cpp Line: 9367
          Image: /root/helix/work/correlation/corerun
      
      /root/helix/work/workitem/JIT/Methodical/tailcall/_il_dbgreference_i/_il_dbgreference_i.sh: line 356:  2769 Aborted                 $LAUNCHER $ExePath "${CLRTestExecutionArguments[@]}"
      
      Return code:      1
      Raw output file:      /root/helix/work/workitem/JIT/Methodical/Reports/JIT.Methodical/tailcall/_il_dbgreference_i/_il_dbgreference_i.output.txt
      Raw output:
      BEGIN EXECUTION
      /root/helix/work/correlation/corerun _il_dbgreference_i.dll ''
      2 Gathering state for process 2769 corerun
      Writing minidump with heap to file /home/helixbot/dotnetbuild/dumps/coredump.2769.dmp
      Written 55345152 bytes (13512 pages) to core file
      Dump successfully written
      Expected: 100
      Actual: 134
      END EXECUTION - FAILED

https://dev.azure.com/dnceng/public/_build/results?buildId=793659&view=results
https://helix.dot.net/api/2019-06-17/jobs/d2e0c1f9-e5dc-4d0c-9252-d4f2d7fe271c/workitems/JIT.Methodical/console

@echesakov echesakov added arch-arm32 os-linux Linux OS (any supported distro) GCStress area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI labels Aug 29, 2020
@Dotnet-GitSync-Bot Dotnet-GitSync-Bot added the untriaged New issue has not been triaged by the area owner label Aug 29, 2020
@BruceForstall BruceForstall added this to the 5.0.0 milestone Aug 31, 2020
@BruceForstall BruceForstall removed the untriaged New issue has not been triaged by the area owner label Aug 31, 2020
@BruceForstall BruceForstall self-assigned this Aug 31, 2020
@BruceForstall (Member):

Between two runs of gcstress0x3-gcstress0xc and gcstress-extra, I grabbed four core dumps.

I was able to repro on Windows arm32, but not under a debugger (at least not yet).

I finally got a stack trace from gdb from a core dump:

(gdb) bt
#0  __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:46
#1  0xe8f01caa in __waitpid (pid=0xb0d, stat_loc=0xffe3f150, options=0x0) at ../sysdeps/unix/sysv/linux/waitpid.c:30
#2  0xe8a3a974 in PROCCreateCrashDump (argv=<optimized out>) at /__w/1/s/src/coreclr/src/pal/src/thread/process.cpp:3336
#3  0xe8a38ad0 in PROCAbort () at /__w/1/s/src/coreclr/src/pal/src/thread/process.cpp:3471
#4  0xe8a3899c in RaiseFailFastException (pExceptionRecord=<optimized out>, pContextRecord=<optimized out>, dwFlags=<optimized out>) at /__w/1/s/src/coreclr/src/pal/src/thread/process.cpp:1395
#5  0xe88da38a in TerminateOnAssert () at /__w/1/s/src/coreclr/src/utilcode/debug.cpp:189
#6  _DbgBreakCheck (szFile=0xe8a915c6 "/__w/1/s/src/coreclr/src/vm/methodtable.cpp", iLine=0x2497, szExpr=0xe8b05722 "SanityCheck()", fConstrained=<optimized out>) at /__w/1/s/src/coreclr/src/utilcode/debug.cpp:424
#7  0xe88da822 in _DbgBreakCheckNoThrow (szFile=0xe8a915c6 "/__w/1/s/src/coreclr/src/vm/methodtable.cpp", iLine=0x2497, szExpr=0xe8b05722 "SanityCheck()", fConstrained=0x0) at /__w/1/s/src/coreclr/src/utilcode/debug.cpp:534
#8  0xe88daaec in DbgAssertDialog (szFile=0xe8a915c6 "/__w/1/s/src/coreclr/src/vm/methodtable.cpp", iLine=0x2497, szExpr=0x0) at /__w/1/s/src/coreclr/src/pal/inc/pal.h:3341
#9  0xe869e070 in MethodTable::Validate (this=0xdec21a8) at /__w/1/s/src/coreclr/src/vm/methodtable.cpp:9370
#10 0xe86a0e10 in Object::ValidateInner (this=0xe2e1ff64, bDeep=0x1, bVerifyNextHeader=0x1, bVerifySyncBlock=0x1) at /__w/1/s/src/coreclr/src/vm/object.cpp:542
#11 0xe889bd48 in WKS::GCHeap::Promote (ppObject=0xffe42150, sc=<optimized out>, flags=0x1) at /__w/1/s/src/coreclr/src/gc/gc.cpp:36336
#12 0xe883ab3a in GcInfoDecoder::ReportSlotToGC (this=<optimized out>, slotDecoder=..., slotIndex=<optimized out>, pRD=<optimized out>, reportScratchSlots=<optimized out>, inputFlags=<optimized out>, pCallBack=<optimized out>,
    hCallBack=<optimized out>) at /__w/1/s/src/coreclr/src/inc/gcinfodecoder.h:678
#13 GcInfoDecoder::ReportUntrackedSlots (this=0xffe3f4b8, slotDecoder=..., pRD=0xffe3f990, inputFlags=0x0, pCallBack=0xe8769ae1 <GcEnumObject(void*, OBJECTREF*, unsigned int)>, hCallBack=0xffe3ff74)
    at /__w/1/s/src/coreclr/src/vm/gcinfodecoder.cpp:1019
#14 GcInfoDecoder::EnumerateLiveSlots (this=0xffe3f4b8, pRD=0xffe3f990, reportScratchSlots=0x0, inputFlags=<optimized out>, pCallBack=0xe8769ae1 <GcEnumObject(void*, OBJECTREF*, unsigned int)>, hCallBack=0xffe3ff74)
    at /__w/1/s/src/coreclr/src/vm/gcinfodecoder.cpp:968
#15 0xe862e39a in EECodeManager::EnumGcRefs (this=<optimized out>, pRD=0xffe3f990, pCodeInfo=0xffe3f8b4, flags=0x0, pCallBack=0xe8769ae1 <GcEnumObject(void*, OBJECTREF*, unsigned int)>, hCallBack=0xffe3ff74,
    relOffsetOverride=0xffffffff) at /__w/1/s/src/coreclr/src/vm/eetwain.cpp:5149
#16 0xe8769e9e in GcStackCrawlCallBack (pCF=0xffe3f698, pData=0xffe3ff74) at /__w/1/s/src/coreclr/src/vm/gcenv.ee.common.cpp:282
#17 0xe86c63a0 in Thread::MakeStackwalkerCallback (this=0xded9368, pCF=0xffe3f698, pCallback=0xe8769c0d <GcStackCrawlCallBack(CrawlFrame*, void*)>, pData=0xffe3ff74, uFramesProcessed=0x10)
    at /__w/1/s/src/coreclr/src/vm/stackwalk.cpp:833
#18 0xe86c6590 in Thread::StackWalkFramesEx (this=0xded9368, pRD=0xffe3f990, pCallback=0xe8769c0d <GcStackCrawlCallBack(CrawlFrame*, void*)>, pData=0xffe3ff74, flags=0x8500, pStartFrame=0x0)
    at /__w/1/s/src/coreclr/src/vm/stackwalk.cpp:913
#19 0xe86c6d5e in Thread::StackWalkFrames (this=0xded9368, pCallback=0xe8769c0d <GcStackCrawlCallBack(CrawlFrame*, void*)>, pData=0xffe3ff74, flags=0x8500, pStartFrame=0x0) at /__w/1/s/src/coreclr/src/vm/stackwalk.cpp:996
#20 0xe8767026 in ScanStackRoots (pThread=0xded9368, fn=0xe889bcc5 <WKS::GCHeap::Promote(Object**, ScanContext*, unsigned int)>, sc=0xffe40050) at /__w/1/s/src/coreclr/src/vm/gcenv.ee.cpp:147
#21 0xe8766d7c in GCToEEInterface::GcScanRoots (fn=0xe889bcc5 <WKS::GCHeap::Promote(Object**, ScanContext*, unsigned int)>, condemned=0x2, max_gen=0x2, sc=0xffe40050) at /__w/1/s/src/coreclr/src/vm/gcenv.ee.cpp:231
#22 0xe8892358 in WKS::gc_heap::mark_phase (condemned_gen_number=<optimized out>, mark_only_p=0x0) at /__w/1/s/src/coreclr/src/gc/gc.cpp:20745
#23 0xe888ff8c in WKS::gc_heap::gc1 () at /__w/1/s/src/coreclr/src/gc/gc.cpp:16684
#24 0xe8897d52 in WKS::gc_heap::garbage_collect (n=<optimized out>) at /__w/1/s/src/coreclr/src/gc/gc.cpp:18252
#25 0xe888b52c in WKS::GCHeap::GarbageCollectGeneration (this=<optimized out>, gen=0x2, reason=<optimized out>) at /__w/1/s/src/coreclr/src/gc/gc.cpp:37744
#26 0xe88ac190 in WKS::GCHeap::GarbageCollectTry (this=<optimized out>, generation=<optimized out>, low_memory_p=<optimized out>, mode=<optimized out>) at /__w/1/s/src/coreclr/src/gc/gc.cpp:37002
#27 WKS::GCHeap::GarbageCollect (this=<optimized out>, generation=<optimized out>, low_memory_p=<optimized out>, mode=<optimized out>) at /__w/1/s/src/coreclr/src/gc/gc.cpp:36936
#28 0xe88ab496 in WKS::GCHeap::StressHeap (this=0xde9f058, context=<optimized out>) at /__w/1/s/src/coreclr/src/gc/gc.cpp:36590
#29 0xe87667fc in DoGcStress (regs=0xdefaee0, nativeCodeVersion=...) at /__w/1/s/src/coreclr/src/vm/gccover.cpp:1714
#30 0xe87663da in OnGcCoverageInterrupt (regs=0xdefaee0) at /__w/1/s/src/coreclr/src/vm/gccover.cpp:1347
#31 0xe86382ba in IsGcMarker (pContext=0xdefaee0, pExceptionRecord=<optimized out>) at /__w/1/s/src/coreclr/src/vm/excep.cpp:6495
#32 0xe882eec8 in HandleHardwareException (ex=0xffe405f0) at /__w/1/s/src/coreclr/src/vm/exceptionhandling.cpp:5124
#33 0xe89e3ec0 in SEHProcessException (exception=0xffe405f0) at /__w/1/s/src/coreclr/src/pal/src/exception/seh.cpp:267
#34 0xe89e54fa in common_signal_handler (code=<optimized out>, siginfo=<optimized out>, sigcontext=0xffe40938, numParams=<optimized out>) at /__w/1/s/src/coreclr/src/pal/src/exception/signal.cpp:898
#35 0xe89e4bdc in sigill_handler (code=0x4, siginfo=0xffe408b8, context=0xffe40938) at /__w/1/s/src/coreclr/src/pal/src/exception/signal.cpp:352
#36 <signal handler called>
#37 0xe2517310 in ?? ()
#38 0xe251730a in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

@jakobbotsch (Member):

This test has to pass by-refs through the arg buffer. Could it be the following assumption that is not ok on ARM32 when we are loading the by-ref from the arg buffer?

if (tyHnd.IsByRef())
{
    // Note: we can use an "untracked" ldind.i here even with byrefs because
    // we are loading between two tracked positions.
    stream->EmitLDIND_I();
}

Note also that since #41206 we are no longer loading from the arg buffer into a by-ref typed local first. I wonder if this could have any adverse effects as well. cc @jkotas

@jkotas (Member) commented Sep 2, 2020:

Note: we can use an "untracked" ldind.i here even with byrefs

Is this assumption ever ok? This looks super fragile at best. This may need to use ByReference<T> until we get first class support for byrefs.

@jakobbotsch (Member):

I can look into making that change this weekend. IIRC I was initially using ByReference<T> but hitting asserts in the JIT. Should it be fine to replace the ldind.i with ldobj ByReference<byte> followed by accessing the Value property?

@jkotas (Member) commented Sep 2, 2020:

I do not think you need ldobj ByReference<byte>. It should be enough to just replace ldind.i by the Value property.

@jakobbotsch (Member):

Aha, this would probably have been my mistake last time around then. Is there a similar possibility for the store into the arg buffer?

@jkotas (Member) commented Sep 2, 2020:

I think your best bet is to stay close to the patterns that ByReference<T> is used for today. Creating ByReference<T> is newobj ByReference<T> + stfld, but that does not work for the arg buffer. I would use newobj ByReference<T> + stobj; that is close enough.

@BruceForstall (Member):

fwiw, it appears we're looking for GC refs in the "rems" function at address 0xe5f51dbd with code:

0xe5f51d21:  stmdb   sp!, {r4, r10, r11, lr}
0xe5f51d25:  sub     sp, #48 ; 0x30
0xe5f51d27:  add.w   r11, sp, #56    ; 0x38
0xe5f51d2b:  sub.w   r4, r11, #56    ; 0x38
0xe5f51d2f:  mov.w   r10, #5
0xe5f51d33:  movs    r2, #0
0xe5f51d35:  movs    r3, #0
0xe5f51d37:  stmia   r4!, {r2, r3}
0xe5f51d39:  subs.w  r10, r10, #1
0xe5f51d3d:  bhi.n   0xe5f51d36
0xe5f51d3f:  str     r0, [sp, #44]   ; 0x2c
0xe5f51d41:  str     r1, [sp, #40]   ; 0x28
0xe5f51d43:  movw    r3, #42404      ; 0xa5a4
0xe5f51d47:  movt    r3, #58879      ; 0xe5ff
0xe5f51d4b:  ldr     r3, [r3, #0]
0xe5f51d4d:  cmp     r3, #0
0xe5f51d4f:  beq.n   0xe5f51d5a
0xe5f51d51:  udf.w   #1
0xe5f51d55:  udf.w   #1
0xe5f51d59:  udf     #0
0xe5f51d5b:  ldr     r0, [sp, #40]   ; 0x28
0xe5f51d5d:  ldr     r0, [r0, #0]
0xe5f51d5f:  cmp     r0, #1
0xe5f51d61:  bne.n   0xe5f51d6a
0xe5f51d63:  movs    r0, #0
0xe5f51d65:  add     sp, #48 ; 0x30
0xe5f51d67:  ldmia.w sp!, {r4, r10, r11, pc}
0xe5f51d6b:  movw    r0, #55940      ; 0xda84
0xe5f51d6f:  movt    r0, #59188      ; 0xe734
0xe5f51d73:  movs    r1, #1
0xe5f51d75:  movw    r3, #39145      ; 0x98e9
0xe5f51d79:  movt    r3, #59512      ; 0xe878
0xe5f51d7d:  blx     r3
0xe5f51d7f:  str     r0, [sp, #32]
0xe5f51d81:  ldr     r0, [sp, #32]
0xe5f51d83:  str     r0, [sp, #36]   ; 0x24
0xe5f51d85:  ldr     r0, [sp, #40]   ; 0x28
0xe5f51d87:  ldr     r0, [r0, #0]
0xe5f51d89:  subs    r0, r0, #1
0xe5f51d8b:  str     r0, [sp, #28]
0xe5f51d8d:  ldr     r0, [sp, #36]   ; 0x24
0xe5f51d8f:  movs    r1, #0
0xe5f51d91:  ldr     r3, [r0, #4]
0xe5f51d93:  cmp     r1, r3
0xe5f51d95:  bcc.n   0xe5f51da0
0xe5f51d97:  udf.w   #1
0xe5f51d9b:  udf.w   #1
0xe5f51d9f:  udf     #0
0xe5f51da1:  add.w   r0, r0, r1, lsl #2
0xe5f51da5:  adds    r0, #8
0xe5f51da7:  ldr     r1, [sp, #28]
0xe5f51da9:  str     r1, [r0, #0]
0xe5f51dab:  ldr     r0, [sp, #44]   ; 0x2c
0xe5f51dad:  ldr     r0, [r0, #0]
0xe5f51daf:  ldr     r1, [sp, #40]   ; 0x28
0xe5f51db1:  ldr     r1, [r1, #0]
0xe5f51db3:  movw    r3, #11385      ; 0x2c79
0xe5f51db7:  movt    r3, #59512      ; 0xe878
0xe5f51dbb:  blx     r3 <---- call to JIT_Mod(int, int)
0xe5f51dbd:  cmp     r0, #0 <---- this is the GC point

Maybe untracked slot 5.

@BruceForstall (Member):

(btw, is the CorElementType ty = tyHnd.GetSignatureCorElementType(); line necessary in TailCallHelp::EmitLoadTyHnd() or TailCallHelp::EmitStoreTyHnd()? The result ty is unused.)

@BruceForstall (Member):

@jakobbotsch With your suggestion above about a possible problem, wouldn't I expect to see the GC problem in the generated stub code? Assuming the stack I show is correct, and we're reporting GC refs in the rems function itself, could that still manifest as a GC hole? Perhaps we've stack walked back to the rems function from a tailcall stub and some mismatch of info is causing this hole?

@BruceForstall (Member) commented Sep 3, 2020:

I got it to fail on Windows arm32 under windbg (after 143 runs), with a better stack:

 # Child-SP RetAddr      Call Site
00 0077c8b8 649037fa     KERNELBASE!DebugBreak+0x6
01 0077c8c0 647497e4     CoreCLR!DbgAssertDialog(char * szFile = 0x64ac15a4 "C:\gh\runtime\src\coreclr\src\vm\methodtable.cpp", int iLine = 0n9367, char * szExpr = 0x64ac2b9c "SanityCheck()")+0xcb [C:\gh\runtime\src\coreclr\src\utilcode\debug.cpp @ 700] 
02 0077c928 6474e4fc     CoreCLR!MethodTable::Validate(void)+0x25 [C:\gh\runtime\src\coreclr\src\vm\methodtable.cpp @ 9403] 
03 0077c958 6474e3f4     CoreCLR!Object::ValidateInner(int bDeep = 0n1, int bVerifyNextHeader = 0n1, int bVerifySyncBlock = 0n1)+0xed [C:\gh\runtime\src\coreclr\src\vm\object.cpp @ 542] 
04 0077ca08 648ca0a0     CoreCLR!Object::Validate(int bDeep = 0n1, int bVerifyNextHeader = 0n1, int bVerifySyncBlock = 0n1)+0x89 [C:\gh\runtime\src\coreclr\src\vm\object.cpp @ 520] 
05 0077ca20 647635dc     CoreCLR!WKS::GCHeap::Promote(class Object ** ppObject = 0x0077da88, struct ScanContext * sc = <Value unavailable error>, unsigned int flags = 1)+0x61 [C:\gh\runtime\src\coreclr\src\gc\gc.cpp @ 36351] 
06 0077ca50 647cae18     CoreCLR!PromoteCarefully(<function> * fn = 0x648ca041, class Object ** ppObj = 0x0077da88, struct ScanContext * sc = 0x0077d7f8, unsigned int flags = 1)+0x7d [C:\gh\runtime\src\coreclr\src\vm\siginfo.cpp @ 4916] 
07 0077ca70 64898e5a     CoreCLR!GcEnumObject(void * pData = 0x0077d778, class OBJECTREF * pObj = 0x0077da88, unsigned int flags = 1)+0x39 [C:\gh\runtime\src\coreclr\src\vm\gcenv.ee.common.cpp @ 166] 
08 0077ca88 64898ce2     CoreCLR!GcInfoDecoder::ReportStackSlotToGC(int spOffset = <Value unavailable error>, GcStackSlotBase spBase = <Value unavailable error>, unsigned int gcFlags = 1, struct REGDISPLAY * pRD = 0x0077d330, unsigned int flags = 0, <function> * pCallBack = 0x647cade1, void * hCallBack = 0x0077d778)+0x15b [C:\gh\runtime\src\coreclr\src\vm\gcinfodecoder.cpp @ 1834] 
09 0077cac0 64898ee0     CoreCLR!GcInfoDecoder::ReportSlotToGC(class GcSlotDecoder * slotDecoder = 0x0077cb90, unsigned int slotIndex = 2, struct REGDISPLAY * pRD = 0x0077d330, bool reportScratchSlots = true, unsigned int inputFlags = 0, <function> * pCallBack = 0x647cade1, void * hCallBack = 0x0077d778)+0xd3 [C:\gh\runtime\src\coreclr\src\inc\gcinfodecoder.h @ 693] 
0a 0077caf0 6489815c     CoreCLR!GcInfoDecoder::ReportUntrackedSlots(class GcSlotDecoder * slotDecoder = 0x0077cb90, struct REGDISPLAY * pRD = 0x0077d330, unsigned int inputFlags = 0, <function> * pCallBack = 0x647cade1, void * hCallBack = 0x0077d778)+0x39 [C:\gh\runtime\src\coreclr\src\vm\gcinfodecoder.cpp @ 1019] 
0b 0077cb28 646fd962     CoreCLR!GcInfoDecoder::EnumerateLiveSlots(struct REGDISPLAY * pRD = <Value unavailable error>, bool reportScratchSlots = <Value unavailable error>, unsigned int inputFlags = 0x75dbf131, <function> * pCallBack = 0x647cade1, void * hCallBack = 0x0077d778)+0x9b1 [C:\gh\runtime\src\coreclr\src\vm\gcinfodecoder.cpp @ 973] 
0c 0077cc10 647cb070     CoreCLR!EECodeManager::EnumGcRefs(struct REGDISPLAY * pRD = 0x0077d330, class EECodeInfo * pCodeInfo = 0x0077d0b4, unsigned int flags = 0, <function> * pCallBack = 0x647cade1, void * hCallBack = 0x0077d778, unsigned long relOffsetOverride = 0xffffffff)+0x1b3 [C:\gh\runtime\src\coreclr\src\vm\eetwain.cpp @ 5149] 
0d 0077cda0 64765240     CoreCLR!GcStackCrawlCallBack(class CrawlFrame * pCF = 0x0077ce98, void * pData = 0x0077d778)+0x1c1 [C:\gh\runtime\src\coreclr\src\vm\gcenv.ee.common.cpp @ 289] 
0e 0077ce60 64766150     CoreCLR!Thread::MakeStackwalkerCallback(class CrawlFrame * pCF = 0x0077ce98, <function> * pCallback = <Value unavailable error>, void * pData = 0x0077d778, unsigned int uFramesProcessed = 2)+0x41 [C:\gh\runtime\src\coreclr\src\vm\stackwalk.cpp @ 833] 
0f 0077ce88 64766008     CoreCLR!Thread::StackWalkFramesEx(struct REGDISPLAY * pRD = <Value unavailable error>, <function> * pCallback = 0x647caeb1, void * pData = 0x0077d778, unsigned int flags = 0x8500, class Frame * pStartFrame = 0x00000000)+0xd5 [C:\gh\runtime\src\coreclr\src\vm\stackwalk.cpp @ 913] 
10 0077d188 647ca50a     CoreCLR!Thread::StackWalkFrames(<function> * pCallback = 0x647caeb1, void * pData = 0x0077d778, unsigned int flags = 0x8500, class Frame * pStartFrame = 0x00000000)+0xe1 [C:\gh\runtime\src\coreclr\src\vm\stackwalk.cpp @ 997] 
11 0077d768 647c9a8c     CoreCLR!ScanStackRoots(class Thread * pThread = 0x007d9bf8, <function> * fn = 0x648ca041, struct ScanContext * sc = 0x0077d7f8)+0x11f [C:\gh\runtime\src\coreclr\src\vm\gcenv.ee.cpp @ 150] 
12 0077d7a8 648dd486     CoreCLR!GCToEEInterface::GcScanRoots(<function> * fn = 0x648ca041, int condemned = <Value unavailable error>, int max_gen = <Value unavailable error>, struct ScanContext * sc = 0x0077d7f8)+0x109 [C:\gh\runtime\src\coreclr\src\vm\gcenv.ee.cpp @ 232] 
13 0077d7e0 648d7a20     CoreCLR!WKS::gc_heap::mark_phase(int condemned_gen_number = 0n1, int mark_only_p = <Value unavailable error>)+0x167 [C:\gh\runtime\src\coreclr\src\gc\gc.cpp @ 20759] 
14 0077d838 648d77ec     CoreCLR!WKS::gc_heap::gc1(void)+0x159 [C:\gh\runtime\src\coreclr\src\gc\gc.cpp @ 16696] 
15 0077d860 648c914c     CoreCLR!WKS::gc_heap::garbage_collect(int n = 0n1)+0x2e5 [C:\gh\runtime\src\coreclr\src\gc\gc.cpp @ 18282] 
16 0077d890 648cad0c     CoreCLR!WKS::GCHeap::GarbageCollectGeneration(unsigned int gen = <Value unavailable error>, gc_reason reason = reason_gcstress (0n8))+0x24d [C:\gh\runtime\src\coreclr\src\gc\gc.cpp @ 37755] 
17 (Inline) --------     CoreCLR!WKS::GCHeap::GarbageCollectTry(void)+0x17 (Inline Function @ 648cad0d) [C:\gh\runtime\src\coreclr\src\gc\gc.cpp @ 37012] 
18 0077d8c8 647ccbd8     CoreCLR!WKS::GCHeap::StressHeap(struct gc_alloc_context * context = <Value unavailable error>)+0x37d [C:\gh\runtime\src\coreclr\src\gc\gc.cpp @ 36597] 
19 (Inline) --------     CoreCLR!_GCStress::StressGcTriggerPolicy::Trigger(void)+0x29 (Inline Function @ 647ccbd9) [C:\gh\runtime\src\coreclr\src\vm\gcstress.h @ 297] 
1a (Inline) --------     CoreCLR!_GCStress::GCSBase<1,_GCStress::IgnoreFastGcSPolicy,_GCStress::AnyGcModePolicy,_GCStress::StressGcTriggerPolicy>::MaybeTrigger(void)+0x4b (Inline Function @ 647ccbd9) [C:\gh\runtime\src\coreclr\src\vm\gcstress.h @ 415] 
1b (Inline) --------     CoreCLR!_GCStress::GCStress<10,mpl::null_type,mpl::null_type,mpl::null_type>::MaybeTrigger(void)+0x4b (Inline Function @ 647ccbd9) [C:\gh\runtime\src\coreclr\src\vm\gcstress.h @ 464] 
1c 0077d928 647cd804     CoreCLR!Alloc(unsigned int size = 0x10, GC_ALLOC_FLAGS flags = GC_ALLOC_NO_FLAGS (0n0))+0x95 [C:\gh\runtime\src\coreclr\src\vm\gchelpers.cpp @ 227] 
1d 0077d950 647e662a     CoreCLR!AllocateSzArray(class MethodTable * pArrayMT = 0x0a1f7bfc, int cElements = 0n1, GC_ALLOC_FLAGS flags = GC_ALLOC_NO_FLAGS (0n0))+0x16d [C:\gh\runtime\src\coreclr\src\vm\gchelpers.cpp @ 483] 
1e 0077d990 0a752726     CoreCLR!JIT_NewArr1(struct CORINFO_CLASS_STRUCT_ * arrayMT = 0x0a1f7bfc, int size = 0n1)+0xdb [C:\gh\runtime\src\coreclr\src\vm\jithelpers.cpp @ 2723] 
1f 0077da60 0a75e02c     _il_dbgreference_i!<Module>.rems(<Win32 error 0n318>)+0x5e
20 0077daa0 0a75df66     _il_dbgreference_i!ILStubClass.IL_STUB_CallTailCallTarget(<Win32 error 0n318>)+0x40
21 0077dad0 0a75283a     System_Private_CoreLib!System.Runtime.CompilerServices.RuntimeHelpers.DispatchTailCalls(<Win32 error 0n318>)+0x52 [C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 317] 
22 0077db00 0a752266     _il_dbgreference_i!<Module>.rems(<Win32 error 0n318>)+0x172
23 0077db40 646a104c     _il_dbgreference_i!<Module>.main(<Win32 error 0n318>)+0x52
24 0077db60 647981ac     CoreCLR!CallDescrWorkerInternal(void)+0x45 [C:\gh\runtime\artifacts\obj\coreclr\Windows_NT.arm.Checked\src\vm\wks\asmhelpers.asm @ 4539] 
25 0077db70 647985f6     CoreCLR!CallDescrWorker(struct CallDescrData * pCallDescrData = 0x0077e070)+0x99 [C:\gh\runtime\src\coreclr\src\vm\callhelpers.cpp @ 127] 
26 0077df98 646b9c96     CoreCLR!MethodDescCallSite::CallTargetWorker(unsigned int64 * pArguments = 0x0077e0f0, unsigned int64 * pReturnValue = <Value unavailable error>, int cbReturnValue = <Value unavailable error>)+0x35b [C:\gh\runtime\src\coreclr\src\vm\callhelpers.cpp @ 547] 
27 (Inline) --------     CoreCLR!MethodDescCallSite::Call_RetArgSlot(void)+0x41 (Inline Function @ 646b9c97) [C:\gh\runtime\src\coreclr\src\vm\callhelpers.h @ 458] 

code:

0:000> !u -gcinfo -o 0xa752727 
Normal JIT generated code
<Module>.rems(Int32 ByRef, Int32 ByRef)
ilAddr is 0A6C2050 pImport is 12CE0AE8
Begin 0A7526C8, size 17a
Prolog size: 0
Security object: <none>
GS cookie: <none>
PSPSym: <none>
Generics inst context: <none>
PSP slot: <none>
GenericInst slot: <none>
Varargs: 0
Frame pointer: r11
Has tailcalls: 0
Size of parameter area: 0
Return Kind: Object
Code size: 17a
Untracked: +r11-14 +r11-18 +r11-24 +r11-28 +r11-2c +r11-34 +r11-38 +r11-c(interior) +r11-10(interior)
0000 0a7526c8 e92d4c10 push        {r4,r10,r11,lr}
0004 0a7526cc b08c     sub         sp,sp,#0x30
0006 0a7526ce f10d0b38 add         r11,sp,#0x38
000a 0a7526d2 f1ab0438 sub         r4,r11,#0x38
000e 0a7526d6 f04f0a05 mov         r10,#5
0012 0a7526da 2200     movs        r2,#0
0014 0a7526dc 2300     movs        r3,#0
0016 0a7526de c40c     stm         r4!,{r2,r3}
0018 0a7526e0 f1ba0a01 subs        r10,r10,#1
001c 0a7526e4 d8fb     bhi         0A7526DE
001e 0a7526e6 900b     str         r0,[sp,#0x2C]
0020 0a7526e8 910a     str         r1,[sp,#0x28]
00000022 interruptible
0022 0a7526ea f6431308 mov         r3,#0x3908
0026 0a7526ee f6c0236a movt        r3,#0xA6A
002a 0a7526f2 681b     ldr         r3,[r3]
002c 0a7526f4 2b00     cmp         r3,#0
002e 0a7526f6 d004     beq         0A752702
0030 0a7526f8 f2455301 mov         r3,#0x5501 (gcstress)
0034 0a7526fc f2c6437e movt        r3,#0x647E (gcstress) (CoreCLR!JIT_DbgIsJustMyCode)
0038 0a752700 4798     blx         r3 (gcstress)
003a 0a752702 980a     ldr         r0,[sp,#0x28]
0000003c +r0(interior)
003c 0a752704 6800     ldr         r0,[r0]
0000003e -r0(interior)
003e 0a752706 2801     cmp         r0,#1
0040 0a752708 d103     bne         0A752712
0042 0a75270a 2000     movs        r0,#0
00000044 not interruptible
0044 0a75270c b00c     add         sp,sp,#0x30
0046 0a75270e e8bd8c10 pop         {r4,r10,r11,pc}
0000004a interruptible
004a 0a752712 f64730fc mov         r0,#0x7BFC
004e 0a752716 f6c0201f movt        r0,#0xA1F (MT: System.Int32[])
0052 0a75271a 2101     movs        r1,#1
0054 0a75271c f2465351 mov         r3,#0x6551
0058 0a752720 f2c6437e movt        r3,#0x647E (CoreCLR!JIT_NewArr1)
005c 0a752724 4798     blx         r3
0000005e +r0
>>> 005e 0a752726 9008     str         r0,[sp,#0x20]
0060 0a752728 9808     ldr         r0,[sp,#0x20]
0062 0a75272a 9009     str         r0,[sp,#0x24]
0064 0a75272c 980a     ldr         r0,[sp,#0x28]
00000066 -r0 +r0(interior)
0066 0a75272e 6800     ldr         r0,[r0]
00000068 -r0(interior)
0068 0a752730 1e40     subs        r0,r0,#1
006a 0a752732 9007     str         r0,[sp,#0x1C]
006c 0a752734 9809     ldr         r0,[sp,#0x24]
0000006e +r0
006e 0a752736 2100     movs        r1,#0
0070 0a752738 6843     ldr         r3,[r0,#4]
0072 0a75273a 4299     cmp         r1,r3
0074 0a75273c d304     bcc         0A752748
0076 0a75273e f6445c71 mov         r12,#0x4D71 (gcstress)
007a 0a752742 f2c64c7e movt        r12,#0x647E (gcstress) (CoreCLR!JIT_RngChkFail)
007e 0a752746 47e0     blx         r12 (gcstress)
0080 0a752748 eb000081 add         r0,r0,r1,lsl #2
00000084 -r0 +r0(interior)
0084 0a75274c 3008     adds        r0,r0,#8
0086 0a75274e 9907     ldr         r1,[sp,#0x1C]
0088 0a752750 6001     str         r1,[r0]
008a 0a752752 980b     ldr         r0,[sp,#0x2C]
008c 0a752754 6800     ldr         r0,[r0]
0000008e -r0(interior)
008e 0a752756 990a     ldr         r1,[sp,#0x28]
00000090 +r1(interior)
0090 0a752758 6809     ldr         r1,[r1]
00000092 -r1(interior)
0092 0a75275a f64513e1 mov         r3,#0x59E1
0096 0a75275e f2c6437e movt        r3,#0x647E (CoreCLR!JIT_Mod)
009a 0a752762 4798     blx         r3
009c 0a752764 2800     cmp         r0,#0
009e 0a752766 d143     bne         0A7527F0
00a0 0a752768 9909     ldr         r1,[sp,#0x24]
000000a2 +r1
00a2 0a75276a 2000     movs        r0,#0
00a4 0a75276c 684b     ldr         r3,[r1,#4]
00a6 0a75276e 4298     cmp         r0,r3
00a8 0a752770 d304     bcc         0A75277C
00aa 0a752772 f6445c71 mov         r12,#0x4D71 (gcstress)
00ae 0a752776 f2c64c7e movt        r12,#0x647E (gcstress) (CoreCLR!JIT_RngChkFail)
00b2 0a75277a 47e0     blx         r12 (gcstress)
00b4 0a75277c eb010180 add         r1,r1,r0,lsl #2
000000b8 -r1 +r1(interior)
00b8 0a752780 3108     adds        r1,r1,#8
00ba 0a752782 980b     ldr         r0,[sp,#0x2C]
000000bc +r0(interior)
00bc 0a752784 f642031d mov         r3,#0x281D
00c0 0a752788 f6c02368 movt        r3,#0xA68 (code for MD: <Module>.rems(Int32 ByRef, Int32 ByRef))
00c4 0a75278c 4798     blx         r3
000000c6 -r1(interior) -r0(interior) +r0
00c6 0a75278e 9005     str         r0,[sp,#0x14]
00c8 0a752790 f24201d4 mov         r1,#0x20D4
00cc 0a752794 f2c071ee movt        r1,#0x7EE
00d0 0a752798 6809     ldr         r1,[r1]
000000d2 +r1
00d2 0a75279a 9805     ldr         r0,[sp,#0x14]
00d4 0a75279c f6471341 mov         r3,#0x7941
00d8 0a7527a0 f6c0231c movt        r3,#0xA1C (code for MD: System.String.Concat(System.String, System.String))
00dc 0a7527a4 4798     blx         r3
000000de -r1
00de 0a7527a6 9004     str         r0,[sp,#0x10]
00e0 0a7527a8 980a     ldr         r0,[sp,#0x28]
000000e2 -r0 +r0(interior)
00e2 0a7527aa f64333e1 mov         r3,#0x3BE1
00e6 0a7527ae f6c0231c movt        r3,#0xA1C (code for MD: System.Int32.ToString())
00ea 0a7527b2 4798     blx         r3
000000ec -r0(interior) +r0
00ec 0a7527b4 9003     str         r0,[sp,#0xC]
00ee 0a7527b6 f6471041 mov         r0,#0x7941
000000f2 -r0
00f2 0a7527ba f6c0201c movt        r0,#0xA1C (code for MD: System.String.Concat(System.String, System.String))
00f6 0a7527be 9002     str         r0,[sp,#8]
00f8 0a7527c0 9804     ldr         r0,[sp,#0x10]
000000fa +r0
00fa 0a7527c2 9903     ldr         r1,[sp,#0xC]
000000fc +r1
00fc 0a7527c4 9a02     ldr         r2,[sp,#8]
00fe 0a7527c6 f64d3364 mov         r3,#0xDB64
0102 0a7527ca f6c02374 movt        r3,#0xA74
0106 0a7527ce 681b     ldr         r3,[r3]
0108 0a7527d0 4798     blx         r3 ; ****** call the store args stub
0000010a -r1 -r0
010a 0a7527d2 a80f     add         r0,sp,#0x3C
0000010c +r0(interior)
010c 0a7527d4 aa01     add         r2,sp,#4
0000010e +r2(interior)
010e 0a7527d6 f24221e5 mov         r1,#0x22E5
0112 0a7527da f6c02175 movt        r1,#0xA75 (code for MD: ILStubClass.IL_STUB_CallTailCallTarget(IntPtr, IntPtr, IntPtr))
0116 0a7527de f2463319 mov         r3,#0x6319
011a 0a7527e2 f6c0231c movt        r3,#0xA1C (code for MD: System.Runtime.CompilerServices.RuntimeHelpers.DispatchTailCalls(IntPtr, Void (IntPtr, IntPtr, IntPtr*), IntPtr))
011e 0a7527e6 4798     blx         r3
00000120 -r2(interior) -r0(interior)
0120 0a7527e8 9801     ldr         r0,[sp,#4]
00000122 not interruptible
0122 0a7527ea b00c     add         sp,sp,#0x30
0124 0a7527ec e8bd8c10 pop         {r4,r10,r11,pc}
00000128 interruptible
0128 0a7527f0 f642011d mov         r1,#0x281D
012c 0a7527f4 f6c02168 movt        r1,#0xA68 (code for MD: <Module>.rems(Int32 ByRef, Int32 ByRef))
0130 0a7527f8 9106     str         r1,[sp,#0x18]
0132 0a7527fa 9909     ldr         r1,[sp,#0x24]
00000134 +r1
0134 0a7527fc 2000     movs        r0,#0
0136 0a7527fe 684a     ldr         r2,[r1,#4]
0138 0a752800 4290     cmp         r0,r2
013a 0a752802 d304     bcc         0A75280E
013c 0a752804 f6445c71 mov         r12,#0x4D71 (gcstress)
0140 0a752808 f2c64c7e movt        r12,#0x647E (gcstress) (CoreCLR!JIT_RngChkFail)
0144 0a75280c 47e0     blx         r12 (gcstress)
0146 0a75280e eb010180 add         r1,r1,r0,lsl #2
0000014a -r1 +r1(interior)
014a 0a752812 3108     adds        r1,r1,#8
014c 0a752814 980b     ldr         r0,[sp,#0x2C]
0000014e +r0(interior)
014e 0a752816 9a06     ldr         r2,[sp,#0x18]
0150 0a752818 f64d5380 mov         r3,#0xDD80
0154 0a75281c f6c02374 movt        r3,#0xA74
0158 0a752820 681b     ldr         r3,[r3]
015a 0a752822 4798     blx         r3 ; ****** call the store args stub
0000015c -r1(interior) -r0(interior)
015c 0a752824 a80f     add         r0,sp,#0x3C
0000015e +r0(interior)
015e 0a752826 aa00     add         r2,sp,#0
00000160 +r2(interior)
0160 0a752828 f2423115 mov         r1,#0x2315
0164 0a75282c f6c02175 movt        r1,#0xA75 (code for MD: ILStubClass.IL_STUB_CallTailCallTarget(IntPtr, IntPtr, IntPtr))
0168 0a752830 f2463319 mov         r3,#0x6319
016c 0a752834 f6c0231c movt        r3,#0xA1C (code for MD: System.Runtime.CompilerServices.RuntimeHelpers.DispatchTailCalls(IntPtr, Void (IntPtr, IntPtr, IntPtr*), IntPtr))
0170 0a752838 4798     blx         r3
00000172 -r2(interior) -r0(interior)
0172 0a75283a 9800     ldr         r0,[sp]
00000174 not interruptible
0174 0a75283c b00c     add         sp,sp,#0x30
0176 0a75283e e8bd8c10 pop         {r4,r10,r11,pc}

In this case, the value of r11-0x10 (sp+0x28) is corrupt: the home location for argument 2 (int32& m).

0:000> !gcinfo a75e02c
entry point 0A75DFEC
Normal JIT generated code
GC info 0C27419C
Pointer table:
Prolog size: 0
Security object: <none>
GS cookie: <none>
PSPSym: <none>
Generics inst context: <none>
PSP slot: <none>
GenericInst slot: <none>
Varargs: 0
Frame pointer: r11
Has tailcalls: 0
Size of parameter area: 0
Return Kind: Scalar
Code size: 56
Untracked: +r11-18
00000014 interruptible
00000040 +r0
00000044 -r0
00000046 +r1
00000050 not interruptible
00000050 -r1
0:000> u 0xa75dfec 0xa75dfec+56
_il_dbgreference_i!ILStubClass.IL_STUB_CallTailCallTarget(IntPtr, IntPtr, IntPtr) <PERF> (_il_dbgreference_i+0x9dfec):
0a75dfec e92d4c10 push        {r4,r10,r11,lr}
0a75dff0 b088     sub         sp,sp,#0x20
0a75dff2 f10d0b28 add         r11,sp,#0x28
0a75dff6 2300     movs        r3,#0
0a75dff8 9304     str         r3,[sp,#0x10]
0a75dffa 9007     str         r0,[sp,#0x1C]
0a75dffc 9106     str         r1,[sp,#0x18]
0a75dffe 9205     str         r2,[sp,#0x14]

00000014 interruptible

0a75e000 9805     ldr         r0,[sp,#0x14]
0a75e002 f24e012d mov         r1,#0xE02D
0a75e006 f6c02175 movt        r1,#0xA75
0a75e00a 6001     str         r1,[r0]
0a75e00c 9807     ldr         r0,[sp,#0x1C]
0a75e00e 68c0     ldr         r0,[r0,#0xC]     // ****** this is loading the byref argument 0 from the arg buffer, but it's not marked as a byref
0a75e010 9003     str         r0,[sp,#0xC]    // **** this is not marked as byref or untracked?
0a75e012 9807     ldr         r0,[sp,#0x1C]
0a75e014 6900     ldr         r0,[r0,#0x10]     // ****** this is loading the byref argument 1 from the arg buffer, but it's not marked as a byref
0a75e016 9002     str         r0,[sp,#8]    // **** this is not marked as byref or untracked?
0a75e018 9807     ldr         r0,[sp,#0x1C]
0a75e01a 2102     movs        r1,#2
0a75e01c 6001     str         r1,[r0]
0a75e01e 9807     ldr         r0,[sp,#0x1C]
0a75e020 6940     ldr         r0,[r0,#0x14]
0a75e022 9001     str         r0,[sp,#4]
0a75e024 9803     ldr         r0,[sp,#0xC] // *** this should be marked as byref?
0a75e026 9902     ldr         r1,[sp,#8] // *** this should be marked as byref?
0a75e028 9b01     ldr         r3,[sp,#4]
0a75e02a 4798     blx         r3 ////////////// we're in this call

00000040 +r0
0a75e02c 9004     str         r0,[sp,#0x10]
0a75e02e 9806     ldr         r0,[sp,#0x18]

00000044 -r0
0a75e030 9904     ldr         r1,[sp,#0x10]

00000046 +r1
0a75e032 f2420c55 mov         r12,#0x2055
0a75e036 f2c64c6a movt        r12,#0x646A
0a75e03a 47e0     blx         r12

00000050 not interruptible
00000050 -r1
0a75e03c b008     add         sp,sp,#0x20
0a75e03e e8bd8c10 pop         {r4,r10,r11,pc}
0:000> !u -gcinfo -o 0a75df66     
Normal JIT generated code
System.Runtime.CompilerServices.RuntimeHelpers.DispatchTailCalls(IntPtr, Void (IntPtr, IntPtr, IntPtr*), IntPtr)
ilAddr is 6430D0FC pImport is 12CE0638
Begin 0A75DF14, size b2

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 298:
Prolog size: 0
Security object: <none>
GS cookie: <none>
PSPSym: caller.sp-14
Generics inst context: <none>
PSP slot: caller.sp-14
GenericInst slot: <none>
Varargs: 0
Frame pointer: r11
Has tailcalls: 0
Size of parameter area: 0
Return Kind: Scalar
Code size: b2
0000 0a75df14 e92d4830 push        {r4,r5,r11,lr}
0004 0a75df18 b088     sub         sp,sp,#0x20
0006 0a75df1a f10d0b28 add         r11,sp,#0x28
000a 0a75df1e ab0c     add         r3,sp,#0x30
000c 0a75df20 9307     str         r3,[sp,#0x1C]
000e 0a75df22 460c     mov         r4,r1
0010 0a75df24 4615     mov         r5,r2
00000012 interruptible
0012 0a75df26 a905     add         r1,sp,#0x14
0014 0a75df28 f6407311 mov         r3,#0xF11
0018 0a75df2c f2c64384 movt        r3,#0x6484 (CoreCLR!TailCallHelp::GetTailCallInfo)
001c 0a75df30 4798     blx         r3
001e 0a75df32 9004     str         r0,[sp,#0x10]

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 299:
0020 0a75df34 9804     ldr         r0,[sp,#0x10]
0022 0a75df36 6800     ldr         r0,[r0]
0024 0a75df38 9003     str         r0,[sp,#0xC]

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 300:
0026 0a75df3a 9805     ldr         r0,[sp,#0x14]
0028 0a75df3c 9903     ldr         r1,[sp,#0xC]
002a 0a75df3e 6849     ldr         r1,[r1,#4]
002c 0a75df40 4288     cmp         r0,r1
002e 0a75df42 d104     bne         0A75DF4E

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 302:
0030 0a75df44 9803     ldr         r0,[sp,#0xC]
0032 0a75df46 6084     str         r4,[r0,#8]

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 330:
00000034 not interruptible
0034 0a75df48 b008     add         sp,sp,#0x20
0036 0a75df4a e8bd8830 pop         {r4,r5,r11,pc}

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 307:
0000003a interruptible
003a 0a75df4e 9803     ldr         r0,[sp,#0xC]
003c 0a75df50 9000     str         r0,[sp]

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 311:
003e 0a75df52 a800     add         r0,sp,#0
00000040 +r0(interior)
0040 0a75df54 9904     ldr         r1,[sp,#0x10]
0042 0a75df56 6008     str         r0,[r1]

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 315:
00000044 -r0(interior)
0044 0a75df58 2000     movs        r0,#0
0046 0a75df5a 9002     str         r0,[sp,#8]

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 316:
0048 0a75df5c 9804     ldr         r0,[sp,#0x10]
004a 0a75df5e 6840     ldr         r0,[r0,#4]
004c 0a75df60 4629     mov         r1,r5
004e 0a75df62 aa01     add         r2,sp,#4
00000050 +r2(interior)
0050 0a75df64 47a0     blx         r4

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 317:
00000052 -r2(interior)
>>> 0052 0a75df66 9c02     ldr         r4,[sp,#8]

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 318:
0054 0a75df68 2c00     cmp         r4,#0
0056 0a75df6a d1f5     bne         0A75DF58
0058 0a75df6c 9b04     ldr         r3,[sp,#0x10]
005a 0a75df6e 9a03     ldr         r2,[sp,#0xC]
005c 0a75df70 601a     str         r2,[r3]
005e 0a75df72 9b04     ldr         r3,[sp,#0x10]
0060 0a75df74 685b     ldr         r3,[r3,#4]
0062 0a75df76 461a     mov         r2,r3
0064 0a75df78 2a00     cmp         r2,#0
0066 0a75df7a d005     beq         0A75DF88
0068 0a75df7c 4619     mov         r1,r3
006a 0a75df7e 680a     ldr         r2,[r1]
006c 0a75df80 2a01     cmp         r2,#1
006e 0a75df82 d101     bne         0A75DF88
0070 0a75df84 2102     movs        r1,#2 (gcstress)
0072 0a75df86 6019     str         r1,[r3] (gcstress)

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 330:
00000074 not interruptible
0074 0a75df88 b008     add         sp,sp,#0x20
0076 0a75df8a e8bd8830 pop         {r4,r5,r11,pc}

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 298:
007a 0a75df8e e92d483c push        {r2-r5,r11,lr}
007e 0a75df92 f10b0308 add         r3,r11,#8
0082 0a75df96 9301     str         r3,[sp,#4]

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 322:
00000084 interruptible
0084 0a75df98 f85b3c18 ldr         r3,[r11,#-0x18] (gcstress)
0088 0a75df9c f85b2c1c ldr         r2,[r11,#-0x1C] (gcstress)
008c 0a75dfa0 601a     str         r2,[r3] (gcstress)

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 325:
008e 0a75dfa2 f85b3c18 ldr         r3,[r11,#-0x18] (gcstress)
0092 0a75dfa6 685a     ldr         r2,[r3,#4] (gcstress)
0094 0a75dfa8 2a00     cmp         r2,#0 (gcstress)
0096 0a75dfaa d00a     beq         0C26AAD2 (gcstress)
0098 0a75dfac f85b3c18 ldr         r3,[r11,#-0x18] (gcstress)
009c 0a75dfb0 6859     ldr         r1,[r3,#4] (gcstress)
009e 0a75dfb2 680b     ldr         r3,[r1] (gcstress)
00a0 0a75dfb4 2b01     cmp         r3,#1 (gcstress)
00a2 0a75dfb6 d104     bne         0C26AAD2 (gcstress)

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 327:
00a4 0a75dfb8 f85b3c18 ldr         r3,[r11,#-0x18] (gcstress)
00a8 0a75dfbc 685b     ldr         r3,[r3,#4] (gcstress)
00aa 0a75dfbe 2202     movs        r2,#2 (gcstress)
00ac 0a75dfc0 601a     str         r2,[r3] (gcstress)

C:\gh\runtime\src\coreclr\src\System.Private.CoreLib\src\System\Runtime\CompilerServices\RuntimeHelpers.CoreCLR.cs @ 330:
000000ae not interruptible
00ae 0a75dfc2 e8bd883c pop         {r2-r5,r11,pc}

StoreTailCall stub:

0:000> !gcinfo a75e0f1
entry point 0A75E0F0
Normal JIT generated code
GC info 0C274280
Pointer table:
Prolog size: 0
Security object: <none>
GS cookie: <none>
PSPSym: <none>
Generics inst context: <none>
PSP slot: <none>
GenericInst slot: <none>
Varargs: 0
Frame pointer: r11
Has tailcalls: 0
Size of parameter area: 0
Return Kind: Scalar
Code size: 56
Untracked: +r11-c +r11-10
00000010 interruptible
0000002e +r1
00000038 -r1
00000040 +r1
0000004a -r1
00000050 not interruptible
0:000> u a75e0f1 0xa75e0f1+0x56
_il_dbgreference_i!ILStubClass.IL_STUB_StoreTailCallArgs(System.Object, System.Object, IntPtr):
0a75e0f0 e92d4c10 push        {r4,r10,r11,lr}
0a75e0f4 b084     sub         sp,sp,#0x10
0a75e0f6 f10d0b18 add         r11,sp,#0x18
0a75e0fa 9003     str         r0,[sp,#0xC]
0a75e0fc 9102     str         r1,[sp,#8]
0a75e0fe 9201     str         r2,[sp,#4]
0a75e100 2018     movs        r0,#0x18
0a75e102 f64d2118 mov         r1,#0xDA18
0a75e106 f6c02174 movt        r1,#0xA74
0a75e10a f24013e1 mov         r3,#0x1E1
0a75e10e f2c64384 movt        r3,#0x6484
0a75e112 4798     blx         r3
0a75e114 9000     str         r0,[sp]
0a75e116 9900     ldr         r1,[sp]
0a75e118 f101000c add         r0,r1,#0xC
0a75e11c 9903     ldr         r1,[sp,#0xC]
0a75e11e f2420c55 mov         r12,#0x2055
0a75e122 f2c64c6a movt        r12,#0x646A
0a75e126 47e0     blx         r12
0a75e128 9900     ldr         r1,[sp]
0a75e12a f1010010 add         r0,r1,#0x10
0a75e12e 9902     ldr         r1,[sp,#8]
0a75e130 f2420c55 mov         r12,#0x2055
0a75e134 f2c64c6a movt        r12,#0x646A
0a75e138 47e0     blx         r12
0a75e13a 9b00     ldr         r3,[sp]
0a75e13c 9a01     ldr         r2,[sp,#4]
0a75e13e 615a     str         r2,[r3,#0x14]
0a75e140 b004     add         sp,sp,#0x10
0a75e142 e8bd8c10 pop         {r4,r10,r11,pc}

store tail call args 2

0:000> !gcinfo a75dec5
entry point 0A75DEC4
Normal JIT generated code
GC info 0C273F58
Pointer table:
Prolog size: 0
Security object: <none>
GS cookie: <none>
PSPSym: <none>
Generics inst context: <none>
PSP slot: <none>
GenericInst slot: <none>
Varargs: 0
Frame pointer: r11
Has tailcalls: 0
Size of parameter area: 0
Return Kind: Scalar
Code size: 3e
Untracked: +r11-c(interior) +r11-10(interior)
00000010 interruptible
0000002a +r2(interior)
00000036 -r2(interior)
00000038 not interruptible
0:000> u a75dec5 a75dec5+3e
_il_dbgreference_i!ILStubClass.IL_STUB_StoreTailCallArgs(Byte ByRef, Byte ByRef, IntPtr):
0a75dec4 e92d4c10 push        {r4,r10,r11,lr}
0a75dec8 b084     sub         sp,sp,#0x10
0a75deca f10d0b18 add         r11,sp,#0x18
0a75dece 9003     str         r0,[sp,#0xC]
0a75ded0 9102     str         r1,[sp,#8]
0a75ded2 9201     str         r2,[sp,#4]
0a75ded4 2018     movs        r0,#0x18
0a75ded6 f64d512c mov         r1,#0xDD2C
0a75deda f6c02174 movt        r1,#0xA74
0a75dede f24013e1 mov         r3,#0x1E1
0a75dee2 f2c64384 movt        r3,#0x6484
0a75dee6 4798     blx         r3
0a75dee8 9000     str         r0,[sp]
0a75deea 9b00     ldr         r3,[sp]
0a75deec 9a03     ldr         r2,[sp,#0xC]
0a75deee 60da     str         r2,[r3,#0xC]
0a75def0 9b00     ldr         r3,[sp]
0a75def2 9a02     ldr         r2,[sp,#8]
0a75def4 611a     str         r2,[r3,#0x10]
0a75def6 9b00     ldr         r3,[sp]
0a75def8 9a01     ldr         r2,[sp,#4]
0a75defa 615a     str         r2,[r3,#0x14]
0a75defc b004     add         sp,sp,#0x10
0a75defe e8bd8c10 pop         {r4,r10,r11,pc}

@BruceForstall (Member)

@jakobbotsch I annotated a few places in the _il_dbgreference_i!ILStubClass.IL_STUB_CallTailCallTarget code above that I think show GC holes due to byrefs not being marked properly, which I believe is exactly what you were referring to in the note above regarding EmitLoadTyHnd. Correct?

@jakobbotsch (Member)

(btw, is the CorElementType ty = tyHnd.GetSignatureCorElementType(); line necessary in TailCallHelp::EmitLoadTyHnd() or TailCallHelp::EmitStoreTyHnd()? The result ty is unused.)

No, looks like old leftover code. This one looks unused too:

CorElementType ty = arg.TyHnd.GetSignatureCorElementType();

I can clean this up.

@jakobbotsch With your suggestion above about a possible problem, wouldn't I expect to see the GC problem in the generated stub code? Assuming the stack I show is correct, and we're reporting GC refs in the rems function itself, could that still manifest as a GC hole? Perhaps we've stack walked back to the rems function from a tailcall stub and some mismatch of info is causing this hole?

@jakobbotsch I annotated a few places in the _il_dbgreference_i!ILStubClass.IL_STUB_CallTailCallTarget code above that I think show GC holes due to byrefs not being marked properly, which I believe is exactly what you were referring to in the note above regarding EmitLoadTyHnd. Correct?

Right, the issue would be in IL_STUB_StoreTailCallTarget and IL_STUB_CallTailCallTarget and indeed from your annotations it looks to be in CallTailCallTarget. I assume this can corrupt a byref that only shows up later (after CallTailCallTarget calls into rems).
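
An added illustration of the hole discussed above, written for this page and not taken from dotnet/runtime: the stubs copied a byref through a native-int slot, so the JIT treated the slot as a scalar and the GC info never reported it (compare the CallTailCallTarget GC info above, whose only untracked slot carries no interior mark, with the StoreTailCallArgs(Byte ByRef, Byte ByRef, IntPtr) stub, which reports +r11-c(interior) +r11-10(interior)). Keeping the value typed as a byref end to end is what the ByReference change does. ByReference<T> is internal to System.Private.CoreLib, so the tracked half below uses a ref field in a ref struct (C# 11, .NET 7 or later) as the user-code equivalent. UntrackedArgBuffer, TrackedArgBuffer, Demo and Churn are names invented for the illustration, the project needs AllowUnsafeBlocks, and the untracked path is nondeterministic by nature: it prints 42 only if the array happened not to move, otherwise a stale 7, or it corrupts the heap.

```csharp
// Added illustration, not code from dotnet/runtime. Needs C# 11 / .NET 7+ (ref fields)
// and <AllowUnsafeBlocks>true</AllowUnsafeBlocks> in the project file.
using System;
using System.Runtime.CompilerServices;

// The pattern the tailcall stubs used: the byref is parked in a native-int slot.
// The JIT sees an IntPtr, so GC info does not report the slot as an interior
// pointer; after a compacting GC the slot holds the object's old address.
unsafe struct UntrackedArgBuffer
{
    public IntPtr Arg0;   // address of an int that lives inside a managed array

    public static UntrackedArgBuffer Store(ref int m) =>
        new UntrackedArgBuffer { Arg0 = (IntPtr)Unsafe.AsPointer(ref m) };

    public ref int Load() => ref Unsafe.AsRef<int>((void*)Arg0);
}

// The corrected pattern: the value stays a byref the whole way, so the JIT
// reports its home as an interior pointer and the GC updates it on relocation.
// A ref field in a ref struct is the user-code stand-in for CoreLib's ByReference<T>.
ref struct TrackedArgBuffer
{
    public ref int Arg0;

    public TrackedArgBuffer(ref int m) { Arg0 = ref m; }
    public ref int Load() => ref Arg0;
}

static class Demo
{
    // Allocate dead space in front of the array, then force a compacting GC so the
    // surviving array is likely (not guaranteed) to slide to a new address.
    static void Churn(ref byte[] junk)
    {
        junk = null;
        GC.Collect(GC.MaxGeneration, GCCollectionMode.Forced, blocking: true, compacting: true);
    }

    static int ViaUntracked()
    {
        var junk = new byte[64 * 1024];
        int[] arr = { 7 };
        var buf = UntrackedArgBuffer.Store(ref arr[0]);
        Churn(ref junk);
        buf.Load() = 42;   // GC hole: writes through the stale address if arr moved
        return arr[0];
    }

    static int ViaTracked()
    {
        var junk = new byte[64 * 1024];
        int[] arr = { 7 };
        var buf = new TrackedArgBuffer(ref arr[0]);
        Churn(ref junk);
        buf.Load() = 42;   // byref was reported to the GC and relocated with arr
        return arr[0];
    }

    static void Main()
    {
        Console.WriteLine($"untracked: {ViaUntracked()}  (42 only if arr did not move)");
        Console.WriteLine($"tracked:   {ViaTracked()}  (always 42)");
    }
}
```

Run it with a Release build so the JIT does not keep extra copies of the references alive; the tracked half is the behaviour the fixed stubs get from ByReference, while the untracked half reproduces, at source level, the untracked slots annotated in the CallTailCallTarget listing above.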

jakobbotsch added a commit to jakobbotsch/runtime that referenced this issue Sep 3, 2020
Switch to using ByReference instead of using stind.i/ldind.i and relying
on the JIT to report the locations being moved between.

Fixes dotnet#41555
BruceForstall pushed a commit that referenced this issue Sep 4, 2020
* Properly handle byrefs in tailcall helper stubs

Switch to using ByReference instead of using stind.i/ldind.i and relying
on the JIT to report the locations being moved between.

Fixes #41555

* Move NextCallReturnAddress call back
github-actions bot pushed a commit that referenced this issue Sep 4, 2020
Switch to using ByReference instead of using stind.i/ldind.i and relying
on the JIT to report the locations being moved between.

Fixes #41555
@JulieLeeMSFT (Member)

@jakobbotsch Thanks a lot for fixing this issue.

@JulieLeeMSFT (Member)

Reopening this issue in order to wait for completing backport to RC2.

JulieLeeMSFT reopened this Sep 4, 2020
BruceForstall pushed a commit that referenced this issue Sep 8, 2020
…1875)

* Properly handle byrefs in tailcall helper stubs

Switch to using ByReference instead of using stind.i/ldind.i and relying
on the JIT to report the locations being moved between.

Fixes #41555

* Move NextCallReturnAddress call back

Co-authored-by: Jakob Botsch Nielsen <[email protected]>
@BruceForstall (Member)

RC2 merge is now done.

ghost locked as resolved and limited conversation to collaborators Dec 7, 2020