We should not limit VerifyObjectMember to objects on small object heap only

[cshung]

This potential issue is found by code review.

The VerifyObject call here is used to power the !VerifyObj command.

diagnostics/src/SOS/Strike/gcroot.cpp

Lines 1703 to 1716 in 24cfdb2

	BOOL VerifyObject(const GCHeapDetails &heap, DWORD_PTR objAddr, DWORD_PTR MTAddr, size_t objSize, BOOL bVerifyMember)
	{
	// This is only used by the other VerifyObject function if bVerifyMember is true,
	// so we only initialize it if we need it for verifying object members.
	DacpHeapSegmentData seg;
	if (bVerifyMember)
	{
	// if we fail to find the segment, we cannot verify the object's members
	bVerifyMember = FindSegment(heap, seg, objAddr);
	}
	return VerifyObject(heap, seg, objAddr, MTAddr, objSize, bVerifyMember);
	}

If I read the code correctly, bVerifyMember is reset to FALSE if FindSegment fails. Now FindSegment searches only from the small object heap segments.

diagnostics/src/SOS/Strike/gcroot.cpp

Lines 1642 to 1701 in 24cfdb2

	BOOL FindSegment(const GCHeapDetails &heap, DacpHeapSegmentData &seg, CLRDATA_ADDRESS addr)
	{
	if (heap.has_regions)
	{
	CLRDATA_ADDRESS dwAddrSeg;
	for (UINT n = 0; n <= GetMaxGeneration(); n++)
	{
	dwAddrSeg = (DWORD_PTR)heap.generation_table[n].start_segment;
	while (dwAddrSeg != 0)
	{
	if (IsInterrupt())
	return FALSE;
	if (seg.Request(g_sos, dwAddrSeg, heap.original_heap_details) != S_OK)
	{
	ExtOut("Error requesting heap segment %p\n", SOS_PTR(dwAddrSeg));
	return FALSE;
	}
	if (addr >= TO_TADDR(seg.mem) &&
	addr < (dwAddrSeg == heap.ephemeral_heap_segment ? heap.alloc_allocated : TO_TADDR(seg.allocated)))
	{
	break;
	}
	dwAddrSeg = (DWORD_PTR)seg.next;
	}
	if (dwAddrSeg != 0)
	break;
	}
	}
	else
	{
	CLRDATA_ADDRESS dwAddrSeg = heap.generation_table[GetMaxGeneration()].start_segment;
	// Request the inital segment.
	if (seg.Request(g_sos, dwAddrSeg, heap.original_heap_details) != S_OK)
	{
	ExtOut("Error requesting heap segment %p.\n", SOS_PTR(dwAddrSeg));
	return FALSE;
	}
	// Loop while the object is not in range of the segment.
	while (addr < TO_TADDR(seg.mem) ||
	addr >= (dwAddrSeg == heap.ephemeral_heap_segment ? heap.alloc_allocated : TO_TADDR(seg.allocated)))
	{
	// get the next segment
	dwAddrSeg = seg.next;
	// We reached the last segment without finding the object.
	if (dwAddrSeg == NULL)
	return FALSE;
	if (seg.Request(g_sos, dwAddrSeg, heap.original_heap_details) != S_OK)
	{
	ExtOut("Error requesting heap segment %p.\n", SOS_PTR(dwAddrSeg));
	return FALSE;
	}
	}
	}
	return TRUE;
	}

Yes, the region case has a bug, ignore it for now ...

As GetMaxGeneration() returns 2, this will never search for the large object heap or the pinned object heap. I do not believe this restriction is intentional, since gc_heap::verify_heap in gc.cpp explicitly includes them.

[tommcdon]

@cshung feel free to submit a PR

[Maoni0]

I agree this should include LOH and POH if present. I was looking at this code and noticed that the other check, before we can verify members wrt BGC, also needs to be updated for regions, I've filed issue #2208 to track it.

[cshung]

This comment is meant to explain the work better for the community.

To get started, it is helpful to explain what this work is for. This work is an enhancement of the dotnet-sos tool used for debugging .NET Core applications. Here is a brief instruction on how to get started.

Since we are working on the debugger (technically, just a debugger extension), we do not need to change .NET Core itself, which means we can simply install one online. Here is a link for downloading .NET Core.

We will need a build for this repo, to build this repo, simply use the Build.cmd command.

This description assumes the work is done on Windows.

Once .NET Core is installed, we can create a new HelloWorld project as follow:

mkdir c:\HelloWorld
cd c:\HelloWorld
dotnet new console

This creates a HelloWorld console application. To reproduce the bug, we modify the code as follow:

using System;

namespace HelloWorld
{
    unsafe struct BigObject
    {
        public string s;
        public fixed byte headerBytes[90000];          
    }
    class Program
    {
        static void Main(string[] args)
        {
            Object[] arr = new Object[1];
            BigObject big = new BigObject();
            arr[0] = big;
            System.Diagnostics.Debugger.Break();
        }
    }
}

This program intentionally pause right after creating a large object, giving us opportunity to reproduce the bug.

It should be straightforward to try it out:

dotnet publish --self-contained -r win-x64

Next, we wanted to debug it. To do that, we install the Debugger Tools for Windows.

After installation, we can debug the process as follow:

windbg ...\HelloWorld.exe

The debugger windows should pop up with a command window, just hit g (stands for go) to continue executing the process, the process would launch and then stop at break.

So far, these are all capabilities of the Debugger Tools for Windows. Next, we want to exercise our own code. The component we are using here is named Son of Strike, or sos for short. It is an extension of the Debugger Tools for Windows. By default, the installation comes with a version of it, and we want to use our, therefore, we will unload the one come with the installation first by typing this into the command window:

0:000> .unload sos

Next, we want to load our own, so we type this into the command window:

0:000> .load C:\Dev\diagnostics\artifacts\bin\Windows_NT.x64.Debug\sos.dll

At this point, we will be running our own version of sos.dll. Now let's inspect the objects:

First, we look at the stack to find out where is the object array, it should be the non-null local

0:000> !clrstack -a
OS Thread Id: 0x5414 (0)
        Child SP               IP Call Site
0000003B6DD682E8 00007ff9e6039a92 [HelperMethodFrame: 0000003b6dd682e8] System.Diagnostics.Debugger.BreakInternal()
0000003B6DD683F0 00007ff9957ca66a System.Diagnostics.Debugger.Break() [/_/src/coreclr/src/System.Private.CoreLib/src/System/Diagnostics/Debugger.cs @ 17]

0000003B6DD68420 00007ff94a945ce7 HelloWorld.Program.Main(System.String[]) [C:\HelloWorld\Program.cs @ 17]
    PARAMETERS:
        args (0x0000003B6DD7E420) = 0x000001d500009338
    LOCALS:
        0x0000003B6DD68468 = 0x000001d50000a340
        0x0000003B6DD68470 = 0x0000000000000000

As we expect, the object array has one element and it is the big object we are looking for:

0:000> !DumpObj /d 000001d50000a340
Name:        System.Object[]
MethodTable: 00007ff94a906860
EEClass:     00007ff94a9067c8
Size:        32(0x20) bytes
Array:       Rank 1, Number of elements 1, Type CLASS (Print Array)
Fields:
None

0:000> !DumpArray /d 000001d50000a340
Name:        System.Object[]
MethodTable: 00007ff94a906860
EEClass:     00007ff94a9067c8
Size:        32(0x20) bytes
Array:       Rank 1, Number of elements 1, Type CLASS
Element Methodtable: 00007ff94a900c68
[0] 000001d510001038
0:000> !do 000001d510001038
Name:        HelloWorld.BigObject
MethodTable: 00007ff94aa13990
EEClass:     00007ff94a9ffa98
Size:        90024(0x15fa8) bytes
File:        C:\HelloWorld\bin\Debug\net5.0\win-x64\publish\HelloWorld.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ff94a9c7a90  4000001        8        System.String  0 instance 0000000000000000 s
00007ff94aa138e0  4000002       10 ...es>e__FixedBuffer  1 instance 000001d510001048 headerBytes

The string s is currently null, as expected, now we will intentionally corrupt the object by writing garbage in it and then we confirm the object is indeed corrupted.

0:000> eq 000001d510001038+8 0xdeadbeefdeadbeef
0:000> !do 000001d510001038
Name:        HelloWorld.BigObject
MethodTable: 00007ff94aa13990
EEClass:     00007ff94a9ffa98
Size:        90024(0x15fa8) bytes
File:        C:\HelloWorld\bin\Debug\net5.0\win-x64\publish\HelloWorld.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
00007ff94a9c7a90  4000001        8        System.String  0 instance deadbeefdeadbeef s
00007ff94aa138e0  4000002       10 ...es>e__FixedBuffer  1 instance 000001d510001048 headerBytes

Finally, we get to repro our bug. !VerifyObj is unable to detect the corruption.

0:000> !VerifyObj 000001d510001038
object 000001D510001038 is a valid object

The initial bug description should explain why we have this bug, good luck fixing it :)