Fix iOS arm64 CoreCLR crash from shared MethodDesc::CalliCookie slot#127876
Open
kotlarmilos wants to merge 3 commits intodotnet:mainfrom
Open
Fix iOS arm64 CoreCLR crash from shared MethodDesc::CalliCookie slot#127876kotlarmilos wants to merge 3 commits intodotnet:mainfrom
kotlarmilos wants to merge 3 commits intodotnet:mainfrom
Conversation
PR dotnet#127016 added a new writer to MethodDescCodeData::CalliCookie in CInterpreterJitInfo::GetCookieForInterpreterCalliSig that caches a per-calli-signature CallStubHeader* on the P/Invoke target MethodDesc. The same slot already has writers/readers that key on different signatures (UpdateCallStubForMethod for InvokeManagedMethod / InvokeDelegateInvokeMethod, and the FEATURE_PORTABLE_ENTRYPOINTS INTOP_CALLI path / wasm/helpers.cpp using MetaSig(targetMethod)). First-writer-wins meant later readers dispatched through an incompatible Routines array and CallJittedMethodRetI8 jumped to a PCODE 0 entry. On iOS arm64 device this surfaces as EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE at 0x0 → CODESIGNING / Invalid Page → SIGKILL (CS_KILL on app-bundle processes). Drop the pContextMD->{Set,Get}CalliCookie reads/writes in GetCookieForInterpreterCalliSig. The function now always computes the cookie via GetCookieForCalliSig(sig, pContextMD), matching pre-dotnet#127016 behavior. pContextMD is still passed so Swift calling-convention detection is preserved. Fixes dotnet#127869 (and the duplicates dotnet#127863 / dotnet#127867). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
Tagging subscribers to this area: @JulieLeeMSFT, @BrzVlad, @janvorli, @kg |
kotlarmilos
requested review from
AaronAstle,
AaronRobinsonMSFT,
jkotas and
radekdoulik
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Member
|
Github does not allow me to comment on this PR inline for some reason (hitting internal github errors). A better wording of the comment: |
jkotas
approved these changes
May 6, 2026
kotlarmilos
commented
May 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
PR #127016 updated
MethodDescCodeData::CallStubadded a new writer inCInterpreterJitInfo::GetCookieForInterpreterCalliSigthat caches a calli signatureCallStubHeader*on the P/Invoke targetMethodDesc.PR #127016 added a small "calli cookie" cache. Each managed method has one slot where this cookie is stored. The problem is that two different parts of the runtime now write to that one slot:
calliinstruction inside an IL stub.On iOS, when an app tries to execute address 0 the kernel does not give us a normal crash. It assumes the page is unsigned/tampered and kills the process with
SIGKILLand aCODESIGNING / Invalid Pagereason.Proposed fix
Drop the new
pContextMD->{Set,Get}CalliCookiecache reads/writes inCInterpreterJitInfo::GetCookieForInterpreterCalliSig. The function now always computes the cookie viaGetCookieForCalliSig(sig, pContextMD), matching pre-#127016 behavior.Fixes #127869 #127863 #127867