Problem
The tvOS arm64 NativeAOT library leg in https://dev.azure.com/dnceng-public/public/_build/results?buildId=1502636 has 163 work items that exit with XHarness code 80 because the application crashes during GC stack walking.
Representative crash reports from AppleHybrid.Tests and System.Runtime.Extensions.Tests show EXC_BAD_INSTRUCTION with SIGILL on AppleTV5,3. The faulting opcode is 0xDAC143E0, which decodes to xpaci x0.
PacStripPtr
StackFrameIterator::InternalInit
Thread::GcScanRoots
GCToEEInterface::GcScanRoots
The affected Apple TV model uses the Apple A8 processor, which does not implement pointer authentication. xpaci is not a hint-space instruction, so executing it on this device raises an illegal-instruction exception.
#128950 introduced this NativeAOT implementation in src/coreclr/nativeaot/Runtime/arm64/MiscStubs.S and src/coreclr/nativeaot/Runtime/arm64/MiscStubs.asm.
PacStripPtr:
xpaci x0
ret
#129130 previously fixed the equivalent CoreCLR implementation by moving the pointer through lr and using xpaclri. The xpaclri encoding is in architectural hint space and acts as a no-op on hardware without pointer authentication. The NativeAOT implementation was added later and did not use that pattern. Current main still contains xpaci x0.
Representative artifacts
Proposed fix
Port the safe CoreCLR PacStripPtr implementation from #129130 to both NativeAOT assembly files.
- Move the input pointer from
x0 to lr.
- Execute
xpaclri, using raw encoding 0xD50320FF where required.
- Move the stripped pointer back to
x0.
- Preserve and restore the caller's original
lr.
- Validate the fix on an
AppleTV5,3 device and on a pointer-authentication-capable arm64 device.
Problem
The tvOS arm64 NativeAOT library leg in https://dev.azure.com/dnceng-public/public/_build/results?buildId=1502636 has 163 work items that exit with XHarness code 80 because the application crashes during GC stack walking.
Representative crash reports from
AppleHybrid.TestsandSystem.Runtime.Extensions.TestsshowEXC_BAD_INSTRUCTIONwithSIGILLonAppleTV5,3. The faulting opcode is0xDAC143E0, which decodes toxpaci x0.The affected Apple TV model uses the Apple A8 processor, which does not implement pointer authentication.
xpaciis not a hint-space instruction, so executing it on this device raises an illegal-instruction exception.#128950 introduced this NativeAOT implementation in
src/coreclr/nativeaot/Runtime/arm64/MiscStubs.Sandsrc/coreclr/nativeaot/Runtime/arm64/MiscStubs.asm.#129130 previously fixed the equivalent CoreCLR implementation by moving the pointer through
lrand usingxpaclri. Thexpaclriencoding is in architectural hint space and acts as a no-op on hardware without pointer authentication. The NativeAOT implementation was added later and did not use that pattern. Currentmainstill containsxpaci x0.Representative artifacts
Proposed fix
Port the safe CoreCLR
PacStripPtrimplementation from #129130 to both NativeAOT assembly files.x0tolr.xpaclri, using raw encoding0xD50320FFwhere required.x0.lr.AppleTV5,3device and on a pointer-authentication-capable arm64 device.