runtime: [HeapVerify=2] Assert failure "Pointer updated without using write barrier"

Hi,

Description

Testcase: GC/API/NoGCRegion/NoGC/NoGC.exe

export CORE_LIBRARIES=/home/zhaixiang/runtime/.dotnet/shared/Microsoft.NETCore.App/5.0.0-preview.6.20264.1
export COMPlus_HeapVerify=2
/home/zhaixiang/runtime/artifacts/bin/coreclr/Linux.arm64.Debug/corerun /home/zhaixiang/coreclr-mips64-dev/bin/tests/Linux.arm64.Debug/GC/API/NoGCRegion/NoGC/NoGC.exe


Workstation on 64-bit with 4 procs
=====allocating 100mb allowing full blocking GC first=====

Calling TryStartNoGCRegion(..) with totalSize = 100 MB
100 MB SUCCEEDED, did 1 gen2 GCs
before GC: 980, after GC: 980
ended no gc region
current GC count: 1955

=====allocating 100mb allowing full blocking GC first Succeeded=====
=====allocating 200mb allowing full blocking GC first=====

Calling TryStartNoGCRegion(..) with totalSize = 200 MB
200 MB SUCCEEDED, did 1 gen2 GCs
before GC: 2938, after GC: 2938
ended no gc region

Assert failure(PID 20106 [0x00004e8a], Thread: 20106 [0x4e8a]): !"Pointer updated without using write barrier"
    File: /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp Line: 38307
    Image: /home/zhaixiang/runtime/artifacts/bin/coreclr/Linux.arm64.Debug/corerun

Aborted

Configuration

• coreclr-mips64-dev, coreclr v3.1.6 and runtime master are able to reproduce the issue.
• Loongnix 1.0 (docker image: aoqi/dotnet-buildtools:loongson3a-loongnix-1.0-llvm8ld) and Ubuntu 16.04.3 LTS
• ARM64 and MIPS64

Other information

Assert failure(PID 20298 [0x00004f4a], Thread: 20298 [0x4f4a]): !"Pointer updated without using write barrier"
    File: /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp Line: 38307
    Image: /home/zhaixiang/runtime/artifacts/bin/coreclr/Linux.arm64.Debug/corerun


Thread 1 "corerun" received signal SIGTRAP, Trace/breakpoint trap.
DBG_DebugBreak () at /home/zhaixiang/runtime/src/coreclr/src/pal/src/arch/arm64/debugbreak.S:8
8	    EMIT_BREAKPOINT
(gdb) bt
#0  DBG_DebugBreak () at /home/zhaixiang/runtime/src/coreclr/src/pal/src/arch/arm64/debugbreak.S:8
#1  0x0000007fb74876d8 in DebugBreak () at /home/zhaixiang/runtime/src/coreclr/src/pal/src/debug/debug.cpp:405
#2  0x0000007fb6d5c878 in DbgAssertDialog (szFile=0x7fb77fc4f8 "/home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp", iLine=38307, szExpr=0x7fb78034df "!\"Pointer updated without using write barrier\"") at /home/zhaixiang/runtime/src/coreclr/src/utilcode/debug.cpp:698
#3  0x0000007fb72b7080 in WKS::testGCShadow (ptr=0x7f1800e4a8) at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:38307
#4  WKS::testGCShadowHelper (x=0x7f1800ae78 "\220\205U>\177") at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:38324
#5  0x0000007fb7287e24 in WKS::checkGCWriteBarrier () at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:38352
#6  0x0000007fb7287644 in WKS::gc_heap::garbage_collect (n=0) at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:17502
#7  0x0000007fb7270848 in WKS::GCHeap::GarbageCollectGeneration (this=0x55555c3780, gen=0, reason=reason_alloc_soh) at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:36873
#8  0x0000007fb7272620 in WKS::gc_heap::trigger_gc_for_alloc (gen_number=0, gr=reason_alloc_soh, msl=0x7fb7b7ec48 <WKS::gc_heap::more_space_lock_soh>, loh_p=false, take_state=WKS::mt_try_budget) at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:13336
#9  0x0000007fb7273994 in WKS::gc_heap::try_allocate_more_space (acontext=0x55555eb028, size=1984, flags=0, gen_number=0) at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:13459
#10 0x0000007fb7273c78 in WKS::gc_heap::allocate_more_space (acontext=0x55555eb028, size=1984, flags=0, alloc_generation_number=0) at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:13895
#11 0x0000007fb72b2790 in WKS::gc_heap::allocate (jsize=1977, acontext=0x55555eb028, flags=0) at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:13926
#12 WKS::GCHeap::Alloc (this=0x55555c3780, context=0x55555eb028, size=1977, flags=0) at /home/zhaixiang/runtime/src/coreclr/src/gc/gc.cpp:35979
#13 0x0000007fb6f3ed28 in Alloc (size=1977, flags=GC_ALLOC_NO_FLAGS) at /home/zhaixiang/runtime/src/coreclr/src/vm/gchelpers.cpp:229
#14 0x0000007fb6f3d368 in AllocateSzArray (pArrayMT=0x7f3e50f0f0, cElements=1953, flags=GC_ALLOC_NO_FLAGS) at /home/zhaixiang/runtime/src/coreclr/src/vm/gchelpers.cpp:484
#15 0x0000007fb6f591f8 in JIT_NewArr1 (arrayMT=0x7f3e50f0f0, size=1953) at /home/zhaixiang/runtime/src/coreclr/src/vm/jithelpers.cpp:2718
#16 0x0000007fb6f58cc8 in JIT_NewArr1VC_MP_FastPortable (arrayMT=0x7f3e50f0f0, size=1953) at /home/zhaixiang/runtime/src/coreclr/src/vm/jithelpers.cpp:2621
#17 0x0000007f3e2d8e68 in ?? ()
#18 0x0000007f18014ad0 in ?? ()
(gdb) x/22i 0x0000007f3e2d8e68-44
   0x7f3e2d8e3c:	ldr	x2, [x2]
   0x7f3e2d8e40:	ldr	x2, [x2,#72]
   0x7f3e2d8e44:	ldr	x2, [x2,#56]
   0x7f3e2d8e48:	blr	x2
   0x7f3e2d8e4c:	str	w0, [x29,#60]
   0x7f3e2d8e50:	ldr	w1, [x29,#60]
   0x7f3e2d8e54:	sxtw	x1, w1
   0x7f3e2d8e58:	mov	x0, #0xf0f0                	// #61680
   0x7f3e2d8e5c:	movk	x0, #0x3e50, lsl #16
   0x7f3e2d8e60:	movk	x0, #0x7f, lsl #32
   0x7f3e2d8e64:	bl	0x7f3e29db10
   0x7f3e2d8e68:	str	x0, [x29,#48]
   0x7f3e2d8e6c:	ldr	x0, [x29,#48]
   0x7f3e2d8e70:	str	x0, [x29,#72]
   0x7f3e2d8e74:	ldr	w0, [x29,#84]
   0x7f3e2d8e78:	ldr	w1, [x29,#88]
   0x7f3e2d8e7c:	cmp	w1, #0x0
   0x7f3e2d8e80:	b.ne	0x7f3e2d8e88
   0x7f3e2d8e84:	bl	0x7f3e29daf0
   0x7f3e2d8e88:	cmn	w1, #0x1
   0x7f3e2d8e8c:	b.ne	0x7f3e2d8ea0
   0x7f3e2d8e90:	cmn	w0, w0

Thanks, Leslie Zhai