Incorrect NRE during operations on structures in method marked with AgressiveOptimization #92218
Assignees
Labels
area-CodeGen-coreclr
CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI
bug
Milestone
Comments
dotnet-issue-labeler
bot
added
the
area-CodeGen-coreclr
|
Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch Issue DetailsDescriptionTesting our code on .NET 8 we encountered getting NRE where it is not supposed to be. I managed to write a minimal sample for the test (below). The described behavior is repeated on Preview.7, RC.1, RC.2 (haven't tried other versions, but it works fine on .NET 7) Apparently, the problem is in the generated JIT code, because with optimization enabled, the method generates an explicit reference to address 0. ; Method MutableStructs.Program:TestMethod() (FullOpts)
G_M000_IG01: ;; offset=0x0000
sub rsp, 56
xor eax, eax
mov qword ptr [rsp+0x30], rax
mov qword ptr [rsp+0x28], rax
G_M000_IG02: ;; offset=0x0010
mov qword ptr [rsp+0x30], 420
mov qword ptr [rsp+0x28], 42
mov ecx, 3
call [System.TimeSpan:op_UnaryNegation(System.TimeSpan):System.TimeSpan]
mov rcx, qword ptr [rsp+0x30]
cmp rcx, qword ptr [rsp+0x28]
jl SHORT G_M000_IG04
align [7 bytes for IG03]
G_M000_IG03: ;; offset=0x0040
add qword ptr [0x0000], rax ;; <- NRE
mov rcx, qword ptr [rsp+0x30]
cmp rcx, qword ptr [rsp+0x28]
jge SHORT G_M000_IG03
G_M000_IG04: ;; offset=0x0054
add rsp, 56
ret
; Total bytes of code: 89
Reproduction Stepsusing System.Runtime.CompilerServices;
namespace MutableStructs;
public struct MutableStruct
{
private long _internalValue;
public long InternalValue
{
get => Volatile.Read(ref _internalValue);
private set => Volatile.Write(ref _internalValue, value);
}
public void Add(long value) => AddInternal(value);
private void AddInternal(long value) => InternalValue += value;
public MutableStruct(long value) => InternalValue = value;
}
internal static class Program
{
private static void Main() => TestMethod();
[MethodImpl(MethodImplOptions.AggressiveOptimization)]
private static void TestMethod()
{
var test = new MutableStruct(420);
var from = new MutableStruct(42);
var wrapper = -new TimeSpan(3);
while (test.InternalValue >= from.InternalValue)
{
test.Add(wrapper.Ticks); // <- NRE
}
}
}Expected behaviorThe code is successfully executed Actual behavior
Regression?At least since .NET 7 Known WorkaroundsThe behavior described is quite sensitive to a combination of factors. Small changes will normalize the situation: you can remove Configuration.NET 8 RC.2 Other informationNo response
|
|
It hits an assert on Checked JIT: cc @dotnet/jit-contrib |
|
@AndyAyersMS PTAL |
|
We have an RWM memory op This should produce something like add [rsp + offset(V09)], reg(V10)but this case of |
|
Seems like xarch's diff --git a/src/coreclr/jit/emitxarch.cpp b/src/coreclr/jit/emitxarch.cpp
index ba599c9e465..c1d7e2df5d4 100644
--- a/src/coreclr/jit/emitxarch.cpp
+++ b/src/coreclr/jit/emitxarch.cpp
@@ -5485,6 +5485,13 @@ void emitter::emitInsRMW(instruction ins, emitAttr attr, GenTreeStoreInd* storeI
{
assert(!src->isContained()); // there must be one non-contained src
+ if (addr->isContained() && addr->OperIs(GT_LCL_ADDR))
+ {
+ GenTreeLclVarCommon* lclVar = addr->AsLclVarCommon();
+ emitIns_S_R(ins, attr, src->GetRegNum(), lclVar->GetLclNum(), lclVar->GetLclOffs());
+ return;
+ }
+
// ind, reg
id = emitNewInstrAmd(attr, offset);
emitHandleMemOp(storeInd, id, emitInsModeFormat(ins, IF_ARD_RRD), ins);fixes the test: add qword ptr [rsp+0x30], raxSince this is regression, let me look at what happens in .NET 7. |
|
In .NET 7 we had so it was not driven off of STOREIND. Emitting was done via |
AndyAyersMS
added a commit
to AndyAyersMS/runtime
that referenced
this issue
Sep 18, 2023
Handle the case where we're indirectly updating a local with a value that is not a constant. Fixes dotnet#92218.
ghost
added
the
in-pr
AndyAyersMS
added a commit
that referenced
this issue
Sep 19, 2023
Handle the case where we're indirectly updating a local with a value that is not a constant. Fixes #92218.
ghost
removed
the
in-pr
github-actions bot
pushed a commit
that referenced
this issue
Sep 19, 2023
Handle the case where we're indirectly updating a local with a value that is not a constant. Fixes #92218.
carlossanlop
added a commit
that referenced
this issue
Sep 20, 2023
Handle the case where we're indirectly updating a local with a value that is not a constant. Fixes #92218. Co-authored-by: Andy Ayers <andya@microsoft.com> Co-authored-by: Carlos Sánchez López <1175054+carlossanlop@users.noreply.github.com>
|
@nsentinel thank you for reporting this bug. It should be fixed in the official .NET8 RC2 release which will be available around Oct 10th. The fix should also appear in interim .NET 8 RC2 and .NET 9 builds with versions higher than 23469 (may take a few days for one of these to show up). |
|
@AndyAyersMS Thank you very much for the quick fix! I will check it once it will be available in the daily builds of .NET 8 RC.2 |
|
@nsentinel a fix should be in the recent RC2 builds, let me know if you get chance to try one out. |
|
@AndyAyersMS I apologize for the delay in checking. Didn't have a chance to check it right away as I was going to, although I managed to put daily build on the same day we were discussing. Checked with SDK 8.0.100-rtm.23479.3-win-x64 today with the same source code. The issue was not repeated neither in automatic tests, nor in manual testing, so I think the fix covers all the nuances at least in our code. Thanks again for the quick fix. |
Artromskiy
added a commit
to Artromskiy/runtime
that referenced
this issue
Oct 4, 2023
commit a5b75b8 Author: Jakob Botsch Nielsen <Jakob.botsch.nielsen@gmail.com> Date: Wed Sep 20 22:04:58 2023 +0200 JIT: Fix invalid containment of vector broadcasts (dotnet#92333) The containment checks for vector broadcasts were missing a size check, meaning that a uint broadcast could contain a ubyte/ushort indirection. That would lead to out-of-bounds reads. Fix dotnet#83387 commit 614d864 Author: Stephen Toub <stoub@microsoft.com> Date: Wed Sep 20 15:56:37 2023 -0400 Use Utf8JsonWriterCache in JsonNode.To{Json}String (dotnet#92358) commit c0b5150 Author: Andy Gocke <angocke@microsoft.com> Date: Wed Sep 20 12:46:37 2023 -0700 Bring back CopyOutputSymbolsToPublishDirectory (dotnet#92315) I accidentally removed this property from AOT compilation when adding support for Mac dsym bundles. This change re-enables support for suppressing debugging symbols in the output. Fixes dotnet#92188 commit b4be77b Author: Kunal Pathak <Kunal.Pathak@microsoft.com> Date: Wed Sep 20 10:17:22 2023 -0700 Update the assert for BlendVariable (dotnet#92183) * Update the assert for BlendVariable * Add test cases * Add Sse41.IsSupported check commit e235aef Author: Miha Zupan <mihazupan.zupan1@gmail.com> Date: Wed Sep 20 17:45:31 2023 +0200 Set severity of rule CA1870 to warning (dotnet#92135) * Set severity of rule CA1870 to warning * Replace one more usage in nativeaot corelib * Set severity for tests as well * pragma disable the rule in nativeaot's reflection impl commit 901f780 Author: Ilona Tomkowicz <32700855+ilonatommy@users.noreply.github.com> Date: Wed Sep 20 17:45:01 2023 +0200 [wasm][debugger] Add tests for indexing by object schema (dotnet#92268) * Indexing with object: works. * Update expected line numbers. commit d6ff465 Author: Johan Lorensson <lateralusx.github@gmail.com> Date: Wed Sep 20 17:24:39 2023 +0200 Add missing case for constrained gsharedvt call. (dotnet#92338) dotnet@1b788f4 added a new value to our MonoRgctxInfoType enum type, but appears that all cases where not full adjusted. Running System.Buffers tests in full AOT hits the assert in info_equal about missing case, https://github.com/dotnet/runtime/blob/0dc5903679606b072adac70a268cdb77d1147b3e/src/mono/mono/mini/mini-generic-sharing.c#L2908. This commit adds the new enum value and align handling similar to other cases added by that commit. commit 36ab905 Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com> Date: Wed Sep 20 09:51:37 2023 -0500 Update dependencies from https://github.com/dotnet/installer build 20230919.3 (dotnet#92339) Microsoft.Dotnet.Sdk.Internal From Version 9.0.100-alpha.1.23464.17 -> To Version 9.0.100-alpha.1.23469.3 Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com> commit 32c3355 Author: Stephen Toub <stoub@microsoft.com> Date: Wed Sep 20 09:42:27 2023 -0400 Fix downlevel build break in TensorPrimitives (dotnet#92269) * Fix downlevel build break in TensorPrimitives * Make net6.0 Tensors use ns2.0 implementation * Add net6.0 and net7.0 to Tensors temporarily since those are shipping in 8.0 branch * Only build net6.0 and net7.0 Tensors when not in source-build --------- Co-authored-by: Eric StJohn <ericstj@microsoft.com> commit e8c3052 Author: Matt Thalman <mthalman@microsoft.com> Date: Wed Sep 20 07:45:55 2023 -0500 Update Newtonsoft.Json from 13.0.1 to 13.0.3 (dotnet#92298) commit b4912a7 Author: Zoltan Varga <vargaz@gmail.com> Date: Wed Sep 20 08:12:52 2023 -0400 [wasi] Fix llvm target triple. (dotnet#92256) commit 0dc5903 Author: Artur Zgodziński <bivaro@gmail.com> Date: Wed Sep 20 11:45:46 2023 +0100 Fix trimming of DebuggerDisplay with Name (dotnet#92191) The `Name` and `Type` property of the `DebuggerDisplay` attribute accepts the same format string as its `Value` property, but does not prevent trimming members it references. Thanks to this fix, members referenced by any of these two properties are not trimmed and can be displayed by a debugger. commit 521e1e6 Author: Marie Píchová <11718369+ManickaP@users.noreply.github.com> Date: Wed Sep 20 12:28:18 2023 +0200 [QUIC] Throw ODE if connection/listener is disposed (dotnet#92215) * AcceptConnection/StreamAsync now throw ODE in case the listener/connection was stopped by DisposeAsync. * Fix exception type and make behavior stable for disposal commit d411f50 Author: Stephen Toub <stoub@microsoft.com> Date: Wed Sep 20 06:24:58 2023 -0400 Avoid unnecessary array allocation in JsonHelpers.Utf8GetString on netstandard (dotnet#92304) commit 5883b72 Author: Tarek Mahmoud Sayed <tarekms@microsoft.com> Date: Tue Sep 19 19:52:38 2023 -0700 Fix options Validation with objects have indexers (dotnet#92309) commit fcf7b11 Author: Sven Boemer <sbomer@gmail.com> Date: Tue Sep 19 17:51:32 2023 -0700 Prevent restoring illink for native-binplace.proj (dotnet#92289) Fixes dotnet#92194. The reference to illink from `native-binplace.proj`, built as a reference of `build-native.proj`, was hitting a nuget bug with static graph restore. The bug seems to be specific to something about the project file (maybe the language-specific targets, since `native-binplace.proj` imports the `Microsoft.NET.Sdk`, but doesn't have a `csproj` extension). Fixed by explicitly marking this as not a source project, which will prevent the import of illink.targets. commit b049f42 Author: Egor Bogatov <egorbo@gmail.com> Date: Wed Sep 20 01:39:30 2023 +0200 Fix optSwitchConvert (dotnet#92249) Co-authored-by: Egor <egorbo@Egors-MacBook-Pro.local> commit 41a8e39 Author: Tanner Gooding <tagoo@outlook.com> Date: Tue Sep 19 15:09:19 2023 -0700 Ensure VN handles both forms of the xarch shift instructions for SIMD (dotnet#91601) commit 3b9b4fd Author: Viktor Hofer <viktor.hofer@microsoft.com> Date: Tue Sep 19 23:29:29 2023 +0200 Move portable RID graph into runtime and clean-up (dotnet#92211) * Move portable RID graph into runtime and clean-up 1. Move portable RID graph into runtime 2. Allow updates to both the non-portable and portable RID graphs under source build. 3. Clean-up project and remove hacks * Update README and delete test * Fix RID graph update when the key already exists * Update src/libraries/Microsoft.NETCore.Platforms/readme.md Co-authored-by: Jan Kotas <jkotas@microsoft.com> * Update src/libraries/Microsoft.NETCore.Platforms/readme.md Co-authored-by: Andy Gocke <angocke@microsoft.com> --------- Co-authored-by: Jan Kotas <jkotas@microsoft.com> Co-authored-by: Andy Gocke <angocke@microsoft.com> commit 1185d19 Author: Tanner Gooding <tagoo@outlook.com> Date: Tue Sep 19 13:41:15 2023 -0700 Don't generate AddMask as it requires more explicit consideration of semantics (dotnet#92282) commit a7cafec Author: Carlos Sánchez López <1175054+carlossanlop@users.noreply.github.com> Date: Tue Sep 19 12:14:24 2023 -0700 [main] Bump Microsoft.Private.IntelliSense package version (dotnet#92255) commit 094801e Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com> Date: Tue Sep 19 12:13:49 2023 -0700 [main] Update dependencies from dotnet/runtime dotnet/emsdk dotnet/hotreload-utils dotnet/cecil dotnet/sdk dotnet/source-build-reference-packages (dotnet#92175) * Update dependencies from https://github.com/dotnet/emsdk build 20230915.3 Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport From Version 9.0.0-alpha.1.23457.3 -> To Version 9.0.0-alpha.1.23465.3 * Update dependencies from https://github.com/dotnet/sdk build 20230915.37 Microsoft.DotNet.ApiCompat.Task From Version 9.0.100-alpha.1.23465.4 -> To Version 9.0.100-alpha.1.23465.37 * Update dependencies from https://github.com/dotnet/emsdk build 20230915.3 Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport From Version 9.0.0-alpha.1.23457.3 -> To Version 9.0.0-alpha.1.23465.3 * Update dependencies from https://github.com/dotnet/sdk build 20230916.1 Microsoft.DotNet.ApiCompat.Task From Version 9.0.100-alpha.1.23465.4 -> To Version 9.0.100-alpha.1.23466.1 * Update dependencies from https://github.com/dotnet/emsdk build 20230915.3 Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport From Version 9.0.0-alpha.1.23457.3 -> To Version 9.0.0-alpha.1.23465.3 * Update dependencies from https://github.com/dotnet/sdk build 20230918.4 Microsoft.DotNet.ApiCompat.Task From Version 9.0.100-alpha.1.23465.4 -> To Version 9.0.100-alpha.1.23468.4 * Update dependencies from https://github.com/dotnet/runtime build 20230916.6 Microsoft.DotNet.ILCompiler , Microsoft.NET.ILLink.Tasks , Microsoft.NET.Sdk.IL , Microsoft.NETCore.App.Runtime.win-x64 , Microsoft.NETCore.ILAsm , runtime.native.System.IO.Ports , System.Text.Json From Version 9.0.0-alpha.1.23460.2 -> To Version 9.0.0-alpha.1.23466.6 * Update dependencies from https://github.com/dotnet/source-build-reference-packages build 20230915.1 Microsoft.SourceBuild.Intermediate.source-build-reference-packages From Version 8.0.0-alpha.1.23457.1 -> To Version 9.0.0-alpha.1.23465.1 * Update dependencies from https://github.com/dotnet/emsdk build 20230915.3 Microsoft.NET.Workload.Emscripten.Current.Manifest-9.0.100.Transport From Version 9.0.0-alpha.1.23457.3 -> To Version 9.0.0-alpha.1.23465.3 * Update dependencies from https://github.com/dotnet/hotreload-utils build 20230918.2 Microsoft.DotNet.HotReload.Utils.Generator.BuildTool From Version 8.0.0-alpha.0.23461.1 -> To Version 8.0.0-alpha.0.23468.2 * Update dependencies from https://github.com/dotnet/cecil build 20230918.2 Microsoft.DotNet.Cecil From Version 0.11.4-alpha.23461.1 -> To Version 0.11.4-alpha.23468.2 * Update dependencies from https://github.com/dotnet/sdk build 20230918.31 Microsoft.DotNet.ApiCompat.Task From Version 9.0.100-alpha.1.23465.4 -> To Version 9.0.100-alpha.1.23468.31 * Update dependencies from https://github.com/dotnet/source-build-reference-packages build 20230918.3 Microsoft.SourceBuild.Intermediate.source-build-reference-packages From Version 8.0.0-alpha.1.23457.1 -> To Version 9.0.0-alpha.1.23468.3 --------- Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com> commit 9bd0e0d Author: Jeremy Koritzinsky <jekoritz@microsoft.com> Date: Tue Sep 19 12:11:38 2023 -0700 Remove "Is supported on this TFM" logic from marshalling generators and instead handle it during factory construction (dotnet#91768) Co-authored-by: Jackson Schuster <36744439+jtschuster@users.noreply.github.com> commit 17eff3b Author: Andy Ayers <andya@microsoft.com> Date: Tue Sep 19 11:37:48 2023 -0700 JIT: generalize assert to handle SIMD64 (dotnet#92235) Fixes dotnet#91799. commit 67dbbeb Author: Andy Ayers <andya@microsoft.com> Date: Tue Sep 19 11:30:38 2023 -0700 JIT: add missing xarch RMW case (dotnet#92252) Handle the case where we're indirectly updating a local with a value that is not a constant. Fixes dotnet#92218.
ghost
locked as resolved and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Description
Testing our code on .NET 8 we encountered getting NRE where it is not supposed to be. I managed to write a minimal sample for the test (below). The described behavior is repeated on Preview.7, RC.1, RC.2 (haven't tried other versions, but it works fine on .NET 7)
Apparently, the problem is in the generated JIT code, because with optimization enabled, the method generates an explicit reference to address 0.
Reproduction Steps
Expected behavior
The code is successfully executed
Actual behavior
Unhandled exception. System.NullReferenceException: Object reference not set to an instance of an object. at MutableStructs.Program.TestMethod()Regression?
At least since .NET 7
Known Workarounds
The behavior described is quite sensitive to a combination of factors. Small changes will normalize the situation: you can remove
Volatile, or makeInternalValuean auto property, or not wrapAdd/AddInternalcalls, or use your own structure instead ofTimeSpan- all of the above will remove the issueConfiguration
.NET 8 RC.2
Windows 10 Pro 22H2 x64
12th Gen Intel(R) Core(TM) i9-12900K
Other information
No response
The text was updated successfully, but these errors were encountered: