Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix duplicated FldSeq in block morphing #62687

Merged
merged 3 commits into from
Dec 16, 2021
Merged

Fix duplicated FldSeq in block morphing #62687

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c4e93e2
Fix duplicated FldSeq in block morphing
SingleAccretion Dec 11, 2021
f48008b
Add a test
SingleAccretion Dec 12, 2021
7dde072
Add a description of the issue to the test
SingleAccretion Dec 16, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions src/coreclr/jit/morphblock.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1259,9 +1259,9 @@ GenTree* MorphCopyBlockHelper::CopyFieldByField()
}
else
{
if (i == 0)
if (i == (fieldCnt - 1))
{
// Use the orginal m_dstAddr tree when i == 0
// Reuse the orginal m_dstAddr tree for the last field.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we assert that we're not reusing an address with a zero offset field seq?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, it is legal for the address to contain a zero-offset sequence before the morphing, so I suppose asserting here would require:

  1. Getting the "base" sequence (essentially perform the reverse of what fgAddFieldSeqForZeroOffset does).
  2. After morphing, loop over all the created address trees and assert that we only added one field to the "base", and all of them are distinct.

I am not sure it is worth the amount of code required. Once #58312 is finished, we will have asserts in VN that would have caught this case.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not a fan of how we handle the zero offset case today. We've had a number of bugs in this area.

Ok by me if it is too hard to check -- just wanted to see if you had any ideas.

dstAddrClone = m_dstAddr;
}
else
Expand Down Expand Up @@ -1381,9 +1381,9 @@ GenTree* MorphCopyBlockHelper::CopyFieldByField()
}
else
{
if (i == 0)
if (i == (fieldCnt - 1))
{
// Use the orginal m_srcAddr tree when i == 0
// Reuse the orginal m_srcAddr tree for the last field.
srcAddrClone = m_srcAddr;
}
else
Expand Down
54 changes: 54 additions & 0 deletions src/tests/JIT/Directed/StructPromote/FldSeqsInPromotedCpBlk.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.

using System.Runtime.CompilerServices;

// In this test, we have a block assignment with a source that is a promoted struct and
// an indirect destination. When morphing it, we would decompose that assignment into a series
// of field assignments: `IND(ADDR) = FirstLngValue; IND(ADDR_CLONE + 8) = SecondLngValue`.
// In the process, we would also attach field sequences to the destination addresses so that VN
// knew to analyze them. That was the part which was susceptible to the bug being tested: morphing
// reused the address node (the "firstElem" LCL_VAR) for the first field, and at the same time
// used it to create more copies for subsequent addresses.
//
// Thus:
// 1) A zero-offset field sequence for the first field was attached to ADDR
// 2) ADDR was cloned, the clone still had the sequence attached
// 3) ADD(ADDR_CLONE [FldSeq FirstLngValue], 8 [FldSeq SecondLngValue]) was created.
//
// And so we ended up with an incorrect FldSeq: [FirstLngValue, SecondLngValue], causing
// VN to wrongly treat the "firstElem = b" store as not modifiying SecondLngValue.
//
// The fix was to reuse the address for the last field instead.

class FldSeqsInPromotedCpBlk
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a comment linking this test to the PR and/or describing the problem this test is supposed to cover?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added one, hopefully it captures the problem precisely enough.

{
public static int Main()
{
PromotableStruct s = default;
return Problem(new PromotableStruct[1]) == 2 ? 100 : 101;
}

[MethodImpl(MethodImplOptions.NoInlining)]
private static long Problem(PromotableStruct[] a)
{
ref var firstElem = ref a[0];

firstElem.SecondLngValue = 1;
var b = new PromotableStruct() { SecondLngValue = 2 };

if (firstElem.SecondLngValue == 1)
{
firstElem = b;
return firstElem.SecondLngValue;
}

return -1;
}
}

struct PromotableStruct
{
public long FirstLngValue;
public long SecondLngValue;
}
13 changes: 13 additions & 0 deletions src/tests/JIT/Directed/StructPromote/FldSeqsInPromotedCpBlk.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<CLRTestPriority>1</CLRTestPriority>
</PropertyGroup>
<PropertyGroup>
<DebugType>None</DebugType>
<Optimize>True</Optimize>
</PropertyGroup>
<ItemGroup>
<Compile Include="$(MSBuildProjectName).cs" />
</ItemGroup>
</Project>