Fix analyzer treatment of flow captures of arrays #93420
Conversation
dotnet-issue-labeler
bot
added
the
area-Tools-ILLink
ghost
added
the
linkable-framework
|
Tagging subscribers to this area: @agocke, @sbomer, @vitek-karas Issue Details#93259 uncovered an issue around how the analyzer tracks arrays. It hit an analyzer assert while trying to create an l-value flow capture of another flow capture reference, which should never happen as far as I understand. The assert was firing for Now tested in TestNullCoalescingAssignment: (arr ??= arr2)[0] = typeof (V);The CFG had three flow captures:
flowchart TD
style 0 text-align: left;
0("<code></code>")
style 1 text-align: left;
1("<code> LocalReferenceOperation: arr = new Type[1] { typeof (T) }
LiteralOperation: 1
TypeOfOperation: typeof (T)
ArrayInitializerOperation: { typeof (T) }
ArrayCreationOperation: new Type[1] { typeof (T) }
SimpleAssignmentOperation: arr = new Type[1] { typeof (T) }
LocalReferenceOperation: arr2 = new Type[1] { typeof (U) }
LiteralOperation: 1
TypeOfOperation: typeof (U)
ArrayInitializerOperation: { typeof (U) }
ArrayCreationOperation: new Type[1] { typeof (U) }
SimpleAssignmentOperation: arr2 = new Type[1] { typeof (U) }
</code>")
0 --> 1
style 2 text-align: left;
2("<code> LocalReferenceOperation: arr
FlowCaptureOperation: arr (0)
</code>")
1 --> 2
style 3 text-align: left;
3("<code> FlowCaptureReferenceOperation: arr (0)
FlowCaptureOperation: arr (1)
FlowCaptureReferenceOperation: arr (1)
IsNullOperation: arr
</code>")
2 --> 3
style 4 text-align: left;
4("<code> FlowCaptureReferenceOperation: arr (1)
FlowCaptureOperation: arr ??= arr2 (2)
</code>")
3 --> 4
style 5 text-align: left;
5("<code> FlowCaptureReferenceOperation: arr (0)
LocalReferenceOperation: arr2
SimpleAssignmentOperation: arr ??= arr2
FlowCaptureOperation: arr ??= arr2 (2)
</code>")
3 --> 5
style 6 text-align: left;
6("<code> FlowCaptureReferenceOperation: arr ??= arr2 (2)
LiteralOperation: 0
ArrayElementReferenceOperation: (arr ??= arr2)[0]
TypeOfOperation: typeof (V)
SimpleAssignmentOperation: (arr ??= arr2)[0] = typeof (V)
ExpressionStatementOperation: (arr ??= arr2)[0] = typeof (V);
</code>")
4 --> 6
5 --> 6
style 7 text-align: left;
7("<code> LocalReferenceOperation: arr
LiteralOperation: 0
ArrayElementReferenceOperation: arr[0]
ArgumentOperation: arr[0]
InvocationOperation: arr[0].RequiresAll ()
ExpressionStatementOperation: arr[0].RequiresAll ();
LocalReferenceOperation: arr2
LiteralOperation: 0
ArrayElementReferenceOperation: arr2[0]
ArgumentOperation: arr2[0]
InvocationOperation: arr2[0].RequiresPublicFields ()
ExpressionStatementOperation: arr2[0].RequiresPublicFields ();
</code>")
6 --> 7
style 8 text-align: left;
8("<code></code>")
7 --> 8
The bug, I believe, is that capture 2 should have been an r-value flow capture instead. Even though it's used for writing to the array, the assignment doesn't modify the array pointer represented by this capture - it dereferences this pointer and modifies the array. This was introduced by my modifications to the l-value detection logic in #90287. This undoes that portion of the change so that capture 2 is now treated as an r-value capture.
|
| @@ -235,45 +235,11 @@ TValue ProcessSingleTargetAssignment (IOperation targetOperation, ISimpleAssignm | |||
| if (arrayElementRef.Indices.Length != 1) | |||
| break; | |||
|
|
|||
| // Similarly to VisitSimpleAssignment, this needs to handle cases where the array reference | |||
There was a problem hiding this comment.
This logic is no longer needed now that the array reference should never be an l-value capture. If the array reference is a flow capture, it should be an r-value capture, handled in the normal visitor logic.
There was a problem hiding this comment.
By this you mean, that the array (LHS) part of the ArrayReference should be an rvalue, right? Not the thing as a whole?
There was a problem hiding this comment.
Exactly - the (arr ?? arr2) temp should be an r-value, while (arr ?? arr2)[0] should be an l-value. At least that's how I think it should work after pondering this for a while, and is the behavior in the PR. ;)
| // Analysis hole: https://github.com/dotnet/runtime/issues/90335 | ||
| // The array element assignment assigns to a temp array created as a copy of | ||
| // arr1 or arr2, and writes to it aren't reflected back in arr1/arr2. | ||
| static void TestArrayElementAssignment (bool b = true) |
There was a problem hiding this comment.
Test moved from ByRefDataflow. Note this introduces a behavior change: analyzer no longer produces warnings for the GetWithPublicMethods value, bringing it closer to the ILLink/ILCompiler behavior. Once we fix the tracking of reference types, it should fix all three.
There was a problem hiding this comment.
I must admit this is a bit too much compiler theory for me :-)
I think it does make sense, but it would be really good if @agocke could also take a look at this.
src/tools/illink/src/ILLink.RoslynAnalyzer/DataFlow/LocalDataFlowVisitor.cs
Outdated
Show resolved
Hide resolved
|
Looking.... Also, cool Mermaid graph :) |
| @@ -235,45 +235,11 @@ TValue ProcessSingleTargetAssignment (IOperation targetOperation, ISimpleAssignm | |||
| if (arrayElementRef.Indices.Length != 1) | |||
| break; | |||
|
|
|||
| // Similarly to VisitSimpleAssignment, this needs to handle cases where the array reference | |||
There was a problem hiding this comment.
By this you mean, that the array (LHS) part of the ArrayReference should be an rvalue, right? Not the thing as a whole?
|
The browser-wasm monointerpreter leg is hitting #93134. |
#93259 uncovered an issue around how the analyzer tracks arrays. It hit an analyzer assert while trying to create an l-value flow capture of another flow capture reference, which should never happen as far as I understand. The assert was firing for
runtime/src/libraries/System.Private.CoreLib/src/System/IO/RandomAccess.Windows.cs
Line 511 in 946c524
Now tested in TestNullCoalescingAssignment:
The CFG had three flow captures:
arr. Used later in the branch that assignsarr2toarr.arr ??= arr2, used to write index 0 of the array.arr2)flowchart TD style 0 text-align: left; 0("<code></code>") style 1 text-align: left; 1("<code> LocalReferenceOperation: arr = new Type[1] { typeof (T) } LiteralOperation: 1 TypeOfOperation: typeof (T) ArrayInitializerOperation: { typeof (T) } ArrayCreationOperation: new Type[1] { typeof (T) } SimpleAssignmentOperation: arr = new Type[1] { typeof (T) } LocalReferenceOperation: arr2 = new Type[1] { typeof (U) } LiteralOperation: 1 TypeOfOperation: typeof (U) ArrayInitializerOperation: { typeof (U) } ArrayCreationOperation: new Type[1] { typeof (U) } SimpleAssignmentOperation: arr2 = new Type[1] { typeof (U) } </code>") 0 --> 1 style 2 text-align: left; 2("<code> LocalReferenceOperation: arr FlowCaptureOperation: arr (0) </code>") 1 --> 2 style 3 text-align: left; 3("<code> FlowCaptureReferenceOperation: arr (0) FlowCaptureOperation: arr (1) FlowCaptureReferenceOperation: arr (1) IsNullOperation: arr </code>") 2 --> 3 style 4 text-align: left; 4("<code> FlowCaptureReferenceOperation: arr (1) FlowCaptureOperation: arr ??= arr2 (2) </code>") 3 --> 4 style 5 text-align: left; 5("<code> FlowCaptureReferenceOperation: arr (0) LocalReferenceOperation: arr2 SimpleAssignmentOperation: arr ??= arr2 FlowCaptureOperation: arr ??= arr2 (2) </code>") 3 --> 5 style 6 text-align: left; 6("<code> FlowCaptureReferenceOperation: arr ??= arr2 (2) LiteralOperation: 0 ArrayElementReferenceOperation: (arr ??= arr2)[0] TypeOfOperation: typeof (V) SimpleAssignmentOperation: (arr ??= arr2)[0] = typeof (V) ExpressionStatementOperation: (arr ??= arr2)[0] = typeof (V); </code>") 4 --> 6 5 --> 6 style 7 text-align: left; 7("<code> LocalReferenceOperation: arr LiteralOperation: 0 ArrayElementReferenceOperation: arr[0] ArgumentOperation: arr[0] InvocationOperation: arr[0].RequiresAll () ExpressionStatementOperation: arr[0].RequiresAll (); LocalReferenceOperation: arr2 LiteralOperation: 0 ArrayElementReferenceOperation: arr2[0] ArgumentOperation: arr2[0] InvocationOperation: arr2[0].RequiresPublicFields () ExpressionStatementOperation: arr2[0].RequiresPublicFields (); </code>") 6 --> 7 style 8 text-align: left; 8("<code></code>") 7 --> 8The bug, I believe, is that capture 2 should have been an r-value flow capture instead. Even though it's used for writing to the array, the assignment doesn't modify the array pointer represented by this capture - it dereferences this pointer and modifies the array. This was introduced by my modifications to the l-value detection logic in #90287.
This undoes that portion of the change so that capture 2 is now treated as an r-value capture. This simplifies the array element assignment logic so that it no longer can see an assignment where the array is an l-value.
Fixes #93420 by adding an explicit check for
IsInitializationso that we don't hit the related asserts for string interpolation handlers.