Properly guard UpsilonNode unboxed store

[Keno]

In #51852, we are coercing a boxed Union{@NamedTuple{progress::String}, @NamedTuple{progress::Float64}}
to @NamedTuple{progress::String} via convert_julia_type. This results in a jl_cgval_t that has
a Vboxed that points to a boxed @NamedTuple{progress::Float64} but with a @NamedTuple{progress::String}
type tag that the up upsilonnode code then tries to unbox into the typed PhiC slot. This ends up treating
the Float64 as a pointer and crashing in GC. Avoid this by adding a runtime check that the converted value
is actually compatible (we already had this kind of check for the non-boxed cases) and then making the
unboxing runtime-conditional on the type of the union matching the type of the phic.

[vtjnash]

Lgtm. Seems like a couple extraneous return statements added to codegen? But otherwise a good cleanup and fix.

[vtjnash]

Isn't Vboxed potentially nullptr at runtime here? Maybe test that tindex==0x80 instead?

[Keno]

Yes it is. However, tindex==0x80 check isn't sufficient here either. Needs an extra case in emit_exactly_isa to check for null (in this case only).

[gbaraldi]

The underlying inference bug is still present right?

[oscardssmith]

why is this on the backport list? we're pretty sure what this was a big introduced a few weeks ago

[topolarity]

This appears to resolve the more standalone MRE (#51852 (comment)) but not the original one in the issue:

function f(;kwargs...)
    try
        kwargs = rand((values(kwargs), (progress=1.0,)))
    catch
    end
    GC.gc()
    return kwargs
end

f(; progress="0.5")
f(; progress="0.5")
f(; progress="0.5")
f(; progress="0.5")
f(; progress="0.5")

This segfaults for me very reliably locally, with the same signature.

[Keno]

This segfaults for me very reliably locally, with the same signature.

Indeed, although it takes more than one execution for me, so ... progress? I'll take a look.

[oscardssmith]

since it calls rand it only segfaults half the time.

[Keno]

Fair observation.

[Keno]

Updated MRE:

julia> function phic_type5()
           a = (;progress = "a")
           try
               vals = (a, (progress=1.0,))
               a = vals[Base.inferencebarrier(false) ? 1 : 2]
           catch
           end
           GC.gc()
           return a
       end

[Keno]

I managed to fix the MRE, but I found a test case (after fixing a related inference bug that was hiding it) for @vtjnash's comment above, so I'll need to fix that tomorrow before we can merge this.

[Keno]

I'm gonna remove the backport label here. The bug is technically present on 1.10, but we don't have the inference precision to actually see it and I think there is some risk in destabilizing things, esp, since I included that inference precision fix (so it wouldn't backport cleanly anyway).

[Keno]

so I'll need to fix that tomorrow before we can merge this.

I thought about it and it was easier than I thought, so I just did it now.

[topolarity]

What is the inference fix here for? Is it a required part of the change?

[oscardssmith]

The change is in the details of effect convergence.

[Keno]

What is the inference fix here for? Is it a required part of the change?

It's a fix to the logic of the previous phic narrowing PR. It's not required, but without it's not possible to write a test for one of the branches of the codegen fix because it's hidden by the inference issue, so I fixed that too.

[oscardssmith]

CI seems very unhappy about this currently.

[Keno]

@nanosoldier runtests()

[nanosoldier]

The package evaluation job you requested has completed - possible new issues were detected.
The full report is available.

[topolarity]

Another day, another MWE. It looks like the FLoops.jl failure is relevant.

Reduced to:

julia> foo() = try (a = a, b = 2) catch end
foo (generic function with 1 method)

julia> foo()
ERROR: UndefVarError: `a` not defined
Stacktrace:
 [1] foo()
   @ Main ./REPL[1]:1
 [2] top-level scope
   @ REPL[2]:1

Seems like we're incorrectly inferring that the catch block is unreachable.

We then illegally optimize away the try-catch:

julia> @code_typed optimize=false foo()
CodeInfo(
1 ─ %1 = $(Expr(:enter, #4))
2 ─ %2 = (:a, :b)::Core.Const((:a, :b))
│   %3 = Core.apply_type(Core.NamedTuple, %2)::Core.Const(NamedTuple{(:a, :b)})
│   %4 = Core.tuple(Main.a, 2)::Core.PartialStruct(Tuple{Any, Int64}, Any[Any, Core.Const(2)])
│   %5 = (%3)(%4)::NamedTuple{(:a, :b), <:Tuple{Any, Int64}}
└──      $(Expr(:leave, :(%1)))
3 ─      return %5
4 ┄      Core.Const(:($(Expr(:leave, :(%1)))))::Union{}
│        Core.Const(:($(Expr(:pop_exception, :(%1)))))::Union{}
└──      Core.Const(:(return nothing))::Union{}
) => NamedTuple{(:a, :b), <:Tuple{Any, Int64}}

julia> @code_typed optimize=true foo()
CodeInfo(
1 ─      nothing::Nothing
│   %2 = Main.a::Any
│   %3 = Core.tuple(%2, 2)::Tuple{Any, Int64}
│   %4 = Core.typeof(%3)::Type{<:Tuple{Any, Int64}}
│   %5 = Core.apply_type(Core.NamedTuple, (:a, :b), %4)::Type{NamedTuple{(:a, :b), var"#s179"}} where var"#s179"<:Tuple{Any, Int64}
│   %6 = %new(%5, %2, 2)::NamedTuple{(:a, :b), <:Tuple{Any, Int64}}
└──      return %6
) => NamedTuple{(:a, :b), <:Tuple{Any, Int64}}

[Keno]

Ok, that should a quick fix. Looks like we're forgetting that the GlobalRef is not nothrow.

[aviatesk]

Suggested change

	abstract_eval_global(M::Module, s::Symbol) = abstract_eval_globalref_type(GlobalRef(M, s))
	abstract_eval_global_type(M::Module, s::Symbol) = abstract_eval_globalref_type(GlobalRef(M, s))

to reflect the fact that it returns type only? I don't think this definition is being used anywhere though.

[topolarity]

Doesn't this (incorrectly) trap unconditionally trap in the new (v.Vboxed && (v.isboxed || mustbox_union)) case?

This branch seems to be dead at least when compiling the sysimage + stdlibs, but perhaps it'd be a bug if it were exercised?

[Keno]

Can you try to come up with a testcase (or if you can't, you can try pkgevaling this with a compile-time error to find if there's one in the wild).