Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JIT: libraries jitstress AV failures #109730

Closed
AndyAyersMS opened this issue Nov 12, 2024 · 3 comments · Fixed by #109714
Closed

JIT: libraries jitstress AV failures #109730

AndyAyersMS opened this issue Nov 12, 2024 · 3 comments · Fixed by #109714
Assignees
@AndyAyersMS
Labels
area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI in-pr There is an active PR which will close this issue when it is merged JitStress CLR JIT issues involving JIT internal stress modes
Milestone
10.0.0

Comments

@AndyAyersMS
Copy link
Member

See eg https://dev.azure.com/dnceng-public/public/_build/results?buildId=867258&view=ms.vss-test-web.build-test-results-tab

windows x64 jitstress 2 (and many others)

DOTNET_JitStress=2
DOTNET_TieredCompilation=0

... 

C:\h\w\A30E091D\w\B1B8091D\e>"C:\h\w\A30E091D\p\dotnet.exe" exec --runtimeconfig System.Text.Json.Tests.runtimeconfig.json --depsfile System.Text.Json.Tests.deps.json xunit.console.dll System.Text.Json.Tests.dll -xml testResults.xml -nologo -nocolor -notrait category=IgnoreForCI -notrait category=OuterLoop -notrait category=failing  
  Discovering: System.Text.Json.Tests (method display = ClassAndMethod, method display options = None)
  Discovered:  System.Text.Json.Tests (found 8722 of 8789 test cases)
  Starting:    System.Text.Json.Tests (parallel test collections = on [4 threads], stop on fail = off)
Fatal error. 0xC0000005
@AndyAyersMS AndyAyersMS added area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI JitStress CLR JIT issues involving JIT internal stress modes labels Nov 12, 2024
@AndyAyersMS AndyAyersMS added this to the 10.0.0 milestone Nov 12, 2024
@AndyAyersMS AndyAyersMS self-assigned this Nov 12, 2024
@AndyAyersMS AndyAyersMS mentioned this issue Nov 12, 2024
Merged
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

@AndyAyersMS
Copy link
Member Author

AndyAyersMS commented Nov 12, 2024
edited
Loading

Looks like m_dfsTree is null when we got to build loop info in VN. Trying to track down how this happens.

Stress mode enables early prop to fold a null check under an explicit throw in a block that is BBJ_THROW. Remorphing during early prop sees the throw and unconditionally converts the block to BBJ_THROW and thinks it has changed control flow, and so invalidates the DFS. VN doesn't expect this and so crashes.

So one possible fix is to teach remorphing that changing a BBJ_THROW to a BBJ_THROW is a no-op, and the DFS is fine. Or we could have VN note if the DFS is invalid and rebuild it.

For now I'm going to do the detection as this seems like a rare case?

Going to add the fix to #109714

@jakobbotsch
Copy link
Member

Note the DFS tree invalidation in morph was added by #106637, so that's what exposed this.

It would probably be a good idea to stop calling morph entirely from early prop, or to skip folding control flow entirely outside global morph.

@dotnet-policy-service dotnet-policy-service bot added the in-pr There is an active PR which will close this issue when it is merged label Nov 12, 2024
AndyAyersMS added a commit that referenced this issue Nov 13, 2024
@AndyAyersMS
JIT: fix inliner profile consistency computation (#109714)
714c5a0 
It's possible for the JIT to inline a profiled inlinee into an unprofiled context, and then have a subsequent inline fold a profiled branch. If so we may see a case where the folded edges don't have profile information.

Tolerate this.

Fixes #109657

Re-morphing of a statement during early-prop may mistakenly believe it has altered the flow graph and so invalidates DFS. Value numbering is not set up to handle this and crashes. Since this seems like a rare occurrence, have morph detect if it has really changed the flowgraph and avoid invalidating the DFS when it hasn't.

Fixes #109730
mikelle-rogers pushed a commit to mikelle-rogers/runtime that referenced this issue Dec 10, 2024
@AndyAyersMS @mikelle-rogers
JIT: fix inliner profile consistency computation (dotnet#109714)
61912ec 
It's possible for the JIT to inline a profiled inlinee into an unprofiled context, and then have a subsequent inline fold a profiled branch. If so we may see a case where the folded edges don't have profile information.

Tolerate this.

Fixes dotnet#109657

Re-morphing of a statement during early-prop may mistakenly believe it has altered the flow graph and so invalidates DFS. Value numbering is not set up to handle this and crashes. Since this seems like a rare occurrence, have morph detect if it has really changed the flowgraph and avoid invalidating the DFS when it hasn't.

Fixes dotnet#109730
@github-actions github-actions bot locked and limited conversation to collaborators Dec 14, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@AndyAyersMS AndyAyersMS

Labels
area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI in-pr There is an active PR which will close this issue when it is merged JitStress CLR JIT issues involving JIT internal stress modes
Projects
None yet
Milestone
10.0.0
Development

Successfully merging a pull request may close this issue.

JIT: fix inliner profile consistency computation AndyAyersMS/runtime
2 participants
@jakobbotsch @AndyAyersMS