JIT: Assertion failed '!"Bad CastToType() in gtFoldExprConst() for a cast from long"

[jakobbotsch]

// Generated by Fuzzlyn v1.6 on 2023-08-18 14:29:26
// Run on X64 Windows
// Seed: 8230539981346104025
// Reduced from 106.2 KiB to 0.3 KiB in 00:00:51
// Hits JIT assert in Release:
// Assertion failed '!"Bad CastToType() in gtFoldExprConst() for a cast from long"' in 'Program:Main(Fuzzlyn.ExecutionServer.IRuntime)' during 'Morph - Global' (IL size 43; hash 0xade6b36b; FullOpts)
//
//     File: C:\dev\dotnet\runtime4\src\coreclr\jit\gentree.cpp Line: 15048
//
using System.Runtime.CompilerServices;

public struct S1
{
    public ulong F0;
}

public class Program
{
    public static void Main()
    {
        S1 vr2 = new S1();
        bool vr3 = Unsafe.ReadUnaligned<bool>(ref Unsafe.As<ulong, byte>(ref vr2.F0));
        System.Console.WriteLine(vr3);
    }
}

[ghost]

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Issue Details

---

// Generated by Fuzzlyn v1.6 on 2023-08-18 14:29:26
// Run on X64 Windows
// Seed: 8230539981346104025
// Reduced from 106.2 KiB to 0.3 KiB in 00:00:51
// Hits JIT assert in Release:
// Assertion failed '!"Bad CastToType() in gtFoldExprConst() for a cast from long"' in 'Program:Main(Fuzzlyn.ExecutionServer.IRuntime)' during 'Morph - Global' (IL size 43; hash 0xade6b36b; FullOpts)
//
//     File: C:\dev\dotnet\runtime4\src\coreclr\jit\gentree.cpp Line: 15048
//
using System.Runtime.CompilerServices;

public struct S1
{
    public ulong F0;
}

public class Program
{
    public static void Main()
    {
        S1 vr2 = new S1();
        bool vr3 = Unsafe.ReadUnaligned<bool>(ref Unsafe.As<ulong, byte>(ref vr2.F0));
        System.Console.WriteLine(vr3);
    }
}

Author:	jakobbotsch
Assignees:	-
Labels:	area-CodeGen-coreclr, untriaged
Milestone:	-

[EgorBo]

*************** Starting PHASE Morph - Structs/AddrExp
LocalAddressVisitor visiting statement:
STMT00000 ( 0x000[E-] ... 0x003 )
               [000002] DA---------                         *  STORE_LCL_VAR struct<S1, 8>(P) V00 loc0         
                                                            *    long   field V00.F0 (fldOffset=0x0) -> V02 tmp1         
               [000001] -----------                         \--*  CNS_INT   int    0

LocalAddressVisitor visiting statement:
STMT00001 ( 0x008[E-] ... 0x01E )
               [000006] --C-G------                         *  CALL      void   System.Console:WriteLine(bool)
               [000005] U---G------ arg0                    \--*  IND       bool  
               [000004] -----------                            \--*  FIELD_ADDR byref  S1:F0
               [000003] -----------                               \--*  LCL_ADDR  byref  V00 loc0         [+0]
                                                                     *    long   field V00.F0 (fldOffset=0x0) -> V02 tmp1         
Replacing the field in promoted struct with local var V02
LocalAddressVisitor modified statement:
STMT00001 ( 0x008[E-] ... 0x01E )
               [000006] --C-G------                         *  CALL      void   System.Console:WriteLine(bool)
               [000008] ----------- arg0                    \--*  CAST      int <- bool <- long
               [000004] -----------                            \--*  LCL_VAR   long   V02 tmp1         

[EgorBo]

Looks like

            case IndirTransform::NarrowCast:
                assert(varTypeIsIntegral(indir));
                assert(varTypeIsIntegral(varDsc));
                assert(genTypeSize(varDsc) >= genTypeSize(indir));
                assert(!isDef);

                lclNode = indir->gtGetOp1()->BashToLclVar(m_compiler, lclNum);
                *use    = m_compiler->gtNewCastNode(genActualType(indir), lclNode, false, indir->TypeGet());
                break;

is the culprit since it woud have to do two casts due to small type?

[jakobbotsch]

@EgorBo It works if you change ReadUnaligned<bool>(ref Unsafe.As<long, byte> to Unsafe.As<long, bool>. I think the problem is how ReadUnaligned and co. were intrinsified, probably TYP_BOOL needs to be changed to TYP_BYTE when we create the loads.

[jakobbotsch]

Hmm, we do create TYP_BOOL indirections in other places, so perhaps the folding in gtFoldExprConst should just be taught about it.

[EgorBo]

so CAST int <- bool <- long is a legal IR node?

Ah, I see it is.

[jakobbotsch]

I don't think we should be creating TYP_BOOL indirections for Read/ReadUnaligned<bool>. If stored to a bool it will cause us to retain lvIsBoolean on the destination's LclVarDsc which seems to imply that we can assume the value is 0 or 1 which is certainly not true for Read/ReadUnaligned. optimizebools.cpp looks to have a few transformations that are illegal for non-1 trues that kick in when this field is true.

[SingleAccretion]

which seems to imply that we can assume the value is 0 or 1 which is certainly not true for Read/ReadUnaligned

Note that this is not true for TYP_BOOL in general. TYP_BOOL is a lie and the fact optimizebools relies on it is a correctness hole (in the presence of non-canonical booleans).

[MichalPetryka]

I don't think we should be creating TYP_BOOL indirections for Read/ReadUnaligned<bool>. If stored to a bool it will cause us to retain lvIsBoolean on the destination's LclVarDsc which seems to imply that we can assume the value is 0 or 1 which is certainly not true for Read/ReadUnaligned. optimizebools.cpp looks to have a few transformations that are illegal for non-1 trues that kick in when this field is true.

Should we introduce a test for this? Something like:

byte byte2 = 2;
Assert(1 == (Unsafe.ReadUnaligned<byte>(ref byte2) ? 1 : 0));