From c951ec29bff3a417f7e4afd7aae9a2ce3f43041d Mon Sep 17 00:00:00 2001
From: Jakob Botsch Nielsen
Date: Tue, 13 Aug 2024 17:37:42 +0200
Subject: [PATCH] JIT: Avoid clearing morphed flag in `gtSetEvalOrder` (#106286)

Call morphing calls `gtPrepareCost` as part of `EvalArgsToTemps` and `SortArgs`. These functions are called when visiting the call node in post-order, so clearing `GTF_DEBUG_NODE_MORPHED` here ends up clearing it permanently from subtrees. Since post-order morphing for some nodes can return child nodes, this allows for a scenario where post-order morphing returns a descendant node that has had its `GTF_DEBUG_NODE_MORPHED` flag cleared. Fix it by not clearing the flag.

Fix #106278
---
 src/coreclr/jit/gentree.cpp | 5 ---
 .../JitBlue/Runtime_106278/Runtime_106278.cs | 31 +++++++++++++++++++
 .../Runtime_106278/Runtime_106278.csproj | 8 +++++
 3 files changed, 39 insertions(+), 5 deletions(-)
 create mode 100644 src/tests/JIT/Regression/JitBlue/Runtime_106278/Runtime_106278.cs
 create mode 100644 src/tests/JIT/Regression/JitBlue/Runtime_106278/Runtime_106278.csproj

diff --git a/src/coreclr/jit/gentree.cpp b/src/coreclr/jit/gentree.cpp
index aaf67c59530b0..df22bed4b3d5e 100644
--- a/src/coreclr/jit/gentree.cpp
+++ b/src/coreclr/jit/gentree.cpp
@@ -4904,11 +4904,6 @@ unsigned Compiler::gtSetEvalOrder(GenTree* tree)
         return gtSetEvalOrderMinOpts(tree);
     }
 
-#ifdef DEBUG
-    /* Clear the GTF_DEBUG_NODE_MORPHED flag as well */
-    tree->gtDebugFlags &= ~GTF_DEBUG_NODE_MORPHED;
-#endif
-
     /* Is this a FP value? */
 
     bool isflt = varTypeIsFloating(tree->TypeGet());
diff --git a/src/tests/JIT/Regression/JitBlue/Runtime_106278/Runtime_106278.cs b/src/tests/JIT/Regression/JitBlue/Runtime_106278/Runtime_106278.cs
new file mode 100644
index 0000000000000..a0a7e2a4873f5
--- /dev/null
+++ b/src/tests/JIT/Regression/JitBlue/Runtime_106278/Runtime_106278.cs
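Review bot: With the `#ifdef DEBUG` block gone, nothing at this spot records why `gtSetEvalOrder` must not reset `GTF_DEBUG_NODE_MORPHED`, so a later cleanup could reintroduce the clear; a short comment where the block was removed would keep the reasoning next to the code: `// Do not clear GTF_DEBUG_NODE_MORPHED here: call morphing reaches this in post-order, and a clear would strip the flag from already-morphed subtrees (#106278).` If any other caller relied on this function to reset the flag before a tree is morphed a second time (not visible from the hunk), the morph-time "Did not morph this node" check would no longer catch a skipped node on that path, so the remaining callers of `gtSetEvalOrder` deserve a quick look. The body of `gtSetEvalOrder` continues on both sides of this hunk.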
@@ -0,0 +1,31 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+// Generated by Fuzzlyn v2.2 on 2024-08-12 14:54:43
+// Run on X64 Windows
+// Seed: 16070819126771301687-vectort,vector128,vector256,x86aes,x86avx,x86avx2,x86avx512bw,x86avx512bwvl,x86avx512cd,x86avx512cdvl,x86avx512dq,x86avx512dqvl,x86avx512f,x86avx512fvl,x86avx512fx64,x86bmi1,x86bmi1x64,x86bmi2,x86bmi2x64,x86fma,x86lzcnt,x86lzcntx64,x86pclmulqdq,x86popcnt,x86popcntx64,x86sse,x86ssex64,x86sse2,x86sse2x64,x86sse3,x86sse41,x86sse41x64,x86sse42,x86sse42x64,x86ssse3,x86x86base
+// Reduced from 61.3 KiB to 0.3 KiB in 00:01:27
+// Hits JIT assert in Release:
+// Assertion failed '(tree->gtDebugFlags & GTF_DEBUG_NODE_MORPHED) && "ERROR: Did not morph this node!"' in 'Program:Main(Fuzzlyn.ExecutionServer.IRuntime)' during 'Morph - Global' (IL size 18; hash 0xade6b36b; FullOpts)
+//
+// File: D:\a\_work\1\s\src\coreclr\jit\morph.cpp Line: 12664
+//
+
+using System;
+using Xunit;
+
+public class Runtime_106278
+{
+    [Fact]
+    public static void TestEntryPoint()
+    {
+        try
+        {
+            int[] vr0 = default(int[]);
+            double vr1 = -1216.4287239109472d % vr0[0];
+        }
+        catch (NullReferenceException)
+        {
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/tests/JIT/Regression/JitBlue/Runtime_106278/Runtime_106278.csproj b/src/tests/JIT/Regression/JitBlue/Runtime_106278/Runtime_106278.csproj
new file mode 100644
index 0000000000000..15edd99711a1a
--- /dev/null
+++ b/src/tests/JIT/Regression/JitBlue/Runtime_106278/Runtime_106278.csproj
@@ -0,0 +1,8 @@
+
+
+    True
+
+
+
+
+
\ No newline at end of file
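Review bot: `TestEntryPoint` only checks that the method can be jitted without the morph assert firing: the `catch (NullReferenceException)` on the new side swallows the exception, so a build in which `vr0[0]` did not throw would pass just as well. Since the repro depends on the IL shape of this method, moving the body into an `Assert.Throws` lambda would change what gets jitted; a flag kept inside the method is less intrusive — `bool threw = false;` before the `try`, `threw = true;` in the `catch`, and `Assert.True(threw);` after it — though even that small change should be re-checked against the original assert before the fix. The file also ends without a trailing newline (`\ No newline at end of file`).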