[Crossgen2] AV in Loader\classloader\generics\Instantiation\Positive\NestedInterface07

[trylek]

Example run: https://dev.azure.com/dnceng/public/_build/results?buildId=1127214&view=ms.vss-test-web.build-test-results-tab

OS: All
Architecture: All (at least x64 and arm64 are demonstrated by the example run)

Diagnostic info:

(75e0.6a68): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for D:\git\runtime2\artifacts\tests\coreclr\windows.x64.Debug\Tests\Core_Root\System.Private.CoreLib.dll
*** WARNING: Unable to verify checksum for D:\git\runtime2\artifacts\tests\coreclr\windows.x64.Release\Loader\classloader\generics\Instantiation\Positive\NestedInterface07\NestedInterface07.dll
CLRStub[VSD_ResolveStub]@7ffcf627b170:
00007ffc`f627b170 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000001=????????????????
0:000> k
*** WARNING: Unable to verify checksum for D:\git\runtime2\artifacts\tests\coreclr\windows.x64.Debug\Tests\Core_Root\coreclr.dll
 # Child-SP          RetAddr               Call Site
00 000000e0`fa17d2c8 00007ffd`56ba4630     CLRStub[VSD_ResolveStub]@7ffcf627b170
01 000000e0`fa17d2d0 00007ff6`8cbf21b5     System_Private_CoreLib!System.Type.Equals(System.Type)+0x30 [D:\git\runtime2\src\libraries\System.Private.CoreLib\src\System\Type.cs @ 542] 
02 000000e0`fa17d310 00007ff6`8cbf1e22     NestedInterface07!Gen`1[[System.__Canon, System.Private.CoreLib]].InstVerify(System.Type)+0x35 [D:\git\runtime2\src\tests\Loader\classloader\generics\Instantiation\Positive\NestedInterface07.cs @ 45] 
03 000000e0`fa17d360 00007ffd`551cf463     NestedInterface07!Test.Main()+0x1d2 [D:\git\runtime2\src\tests\Loader\classloader\generics\Instantiation\Positive\NestedInterface07.cs @ 88] 
04 000000e0`fa17d400 00007ffd`54beb89e     coreclr!CallDescrWorkerInternal+0x83
05 000000e0`fa17d440 00007ffd`54bec554     coreclr!CallDescrWorkerWithHandler+0x12e [D:\git\runtime2\src\coreclr\vm\callhelpers.cpp @ 74] 
06 000000e0`fa17d4a0 00007ffd`54793baa     coreclr!MethodDescCallSite::CallTargetWorker+0xca4 [D:\git\runtime2\src\coreclr\vm\callhelpers.cpp @ 550] 
07 000000e0`fa17dd00 00007ffd`547a2096     coreclr!MethodDescCallSite::Call_RetArgSlot+0x11a [D:\git\runtime2\src\coreclr\vm\callhelpers.h @ 458] 
08 000000e0`fa17de60 00007ffd`547a1a59     coreclr!RunMainInternal+0x296 [D:\git\runtime2\src\coreclr\vm\assembly.cpp @ 1481] 
09 000000e0`fa17e060 00007ffd`547a1b51     coreclr!``RunMain'::`30'::__Body::Run'::`5'::__Body::Run+0x59 [D:\git\runtime2\src\coreclr\vm\assembly.cpp @ 1549] 
0a 000000e0`fa17e0b0 00007ffd`547a1d81     coreclr!`RunMain'::`30'::__Body::Run+0xa1 [D:\git\runtime2\src\coreclr\vm\assembly.cpp @ 1551] 
0b 000000e0`fa17e150 00007ffd`5479792d     coreclr!RunMain+0x1c1 [D:\git\runtime2\src\coreclr\vm\assembly.cpp @ 1551] 
0c 000000e0`fa17e250 00007ffd`548a8b0d     coreclr!Assembly::ExecuteMainMethod+0x50d [D:\git\runtime2\src\coreclr\vm\assembly.cpp @ 1661] 
0d 000000e0`fa17e880 00007ffd`55508a68     coreclr!CorHost2::ExecuteAssembly+0x60d [D:\git\runtime2\src\coreclr\vm\corhost.cpp @ 384] 
0e 000000e0`fa17ed80 00007ff7`3ad5428e     coreclr!coreclr_execute_assembly+0x138 [D:\git\runtime2\src\coreclr\dlls\mscoree\unixinterface.cpp @ 446] 
0f 000000e0`fa17ee70 00007ff7`3ad57ea8     corerun!run+0xfee [D:\git\runtime2\src\coreclr\hosts\corerun\corerun.cpp @ 371] 
10 000000e0`fa17f910 00007ff7`3ad591c9     corerun!wmain+0x108 [D:\git\runtime2\src\coreclr\hosts\corerun\corerun.cpp @ 553] 
11 000000e0`fa17fa30 00007ff7`3ad5906e     corerun!invoke_main+0x39 [d:\agent\_work\49\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 91] 
12 000000e0`fa17fa80 00007ff7`3ad58f2e     corerun!__scrt_common_main_seh+0x12e [d:\agent\_work\49\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
13 000000e0`fa17faf0 00007ff7`3ad5925e     corerun!__scrt_common_main+0xe [d:\agent\_work\49\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 331] 
14 000000e0`fa17fb20 00007ffd`d08b7034     corerun!wmainCRTStartup+0xe [d:\agent\_work\49\s\src\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17] 
15 000000e0`fa17fb50 00007ffd`d0a62651     KERNEL32!BaseThreadInitThunk+0x14 [clientcore\base\win32\client\thread.c @ 64] 
16 000000e0`fa17fb80 00000000`00000000     ntdll!RtlUserThreadStart+0x21 [minkernel\ntdll\rtlstrt.c @ 1153] 

I have locally verified that the test passes with a rollback of #52210. @AndyAyersMS, do we need to make changes to the JIT interface matching your JIT change?

Thanks

Tomas

cc @dotnet/crossgen-contrib, @dotnet/jit-contrib

[mangod9]

Andy fixed a related issue earlier today, not sure if that resolves this too: #52450 ?

[trylek]

Crossgen1 R2RDump: https://gist.github.com/trylek/436f16484e7e4756308bed1aea0dae30
Crossgen2 R2RDump: https://gist.github.com/trylek/15f057a22fb3c7dd6114369dd12e0c60

The only significant difference I see is in Test.Main where the Crossgen2 version has a bit that's absent in the Crossgen1 version:

    011c:  lea     r11, [bool Outer+IGen`1.InstVerify(System.Type) (VIRTUAL_ENTRY)]
    0123:  call    qword ptr [bool Outer+IGen`1.InstVerify(System.Type) (VIRTUAL_ENTRY)]
    0129:  movzx   ecx, al
    012c:  call    qword ptr [void Test.Eval(bool) (METHOD_ENTRY)]
    0132:  xorps   xmm0, xmm0
    0135:  movups  xmmword ptr [rsp + 112], xmm0
    013a:  xorps   xmm0, xmm0
    013d:  movups  xmmword ptr [rsp + 72], xmm0
    0142:  lea     rcx, [rsp + 72]
    0147:  movups  xmm0, xmmword ptr [rsp + 112]
    014c:  movups  xmmword ptr [rsp + 32], xmm0
    0151:  lea     rdx, [rsp + 32]
    0156:  call    qword ptr [void Gen`1..ctor(!0) (METHOD_ENTRY)]
    015c:  call    qword ptr [Gen`1 (NEW_OBJECT)]
    0162:  mov     rsi, rax

[AndyAyersMS]

Unlikely that my recent PR fixes this, it was a change in crossgen.

I'll work on reproing this.

[AndyAyersMS]

I can repro, should have more info in a bit.

[AndyAyersMS]

The jit is invoking the unboxed entry of a generic struct. Seems like this might be a case where we really should be passing an inst param (in which case the jit would not do the transformation).

I wonder if the logic here is off?

runtime/src/coreclr/tools/Common/JitInterface/CorInfoImpl.cs

Lines 1194 to 1207 in ebd695f

	private CORINFO_METHOD_STRUCT_* getUnboxedEntry(CORINFO_METHOD_STRUCT_* ftn, ref bool requiresInstMethodTableArg)
	{
	MethodDesc result = null;
	requiresInstMethodTableArg = false;
	MethodDesc method = HandleToObject(ftn);
	if (method.IsUnboxingThunk())
	{
	result = method.GetUnboxedMethod();
	requiresInstMethodTableArg = method.RequiresInstMethodTableArg();
	}
	return result != null ? ObjectToHandle(result) : null;
	}

Seems like Line 1203 should be

    requiresInstMethodTableArg = result.RequiresInstMethodTableArg();

The jit does not often ask for the unboxed entry point, so perhaps this has slipped past us all this time.

I'll give this a try.

[AndyAyersMS]

No, that wasn't the issue (or wasn't enough of a fix). Here's what the jit is doing in Test.Main:

    [ 2]  23 (0x017) callvirt 0A000010
In Compiler::impImportCall: opcode is callvirt, kind=2, callRetType is bool, structSize is 0

impDevirtualizeCall: Trying to devirtualize interface call:
    class for 'this' is Gen`1[System.Int32] [exact] (attrib 20010010)
    base method is Outer+IGen`1[System.Int32]::InstVerify
--- base class is interface
    devirt to Gen`1[System.Int32]::InstVerify -- exact
               [000027] --C-G-------              *  CALLV stub int    IGen`1.InstVerify
               [000022] ------------ this in rcx  +--*  LCL_VAR   ref    V00 loc0         
               [000026] --C-G------- arg1         \--*  CALL help ref    HELPER.CORINFO_HELP_TYPEHANDLE_TO_RUNTIMETYPE
               [000024] #----------- arg0            \--*  IND       long  
               [000023] H-----------                    \--*  CNS_INT(h) long   0x4000000000420158 class
    exact; can devirtualize
... after devirt...
               [000027] --C-G-------              *  CALL nullcheck int    Gen`1.InstVerify
               [000022] ------------ this in rcx  +--*  LCL_VAR   ref    V00 loc0         
               [000026] --C-G------- arg1         \--*  CALL help ref    HELPER.CORINFO_HELP_TYPEHANDLE_TO_RUNTIMETYPE
               [000024] #----------- arg0            \--*  IND       long  
               [000023] H-----------                    \--*  CNS_INT(h) long   0x4000000000420158 class
Have a direct call to boxed entry point. Trying to optimize to call an unboxed entry point
revising call to invoke unboxed entry

STMT00005 (IL 0x00C...  ???)
               [000027] I-C-G-------              *  CALL r2r_ind int    Gen`1.InstVerify (exactContextHnd=0x4000000000420111)
               [000029] ------------ this in rcx  +--*  ADD       byref 
               [000022] ------------              |  +--*  LCL_VAR   ref    V00 loc0         
               [000028] ------------              |  \--*  CNS_INT   long   8
               [000026] --C-G------- arg1         \--*  CALL help ref    HELPER.CORINFO_HELP_TYPEHANDLE_TO_RUNTIMETYPE
               [000024] #----------- arg0            \--*  IND       long  
               [000023] H-----------                    \--*  CNS_INT(h) long   0x4000000000420158 class

[only the last to invoke the unboxed entry is new]

but that reminds me: I think we may cache some method info for R2R in gtEntryPoint and the cache may be stale if we switch methods. So I'll look into that next.

[AndyAyersMS]

We do the entry point update at the end of impDevirtualizeCall. So that's not it either.

But note we've (likely) been doing this transformation all along when there's a box nearby, so it's not clear how these new cases differ from the ones we already appeared to be properly handling. Perhaps box removal is inhibited in R2R though...

[AndyAyersMS]

Also a bit odd (but likely unrelated): this test has about 10 similar cases, we're only able to devirtualize the ones that involve Int32 and Double. Not sure why the other cases fail to devirt as we know the exact type for all of them.

[mangod9]

I had a somewhat related fix in cg2 recently: https://github.com/dotnet/runtime/pull/52060/files. But that shouldn't affect generic types specifically I don't think

[MichalStrehovsky]

This sounds quite related to #51982 (this one is in the VM though) and #51983 (crossgen2).

[AndyAyersMS]

Looks like we're not in the app code at the point of the crash ... will try debugging further later today if I have time.

0:000> t-
Time Travel Position: 1192C3:185C
CLRStub[VSD_ResolveStub]@7ffb832ab0f0:
00007ffb`832ab0f0 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000010=????????????????
0:000> t-
Time Travel Position: 1192C3:185B
*** WARNING: Unable to verify checksum for NestedInterface07.dll
*** WARNING: Unable to verify checksum for coreclr.dll
System_Private_CoreLib!System.Type.Equals(System.Type)+0x2a:
00007ffb`f7c018fa ff1528987900    call    qword ptr [System_Private_CoreLib!System.Collections.Generic.Dictionary`2[[System.__Canon, System.Private.CoreLib],[System.__Canon, System.Private.CoreLib]].TryGetValue(System.__Canon, System.__Canon ByRef)+0x4ae8e8 (00007ffb`f839b128)] ds:00007ffb`f839b128={CLRStub[VSD_ResolveStub]@7ffb832ab0f0 (00007ffb`832ab0f0)}

0:000> !clrstack
OS Thread Id: 0x61f8 (0)
        Child SP               IP Call Site
0000008BF7F7E6B0 00007ffbf7c018fa System.Type.Equals(System.Type)
0000008BF7F7E6F0 00007ff667b93085 Gen`1[[System.__Canon, System.Private.CoreLib]].InstVerify(System.Type) [C:\repos\runtime0\src\tests\Loader\classloader\generics\Instantiation\Positive\NestedInterface07.cs @ 45]
0000008BF7F7E740 00007ff667b92cf2 Test.Main() [C:\repos\runtime0\src\tests\Loader\classloader\generics\Instantiation\Positive\NestedInterface07.cs @ 88]