AOT-ReleaseX64 crash divergence #35335
Comments
aartbik
added
area-vm
|
Debug AOT crashes as:
while release AOT hits the error above:
|
|
Bit more details:
which in both the first attempt and the retry is due to the following (even though temp index changes):
Introduced by LICM: Before: After: |
|
The problem is that the CanDeoptimize() property changes due to hoisting. The unwritten contract, of course, is that this does not change. This is due to copying a non-empty environment into an unbox that formerly had no environment. Hence the deopt property changes (due to the way CanDeoptimize() is implemented). In most typical cases, the CanDeoptimize() property does not change, even when the environment changes. So it seems that either a stricter test is needed or the instruction should have had an env to start with! This particular unbox is generated during representation selection, using FlowGraph::InsertConversion(). Perhaps we miss copying an env there? |
|
New nightly run has several failures that are probably very related (now the CanDeoptimize() assert is violated for an UnboxInstr, somewhat similar to above). So adding one failure here to make sure we verify this once fixed. JIT-DebugSIMARM - AOT-DebugX64: !DIVERGENCE! 1.2:3494344839 (output=false) fail2: This seems indeed reflective of the same problem. The representation selection pass introduces v5337 <- Unbox(v5135) which may deoptimize, but has no environment, and thus returns false for CanDeoptimize(). |
|
Note, continuing nightly failures with similar error messages. This bug really needs fixing! |
|
I have looked at the graph. This happens in the unreachable dead code: we have The type of this redefinition is non-Nullable Null - empty set - this should be impossible. Then this flows into note that I think we need to be aggressively deleting impossible code like this. Alternative fix is to make sure that type propagation does not produce impossible types like this: diff --git a/runtime/vm/compiler/backend/type_propagator.cc b/runtime/vm/compiler/backend/type_propagator.cc
index c587626f12..791cba021f 100644
--- a/runtime/vm/compiler/backend/type_propagator.cc
+++ b/runtime/vm/compiler/backend/type_propagator.cc
@@ -283,7 +283,7 @@ void FlowGraphTypePropagator::VisitCheckClassId(CheckClassIdInstr* check) {
void FlowGraphTypePropagator::VisitCheckNull(CheckNullInstr* check) {
Definition* receiver = check->value()->definition();
CompileType* type = TypeOf(receiver);
- if (type->is_nullable()) {
+ if (type->is_nullable() && !type->IsNull()) {
// Insert redefinition for the receiver to guard against invalid
// code motion.
EnsureMoreAccurateRedefinition(check, receiver, type->CopyNonNullable());
@@ -305,7 +305,7 @@ void FlowGraphTypePropagator::CheckNonNullSelector(
if (target.IsNull()) {
// If the selector is not defined on Null, we can propagate non-nullness.
CompileType* type = TypeOf(receiver);
- if (type->is_nullable()) {
+ if (type->is_nullable() && !type->IsNull()) {
// Insert redefinition for the receiver to guard against invalid
// code motion.
EnsureMoreAccurateRedefinition(call, receiver, type->CopyNonNullable()); |
|
Seeds to check after fix (it is always the AOT one that crashes): AOT-ReleaseX64 - KBC-CMP-ReleaseX64: !DIVERGENCE! 1.2:3060628533 (output=false) |
Rationale: Reporting check-class instead of the proper unbox yields an incorrect compiler diagnostic, which may obscure subsequent debugging. #35335 Change-Id: I99358ef3432e77b4432d9a96755747eaadc27067 Reviewed-on: https://dart-review.googlesource.com/c/87161 Reviewed-by: Vyacheslav Egorov <vegorov@google.com> Reviewed-by: Aart Bik <ajcbik@google.com> Commit-Queue: Aart Bik <ajcbik@google.com>
|
Slava's type prop change fixes all known seeds so far related to AOT crashes: AOT fuzz1253864548.dart |
Rationale: Having a literal null checked by CheckNull with a subsequent Redefinition resulted in some strange unboxing that crashed AOT (fix courtesy Slava!). Note that we still have some ambiguity around adding/removing environments from instructions that may deoptimize, but this change fixes all prior related DartFuzz failures. #35335 Change-Id: Ifb50d8cddf93e57758b2bbb83ad397ea281e9307 Reviewed-on: https://dart-review.googlesource.com/c/87280 Reviewed-by: Vyacheslav Egorov <vegorov@google.com> Commit-Queue: Aart Bik <ajcbik@google.com>
|
\O/ |
|
Note that simply ignoring null may not have been the right solution. We should remove the following dead code, just to make sure it is never hoisted before the check. |
|
As a temporary solution we could still create a redefinition after the |
Rationale: Previously, we avoided introducing redefinitions that introduced the empty non-nullable null type. This situation arises when we do a null check on an actual null value (making all subsequent uses effectively dead code). This is too simple, however, since it still allows hoisting the uses before the check. This CL gives a better solution by introducing redefinitions without a constraining type (which are not removed and avoid the type). In the long run perhaps the best solution would be to simply remove all subsequent uses as dead. #32167 #34473 #35335 Change-Id: Ib5dd072a9e546f6b91faa52ea08e8c0f6350d7e0 Reviewed-on: https://dart-review.googlesource.com/c/89922 Reviewed-by: Alexander Markov <alexmarkov@google.com> Commit-Queue: Aart Bik <ajcbik@google.com>
Isolate (/b/s/w/ir/tmp/t/dart_fuzzYMYQOP) AOT-ReleaseX64 - JIT-ReleaseIA32: !DIVERGENCE! 1.2:2915825161 (output=false)
fail1:
../../runtime/vm/compiler/aot/precompiler.cc: 2312: error: unreachable code
thread=27829, isolate=isolate(0x56499373c900)
[0x000056499136478c] Unknown symbol
[0x000056499136478c] Unknown symbol
[0x0000564991565872] Unknown symbol
[0x000056499141a1e8] Unknown symbol
[0x000056499141b8fa] Unknown symbol
[0x0000564991416c25] Unknown symbol
[0x0000564991415647] Unknown symbol
[0x00005649914107b4] Unknown symbol
[0x000056499140e273] Unknown symbol
[0x000056499140e135] Unknown symbol
[0x0000564991562f9a] Unknown symbol
[0x00005649911a016e] Unknown symbol
-- End of DumpStackTrace
The text was updated successfully, but these errors were encountered: