Project segfaults on Ubuntu ( ARM64 )

[budgetdevv]

Description

The project @ https://github.com/budgetdevv/JITBugRepro segfaults on my Ubuntu ( ARM64 ) machine when ran. However, it seems to run fine on my Windows x64 machine.

Reproduction Steps

1. Clone the project @ https://github.com/budgetdevv/JITBugRepro
2. Run Program.cs located in the BugRepro folder

Expected behavior

The program should run indefinitely, given that there is an await Task.Delay(Timeout.Infinite)

Actual behavior

The program segfaults. Interestingly, Services.GetRequiredService<InvitesModule>().OnReady() is ran to completion ( The program prints "Bleh" ) before segfaulting. When debugging with GDB, the program exited with Thread 7 ".NET Tiered Com" received signal SIGSEGV, Segmentation fault..

Both of which suggest to me that it is a JIT bug.

Regression?

No response

Known Workarounds

Use Windows :p

Configuration

Which version of .NET is the code running on?

• .NET 7 RC 1

What OS and version, and what distro if applicable?

• Ubuntu 20.04.3 LTS (GNU/Linux 5.15.0-1017-oracle aarch64)

What is the architecture (x64, x86, ARM, ARM64)?

• ARM64

Do you know whether it is specific to that configuration

• Seems to be the case, it works on my Windows x64 machine

Other information

Suspects

• Executing project using NonBlocking.ConcurrentDictionary bundled in referenced project

• Services.GetRequiredService<MemberDB>() calls into ctor, which calls ConnectionPool.CreateOrGetConnection("") which reads from a static readonly NonBlocking.ConcurrentDictionary field

• Services.GetRequiredService<InvitesModule>().OnReady() contains a foreach loop that writes into a NonBlocking.ConcurrentDictionary. The write happens after an await, which might also be responsible for the weird behavior

• This bug seems to be caused by tiered compilation ( GDB mentioned TC and threadpool thread )

[dotnet-issue-labeler]

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[ghost]

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

The project @ https://github.com/budgetdevv/JITBugRepro segfaults on my Ubuntu ( ARM64 ) machine when ran. However, it seems to run fine on my Windows x64 machine.

Reproduction Steps

1. Clone the project @ https://github.com/budgetdevv/JITBugRepro
2. Run Program.cs located in the BugRepro folder

Expected behavior

The program should run indefinitely, given that there is an await Task.Delay(Timeout.Infinite)

Actual behavior

The program segfaults. Interestingly, Services.GetRequiredService<InvitesModule>().OnReady() is ran to completion ( The program prints "Bleh" ) before segfaulting. When debugging with GDB, the program exited with Thread 7 ".NET Tiered Com" received signal SIGSEGV, Segmentation fault..

Both of which suggest to me that it is a JIT bug.

Regression?

No response

Known Workarounds

Use Windows :p

Configuration

Which version of .NET is the code running on?

• .NET 7 RC 1

What OS and version, and what distro if applicable?

• Ubuntu 20.04.3 LTS (GNU/Linux 5.15.0-1017-oracle aarch64)

What is the architecture (x64, x86, ARM, ARM64)?

• ARM64

Do you know whether it is specific to that configuration

• Seems to be the case, it works on my Windows x64 machine

Other information

Suspects

• Executing project using NonBlocking.ConcurrentDictionary bundled in referenced project

• Services.GetRequiredService<MemberDB>() calls into ctor, which calls ConnectionPool.CreateOrGetConnection("") which reads from a static readonly NonBlocking.ConcurrentDictionary field

• Services.GetRequiredService<InvitesModule>().OnReady() contains a foreach loop that writes into a NonBlocking.ConcurrentDictionary. The write happens after an await, which might also be responsible for the weird behavior

• This bug seems to be caused by tiered compilation ( GDB mentioned TC and threadpool thread )

Author:	budgetdevv
Assignees:	-
Labels:	area-CodeGen-coreclr, untriaged
Milestone:	-

[AndyAyersMS]

I can repro with x64 win, WSL2, arm64 altjit (repros with main).

We are morphing a complex tree in NonBlocking.Counter32:Increment():this

fgMorphIndexAddr (before remorph):
               [000135] -A-X-------                         *  COMMA     byref
               [000122] -A-X-------                         +--*  ASG       int
               [000121] D------N---                         |  +--*  LCL_VAR   int    V12 tmp9
               [000079] ---X-------                         |  \--*  CAST      int <- long
               [000078] ---X-------                         |     \--*  UMOD      long
               [000072] -----------                         |        +--*  LCL_VAR_ADDR long   V09 tmp6
               [000077] ---------U-                         |        \--*  CAST      long <- ulong <- uint
               [000076] -----------                         |           \--*  LCL_VAR   int   (AX) V09 tmp6

               [000134] ---X-------                         \--*  COMMA     byref
               [000126] ---X-------                            +--*  BOUNDS_CHECK_Rng void
               [000123] -----------                            |  +--*  LCL_VAR   int    V12 tmp9
               [000125] ---X-------                            |  \--*  ARR_LENGTH int
               [000042] -----------                            |     \--*  LCL_VAR   ref    V07 tmp4
               [000133] -----------                            \--*  ARR_ADDR  byref ref[]
               [000132] -----------                               \--*  ADD       byref
               [000131] -----------                                  +--*  ADD       byref
               [000120] -----------                                  |  +--*  LCL_VAR   ref    V07 tmp4
               [000130] -----------                                  |  \--*  CNS_INT   long   16
               [000129] -----------                                  \--*  MUL       long
               [000127] ---------U-                                     +--*  CAST      long <- uint
               [000124] -----------                                     |  \--*  LCL_VAR   int    V12 tmp9

               [000128] -------N---                                     \--*  CNS_INT   long   8

Morphing MOD/UMOD [000078] to Sub/Mul/Div

It looks like in fgMorphModToSubMulDiv we assume gtClone will always succeed, which is not the case.

[EgorBo]

Minimal repro:

unsafe int GetIndex(uint cellCount) => (int)((ulong)&cellCount % cellCount);

with arm64 jit (or altjit)

[AndyAyersMS]

Seems like this is a result of #69770, before then we were using fgMakeMultiUse which was invoking gtCloneExpr for simple things and introducing commas for more complex ones.

[jakobbotsch]

I don't think this was #69770, if I read the diff right fgMakeMultiUse was also using gtClone before that.

I think this was exposed by #68484. Before that the IsInvariant check was returning false for GT_LCL_VAR_ADDR so we would introduce a temp in this case.

It is odd that gtClone does not handle GT_LCL_VAR_ADDR, yet does handle GT_LCL_FLD_ADDR.

[jakobbotsch]

Hmm, actually this reproduces on the parent of #68484 too. From a bisection it seems to actually be introduced with #65118.

[AndyAyersMS]

From a bisection it seems to actually be introduced with #65118.

There goes my plan for trying to pin this on somebody else.