JIT: Assertion failed 'gtOper < GT_COUNT' during 'VN-based dead store removal'

[jakobbotsch]

Seen in Fuzzlyn run https://dev.azure.com/dnceng-public/public/_build/results?buildId=398157&view=results.

// Generated by Fuzzlyn v1.6 on 2023-09-07 11:19:41
// Run on Arm64 MacOS
// Seed: 11985832646151267898
// Reduced from 30.2 KiB to 0.9 KiB in 00:00:24
// Hits JIT assert in Release:
// Assertion failed 'gtOper < GT_COUNT' in 'Program:Main(Fuzzlyn.ExecutionServer.IRuntime)' during 'VN-based dead store removal' (IL size 94; hash 0xade6b36b; FullOpts)
// 
//     File: /Users/runner/work/1/s/src/coreclr/jit/gentree.h Line: 1024
// 
using System.Runtime.CompilerServices;

public interface I0
{
}

public interface I2
{
}

public struct S0
{
    public ulong F0;
    public long F2;
    public short F3;
    public S0(long f2): this()
    {
        F2 = f2;
    }
}

public class C0 : I0
{
}

public struct S1
{
    public S0 F4;
    public bool F5;
    public S1(S0 f4): this()
    {
        F4 = f4;
    }
}

public class Program
{
    public static I0[] s_1;
    public static I2 s_5;
    public static void Main()
    {
        S1 vr2 = new S1(new S0(0));
        if (vr2.F5)
        {
            s_5 = s_5;
        }

        S1 vr3 = vr2;
        vr3.F4 = vr3.F4;
        for (int vr4 = 0; vr4 < 1; vr4++)
        {
            var vr5 = vr3.F4;
            M2(vr5);
        }

        System.Console.WriteLine(vr3.F4.F2);
    }

    public static void M2(S0 arg0)
    {
        s_1 = new I0[]{new C0()};
    }
}

Haven't been able to repro this with AltJit.

[ghost]

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Seen in Fuzzlyn run https://dev.azure.com/dnceng-public/public/_build/results?buildId=398157&view=results.

// Generated by Fuzzlyn v1.6 on 2023-09-07 11:19:41
// Run on Arm64 MacOS
// Seed: 11985832646151267898
// Reduced from 30.2 KiB to 0.9 KiB in 00:00:24
// Hits JIT assert in Release:
// Assertion failed 'gtOper < GT_COUNT' in 'Program:Main(Fuzzlyn.ExecutionServer.IRuntime)' during 'VN-based dead store removal' (IL size 94; hash 0xade6b36b; FullOpts)
// 
//     File: /Users/runner/work/1/s/src/coreclr/jit/gentree.h Line: 1024
// 
using System.Runtime.CompilerServices;

public interface I0
{
}

public interface I2
{
}

public struct S0
{
    public ulong F0;
    public long F2;
    public short F3;
    public S0(long f2): this()
    {
        F2 = f2;
    }
}

public class C0 : I0
{
}

public struct S1
{
    public S0 F4;
    public bool F5;
    public S1(S0 f4): this()
    {
        F4 = f4;
    }
}

public class Program
{
    public static I0[] s_1;
    public static I2 s_5;
    public static void Main()
    {
        S1 vr2 = new S1(new S0(0));
        if (vr2.F5)
        {
            s_5 = s_5;
        }

        S1 vr3 = vr2;
        vr3.F4 = vr3.F4;
        for (int vr4 = 0; vr4 < 1; vr4++)
        {
            var vr5 = vr3.F4;
            M2(vr5);
        }

        System.Console.WriteLine(vr3.F4.F2);
    }

    public static void M2(S0 arg0)
    {
        s_1 = new I0[]{new C0()};
    }
}

Haven't been able to repro this with AltJit.

Author:	jakobbotsch
Assignees:	-
Labels:	area-CodeGen-coreclr
Milestone:	-

[jakobbotsch]

This one actually requires DOTNET_JitStressModeNames=STRESS_NO_OLD_PROMOTION. It repros on all platforms with that.

It seems like optVNBasedDeadStoreRemoval finds and tries to remove a def that was removed previously as part of assertion prop:

*************** Starting PHASE Assertion prop
After constant propagation on [000096]:
STMT00007 ( 0x01F[E-] ... 0x027 )
N005 ( 20, 20) [000098] -A---------                         ▌  COMMA     void   $VN.Void
N002 ( 19, 17) [000030] UA---------                         ├──▌  STORE_LCL_FLD struct<S0, 24> V00 loc0         ud:2->3[+0] $VN.Void
N001 (  9,  8) [000028] -----------                         │  └──▌  LCL_FLD   struct<S0, 24> V00 loc0         u:2[+0] (last use) $85
N004 (  1,  3) [000097] DA---------                         └──▌  STORE_LCL_VAR long   V13 tmp11        d:2 $VN.Void
               [000125] -----------                            └──▌  CNS_INT   long   0 $c0
MorphCopyBlock:
PrepareDst for [000030] have found a local var V00.
block assignment to morph:
N002 ( 19, 17) [000030] UA---------                         ▌  STORE_LCL_FLD struct<S0, 24> V00 loc0         ud:2->3[+0] $VN.Void
N001 (  9,  8) [000028] -----------                         └──▌  LCL_FLD   struct<S0, 24> V00 loc0         u:2[+0] (last use) $85
Self-copy; replaced with a NOP.
MorphCopyBlock (after):
               [000126] -----+-----                         ▌  NOP       void  

...

*************** Starting PHASE VN-based dead store removal
Considering [000023] for removal...
 -- no; 'explicit init'
Considering [000030] for removal...
  VNForLoad:
      select($1c0 {$82[0:23] := $85]}, [0:23]) ==> $85
    VNForMapPhysicalSelect($1c0, [0:23]):struct returns $85 {ZeroObj($c1: S0)}
Removed dead store:
N002 ( 19, 17) [000030] UA---------                         ▌  STORE_LCL_FLD struct<S0, 24> V00 loc0         ud:2->3[+0] $VN.Void
N001 (  9,  8) [000028] -----------                         └──▌  LCL_FLD   struct<S0, 24> V00 loc0         u:2[+0] (last use) $85

Assert failure(PID 24260 [0x00005ec4], Thread: 30712 [0x77f8]): Assertion failed 'gtOper < GT_COUNT' in 'Program:Main()' during 'VN-based dead store removal' (IL size 84; hash 0xcb019401; FullOpts)

    File: C:\dev\dotnet\runtime3\src\coreclr\jit\gentree.h Line: 1024
    Image: C:\dev\dotnet\runtime3\artifacts\tests\coreclr\windows.x64.Checked\Tests\Core_Root\corerun.exe

cc @SingleAccretion

[SingleAccretion]

@jakobbotsch there is an assumption in this phase that SSA defs are not removable, except as dead code (which is questionable in the sense that it relies on munging dead IR being ok...).

At first glance it looks like an assertion propagation bug. I'll take a closer look in a few days.