Fix ILLink/ILC hang when tracking too many hoisted local values (#95041)

#87634 introduced a limit
on the number of values tracked in dataflow analysis, but this
approach was incorrect because resetting the set of tracked
values was effectively moving up the dataflow lattice, breaking
the invariant and causing potential hangs.

The hang was observed in
#94831, where (as found
by @vitek-karas) the hoisted local `state` field of an async
method with many await points was getting a large number of
tracked values, hitting the limit, being reset to "empty", but
then growing again, causing the analysis not to converge.

The fix is to instead introduce a special value
`ValueSet<TValue>.Unknown` that is used for this case. It acts
like "bottom" in the lattice, so that it destroys any other
inputs on meet ("bottom" meet anything else is "bottom").

In this testcase the `state` field isn't involved in dataflow
warnings, so this actually allows the method to be analyzed
correctly, producing the expected warning for the `Type` local
that flows across all of the await points.

Fixes #94831

Author: sbomer

src/coreclr/tools/aot/ILCompiler.Compiler/Compiler/Dataflow/ArrayValue.cs

@@ -19,7 +19,7 @@ internal partial record ArrayValue
         public static MultiValue Create(MultiValue size, TypeDesc elementType)
         {
             MultiValue result = MultiValueLattice.Top;
-            foreach (var sizeValue in size)
+            foreach (var sizeValue in size.AsEnumerable ())
             {
                 result = MultiValueLattice.Meet(result, new MultiValue(new ArrayValue(sizeValue, elementType)));
             }
@@ -92,7 +92,7 @@ public override SingleValue DeepCopy()
                 // Since it's possible to store a reference to array as one of its own elements
                 // simple deep copy could lead to endless recursion.
                 // So instead we simply disallow arrays as element values completely - and treat that case as "too complex to analyze".
-                foreach (SingleValue v in kvp.Value.Value)
+                foreach (SingleValue v in kvp.Value.Value.AsEnumerable ())
                 {
                     System.Diagnostics.Debug.Assert(v is not ArrayValue);
                 }
@@ -123,7 +123,7 @@ public override string ToString()
                 result.Append(element.Key);
                 result.Append(",(");
                 bool firstValue = true;
-                foreach (var v in element.Value.Value)
+                foreach (var v in element.Value.Value.AsEnumerable ())
                 {
                     if (firstValue)
                     {

src/coreclr/tools/aot/ILCompiler.Compiler/Compiler/Dataflow/InterproceduralState.cs

@@ -67,7 +67,8 @@ public void TrackMethod(MethodIL methodBody)
             methodBody = GetInstantiatedMethodIL(methodBody);
 
             // Work around the fact that ValueSet is readonly
-            var methodsList = new List<MethodBodyValue>(MethodBodies);
+            Debug.Assert (!MethodBodies.IsUnknown ());
+            var methodsList = new List<MethodBodyValue>(MethodBodies.GetKnownValues ());
             methodsList.Add(new MethodBodyValue(methodBody));
 
             // For state machine methods, also scan the state machine members.

src/coreclr/tools/aot/ILCompiler.Compiler/Compiler/Dataflow/MethodBodyScanner.cs

@@ -210,7 +210,7 @@ private static void ValidateNoReferenceToReference(ValueBasicBlockPair?[] locals
                     continue;
 
                 MultiValue localValue = localVariable.Value.Value;
-                foreach (var val in localValue)
+                foreach (var val in localValue.AsEnumerable ())
                 {
                     if (val is LocalVariableReferenceValue localReference && localReference.ReferencedType.IsByRefOrPointer())
                     {
@@ -309,7 +309,8 @@ public virtual void InterproceduralScan(MethodIL startingMethodBody)
 
                 // Flow state through all methods encountered so far, as long as there
                 // are changes discovered in the hoisted local state on entry to any method.
-                foreach (var methodBodyValue in oldInterproceduralState.MethodBodies)
+                Debug.Assert (!oldInterproceduralState.MethodBodies.IsUnknown ());
+                foreach (var methodBodyValue in oldInterproceduralState.MethodBodies.GetKnownValues ())
                     Scan(methodBodyValue.MethodBody, ref interproceduralState);
             }
 
@@ -327,7 +328,8 @@ public virtual void InterproceduralScan(MethodIL startingMethodBody)
             }
             else
             {
-                Debug.Assert(interproceduralState.MethodBodies.Count() == 1);
+                Debug.Assert (!interproceduralState.MethodBodies.IsUnknown ());
+                Debug.Assert(interproceduralState.MethodBodies.GetKnownValues ().Count() == 1);
             }
 #endif
         }
@@ -1018,7 +1020,7 @@ private void ScanIndirectStore(
         /// <exception cref="LinkerFatalErrorException">Throws if <paramref name="target"/> is not a valid target for an indirect store.</exception>
         protected void StoreInReference(MultiValue target, MultiValue source, MethodIL method, int offset, ValueBasicBlockPair?[] locals, int curBasicBlock, ref InterproceduralState ipState)
         {
-            foreach (var value in target)
+            foreach (var value in target.AsEnumerable ())
             {
                 switch (value)
                 {
@@ -1137,7 +1139,7 @@ private void ScanStfld(
                 return;
             }
 
-            foreach (var value in HandleGetField(methodBody, offset, field))
+            foreach (var value in HandleGetField(methodBody, offset, field).AsEnumerable ())
             {
                 // GetFieldValue may return different node types, in which case they can't be stored to.
                 // At least not yet.
@@ -1189,7 +1191,7 @@ internal MultiValue DereferenceValue(
             ref InterproceduralState interproceduralState)
         {
             MultiValue dereferencedValue = MultiValueLattice.Top;
-            foreach (var value in maybeReferenceValue)
+            foreach (var value in maybeReferenceValue.AsEnumerable ())
             {
                 switch (value)
                 {
@@ -1324,7 +1326,7 @@ private void HandleCall(
 
             foreach (var param in methodArguments)
             {
-                foreach (var v in param)
+                foreach (var v in param.AsEnumerable ())
                 {
                     if (v is ArrayValue arr)
                     {
@@ -1366,7 +1368,7 @@ private void ScanStelem(
             StackSlot indexToStoreAt = PopUnknown(currentStack, 1, methodBody, offset);
             StackSlot arrayToStoreIn = PopUnknown(currentStack, 1, methodBody, offset);
             int? indexToStoreAtInt = indexToStoreAt.Value.AsConstInt();
-            foreach (var array in arrayToStoreIn.Value)
+            foreach (var array in arrayToStoreIn.Value.AsEnumerable ())
             {
                 if (array is ArrayValue arrValue)
                 {

src/coreclr/tools/aot/ILCompiler.Compiler/Compiler/Dataflow/ReflectionMethodBodyScanner.cs

@@ -431,7 +431,7 @@ public static bool HandleCall(
                         // type instead).
                         //
                         // At least until we have shared enum code, this needs extra handling to get it right.
-                        foreach (var value in argumentValues[0])
+                        foreach (var value in argumentValues[0].AsEnumerable ())
                         {
                             if (value is SystemTypeValue systemTypeValue
                                 && !systemTypeValue.RepresentedType.Type.IsGenericDefinition
@@ -466,7 +466,7 @@ public static bool HandleCall(
                             ? 0 : 1;
 
                         // We need the data to do struct marshalling.
-                        foreach (var value in argumentValues[paramIndex])
+                        foreach (var value in argumentValues[paramIndex].AsEnumerable ())
                         {
                             if (value is SystemTypeValue systemTypeValue
                                 && !systemTypeValue.RepresentedType.Type.IsGenericDefinition
@@ -497,7 +497,7 @@ public static bool HandleCall(
                 case IntrinsicId.Marshal_GetDelegateForFunctionPointer:
                     {
                         // We need the data to do delegate marshalling.
-                        foreach (var value in argumentValues[1])
+                        foreach (var value in argumentValues[1].AsEnumerable ())
                         {
                             if (value is SystemTypeValue systemTypeValue
                                 && !systemTypeValue.RepresentedType.Type.IsGenericDefinition
@@ -521,7 +521,7 @@ public static bool HandleCall(
                 //
                 case IntrinsicId.Object_GetType:
                     {
-                        foreach (var valueNode in instanceValue)
+                        foreach (var valueNode in instanceValue.AsEnumerable ())
                         {
                             // Note that valueNode can be statically typed in IL as some generic argument type.
                             // For example:
@@ -619,7 +619,7 @@ public static bool HandleCall(
             // Validate that the return value has the correct annotations as per the method return value annotations
             if (annotatedMethodReturnValue.DynamicallyAccessedMemberTypes != 0)
             {
-                foreach (var uniqueValue in methodReturnValue)
+                foreach (var uniqueValue in methodReturnValue.AsEnumerable ())
                 {
                     if (uniqueValue is ValueWithDynamicallyAccessedMembers methodReturnValueWithMemberTypes)
                     {

src/coreclr/tools/aot/ILCompiler.Compiler/Compiler/Dataflow/TrimAnalysisAssignmentPattern.cs

@@ -48,9 +48,9 @@ public void MarkAndProduceDiagnostics(ReflectionMarker reflectionMarker, Logger
                 logger.ShouldSuppressAnalysisWarningsForRequires(Origin.MemberDefinition, DiagnosticUtilities.RequiresAssemblyFilesAttribute),
                 logger);
 
-            foreach (var sourceValue in Source)
+            foreach (var sourceValue in Source.AsEnumerable ())
             {
-                foreach (var targetValue in Target)
+                foreach (var targetValue in Target.AsEnumerable ())
                 {
                     if (targetValue is not ValueWithDynamicallyAccessedMembers targetWithDynamicallyAccessedMembers)
                         throw new NotImplementedException();

src/tools/illink/src/ILLink.RoslynAnalyzer/DataFlow/FeatureContextLattice.cs

@@ -14,51 +14,43 @@ namespace ILLink.RoslynAnalyzer.DataFlow
 	public struct FeatureContext : IEquatable<FeatureContext>, IDeepCopyValue<FeatureContext>
 	{
 		// The set of features known to be enabled in this context.
-		// Null represents "all possible features".
-		public ValueSet<string>? EnabledFeatures;
+		// Unknown represents "all possible features".
+		public ValueSet<string> EnabledFeatures;
 
-		public static readonly FeatureContext All = new FeatureContext (null);
+		public static readonly FeatureContext All = new FeatureContext (ValueSet<string>.Unknown);
 
 		public static readonly FeatureContext None = new FeatureContext (ValueSet<string>.Empty);
 
-		public FeatureContext (ValueSet<string>? enabled)
+		public FeatureContext (ValueSet<string> enabled)
 		{
 			EnabledFeatures = enabled;
 		}
 
 		public bool IsEnabled (string feature)
 		{
-			return EnabledFeatures == null || EnabledFeatures.Value.Contains (feature);
+			return EnabledFeatures.IsUnknown () || EnabledFeatures.Contains (feature);
 		}
 
 		public bool Equals (FeatureContext other) => EnabledFeatures == other.EnabledFeatures;
 		public override bool Equals (object? obj) => obj is FeatureContext other && Equals (other);
-		public override int GetHashCode () => EnabledFeatures?.GetHashCode () ?? typeof (FeatureContext).GetHashCode ();
+		public override int GetHashCode () => EnabledFeatures.GetHashCode ();
 
 		public static bool operator == (FeatureContext left, FeatureContext right) => left.Equals (right);
 		public static bool operator != (FeatureContext left, FeatureContext right) => !left.Equals (right);
 
 		public FeatureContext DeepCopy ()
 		{
-			return new FeatureContext (EnabledFeatures?.DeepCopy ());
+			return new FeatureContext (EnabledFeatures.DeepCopy ());
 		}
 
 		public FeatureContext Intersection (FeatureContext other)
 		{
-			if (EnabledFeatures == null)
-				return other.DeepCopy ();
-			if (other.EnabledFeatures == null)
-				return this.DeepCopy ();
-			return new FeatureContext (ValueSet<string>.Intersection (EnabledFeatures.Value, other.EnabledFeatures.Value));
+			return new FeatureContext (ValueSet<string>.Intersection (EnabledFeatures, other.EnabledFeatures));
 		}
 
 		public FeatureContext Union (FeatureContext other)
 		{
-			if (EnabledFeatures == null)
-				return this.DeepCopy ();
-			if (other.EnabledFeatures == null)
-				return other.DeepCopy ();
-			return new FeatureContext (ValueSet<string>.Union (EnabledFeatures.Value, other.EnabledFeatures.Value));
+			return new FeatureContext (ValueSet<string>.Union (EnabledFeatures, other.EnabledFeatures));
 		}
 	}
 

src/tools/illink/src/ILLink.RoslynAnalyzer/DataFlow/InterproceduralState.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using ILLink.Shared.DataFlow;
 
@@ -50,7 +51,8 @@ public InterproceduralState<TValue, TValueLattice> Clone ()
 
 		public void TrackMethod (MethodBodyValue method)
 		{
-			var methodsList = new List<MethodBodyValue> (Methods);
+			Debug.Assert (!Methods.IsUnknown ());
+			var methodsList = new List<MethodBodyValue> (Methods.GetKnownValues ());
 			methodsList.Add (method);
 			Methods = new ValueSet<MethodBodyValue> (methodsList);
 		}

src/tools/illink/src/ILLink.RoslynAnalyzer/DataFlow/LocalDataFlowAnalysis.cs

@@ -79,7 +79,8 @@ public void InterproceduralAnalyze ()
 			while (!interproceduralState.Equals (oldInterproceduralState)) {
 				oldInterproceduralState = interproceduralState.Clone ();
 
-				foreach (var method in oldInterproceduralState.Methods) {
+				Debug.Assert (!oldInterproceduralState.Methods.IsUnknown ());
+				foreach (var method in oldInterproceduralState.Methods.GetKnownValues ()) {
 					AnalyzeMethod (method, ref interproceduralState);
 				}
 			}

src/tools/illink/src/ILLink.RoslynAnalyzer/DataFlow/LocalDataFlowVisitor.cs

@@ -390,9 +390,10 @@ TValue ProcessAssignment (IAssignmentOperation operation, LocalDataFlowState<TVa
 			Debug.Assert (IsLValueFlowCapture (flowCaptureReference.Id));
 			Debug.Assert (flowCaptureReference.GetValueUsageInfo (OwningSymbol).HasFlag (ValueUsageInfo.Write));
 			var capturedReferences = state.Current.LocalState.CapturedReferences.Get (flowCaptureReference.Id);
+			Debug.Assert (!capturedReferences.IsUnknown ());
 			if (!capturedReferences.HasMultipleValues) {
 				// Single captured reference. Treat this as an overwriting assignment.
-				var enumerator = capturedReferences.GetEnumerator ();
+				var enumerator = capturedReferences.GetKnownValues ().GetEnumerator ();
 				enumerator.MoveNext ();
 				targetOperation = enumerator.Current.Reference;
 				return ProcessSingleTargetAssignment (targetOperation, operation, state, merge: false);
@@ -409,7 +410,7 @@ TValue ProcessAssignment (IAssignmentOperation operation, LocalDataFlowState<TVa
 			// if the RHS has dataflow warnings.
 
 			TValue value = TopValue;
-			foreach (var capturedReference in capturedReferences) {
+			foreach (var capturedReference in capturedReferences.GetKnownValues ()) {
 				targetOperation = capturedReference.Reference;
 				var singleValue = ProcessSingleTargetAssignment (targetOperation, operation, state, merge: true);
 				value = LocalStateAndContextLattice.LocalStateLattice.Lattice.ValueLattice.Meet (value, singleValue);
@@ -517,7 +518,9 @@ public override TValue VisitFlowCapture (IFlowCaptureOperation operation, LocalD
 						// If an r-value captures an l-value, we must dereference the l-value
 						// and copy out the value to capture.
 						capturedValue = TopValue;
-						foreach (var capturedReference in state.Current.LocalState.CapturedReferences.Get (captureRef.Id)) {
+						var capturedReferences = state.Current.LocalState.CapturedReferences.Get (captureRef.Id);
+						Debug.Assert (!capturedReferences.IsUnknown ());
+						foreach (var capturedReference in capturedReferences.GetKnownValues ()) {
 							var value = Visit (capturedReference.Reference, state);
 							capturedValue = LocalStateAndContextLattice.LocalStateLattice.Lattice.ValueLattice.Meet (capturedValue, value);
 						}

src/tools/illink/src/ILLink.RoslynAnalyzer/DataFlow/LocalStateAndContextLattice.cs

@@ -41,6 +41,7 @@ public LocalStateAndContextLattice (LocalStateLattice<TValue, TValueLattice> loc
 		{
 			LocalStateLattice = localStateLattice;
 			ContextLattice = contextLattice;
+			Top = new (LocalStateLattice.Top, ContextLattice.Top);
 		}
 
 		public LocalStateAndContext<TValue, TContext> Top { get; }