ushort argument mysteriously mutated

[bradmarder]

Description

Discovered with Fuzzlyn.

M10(ushort arg0) is called with the value 53474 and is never reassigned inside the method. When the value of the arg is printed in debug mode, it is correctly 53474, while release mode prints 226.

Reproduction Steps

// Generated by Fuzzlyn v1.5 on 2022-03-14 21:20:55
// Run on X64 Windows
// Seed: 16520696696442011600
// Reduced from 677.9 KiB to 2.4 KiB in 00:04:01
// Debug: Outputs 53474
// Release: Outputs 226
public class C0
{
    public byte F0;
    public sbyte F3;
    public byte F4;
    public byte F5;
    public uint F6;
    public C0(byte f4, byte f5, uint f6)
    {
        F4 = f4;
        F5 = f5;
        F6 = f6;
    }
}

public class C1
{
    public C0 F4;
    public C1(C0 f4)
    {
        F4 = f4;
    }
}

public struct S0
{
    public sbyte F0;
    public C0 F2;
    public bool F4;
    public ulong F5;
    public uint F6;
    public bool F7;
    public S0(sbyte f0, C0 f1, C0 f2, bool f4, ulong f5, uint f6, bool f7) : this()
    {
        F0 = f0;
        F2 = f2;
        F4 = f4;
        F5 = f5;
        F6 = f6;
        F7 = f7;
    }
}

public class Program
{
    public static IRuntime s_rt;
    public static C0 s_1 = new C0(0, 0, 0);
    public static C1[][] s_3 = new C1[][] { new C1[] { new C1(new C0(0, 0, 0)) } };
    public static void Main()
    {
        CollectibleALC alc = new CollectibleALC();
        System.Reflection.Assembly asm = alc.LoadFromAssemblyPath(System.Reflection.Assembly.GetExecutingAssembly().Location);
        System.Reflection.MethodInfo mi = asm.GetType(typeof(Program).FullName).GetMethod(nameof(MainInner));
        System.Type runtimeTy = asm.GetType(typeof(Runtime).FullName);
        mi.Invoke(null, new object[] { System.Activator.CreateInstance(runtimeTy) });
    }

    public static void MainInner(IRuntime rt)
    {
        s_rt = rt;
        M10(53474);
    }

    public static void M10(ushort arg0)
    {
        var vr1 = new S0[] { new S0(0, new C0(0, 0, 0), new C0(0, 0, 0), false, 0, 0, false) };
        S0 var1 = new S0(s_1.F3, new C0(0, 0, s_3[0][0].F4.F6), new C0(0, 0, 0), true, 0, 0, false);
        try
        {
            byte vr5 = var1.F2.F0;
        }
        finally
        {
            var1 = new S0(0, new C0(0, 0, 0), new C0(0, 1, 0), true, 0, 0, true);
        }

        if ((byte)arg0 < 1)
        {
            C0[] var4 = new C0[] { new C0(0, 0, 0) };
        }

        s_rt.WriteLine("c_4102", arg0);
    }
}

public interface IRuntime
{
    void WriteLine<T>(string site, T value);
}

public class Runtime : IRuntime
{
    public void WriteLine<T>(string site, T value) => System.Console.WriteLine(value);
}

public class CollectibleALC : System.Runtime.Loader.AssemblyLoadContext
{
    public CollectibleALC() : base(true)
    {
    }
}

Expected behavior

The printed value of arg0 should be 53474.

Actual behavior

The printed value of arg0 is 226.

Regression?

Appears to be a regression as of .net 6 (this works correctly in .net 5).

Known Workarounds

No response

Configuration

win10 x64 and tested with 7.0.100-preview.1.22110.4

Other information

No response

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

Tagging subscribers to this area: @JulieLeeMSFT
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

Discovered with Fuzzlyn.

M10(ushort arg0) is called with the value 53474 and is never reassigned inside the method. When the value of the arg is printed in debug mode, it is correctly 53474, while release mode prints 226.

Reproduction Steps

// Generated by Fuzzlyn v1.5 on 2022-03-14 21:20:55
// Run on X64 Windows
// Seed: 16520696696442011600
// Reduced from 677.9 KiB to 2.4 KiB in 00:04:01
// Debug: Outputs 53474
// Release: Outputs 226
public class C0
{
    public byte F0;
    public sbyte F3;
    public byte F4;
    public byte F5;
    public uint F6;
    public C0(byte f4, byte f5, uint f6)
    {
        F4 = f4;
        F5 = f5;
        F6 = f6;
    }
}

public class C1
{
    public C0 F4;
    public C1(C0 f4)
    {
        F4 = f4;
    }
}

public struct S0
{
    public sbyte F0;
    public C0 F2;
    public bool F4;
    public ulong F5;
    public uint F6;
    public bool F7;
    public S0(sbyte f0, C0 f1, C0 f2, bool f4, ulong f5, uint f6, bool f7) : this()
    {
        F0 = f0;
        F2 = f2;
        F4 = f4;
        F5 = f5;
        F6 = f6;
        F7 = f7;
    }
}

public class Program
{
    public static IRuntime s_rt;
    public static C0 s_1 = new C0(0, 0, 0);
    public static C1[][] s_3 = new C1[][] { new C1[] { new C1(new C0(0, 0, 0)) } };
    public static void Main()
    {
        CollectibleALC alc = new CollectibleALC();
        System.Reflection.Assembly asm = alc.LoadFromAssemblyPath(System.Reflection.Assembly.GetExecutingAssembly().Location);
        System.Reflection.MethodInfo mi = asm.GetType(typeof(Program).FullName).GetMethod(nameof(MainInner));
        System.Type runtimeTy = asm.GetType(typeof(Runtime).FullName);
        mi.Invoke(null, new object[] { System.Activator.CreateInstance(runtimeTy) });
    }

    public static void MainInner(IRuntime rt)
    {
        s_rt = rt;
        M10(53474);
    }

    public static void M10(ushort arg0)
    {
        var vr1 = new S0[] { new S0(0, new C0(0, 0, 0), new C0(0, 0, 0), false, 0, 0, false) };
        S0 var1 = new S0(s_1.F3, new C0(0, 0, s_3[0][0].F4.F6), new C0(0, 0, 0), true, 0, 0, false);
        try
        {
            byte vr5 = var1.F2.F0;
        }
        finally
        {
            var1 = new S0(0, new C0(0, 0, 0), new C0(0, 1, 0), true, 0, 0, true);
        }

        if ((byte)arg0 < 1)
        {
            C0[] var4 = new C0[] { new C0(0, 0, 0) };
        }

        s_rt.WriteLine("c_4102", arg0);
    }
}

public interface IRuntime
{
    void WriteLine<T>(string site, T value);
}

public class Runtime : IRuntime
{
    public void WriteLine<T>(string site, T value) => System.Console.WriteLine(value);
}

public class CollectibleALC : System.Runtime.Loader.AssemblyLoadContext
{
    public CollectibleALC() : base(true)
    {
    }
}

Expected behavior

The printed value of arg0 should be 53474.

Actual behavior

The printed value of arg0 is 226.

Regression?

Appears to be a regression as of .net 6 (this works correctly in .net 5).

Known Workarounds

No response

Configuration

win10 x64 and tested with 7.0.100-preview.1.22110.4

Other information

No response

Author:	bradmarder
Assignees:	-
Labels:	area-CodeGen-coreclr, untriaged
Milestone:	-

[janvorli]

The 226 is the lower byte of the 53474, it seems as if JIT somehow used the result of the (byte)arg0 that is executed before the print instead of the original arg0.

[jakobbotsch]

Surprisingly this repros in .NET 6 as well so it has been there for a while without our Fuzzlyn runs finding it.

[jakobbotsch]

Lowering removes the cast in the comparison by optimizing

------------ BB05 [08D..092) -> BB07 (cond), preds={BB04} succs={BB06,BB07}
               [000608] ------------                 IL_OFFSET void   INLRT @ 0x08D[E-]
N001 (  2,  2) [000110] ------------       t110 =    LCL_VAR   int    V00 arg0         u:1 $80
                                                  ┌──▌  t110   int    
N002 (  3,  4) [000111] ------------       t111 = ▌  CAST      int <- ubyte <- int $54f
N003 (  1,  1) [000112] ------------       t112 =    CNS_INT   int    0 $40
                                                  ┌──▌  t111   int    
                                                  ├──▌  t112   int    
N004 (  5,  6) [000113] J------N----       t113 = ▌  GT        int    $550
                                                  ┌──▌  t113   int    
N005 (  7,  8) [000114] ------------              ▌  JTRUE     void   $VN.Void

into

------------ BB05 [08D..092) -> BB07 (cond), preds={BB04} succs={BB06,BB07}
               [000608] ------------                 IL_OFFSET void   INLRT @ 0x08D[E-]
N001 (  2,  2) [000110] ------------       t110 =    LCL_VAR   ubyte  V00 arg0         u:1 $80
N003 (  1,  1) [000112] -c----------       t112 =    CNS_INT   ubyte  0 $40
                                                  ┌──▌  t110   ubyte  
                                                  ├──▌  t112   ubyte  
N004 (  5,  6) [000113] J------N-U--              ▌  GT        void   $550
N005 (  7,  8) [000114] ------------              ▌  JTRUE     void   $VN.Void

LSRA then allocates this TYP_UBYTE instance of the argument to rbx and it is kept there and reused for the later appearence of the arg:

N565 (  2,  2) [000122] ------------       t122 =    LCL_VAR   int    V00 arg0         u:1 rbx (last use) REG rbx $80

Interestingly we have code that is supposed to compensate for this:

runtime/src/coreclr/jit/codegenlinear.cpp

Lines 1215 to 1232 in ba5a582

	// Load local variable from its home location.
	// In most cases the tree type will indicate the correct type to use for the load.
	// However, if it is NOT a normalizeOnLoad lclVar (i.e. NOT a small int that always gets
	// widened when loaded into a register), and its size is not the same as the actual register type
	// of the lclVar, then we need to change the type of the tree node when loading.
	// This situation happens due to "optimizations" that avoid a cast and
	// simply retype the node when using long type lclVar as an int.
	// While loading the int in that case would work for this use of the lclVar, if it is
	// later used as a long, we will have incorrectly truncated the long.
	// In the normalizeOnLoad case ins_Load will return an appropriate sign- or zero-
	// extending load.
	var_types lclActualType = varDsc->GetActualRegisterType();
	assert(lclActualType != TYP_UNDEF);
	if (spillType != lclActualType && !varTypeIsGC(spillType) && !varDsc->lvNormalizeOnLoad())
	{
	assert(!varTypeIsGC(varDsc));
	spillType = lclActualType;
	}

However, we skip this for normalize-on-load locals such as small parameters.

It's very possible the same bug exists in .NET 5 but just is not exposed because of different register allocation. The generated byte load into rbx happens during an unspill.

cc @dotnet/jit-contrib