Skip to content

JIT: fix widened IV init placed in unreachable block#130190

Open
EgorBo wants to merge 1 commit into
dotnet:mainfrom
EgorBo:fix-130189-rbo-stale-ssa
Open

JIT: fix widened IV init placed in unreachable block#130190
EgorBo wants to merge 1 commit into
dotnet:mainfrom
EgorBo:fix-130189-rbo-stale-ssa

Conversation

@EgorBo

@EgorBo EgorBo commented Jul 3, 2026

Copy link
Copy Markdown
Member

Fixes #130189.

optWidenPrimaryIV initializes the widened IV in the block that holds the narrow IV's reaching def when that block is not the preheader. Redundant branch opts jump threading can bypass that def block and leave it unreachable while its SSA def still reaches the loop (stale SSA). The widened IV init was then emitted into that dead block, which a later flow-graph pass removes, so the widened IV was never initialized and the loop produced a wrong result.

Fix: only use the reaching-def block for the init when it is still reachable (present in the DFS tree). Otherwise fall back to the preheader, which is always reachable.

Notes:

  • The root cause is stale SSA left by RBO dominator-based jump threading. Making RBO bail in that case is correct but pessimizes many cases where the stale SSA is harmless, so this instead hardens the only consumer that trips on it (IV widening).

Copilot AI review requested due to automatic review settings July 3, 2026 19:55
@github-actions github-actions Bot added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label Jul 3, 2026
@dotnet-policy-service

Copy link
Copy Markdown
Contributor

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens redundant-branch optimization (RBO) dominator-based jump threading to avoid leaving SSA in an invalid state when threading bypasses blocks that contain PHI definitions with non-local (global) uses. It aligns the dominator-based path with the existing PHI-based threading safety checks by requiring PHI-use resolution (via optCanRewritePhiUses) or bailing out when resolution isn’t safe, and it adds a regression test for the reported miscompile.

Changes:

  • Extend optJumpThreadCheck to detect globally-used local PHI defs for both dom-based and PHI-based threading, and treat promoted-field PHIs as non-threadable.
  • Update dominator-based jump threading (optJumpThreadDom) to invoke optCanRewritePhiUses when global PHI uses are detected, and skip jump threading if uses can’t be safely rewritten.
  • Add a new JitBlue regression test (C# + csproj) validating the previously incorrect result.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
src/coreclr/jit/redundantbranchopts.cpp Adds PHI global-use detection to jump-thread eligibility checks and gates dominator-based threading on optCanRewritePhiUses when PHI-use rewriting is required.
src/tests/JIT/Regression/JitBlue/Runtime_130189/Runtime_130189.cs Adds an xUnit regression test reproducing the miscompile and asserting the correct result.
src/tests/JIT/Regression/JitBlue/Runtime_130189/Runtime_130189.csproj Adds the test project with optimization enabled and tiered compilation disabled for determinism.

@EgorBo EgorBo force-pushed the fix-130189-rbo-stale-ssa branch from 4ecb3a9 to 77795a9 Compare July 3, 2026 20:16
@EgorBo EgorBo changed the title JIT: fix stale SSA in RBO dominator-based jump threading JIT: fix widened IV init placed in unreachable block Jul 3, 2026
optWidenPrimaryIV initializes the widened IV in the block that holds the
narrow IV's reaching def when that is not the preheader. Redundant branch
opts jump threading can leave that def block unreachable while its SSA def
still reaches the loop (stale SSA). The init was then emitted into dead
code that later gets removed, leaving the widened IV uninitialized and
producing a wrong result.

Only use the reaching-def block for the init when it is still reachable
(present in the DFS tree); otherwise fall back to the preheader.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 3, 2026 20:56
@EgorBo EgorBo force-pushed the fix-130189-rbo-stale-ssa branch from 77795a9 to c17d3c3 Compare July 3, 2026 20:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI

Projects

None yet

Development

Successfully merging this pull request may close these issues.

A JIT bug in IV or RBO

2 participants