Skip to content

[release/7.0] JIT: fix gc hole in peephole optimizations #78109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 10, 2022
Merged

[release/7.0] JIT: fix gc hole in peephole optimizations #78109

merged 2 commits into from
Nov 10, 2022

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Nov 9, 2022
edited by AndyAyersMS
Loading

Backport of #78074 to release/7.0

/cc @AndyAyersMS

Customer Impact

Possible GC heap corruption, caused by an unsafe peephole optimization that straddles a nogc/gc codegen boundary.

Issue was found by our own internal stress testing.

The problem here should occur somewhat rarely; the vulnerable window is just one instruction wide, in an optimization that doesn't happen very often, and it may only happen on arm64 (though the fix includes patching x64 too).

However, a number of methods in Roslyn or in BCL utilities Roslyn uses are impacted, so despite the small window here the code paths may be executed quite often.

Testing

Normal CI innerloop, plus selected jitstress/gcstress outerloop.

SPMI diffs show one impacted method in Roslyn, on arm64. Local runs of the libraries tests show another 29 impacted methods including a more Roslyn methods and methods for ImmutableArray<T>.

One impacted method is

https://github.com/dotnet/roslyn/blob/80277a5a67e34e17f0cc903ad8fb89ea4c8ea0ae/src/Compilers/Core/Portable/DiagnosticAnalyzer/AnalysisScope.cs#L184-L208

The problem arises when setting up args for the comparer call, because AdditionalFile is a small struct with two GC references that needs to be copied, and the copy is done in a nogc region. Right after the copy the GC field is read, and the peephole may elide this read as the register being loaded already has the right value from the nogc region code, but that register is not GC tracked. If a gc happens right after the nogc region is exited, the reference in that register may move without the register being updated.

Risk

Low.

This fix prevents peephole optimizations that might straddle a nogc/gc codegen boundary.

IMPORTANT: Is this backport for a servicing release? If so and this change touches code that ships in a NuGet package, please make certain that you have added any necessary package authoring and gotten it explicitly reviewed.

@AndyAyersMS
JIT: fix gc hole in peephole optimizations
50f8b60 
We cannot safely peephole instructions that straddle a gc enable boundary.
Detecting when this might happen is a bit subtle; currently we rely on
`emitForceNewIG` to be set.

Add a new utility 'emitCanPeepholeLastIns` to centralize the logic that
decides whether basing current emission on `emitLastIns` is safe.

Closed #77661.
@AndyAyersMS
revise per feedback
1c4bca1
@ghost ghost added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label Nov 9, 2022
@AndyAyersMS
Copy link
Member

cc @JulieLeeMSFT @jeffschwMSFT

jeffschwMSFT
jeffschwMSFT approved these changes Nov 9, 2022
View reviewed changes
Copy link
Member

@jeffschwMSFT jeffschwMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

approved. we will take for consideration in 7.0.x

@jeffschwMSFT jeffschwMSFT added the Servicing-consider Issue for next servicing release review label Nov 9, 2022
@jeffschwMSFT jeffschwMSFT added this to the 7.0.x milestone Nov 9, 2022
@ghost
Copy link

ghost commented Nov 9, 2022

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Issue Details

Backport of #78074 to release/7.0

/cc @AndyAyersMS

Customer Impact

Testing

Risk

IMPORTANT: Is this backport for a servicing release? If so and this change touches code that ships in a NuGet package, please make certain that you have added any necessary package authoring and gotten it explicitly reviewed.

Author: github-actions[bot]
Assignees: -
Labels:

area-CodeGen-coreclr
Milestone: -

@AndyAyersMS
Copy link
Member

Related issues: #77153, #77661

@rbhanda rbhanda added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Nov 10, 2022
@rbhanda rbhanda modified the milestones: 7.0.x, 7.0.1 Nov 10, 2022
@carlossanlop
Copy link
Contributor

CI re-run finished green.
Signed-off by area owners. Approved by Tactics. No OOB package authoring changes needed.
Ready to merge. :shipit:

@carlossanlop carlossanlop merged commit 9d890f4 into release/7.0 Nov 10, 2022
@carlossanlop carlossanlop deleted the backport/pr-78074-to-release/7.0 branch November 10, 2022 22:35
@ghost ghost locked as resolved and limited conversation to collaborators Dec 11, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jeffschwMSFT jeffschwMSFT jeffschwMSFT approved these changes

@BruceForstall BruceForstall BruceForstall approved these changes

Assignees
No one assigned
Labels
area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI Servicing-approved Approved for servicing release
Projects
None yet
Milestone
7.0.1
Development

Successfully merging this pull request may close these issues.
5 participants
@AndyAyersMS @carlossanlop @jeffschwMSFT @BruceForstall @rbhanda