Skip to content

[release/8.0] JIT: Disallow mismatched GC-ness for physical promotions #90739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 17, 2023
Merged

[release/8.0] JIT: Disallow mismatched GC-ness for physical promotions #90739

merged 2 commits into from
Aug 17, 2023

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Aug 17, 2023
edited by jakobbotsch
Loading

Backport of #90694 to release/8.0

/cc @jakobbotsch

Customer Impact

Code that involves illegal reinterpretations of GC pointers in unreachable code paths can cause the JIT to generate code with incorrect GC reporting, even in the reachable paths.
For example, MemoryMarshal.Contains is a case. When value is a GC pointer, RuntimeHelpers.IsBitwiseEquatable<T>() will return false, but under some stress scenarios the JIT will still see the later Unsafe.As<T, long>(ref value). This can cause it to mistakenly reinterpret value as a long without any GC reporting, even outside the RuntimeHelpers.IsBitwiseEquatable<T>() branch.
For this particular case, in normal circumstances (no stress modes) the unreachable code is folded away early enough that the JIT does not see the reinterpretation, so no issue happens.

Testing

Verified that the failing test case now generates correct code and GC reporting, even when the stress variables are set.

Risk

Low. Targeted fix with no diffs in any of our own code (under non stress circumstances) that disables physical promotion when the case is detected.

@jakobbotsch
JIT: Disallow mismatched GC-ness for physical promotions
62946ee 
Physical promotion was working under the assumption that reinterpreting
GC pointers is undefined behavior, and would happily promote GC pointers
as integers if it saw such accesses. However, physical promotion is
function wide while the UB accesses can be happening in a restricted
(dynamically unreachable) scope. This exact situation happens in
MemoryExtensions.Contains. The issue was uncovered under jit stress
where we did not fold away the guard early enough, meaning that
promotion then saw a `TYP_LONG` access of a `struct { object, int }` and
proceeded to promote it as such.

Fix #90602
@jakobbotsch
Address feedback
ada908f
@ghost ghost added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label Aug 17, 2023
@ghost
Copy link

ghost commented Aug 17, 2023

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Issue Details

Backport of #90694 to release/8.0

/cc @jakobbotsch

Customer Impact

Testing

Risk

IMPORTANT: If this backport is for a servicing release, please verify that:

  • The PR target branch is release/X.0-staging, not release/X.0.

  • If the change touches code that ships in a NuGet package, you have added the necessary package authoring and gotten it explicitly reviewed.

Author: github-actions[bot]
Assignees: -
Labels:

area-CodeGen-coreclr
Milestone: -

jeffschwMSFT
jeffschwMSFT approved these changes Aug 17, 2023
View reviewed changes
Copy link
Member

@jeffschwMSFT jeffschwMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

approved. please get a code review, you are good to merge

@build-analysis build-analysis bot mentioned this pull request Aug 17, 2023
Closed
@carlossanlop
Copy link
Contributor

FYI this is going into RC2 (release/8.0). If that's your intention, @jakobbotsch , then I can merge right away, since it has been signed-off and approved by @jeffschwMSFT .

If you intended to send it to RC1, please retarget the PR to release/8.0-rc1 and send an email to Tactics requesting approval.

@jakobbotsch
Copy link
Member

FYI this is going into RC2 (release/8.0). If that's your intention, @jakobbotsch , then I can merge right away, since it has been signed-off and approved by @jeffschwMSFT .

I think RC2 only is just fine.

@carlossanlop carlossanlop added Servicing-consider Issue for next servicing release review Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Aug 17, 2023
@carlossanlop carlossanlop merged commit 3ab4246 into release/8.0 Aug 17, 2023
@carlossanlop carlossanlop deleted the backport/pr-90694-to-release/8.0 branch August 17, 2023 17:27
@ghost ghost locked as resolved and limited conversation to collaborators Sep 16, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@EgorBo EgorBo EgorBo approved these changes

@jeffschwMSFT jeffschwMSFT jeffschwMSFT approved these changes

Assignees
No one assigned
Labels
area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI Servicing-approved Approved for servicing release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@carlossanlop @jakobbotsch @EgorBo @jeffschwMSFT