Fix monitoring and specialization interaction

youknowone · youknowone · commit 821e6484a688 · 2026-03-02T11:10:23.000+09:00
- cache_entries() returns correct count for instrumented opcodes
- deoptimize() maps instrumented opcodes back to base
- quicken() skips adaptive counter for instrumented opcodes
- instrument_code Phase 3 deoptimizes specialized opcodes and
  clears CACHE entries to prevent stale pointer dereferences
diff --git a/.cspell.dict/cpython.txt b/.cspell.dict/cpython.txt
@@ -44,6 +44,7 @@ copyslot
 cpucount
 defaultdict
 denom
+deopt
 dictbytype
 DICTFLAG
 dictoffset
diff --git a/crates/compiler-core/src/bytecode.rs b/crates/compiler-core/src/bytecode.rs
@@ -560,10 +560,14 @@ impl CodeUnits {
             let op = units[i].op;
             let caches = op.cache_entries();
             if caches > 0 {
-                let cache_base = i + 1;
-                if cache_base < len {
-                    unsafe {
-                        self.write_adaptive_counter(cache_base, ADAPTIVE_WARMUP_VALUE);
+                // Don't write adaptive counter for instrumented opcodes;
+                // specialization is skipped while monitoring is active.
+                if !op.is_instrumented() {
+                    let cache_base = i + 1;
+                    if cache_base < len {
+                        unsafe {
+                            self.write_adaptive_counter(cache_base, ADAPTIVE_WARMUP_VALUE);
+                        }
                     }
                 }
                 i += 1 + caches;
diff --git a/crates/compiler-core/src/bytecode/instruction.rs b/crates/compiler-core/src/bytecode/instruction.rs
@@ -620,8 +620,11 @@ impl Instruction {
             }
             // RESUME specializations
             Self::ResumeCheck => Self::Resume { arg: Arg::marker() },
-            // Everything else maps to itself
-            _ => self,
+            // Instrumented opcodes map back to their base
+            _ => match self.to_base() {
+                Some(base) => base,
+                None => self,
+            },
         }
     }
 
@@ -739,8 +742,11 @@ impl Instruction {
             | Self::UnpackSequenceTuple
             | Self::UnpackSequenceTwoTuple => 1,
 
-            // Everything else: 0 cache entries
-            _ => 0,
+            // Instrumented opcodes have the same cache entries as their base
+            _ => match self.to_base() {
+                Some(base) => base.cache_entries(),
+                None => 0,
+            },
         }
     }
 }
diff --git a/crates/vm/src/stdlib/sys/monitoring.rs b/crates/vm/src/stdlib/sys/monitoring.rs
@@ -270,13 +270,29 @@ pub fn instrument_code(code: &PyCode, events: u32) {
         }
     }
 
-    // Phase 3: Remove regular INSTRUMENTED_* → restore base opcodes
-    for i in 0..len {
-        let op = code.code.instructions[i].op;
-        if let Some(base) = op.to_base() {
-            unsafe {
-                code.code.instructions.replace_op(i, base);
+    // Phase 3: Remove regular INSTRUMENTED_* and specialized opcodes → restore base opcodes.
+    // Also clear all CACHE entries so specialization starts fresh.
+    {
+        let mut i = 0;
+        while i < len {
+            let op = code.code.instructions[i].op;
+            let de_opt = op.deoptimize();
+            if u8::from(de_opt) != u8::from(op) {
+                unsafe {
+                    code.code.instructions.replace_op(i, de_opt);
+                }
+            }
+            let caches = de_opt.cache_entries();
+            // Zero all CACHE entries (the op+arg bytes may have been overwritten
+            // by specialization with arbitrary data like pointers).
+            for c in 1..=caches {
+                if i + c < len {
+                    unsafe {
+                        code.code.instructions.write_cache_u16(i + c, 0);
+                    }
+                }
             }
+            i += 1 + caches;
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -620,8 +620,11 @@ impl Instruction {`
`620`	`620`	`}`
`621`	`621`	`// RESUME specializations`
`622`	`622`	`Self::ResumeCheck => Self::Resume { arg: Arg::marker() },`
`623`		`- // Everything else maps to itself`
`624`		`- _ => self,`
	`623`	`+ // Instrumented opcodes map back to their base`
	`624`	`+ _ => match self.to_base() {`
	`625`	`+ Some(base) => base,`
	`626`	`+ None => self,`
	`627`	`+ },`
`625`	`628`	`}`
`626`	`629`	`}`
`627`	`630`
`@@ -739,8 +742,11 @@ impl Instruction {`
`739`	`742`	`\| Self::UnpackSequenceTuple`
`740`	`743`	`\| Self::UnpackSequenceTwoTuple => 1,`
`741`	`744`
`742`		`- // Everything else: 0 cache entries`
`743`		`- _ => 0,`
	`745`	`+ // Instrumented opcodes have the same cache entries as their base`
	`746`	`+ _ => match self.to_base() {`
	`747`	`+ Some(base) => base.cache_entries(),`
	`748`	`+ None => 0,`
	`749`	`+ },`
`744`	`750`	`}`
`745`	`751`	`}`
`746`	`752`	`}`