Possible JIT (?) or code gen regression between .NET 10 preview 3 and 4 (10.0.100-preview.3.25201.16 vs. 10.0.100-preview.4.25258.110)

[varelen]

Description

Hey, I am currently experimenting with a custom programming language with the Compiler and VM implementation written in .NET, and I am not quite sure what is wrong.

I have noticed after wanting to check if there is a performance difference between .NET 9 and the latest .NET 10 preview 5, that the VM had a weird runtime error when doing a binary MULTIPLY operation.

The weird thing is that the error place changes if I change the overloaded operator * from [MethodImpl(MethodImplOptions.AggressiveInlining)] to [MethodImpl(MethodImplOptions.NoInlining)]. Then the exception occurs for example for an ADD operation etc.

I also couldn't hit the break point and the test log said both IsNumber props returned true:

    [MethodImpl(MethodImplOptions.AggressiveInlining)]
    public static Value operator *(Value left, Value right)
    {
        if (left.IsNumber && right.IsNumber)
        {
            return new Value(left.AsNumber() * right.AsNumber());
        }

        Console.WriteLine($"Left: {left.IsNumber}, Right: {right.IsNumber}");

        throw new RuntimeException($"Unsupported operator type * for left '{left}' and right '{right}'");
    }

The problem only occurs in a release build, in a debug build it works.

I have got the following JIT disassembly (part of it) from 10.0.100-preview.3.25201.16 and 10.0.100-preview.4.25258.110 (there was no difference between 10.0.100-preview.4.25258.110 to 10.0.100-preview.5.25277.114).

The JIT disasm is from the main Execute method that contains the VM main loop switch in a release build.

Some noise like:

10.0.100-preview.3.25201.16:

G_M000_IG34:
       mov      rcx, gword ptr [r14+0x10]
       mov      rdx, 0xD1FFAB1E
       and      rdx, rsi
       mov      r8, 0xD1FFAB1E
       cmp      rdx, r8
       je       SHORT G_M000_IG36

       call     CORINFO_HELP_STRCNS

10.0.100-preview.4.25258.110:

G_M000_IG34:
       mov      rcx, gword ptr [r14+0x10]
       mov      rdx, rsi
       not      rdx
       mov      r8, 0xD1FFAB1E
       and      rdx, r8
       je       SHORT G_M000_IG36

       call     [CORINFO_HELP_STRCNS]

But the largest diff was this (middle part):

10.0.100-preview.3.25201.16:

G_M000_IG67:
       call     [VmTest.VmObjectList:get_Items():System.Collections.Generic.List`1[VmTest.Value]:this]
       mov      r14, rax
       lea      rcx, [rbp-0x88]
       call     [VmTest.Value:AsNumber():double:this]
       vmovddup xmm1, xmm0
       vmovddup xmm2, xmm0
       vmovddup xmm0, xmm0
       vcmppd   xmm1, xmm2, xmm1, 0
       vandpd   xmm0, xmm1, xmm0
       vcmppd   xmm1, xmm0, xmmword ptr [reloc @RWD00], 13
       vcvttsd2si ecx, xmm0
       vmovd    xmm0, ecx
       vpbroadcastd xmm0, xmm0
       vpblendvb xmm0, xmm0, xmmword ptr [reloc @RWD16], xmm1
       vmovd    edx, xmm0
       mov      rcx, r14
       cmp      dword ptr [rcx], ecx
       call     [System.Collections.Generic.List`1[VmTest.Value]:get_Item(int):VmTest.Value:this]
       mov      rdx, rax
       mov      rcx, rbx
       call     [VmTest.VirtualMachine:Push(VmTest.Value):this]
       jmp      G_M000_IG148

10.0.100-preview.4.25258.110:

G_M000_IG67:
       call     [VmTest.VmObjectList:get_Items():System.Collections.Generic.List`1[VmTest.Value]:this]
       mov      r14, rax
       lea      rcx, [rbp-0x88]
       call     [VmTest.Value:AsNumber():double:this]
       vcmpsd   xmm1, xmm0, xmm0, 7
       vandpd   xmm1, xmm1, xmm0
       mov      ecx, 0xD1FFAB1E
       vcvttsd2si edx, xmm1
       vucomisd xmm0, qword ptr [reloc @RWD00]
       cmovb    ecx, edx
       mov      edx, ecx
       mov      rcx, r14
       cmp      dword ptr [rcx], ecx
       call     [System.Collections.Generic.List`1[VmTest.Value]:get_Item(int):VmTest.Value:this]
       mov      rdx, rax
       mov      rcx, rbx
       call     [VmTest.VirtualMachine:Push(VmTest.Value):this]
       jmp      G_M000_IG148

These are a few times in the diff. The problem seems to occur with and without native AOT.

Reproduction Steps

If desired I can send the project to an MS employee or maybe try to create a minimal project and create a public repository. I want to have it as an open-source project, but currently it's more of a testing ground.

Expected behavior

The executed program should execute like before with 10.0.100-preview.3.25201.16 and .NET 9.

Source code of the custom language:

number counter = 0

for i in 0..1_500
	counter += 1

WriteLine("Counter: {counter}")

Output working program (with .NET 9 and .NET 10 preview 3):

FunctionRegistry:Load took 5 ms
ClassRegistry:Load took 1 ms
Counter: 1500

Actual behavior

Source code of the custom language:

number counter = 0

for i in 0..1_500
	counter += 1

WriteLine("Counter: {counter}")

Output of not working program (with .NET 10 preview 4):

FunctionRegistry:Load took 5 ms
ClassRegistry:Load took 1 ms
Unhandled exception. VmTest.Exceptions.RuntimeException: RuntimeError: Unsupported operator type + for left '1427' and right '1'
   at VmTest.VirtualMachine.Execute() in C:\Users\{USER}\source\repos\VmTest\VmTest\VirtualMachine.cs:line 314
   at Program.<Main>$(String[] args) in C:\Users\{USER}\source\repos\VmTest\VmTest\Program.cs:line 40

As you can see, the left and right operand are both ints (numbers in my language).

Interesting enough is that it does not occur with a lower iteration count like for example 1000.

Regression?

Maybe, it woks with -c Release with 10.0.100-preview.3.25201.16 and fails with 10.0.100-preview.4.25258.110

Known Workarounds

Use .NET 10 preview 3 or run in debug mode.

Configuration

OS: Windows 11 23H2
Architecture: x64

Working:
.NET 9 and 10.0.100-preview.3.25201.16

Not working in release mode (works in debug mode):

= 10.0.100-preview.4.25258.110

Other information

If you have any questions or things I can provide or test please let me know.

[huoyaoyuan]

Can you show the definition of Value and generated IL for invoking it? For custom languages, it's possible that the IL is semi-valid and causing undefined behaviour.

[varelen]

Hey @huoyaoyuan, do you mean invoking via constructor or a specific property / method / operator?

[varelen]

Snippet of the Value.cs source code:

using System.Diagnostics;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

/// <summary>
/// Based on the C NAN boxing version shown by Bob Nystrom in his book "Crafting Interpreters".
/// </summary>
[DebuggerDisplay("Value: {GetDebuggerDisplay()}")]
[StructLayout(LayoutKind.Explicit)]
public readonly struct Value
{
    private const ulong QNaN = 0x7ffc000000000000;
    private const ulong SignBit = 0x8000000000000000;

    private const ulong TagNull = 1;
    private const ulong TagFalse = 2;
    private const ulong TagTrue = 3;

    public static readonly Value Null = QNaN | TagNull;
    public static readonly Value True = (QNaN | TagTrue);
    public static readonly Value False = new(QNaN | TagFalse);

    [FieldOffset(0)]
    private readonly ulong value;

    public bool IsNumber
    {
        [MethodImpl(MethodImplOptions.AggressiveInlining)]
        get => (this.value & QNaN) != QNaN;
    }

    public bool IsBool
    {
        [MethodImpl(MethodImplOptions.AggressiveInlining)]
        get => (this.value | 1) == True.value;
    }

    public bool IsNull
    {
        [MethodImpl(MethodImplOptions.AggressiveInlining)]
        get => this.value == Null.value;
    }

    public bool IsObject
    {
        [MethodImpl(MethodImplOptions.AggressiveInlining)]
        get => (this.value & (QNaN | SignBit)) == (QNaN | SignBit);
    }

    private Value(ulong value)
    {
        this.value = value;
    }

    public unsafe Value(double value)
    {
        this.value = *(ulong*)&value;

        Debug.Assert(this.AsNumber() == value, $"AsNumber has returned '{this.AsNumber()}' but expected was '{value}'");
    }

    public Value(bool value)
    {
        this.value = value ? True.value : False.value;

        Debug.Assert(this.AsBool() == value, $"AsBool has returned '{this.AsBool()}' but expected was '{value}'");
    }

    [MethodImpl(MethodImplOptions.AggressiveInlining)]
    public unsafe double AsNumber()
    {
        Debug.Assert(this.IsNumber, "Value is not a number");

        double v;
        fixed (void* valuePtr = &this.value)
        {
            v = *(double*)valuePtr;
        }

        return v;
    }

    [MethodImpl(MethodImplOptions.AggressiveInlining)]
    public bool AsBool()
    {
        Debug.Assert(this.IsBool, "Value is not a boolean");
        return this.value == True.value;
    }

    [MethodImpl(MethodImplOptions.AggressiveInlining)]
    public static Value operator +(Value left, Value right)
    {
        if (left.IsNumber && right.IsNumber)
        {
            return new Value(left.AsNumber() + right.AsNumber());
        }
        else if (left.IsObject && right.IsObject)
        {
            // Removed for simplicity
        }

        throw new InvalidOperationException($"Unsupported operator type '+' for left '{left}' and right '{right}'");
    }

    [MethodImpl(MethodImplOptions.AggressiveInlining)]
    public static Value operator -(Value left, Value right)
    {
        if (left.IsNumber && right.IsNumber)
        {
            return new Value(left.AsNumber() - right.AsNumber());
        }

        throw new InvalidOperationException($"Unsupported operator type '-' for left '{left}' and right '{right}'");
    }

    [MethodImpl(MethodImplOptions.AggressiveInlining)]
    public static Value operator *(Value left, Value right)
    {
        if (left.IsNumber && right.IsNumber)
        {
            return new Value(left.AsNumber() * right.AsNumber());
        }

        Console.WriteLine($"Left: {left.IsNumber}, Right: {right.IsNumber}");

        throw new InvalidOperationException($"Unsupported operator type '*' for left '{left}' and right '{right}'");
    }

    [MethodImpl(MethodImplOptions.AggressiveInlining)]
    public static Value operator /(Value left, Value right)
    {
        if (left.IsNumber && right.IsNumber)
        {
            return new Value(left.AsNumber() / right.AsNumber());
        }

        throw new InvalidOperationException($"Unsupported operator type '/' for left '{left}' and right '{right}'");
    }

    [MethodImpl(MethodImplOptions.AggressiveInlining)]
    public static Value operator %(Value left, Value right)
    {
        if (left.IsNumber && right.IsNumber)
        {
            return new Value(left.AsNumber() % right.AsNumber());
        }

        throw new InvalidOperationException($"Unsupported operator type '%' for left '{left}' and right '{right}'");
    }

    [MethodImpl(MethodImplOptions.AggressiveInlining)]
    public static implicit operator Value(ulong value)
        => new(value);

    // ... more AsSomething, equality and operator methods
}

Edit: Added operator overloads for reproducible example below.

[varelen]

Hey again, I have hopefully a reproducible minimal example using just the code from above and this simple code trying to force trigger the problem:

using System.Runtime.CompilerServices;

internal class Program
{
    private static void Main(string[] args)
    {
        var sum = ForceException();
        Console.WriteLine(sum);
    }

    [MethodImpl(MethodImplOptions.NoInlining)]
    private static double ForceException()
    {
        double sum = 0;
        for (int i = 0; i < 1_000_000_000; i++)
        {
            var left = new Value(i);
            var right = new Value(i + 1);

            Value result = left + right;
            result *= new Value(2.0);
            result /= new Value(3.0);
            result -= new Value(1.0);
            result %= new Value(2.0);

            sum += result.AsNumber();
        }

        return sum;
    }
}

I get the following exception:

Unhandled exception. System.InvalidOperationException: Unsupported operator type '+' for left '0' and right '1'
   at Program.ForceException() in C:\Users\{USER}\source\repos\VmTest\CrashTest\Program.cs:line 20
   at Program.Main(String[] args) in C:\Users\{USER}\source\repos\VmTest\CrashTest\Program.cs:line 7

Maybe someone can test if this is also reproducible for others?

This program works with .NET 9 and interestingly with 10.0.100-preview.4.25258.110 but crashes with 10.0.100-preview.5.25277.114 now.

Here the jitdisasm diff ($env:DOTNET_JitDisasm="ForceException") between release run 10.0.100-preview.4.25258.110 and 10.0.100-preview.5.25277.114:

diff --git "a/.\\jit_execute_preview_4_crash_test.txt" "b/.\\jit_execute_preview_5_crash_test.txt"
index c3ddca1..e28d886 100644
--- "a/.\\jit_execute_preview_4_crash_test.txt"
+++ "b/.\\jit_execute_preview_5_crash_test.txt"
@@ -40,15 +40,15 @@ G_M000_IG03:
        vxorps   ymm0, ymm0, ymm0
        vmovdqu  ymmword ptr [rsp+0x108], ymm0
        vmovdqu  xmmword ptr [rsp+0x120], xmm0
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0x130]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
        je       G_M000_IG08
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0x100]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
        je       G_M000_IG08
        lea      rax, bword ptr [rsp+0x130]
        vmovsd   xmm0, qword ptr [rax]
@@ -63,15 +63,15 @@ G_M000_IG03:
        vxorps   ymm0, ymm0, ymm0
        vmovdqu  ymmword ptr [rsp+0xD0], ymm0
        vmovdqu  xmmword ptr [rsp+0xE8], xmm0
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0xF8]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
        je       G_M000_IG15
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0xC8]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
        je       G_M000_IG15
        lea      rax, bword ptr [rsp+0xF8]
        vmovsd   xmm0, qword ptr [rax]
@@ -81,22 +81,22 @@ G_M000_IG03:
        vmovd    rax, xmm0
        mov      qword ptr [rsp+0x138], rax
        mov      qword ptr [rsp+0xC0], rax
- 
-G_M000_IG04:
        mov      rax, 0xD1FFAB1E
        mov      qword ptr [rsp+0x90], rax
        vxorps   ymm0, ymm0, ymm0
        vmovdqu  ymmword ptr [rsp+0x98], ymm0
+ 
+G_M000_IG04:
        vmovdqu  xmmword ptr [rsp+0xB0], xmm0
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0xC0]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
        je       G_M000_IG26
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0x90]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
        je       G_M000_IG26
        lea      rax, bword ptr [rsp+0xC0]
        vmovsd   xmm0, qword ptr [rax]
@@ -111,15 +111,15 @@ G_M000_IG04:
        vxorps   ymm0, ymm0, ymm0
        vmovdqu  ymmword ptr [rsp+0x60], ymm0
        vmovdqu  xmmword ptr [rsp+0x78], xmm0
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0x88]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
        je       G_M000_IG33
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0x58]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
        je       G_M000_IG33
        lea      rax, bword ptr [rsp+0x88]
        vmovsd   xmm0, qword ptr [rax]
@@ -134,17 +134,17 @@ G_M000_IG04:
        vxorps   ymm0, ymm0, ymm0
        vmovdqu  ymmword ptr [rsp+0x28], ymm0
        vmovdqu  xmmword ptr [rsp+0x40], xmm0
- 
-G_M000_IG05:
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0x50]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
        je       G_M000_IG40
-       mov      rax, 0xD1FFAB1E
-       and      rax, qword ptr [rsp+0x20]
+       mov      rax, NA
+       not      rax
        mov      rcx, 0xD1FFAB1E
-       cmp      rax, rcx
+       and      rax, rcx
+ 
+G_M000_IG05:
        je       G_M000_IG40
        lea      rax, bword ptr [rsp+0x50]
        vmovsd   xmm0, qword ptr [rax]
@@ -297,10 +297,10 @@ G_M000_IG16:
        call     [System.Runtime.CompilerServices.DefaultInterpolatedStringHandler:GrowThenCopyString(System.String):this]
  
 G_M000_IG17:
-       mov      rdx, 0xD1FFAB1E
-       and      rdx, qword ptr [rsp+0xF8]
+       mov      rdx, NA
+       not      rdx
        mov      rcx, 0xD1FFAB1E
-       cmp      rdx, rcx
+       and      rdx, rcx
        setne    dl
        movzx    rdx, dl
        lea      rcx, [rsp+0xD0]
@@ -329,10 +329,10 @@ G_M000_IG18:
        call     [System.Runtime.CompilerServices.DefaultInterpolatedStringHandler:GrowThenCopyString(System.String):this]
  
 G_M000_IG19:
-       mov      rdx, 0xD1FFAB1E
-       and      rdx, qword ptr [rsp+0xC8]
+       mov      rdx, NA
+       not      rdx
        mov      rcx, 0xD1FFAB1E
-       cmp      rdx, rcx
+       and      rdx, rcx
        setne    dl
        movzx    rdx, dl
        lea      rcx, [rsp+0xD0]
@@ -683,67 +683,4 @@ G_M000_IG42:
        mov      word  ptr [rdx+0x18], 39
        mov      ecx, dword ptr [rsp+0x38]
        add      ecx, 13
-       mov      dword ptr [rsp+0x38], ecx
-       jmp      SHORT G_M000_IG44
- 
-G_M000_IG43:
-       lea      rcx, [rsp+0x28]
-       mov      rdx, 0xD1FFAB1E
-       call     [System.Runtime.CompilerServices.DefaultInterpolatedStringHandler:GrowThenCopyString(System.String):this]
- 
-G_M000_IG44:
-       lea      rcx, [rsp+0x28]
-       mov      rdx, qword ptr [rsp+0x20]
-       call     [System.Runtime.CompilerServices.DefaultInterpolatedStringHandler:AppendFormatted[Value](Value):this]
-       mov      ecx, dword ptr [rsp+0x38]
-       cmp      ecx, dword ptr [rsp+0x48]
-       jbe      SHORT G_M000_IG46
- 
-G_M000_IG45:
-       call     [System.ThrowHelper:ThrowArgumentOutOfRangeException()]
-       int3     
- 
-G_M000_IG46:
-       mov      rdx, bword ptr [rsp+0x40]
-       mov      eax, ecx
-       lea      rdx, bword ptr [rdx+2*rax]
-       mov      eax, dword ptr [rsp+0x48]
-       sub      eax, ecx
-       je       SHORT G_M000_IG47
-       mov      word  ptr [rdx], 39
-       mov      ecx, dword ptr [rsp+0x38]
-       inc      ecx
-       mov      dword ptr [rsp+0x38], ecx
-       jmp      SHORT G_M000_IG48
- 
-G_M000_IG47:
-       lea      rcx, [rsp+0x28]
-       mov      rdx, 0xD1FFAB1E
-       call     [System.Runtime.CompilerServices.DefaultInterpolatedStringHandler:GrowThenCopyString(System.String):this]
- 
-G_M000_IG48:
-       mov      rcx, 0xD1FFAB1E
-       call     CORINFO_HELP_NEWSFAST
-       mov      rbx, rax
-       lea      rcx, [rsp+0x28]
-       call     [System.Runtime.CompilerServices.DefaultInterpolatedStringHandler:ToStringAndClear():System.String:this]
-       mov      rdx, rax
-       mov      rcx, rbx
-       call     [System.InvalidOperationException:.ctor(System.String):this]
-       mov      rcx, rbx
-       call     CORINFO_HELP_THROW
-       int3     
- 
-RWD00  	dq	00750073006E0055h, 0072006F00700070h, 0020006400650074h, 007200650070006Fh
-RWD32  	dq	0072006F00740061h, 0070007900740020h, 002B002700200065h, 006F006600200027h
-RWD64  	dq	0065006C00200072h, 0027002000740066h
-RWD80  	dq	006E006100200027h, 0069007200200064h
-RWD96  	dq	006900520020002Ch, 003A007400680067h
-RWD112 	dd	00000000h, 00000000h, 00000000h, 00000000h
-RWD128 	dq	0072006F00740061h, 0070007900740020h, 002A002700200065h, 006F006600200027h
-RWD160 	dq	0072006F00740061h, 0070007900740020h, 002F002700200065h, 006F006600200027h
-RWD192 	dq	0072006F00740061h, 0070007900740020h, 002D002700200065h, 006F006600200027h
-RWD224 	dq	0072006F00740061h, 0070007900740020h, 0025002700200065h, 006F006600200027h
-
-; Total bytes of code 3501
-
+       mov      dw
\ No newline at end of file

[varelen]

On Compiler Explorer (https://godbolt.org/z/h8xcYPazK) with generic X64 + VEX on Unix I get an SIGSEGV with .NET (main) CoreCLR branch and the example from above copied in. With the .NET 9.0 CoreCLR branch it works.

[jkotas]

Thank you for a great repro!

Current main win x64 checked build fails with:

Assert failure(PID 32432 [0x00007eb0], Thread: 6272 [0x1880]): Assertion failed 'operand->isUsedFromReg()' in 'Program:ForceException():double' during 'Generate code' (IL size 150; hash 0x95ed1a8f; Tier1-OSR)

[amanasifkhalid]

This assert hits in CodeGen::genCodeForNegNot, the same place as the one in #116657.

[JulieLeeMSFT]

@EgorBo, PTAL.