AV occurs during JIT compilation with dynamic PGO for TYP_REF

[kemats]

Description

JIT compiler with dynamic PGO crashes when compiling some TYP_REF involving code.
This reproduces on .NET 8, 9 and 10 RC1.

Reproduction Steps

Create a new console project and paste the following code, then build and run the project.
You will see that application crashes due to "Fatal error. Internal CLR error. (0x80131506)".
This issue does not reproduce when dynamic PGO is disabled.

namespace ConsoleApp1
{
    internal class Program
    {
        static System.Collections.ArrayList array = [];
        static void Foo(ref object[]? a)
        {
            a = new object[1];
            array.Add(a.Clone());
        }

        static void Main()
        {
            while (true)
            {
                object[]? a = null;
                Foo(ref a);
            }
        }
    }
}

Expected behavior

JIT compilation succeeds and application runs without crash.

Actual behavior

AV occurs during JIT compilation and application crashes due to fatal execution engine error.

Regression?

No response

Known Workarounds

No response

Configuration

OS versions: not related.
.NET versions: confirmed reproduction with .NET 8, 9 and 10 RC1.
Dynamic PGO needs to be enabled in order to reproduce this issue.

Other information

Access violation occurs because class handle is null.
It seems necessary to check whether lcl->lvClassHnd is not set to NO_CLASS_HANDLE.

runtime/src/coreclr/jit/fginline.cpp

Lines 624 to 645 in 574100b

	const unsigned lclNum = tree->AsLclVarCommon()->GetLclNum();
	GenTree* const value = tree->AsLclVarCommon()->Data();
	// If we're storing to a ref typed local that has one definition,
	// we may be able to sharpen the type for the local.
	if (tree->TypeGet() == TYP_REF)
	{
	LclVarDsc* lcl = m_compiler->lvaGetDesc(lclNum);
	if (lcl->lvSingleDef)
	{
	bool isExact = false;
	bool isNonNull = false;
	CORINFO_CLASS_HANDLE newClass = m_compiler->gtGetClassHandle(value, &isExact, &isNonNull);
	if (newClass != NO_CLASS_HANDLE)
	{
	m_compiler->lvaUpdateClass(lclNum, newClass, isExact);
	m_madeChanges = true;
	}
	}
	}

0:007> r
rax=0000000000000000 rbx=000000df8687d330 rcx=000000df8687dbf0
rdx=00007ff85601bc68 rsi=000000df8687cba0 rdi=000000df8687ce40
rip=00007ff8b5b37ac3 rsp=000000df8687dba8 rbp=00007ff85601bc68
 r8=00007ff85601bc68  r9=0000025b00111060 r10=0000000000000000
r11=0000000010000400 r12=00007ff8b5850000 r13=0000000000000000
r14=000000df8687e620 r15=0000025b1ccd1d08
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010244
coreclr!MethodTable::GetFlag [inlined in coreclr!TypeHandle::HasTypeEquivalence+0x7]:
00007ff8`b5b37ac3 8b00            mov     eax,dword ptr [rax] ds:00000000`00000000=????????

0:007> k
 # Child-SP          RetAddr               Call Site
00 (Inline Function) --------`--------     coreclr!MethodTable::GetFlag [D:\a\_work\1\s\src\coreclr\vm\methodtable.h @ 3511] 
01 (Inline Function) --------`--------     coreclr!MethodTable::HasTypeEquivalence [D:\a\_work\1\s\src\coreclr\vm\methodtable.h @ 718] 
02 000000df`8687dba8 00007ff8`b5b37a5d     coreclr!TypeHandle::HasTypeEquivalence+0x7 [D:\a\_work\1\s\src\coreclr\vm\typehandle.inl @ 140] 
03 000000df`8687dbb0 00007ff8`b5b37878     coreclr!isMoreSpecificTypeHelper+0x25 [D:\a\_work\1\s\src\coreclr\vm\jitinterface.cpp @ 4572] 
04 000000df`8687dbf0 00007ff8`b589f32d     coreclr!CEEInfo::isMoreSpecificType+0x28 [D:\a\_work\1\s\src\coreclr\vm\jitinterface.cpp @ 4612] 
05 000000df`8687dc30 00007ff8`b58a0542     clrjit!Compiler::lvaUpdateClass+0x5d [D:\a\_work\1\s\src\coreclr\jit\lclvars.cpp @ 3207] 
06 (Inline Function) --------`--------     clrjit!SubstitutePlaceholdersAndDevirtualizeWalker::LateDevirtualization+0x329 [D:\a\_work\1\s\src\coreclr\jit\fginline.cpp @ 641] 
07 (Inline Function) --------`--------     clrjit!SubstitutePlaceholdersAndDevirtualizeWalker::PostOrderVisit+0x329 [D:\a\_work\1\s\src\coreclr\jit\fginline.cpp @ 278] 
08 000000df`8687dc60 00007ff8`b589f5ef     clrjit!GenTreeVisitor<SubstitutePlaceholdersAndDevirtualizeWalker>::WalkTree+0x372 [D:\a\_work\1\s\src\coreclr\jit\compiler.h @ 11479] 
09 000000df`8687dd00 00007ff8`b5929f20     clrjit!Compiler::fgInline+0xff [D:\a\_work\1\s\src\coreclr\jit\fginline.cpp @ 772] 
0a (Inline Function) --------`--------     clrjit!Phase::Run+0x24 [D:\a\_work\1\s\src\coreclr\jit\phase.cpp @ 61] 
0b (Inline Function) --------`--------     clrjit!DoPhase+0x60 [D:\a\_work\1\s\src\coreclr\jit\phase.h @ 136] 
0c 000000df`8687e6d0 00007ff8`b592d30b     clrjit!Compiler::compCompile+0x4b0 [D:\a\_work\1\s\src\coreclr\jit\compiler.cpp @ 4609] 
0d 000000df`8687e980 00007ff8`b592bfed     clrjit!Compiler::compCompileHelper+0xa4b [D:\a\_work\1\s\src\coreclr\jit\compiler.cpp @ 7150] 
0e 000000df`8687ea60 00007ff8`b58c23bc     clrjit!Compiler::compCompile+0x24d [D:\a\_work\1\s\src\coreclr\jit\compiler.cpp @ 6292] 
0f 000000df`8687eb50 00007ff8`b593ed0f     clrjit!jitNativeCode+0x24c [D:\a\_work\1\s\src\coreclr\jit\compiler.cpp @ 7783] 
10 000000df`8687ecf0 00007ff8`b5b4bb86     clrjit!CILJit::compileMethod+0xaf [D:\a\_work\1\s\src\coreclr\jit\ee_il_dll.cpp @ 299] 
11 (Inline Function) --------`--------     coreclr!invokeCompileMethodHelper+0x77 [D:\a\_work\1\s\src\coreclr\vm\jitinterface.cpp @ 12406] 
12 (Inline Function) --------`--------     coreclr!invokeCompileMethod+0xb0 [D:\a\_work\1\s\src\coreclr\vm\jitinterface.cpp @ 12469] 
13 000000df`8687ed90 00007ff8`b5b4b49a     coreclr!UnsafeJitFunction+0x616 [D:\a\_work\1\s\src\coreclr\vm\jitinterface.cpp @ 12914] 
14 000000df`8687f2e0 00007ff8`b5b4b2dd     coreclr!MethodDesc::JitCompileCodeLocked+0xce [D:\a\_work\1\s\src\coreclr\vm\prestub.cpp @ 939] 
15 000000df`8687f3f0 00007ff8`b5b4afd6     coreclr!MethodDesc::JitCompileCodeLockedEventWrapper+0x17d [D:\a\_work\1\s\src\coreclr\vm\prestub.cpp @ 820] 
16 000000df`8687f520 00007ff8`b5bf72f3     coreclr!MethodDesc::JitCompileCode+0x2c6 [D:\a\_work\1\s\src\coreclr\vm\prestub.cpp @ 707] 
17 000000df`8687f5c0 00007ff8`b5bf75f6     coreclr!MethodDesc::PrepareILBasedCode+0xc3 [D:\a\_work\1\s\src\coreclr\vm\prestub.cpp @ 441] 
18 (Inline Function) --------`--------     coreclr!MethodDesc::PrepareCode+0x10 [D:\a\_work\1\s\src\coreclr\vm\prestub.cpp @ 321] 
19 000000df`8687f650 00007ff8`b5bf6cfc     coreclr!TieredCompilationManager::CompileCodeVersion+0xb2 [D:\a\_work\1\s\src\coreclr\vm\tieredcompilation.cpp @ 962] 
1a (Inline Function) --------`--------     coreclr!TieredCompilationManager::OptimizeMethod+0x1d [D:\a\_work\1\s\src\coreclr\vm\tieredcompilation.cpp @ 939] 
1b 000000df`8687f770 00007ff8`b5b19050     coreclr!TieredCompilationManager::DoBackgroundWork+0x17c [D:\a\_work\1\s\src\coreclr\vm\tieredcompilation.cpp @ 824] 
1c 000000df`8687f8d0 00007ff8`b5b192f0     coreclr!TieredCompilationManager::BackgroundWorkerStart+0xc8 [D:\a\_work\1\s\src\coreclr\vm\tieredcompilation.cpp @ 537] 
1d 000000df`8687f920 00007ff8`b5b526c2     coreclr!TieredCompilationManager::BackgroundWorkerBootstrapper1+0x60 [D:\a\_work\1\s\src\coreclr\vm\tieredcompilation.cpp @ 486] 
1e (Inline Function) --------`--------     coreclr!ManagedThreadBase_DispatchInner+0xd [D:\a\_work\1\s\src\coreclr\vm\threads.cpp @ 7222] 
1f 000000df`8687f960 00007ff8`b5b52604     coreclr!ManagedThreadBase_DispatchMiddle+0x5e [D:\a\_work\1\s\src\coreclr\vm\threads.cpp @ 7266] 
20 000000df`8687fa10 00007ff8`b5c660dd     coreclr!ManagedThreadBase_DispatchOuter+0x90 [D:\a\_work\1\s\src\coreclr\vm\threads.cpp @ 7425] 
21 (Inline Function) --------`--------     coreclr!ManagedThreadBase_FullTransition+0x27 [D:\a\_work\1\s\src\coreclr\vm\threads.cpp @ 7470] 
22 (Inline Function) --------`--------     coreclr!ManagedThreadBase::KickOff+0x27 [D:\a\_work\1\s\src\coreclr\vm\threads.cpp @ 7505] 
23 000000df`8687fa80 00007ff9`020de8d7     coreclr!TieredCompilationManager::BackgroundWorkerBootstrapper0+0x3d [D:\a\_work\1\s\src\coreclr\vm\tieredcompilation.cpp @ 469] 
24 000000df`8687fad0 00007ff9`03aa8d9c     kernel32!BaseThreadInitThunk+0x17
25 000000df`8687fb00 00000000`00000000     ntdll!RtlUserThreadStart+0x2c

[dotnet-policy-service]

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

[MihuBot]

I'm a bot. Here is a possible related and/or duplicate issue (I may be wrong):

• Access Violation in jithelpers with Dynamic PGO enabled #87597

[AndyAyersMS]

Thank you for reporting this.

[AndyAyersMS]

Fixing the crash seems simple enough, but I'm puzzled why that local didn't already have some kind of class handle. So going to keep looking.

[AndyAyersMS]

Ok, I see why this happens, we have some special treatment of System.Array.Clone that can end up failing to record a type on a spilled return temp when the argument to Clone is a byref.