JIT: TransformUnusedIndirection may create unused non-faulting loads

[AndyAyersMS]

For IR like TransformUnusedIndirection

               [000077] D----------                   t77 =    LCL_ADDR  byref  V06 loc2         [+0]
N001 (  1,  1) [000000] -----+-----                    t0 =    LCL_VAR   byref  V02 arg0         u:1 (last use) $c0
                                                            /--*  t0     byref
N002 (  7,  5) [000068] nc--G+-----                   t68 = *  IND       struct
                                                            /--*  t77    byref
                                                            +--*  t68    struct
N003 ( 17, 12) [000030] sA---+-----                         *  STORE_BLK struct<System.Runtime.Intrinsics.Vector128`1, 16> (copy) (memory.copy)

Liveness (during Lower) will transform the IND to a NULLCHECK when it reaches the LCL_ADDR, but this IND is nonfaulting, and could be removed, as well as its address. Liveness will also remove the LCL_ADDR.

However (since we're transforming nodes we already processed) we've already registered V02 as live at that point so if we remove the LCL_VR we end up with an inconsistency where V02 is claimed to be live during codegen but is not live out and has no uses in the block.

Not sure how common this is, perhaps rare, but Wasm got tripped up by it because the codegen for IND (now a NULLCHECK) wanted to branch to a throw helper block, but the JIT never asked for one since, the NULLCHECK does not have GTF_EXCEPT set.

[AndyAyersMS]

@jakobbotsch any thoughts on how to fix this? Seems like we could force Liveness to iterate once more on that block maybe.

[dotnet-policy-service]

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

[jakobbotsch]

ComputeLifeLIR probably just forgets to set m_compiler->fgStmtRemoved = true for this case.

[AndyAyersMS]

It gets set by TryRemoveDeadStoreLIR, but that's not sufficient since live in for this block doesn't change (both src and dest of the original dead store were based on V02, so we don't set m_livenessChanged).

runtime/src/coreclr/jit/liveness.cpp

Lines 2453 to 2464 in 1136c24

	if (TryRemoveDeadStoreLIR(store, node->AsLclVarCommon(), block))
	{
	JITDUMP("Removing dead LclVar address:\n");
	DISPNODE(node);
	blockRange.Remove(node);
	GenTree* data = store->AsIndir()->Data();
	data->SetUnusedValue();
	if (data->isIndir())
	{
	Lowering::TransformUnusedIndirection(data->AsIndir(), m_compiler, block);

If I set m_livnessChanged after the call to Transform.. then things work.

Seems to be a rare case though -- no SPMI diffs (though we don't seem to have a crossgen collection, which is where this came up for Wasm).

I can teach Wasm that GT_NULLCHECK might not need to do a nullcheck after all.