ReJITID is always zero in ILToNativeMapDCStart event

[pharring]

Description

I've been looking at how we implement "Goto Source (Def)" in PerfView for JIT-compiled frames when using ETW (i.e. not EventPipe)

The mapping from stack frame to source goes via a number of steps. One important piece is mapping from { module, RVA } to { Assembly, Namespace, Type, Method, IL offset }
That's achieved by tracking three tables emitted by the CLR's rundown provider: Loader/ModuleDCStart, Method/DCStartVerbose and Method/ILToNativeMapDCStart.

The first two gets us the Assembly, Namespace, Type, Method part. The final table gives us a way to find the IL offset (which, along with the PDB, allows us to identify the line number in source).

If the method in question has been re-JIT-ted -- perhaps due to tiered compilation -- we get two entries in the DCStartVerbose and ILToNativeMapDCStart tables, as you'd expect. In the DCStartVerbose table, the ReJITID can be used to distinguish them. Typically, I see 0 for "QuickJitted" and 1 for "OptimizedTier1". However, in the ILToNativeMapDCStart table the ReJITID always appears to be 0. That makes it difficult to correlate reliably (you have to rely on heuristics).

It looks like a bug that the ReJITID is always 0 in the ILToNativeMapDCStart event.

Reproduction Steps

I can share a .diagsession, if necessary.

1. Capture a trace with PerfView of a reasonably complex .NET 6 application (something that exercises tiered compilation)
2. Open the trace, view the CPU stacks and try to "Goto Source" for some of the JITted methods. Assuming it works at all, you're likely to end up at the wrong line number. The difference may be very subtle.

More directly (which is how I found it), take a look at the raw events in the trace using PerfView's Events view. Filter to "Method/DCStartVerbose" and "Method/ILToNativeMapDCStart" events. Find an interesting method in the DCStartVerbose table -- one that has been JITted twice for tiered compilation (has a ReJITID of 1). Then search for that MethodID in the ILToNativeMap table. You'll find that it has two entries, each with ReJITID of 0. They likely have completely different IL offsets (view the raw event data) even though they claim to be the same.

Expected behavior

ReJITID is set correctly in the ILToNativeMapDCStart event

Actual behavior

ReJITID is always zero

Regression?

I suspect it's been that way forever -- it's just that tiered compilation only recently became widely available.

Known Workarounds

None

Configuration

.NET 6, Windows, x64

Other information

No response

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

Tagging subscribers to this area: @tommcdon
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

I've been looking at how we implement "Goto Source (Def)" in PerfView for JIT-compiled frames when using ETW (i.e. not EventPipe)

The mapping from stack frame to source goes via a number of steps. One important piece is mapping from { module, RVA } to { Assembly, Namespace, Type, Method, IL offset }
That's achieved by tracking three tables emitted by the CLR's rundown provider: Loader/ModuleDCStart, Method/DCStartVerbose and Method/ILToNativeMapDCStart.

The first two gets us the Assembly, Namespace, Type, Method part. The final table gives us a way to find the IL offset (which, along with the PDB, allows us to identify the line number in source).

If the method in question has been re-JIT-ted -- perhaps due to tiered compilation -- we get two entries in the DCStartVerbose and ILToNativeMapDCStart tables, as you'd expect. In the DCStartVerbose table, the ReJITID can be used to distinguish them. Typically, I see 0 for "QuickJitted" and 1 for "OptimizedTier1". However, in the ILToNativeMapDCStart table the ReJITID always appears to be 0. That makes it difficult to correlate reliably (you have to rely on heuristics).

It looks like a bug that the ReJITID is always 0 in the ILToNativeMapDCStart event.

Reproduction Steps

I can share a .diagsession, if necessary.

1. Capture a trace with PerfView of a reasonably complex .NET 6 application (something that exercises tiered compilation)
2. Open the trace, view the CPU stacks and try to "Goto Source" for some of the JITted methods. Assuming it works at all, you're likely to end up at the wrong line number. The difference may be very subtle.

More directly (which is how I found it), take a look at the raw events in the trace using PerfView's Events view. Filter to "Method/DCStartVerbose" and "Method/ILToNativeMapDCStart" events. Find an interesting method in the DCStartVerbose table -- one that has been JITted twice for tiered compilation (has a ReJITID of 1). Then search for that MethodID in the ILToNativeMap table. You'll find that it has two entries, each with ReJITID of 0. They likely have completely different IL offsets (view the raw event data) even though they claim to be the same.

Expected behavior

ReJITID is set correctly in the ILToNativeMapDCStart event

Actual behavior

ReJITID is always zero

Regression?

I suspect it's been that way forever -- it's just that tiered compilation only recently became widely available.

Known Workarounds

None

Configuration

.NET 6, Windows, x64

Other information

No response

Author:	pharring
Assignees:	-
Labels:	area-Diagnostics-coreclr, area-Tracing-coreclr, untriaged
Milestone:	-

[tommcdon]

@davmason @noahfalk

[davmason]

Looking at the code

runtime/src/coreclr/vm/eventtrace.cpp

Lines 6891 to 6915 in 45589f2

	if ((dwEventOptions & ETW::EnumerationLog::EnumerationStructs::JitMethodILToNativeMap) != 0)
	{
	FireEtwMethodILToNativeMap(
	ullMethodIdentifier,
	ilCodeId,
	0, // Extent: This event is only sent for JITted (not NGENd) methods, and
	// currently there is only one extent (hot) for JITted methods.
	cMap,
	rguiILOffset,
	rguiNativeOffset,
	GetClrInstanceId());
	}
	// Rundown provider
	//
	// These macros already check for the JittedMethodILToNativeMapRundownKeyword
	// before choosing to fire the event--we further check our options to see if we
	// should fire the Start and / or End flavor of the event (since the keyword alone
	// is insufficient to distinguish these).
	//
	// (for an explanation of the parameters see the FireEtwMethodILToNativeMap call above)
	if ((dwEventOptions & ETW::EnumerationLog::EnumerationStructs::MethodDCStartILToNativeMap) != 0)
	FireEtwMethodDCStartILToNativeMap(ullMethodIdentifier, 0, 0, cMap, rguiILOffset, rguiNativeOffset, GetClrInstanceId());
	if ((dwEventOptions & ETW::EnumerationLog::EnumerationStructs::MethodDCEndILToNativeMap) != 0)
	FireEtwMethodDCEndILToNativeMap(ullMethodIdentifier, 0, 0, cMap, rguiILOffset, rguiNativeOffset, GetClrInstanceId());

We correctly set the ID for the non-rundown event but it's hardcoded to 0 for the rundown events. I haven't thought about it too much but at the surface level it seems like a one line type of fix.

[pharring]

@davmason thanks for looking at this.
FWIW, the link to code led me to this commit: 3f7a996 which appears to be replacing ReJITID with NativeCodeID. I know almost nothing about the implementation and history here, so please take this with a grain of salt. I just mention it because it seemed relevant. If I've misunderstood the purpose of the ReJITID field, or if PerfView/TraceEvent needs to be modified to understand NativeCodeID, then please let me know. At the end of the day, I just want "Goto Source" to work reliably and accurately every time.

[davmason]

@kouvel is there any compat reason to hard code the rundown ILToNativeMap events to 0? I can't think of any reason so this seems like an easy fix for 7

[kouvel]

I don't know why it was hardcoded to 0, it seems to have been like that from the beginning in the history

[jakobbotsch]

Another weird thing I've noticed is that we seem to have different definitions of "ReJITID" used in different ETW events

• In MethodDCStart (fired by ETW::MethodLog::SendMethodEvent), the "ReJITID" we report is actually a NativeCodeVersionId retrieved through NativeCodeVersion::GetVersionId()
• In ILToNativeMap (fired by ETW::MethodLog::SendMethodILToNativeMapEvent) the "ReJITID" is an actual (typedeffed) ReJITID that we retrieve through NativeCodeVersion::GetILCodeVersionId() for the non-rundown version, and which is 0 for the rundown version.

Correct me if I'm wrong, but while both of these are called "ReJITID" in the events, they are actually two separate IDs and cannot be used for crossreferencing. One difference I believe is that of the two, only the former is incremented when compiling new tiered versions.

It seems like we should figure out how to reconcile these so that crossreferencing is easier/possible.

[jakobbotsch]

Ah, looks like the commit by @kouvel linked above does seem to discuss this. I wonder what the reasoning was not to change ILToNativeMap as well?