[mlir][Inliner] Assertion \symbolUses && "expected uses to be valid" on function with no terminator containing an op with a region

[YuanchengJiang]

Summary

The MLIR inliner crashes with an assertion failure when processing a func.func that has no return terminator and contains an unregistered op with a region. The assertion fires in walkReferencedSymbolNodes during call graph construction.

Assertion

mlir-opt: mlir/lib/Transforms/Utils/Inliner.cpp:42:
void walkReferencedSymbolNodes(...):
Assertion `symbolUses && "expected uses to be valid"' failed.

Minimal Reproducer

File (min.mlir):

module {
  func.func @f() {
    "a.b"() ({}) : () -> ()
  }
}

Command:

mlir-opt --allow-unregistered-dialect --inline min.mlir

Stack Trace (key frames)

#9  walkReferencedSymbolNodes(...)  Inliner.cpp:62
#12 CGUseList::recomputeUses(...)   Inliner.cpp:233
#13 CGUseList(...)                  Inliner.cpp:159
#14 mlir::Inliner::doInlining()     Inliner.cpp:759
#15 InlinerPass::runOnOperation()   InlinerPass.cpp:152

Analysis

The inliner calls SymbolTable::getSymbolUses() on the parent region of an operation during call graph construction. When a func.func has no terminator (not caught by a verifier pass beforehand because --allow-unregistered-dialect relaxes verification), the function body is malformed in a way that causes getSymbolUses() to return std::nullopt — indicating the symbol table is not analyzable for that scope. The assertion on the returned value then fires unconditionally rather than handling the failure gracefully.

The inliner should either (a) guard against std::nullopt from getSymbolUses() and emit a diagnostic instead of asserting, or (b) run the verifier before the inliner to reject malformed inputs early.

Environment

• MLIR from llvm-project (see build at projects/mlir/llvm-mlir-build)
• Triggered with --allow-unregistered-dialect --inline
• Also triggered with the full pass pipeline: --allow-unregistered-dialect --inline --loop-invariant-code-motion --cse --canonicalize --symbol-dce --sccp --verify-each

This bug was found by fusion-fuzz

[llvmorg-github-actions]

@llvm/issue-subscribers-mlir

Author: YuanchengJiang

Details

## Summary

The MLIR inliner crashes with an assertion failure when processing a func.func that has no return terminator and contains an unregistered op with a region. The assertion fires in walkReferencedSymbolNodes during call graph construction.

Assertion

mlir-opt: mlir/lib/Transforms/Utils/Inliner.cpp:42:
void walkReferencedSymbolNodes(...):
Assertion `symbolUses && "expected uses to be valid"' failed.

Minimal Reproducer

File (min.mlir):

module {
  func.func @<!-- -->f() {
    "a.b"() ({}) : () -&gt; ()
  }
}

Command:

mlir-opt --allow-unregistered-dialect --inline min.mlir

Stack Trace (key frames)

#<!-- -->9  walkReferencedSymbolNodes(...)  Inliner.cpp:62
#<!-- -->12 CGUseList::recomputeUses(...)   Inliner.cpp:233
#<!-- -->13 CGUseList(...)                  Inliner.cpp:159
#<!-- -->14 mlir::Inliner::doInlining()     Inliner.cpp:759
#<!-- -->15 InlinerPass::runOnOperation()   InlinerPass.cpp:152

Analysis

The inliner calls SymbolTable::getSymbolUses() on the parent region of an operation during call graph construction. When a func.func has no terminator (not caught by a verifier pass beforehand because --allow-unregistered-dialect relaxes verification), the function body is malformed in a way that causes getSymbolUses() to return std::nullopt — indicating the symbol table is not analyzable for that scope. The assertion on the returned value then fires unconditionally rather than handling the failure gracefully.

The inliner should either (a) guard against std::nullopt from getSymbolUses() and emit a diagnostic instead of asserting, or (b) run the verifier before the inliner to reject malformed inputs early.

Environment

• MLIR from llvm-project (see build at projects/mlir/llvm-mlir-build)
• Triggered with --allow-unregistered-dialect --inline
• Also triggered with the full pass pipeline: --allow-unregistered-dialect --inline --loop-invariant-code-motion --cse --canonicalize --symbol-dce --sccp --verify-each

This bug was found by fusion-fuzz

[CoTinker]

I think this is not a bug. The -allow-unregistered-dialect flag is meant for testing, and we should ensure the correctness of the test operations. As for "a.b"() ({}) : () -> (), it has a region, so isPotentiallyUnknownSymbolTable returns false, and we are therefore unable to collect symbol uses. If the op has no region, the test does not crash — for example:

module {
  func.func @f() {
    "a.b"() : () -> ()
  }
}

llvm-project/mlir/lib/IR/SymbolTable.cpp

Lines 19 to 23 in 199e750

	/// Return true if the given operation is unknown and may potentially define a
	/// symbol table.
	static bool isPotentiallyUnknownSymbolTable(Operation *op) {
	return op->getNumRegions() == 1 && !op->getDialect();
	}

[joker-eph]

A crash is always a bug IMO, I don't see an exception for -allow-unregistered-dialect actually (unlike --mlir-very-unsafe-disable-verifier-on-parsing for example).

The pass (or the tool) should be defensive in face of valid IR and bail out without crashing.

Now of course fuzzer-generated crashes with a flag like -allow-unregistered-dialect are not representative of real-world issues and likely to be treated low-priority.

[toby85509-alt]

I can reproduce this on a recent MLIR 23 development package, and I found a related variant where the parent func.func is normally terminated with return.

Environment:

• mlir-opt-23
• Package version: 1:23~++20260530031447+f7d576010fc1-1~exp1~20260530151611.3159
• Command:

mlir-opt-23 --allow-unregistered-dialect --inline -o - repro.mlir

Variant:

module {
  func.func @f() {
    "a.b"() ({
      "a.t"() : () -> ()
    }) : () -> ()
    return
  }
}

Observation:

• mlir-opt-23 --allow-unregistered-dialect -o - repro.mlir succeeds.
• Adding --inline crashes with a stack dump in mlir::Inliner::doInlining().
• A closer variant with a normally terminated parent function and an empty nested region also crashes:

module {
  func.func @f() {
    "a.b"() ({
    }) : () -> ()
    return
  }
}

• Registered-region controls such as scf.if and normal func.call do not crash.
• An unknown op without a region also does not crash.

This suggests that the issue may not require the parent func.func to be missing a terminator. The broader trigger seems to be symbol-use/callgraph handling over unknown nested regions accepted under --allow-unregistered-dialect.

Could you confirm whether this returned-function variant is considered the same root cause as this issue, or should it be tracked separately?