Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The Jit doesn't handle certain uses of field addresses correctly #77636

Closed
SingleAccretion opened this issue Oct 29, 2022 · 1 comment · Fixed by #78226
Closed

The Jit doesn't handle certain uses of field addresses correctly #77636

SingleAccretion opened this issue Oct 29, 2022 · 1 comment · Fixed by #78226
Assignees
@SingleAccretion
Labels
area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI bug
Milestone
8.0.0

Comments

@SingleAccretion
Copy link
Contributor

Reproduction:

Console.WriteLine(Problem(null));

[MethodImpl(MethodImplOptions.NoInlining)]
static int Problem(StructWithIndex* s)
{
    return *(int*)((nint)(int*)&s->Value | -1);
}

struct StructWithIndex
{
    public int Index;
    public int Value;
}

Compile and run.

Expected result: NullReferenceException is thrown.

Actual result: AccessViolationException is thrown.

Cause: the morphing context used for checking whether an explicit null check is required has fairly non-obvious propagation rules. In particular, it does not get "reset" for arbitrary users, but passed as-is.
@SingleAccretion SingleAccretion added bug area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI labels Oct 29, 2022
@SingleAccretion SingleAccretion added this to the 8.0.0 milestone Oct 29, 2022
@SingleAccretion SingleAccretion self-assigned this Oct 29, 2022
@ghost
Copy link

ghost commented Oct 29, 2022

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Issue Details

Reproduction:

Console.WriteLine(Problem(null));

[MethodImpl(MethodImplOptions.NoInlining)]
static int Problem(StructWithIndex* s)
{
    return *(int*)((nint)(int*)&s->Value | -1);
}

struct StructWithIndex
{
    public int Index;
    public int Value;
}

Compile and run.

Expected result: NullReferenceException is thrown.

Actual result: AccessViolationException is thrown.

Cause: the morphing context used for checking whether an explicit null check is required has fairly non-obvious propagation rules. In particular, it does not get "reset" for arbitrary users, but passed as-is.

Author: SingleAccretion
Assignees: SingleAccretion
Labels:

bug, area-CodeGen-coreclr
Milestone: 8.0.0

@SingleAccretion SingleAccretion mentioned this issue Nov 11, 2022
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Nov 11, 2022
SingleAccretion added a commit to SingleAccretion/runtime that referenced this issue Nov 11, 2022
@SingleAccretion
Add a test for dotnet#77636
a82cce8
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Nov 29, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Dec 29, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@SingleAccretion SingleAccretion

Labels
area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI bug
Projects
None yet
Milestone
8.0.0
Development

Successfully merging a pull request may close this issue.

Use FIELD_ADDR for all ldfldas SingleAccretion/runtime
1 participant
@SingleAccretion