Access Violation Exception in clrjit.dll - lclvars.cpp - lvaMarkLocalVars

[vpenades]

Here's the callstack dump:

clrjit.dll!Compiler::lvaMarkLclRefs(GenTree * tree) Line 3692
    at f:\dd\ndp\clr\src\jit\lclvars.cpp(3692)
[Inline Frame] clrjit.dll!Compiler::lvaMarkLocalVars::__l2::MarkLocalVarsVisitor::PreOrderVisit(GenTree * *) Line 3925
    at f:\dd\ndp\clr\src\jit\lclvars.cpp(3925)
clrjit.dll!GenTreeVisitor<`Compiler::lvaMarkLocalVars'::`2'::MarkLocalVarsVisitor>::WalkTree(GenTree * * use, GenTree *) Line 9637
    at f:\dd\ndp\clr\src\jit\compiler.h(9637)
[Inline Frame] clrjit.dll!Compiler::lvaMarkLocalVars(BasicBlock *) Line 3959
    at f:\dd\ndp\clr\src\jit\lclvars.cpp(3959)
clrjit.dll!Compiler::lvaMarkLocalVars() Line 4082
    at f:\dd\ndp\clr\src\jit\lclvars.cpp(4082)
clrjit.dll!Compiler::compCompile(void * * methodCodePtr, unsigned long * methodCodeSize, JitFlags * compileFlags) Line 4581
    at f:\dd\ndp\clr\src\jit\compiler.cpp(4581)
clrjit.dll!Compiler::compCompileHelper(CORINFO_MODULE_STRUCT_ * classPtr, ICorJitInfo * compHnd, CORINFO_METHOD_INFO * methodInfo, void * * methodCodePtr, unsigned long * methodCodeSize, JitFlags * compileFlags, CorInfoInstantiationVerification) Line 6025
    at f:\dd\ndp\clr\src\jit\compiler.cpp(6025)
clrjit.dll!Compiler::compCompile(CORINFO_METHOD_STRUCT_ * methodHnd, CORINFO_MODULE_STRUCT_ * classPtr, ICorJitInfo * compHnd, CORINFO_METHOD_INFO * methodInfo, void * * methodCodePtr, unsigned long * methodCodeSize, JitFlags * compileFlags) Line 5359
    at f:\dd\ndp\clr\src\jit\compiler.cpp(5359)
clrjit.dll!jitNativeCode(CORINFO_METHOD_STRUCT_ * methodHnd, CORINFO_MODULE_STRUCT_ * classPtr, ICorJitInfo * compHnd, CORINFO_METHOD_INFO * methodInfo, void * * methodCodePtr, unsigned long * methodCodeSize, JitFlags * compileFlags, void * inlineInfoPtr) Line 6666
    at f:\dd\ndp\clr\src\jit\compiler.cpp(6666)
clrjit.dll!CILJit::compileMethod(ICorJitInfo * compHnd, CORINFO_METHOD_INFO * methodInfo, unsigned int flags, unsigned char * * entryAddress, unsigned long * nativeSizeOfCode) Line 315
    at f:\dd\ndp\clr\src\jit\ee_il_dll.cpp(315)
[External Code]
mscoreei.dll!00007ffc2b107b2d()
mscoree.dll!00007ffc2b50a4cc()
kernel32.dll!00007ffc42443034()
ntdll.dll!00007ffc44bb1431()

Assembly code:

--- f:\dd\ndp\clr\src\jit\lclvars.cpp ------------------------------------------
00007FFC2125E5B0  mov         rax,rsp  
00007FFC2125E5B3  mov         qword ptr [rax+8],rbx  
00007FFC2125E5B7  mov         qword ptr [rax+10h],rbp  
00007FFC2125E5BB  mov         qword ptr [rax+18h],rsi  
00007FFC2125E5BF  mov         qword ptr [rax+20h],rdi  
00007FFC2125E5C3  push        r14  
00007FFC2125E5C5  sub         rsp,20h  
00007FFC2125E5C9  mov         ebp,edx  
00007FFC2125E5CB  mov         edi,r9d  
00007FFC2125E5CE  mov         r14d,r8d  
00007FFC2125E5D1  mov         rsi,rcx  
00007FFC2125E5D4  cmp         edx,0FFFFFFFFh  
00007FFC2125E5D7  je          AliasSet::AliasSet+9D970h (07FFC212F4F28h)  
00007FFC2125E5DD  mov         r9d,8  
00007FFC2125E5E3  cmp         r14d,r9d  
00007FFC2125E5E6  jb          Compiler::lvaAllocLocalAndSetVirtualOffset+72h (07FFC2125E622h)  
00007FFC2125E5E8  mov         r8d,dword ptr [rsi+2A84h]  
00007FFC2125E5EF  xor         ebx,ebx  
00007FFC2125E5F1  mov         r10b,4  
00007FFC2125E5F4  cmp         r8d,5  
00007FFC2125E5F8  jne         Compiler::lvaAllocLocalAndSetVirtualOffset+519A2h (07FFC212AFF52h)  
00007FFC2125E5FE  mov         eax,edi  
00007FFC2125E600  cdq  
00007FFC2125E601  idiv        eax,r9d  
00007FFC2125E604  test        edx,edx  
00007FFC2125E606  jne         Compiler::lvaAllocLocalAndSetVirtualOffset+519A2h (07FFC212AFF52h)  
00007FFC2125E60C  mov         rax,qword ptr [rsi+78h]  
00007FFC2125E610  mov         rcx,rbp  
00007FFC2125E613  shl         rcx,7  
00007FFC2125E617  test        byte ptr [rcx+rax+6],r10b  
00007FFC2125E61C  jne         Compiler::lvaAllocLocalAndSetVirtualOffset+519A2h (07FFC212AFF52h)  
00007FFC2125E622  mov         edx,3FFFFFFFh  
00007FFC2125E627  cmp         r14d,edx  
00007FFC2125E62A  ja          Compiler::lvaAllocLocalAndSetVirtualOffset+83D20h (07FFC212E22D0h)  
00007FFC2125E630  mov         ecx,dword ptr [rsi+2BB4h]  
00007FFC2125E636  add         ecx,r14d  
00007FFC2125E639  cmp         ecx,edx  
00007FFC2125E63B  ja          Compiler::lvaAllocLocalAndSetVirtualOffset+83D20h (07FFC212E22D0h)  
00007FFC2125E641  mov         rax,qword ptr [rsi+78h]  
00007FFC2125E645  sub         edi,r14d  
00007FFC2125E648  mov         rbx,qword ptr [rsp+30h]  
00007FFC2125E64D  mov         dword ptr [rsi+2BB4h],ecx  
00007FFC2125E653  mov         rcx,rbp  
00007FFC2125E656  mov         rbp,qword ptr [rsp+38h]  
00007FFC2125E65B  mov         rsi,qword ptr [rsp+40h]  
00007FFC2125E660  shl         rcx,7  
00007FFC2125E664  mov         dword ptr [rcx+rax+20h],edi  
00007FFC2125E668  mov         eax,edi  
00007FFC2125E66A  mov         rdi,qword ptr [rsp+48h]  
00007FFC2125E66F  add         rsp,20h  
00007FFC2125E673  pop         r14  
00007FFC2125E675  ret  
00007FFC2125E676  movzx       eax,byte ptr [rdi+1]  
00007FFC2125E67A  mov         rbp,qword ptr [rdi+38h]  
00007FFC2125E67E  sub         al,2  
00007FFC2125E680  mov         rbx,qword ptr [rdi+40h]  
00007FFC2125E684  cmp         al,2  
00007FFC2125E686  jbe         $NOT_BOOL+2B582h (07FFC21289C44h)  
00007FFC2125E68C  cmp         byte ptr [rbp],1  
00007FFC2125E690  jne         Compiler::lvaMarkLclRefs+32h (07FFC2123F632h)  

>>>>>>  00007FFC2125E696  cmp         byte ptr [rbx+1],2  

00007FFC2125E69A  je          Compiler::lvaMarkLclRefs+32h (07FFC2123F632h)  
00007FFC2125E6A0  cmp         byte ptr [rdi],3Fh  
00007FFC2125E6A3  jne         $NOT_BOOL (07FFC2125E6C2h)  
00007FFC2125E6A5  movzx       eax,byte ptr [rbx]  
00007FFC2125E6A8  cmp         al,0Bh  
00007FFC2125E6AA  je          $NOT_BOOL+14F71h (07FFC21273633h)  
00007FFC2125E6B0  movzx       eax,al  
00007FFC2125E6B3  test        byte ptr GenTree::gtOperKindTable (07FFC21322330h)[r15+rax*2-7FFC21230000h],10h  
00007FFC2125E6BC  jne         Compiler::lvaMarkLclRefs+32h (07FFC2123F632h)  
00007FFC2125E6C2  mov         ebx,dword ptr [rbp+40h]  
00007FFC2125E6C5  cmp         ebx,dword ptr [rsi+70h]  
00007FFC2125E6C8  jae         AliasSet::AliasSet+9DCC5h (07FFC212F527Dh)  
00007FFC2125E6CE  mov         rax,qword ptr [rsi+78h]  
00007FFC2125E6D2  mov         rcx,rbx  
00007FFC2125E6D5  shl         rcx,7  
00007FFC2125E6D9  and         byte ptr [rcx+rax+3],0F7h  
00007FFC2125E6DE  jmp         Compiler::lvaMarkLclRefs+32h (07FFC2123F632h)  
00007FFC2125E6E3  int         3  

Other relevant info:

• Using Latest version of VS2017 community, on a x64bit machine.
• The project is a classic Desktop Application
• It was using Net452 by default but it also crashes with Net471.
• Release mode crashes, Debug mode works.
• It crashes with target platform x64
• It works well with target platform x86, for now we're going to force x86 as a temporary solution.

I'll post any other info I can get.

[vpenades]

Proof of concept to reproduce the exception:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net462</TargetFramework>
    <Platforms>x64</Platforms>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="System.Numerics.Vectors" Version="4.5.0" />
  </ItemGroup>

</Project>

using System;
using System.Numerics;

namespace JitCrashPOC
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Hello World!");

            var map = new ItemRunner();

            map.UpdateItem(0,10);            
        }
    }

    class Item
    {
        public Vector3 _Position = new Vector3(0.0f, 0.0f, 0.0f);
    }

    class ItemRunner
    {
        public ItemRunner()
        {
            for (int i = 0; i < _Pool.Length; ++i) { _Pool[i] = new Item(); }
        }

        private const float _LenghtZ = 1000.0f;

        private static readonly Vector3 _Start = new Vector3(0.0f, -1021.7f, -3451.3f);
        private static readonly Vector3 _Slope = new Vector3(0.0f, 0.286f, 0.958f);

        private Item[] _Pool = new Item[30];

        private Item _LastGenerated;        

        public void UpdateItem(float fDelta, int depth)
        {
            if (depth == 0) return;

            for (int i = 0; i < _Pool.Length; i++)
            {
                var vDelta = _Slope * fDelta;

                if (_LastGenerated != null) _Pool[i]._Position = _LastGenerated._Position - _Slope * _LenghtZ;
                else _Pool[i]._Position = _Start - vDelta;

                _LastGenerated = _Pool[i];

            }

            UpdateItem(0, depth-1);            
        }
    }
}

[mikedn]

@briansull Seems related to dotnet/coreclr#18775

Assert failure(PID 3372 [0x00000d2c], Thread: 14092 [0x370c]): Assertion failed '!"Bad type in gtNewZeroConNode"' in 'JitCrashPOC.ItemRunner:UpdateItem(float,int):this' (IL size 142)

    File: d:\projects\coreclr\src\jit\gentree.cpp Line: 6108
    Image: D:\Projects\coreclr\bin\Product\Windows_NT.x64.Checked\CoreRun.exe

[briansull]

I am testing a fix

[briansull]

PR dotnet/coreclr#19065 addresses this issue

[vpenades]

Thanks for the fix.

So, do you have an estimation of when it will be available for end users?

[briansull]

Fix is now checked in to master

[briansull]

vpenades - Is it the case that you want this fix on the desktop CLR?

[vpenades]

Yes, the crash was initially reported on an end users machine.

What I don't know is if the crash happened because the compiler generatea bad IL, in which case I guess the fix will come with the next VS2017 update... Or the .Net JIT generated bad native code...

[briansull]

The issue occurs in the .Net JIT compiler, when it finds a method that it can optimize in a special way, by turning a recursive call into a method that uses a loop instead of tail-recursion. The method also must be using the SIMD types such as Vector3.