JIT generates incorrect optimised code in .NET 8

[chris-white-wtw]

Description

After migrating some projects to .NET 8 we observe some behaviour differences in certain methods in release builds, which only occur once those methods have been optimised by the JIT.

Disabling tiered PGO changes the method that fails, but does not fix the problem.

Examining the disassembly suggests a parameter value is being accidentally overwritten.

Reproduction Steps

• Clone https://github.com/chris-white-wtw/JitIssue
• dotnet run -c release

Note that running using debug configuration does not exhibit the problem.

Expected behavior

Should complete with no output.

Actual behavior

Prints exception (thrown because a range-check fails).

Regression?

The program behaves as expected in .NET 6 (6.0.27) and .NET 7 (7.0.14).

Known Workarounds

No response

Configuration

• .NET SDK 8.0.201
• Windows 10 Enterprise, 10.0.19045
• x64

Originally observed via some test failures in CI, running on Windows Server 2016 v10.0 with .NET SDK 8.0.101.

Other information

I have included a README in the repo (https://github.com/chris-white-wtw/JitIssue) with the information I've found so far.

Essentially, in each of the two variants of the bug (with and without tiered PGO), the disassembly of an optimised method includes a vmovq instruction that prematurely moves r8 to a xmm register that's still holding one of the other parameter values.

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

After migrating some projects to .NET 8 we observe some behaviour differences in certain methods in release builds, which only occur once those methods have been optimised by the JIT.

Disabling tiered PGO changes the method that fails, but does not fix the problem.

Examining the disassembly suggests a parameter value is being accidentally overwritten.

Reproduction Steps

• Clone https://github.com/chris-white-wtw/JitIssue
• dotnet run -c release

Note that running using debug configuration does not exhibit the problem.

Expected behavior

Should complete with no output.

Actual behavior

Prints exception (thrown because a range-check fails).

Regression?

The program behaves as expected in .NET 6 (6.0.27) and .NET 7 (7.0.14).

Known Workarounds

No response

Configuration

• .NET SDK 8.0.201
• Windows 10 Enterprise, 10.0.19045
• x64

Originally observed via some test failures in CI, running on Windows Server 2016 v10.0 with .NET SDK 8.0.101.

Other information

I have included a README in the repo (https://github.com/chris-white-wtw/JitIssue) with the information I've found so far.

Essentially, in each of the two variants of the bug (with and without tiered PGO), the disassembly of an optimised method includes a vmovq instruction that prematurely moves r8 to a xmm register that's still holding one of the other parameter values.

Author:	chris-white-wtw
Assignees:	-
Labels:	area-CodeGen-coreclr, untriaged
Milestone:	-

[jakobbotsch]

This looks like the same issue as #96306. #96439 already fixed the issue in main, but we haven't backported the fix to .NET 8 (yet). I'll do that.
One workaround would be to mark the Tolerance parameters in the function signatures with in.

[chris-white-wtw]

Thanks for the quick response and the suggested workaround.

I'd forgotten that .NET 9 now has a preview available but I've now downloaded this and confirmed that the issue does not reproduce when targeting net9.0.

Backporting the fix to .NET 8 will be much appreciated, thank you.

[richardjm]

Is there an expected date for when 8.0-staging becomes GA? Although I can see the PR hasn't actually merged yet.

[jakobbotsch]

I believe this particular fix will be in the April servicing release of .NET 8 (the March release has already been finalized).

[jakobbotsch]

This fix should be in the current .NET 8 release.