AOT compilation runs into speculative input use by CalculateElementAddressInstr

[mkustermann]

Fuzzer reproduction

% dart runtime/tools/dartfuzz/dartfuzz.dart --no-fp --no-ffi --flat --seed 3968342993 fuzz.dart
% tools/build.py -mrelease -ax64c runtime dart_precompiled_runtime
% DART_CONFIGURATION='ReleaseX64C' DART_VM_FLAGS='--enable-asserts' pkg/vm/tool/precompiler2 fuzz.dart snapshot
./../runtime/vm/compiler/backend/il.h: 1262: error: unreachable code
version=3.5.0-edge (main) (Unknown timestamp) on "linux_x64"
pid=78754, thread=78754, isolate_group=isolate(0x556761f3e510), isolate=(nil)((nil))
os=linux, arch=x64, comp=yes, sim=no
isolate_instructions=0, vm_instructions=0
fp=7ffdb5cf5710, sp=7ffdb5cf55e0, pc=556760eb239c
  pc 0x0000556760eb239c fp 0x00007ffdb5cf5710 dart::Profiler::DumpStackTrace+0x7c
  pc 0x0000556760d6fdc4 fp 0x00007ffdb5cf57f0 dart::Assert::Fail+0x84
  pc 0x0000556761036f7c fp 0x00007ffdb5cf5810 dart::Instruction::DeoptimizationTarget+0x2c
  pc 0x000055676100e6c8 fp 0x00007ffdb5cf5890 dart::FlowGraph::InsertConversion+0x1e8
  pc 0x000055676100f5bf fp 0x00007ffdb5cf58c0 dart::FlowGraph::InsertConversionsFor+0x8f
  pc 0x000055676100fcac fp 0x00007ffdb5cf5960 dart::FlowGraph::SelectRepresentations+0x6ac
  pc 0x00005567610b9af0 fp 0x00007ffdb5cf5970 dart::CompilerPass_SelectRepresentations::DoBody+0x10
  pc 0x00005567610b926f fp 0x00007ffdb5cf5a30 dart::CompilerPass::Run+0x11f
  pc 0x00005567610b96cf fp 0x00007ffdb5cf5a50 dart::CompilerPass::RunPipeline+0x16f
  pc 0x0000556760fd4cfc fp 0x00007ffdb5cf6190 dart::PrecompileParsedFunctionHelper::Compile+0x5ec
  pc 0x0000556760fd5579 fp 0x00007ffdb5cf6840 dart::PrecompileFunctionHelper+0x2e9
  pc 0x0000556760fd14b7 fp 0x00007ffdb5cf6950 dart::Precompiler::CompileFunction+0x177
  pc 0x0000556760fd0254 fp 0x00007ffdb5cf69e0 dart::Precompiler::ProcessFunction+0xe4
  pc 0x0000556760fcb9fb fp 0x00007ffdb5cf6a40 dart::Precompiler::Iterate+0x9b
  pc 0x0000556760fc8857 fp 0x00007ffdb5cf71d0 dart::Precompiler::DoCompileAll+0x1507
  pc 0x0000556760fc72e8 fp 0x00007ffdb5cf7660 dart::Precompiler::CompileAll+0xb8
  pc 0x00005567611413af fp 0x00007ffdb5cf7850 Dart_Precompile+0x28f
  pc 0x0000556760d69b09 fp 0x00007ffdb5cf79c0 dart::bin::main+0x869
-- End of DumpStackTrace
=== Crash occurred when compiling file:///.../fuzz.dart_::_fooE3|foo3_Extension1 in AOT mode in SelectRepresentations pass
*** BEGIN CFG
SelectRepresentations
==== file:///.../fuzz.dart_::_fooE3|foo3_Extension1 (RegularFunction)
B0[graph]:0 {
      v0 <- Constant(#null) T{Null?}
      v1 <- Constant(#<optimized out>) T{Sentinel~}
      v2 <- Constant(#0) [0, 0] T{_Smi}
      v15 <- Constant(#1) T{_Smi}
      v20 <- Constant(#true) T{bool}
      v74 <- Constant(#_ImmutableList len:5) T{_ImmutableList}
      v83 <- Constant(#Cannot add to a fixed-length list) T{_OneByteString}
      v197 <- Constant(#skipCount) T{_OneByteString}
      v276 <- Constant(#1048576) T{_Smi}
      v277 <- Constant(#3) T{_Smi}
}
B3[function entry]:2
    CheckStackOverflow:8(stack=0, loop=0)
    CheckStackOverflow:58(stack=0, loop=1)
    v39 <- LoadStaticField:4(var22, CallsInitializer) T{_Uint64List}
    v42 <- LoadStaticField:4(var106, CallsInitializer) T{_Map}
    v45 <- LoadStaticField:4(var92, CallsInitializer) T{Expando}
    v48 <- LoadStaticField:4(var6, CallsInitializer) T{_Int8List}
    v24 <- LoadField(v48 . TypedDataBase.length {final}) T{_Smi}
    v296 <- UnboxInt64([non-speculative], v2) int64
    v302 <- UnboxInt64([non-speculative], v24) int64
    v25 <- GenericCheckBound:26(v302 T{_Smi}, v296 T{_Smi}) int64
    v303 <- BoxInt64(v25)
    v26 <- LoadIndexed:26([_Int8List] v48, v303 T{_Smi}) int64
    v304 <- BoxInt64(v26)
    v9 <- StaticCall:28( []<0> v45 T{Expando}, v304 T{_Smi}, using unchecked entrypoint, result_type = T{bool?}) T{bool?}
    v27 <- CheckNull:30(v9, CastError) T{bool}
    v55 <- StaticCall:12( _getValueOrData@3220832<0> v42 T{_Map}, v27 T{bool}, using unchecked entrypoint) T{Object??}
    v95 <- LoadField(v42 T{_Map} . LinkedHashBase.data) T{_List}
    Branch if StrictCompare:16(===, v95 T{_List}, v55) goto (16, 17)
B16[target]:20
    goto:26 B18
B17[target]:22
    goto:28 B18
B18[join]:24 pred(B16, B17) {
      v57 <- phi(v0 T{Null?}, v55) alive T{Object??}
}
    v28 <- CheckNull:34(v57 T{int??}, CastError) T{int?}
    v60 <- LoadStaticField:4(var63, CallsInitializer) T{int??}
    v100 <- LoadField(v39 T{_Uint64List} . TypedDataBase.length {final}) T{_Smi}
    v70 <- StaticCall:32( checkValidRange<0> v28 T{int}, v60 T{int??}, v100 T{_Smi}, result_type = T{int}) int64
    v71 <- BinaryInt64Op(- [tr], v70, v28 T{int}) int64
    v139 <- AllocateTypedData:10(v71 T{int}) T{_Uint64List}
    v125 <- Redefinition(v39 T{_Uint64List} ^ T{Iterable<int>}) T{_Uint64List}
    v126 <- Redefinition(v39 T{_Uint64List}) T{_Uint64List}
    v299 <- UnboxInt64([non-speculative], v2 T{_Smi}) int64
    v154 <- RelationalOp(>, v299 T{_Smi}, v71 T{int}) T{bool}
    Branch if StrictCompare:24(===, v154, v20 T{bool}) goto (58, 55)
B58[target]:48
    goto:50 B56
B55[target]:40
    Branch if RelationalOp(>, v71 T{int}, v71 T{_Smi}) T{bool} goto (59, 60)
B59[target]:52
    goto:54 B56
B56[join]:42 pred(B58, B59)
    v300 <- UnboxInt64([non-speculative], v2 T{_Smi}) int64
    StaticCall:58( checkValidRange<0> v300 T{_Smi}, v71 T{int}, v71 T{_Smi}) int64
    goto:64 B61
B60[target]:60
    goto:66 B61
B61[join]:62 pred(B56, B60)
    v298 <- UnboxInt64([non-speculative], v2 T{_Smi}) int64
    v157 <- RelationalOp(<, v28 T{int}, v298 T{_Smi}) T{bool}
    Branch if StrictCompare:72(===, v157, v20 T{bool}) goto (62, 65)
B62[target]:76
    v171 <- AllocateObject:78(cls=RangeError) T{RangeError}
    StaticCall:80( RangeError.range<0> v171, v28 T{int}, v2 T{_Smi}, v0 T{Null?}, v197 T{_OneByteString})
    Throw:82(v171)
B65[target]:84
    v219 <- LoadField(v126 T{_Uint64List} . TypedDataBase.length {final}) T{_Smi}
    v166 <- BinaryInt64Op(- [tr], v219 T{_Smi}, v28 T{int}) int64
    Branch if RelationalOp(<, v166, v71 T{int}) T{bool} goto (66, 67)
B66[target]:126
    v170 <- StaticCall:128( tooFew<0> ) T{StateError}
    Throw:130(v170)
B67[target]:132
    v297 <- UnboxInt64([non-speculative], v2 T{_Smi}) int64
    v168 <- EqualityCompare(v71 T{int} == v297 T{_Smi}) T{bool}
    Branch if StrictCompare:138(===, v168, v20 T{bool}) goto (68, 69)
B68[target]:142
    goto:146 B27
B69[target]:148
    v254 <- RelationalOp:12(<, v71 T{int}, v276 T{_Smi}) T{bool}
    Branch if StrictCompare:12(===, v254, v20 T{bool}) goto (92, 93)
B92[target]:18
    MemoryCopy(v126 T{_Uint64List}, v139 T{_Uint64List}, v28 T{int}, v2 T{_Smi}, v71 T{int}, dest_cid=_Int64List (139), src_cid=_Int64List (139), element_size=8, can_overlap)
    goto:12 B91
B93[target]:20
    v271 <- SpeculativeShiftInt64Op:24(<< [tr], v71 T{int}, v277) int64
    v261 <- LoadField(v139 T{_Uint64List} . PointerBase.data, MayLoadInnerPointer) untagged
    v264 <- LoadField(v126 T{_Uint64List} . PointerBase.data, MayLoadInnerPointer) untagged
    v265 <- UnboxedConstant(#0) int64
    v266 <- CalculateElementAddress(v264, v28 T{int}, v265, index_scale=8) untagged
    v267 <- LoadThread() untagged
    v268 <- LoadUntagged(v267, 1528) untagged
    LeafRuntimeCall(target_address=v268, v261 T{Object}, v266, v271 T{int}) untagged
    goto:12 B91
B91[join]:10 pred(B92, B93)
    goto:154 B27
B27[join]:33 pred(B68, B91)
    v14 <- LoadStaticField(var62) T{int}
    v301 <- UnboxInt64([non-speculative], v15) int64
    v16 <- BinaryInt64Op(- [tr], v14, v301 T{_Smi}) int64
    StoreStaticField(var62, v16)
    v81 <- AllocateObject:14(cls=UnsupportedError) T{UnsupportedError}
    StoreField(v81 T{UnsupportedError} . message = v83 T{_OneByteString})
    Throw:18(v81)
*** END CFG

This seems to happen in compressed pointer mode when processing a CheckNullInstr in the select representation class that has a use by CalculateElementAddressInstr which then triggers a kTagged -> kUnboxedInt64 conversion which fails due to CalculateElementAddressInstr::SpeculativeModeOfInput answering kGuardInputs - but we don't support deopt in aot.

/cc @sstrickl @alexmarkov

[alexmarkov]

Duplicate to #55595.