[wasm] Fix interpreter crash with MethodImpl .override on PortableEntryPoints#126124
[wasm] Fix interpreter crash with MethodImpl .override on PortableEntryPoints#126124radekdoulik wants to merge 10 commits intomainfrom
Conversation
radekdoulik
added
arch-wasm
There was a problem hiding this comment.
Pull request overview
Fixes a CoreCLR interpreter crash on WASM when a MethodImpl .override causes a virtual method’s vtable slot to be remapped to a different method’s PortableEntryPoint, which can prevent interpreter code from being established during prestub execution.
Changes:
- Adjusts
MethodDesc::ShouldCallPrestub()(PortableEntryPoints builds) to consult the method’s own PortableEntryPoint when the vtable slot has been remapped to a different method’s PE. - Enhances
PrepareInterpreterCode()to detect vtable-slot PE redirection to a differentMethodDesc(MethodImpl scenario), prepare interpreter code for the redirected method, and cache it on the original target method.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/coreclr/vm/method.cpp | Updates prestub decision logic to handle MethodImpl-induced vtable PE remapping correctly under PortableEntryPoints. |
| src/coreclr/vm/interpexec.cpp | Adds MethodImpl redirect detection when interpreter code isn’t established, preparing interpreter code via the redirected slot method instead. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
…ryPoints Resolve MethodImpl overrides in getCallInfo for direct calls when FEATURE_PORTABLE_ENTRYPOINTS is enabled. On non-WASM, this resolution happens in getFunctionEntryPoint via MapMethodDeclToMethodImpl, but that function is not available with portable entry points. Adding the resolution to getCallInfo ensures the interpreter compiler receives the correct target MethodDesc at compile time. This fixes a crash where a non-virtual call to a MethodImpl-overridden method (e.g. call instance MyBar::DoBar() with .override pointing to DoBarOverride) would target the wrong method, leading to uninitialized interpreter code. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
radekdoulik
force-pushed
the
wasm-fix-methodimpl-interpreter-crash
branch
from
05dd3a6 to
7dbe917
Compare
radekdoulik
changed the title
This comment has been minimized.
This comment has been minimized.
Fix crash when a .override directive replaces a virtual method's vtable slot on WASM (PortableEntryPoints). The .override directive causes the overriding method's entry point to be placed in the overridden method's vtable slot. This makes SetNativeCode CAS fail for the overridden method (the slot no longer belongs to it), so SetInterpreterCode is never reached and GetInterpreterCode returns NULL, leading to a crash. Two fixes: - jitinterface.cpp: Resolve the .override at compile time in getCallInfo so the interpreter compiler targets the overriding method directly for non-virtual calls. - interpexec.cpp: In PrepareInterpreterCode, when GetInterpreterCode returns NULL and the vtable slot points to a different method due to .override, follow the redirect to prepare and cache the overriding method's interpreter code. This handles runtime paths (delegates, reflection) where the target is not known at compile time. Add delegate test coverage to self_override5.il using Delegate.CreateDelegate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This comment has been minimized.
This comment has been minimized.
Drop the MapMethodDeclToMethodImpl resolution in getCallInfo (Option D) which ran on every direct call (32,405 times per Loader suite, 1 hit). Instead, fix ShouldCallPrestub to check the method's own PortableEntryPoint when a .override directive has remapped its vtable slot. This is cheaper (IsVtableSlot flag check) and fixes the root cause for all callers. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This comment has been minimized.
This comment has been minimized.
| InterpByteCodeStart* targetIp = targetMethod->GetInterpreterCode(); | ||
|
|
||
| #ifdef FEATURE_PORTABLE_ENTRYPOINTS | ||
| // Handle the case where .override replaces a virtual method's vtable slot. |
There was a problem hiding this comment.
It does not look right to try to compile the wrong method, and then retry with the right method.
Most places in the runtime deal with this situation by calling MapMethodDeclToMethodImpl. We should follow that plan for the interpreter. I think you earlier commit was closer to the right fix.
There was a problem hiding this comment.
I considered it before and it seemed costly for such corner case. We would make all direct calls slower, while we will reach this case very rarely. So it is very rare unnecessary compilation against more expensive way to avoid it on every direct call.
This is what I measured back then on Loader merged runner:
Profiling data from the full Loader test suite (387 tests, browser-wasm Debug) on PR #126124.
Summary
| Previous change | ShouldCallPrestub | |
|---|---|---|
| Hot-path calls | 32,405 | ~1,782 |
| Cost per call | method table walk | bit-flag check |
| Actual resolutions | 1 | 1 |
The current ShouldCallPrestub approach is dramatically cheaper — fewer calls, each much lighter weight, and fixes the root cause for all callers (reflection, delegates, class init), not just the compiler path.
Previous change — MapMethodDeclToMethodImpl in getCallInfo (jitinterface.cpp)
Resolves .override at compile time for every direct non-virtual call.
| Metric | Count |
|---|---|
directCall invocations |
32,405 |
Actual .override resolution (target changed) |
1 |
| Hit rate | 0.003% |
MapMethodDeclToMethodImpl is a real function call that walks method tables — called on every direct call.
Current solution — ShouldCallPrestub fix (method.cpp)
Adds an IsVtableSlot() check in ShouldCallPrestub to detect when a .override directive has remapped the vtable slot.
| Metric | Count |
|---|---|
Total ShouldCallPrestub calls |
~9,000 |
IsVtableSlot() = true (bit-flag check) |
~1,782 |
Actual .override redirect |
1 |
IsVtableSlot() is a simple bit-flag check; GetPortableEntryPointIfExists() is a flag + pointer read — both essentially free.
There was a problem hiding this comment.
It does not look right to try to compile the wrong method, and then retry with the right method.
Most places in the runtime deal with this situation by calling
MapMethodDeclToMethodImpl. We should follow that plan for the interpreter. I think you earlier commit was closer to the right fix.
I will look into whether we can detect it in the interpexec and avoid the unnecessary compilation.
There was a problem hiding this comment.
With the latest change we don't compile the unwanted body. The cost is still much better than resolving it in compiler. 1,730 calls vs 32,405 of MapMethodDeclToMethodImpl
| Metric | Count |
|---|---|
PrepareInterpreterCode total calls |
8,500 |
IsVtableSlot() = true → MapMethodDeclToMethodImpl called |
1,730 (20%) |
Actual .override resolution |
1 |
The IsVtableSlot() guard skips MapMethodDeclToMethodImpl for 80% of calls (6,770 out of 8,500).
|
|
||
| #ifdef FEATURE_PORTABLE_ENTRYPOINTS | ||
| methodEntryPoint = GetStableEntryPoint(); | ||
| // When the .override directive remaps this method's vtable slot, the entry point |
There was a problem hiding this comment.
Similar issue exists for some of the existing callers of ShouldCallPrestub on non-portable entrypoints targets.
For example, if you run the following on a regular x64 runtime, PrepareMethod won't actually compile the B method body.
using System;
using System.Runtime.CompilerServices;
class Program
{
public virtual void A() => Console.WriteLine("A");
// Add `.override Program::A` to .il
public virtual void B() => Console.WriteLine("B");
static void Main()
{
var h = typeof(Program).GetMethod("A").MethodHandle;
for (;;) RuntimeHelpers.PrepareMethod(h);
}
}
You may want to consider and fix these cases too when devising the fix.
There was a problem hiding this comment.
We should decide whether it is ok to call ShouldCallPrestub and DoPrestub with the decl method and then fix either ShouldCallPrestub/DoPrestub or its callers.
There was a problem hiding this comment.
You may want to consider and fix these cases too when devising the fix.
I have added test for that case and it is already handled with the current change.
There was a problem hiding this comment.
We should decide whether it is ok to call
ShouldCallPrestubandDoPrestubwith the decl method and then fix eitherShouldCallPrestub/DoPrestubor its callers.
Is the updated change fine or do you prefer to explore this path as well? I can continue with it tomorrow.
There was a problem hiding this comment.
I have added test for that case and it is already handled with the current change.
I do not think the test is testing what I tried to highlight. PrepareMethod(methodHandle) is expected to JIT the code that is going to be executed when you call that method. I do think it is happening currently.
Your test is only verifying that we will end up executing the correct method once you actually try to call it. It is not verifying that the method was JITed upfront.
It is a bit involved to write tests for PrepareMethod. You would have to listed to JITed method event via EventSource (that we do not have enabled on wasm yet). I am not asking that you write a test for the PrepareMethod as part of this PR.
Test RuntimeHelpers.PrepareMethod on a method whose vtable slot has been remapped by a .override directive (scenario from jkotas review comment). Verifies that PrepareMethod correctly prepares the overriding method's body, and that subsequent virtual, non-virtual, and direct calls all execute the override. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace the post-DoPrestub retry with an upfront MapMethodDeclToMethodImpl call, so we compile the correct (overriding) method body on the first attempt. Cache the result on the original MethodDesc so callers that check IsInterpreterCodeInitialized don't re-resolve. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Not testing anything interesting per review feedback. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Tests that .override on generic methods (B<T> overriding A<T>) works correctly for both reference types (string) and value types (int32), via virtual and non-virtual calls. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🤖 Copilot Code Review — PR #126124Note This review was generated by Copilot. Holistic AssessmentMotivation: The PR addresses a real interpreter crash on WASM (PortableEntryPoints) when a Approach: After extensive review iteration, the current approach takes Summary: Detailed Findings✅ Correctness —
|
Fix interpreter crash with
.overrideon PortableEntryPoints.On WASM, when a
.overridedirective remaps a virtual method's vtable slot, the overriding method's PortableEntryPoint occupies the slot. This causesSetNativeCodeInterlockedCAS to fail for the overridden method, soSetInterpreterCodeis never reached andGetInterpreterCodereturns NULL, leading to a crash.Changes:
ShouldCallPrestubto use the method's own PortableEntryPoint instead of the remapped vtable slot, which belongs to a different method and returns incorrect compilation state.PrepareInterpreterCode, whenGetInterpreterCodereturns NULL and the vtable slot points to a different method due to.override, follow the redirect to the overriding method's interpreter code.Delegate.CreateDelegate.