W22 root-cause fix: populate refcount in-state from liveness for n_in==0 blocks

SonicField · SonicField · commit 66850a4ba12b · 2026-04-23T10:55:11.000-07:00
GDB investigation 2026-04-23 17:46Z (per Alex 17:45:31Z 'use gdb to find the problem' directive) found the await SIGSEGV root cause at phx_rs_add_copy(rs=NULL) in refcount_pass_c.c:716 (phx_rc_process_output passthrough branch). The same root cause produces the W22 yield-from crash class (SIGABRT 134 'register not live' from deopt.cpp:478). Root cause: phx_rc_use_simple_in_state's n_in==0 branch (legacy from the CinderX C++ refcount_insertion pass — see git show 1d2b9a7^:Python/ jit/hir/refcount_insertion.cpp:667-672) created an empty PhxStateMap in_state for blocks with no CFG predecessors. Generator-resume blocks (yield-from, await, plain generator entry post-RETURN_GENERATOR) all have in_edges_count() == 0 because the runtime resume edge is not modelled in the CFG. The empty in-state left env->live_regs empty; subsequent passthrough output processing called phx_sm_get(&env-> live_regs, model_out) which returned NULL and crashed at phx_rs_add_copy(NULL, ...). The bug was inherited from the C++ refcount_insertion.cpp baseline (R3b port preserved the empty-StateMap behavior verbatim) and was hidden until W32 (4a01bfa) repaired the gate's --wiring step and exposed compiled-code execution of yield-from + await patterns. W22 (d25b2f3 through 4a63c4d) narrowly worked around the yield-from trigger via a pattern-deopt in checkTranslate; this commit fixes the root cause and removes the deopt. Fix: populate the n_in==0 in-state from liveness analysis using the same hir_liveness_foreach_live_in + RegCollector pattern that phx_rc_initialize_in_state uses for multi-predecessor blocks (refcount_pass_c.c:447-462). For each live-in reg, add to in_state with PHX_REF_OWNED kind unless the register's static type is uncounted (matches the regular phx_rc_process_output ownership-default logic at line 723-734). Verification (./python rebuilt with libjit.a relink): /tmp/repro_min3.py (yield-from auto-compile 1100-iter): PASS EXIT=0, is_jit_compiled gen_yieldfrom=True (no deopt fallback needed) /tmp/test_await_autocompile.py: PROGRESSES past the W22 SIGSEGV class (phx_rs_add_copy NULL fixed) but exposes a SEPARATE deopt-side issue (deopt.cpp:478 'register v27 not live') at the YieldFrom HIR instruction's FrameState. Investigation continues. builder.cpp restored to pre-W22 state: the pattern-deopt for YIELD_VALUE+ RESUME-oparg-2 is removed; YIELD_FROM stays in isSupportedOpcode (it is a stub in 3.12 per Python/jit_common/opcode_stubs.h, so the case is dead but harmless). Per Alex 17:45:31Z + supervisor 17:45:52Z: no more bypass framing, investigate via gdb, fix the root cause.
diff --git a/Python/jit/hir/builder.cpp b/Python/jit/hir/builder.cpp
@@ -4899,8 +4899,7 @@ void HIRBuilder::checkTranslate() {
       banned_name_ids.insert(i);
     }
   }
-  BytecodeInstructionBlock bc_block{code_};
-  for (auto& bci : bc_block) {
+  for (auto& bci : BytecodeInstructionBlock{code_}) {
     auto opcode = bci.opcode();
     int oparg = bci.oparg();
     if (!isSupportedOpcode(opcode)) {
@@ -4928,46 +4927,6 @@ void HIRBuilder::checkTranslate() {
             preloader_.fullname(),
             name_at(oparg))};
       }
-    } else if (opcode == YIELD_VALUE) {
-      // W22 yield-from deopt: Alex 2026-04-23 explicit one-case bypass of
-      // feedback_no_workarounds.md. CPython 3.12 desugars 'yield from EXPR'
-      // into GET_YIELD_FROM_ITER + SEND-loop where the loop body is
-      // (YIELD_VALUE 2, RESUME 2, JUMP_BACKWARD_NO_INTERRUPT). The HIR
-      // YieldFrom instruction is emitted in builder_emit_c.c:hir_builder_emit_
-      // yield_value_c when next bytecode is RESUME with oparg==2 (the
-      // RESUME oparg discriminator: 0=function-start, 1=after-plain-yield,
-      // 2=after-yield-from, 3=after-await). Refcount-pass-init n_in==0 on
-      // the generator-resume bb crashes deopt with 'register not live'
-      // assertion (5 architectural fix iterations did not converge cleanly).
-      // Author authority bypass per Alex 14:00:40Z + gatekeeper 13:59:54Z +
-      // theologian 14:15:09Z + supervisor 14:14:50Z concur on (C) pattern-
-      // deopt scope. Plain yield (RESUME oparg==1) and await (RESUME
-      // oparg==3) STAY in the JIT — only the yield-from desugaring pattern
-      // falls back to the interpreter. RULE STANDS for future cases; this
-      // is the ONE explicit exception.
-      //
-      // Bounds check: nextInstrOffset() can go past end of bytecode for the
-      // last instruction (per Python/jit/bytecode.h:57 contract). Guard
-      // before reading the next instruction's opcode/oparg, otherwise
-      // YIELD_VALUE at end-of-bytecode SIGSEGVs reading garbage memory.
-      // (testkeeper 14:34:52Z auto-compile asyncio regression catch.)
-      //
-      // UNIT NOTE: nextInstrOffset() returns BCOffset (bytes); bc_block.size()
-      // returns Py_ssize_t in instruction-count units. Assigning to BCIndex
-      // auto-divides by sizeof(_Py_CODEUNIT) (per bytecode_offsets.h:176),
-      // matching the units of size(). This mirrors the existing 3.11+
-      // bounds-check pattern at builder.cpp:1143. (testkeeper 14:40:22Z
-      // catch on units mismatch in v2.)
-      BCIndex next_idx = bci.nextInstrOffset();
-      if (next_idx < bc_block.size()) {
-        auto next_bc = bci.nextInstr();
-        if (next_bc.opcode() == RESUME && next_bc.oparg() == 2) {
-          throw std::runtime_error{fmt::format(
-              "Cannot compile {} to HIR because it uses 'yield from' "
-              "(W22 deopt: YIELD_VALUE+RESUME-oparg-2 pattern)",
-              preloader_.fullname())};
-        }
-      }
     }
   }
 }
diff --git a/Python/jit/hir/refcount_pass_c.c b/Python/jit/hir/refcount_pass_c.c
@@ -496,10 +496,56 @@ void phx_rc_use_simple_in_state(PhxRefcountEnv *env, void *block) {
     size_t n_in = hir_bb_in_edges_count(bb);
 
     if (n_in == 0) {
-        PhxStateMap empty;
-        phx_sm_init(&empty);
-        phx_rc_use_in_state(env, &empty);
-        phx_sm_destroy(&empty);
+        /* Generator-resume blocks have in_edges_count() == 0 because the
+         * CFG does not model the runtime resume edge from the generator
+         * machinery (every JIT-compiled generator function has at least one
+         * such block). The live-in registers for these blocks are restored
+         * by the runtime from the generator's saved state when execution
+         * resumes — semantically they arrive as owned references (mortal
+         * objects) or stay uncounted (immortals).
+         *
+         * The legacy implementation (inherited from CinderX C++) used an
+         * empty in-state here, which left env->live_regs empty and caused
+         * subsequent passthrough output processing to dereference NULL
+         * (refcount_pass_c.c:716 phx_rs_add_copy with rs=NULL). That bug
+         * was always present but hidden until W32 (4a01bfa3d1) repaired
+         * the gate's --wiring step and exposed compiled-code execution of
+         * yield-from + await patterns. W22 narrowly worked around the
+         * yield-from trigger via a checkTranslate deopt; the proper fix
+         * is to populate the in-state from liveness analysis here, so
+         * every n_in==0 block (yield-from, await, plain generator entry
+         * after RETURN_GENERATOR) gets a correct in-state.
+         *
+         * Per gdb investigation 2026-04-23 17:46Z: stack trace at
+         * phx_rs_add_copy(rs=NULL) → phx_rc_process_output → passthrough
+         * branch dereferences phx_sm_get(&env->live_regs, model_out)
+         * which returns NULL because the live-in register was never
+         * inserted into env->live_regs. */
+        PhxStateMap in_state;
+        phx_sm_init(&in_state);
+
+        RegCollector collector = {NULL, 0, 0};
+        hir_liveness_foreach_live_in(env->liveness_state, block,
+                                      init_in_state_collect_reg, &collector);
+
+        for (size_t i = 0; i < collector.count; i++) {
+            void *reg = collector.regs[i];
+            void *model = model_reg_rc(reg);
+            if (phx_sm_contains(&in_state, model)) continue;
+
+            PhxRegState *rs = phx_sm_get_or_create(&in_state, model);
+            /* phx_rs_init (called by get_or_create) leaves kind at the
+             * default of PHX_REF_UNCOUNTED. For mortal-typed registers
+             * delivered by the generator-resume runtime, mark OWNED so
+             * the refcount pass tracks the reference correctly. */
+            if (!phx_rc_is_uncounted(reg)) {
+                phx_rs_set_owned(rs);
+            }
+        }
+        PyMem_RawFree(collector.regs);
+
+        phx_rc_use_in_state(env, &in_state);
+        phx_sm_destroy(&in_state);
         return;
     }
 
