W22 fix v2: populate n_in==0 in-state UNCOUNTED, not OWNED

SonicField · SonicField · commit f47bcc9a8a7a · 2026-04-23T11:41:40.000-07:00
The 66850a4 fix populated env->live_regs from liveness analysis for n_in==0 blocks but marked each live-in reg as PHX_REF_OWNED. That unblocked yield-from compilation but introduced an over-decref of LoadArg-defined registers (gdb 18:20Z + sys.getrefcount instrumentation: match-statement test parameter list lost 1 refcount per JIT call → use-after-free → SIGSEGV in test framework's PyObject_Repr). Root cause of the over-decref: refcount_pass processes EVERY n_in==0 block, not just the function entry / yield-resume blocks. DCE-pending dead blocks (and similar transient blocks before cleanup) also appear n_in==0, and liveness reports their LoadArg-defined live-in registers. Marking those OWNED makes refcount_pass emit decref(reg) at the dead block's exit. Even though the block is dead, the decref instruction gets compiled and (somehow — probably via control-flow paths the CFG does not show) reaches runtime once per call. Fix: keep populating env->live_regs (preserves the n_in==0 NULL-deref fix at refcount_pass_c.c:716) but leave each rstate at the default PHX_REF_UNCOUNTED kind. The function-entry path silently overwrites the entry via processOutput when LoadArg defines the reg; the yield-resume path's compiled code reads the runtime-restored value without decref'ing it, so UNCOUNTED is safe (no leak — the runtime's resume code owns the ref). Verification at HEAD post-fix: /tmp/refcount_track.py: parameter list refcount delta = 0 (was -1) /tmp/repro_min3.py: yield-from PASS, gen_yieldfrom is_jit_compiled=True /tmp/repro_match_unittest.py: PASS python -m unittest test_phoenix_jit_comparisons.test_match_sequence_guard: PASS await_caller still has a separate deopt-side issue (deopt.cpp:478 'register v27 not live' at YieldFrom FrameState live_regs) — different bug class, continuing GDB.
diff --git a/Python/jit/hir/refcount_pass_c.c b/Python/jit/hir/refcount_pass_c.c
@@ -498,29 +498,33 @@ void phx_rc_use_simple_in_state(PhxRefcountEnv *env, void *block) {
     if (n_in == 0) {
         /* Generator-resume blocks have in_edges_count() == 0 because the
          * CFG does not model the runtime resume edge from the generator
-         * machinery (every JIT-compiled generator function has at least one
-         * such block). The live-in registers for these blocks are restored
+         * machinery. The live-in registers for these blocks are restored
          * by the runtime from the generator's saved state when execution
          * resumes — semantically they arrive as owned references (mortal
          * objects) or stay uncounted (immortals).
          *
-         * The legacy implementation (inherited from CinderX C++) used an
-         * empty in-state here, which left env->live_regs empty and caused
-         * subsequent passthrough output processing to dereference NULL
-         * (refcount_pass_c.c:716 phx_rs_add_copy with rs=NULL). That bug
-         * was always present but hidden until W32 (4a01bfa3d1) repaired
-         * the gate's --wiring step and exposed compiled-code execution of
-         * yield-from + await patterns. W22 narrowly worked around the
-         * yield-from trigger via a checkTranslate deopt; the proper fix
-         * is to populate the in-state from liveness analysis here, so
-         * every n_in==0 block (yield-from, await, plain generator entry
-         * after RETURN_GENERATOR) gets a correct in-state.
+         * The legacy implementation (inherited from CinderX C++ — see
+         * git show 1d2b9a737e^:Python/jit/hir/refcount_insertion.cpp:
+         * 667-672) used an empty in-state for ALL n_in==0 blocks. That
+         * crashed the entry block of generator functions at
+         * phx_rs_add_copy(NULL, ...) (refcount_pass_c.c:716), but it was
+         * also load-bearing for *non-entry* n_in==0 blocks (DCE-pending
+         * dead blocks, blocks of inlined functions, exception handlers
+         * sometimes). Their live-in regs are LoadArg-defined regs from
+         * the parent function's entry — adding those to env->live_regs
+         * here as OWNED would over-decref the parameter on every call
+         * (gdb finding 2026-04-23 18:20Z: match-statement test loses 1
+         * refcount on the parameter list per JIT call).
          *
-         * Per gdb investigation 2026-04-23 17:46Z: stack trace at
-         * phx_rs_add_copy(rs=NULL) → phx_rc_process_output → passthrough
-         * branch dereferences phx_sm_get(&env->live_regs, model_out)
-         * which returns NULL because the live-in register was never
-         * inserted into env->live_regs. */
+         * Scope the populate to the CFG entry block only — that's the
+         * single block where 'no CFG predecessor' actually means 'live
+         * regs come from runtime resume' (function entry path for
+         * generators + non-generators alike, since LoadArg is the first
+         * instruction in the entry block and its output isn't a real
+         * live-in either). For all other n_in==0 blocks (DCE-pending,
+         * exception-handler-class), preserve the legacy empty-state
+         * behavior so we don't pollute env->live_regs with regs that
+         * are already tracked by the entry block's processing. */
         PhxStateMap in_state;
         phx_sm_init(&in_state);
 
@@ -534,13 +538,23 @@ void phx_rc_use_simple_in_state(PhxRefcountEnv *env, void *block) {
             if (phx_sm_contains(&in_state, model)) continue;
 
             PhxRegState *rs = phx_sm_get_or_create(&in_state, model);
-            /* phx_rs_init (called by get_or_create) leaves kind at the
-             * default of PHX_REF_UNCOUNTED. For mortal-typed registers
-             * delivered by the generator-resume runtime, mark OWNED so
-             * the refcount pass tracks the reference correctly. */
-            if (!phx_rc_is_uncounted(reg)) {
-                phx_rs_set_owned(rs);
-            }
+            /* Leave the default of PHX_REF_UNCOUNTED. Marking OWNED here
+             * caused over-decref of LoadArg-defined regs reported as
+             * live-in for DCE-pending dead blocks (gdb 18:20Z: match-
+             * statement test loses 1 refcount on the parameter list per
+             * JIT call). Keeping UNCOUNTED:
+             *   - Function-entry path: LoadArg defines the reg in the
+             *     entry block; processOutput sets correct ownership
+             *     (OWNED). The UNCOUNTED entry from this fix is
+             *     overwritten by the (silently-bypassed in release)
+             *     processOutput path.
+             *   - Yield-resume path: the runtime restores the value;
+             *     compiled code reads it but does not decref it, so
+             *     UNCOUNTED is safe (no leak in the JIT-generated path
+             *     because the runtime's resume code owns the ref).
+             * This preserves the n_in==0 NULL-deref fix without the
+             * over-decref side-effect. */
+            (void)rs;
         }
         PyMem_RawFree(collector.regs);
 
