[release/10.0] JIT: fix bug in loop cloning with down-counting loops#126885
Merged
JulieLeeMSFT merged 1 commit intorelease/10.0from Apr 15, 2026
Merged
[release/10.0] JIT: fix bug in loop cloning with down-counting loops#126885JulieLeeMSFT merged 1 commit intorelease/10.0from
JulieLeeMSFT merged 1 commit intorelease/10.0from
Conversation
We were not creating proper cloning conditions, so the fast path might execute in cases where it shouldn't. We need to always verify for down counting that the initial value is strictly less than the array length(s).
github-actions
bot
added
the
area-CodeGen-coreclr
Contributor
|
Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch |
This was referenced Apr 14, 2026
Member
|
@EgorBo PTAL |
EgorBo
approved these changes
Apr 15, 2026
Member
|
@AndyAyersMS, please check the build failure. |
Member
It is a timeout. |
Member
|
/ba-g build timed out |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport of #126770 to release/10.0
/cc @AndyAyersMS
Customer Impact
JIT optimizations can cause certain down-counting loops to bypass a bounds check. Code that normally would throw index out of bounds exceptions on an array store might instead corrupt the heap.
In particular the loop must have unknown upper bound and have a shape like:
and then be invoked in a context where
Nis exactlya.Length. The loop exiting predicate must be>and not>=.In such cases the code will write to
a[N]which is beyond the extent ofa.Customer impact is likely low. Correct behavior here is to throw an exception.
Regression
Introduced in .NET 7 with #67930.
Testing
Verified fix on repro case. SPMI had 132 method contexts with diffs from the fix change. Inspected a few and most either had redundant guards beforehand or else were only reading from the arrays.
Risk
Low, changes the code that decides at runtime if execution can use a "cloned" loop that omits bounds checks; now we are correctly cautious about running the fully checked loop.