JIT: fix bug in loop cloning with down-counting loops#126770
Merged
AndyAyersMS merged 1 commit intodotnet:mainfrom Apr 14, 2026
Merged
JIT: fix bug in loop cloning with down-counting loops#126770AndyAyersMS merged 1 commit intodotnet:mainfrom
AndyAyersMS merged 1 commit intodotnet:mainfrom
Conversation
We were not creating proper cloning conditions, so the fast path might execute in cases where it shouldn't. We need to always verify for down counting that the initial value is strictly less than the array length(s).
github-actions
Bot
added
the
area-CodeGen-coreclr
Member
Author
|
@jakobbotsch PTAL |
Contributor
|
Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch |
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes an issue in CoreCLR JIT loop cloning where down-counting loops could generate overly-permissive fast-path conditions, allowing bounds-check removal when the initial index equals the array/span length.
Changes:
- Tighten loop cloning limit condition derivation for down-counting loops to require the initial iterator value be strictly less than the relevant length.
- Add new JIT regression tests covering down-counting loops that start at
Lengthfor both arrays and spans. - Add a dedicated test project for the new regression test.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/coreclr/jit/loopcloning.cpp | Adjusts derived cloning condition operator so down-counting loops require init < length rather than allowing init == length. |
| src/tests/JIT/opt/Cloning/DownCounted.cs | Adds regression coverage for array and span down-counting loops that should throw on a[Length] unless cloning conditions are correct. |
| src/tests/JIT/opt/Cloning/DownCounted.csproj | Adds a minimal test project definition consistent with other tests in the directory. |
Comments suppressed due to low confidence (1)
src/tests/JIT/opt/Cloning/DownCounted.cs:73
- There are extra blank lines (including whitespace-only lines) at the end of the file. Please trim trailing whitespace / remove the extra blank lines to keep diffs clean and comply with typical repo formatting rules.
}
EgorBo
approved these changes
Apr 10, 2026
This was referenced Apr 11, 2026
Open
Member
Author
|
The SPMI report is empty because we're just changing a branch condition, so the binary sizes are the same. |
jakobbotsch
approved these changes
Apr 14, 2026
Member
Author
|
/backport to release/10.0 |
Contributor
|
Started backporting to |
4 tasks
Member
Author
|
/backport to release/9.0 |
Contributor
|
Started backporting to |
4 tasks
Member
Author
|
/backport to release/9.0-staging |
Contributor
|
Started backporting to |
Member
Author
|
/backport to release/8.0-staging |
Contributor
|
Started backporting to |
This was referenced Apr 14, 2026
JulieLeeMSFT
pushed a commit
that referenced
this pull request
Apr 15, 2026
… loops (#126914) Backport of #126770 to release/8.0-staging /cc @AndyAyersMS ## Customer Impact - [x] Customer reported - [ ] Found internally JIT optimizations can cause certain down-counting loops to bypass a bounds check. Code that normally would throw index out of bounds exceptions on an array store might instead corrupt the heap. In particular the loop must have unknown upper bound and have a shape like: ```c# for (int i = N; i > 0; i--) { a[i] = ...; } ``` and then be invoked in a context where `N` is exactly `a.Length`. The loop exiting predicate must be `>` and not `>=`. In such cases the code will write to `a[N]` which is beyond the extent of `a`. Customer impact is likely low. Correct behavior here is to throw an exception. ## Regression - [x] Yes - [ ] No Introduced in .NET 7 with #67930. ## Testing Verified fix on repro case. SPMI had 132 method contexts with diffs from the fix change. Inspected a few and most either had redundant guards beforehand or else were only reading from the arrays. ## Risk Low, changes the code that decides at runtime if execution can use a "cloned" loop that omits bounds checks; now we are correctly cautious about running the fully checked loop.. Co-authored-by: Andy Ayers <andya@microsoft.com>
JulieLeeMSFT
pushed a commit
that referenced
this pull request
Apr 15, 2026
… loops (#126913) Backport of #126770 to release/9.0-staging /cc @AndyAyersMS ## Customer Impact - [x] Customer reported - [ ] Found internally JIT optimizations can cause certain down-counting loops to bypass a bounds check. Code that normally would throw index out of bounds exceptions on an array store might instead corrupt the heap. In particular the loop must have unknown upper bound and have a shape like: ```c# for (int i = N; i > 0; i--) { a[i] = ...; } ``` and then be invoked in a context where `N` is exactly `a.Length`. The loop exiting predicate must be `>` and not `>=`. In such cases the code will write to `a[N]` which is beyond the extent of `a`. Customer impact is likely low. Correct behavior here is to throw an exception. ## Regression - [x] Yes - [ ] No Introduced in .NET 7 with #67930. ## Testing Verified fix on repro case. SPMI had 132 method contexts with diffs from the fix change. Inspected a few and most either had redundant guards beforehand or else were only reading from the arrays. ## Risk Low, changes the code that decides at runtime if execution can use a "cloned" loop that omits bounds checks; now we are correctly cautious about running the fully checked loop. Co-authored-by: Andy Ayers <andya@microsoft.com>
JulieLeeMSFT
pushed a commit
that referenced
this pull request
Apr 15, 2026
…126885) Backport of #126770 to release/10.0 /cc @AndyAyersMS ## Customer Impact - [x] Customer reported - [ ] Found internally JIT optimizations can cause certain down-counting loops to bypass a bounds check. Code that normally would throw index out of bounds exceptions on an array store might instead corrupt the heap. In particular the loop must have unknown upper bound and have a shape like: ```c# for (int i = N; i > 0; i--) { a[i] = ...; } ``` and then be invoked in a context where `N` is exactly `a.Length`. The loop exiting predicate must be `>` and not `>=`. In such cases the code will write to `a[N]` which is beyond the extent of `a`. Customer impact is likely low. Correct behavior here is to throw an exception. ## Regression - [x] Yes - [ ] No Introduced in .NET 7 with #67930. ## Testing Verified fix on repro case. SPMI had 132 method contexts with diffs from the fix change. Inspected a few and most either had redundant guards beforehand or else were only reading from the arrays. ## Risk Low, changes the code that decides at runtime if execution can use a "cloned" loop that omits bounds checks; now we are correctly cautious about running the fully checked loop. Co-authored-by: Andy Ayers <andya@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
We were not creating proper cloning conditions, so the fast path might execute in cases where it shouldn't.
We need to always verify for down counting that the initial value is strictly less than the array length(s).