Skip to content

Comments

Don't hoist potentially invalid byrefs#124833

Draft
EgorBo wants to merge 3 commits intodotnet:mainfrom
EgorBo:fix-invalid-byrefs
Draft

Don't hoist potentially invalid byrefs#124833
EgorBo wants to merge 3 commits intodotnet:mainfrom
EgorBo:fix-invalid-byrefs

Conversation

@EgorBo
Copy link
Member

@EgorBo EgorBo commented Feb 24, 2026

Fixes #124807

Copilot AI review requested due to automatic review settings February 24, 2026 23:36
@github-actions github-actions bot added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label Feb 24, 2026
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Feb 24, 2026

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request fixes a critical GC crash issue where if-conversion was speculatively hoisting potentially invalid managed references (byrefs). The issue occurred when if-conversion transformed ternary operations involving null references (like Unsafe.NullRef<byte>()) into unconditionally evaluated code, leading to GC crashes.

Changes:

  • Added gtTreeMayHaveInvalidByrefs method to detect trees with potentially invalid byrefs
  • Integrated the check into if-conversion logic to skip conversion when invalid byrefs are detected
  • The fix prevents speculative hoisting of GC-typed nodes that could be invalid

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
src/coreclr/jit/ifconversion.cpp Added check to skip if-conversion when potentially invalid byrefs are detected in then or else branches
src/coreclr/jit/gentree.cpp Implemented gtTreeMayHaveInvalidByrefs method with tree visitor to detect potentially invalid GC-typed nodes
src/coreclr/jit/compiler.h Added declaration for the new static method gtTreeMayHaveInvalidByrefs

EgorBo and others added 2 commits February 25, 2026 03:58
@EgorBo
Update gentree.cpp
dd7799a
@EgorBo
Update src/coreclr/jit/ifconversion.cpp
81b10ba 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 25, 2026 02:58
@build-analysis build-analysis bot mentioned this pull request Feb 25, 2026
Open
3 tasks
Copilot AI reviewed Feb 25, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

src/coreclr/jit/ifconversion.cpp
Comment on lines +693 to +698
if (Compiler::gtTreeMayHaveInvalidByrefs(m_compiler, m_thenOperation.node) ||
(m_doElseConversion && Compiler::gtTreeMayHaveInvalidByrefs(m_compiler, m_elseOperation.node)))
{
JITDUMP("Skipping if-conversion that may have invalid byrefs in the then or else block\n");
return false;
}
Copy link

Copilot AI Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The invalid-byref guard only inspects the original then/else statement trees. In the no-else case, if-conversion synthesizes a new GT_LCL_VAR read of the destination local (see later selectTrueInput = gtNewLclVarNode(...)), which can introduce an unconditionally-evaluated byref that wasn’t present before. Consider bailing out when !m_doElseConversion and the destination local is TYP_BYREF, or run the invalid-byref check on the final select inputs (including the synthesized one) before proceeding.

Copilot uses AI. Check for mistakes.
@build-analysis build-analysis bot mentioned this pull request Feb 25, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@EgorBo EgorBo

Labels

area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ifConversion can hoist invalid managed references.

1 participant

@EgorBo