Skip to content

JIT: SpanHelpers.Fill may escape its last argument #122902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AndyAyersMS merged 1 commit into from
Jan 6, 2026
Merged

JIT: SpanHelpers.Fill may escape its last argument #122902

AndyAyersMS merged 1 commit into from
Jan 6, 2026

Conversation

@AndyAyersMS
Copy link
Member

@AndyAyersMS AndyAyersMS commented Jan 5, 2026

Fixes #122879.

Copilot AI review requested due to automatic review settings January 5, 2026 22:35
@github-actions github-actions bot added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label Jan 5, 2026
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 5, 2026

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

@AndyAyersMS
Copy link
Member Author

AndyAyersMS commented Jan 5, 2026

@EgorBo PTAL
cc @dotnet/jit-contrib

We will want to backport this to .NET 10.

@AndyAyersMS AndyAyersMS requested a review from EgorBo January 5, 2026 22:36
Copilot AI reviewed Jan 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a critical bug in the JIT compiler's object stack allocation optimization where the SpanHelpers.Fill<T> intrinsic was incorrectly treating all its arguments as non-escaping, when in fact the last argument (the value of type T) can escape if T is a reference type. This caused stack-allocated objects passed as the value parameter to be incorrectly optimized, leading to heap corruption and NullReferenceExceptions.

Key changes:

  • Updated the escape analysis in objectalloc.cpp to correctly identify that only the first argument (byref to span data) of SpanHelpers.Fill doesn't escape
  • Added a regression test that reproduces the original issue

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
src/coreclr/jit/objectalloc.cpp Fixed escape analysis for SpanHelpers.Fill to only mark the first argument (byref span) as non-escaping, allowing the value parameter to escape
src/tests/JIT/opt/ObjectStackAllocation/Runtime_122879.cs Added regression test that reproduces the bug by using Span.Fill with a reference type and stack trashing
src/tests/JIT/opt/ObjectStackAllocation/Runtime_122879.csproj Test project configuration with optimization enabled

EgorBo
EgorBo reviewed Jan 5, 2026
View reviewed changes
@EgorBo
Copy link
Member

EgorBo commented Jan 5, 2026

{7388CE23-EC54-465A-917D-C2F6E04FF437}

Do we need the same for the MEMSET helper call? which is the same Fill or only because Fill is generic and allows ref typed values?

@AndyAyersMS
Copy link
Member Author

AndyAyersMS commented Jan 5, 2026

because Fill is generic and allows ref typed values?

Yeah, it's the fact that the filled value may be a GC ref that causes problems.

This was referenced Jan 6, 2026
Open
Open
@AndyAyersMS
Copy link
Member Author

AndyAyersMS commented Jan 6, 2026

/ba-g IOS dead letter

@AndyAyersMS AndyAyersMS merged commit 25a64f0 into dotnet:main Jan 6, 2026
130 of 135 checks passed
@AndyAyersMS
Copy link
Member Author

AndyAyersMS commented Jan 6, 2026

/backport to release/10.0

@github-actions
Copy link
Contributor

github-actions bot commented Jan 6, 2026

Started backporting to release/10.0 (link to workflow run)

@github-actions github-actions bot mentioned this pull request Jan 6, 2026
Merged
4 tasks
jeffhandley pushed a commit that referenced this pull request Jan 8, 2026
@github-actions @AndyAyersMS
[release/10.0] JIT: SpanHelpers.Fill may escape its last argument (#1…
b50a77a 
…22919)

Backport of #122902 to release/10.0

/cc @AndyAyersMS

## Customer Impact

- [X] Customer reported
- [ ] Found internally

Customer reported in #122879

Silent bad code in some cases involving calls to `SpanHelpers.Fill`
where the fill value is a GC ref coming from a locally allocated object.

## Regression

- [ ] Yes
- [x] No

This is a bug in a new optimization in .NET 10.

## Testing

Verified fix on customer reported case; also added this as regression
test. Bug was an oversight; the first argument to `SpanHelpers.Fill`
does not escape, but the other two might. The JIT was assuming none of
the arguments escaped.

## Risk

Low, we now disable stack allocation in this case.

Co-authored-by: Andy Ayers <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adamperlin adamperlin adamperlin left review comments

Copilot code review Copilot Copilot left review comments

@kg kg kg approved these changes

@EgorBo EgorBo EgorBo approved these changes

Assignees

@AndyAyersMS AndyAyersMS

Labels

area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Unexpected NullReferenceException (potentially escaped stack allocation)

4 participants

@AndyAyersMS @EgorBo @kg @adamperlin