
JIT: fix AV caused by JIT#120575

Merged
AndyAyersMS merged 1 commit into dotnet:main from AndyAyersMS:Fix120522 on Oct 14, 2025

Conversation

@AndyAyersMS
Member

The JIT attempts to deduce a class handle for the return type of TYP_REF calls, and almost always succeeds. However System.Array.Clone is special cased to return the type of its argument, and this argument may be a byref indir without a known managed type, so this deduction may fail.

This causes the JIT to pass a null handle into the VM.

Cope with this by setting the type instead of updating the type, if we discover it later via inlining.

Closes #120522.

Copilot AI review requested due to automatic review settings October 9, 2025 19:55
Contributor

Copilot AI left a comment


Pull Request Overview

This PR fixes an access violation (AV) in the JIT compiler caused by a null class handle being passed to the VM. The issue occurs when the JIT tries to deduce the return type of System.Array.Clone() calls where the argument is a byref indir without a known managed type.

  • Adds defensive logging when class handle deduction fails in the spill return expression helper
  • Updates the inlining logic to properly handle cases where class handles are initially unknown by setting the type instead of updating it
  • Includes a regression test that reproduces the original crash scenario

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

Files reviewed:

  • src/tests/JIT/Regression/JitBlue/Runtime_120522/Runtime_120522.csproj: Test project file for the regression test
  • src/tests/JIT/Regression/JitBlue/Runtime_120522/Runtime_120522.cs: Regression test that reproduces the AV scenario with Array.Clone()
  • src/coreclr/jit/importercalls.cpp: Adds defensive logging when class handle deduction fails
  • src/coreclr/jit/fginline.cpp: Fixes the core issue by checking for NO_CLASS_HANDLE and using lvaSetClass instead of lvaUpdateClass

@github-actions github-actions bot added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label Oct 9, 2025
@AndyAyersMS
Member Author

@EgorBo PTAL
cc @dotnet/jit-contrib

No diffs expected.

@dotnet-policy-service
Contributor

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

@AndyAyersMS
Member Author

@dotnet/jit-contrib ping, this is a fairly straightforward fix. No diffs.

@AndyAyersMS AndyAyersMS merged commit bb66d72 into dotnet:main Oct 14, 2025
117 of 119 checks passed
@AndyAyersMS
Member Author

/backport to release/10.0

@github-actions
Contributor

Started backporting to release/10.0 (link to workflow run)

steveisok pushed a commit that referenced this pull request Nov 12, 2025
Backport of #120575 to release/10.0

/cc @AndyAyersMS

## Customer Impact

- [x] Customer reported
- [ ] Found internally

Reported by customer in #120522

## Regression

- [ ] Yes
- [x] No

Similar problem exists in .NET 8 and .NET 9. I intend to backport this
fix there if we fix this in .NET 10.

## Testing

Verified on the test case from the issue.

## Risk

Low. The JIT special cases return type deductions for `Array.Clone`, and
this issue only triggers if the argument to `Array.Clone` is a byref.
The fix is a bit more general but is mainly defensive, handling cases
where return type deductions fail.

Co-authored-by: Andy Ayers <andya@microsoft.com>
@github-actions github-actions bot locked and limited conversation to collaborators Dec 11, 2025

Linked issue closed by this pull request: AV occurs during JIT compilation with dynamic PGO for TYP_REF (#120522)