[release/10.0] JIT: disable stack allocation for sites in CEA cloned regions #121860
+129
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…#121771) Our escape analysis assumes each stack allocation candidate node has a unique temp that has that allocation as its only assigned value. Conditional escape analysis may clone these nodes, creating a second allocation site assigning to the associated temp. This breaks the 1-1 assumption noted above. If those allocations do not escape then the JIT will stack allocate them, creating two distinct stack locals. In subsequent IR rewriting the JIT will then use the address of just one of the locals for all appearances of the temp, which is incorrect, and leads to the generated code possibly reading uninitialized stack slots. To fix this we disallow stack allocation for sites in blocks that were cloned, or their clones. (We can actually handle this case with better bookkeeping, but that is more involved). Fixes dotnet#121736.
Member
Author
|
PTAL @dotnet/jit-contrib |
Contributor
|
Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch |
Copilot finished reviewing on behalf of
AndyAyersMS
November 20, 2025 21:30
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR is a backport of #121771 to fix a JIT issue where conditional escape analysis (CEA) could silently generate incorrect code. The fix disables stack allocation for blocks that were cloned or are clones, as these violate the single-assignment assumption used by escape analysis.
Key changes:
- Adds tracking to distinguish original blocks from cloned blocks using
m_initialMaxBlockID - Implements
BlockIsCloneOrWasCloned()to identify problematic blocks - Updates
MorphAllocObjNodeHelper()to prevent stack allocation at cloned sites
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/tests/JIT/opt/ObjectStackAllocation/Runtime_121736.csproj | Test project for the regression case |
| src/tests/JIT/opt/ObjectStackAllocation/Runtime_121736.cs | Regression test using LINQ operations that trigger the CEA cloning scenario |
| src/coreclr/jit/objectalloc.h | Adds m_initialMaxBlockID field and BlockIsCloneOrWasCloned() method declaration |
| src/coreclr/jit/objectalloc.cpp | Implements the fix: captures initial block ID, adds clone detection logic, and prevents stack allocation for cloned blocks |
Member
Author
|
Failures look like #120577 |
Member
Author
|
There was a fix in #120736 but maybe this is a new case? |
Member
Author
|
/ba-g seeing recurrence of a supposedly fixed error |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #121771 to release/10.0
/cc @AndyAyersMS
Customer Impact
Reported by customer in #121736
Regression
An issue in a new optimization in .NET 10.
Escape analysis assumes each stack allocation candidate node has a unique temp that has that allocation as its only assigned value. Conditional escape analysis may clone these nodes, creating a second allocation site assigning to the same temp. This breaks the 1-1 assumption noted above and can lead to silent bad codegen.
To fix this we disallow stack allocation for sites in blocks that were cloned, or their clones.
Testing
Verified on the test case from the issue.
Risk
Low. Disables an optimization. No diffs for this in our SPMI testing.