Don't emit unchecked write barrier for stack-allocated arrays (#112711)

EgorBo · web-flow · commit 451a41d8c706 · 2025-02-20T10:18:35.000+01:00
diff --git a/src/coreclr/jit/assertionprop.cpp b/src/coreclr/jit/assertionprop.cpp
@@ -5193,8 +5193,9 @@ static GCInfo::WriteBarrierForm GetWriteBarrierForm(Compiler* comp, ValueNum vn)
     {
         if (funcApp.m_func == VNF_PtrToArrElem)
         {
-            // Arrays are always on the heap
-            return GCInfo::WriteBarrierForm::WBF_BarrierUnchecked;
+            // Check whether the array is on the heap
+            ValueNum arrayVN = funcApp.m_args[1];
+            return GetWriteBarrierForm(comp, arrayVN);
         }
         if (funcApp.m_func == VNF_PtrToLoc)
         {
diff --git a/src/tests/JIT/Regression/JitBlue/Runtime_112709/Runtime_112709.cs b/src/tests/JIT/Regression/JitBlue/Runtime_112709/Runtime_112709.cs
@@ -0,0 +1,40 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+// Generated by Fuzzlyn v2.4 on 2025-02-19 20:47:50
+// Run on X64 Windows
+// Seed: 12432040051036532696-vectort,vector128,vector256,x86aes,x86avx,x86avx2,x86avx512bw,x86avx512bwvl,x86avx512cd,x86avx512cdvl,x86avx512dq,x86avx512dqvl,x86avx512f,x86avx512fvl,x86avx512fx64,x86bmi1,x86bmi1x64,x86bmi2,x86bmi2x64,x86fma,x86lzcnt,x86lzcntx64,x86pclmulqdq,x86popcnt,x86popcntx64,x86sse,x86ssex64,x86sse2,x86sse2x64,x86sse3,x86sse41,x86sse41x64,x86sse42,x86sse42x64,x86ssse3,x86x86base
+// Reduced from 62.0 KiB to 0.5 KiB in 00:06:15
+// Exits with error:
+// Fatal error. System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
+//    at Program.Main(Fuzzlyn.ExecutionServer.IRuntime)
+//    at Fuzzlyn.ExecutionServer.Program.<RunPairAsync>g__RunAndGetResultAsync|1_0(Byte[], <>c__DisplayClass1_0 ByRef)
+//    at Fuzzlyn.ExecutionServer.Program.RunPairAsync(System.Runtime.Loader.AssemblyLoadContext, Fuzzlyn.ExecutionServer.ProgramPair)
+//    at Fuzzlyn.ExecutionServer.Program+<>c__DisplayClass0_0.<Main>b__0()
+//    at System.Threading.Thread+StartHelper.RunWorker()
+//
+using System;
+using System.Numerics;
+using System.Runtime.Intrinsics;
+using System.Runtime.Intrinsics.X86;
+using Xunit;
+
+public class Runtime_112709
+{
+    [Fact]
+    public static void Problem()
+    {
+        Vector256<byte>[][][] vr0 = default(Vector256<byte>[][][]);
+        vr0 = new Vector256<byte>[][][]
+        {
+            new Vector256<byte>[][]
+            {
+                new Vector256<byte>[]
+                {
+                    Vector256.Create<byte>(0)
+                }
+            }
+        };
+        vr0[0] = vr0[0];
+    }
+}
diff --git a/src/tests/JIT/Regression/JitBlue/Runtime_112709/Runtime_112709.csproj b/src/tests/JIT/Regression/JitBlue/Runtime_112709/Runtime_112709.csproj
@@ -0,0 +1,8 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <Optimize>True</Optimize>
+  </PropertyGroup>
+  <ItemGroup>
+    <Compile Include="$(MSBuildProjectName).cs" />
+  </ItemGroup>
+</Project>

Original file line number	Diff line number	Diff line change
`@@ -5193,8 +5193,9 @@ static GCInfo::WriteBarrierForm GetWriteBarrierForm(Compiler* comp, ValueNum vn)`
`5193`	`5193`	`{`
`5194`	`5194`	`if (funcApp.m_func == VNF_PtrToArrElem)`
`5195`	`5195`	`{`
`5196`		`- // Arrays are always on the heap`
`5197`		`- return GCInfo::WriteBarrierForm::WBF_BarrierUnchecked;`
	`5196`	`+ // Check whether the array is on the heap`
	`5197`	`+ ValueNum arrayVN = funcApp.m_args[1];`
	`5198`	`+ return GetWriteBarrierForm(comp, arrayVN);`
`5198`	`5199`	`}`
`5199`	`5200`	`if (funcApp.m_func == VNF_PtrToLoc)`
`5200`	`5201`	`{`