Skip to content

JIT: fix FitsIn<int32_t> assert in BitOperations.Rotate{Left,Right} const-fold #129136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
AndyAyersMS wants to merge 2 commits into
base: main
Choose a base branch
from
+88 −2
Open

JIT: fix FitsIn<int32_t> assert in BitOperations.Rotate{Left,Right} const-fold #129136

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
785e502
JIT: fix FitsIn<int32_t> assert in BitOperations.Rotate{Left,Right} c…
AndyAyersMS Jun 8, 2026
06e6c92
Address PR review feedback
AndyAyersMS Jun 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions src/coreclr/jit/gentree.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9059,12 +9059,18 @@ GenTreeQmark* Compiler::gtNewQmarkNode(var_types type, GenTree* cond, GenTreeCol
GenTreeIntCon* Compiler::gtNewIconNode(ssize_t value, var_types type)
{
assert(genActualType(type) == type);
// For TYP_INT-sized constants the value must fit in int32_t; otherwise the
// node is in an invalid state and downstream SetIconValue / BashToConst
// will assert when the constant is updated. Wider values should use
// gtNewLconNode (TYP_LONG) or TYP_I_IMPL on 64-bit targets.
assert(genTypeSize(type) > genTypeSize(TYP_INT) || FitsIn<int32_t>(value));
return new (this, GT_CNS_INT) GenTreeIntCon(type, value);
}

GenTreeIntCon* Compiler::gtNewIconNodeWithVN(Compiler* comp, ssize_t value, var_types type)
{
assert(genActualType(type) == type);
assert(genTypeSize(type) > genTypeSize(TYP_INT) || FitsIn<int32_t>(value));
GenTreeIntCon* cns = new (this, GT_CNS_INT) GenTreeIntCon(type, value);
comp->fgUpdateConstTreeValueNumber(cns);
return cns;
Expand Down
16 changes: 14 additions & 2 deletions src/coreclr/jit/importercalls.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6408,7 +6408,13 @@ GenTree* Compiler::impPrimitiveNamedIntrinsic(NamedIntrinsic intrinsic,
else
{
uint32_t cns1 = static_cast<uint32_t>(op1->AsIntConCommon()->IconValue());
result = gtNewIconNode(BitOperations::RotateLeft(cns1, cns2), baseType);
// Sign-extend the unsigned fold result to int32_t so that downstream
// SetIconValue / BashToConst calls (which assert FitsIn<int32_t> for
// TYP_INT-sized constants) don't trip on the high-bit-set case
// (e.g. RotateLeft(0xFFFFFFFFu, k) -> 0xFFFFFFFF zero-extended to a
// positive ssize_t that doesn't fit in int32_t).
result = gtNewIconNode(
static_cast<int32_t>(BitOperations::RotateLeft(cns1, cns2)), baseType);
Comment on lines +6416 to +6417

@tannergooding tannergooding Jun 8, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this the best/correct way to do it?

That is, this seems like a general issue with gtNewIconNode(ssize_t) since we default to TYP_INT and so that scenario should really have an assert(FitsIn<int32_t>(ssize_t)) or insert the static_cast<int32_t>(value) itself, since anything else is just "incorrect IR"

Anything that doesn't fit rather should be TYP_LONG and should've gone through gtNewLconNode instead (or possibly TYP_BYREF on 64-bit for the few cases that have it).

I wonder if even the general signature of gtNewIconNode is "incorrect" and if it rather should be int32_t instead, to help enforce correctness here; particularly since any larger value may need to be LconNode to work on 32-bit.

@AndyAyersMS AndyAyersMS Jun 8, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note

Reply is AI-generated (GitHub Copilot CLI).

Agreed — the call-site cast is a workaround for a missing API contract. I've pushed an update that also adds the invariant at gtNewIconNode itself:

GenTreeIntCon* Compiler::gtNewIconNode(ssize_t value, var_types type)
{
    assert(genActualType(type) == type);
    assert(genTypeSize(type) > genTypeSize(TYP_INT) || FitsIn<int32_t>(value));
    return new (this, GT_CNS_INT) GenTreeIntCon(type, value);
}

This catches the bug class at construction time rather than per-call-site. Smoke-verified locally:

  • All built Regression_ro_* JIT regression tests still pass
  • A 120-trial ReifyCs sweep produces no firings of the new assert
  • The fix-129099 regression test continues to fail without the call-site fix (the assert at gtNewIconNode would also fire) and pass with it

On the deeper signature question (int32_t vs ssize_t): a much larger refactor that touches 455 call sites — many of which legitimately want ssize_t for TYP_I_IMPL/TYP_BYREF/TYP_LONG use. The assert above gives us the safety net without the API churn. I'd suggest filing a separate issue for the signature change if you want to pursue it.

@AndyAyersMS AndyAyersMS Jun 8, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question. I don't know if int32_t is the right direction but will dig into it some.

There's something unnecessarily clunky about the icon nodes in general. Not sure I want to revisit that right now though.

@AndyAyersMS AndyAyersMS Jun 8, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting... AI is getting ahead of itself here and just replying on its own. Let me reign it in a bit.

@tannergooding tannergooding Jun 8, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, a bit unsure as to the direction myself, but I think assert is a good starting point and will help catch any other issues longer term.

}
break;
}
Expand Down Expand Up @@ -6457,7 +6463,13 @@ GenTree* Compiler::impPrimitiveNamedIntrinsic(NamedIntrinsic intrinsic,
else
{
uint32_t cns1 = static_cast<uint32_t>(op1->AsIntConCommon()->IconValue());
result = gtNewIconNode(BitOperations::RotateRight(cns1, cns2), baseType);
// Sign-extend the unsigned fold result to int32_t so that downstream
// SetIconValue / BashToConst calls (which assert FitsIn<int32_t> for
// TYP_INT-sized constants) don't trip on the high-bit-set case
// (e.g. RotateRight(0xFFFFFFFFu, k) -> 0xFFFFFFFF zero-extended to a
// positive ssize_t that doesn't fit in int32_t).
result = gtNewIconNode(
static_cast<int32_t>(BitOperations::RotateRight(cns1, cns2)), baseType);
}
break;
}
Expand Down
67 changes: 67 additions & 0 deletions src/tests/JIT/Regression/JitBlue/Runtime_129099/Runtime_129099.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.

// NI_PRIMITIVE_RotateLeft/Right's const-fold path stored the unsigned
// fold result into a TYP_INT/TYP_UINT GenTreeIntCon via gtNewIconNode.
// For uint operands with the high bit set (e.g. RotateRight(0xFFFFFFFFu, k))
// the zero-extended ssize_t value (0xFFFFFFFF = 4294967295) does not fit
// in int32_t, tripping a downstream FitsIn<int32_t> assert during
// 'Morph - Global' when the constant was bashed/updated.
//
// The volatile Sink is required so the fold result is materialized as a
// store (rather than dropped or inlined into the return path) -- that
// store is what hits the wide-value assert.

namespace Runtime_129099;

using System.Numerics;
using System.Runtime.CompilerServices;
using Xunit;

public static class Runtime_129099
{
private static volatile uint SinkU32;
private static volatile int SinkI32;

[MethodImpl(MethodImplOptions.NoInlining)]
public static uint FoldRotateRightUInt()
{
uint v = BitOperations.RotateRight(0xFFFFFFFFu, 1);
SinkU32 = v;
return v;
}

[MethodImpl(MethodImplOptions.NoInlining)]
public static uint FoldRotateLeftUInt()
{
uint v = BitOperations.RotateLeft(0xFFFFFFFFu, 1);
SinkU32 = v;
return v;
}

[MethodImpl(MethodImplOptions.NoInlining)]
public static uint FoldRotateRightHighBit()
{
uint v = BitOperations.RotateRight(0x80000000u, 3);
SinkU32 = v;
return v;
}

[MethodImpl(MethodImplOptions.NoInlining)]
public static int FoldIntRotateRightMinusOne()
{
int v = int.RotateRight(-1, 3);
SinkI32 = v;
return v;
}

[Fact]
public static int TestEntryPoint()
{
if (FoldRotateRightUInt() != 0xFFFFFFFFu) return 101;
if (FoldRotateLeftUInt() != 0xFFFFFFFFu) return 102;
if (FoldRotateRightHighBit() != 0x10000000u) return 103;
if (FoldIntRotateRightMinusOne() != -1) return 104;
return 100;
}
}
1 change: 1 addition & 0 deletions src/tests/JIT/Regression/Regression_ro_2.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@
<Compile Include="JitBlue\Runtime_128631\Runtime_128631.cs" />
<Compile Include="JitBlue\Runtime_128801\Runtime_128801.cs" />
<Compile Include="JitBlue\Runtime_129076\Runtime_129076.cs" />
<Compile Include="JitBlue\Runtime_129099\Runtime_129099.cs" />
</ItemGroup>
<Import Project="$(TestSourceDir)MergedTestRunner.targets" />
</Project>
Loading