Skip to content

Fix INT_MIN overflow in RangeCheck::BetweenBounds#127648

Open
EgorBo wants to merge 2 commits intodotnet:mainfrom
EgorBo:fix-rangecheck-intmin-127639
Open

Fix INT_MIN overflow in RangeCheck::BetweenBounds#127648
EgorBo wants to merge 2 commits intodotnet:mainfrom
EgorBo:fix-rangecheck-intmin-127639

Conversation

@EgorBo
Copy link
Copy Markdown
Member

@EgorBo EgorBo commented May 1, 2026

fixes #127639

@EgorBo
Fix INT_MIN overflow in RangeCheck::BetweenBounds
a5ba803 
When the lower-limit constant 'lcns' equals INT_MIN, the expression
'-lcns' triggers signed integer overflow (undefined behavior; on
two's-complement targets it yields INT_MIN itself). The check
'-lcns > arrSize' then evaluates to false and the function may
incorrectly conclude that an out-of-bounds index is in range.

Use 'lcns < -arrSize' instead. arrSize is guaranteed to be > 0 at
these sites, so '-arrSize' cannot overflow.

Fixes dotnet#127639

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 1, 2026 13:14
@github-actions github-actions Bot added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label May 1, 2026
@dotnet-policy-service
Copy link
Copy Markdown
Contributor

dotnet-policy-service Bot commented May 1, 2026

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Copilot AI reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a signed-integer overflow corner case in the JIT range analysis (RangeCheck::BetweenBounds) when the lower-bound constant (lcns) is INT_MIN, which could previously cause an incorrect “in-bounds” result and lead to incorrect bounds-check elimination decisions.

Changes:

  • Rewrites the comparison -lcns > arrSize to the mathematically equivalent lcns < -arrSize to avoid negating INT_MIN (undefined behavior in C++).
  • Applies the same fix to both relevant lcns checks in BetweenBounds, with explanatory comments.

@EgorBo
Copy link
Copy Markdown
Member Author

EgorBo commented May 1, 2026

PTAL @dotnet/jit-contrib simple correctness change, no diffs.

@EgorBo EgorBo requested a review from a team May 1, 2026 15:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@kg kg kg approved these changes

Assignees

@EgorBo EgorBo

Labels

area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Integer overflow in rangecheck.cpp when lcns is int.MinValue

3 participants

@EgorBo @kg