JIT: unpin locals fed by non-GC typed values by AndyAyersMS · Pull Request #130002 · dotnet/runtime

AndyAyersMS · 2026-06-29T21:28:58Z

Treat a non-GC typed def (eg a native int reinterpreted as a byref, as in a Span built from a pointer) as non-movable, so the pinned local can be unpinned. Fixes #129993.

Treat a non-GC typed def (eg a native int reinterpreted as a byref, as in a Span built from a pointer) as non-movable, so the pinned local can be unpinned. Fixes dotnet#129993. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

dotnet-policy-service · 2026-06-29T21:30:31Z

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

AndyAyersMS · 2026-06-29T21:36:46Z

@EgorBo PTAL
50-60 methods with diffs.

Copilot

Pull request overview

This PR updates the JIT’s “no-GC definition” classification used by pinned-local unpinning so that locals fed by certain non-GC-typed values can be treated as non-movable, enabling pin elision in more cases.

Changes:

Expands GenTree::IsNotGcDef() to early-return true when the node’s TypeGet() is not GC-typed.

+        // A non-GC typed value (eg native int reinterpreted as byref) cannot designate a movable object.
+        if (!varTypeIsGC(TypeGet()))
+        {
+            return true;
+        }


+        // A non-GC typed value (eg native int reinterpreted as byref) cannot designate a movable object.
+        if (!varTypeIsGC(TypeGet()))
+        {
+            return true;
+        }


EgorBo · 2026-06-29T21:40:11Z

    bool IsNotGcDef() const
    {
+        // A non-GC typed value (eg native int reinterpreted as byref) cannot designate a movable object.
+        if (!varTypeIsGC(TypeGet()))


I assume this sort of marks any untracked GC pointer as UB even if previously it worked, like

fixed (... = Unsafe.AsPointer(gcRef))

cc @dotnet/jit-contrib in case if you see any concern

any concern

This is a breaking change. I don't see how it can be justified, since the pinned state of a value is a dynamic property. Here we only know that the value is pinned at the def point, but we need to know that it "would be" pinned for at least the lifetime the caller is concerned about.

ECMA spec explicitly talks about "Start GC tracking" and "Stop GC tracking" for conversions.

Yes this is too broad.

Seem like though that a non-gc parameter could possibly be handled here. If the parameter actually referred to GC memory whoever passed the argument would need to have pinned or they'd already be broken.

If the parameter actually referred to GC memory whoever passed the argument would need to have pinned or they'd already be broken.

I don't think parameters are special in any way. The pinning state can be dynamically altered for them just as for normal variables (through opaque means such as calls, inter-thread sync, GC handles, aliased pointers, etc).

It seems to me the analysis is also reliant on the "global" (or at least per-method) perspective, since a "true" return value is treated as representing a value that can't be made movable 'no matter what'. It would require a very sophisticated analysis indeed to prove that the pinned state of a value [that may be movable] doesn't change beyond its use in a def, in the general case.

As others have seemingly already mentioned here 😅: #129993 (comment)

The global analysis is flow insensitive so def vs use ordering shouldn't matter?

The global analysis is flow insensitive so def vs use ordering shouldn't matter?

What I meant is basically this:

void* p = GetPin(); // 'p' pinned here via e. g. a handle, the virtual 'pin ref count' increases: 0 -> 1 pinned j = p; // It increases again: 1 -> 2 Unpin(p); // Decreases: 2 -> 1 // ... // 'j's value still pinned here // ... return; // Decreases again: 1 -> 0, unpinned.

as the situation where the pinned state (analogous to a ref count) "changes beyond its use in a def [here the j = p def]". We know that the value represented by p at the point of the def must be pinned [otherwise we have UB], but beyond that point it must be proven by some other means.

Thanks all. Didn't appreciate that we have these non-lexical pinning mechanisms which makes any kind of local inference unsound.

MichalPetryka · 2026-06-29T21:58:12Z

@MihuBot -nuget

Copilot AI review requested due to automatic review settings June 29, 2026 21:28

github-actions Bot added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label Jun 29, 2026

Copilot started reviewing on behalf of AndyAyersMS June 29, 2026 21:29 View session

dotnet-policy-service Bot assigned AndyAyersMS Jun 29, 2026

AndyAyersMS requested a review from EgorBo June 29, 2026 21:36

Copilot AI reviewed Jun 29, 2026

View reviewed changes

EgorBo reviewed Jun 29, 2026

View reviewed changes

MihuBot mentioned this pull request Jun 29, 2026

[JitDiff X64] [AndyAyersMS] JIT: unpin locals fed by non-GC typed values MihuBot/runtime-utils#2054

Open

AndyAyersMS closed this Jun 30, 2026

Uh oh!

Conversation

AndyAyersMS commented Jun 29, 2026

Uh oh!

dotnet-policy-service Bot commented Jun 29, 2026

Uh oh!

AndyAyersMS commented Jun 29, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

SingleAccretion Jun 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

MichalPetryka commented Jun 29, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

SingleAccretion Jun 29, 2026 •

edited

Loading