JIT: Fix KnownBits bounds-check width and drop dead include

EgorBo · Copilot · EgorBo · commit 85f24256ebfb · 2026-06-07T18:30:32.000+02:00
The bounds-check consumer hardcoded width=32 in EvalRelop, which is unsound on
64-bit targets where fgMorphIndexAddr (morph.cpp:2995-3015) widens the bounds
check to TYP_I_IMPL when the index is native int. With a TYP_LONG index whose
low 32 bits are provably small but whose high 32 bits are unknown, the fold
could prove (uint)idx &lt; (uint)len using only the low half and incorrectly drop
a required bounds check (memory corruption).

Derive the width from the operand type, matching the other two consumers.
Caught by Opus 4.7 (xhigh), Opus 4.8, and GPT-5.5 in parallel review.

Also drop the now-dead #include "knownbits.h" from rangecheck.cpp left over
from the previous cleanup commit.

libraries.pmi: -13,920 bytes (was -14,515; ~600 byte loss is the correctness
recovery -- those wins were unsound TYP_LONG bounds-check drops).

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/coreclr/jit/assertionprop.cpp b/src/coreclr/jit/assertionprop.cpp
@@ -5572,10 +5572,15 @@ GenTree* Compiler::optAssertionProp_BndsChk(ASSERT_VALARG_TP assertions, GenTree
     };
 
     // Known-bits elimination: redundant if (uint)index is provably < (uint)length. Catches masked
-    // indices and bit patterns the range-based paths cannot express.
+    // indices and bit patterns the range-based paths cannot express. On 64-bit targets the index
+    // and length can both be TYP_I_IMPL (see fgMorphIndexAddr), so derive the width from the actual
+    // operand type instead of hardcoding 32 -- otherwise we'd discard the high 32 bits of a native-int
+    // index and could prove a (uint)idx < (uint)len fact that doesn't hold for the full value.
+    assert(genActualType(arrBndsChk->GetIndex()) == genActualType(arrBndsChk->GetArrayLength()));
+    const unsigned  width = genTypeSize(genActualType(arrBndsChk->GetIndex())) * BITS_PER_BYTE;
     const KnownBits kbIdx = KnownBits::Compute(this, vnCurIdx, assertions);
     const KnownBits kbLen = KnownBits::Compute(this, vnCurLen, assertions);
-    if (KnownBitsOps::EvalRelop(GT_LT, /* isUnsigned */ true, kbIdx, kbLen, 32) == 1)
+    if (KnownBitsOps::EvalRelop(GT_LT, /* isUnsigned */ true, kbIdx, kbLen, width) == 1)
     {
         return dropBoundsCheck(INDEBUG("known bits prove (uint)index < (uint)length"));
     }
diff --git a/src/coreclr/jit/rangecheck.cpp b/src/coreclr/jit/rangecheck.cpp
@@ -5,7 +5,6 @@
 
 #include "jitpch.h"
 #include "rangecheck.h"
-#include "knownbits.h"
 
 //------------------------------------------------------------------------
 // rangeCheckPhase: optimize bounds checks via range analysis
