JIT: fix profile likelihood and overflow UB in optimizebools

Andrew Ayers · Copilot · Andrew Ayers · commit 4ab214c05fc2 · 2026-06-03T07:52:41.000-07:00
Fix two issues in optOptimizeBoolsUpdateTrees and GetIntersection:

1. The !sameTarget branch likelihood formula was computing
   (1-p1) + p1*p2_false = 1 - p1*p2_true, but the correct
   probability of reaching B2's true target is
   (1-p1) * p2_true (B1 falls through, then B2 jumps).
   Also fixed the misleading comment.

2. The normalize lambda in GetIntersection could overflow
   when cns == SSIZE_T_MAX and cmp == GT_GT (signed overflow
   is UB in C++). Added an explicit guard and made the lambda
   return bool to signal failure.

3. Updated a stale comment referencing the nonexistent
   GTF_BOOLEAN flag in optIsBoolComp.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/coreclr/jit/optimizebools.cpp b/src/coreclr/jit/optimizebools.cpp
@@ -448,23 +448,30 @@ static bool GetIntersection(var_types  type,
     }
 
     // Convert to a canonical form with GT_GE or GT_LE (inclusive).
-    auto normalize = [](genTreeOps* cmp, ssize_t* cns) {
+    auto normalize = [](genTreeOps* cmp, ssize_t* cns) -> bool {
         if (*cmp == GT_GT)
         {
             // "X > cns" -> "X >= cns + 1"
+            if (*cns == SSIZE_T_MAX)
+            {
+                return false;
+            }
             *cns = *cns + 1;
             *cmp = GT_GE;
         }
         if (*cmp == GT_LT)
         {
             // "X < cns" -> "X <= cns - 1"
+            // cns is non-negative (checked above), so cns - 1 >= -1 and cannot underflow.
             *cns = *cns - 1;
             *cmp = GT_LE;
         }
-        // whether these overflow or not is checked below.
+        return true;
     };
-    normalize(&cmp1, &cns1);
-    normalize(&cmp2, &cns2);
+    if (!normalize(&cmp1, &cns1) || !normalize(&cmp2, &cns2))
+    {
+        return false;
+    }
 
     if (cmp1 == cmp2)
     {
@@ -1234,8 +1241,8 @@ void OptBoolsDsc::optOptimizeBoolsUpdateTrees()
         }
         else
         {
-            // We originally reached B2's true target via
-            // B1 false OR B1 true B2 false.
+            // We originally reached B2's true target only via
+            // B1 false, then B2 true.
             //
             // We will now reach via B1 true.
             // Modify flow for true side of B1
@@ -1244,7 +1251,7 @@ void OptBoolsDsc::optOptimizeBoolsUpdateTrees()
             origB1TrueEdge->setHeuristicBased(origB2TrueEdge->isHeuristicBased());
 
             newB1TrueLikelihood =
-                (1.0 - origB1TrueLikelihood) + origB1TrueLikelihood * origB2FalseEdge->getLikelihood();
+                (1.0 - origB1TrueLikelihood) * origB2TrueEdge->getLikelihood();
         }
 
         // Fix B1 true edge likelihood
@@ -1412,9 +1419,9 @@ GenTree* OptBoolsDsc::optIsBoolComp(OptTestInfo* pOptTest)
     ssize_t ival2 = opr2->AsIntCon()->gtIconVal;
 
     // Is the value a boolean?
-    // We can either have a boolean expression (marked GTF_BOOLEAN) or a constant 0/1.
+    // Currently we only recognize constant 0/1.
 
-    if (opr1->OperIs(GT_CNS_INT) && (opr1->IsIntegralConst(0) || opr1->IsIntegralConst(1)))
+    if (opr1->IsIntegralConst(0) || opr1->IsIntegralConst(1))
     {
         pOptTest->isBool = true;
     }

Original file line number	Diff line number	Diff line change
`@@ -448,23 +448,30 @@ static bool GetIntersection(var_types type,`
`448`	`448`	`}`
`449`	`449`
`450`	`450`	`// Convert to a canonical form with GT_GE or GT_LE (inclusive).`
`451`		`- auto normalize = [](genTreeOps* cmp, ssize_t* cns) {`
	`451`	`+ auto normalize = [](genTreeOps* cmp, ssize_t* cns) -> bool {`
`452`	`452`	`if (*cmp == GT_GT)`
`453`	`453`	`{`
`454`	`454`	`// "X > cns" -> "X >= cns + 1"`
	`455`	`+ if (*cns == SSIZE_T_MAX)`
	`456`	`+ {`
	`457`	`+ return false;`
	`458`	`+ }`
`455`	`459`	`cns = cns + 1;`
`456`	`460`	`*cmp = GT_GE;`
`457`	`461`	`}`
`458`	`462`	`if (*cmp == GT_LT)`
`459`	`463`	`{`
`460`	`464`	`// "X < cns" -> "X <= cns - 1"`
	`465`	`+ // cns is non-negative (checked above), so cns - 1 >= -1 and cannot underflow.`
`461`	`466`	`cns = cns - 1;`
`462`	`467`	`*cmp = GT_LE;`
`463`	`468`	`}`
`464`		`- // whether these overflow or not is checked below.`
	`469`	`+ return true;`
`465`	`470`	`};`
`466`		`- normalize(&cmp1, &cns1);`
`467`		`- normalize(&cmp2, &cns2);`
	`471`	`+ if (!normalize(&cmp1, &cns1) \|\| !normalize(&cmp2, &cns2))`
	`472`	`+ {`
	`473`	`+ return false;`
	`474`	`+ }`
`468`	`475`
`469`	`476`	`if (cmp1 == cmp2)`
`470`	`477`	`{`
`@@ -1234,8 +1241,8 @@ void OptBoolsDsc::optOptimizeBoolsUpdateTrees()`
`1234`	`1241`	`}`
`1235`	`1242`	`else`
`1236`	`1243`	`{`
`1237`		`- // We originally reached B2's true target via`
`1238`		`- // B1 false OR B1 true B2 false.`
	`1244`	`+ // We originally reached B2's true target only via`
	`1245`	`+ // B1 false, then B2 true.`
`1239`	`1246`	`//`
`1240`	`1247`	`// We will now reach via B1 true.`
`1241`	`1248`	`// Modify flow for true side of B1`
`@@ -1244,7 +1251,7 @@ void OptBoolsDsc::optOptimizeBoolsUpdateTrees()`
`1244`	`1251`	`origB1TrueEdge->setHeuristicBased(origB2TrueEdge->isHeuristicBased());`
`1245`	`1252`
`1246`	`1253`	`newB1TrueLikelihood =`
`1247`		`- (1.0 - origB1TrueLikelihood) + origB1TrueLikelihood * origB2FalseEdge->getLikelihood();`
	`1254`	`+ (1.0 - origB1TrueLikelihood) * origB2TrueEdge->getLikelihood();`
`1248`	`1255`	`}`
`1249`	`1256`
`1250`	`1257`	`// Fix B1 true edge likelihood`
`@@ -1412,9 +1419,9 @@ GenTree* OptBoolsDsc::optIsBoolComp(OptTestInfo* pOptTest)`
`1412`	`1419`	`ssize_t ival2 = opr2->AsIntCon()->gtIconVal;`
`1413`	`1420`
`1414`	`1421`	`// Is the value a boolean?`
`1415`		`- // We can either have a boolean expression (marked GTF_BOOLEAN) or a constant 0/1.`
	`1422`	`+ // Currently we only recognize constant 0/1.`
`1416`	`1423`
`1417`		`- if (opr1->OperIs(GT_CNS_INT) && (opr1->IsIntegralConst(0) \|\| opr1->IsIntegralConst(1)))`
	`1424`	`+ if (opr1->IsIntegralConst(0) \|\| opr1->IsIntegralConst(1))`
`1418`	`1425`	`{`
`1419`	`1426`	`pOptTest->isBool = true;`
`1420`	`1427`	`}`