Remove contract system support for RETURN/RETVAL/POSTCONDITION by jkoritzinsky · Pull Request #126610 · dotnet/runtime

jkoritzinsky · 2026-04-07T18:29:27Z

Note

This PR description was created with GitHub Copilot assistance.

The POSTCONDITION(RETVAL) support in the CoreCLR VM required us to use extremely obtuse compiler tricks to enable RETURN xyz; to work like return xyz; in the presence of contracts.

Very few of these post-conditions were actually interesting (most were checking for non-null pointers, may checking for always true conditions).

This PR removes POSTCONDITION support and RETURN/RETVAL support. For cases where the postconditions were actually interesting, the asserts are preserved and inserted before the return statements.

- Convert all POSTCONDITION(expr) checks to _ASSERTE(expr) before return sites where the assertion is safe and meaningful - Remove POSTCONDITION/POSTCONDITION_MSG lines from all contract blocks - Convert CONTRACT(type) and CONTRACT_VOID to CONTRACTL - Convert CONTRACT_END to CONTRACTL_END - Convert RETURN macro to return keyword (all variants: RETURN expr;, RETURN;, RETURN(expr);, RETURN_VOID;, CONTRACT_RETURN, SS_RETURN) - Remove DISABLED(POSTCONDITION(...)) from contract blocks - Fix SHOULD_INJECT_FAULT(RETURN ...) patterns - Remove CheckPointer assertions that don't compile with DAC pointer types Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…sion

dotnet-policy-service · 2026-04-07T18:31:06Z

Tagging subscribers to this area: @agocke
See info in area-owners.md if you want to be subscribed.

Copilot

Pull request overview

Removes CoreCLR’s contract-system support for RETURN/RETVAL/POSTCONDITION and migrates affected code paths to use standard C++ return statements plus explicit _ASSERTE checks where postconditions previously existed.

Changes:

Replaced CONTRACT(...)/CONTRACT_VOID + CONTRACT_END patterns with CONTRACTL + CONTRACTL_END across VM/utilcode/debug components.
Replaced RETURN(...) / RETURN; usages with return ...; / return;, and replaced meaningful POSTCONDITION(...) usages with explicit _ASSERTE(...) near return sites.
Updated contract header wiring (e.g., eecontract.h, DAC contract stubs) to remove the legacy macro hooks.

Reviewed changes

Copilot reviewed 118 out of 118 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/coreclr/vm/zapsig.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/virtualcallstub.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/typestring.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/threadsuspend.cpp	Replace `POSTCONDITION` with `_ASSERTE` near returns.
src/coreclr/vm/syncblk.h	Replace `RETVAL` postconditions with explicit asserts.
src/coreclr/vm/syncblk.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/stublink.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/stubhelpers.cpp	Normalize contract terminator to `CONTRACTL_END`.
src/coreclr/vm/stubcache.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/stackingallocator.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/stackingallocator.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/siginfo.cpp	Replace `RETVAL` postconditions with explicit asserts + `return`.
src/coreclr/vm/runtimecallablewrapper.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/riscv64/stubs.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/reflectclasswriter.cpp	Replace `RETVAL` postconditions with explicit asserts + `return`.
src/coreclr/vm/readytoruninfo.cpp	Replace `RETVAL` postconditions with explicit asserts + `return`.
src/coreclr/vm/proftoeeinterfaceimpl.cpp	Replace contract postconditions with explicit runtime assertions.
src/coreclr/vm/prestub.cpp	Replace `POSTCONDITION` with `_ASSERTE` near returns.
src/coreclr/vm/peimagelayout.inl	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/peimagelayout.cpp	Remove constructor-check contract usage.
src/coreclr/vm/peimage.inl	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/peimage.cpp	Replace postconditions with asserts; convert RETURN to `return`.
src/coreclr/vm/peassembly.inl	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/peassembly.cpp	Replace postconditions with asserts; convert RETURN to `return`.
src/coreclr/vm/olevariant.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/olecontexthelpers.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/nativelibrary.cpp	Replace `RETVAL` postcondition with explicit assert + `return`.
src/coreclr/vm/nativeimage.cpp	Remove constructor-check contract usage.
src/coreclr/vm/mlinfo.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/methodtablebuilder.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/methodtable.inl	Remove `CheckPointer` assert tied to contract usage.
src/coreclr/vm/methodtable.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/method.cpp	Replace `RETVAL` postconditions with explicit asserts + `return`.
src/coreclr/vm/memberload.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/managedmdimport.cpp	Replace `RETVAL` postconditions with explicit asserts + `return`.
src/coreclr/vm/loongarch64/stubs.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/loaderallocator.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/jitinterface.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/invokeutil.cpp	Replace `RETVAL` postconditions with explicit asserts + `return`.
src/coreclr/vm/interoputil.inl	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/interoputil.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/interoplibinterface_shared.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/interoplibinterface_objc.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/interopconverter.cpp	Replace `RETVAL` postconditions with explicit asserts + `return`.
src/coreclr/vm/ilstubresolver.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/ilstubcache.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/ilmarshalers.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/i386/stublinkerx86.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/i386/cgenx86.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/generics.cpp	Replace `RETVAL` postconditions with explicit asserts + `return`.
src/coreclr/vm/genericdict.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/fieldmarshaler.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/fieldmarshaler.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/field.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/eedbginterfaceimpl.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/eecontract.h	Remove legacy `CONTRACT`/`CONTRACT_VOID` EE overrides; keep `CONTRACTL`.
src/coreclr/vm/eeconfig.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/dynamicmethod.cpp	Replace postconditions with explicit asserts + `return`.
src/coreclr/vm/dynamicinterfacecastable.cpp	Replace postconditions with explicit asserts + `return`.
src/coreclr/vm/domainassembly.cpp	Remove constructor-check contract usage.
src/coreclr/vm/dllimportcallback.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/dllimportcallback.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/dispatchinfo.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/comtoclrcall.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/comtoclrcall.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/commtmemberinfomap.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/commtmemberinfomap.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/comdelegate.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/comconnectionpoints.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/comconnectionpoints.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/comcache.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/codeman.cpp	Replace postconditions with explicit asserts + `return`.
src/coreclr/vm/clrex.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/classhash.cpp	Replace postconditions with explicit asserts + `return`.
src/coreclr/vm/class.cpp	Replace postconditions with explicit asserts + `return`.
src/coreclr/vm/cachelinealloc.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/assemblyspec.hpp	Remove constructor-check contract usage.
src/coreclr/vm/assemblynative.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/arraynative.inl	Remove `CheckPointer` asserts tied to contract usage.
src/coreclr/vm/arraynative.cpp	Remove `CheckPointer` asserts tied to contract usage.
src/coreclr/vm/arm64/stubs.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/arm/stubs.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/vm/amd64/cgenamd64.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/utilcode/webcildecoder.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/utilcode/sstring_com.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/utilcode/sbuffer.cpp	Replace postconditions with explicit asserts + `return`.
src/coreclr/utilcode/loaderheap.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/utilcode/interleavedloaderheap.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/utilcode/explicitcontrolloaderheap.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/utilcode/clrconfig.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/inc/cordecoderhelpers.h	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/gc/env/gcenv.base.h	Remove legacy contract macro stubs no longer supported.
src/coreclr/debug/inc/dacdbistructures.inl	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/debug/ee/rcthread.cpp	Replace postconditions with explicit asserts + `return`.
src/coreclr/debug/ee/functioninfo.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.
src/coreclr/debug/ee/debugger.cpp	Replace postconditions with explicit asserts + `return`.
src/coreclr/debug/ee/controller.cpp	Replace postconditions with explicit asserts + `return`.
src/coreclr/debug/daccess/daccess.cpp	Convert contract/RETURN usage to `CONTRACTL`/`return`.

Copilot · 2026-04-07T18:36:59Z

src/coreclr/vm/peimage.cpp

    _ASSERTE(pImage->m_pLayouts[IMAGE_FLAT] != NULL);
-    RETURN dac_cast<PTR_PEImage>(pImage.Extract());
+    _ASSERTE(dac_cast<PTR_PEImage>(pImage.Extract())->HasLoadedLayout());
+    return dac_cast<PTR_PEImage>(pImage.Extract());
 }


PEImageHolder::Extract() transfers ownership; calling it twice here means the second Extract() will likely return null / invalid, and the first call may already have detached the object. Capture the extracted PTR_PEImage into a local once, assert on that, then return it.

Copilot · 2026-04-07T18:37:00Z

src/coreclr/vm/proftoeeinterfaceimpl.cpp

 #ifdef PROFILING_SUPPORTED
        PRECONDITION(InterlockedIncrement(&s_generationTableWriterCount) == 1);
-        POSTCONDITION(InterlockedDecrement(&s_generationTableWriterCount) == 0);
 #endif // PROFILING_SUPPORTED
-    } CONTRACT_END;
+    } CONTRACTL_END;


UpdateGenerationBounds uses PRECONDITION(InterlockedIncrement(&s_generationTableWriterCount) == 1) when contracts are enabled, but the corresponding decrement is now only done under #ifdef _DEBUG. In non-_DEBUG builds that still enable contracts (e.g., Checked), the counter will never be decremented and the single-writer assertion will fail on subsequent calls. Ensure the decrement runs whenever ENABLE_CONTRACTS is defined (and on all exit paths).

Copilot · 2026-04-07T18:37:00Z

src/coreclr/debug/ee/debugger.cpp

        if (pModules == NULL)
        {
-            RETURN (E_OUTOFMEMORY);
+            _ASSERTE(m_pModules != NULL);


Debugger::CheckInitModuleTable: in the OOM path (pModules == NULL) the code now asserts m_pModules != NULL before returning E_OUTOFMEMORY. That assertion is not expected to hold on failure and will fire during OOM handling; it should be removed or made conditional on success.

Suggested change

_ASSERTE(m_pModules != NULL);

Copilot · 2026-04-07T18:37:01Z

src/coreclr/vm/proftoeeinterfaceimpl.cpp

        if (s_currentGenerationTable == nullptr)
        {
-            RETURN;
+#ifdef _DEBUG
+            LONG result = InterlockedDecrement(&s_generationTableWriterCount);
+            _ASSERTE(result == 0);


The s_currentGenerationTable == nullptr early-return path decrements s_generationTableWriterCount only under #ifdef _DEBUG, but the increment (via contracts) can still occur in non-_DEBUG builds with ENABLE_CONTRACTS. Mirror the decrement under #ifdef ENABLE_CONTRACTS here too so the writer count is restored even on early return.

jkoritzinsky and others added 7 commits April 6, 2026 16:50

Remove POSTCONDITION and RETURN macro infrastructure

4b7b1f0

Remove tautological and unnecessary asserts from POSTCONDITION conver…

77fde5c

…sion

Address code review findings

989a182

Clean up some asserts a little better than before

97139e7

Make manual adjustments to POSTCONDITION removal

2765a3f

Remove CONSTRUCTOR_CHECK and INSTANCE_CHECK_NULL macros

2ca7ba7

jkoritzinsky requested review from davidwrighton and jkotas April 7, 2026 18:29

jkoritzinsky added the area-VM-coreclr label Apr 7, 2026

Copilot AI review requested due to automatic review settings April 7, 2026 18:29

dotnet-policy-service bot assigned jkoritzinsky Apr 7, 2026

github-project-automation bot added this to AppModel Apr 7, 2026

Copilot started reviewing on behalf of jkoritzinsky April 7, 2026 18:30 View session

Copilot AI reviewed Apr 7, 2026

View reviewed changes

Address PR feedback: fix assert guards and OOM path

2d226ac

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove contract system support for RETURN/RETVAL/POSTCONDITION#126610

Remove contract system support for RETURN/RETVAL/POSTCONDITION#126610
jkoritzinsky wants to merge 8 commits intodotnet:mainfrom
jkoritzinsky:remove-postcondition-return

jkoritzinsky commented Apr 7, 2026

Uh oh!

dotnet-policy-service bot commented Apr 7, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Apr 7, 2026

Uh oh!

Copilot AI Apr 7, 2026

Uh oh!

Copilot AI Apr 7, 2026

Uh oh!

Copilot AI Apr 7, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

jkoritzinsky commented Apr 7, 2026

Uh oh!

dotnet-policy-service bot commented Apr 7, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Copilot AI Apr 7, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Apr 7, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Apr 7, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Apr 7, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants