New JIT compiler in .NET 4.6 contains serious bug for web applications
The RyuJIT compiler in the latest version of .NET appears to have a serious bug which, in some cases, causes functions to be called with the wrong parameter values. The bug only occurs when certain optimizations are applied in release builds.
Developers of the Stack Overflow website discovered the bug. In release mode, certain optimizations are applied when the code is compiled at run time. The optimization of tail calls causes problems in .NET 4.6: in some cases, function call parameters end up filled with seemingly arbitrary values.
A tail call is an optimization in which a function called as the last action of its caller is not executed in a new stack frame but reuses the frame of its caller. The parameters of functions executed as tail calls can be filled with apparently arbitrary values. The bug affects web apps hosted in IIS, but not applications running from the command prompt.
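The following is an added illustration, not code from the article or from the affected project: it shows what a call in tail position looks like and probes whether the current JIT configuration actually reuses the frame. The names (`TailCallProbe`, `Descend`, `TailCallsOptimized`) are assumed; the snippet does not reproduce the parameter corruption itself.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.CompilerServices;

// Added example (not from the article). In release builds the JIT may turn
// a call in tail position into a jump that reuses the caller's frame; in
// debug builds, or under a JIT without that optimization, every call gets
// its own frame. Measuring the stack depth tells the two apart.
static class TailCallProbe
{
    // The recursive call is the last action in the method, so it is in
    // tail position. NoInlining keeps the JIT from folding the recursion
    // away, which would make the frame count meaningless.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static int Descend(int remaining, int framesAtStart)
    {
        if (remaining == 0)
            return new StackTrace().FrameCount - framesAtStart;
        return Descend(remaining - 1, framesAtStart); // tail call
    }

    // Returns true when the tail calls were optimized (the frame count stays
    // roughly flat) and false when each call pushed a new frame.
    public static bool TailCallsOptimized(int depth)
    {
        int baseline = new StackTrace().FrameCount;
        int extraFrames = Descend(depth, baseline);
        return extraFrames < depth;
    }

    static void Main()
    {
        // Compare the result of a release build under IIS with that of the
        // same build run from the command prompt to see whether the
        // optimization is in effect in a given deployment.
        Console.WriteLine("Tail calls optimized: " + TailCallsOptimized(1000));
    }
}
```

The probe only reports whether the optimization is active; a method whose parameters must be trusted is best verified against a known input rather than by inspecting the stack.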
The bug does not appear to be directly exploitable, but may pose an indirect security risk: users could, for example, inadvertently gain more permissions within an application than intended. The reduced stability is a further concern. A pull request with a fix has been posted on GitHub. It is not yet known when Microsoft will release an update.