Fix CS9361 stackalloc unsafe context in X25519DiffieHellmanCng

[Copilot]

The new Roslyn shipped in #127944 (5.7.0-1.26257.113) introduced CS9361, which requires an unsafe context for stackalloc without an initializer when [SkipLocalsInit] is in effect (assembly-wide for NetCoreAppLibrary projects via src/libraries/Directory.Build.targets). This broke the build of System.Security.Cryptography on X25519DiffieHellmanCng.DeriveRawSecretAgreementCore, recently added in fe45871.

Description

• In X25519DiffieHellmanCng.Windows.cs, declare publicKeyBuffer as scoped Span<byte> and wrap only the stackalloc in a narrowly-scoped unsafe block, rather than marking the whole method unsafe:

  scoped Span<byte> publicKeyBuffer;
  
  unsafe
  {
      publicKeyBuffer = stackalloc byte[PublicKeySizeInBytes * 2];
  }

  The scoped modifier preserves the safe ref-safety semantics of the original Span<byte> publicKeyBuffer = stackalloc ... declaration so no unsafe modifier is required on the partial method itself.

• Audited other Span<T> = stackalloc T[N] sites in projects with global SkipLocalsInit. CS9361 only fires on this one site; existing call sites are either already on unsafe methods (e.g. AesImplementation.GenerateKey, Aes.Rfc3394Wrap) or are not flagged by Roslyn under current configuration. The CI logs for Optimize Enumerable Min/Max final reduction with shuffles #127995 confirm a single failing location.

[dotnet-policy-service]

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

[EgorBo]

@copilot fix X25519DiffieHellmanCng.Windows.cs

[Copilot]

@copilot fix X25519DiffieHellmanCng.Windows.cs

Replaced the awkward unsafe { ... } block with an unsafe modifier on the partial DeriveRawSecretAgreementCore method (declaration in X25519DiffieHellmanCng.cs, Windows impl, and Cng.NotSupported.cs impl). Built successfully for windows. (84b0c3b)

[Copilot]

Pull request overview

This PR fixes a build break in System.Security.Cryptography caused by compiler error CS9361 when using uninitialized stackalloc in a project with assembly-wide [SkipLocalsInit]. The change keeps the method itself in safe code while placing only the stackalloc expression into a narrowly-scoped unsafe block, preserving the original span ref-safety via scoped.

Changes:

• Replaces Span<byte> publicKeyBuffer = stackalloc ... with a scoped Span<byte> local.
• Wraps the uninitialized stackalloc assignment in a minimal unsafe { ... } block to satisfy CS9361.

Show a summary per file

File	Description
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X25519DiffieHellmanCng.Windows.cs	Moves the stackalloc into an unsafe block and uses scoped Span<byte> to retain safe ref-safety while fixing CS9361 under [SkipLocalsInit].

Copilot's findings

• Files reviewed: 1/1 changed files
• Comments generated: 0

[vcsjones]

/ba-g browser-wasm leg timed out. This change does not affect browser wasm, only windows, and all Windows legs passed. Merging to fix build break.

[vcsjones]

Okay, /ba-g doesn’t seem to be working (also seeing in other PRs). Going to try to re-run the failed leg, but a repo admin should feel free to merge if possible.

[vcsjones]

/ba-g