<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - Loop vectorization creates an unsafe out-of-bounds load"
href="https://llvm.org/bugs/show_bug.cgi?id=26600">26600</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Loop vectorization creates an unsafe out-of-bounds load
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Loop Optimizer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>eugeni.stepanov@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=15898" name="attach_15898" title="badly vectorized IR">attachment 15898</a></span>
badly vectorized IR
See C++ test case below. When built with -O2, this crashes on Android/ARM due
to a 4-byte right OOB access (caught by ASan, btw).

$ bin/clang++ 1.cc --sysroot $TOOLCHAIN/sysroot/ -B$TOOLCHAIN -target armv7-linux-android -O2 -fPIC -pie

#include &lt;stdio.h&gt;
#include &lt;sys/mman.h&gt;
#include &lt;new&gt;

struct A {
  int a, b;
};

// Sized so that the array a[] ends exactly at the end of a 4096-byte page.
struct S {
  char pad[4096 - sizeof(A) * 20];
  A a[20];
};

__attribute__((noinline))
int f(A *a, int len) {
  int sum = 0;
  for (int i = 0; i &lt; len; ++i)
    sum += a[i].b;
  return sum;
}

int main() {
  // Map two pages and make the second one inaccessible.
  char *p = (char *)mmap(0, 4096 * 2, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
  mprotect(p + 4096, 4096, PROT_NONE);
  S *s = new(p) S();
  int n = f(s-&gt;a, sizeof(s-&gt;a) / sizeof(s-&gt;a[0]));
  fprintf(stderr, "done %d\n", n);
}

Vectorized code (attached) does 32-byte loads starting at
a[0].b, a[4].b, a[8].b, a[12].b, a[16].b
The last one overflows 4 bytes to the right.</pre>
</div>
</p>
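<p>Added example, not part of the original report and not LLVM code: a small C model of the access pattern the report describes, showing where the 4 out-of-bounds bytes come from. The 32-byte load width and the 4-element grouping are taken from the report; the function names and the assumption that leftover elements go through a scalar loop are this example's own.</p>

```c
#include <stddef.h>
#include <stdio.h>

/* Element type from the reproducer: two 4-byte ints, 8 bytes per element. */
struct A { int a, b; };

/* Model parameters taken from the report's description:
 * 32-byte loads, one per group of 4 elements (a[0].b, a[4].b, ...). */
enum { LOAD_BYTES = 32, ELEMS_PER_LOAD = 4 };

/* Exclusive end offset (in bytes from a[0]) of the wide load that covers
 * elements [first, first + ELEMS_PER_LOAD) and starts at field `field_off`. */
size_t load_end(size_t first, size_t field_off) {
    return first * sizeof(struct A) + field_off + LOAD_BYTES;
}

/* Bytes read past the end of an n-element array by the vector body.
 * Assumption of this model: only whole groups of ELEMS_PER_LOAD elements
 * use wide loads; any leftover elements go through a scalar loop. */
size_t overread_bytes(size_t n, size_t field_off) {
    size_t array_bytes = n * sizeof(struct A);
    size_t groups = n / ELEMS_PER_LOAD;
    if (groups == 0)
        return 0;                      /* no wide load is issued at all */
    size_t last_end = load_end((groups - 1) * ELEMS_PER_LOAD, field_off);
    return last_end > array_bytes ? last_end - array_bytes : 0;
}

int main(void) {
    size_t off_b = offsetof(struct A, b);
    /* The five loads of the reproducer (n = 20, array is 160 bytes). */
    for (size_t first = 0; first < 20; first += ELEMS_PER_LOAD)
        printf("load at a[%zu].b covers bytes [%zu, %zu) of 160\n", first,
               first * sizeof(struct A) + off_b, load_end(first, off_b));
    printf("n=20, start at .b: %zu bytes past the end\n",
           overread_bytes(20, off_b));
    printf("n=20, start at .a: %zu bytes past the end\n",
           overread_bytes(20, offsetof(struct A, a)));
    printf("n=22, start at .b: %zu bytes past the end\n",
           overread_bytes(22, off_b));
    return 0;
}
```

<p>In the reproducer the array ends exactly at a page boundary and the next page is PROT_NONE, so the 4 bytes past the end land on the inaccessible page.</p>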
</body>
</html>