<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Out-of-bounds vector access in MipsLongBranch.cpp"
href="https://bugs.llvm.org/show_bug.cgi?id=34975">34975</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Out-of-bounds vector access in MipsLongBranch.cpp
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Backend: MIPS
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>arichardson.kde@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>I was getting crashes compiling pngtran.c from FreeBSD (well actually
<a href="https://github.com/CTSRD-CHERI/cheribsd/blob/master/contrib/libpng/pngrtran.c">https://github.com/CTSRD-CHERI/cheribsd/blob/master/contrib/libpng/pngrtran.c</a>).
MipsLongBranch.cpp accesses a vector at index -1 because
MachineBasicBlock->getNumber() returns -1
After running creduce I get the following reduced test case:
```
; RUN: llc -mtriple=mips64-unknown-freebsd -target-abi n64 -relocation-model
pic -o /dev/null %s -thread-model posix -mattr=-noabicalls
-mips-ssection-threshold=0 -O2 -vectorize-loops -vectorize-slp
; ModuleID =
'/local/scratch/alr48/cheri/llvm/tools/clang/test/CodeGen/cheri-pngtran-crash.c'
source_filename =
"/local/scratch/alr48/cheri/llvm/tools/clang/test/CodeGen/cheri-pngtran-crash.c"
target datalayout = "E-m:e-i8:8:32-i16:16:32-i64:64-n32:64-S128"
target triple = "mips64-unknown-freebsd"
; Generated from the following creduce source code:
; unsigned char *a;
; *b;
; c, d;
; e() {
; for (; c;)
; if (a[d] >= c) {
; int f = a[d];
; g(b[f]);
; }
; }
@c = common local_unnamed_addr global i32 0, align 4, !dbg !0
@a = common local_unnamed_addr global i8* null, align 8, !dbg !6
@d = common local_unnamed_addr global i32 0, align 4, !dbg !15
@b = common local_unnamed_addr global i32* null, align 8, !dbg !11
; Function Attrs: nounwind
define i32 @e() local_unnamed_addr #0 !dbg !22 {
entry:
%0 = load i32, i32* @c, align 4, !dbg !31, !tbaa !32
%tobool8 = icmp eq i32 %0, 0, !dbg !36
br i1 %tobool8, label %for.end, label %for.body.preheader, !dbg !36
for.body.preheader: ; preds = %entry
br label %for.body, !dbg !37
for.body: ; preds =
%for.body.preheader, %if.end
%1 = phi i32 [ %7, %if.end ], [ %0, %for.body.preheader ]
%2 = load i8*, i8** @a, align 8, !dbg !37, !tbaa !38
%3 = load i32, i32* @d, align 4, !dbg !40, !tbaa !32
%idxprom = sext i32 %3 to i64, !dbg !37
%arrayidx = getelementptr inbounds i8, i8* %2, i64 %idxprom, !dbg !37
%4 = load i8, i8* %arrayidx, align 1, !dbg !37, !tbaa !41
%conv = zext i8 %4 to i32, !dbg !37
%cmp = icmp sgt i32 %1, %conv, !dbg !42
br i1 %cmp, label %if.end, label %if.then, !dbg !43
if.then: ; preds = %for.body
tail call void @llvm.dbg.value(metadata i32 %conv, metadata !26, metadata
!DIExpression()), !dbg !44
%5 = load i32*, i32** @b, align 8, !dbg !45, !tbaa !38
%idxprom5 = zext i8 %4 to i64, !dbg !45
%arrayidx6 = getelementptr inbounds i32, i32* %5, i64 %idxprom5, !dbg !45
%6 = load i32, i32* %arrayidx6, align 4, !dbg !45, !tbaa !32
%call = tail call i32 bitcast (i32 (...)* @g to i32 (i32)*)(i32 signext %6)
#3, !dbg !46
%.pre = load i32, i32* @c, align 4, !dbg !31, !tbaa !32
br label %if.end, !dbg !47
if.end: ; preds = %for.body, %if.then
%7 = phi i32 [ %1, %for.body ], [ %.pre, %if.then ], !dbg !31
%tobool = icmp eq i32 %7, 0, !dbg !36
br i1 %tobool, label %for.end, label %for.body, !dbg !36, !llvm.loop !48
for.end: ; preds = %if.end, %entry
ret i32 undef, !dbg !50
}
declare i32 @g(...) local_unnamed_addr #1
; Function Attrs: nounwind readnone speculatable
declare void @llvm.dbg.value(metadata, metadata, metadata) #2
attributes #0 = { nounwind "correctly-rounded-divide-sqrt-fp-math"="false"
"disable-tail-calls"="false" "less-precise-fpmad"="false"
"no-frame-pointer-elim"="false" "no-infs-fp-math"="false"
"no-jump-tables"="false" "no-nans-fp-math"="false"
"no-signed-zeros-fp-math"="false" "no-trapping-math"="false"
"stack-protector-buffer-size"="8" "target-features"="+mips64r2,-noabicalls"
"unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #1 = { "correctly-rounded-divide-sqrt-fp-math"="false"
"disable-tail-calls"="false" "less-precise-fpmad"="false"
"no-frame-pointer-elim"="false" "no-infs-fp-math"="false"
"no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false"
"no-trapping-math"="false" "stack-protector-buffer-size"="8"
"target-features"="+mips64r2,-noabicalls" "unsafe-fp-math"="false"
"use-soft-float"="false" }
attributes #2 = { nounwind readnone speculatable }
attributes #3 = { nounwind }
!llvm.dbg.cu = !{!2}
!llvm.module.flags = !{!17, !18, !19, !20}
!llvm.ident = !{!21}
!0 = !DIGlobalVariableExpression(var: !1, expr: !DIExpression())
!1 = distinct !DIGlobalVariable(name: "c", scope: !2, file: !8, line: 8, type:
!14, isLocal: false, isDefinition: true)
!2 = distinct !DICompileUnit(language: DW_LANG_C99, file: !3, producer: "clang
version 6.0.0 (<a href="https://github.com/llvm-mirror/clang.git">https://github.com/llvm-mirror/clang.git</a>
165a8e26e9e20fb1b38c4a1572cf493ad56038ae)
(<a href="https://github.com/llvm-mirror/llvm.git">https://github.com/llvm-mirror/llvm.git</a>
b6680e9e29feb7e0fe92fc607745027ae033797f)", isOptimized: true, runtimeVersion:
0, emissionKind: FullDebug, enums: !4, globals: !5)
!3 = !DIFile(filename:
"/local/scratch/alr48/cheri/llvm/tools/clang/test/CodeGen/<stdin>", directory:
"/local/scratch/alr48/cheri/llvm/cmake-build-debug/tools/clang/test/CodeGen")
!4 = !{}
!5 = !{!6, !11, !0, !15}
!6 = !DIGlobalVariableExpression(var: !7, expr: !DIExpression())
!7 = distinct !DIGlobalVariable(name: "a", scope: !2, file: !8, line: 6, type:
!9, isLocal: false, isDefinition: true)
!8 = !DIFile(filename:
"/local/scratch/alr48/cheri/llvm/tools/clang/test/CodeGen/cheri-pngtran-crash.c",
directory:
"/local/scratch/alr48/cheri/llvm/cmake-build-debug/tools/clang/test/CodeGen")
!9 = !DIDerivedType(tag: DW_TAG_pointer_type, baseType: !10, size: 64)
!10 = !DIBasicType(name: "unsigned char", size: 8, encoding:
DW_ATE_unsigned_char)
!11 = !DIGlobalVariableExpression(var: !12, expr: !DIExpression())
!12 = distinct !DIGlobalVariable(name: "b", scope: !2, file: !8, line: 7, type:
!13, isLocal: false, isDefinition: true)
!13 = !DIDerivedType(tag: DW_TAG_pointer_type, baseType: !14, size: 64)
!14 = !DIBasicType(name: "int", size: 32, encoding: DW_ATE_signed)
!15 = !DIGlobalVariableExpression(var: !16, expr: !DIExpression())
!16 = distinct !DIGlobalVariable(name: "d", scope: !2, file: !8, line: 8, type:
!14, isLocal: false, isDefinition: true)
!17 = !{i32 2, !"Dwarf Version", i32 2}
!18 = !{i32 2, !"Debug Info Version", i32 3}
!19 = !{i32 1, !"wchar_size", i32 4}
!20 = !{i32 7, !"PIC Level", i32 2}
!21 = !{!"clang version 6.0.0 (<a href="https://github.com/llvm-mirror/clang.git">https://github.com/llvm-mirror/clang.git</a>
165a8e26e9e20fb1b38c4a1572cf493ad56038ae)
(<a href="https://github.com/llvm-mirror/llvm.git">https://github.com/llvm-mirror/llvm.git</a>
b6680e9e29feb7e0fe92fc607745027ae033797f)"}
!22 = distinct !DISubprogram(name: "e", scope: !8, file: !8, line: 9, type:
!23, isLocal: false, isDefinition: true, scopeLine: 9, isOptimized: true, unit:
!2, variables: !25)
!23 = !DISubroutineType(types: !24)
!24 = !{!14}
!25 = !{!26}
!26 = !DILocalVariable(name: "f", scope: !27, file: !8, line: 12, type: !14)
!27 = distinct !DILexicalBlock(scope: !28, file: !8, line: 11, column: 20)
!28 = distinct !DILexicalBlock(scope: !29, file: !8, line: 11, column: 9)
!29 = distinct !DILexicalBlock(scope: !30, file: !8, line: 10, column: 3)
!30 = distinct !DILexicalBlock(scope: !22, file: !8, line: 10, column: 3)
!31 = !DILocation(line: 10, column: 10, scope: !29)
!32 = !{!33, !33, i64 0}
!33 = !{!"int", !34, i64 0}
!34 = !{!"omnipotent char", !35, i64 0}
!35 = !{!"Simple C/C++ TBAA"}
!36 = !DILocation(line: 10, column: 3, scope: !30)
!37 = !DILocation(line: 11, column: 9, scope: !28)
!38 = !{!39, !39, i64 0}
!39 = !{!"any pointer", !34, i64 0}
!40 = !DILocation(line: 11, column: 11, scope: !28)
!41 = !{!34, !34, i64 0}
!42 = !DILocation(line: 11, column: 14, scope: !28)
!43 = !DILocation(line: 11, column: 9, scope: !29)
!44 = !DILocation(line: 12, column: 11, scope: !27)
!45 = !DILocation(line: 13, column: 9, scope: !27)
!46 = !DILocation(line: 13, column: 7, scope: !27)
!47 = !DILocation(line: 14, column: 5, scope: !27)
!48 = distinct !{!48, !36, !49}
!49 = !DILocation(line: 14, column: 5, scope: !30)
!50 = !DILocation(line: 15, column: 1, scope: !22)
```
I tried the following patch but then I get an assertion later on in
MipsAsmPrinter:
```
diff --git a/lib/Target/Mips/MipsLongBranch.cpp
b/lib/Target/Mips/MipsLongBranch.cpp
index 64904ec..b95597e 100644
--- a/lib/Target/Mips/MipsLongBranch.cpp
+++ b/lib/Target/Mips/MipsLongBranch.cpp
@@ -501,6 +501,11 @@ bool MipsLongBranch::runOnMachineFunction(MachineFunction
&F) {
if (!I->Br || I->HasLongBranch)
continue;
+ // Also skip it if the target basic block is not in a MachineFunction to
+ // avoid accessing MBBInfos at index -1
+ if (getTargetMBB(*I->Br)->getNumber() == -1)
+ continue;
+
int ShVal = STI.inMicroMipsMode() ? 2 : 4;
int64_t Offset = computeOffset(I->Br) / ShVal;
```</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>