<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/86717>86717</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
AAarch64 backend turning OOB insertelement into OOB store
</td>
</tr>
<tr>
<th>Labels</th>
<td>
backend:AArch64,
llvm:codegen,
miscompilation
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
regehr
</td>
</tr>
</table>
<pre>
this function:
```llvm
define <16 x i8> @f(i32 %0) {
%2 = sub nuw i32 1, %0
%3 = insertelement <16 x i8> zeroinitializer, i8 3, i32 %2
ret <16 x i8> %3
}
```
is getting lowered to this AArch64:
```
_f: ; @f
sub sp, sp, #16
movi.2d v0, #0000000000000000
mov w8, #1 ; =0x1
mov x9, sp
sub w8, w8, w0
mov w10, #3 ; =0x3
orr x8, x9, x8
str q0, [sp]
strb w10, [x8]
ldr q0, [sp], #16
ret
```
I believe this is incorrect. if we pass an argument such as 5 into this function, then we get -4 put into w8, resulting in a nonsense address after we orr -4 with sp.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJyMVF2zmyAQ_TX4snMzCH4--GCSZqZP9yd0UFelNWABk_T--g6Sr-behzoOjuzZc9gDrLBWDgqxIumWpPtILG7UpjI44GiiRnd_KjdKC_2iWie1IrwmdE9oTTIa3mk6HcNUh71UCITv4gwuIAvCvwFJaE9YITkDwlJKWAkk34YE8FMMCN-DXRpQyxk8LiZsF8APFF9RUlk0Dic8onIvQh9otFTSSTHJDzSeQxbA128QZ1c-g6-5XuBaVr5_qS_8SgsDOifVAJM-o8EOnIbVmro27Zgln50Jvz96wmv4n4fwbbAr0NDSLo0fZ19DGAnjcXaPH_VJblhHaHmi1yh9eZ6xhJbn4sYS1PieXuIXzKW86v27jJB6HT_xxrcF8Acxv4O0MZ54zQ30l-JB73zwdyBIt3Ym6f452Dzxp9tL8Ryeui9yP_lk0H25Nd-hwUniCcNG-le12hhs3QZkD2eEWVgLQoEww7IeOru0IwgLKUh1OwH3y8F24EZUPnFAB28JzIsLwGCcQbtM6ymSCgQorSwqiyC6zqBX6h0an66N8eln6Uaw8ybqKt6VvBQRVnEex0lB87yMxqpt8rJpG44Za7IS-1Kkbdyn2KQUM562kawYZQnlLIvLuOTlJusEK2ifZjnrkrxvSELxKOS08Rd5o80QSWsXrIosj_NoEg1Odu0OjDWi_YWqI7y-nXnGCNsRxtYmwOtWdziguk8fpW31cZaTCPYw32JM5dFvzTJYktBJWmcf2k66Cau6Fis_XBXBLUZ5197fty9NYDXXT1unDUaLmarRudn668gOhB0G6cal2bT6SNhhXWf4vM1G_8TWEXZYC7aEHdaa_wYAAP__GslsgA">