<div dir="ltr"><div class="gmail_quote"><div>Should probably pull this into the release as it fixes something that could miscompile in the future with a new host compiler.</div><div dir="ltr"><br></div><div dir="ltr">On Mon, Aug 3, 2015 at 5:49 PM Chandler Carruth <<a href="mailto:chandlerc@gmail.com">chandlerc@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: chandlerc<br>
Date: Mon Aug  3 19:44:07 2015<br>
New Revision: 243927<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=243927&view=rev" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project?rev=243927&view=rev</a><br>
Log:<br>
[UB] Fix a nasty place where we would pass null pointers to memcpy.<br>
<br>
This happens to work, but is not guaranteed to work. Indeed, most memcpy<br>
interfaces in Linux-land annotate these arguments as nonnull, and GCC<br>
and LLVM both can and do optimize based upon that. When they do so,<br>
they might legitimately have miscompiled code calling this routine with<br>
two valid iterators, 'nullptr' and 'nullptr'. There was even code doing<br>
precisely this because StringRef().begin() and StringRef().end() both<br>
produce null pointers.<br>
<br>
This was found by UBSan.<br>
<br>
Modified:<br>
    llvm/trunk/include/llvm/ADT/SmallVector.h<br>
<br>
Modified: llvm/trunk/include/llvm/ADT/SmallVector.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/ADT/SmallVector.h?rev=243927&r1=243926&r2=243927&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/include/llvm/ADT/SmallVector.h?rev=243927&r1=243926&r2=243927&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/include/llvm/ADT/SmallVector.h (original)<br>
+++ llvm/trunk/include/llvm/ADT/SmallVector.h Mon Aug  3 19:44:07 2015<br>
@@ -315,8 +315,10 @@ protected:<br>
                                            T2>::value>::type * = nullptr) {<br>
     // Use memcpy for PODs iterated by pointers (which includes SmallVector<br>
     // iterators): std::uninitialized_copy optimizes to memmove, but we can<br>
-    // use memcpy here.<br>
-    memcpy(Dest, I, (E-I)*sizeof(T));<br>
+    // use memcpy here. Note that I and E are iterators and thus might be<br>
+    // invalid for memcpy if they are equal.<br>
+    if (I != E)<br>
+      memcpy(Dest, I, (E - I) * sizeof(T));<br>
   }<br>
<br>
   /// Double the size of the allocated memory, guaranteeing space for at<br>
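Review bot: the new comment in this hunk names the wrong condition. "might be invalid for memcpy if they are equal" suggests an empty range is the problem, but a zero-length memcpy on two valid pointers is fine; the actual hazard, as the log message says, is that an empty source such as StringRef() yields null begin()/end() pointers, and memcpy's pointer parameters are nonnull even when the length is zero. Suggest rewording to something like `// I and E may both be null for an empty range (e.g. StringRef().begin()),` / `// and memcpy's pointer arguments are nonnull even for a zero-length copy.` so a later reader does not "simplify" the guard away. The `if (I != E)` check itself is the right shape of fix, since it avoids the call rather than relying on the length being zero; a regression test exercising this path under -fsanitize=undefined would keep it that way.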
<br>
<br>
_______________________________________________<br>
llvm-commits mailing list<br>
<a href="mailto:llvm-commits@cs.uiuc.edu" target="_blank">llvm-commits@cs.uiuc.edu</a><br>
<a href="http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits" rel="noreferrer" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits</a><br>
</blockquote></div></div>
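For the mechanism the commit message describes, here is an added example that is not LLVM's code: `StrRef` is a constructed stand-in for llvm::StringRef (default-constructed, so begin() and end() are both null), and `copyRangeUnguarded`/`copyRangeGuarded` mirror the before and after shapes of the SmallVector helper in the hunk. The `srcLooksNullAfterMemcpy` function and the two `check*` helpers are also constructed for illustration; the claim about GCC folding the comparison is an assumption about -fdelete-null-pointer-checks, not something the patch states.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <cstring>

// Constructed stand-in for llvm::StringRef (hypothetical name StrRef): a
// default-constructed one has Data == nullptr and Length == 0, so begin() and
// end() are both null pointers, exactly the case the commit message mentions.
struct StrRef {
  const char *Data;
  std::size_t Length;
  StrRef() : Data(nullptr), Length(0) {}
  StrRef(const char *D, std::size_t L) : Data(D), Length(L) {}
  const char *begin() const { return Data; }
  const char *end() const { return Data + Length; } // nullptr + 0 is nullptr in C++
};

// The 'before' shape of the SmallVector helper: memcpy is reached even when
// I == E, so an empty StrRef hands two null pointers to memcpy. memcpy's
// pointer parameters are nonnull, so this is undefined behaviour regardless of
// the zero length; UBSan (-fsanitize=nonnull-attribute) reports it.
std::size_t copyRangeUnguarded(char *Dest, const char *I, const char *E) {
  std::size_t N = static_cast<std::size_t>(E - I);
  std::memcpy(Dest, I, N);
  return N;
}

// The 'after' shape: skip memcpy for an empty range, so iterators that may be
// null are never passed to it.
std::size_t copyRangeGuarded(char *Dest, const char *I, const char *E) {
  if (I == E)
    return 0;
  std::size_t N = static_cast<std::size_t>(E - I);
  std::memcpy(Dest, I, N);
  return N;
}

// Why the null matters even for a zero-length copy: after the memcpy call the
// optimizer may assume Src is non-null (assumption: GCC does this via
// -fdelete-null-pointer-checks, which is on at -O2), so the comparison below
// can be folded to false. A later "is it null?" guard in a caller disappears
// the same way, which is the miscompile the commit message warns about.
bool srcLooksNullAfterMemcpy(char *Dest, const char *Src, std::size_t N) {
  std::memcpy(Dest, Src, N);
  return Src == nullptr;
}

// The exact case from the commit: both iterators null. Returns true when the
// guarded copy writes nothing and reports zero bytes.
bool checkEmptyNullRange() {
  char Buf[8];
  std::memset(Buf, 'x', sizeof Buf);
  StrRef Empty;
  std::size_t N = copyRangeGuarded(Buf, Empty.begin(), Empty.end());
  return N == 0 && Buf[0] == 'x';
}

// Non-empty range: both versions copy the same bytes, so the guard changes
// nothing for the case that was already well defined.
bool checkNonEmptyRange() {
  char A[8] = {}, B[8] = {};
  StrRef Hello("hello", 5);
  std::size_t N1 = copyRangeGuarded(A, Hello.begin(), Hello.end());
  std::size_t N2 = copyRangeUnguarded(B, Hello.begin(), Hello.end());
  return N1 == 5 && N2 == 5 && std::memcmp(A, "hello", 5) == 0 &&
         std::memcmp(B, "hello", 5) == 0;
}

int main() {
  std::printf("empty null range handled: %s\n",
              checkEmptyNullRange() ? "yes" : "no");
  std::printf("non-empty range copied: %s\n",
              checkNonEmptyRange() ? "yes" : "no");
  return 0;
}
```

Build it with `-fsanitize=undefined` and call `copyRangeUnguarded` with `StrRef().begin()`/`StrRef().end()` to see the report the commit message refers to; the guarded version stays silent on the same input.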