[LLVMdev] MachineCodeEmitter Patch

Thomas Jablin tjablin at cs.princeton.edu
Sat Nov 22 12:44:44 PST 2008

The following code:


char bigArray[0x1000000];

int main(int argc, char **argv) {
  printf("mem: 0x%x\n", (unsigned) bigArray);
  return 0;

causes lli to silently fail, even though it compiles correctly with 
llc.  The reason is that in JITEmitter.cpp only checks to see if 
CurBufferPtr == BufferEnd at the beginning of the function and not after 
all relocations have been handled. I have fixed this bug by adding an 
additional check after all relocations have been completed. In the 
process of fixing this bug, I happened to look through the code in 
MachineCodeEmitter.h.  The buffer size checks in MachineCodeEmitter.h 
all suffer from an integer overflow bug.  For example in allocateSpace 
the code reads:

    // Allocate the space.
    CurBufferPtr += Size;
     // Check for buffer overflow.
    if (CurBufferPtr >= BufferEnd) {

This is wrong because Size + CurBufferPtr can cause an integer overflow 
and thus appear to be less than BufferEnd.  The correct way to check for 
the end of a buffer is always:

(Size >= BufferEnd-CurBufferPtr)

This integer overflow bug causes the program:

char b = 'b';
char c[0x8000000];

int main(int argc, char **argv) {
  printf("%c\n", c[0]);
  return 0;
to segfault in lli.

Finally, I have changed several instances of intptr_t to uintptr_t to 
avoid dangerous comparisons between signed and unsigned types. Code 
review of the enclosed patch would be greatly appreciated. Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FixEmitter.diff
Type: text/x-patch
Size: 13801 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20081122/eeab4fe0/attachment.bin>

More information about the llvm-dev mailing list