[clang] [clang][bytecode] Check memcmp builtin for one-past-the-end pointers (PR #170097)

Timm Baeder via cfe-commits cfe-commits at lists.llvm.org
Mon Dec 1 02:53:08 PST 2025 

https://github.com/tbaederr created https://github.com/llvm/llvm-project/pull/170097

We can't read from those and will run into an assertion sooner or later.

Fixes https://github.com/llvm/llvm-project/issues/170031

>From 7c06ab9982df94bb3253fa34a924c8621509d749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timm=20B=C3=A4der?= <tbaeder at redhat.com>
Date: Mon, 1 Dec 2025 11:51:58 +0100
Subject: [PATCH] [clang][bytecode] Check memcmp builtin for one-past-the-end
 pointers

We can't read from those and will run into an assertion sooner or later.

Fixes https://github.com/llvm/llvm-project/issues/170031
---
 clang/lib/AST/ByteCode/InterpBuiltin.cpp      | 4 ++++
 clang/test/AST/ByteCode/builtin-functions.cpp | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/clang/lib/AST/ByteCode/InterpBuiltin.cpp b/clang/lib/AST/ByteCode/InterpBuiltin.cpp
index 8496b58105c7a..971fce541bb88 100644
--- a/clang/lib/AST/ByteCode/InterpBuiltin.cpp
+++ b/clang/lib/AST/ByteCode/InterpBuiltin.cpp
@@ -1921,6 +1921,10 @@ static bool interp__builtin_memcmp(InterpState &S, CodePtr OpPC,
   if (PtrA.isDummy() || PtrB.isDummy())
     return false;
 
+  if (!CheckRange(S, OpPC, PtrA, AK_Read) ||
+      !CheckRange(S, OpPC, PtrB, AK_Read))
+    return false;
+
   // Now, read both pointers to a buffer and compare those.
   BitcastBuffer BufferA(
       Bits(ASTCtx.getTypeSize(ElemTypeA) * PtrA.getNumElems()));
diff --git a/clang/test/AST/ByteCode/builtin-functions.cpp b/clang/test/AST/ByteCode/builtin-functions.cpp
index 4a53cb66b2fdd..3076b5239ebbe 100644
--- a/clang/test/AST/ByteCode/builtin-functions.cpp
+++ b/clang/test/AST/ByteCode/builtin-functions.cpp
@@ -1545,6 +1545,13 @@ namespace Memcmp {
 
   int unknown;
   void foo(void) { unknown *= __builtin_memcmp(0, 0, 2); }
+
+  constexpr int onepasttheend(char a) {
+    __builtin_memcmp(&a, &a + 1, 1); // both-note {{read of dereferenced one-past-the-end pointer}}
+    return 1;
+  }
+  static_assert(onepasttheend(10)); // both-error {{not an integral constant expression}} \
+                                    // both-note {{in call to}}
 }
 
 namespace Memchr {

More information about the cfe-commits mailing list