[cfe-dev] ASAN reporting heap overrun when doing a partial store to extended vector

Akira Hatanaka via cfe-dev cfe-dev at lists.llvm.org
Thu Mar 5 12:56:27 PST 2020


> On Mar 4, 2020, at 7:25 PM, Eli Friedman <efriedma at quicinc.com> wrote:
> 
> Your example is arguably UB, but really, the interesting question is whether we’re allowed to introduce a data race on the unmodified elements.  For the struct case, we aren’t.  clang intentionally diverges from that for vector components.
>  
> One reason clang assumes it’s allowed to write to all the vector elements is that the lowering is a bit dubious otherwise.  For example, we don’t want to be forced to lower “vec->even = 1” on a char16 vector to 8 store instructions.
>  

I guess you can still write to ‘vec->lo' or ‘vec->hi' without touching the unmodified elements using a single store? Although that complicates the rules since we are guaranteeing to the users ‘vec->lo/hi’ won’t touch the unmodified elements while ‘vec->even’ or ‘vec->xz’ can.

> -Eli
>  
> From: ahatanaka at apple.com <ahatanaka at apple.com> 
> Sent: Wednesday, March 4, 2020 6:22 PM
> To: Eli Friedman <efriedma at quicinc.com>
> Cc: cfe-dev at lists.llvm.org
> Subject: [EXT] Re: [cfe-dev] ASAN reporting heap overrun when doing a partial store to extended vector
>  
> It’s possible to create a similar example using structs:
>  
> $ cat test.c
>  
> struct S0 {
>   int a, b;
> };
>  
> typedef struct S0 S0;
>  
> void foo1(void) {
>   // allocate only 4 bytes.
>   void *p = malloc(sizeof(int));
>   S0 *p2 = (S0*)p;
>   p2->a = 1;
> }
>  
> If the code above is correct, I suppose the ext_vector code is correct too.
> 
> 
> On Mar 4, 2020, at 3:47 PM, Eli Friedman <efriedma at quicinc.com <mailto:efriedma at quicinc.com>> wrote:
>  
> Unfortunately, the OpenCL standard doesn’t really state anything explicitly here.
>  
> clang does in fact lower the construct in question to a load+shuffle+store, so it’s likely to fail in practice.
>  
> -Eli
>  
> From: cfe-dev <cfe-dev-bounces at lists.llvm.org <mailto:cfe-dev-bounces at lists.llvm.org>> On Behalf OfAkira Hatanaka via cfe-dev
> Sent: Wednesday, March 4, 2020 2:00 PM
> To: clang developer list <cfe-dev at lists.llvm.org <mailto:cfe-dev at lists.llvm.org>>
> Subject: [EXT] Re: [cfe-dev] ASAN reporting heap overrun when doing a partial store to extended vector
>  
> In case it wasn’t clear, malloc is allocating memory that is large enough to contain only the first 16 elements of a vec32. writeVec loads ‘data’ as a vec32, writes ‘value’ to the first 16 elements of the vector, and stores the vec32 vector via pointer ‘data'.
>  
> It's not clear to me whether this is an error in the source code or IRGen.
> 
> 
> 
> On Mar 3, 2020, at 4:56 PM, Akira Hatanaka via cfe-dev <cfe-dev at lists.llvm.org <mailto:cfe-dev at lists.llvm.org>> wrote:
>  
> Does the following code have undefined behavior?
>  
> $ cat test.c
> typedef __attribute__((__ext_vector_type__(32))) unsigned short vec32;
> typedef __attribute__((__ext_vector_type__(16))) unsigned short vec16;
>  
> void writeVec(vec32 *data) {
>   vec16 value = 0xffff;
>   data->lo = value;
> }
>  
> void foo1() {
>   vec32 *p = (vec32 *)malloc(sizeof(unsigned short) * 16);
>   writeVec(p);
> }
> 
> 
> 
> The code above causes ASAN to report a heap overrun because clang creates a vector with 32 elements using vector shuffling and writes it back via the pointer passed to writeVec.
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org <mailto:cfe-dev at lists.llvm.org>
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev <https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20200305/bd939009/attachment-0001.html>


More information about the cfe-dev mailing list