[LLVMbugs] [Bug 12046] New: Out-of-bounds access on a stack allocation on ARM

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Mon Feb 20 23:56:35 PST 2012


http://llvm.org/bugs/show_bug.cgi?id=12046

             Bug #: 12046
           Summary: Out-of-bounds access on a stack allocation on ARM
           Product: clang
           Version: trunk
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: LLVM Codegen
        AssignedTo: unassignedclangbugs at nondot.org
        ReportedBy: eugeni.stepanov at gmail.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified


Created attachment 8082
  --> http://llvm.org/bugs/attachment.cgi?id=8082
the reproducer

See 1.ii in the attachment.

# ./Release+Asserts/bin/clang -target arm-eabi -S -O2 -emit-llvm 1.ii -o -

[...]

%struct.B = type { i8* }
%struct.S = type { %struct.A, %struct.B }
%struct.A = type { i8*, i8*, i8* }

define i32 @_Z2ffv() {
entry:
  %zz = alloca %struct.B, align 4
  %agg.tmp = alloca i96, align 8
  %tmpcast = bitcast i96* %agg.tmp to %struct.S*
  %p = getelementptr inbounds %struct.B* %zz, i32 0, i32 0
  %0 = load volatile i8** %p, align 4, !tbaa !0
  %1 = ptrtoint i8* %0 to i32
  store i96 0, i96* %agg.tmp, align 8
  %2 = getelementptr inbounds %struct.S* %tmpcast, i32 0, i32 1, i32 0
  store i8* %0, i8** %2, align 4
  call void @_Z10zzz_insert1S(%struct.S* %tmpcast)
  ret i32 %1
}

[...]

Note that %agg.tmp is allocated as a 12-byte temp, and bitcasted to a 16-byte
sized aggregate. Then the last store in the function writes to bytes 12-16.

This results in a false positive in AddressSanitizer.

Omitting -eabi in the target triple avoids the issue (%agg.tmp is properly
allocated as %struct.S then).
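An added example (not part of the bug report or of LLVM) that shows how the mismatch the reporter describes can be detected mechanically: it parses the IR excerpt quoted above, computes type sizes under an assumed 32-bit datalayout (4-byte pointers, natural alignment capped at 8; an approximation of arm-eabi, not the real datalayout), and flags every alloca that is bitcast to a pointer whose pointee type is larger than the allocation. The regular expressions, the size model and the function names are this example's own assumptions; only the IR text is from the report.

```python
"""Flag allocas that are bitcast to a pointer to a larger type.

Added example, not from the bug report: it reads the IR excerpt quoted in
the report and flags %agg.tmp, a 12-byte i96 alloca that is bitcast to
%struct.S* (16 bytes on a 32-bit target), which is the mismatch that lets
the final store run past the end of the stack slot.
"""
import re

# Assumption: arm-eabi has 32-bit pointers; integer types use natural
# alignment capped at 8 bytes. This approximates a datalayout, it is not
# the real target description.
POINTER_SIZE = 4

# IR excerpt copied from the bug report (old typed-pointer syntax).
IR = """\
%struct.B = type { i8* }
%struct.S = type { %struct.A, %struct.B }
%struct.A = type { i8*, i8*, i8* }

define i32 @_Z2ffv() {
entry:
  %zz = alloca %struct.B, align 4
  %agg.tmp = alloca i96, align 8
  %tmpcast = bitcast i96* %agg.tmp to %struct.S*
  %p = getelementptr inbounds %struct.B* %zz, i32 0, i32 0
  %0 = load volatile i8** %p, align 4, !tbaa !0
  %1 = ptrtoint i8* %0 to i32
  store i96 0, i96* %agg.tmp, align 8
  %2 = getelementptr inbounds %struct.S* %tmpcast, i32 0, i32 1, i32 0
  store i8* %0, i8** %2, align 4
  call void @_Z10zzz_insert1S(%struct.S* %tmpcast)
  ret i32 %1
}
"""

STRUCT_RE = re.compile(r'^(%[\w.]+) = type \{ (.*) \}\s*$', re.M)
ALLOCA_RE = re.compile(r'^\s*(%[\w.]+) = alloca ([^,\n]+)', re.M)
BITCAST_RE = re.compile(r'^\s*(%[\w.]+) = bitcast (\S+) (%[\w.]+) to (\S+)', re.M)


def parse_structs(ir):
    """Map struct name -> list of field type strings (flat fields only)."""
    return {name: [f.strip() for f in body.split(',')]
            for name, body in STRUCT_RE.findall(ir)}


def size_and_align(ty, structs):
    """Return (size, alignment) in bytes under the assumed datalayout."""
    ty = ty.strip()
    if ty.endswith('*'):
        return POINTER_SIZE, POINTER_SIZE
    m = re.fullmatch(r'i(\d+)', ty)
    if m:
        size = (int(m.group(1)) + 7) // 8
        return size, min(size, 8)
    if ty in structs:
        offset, align = 0, 1
        for field in structs[ty]:
            fsize, falign = size_and_align(field, structs)
            offset = (offset + falign - 1) // falign * falign  # pad to field alignment
            offset += fsize
            align = max(align, falign)
        return (offset + align - 1) // align * align, align  # tail padding
    raise ValueError('unsupported type: ' + ty)


def type_size(ty, structs):
    return size_and_align(ty, structs)[0]


def find_undersized_bitcasts(ir):
    """Return (cast_name, alloca_name, alloca_bytes, pointee_bytes) for each
    bitcast of an alloca to a pointer whose pointee is larger than the slot."""
    structs = parse_structs(ir)
    allocas = {name: type_size(ty, structs) for name, ty in ALLOCA_RE.findall(ir)}
    findings = []
    for cast, _src_ty, src, dst_ty in BITCAST_RE.findall(ir):
        if src not in allocas or not dst_ty.endswith('*'):
            continue
        dst_size = type_size(dst_ty[:-1], structs)
        if dst_size > allocas[src]:
            findings.append((cast, src, allocas[src], dst_size))
    return findings


if __name__ == '__main__':
    for cast, src, have, need in find_undersized_bitcasts(IR):
        print(f'{cast}: {src} is {have} bytes but is used as a {need}-byte object')
```

Running it on the excerpt reports %tmpcast: %agg.tmp is 12 bytes but is used as a 16-byte object, which is exactly the slot AddressSanitizer's redzone check trips on. The check is deliberately narrow (flat struct bodies, integer and pointer fields); real IR would need the module's own target datalayout and LLVM's DataLayout API rather than this hand-rolled size model.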
