[llvm-bugs] [Bug 26600] New: Loop vectorization creates an unsafe out-of-bounds load
via llvm-bugs
llvm-bugs at lists.llvm.org
Fri Feb 12 17:59:30 PST 2016
https://llvm.org/bugs/show_bug.cgi?id=26600
Bug ID: 26600
Summary: Loop vectorization creates an unsafe out-of-bounds load
Product: libraries
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: Loop Optimizer
Assignee: unassignedbugs at nondot.org
Reporter: eugeni.stepanov at gmail.com
CC: llvm-bugs at lists.llvm.org
Classification: Unclassified
Created attachment 15898
--> https://llvm.org/bugs/attachment.cgi?id=15898&action=edit
badly vectorized IR
See C++ test case below. When built with -O2, this crashes on Android/ARM due
to a 4-byte right OOB access (caught by ASan, btw).

$ bin/clang++ 1.cc --sysroot $TOOLCHAIN/sysroot/ -B$TOOLCHAIN -target armv7-linux-android -O2 -fPIC -pie

#include <stdio.h>
#include <sys/mman.h>
#include <new>

struct A {
  int a, b;
};

struct S {
  char pad[4096 - sizeof(A) * 20];
  A a[20];
};

__attribute__((noinline))
int f(A *a, int len) {
  int sum = 0;
  for (int i = 0; i < len; ++i)
    sum += a[i].b;
  return sum;
}

int main() {
  char *p = (char *)mmap(0, 4096 * 2, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
  mprotect(p + 4096, 4096, PROT_NONE);
  S *s = new(p) S();
  int n = f(s->a, sizeof(s->a) / sizeof(s->a[0]));
  fprintf(stderr, "done %d\n", n);
}

Vectorized code (attached) does 32-byte loads starting at
a[0].b, a[4].b, a[8].b, a[12].b, a[16].b
The last one overflows 4 bytes to the right.
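
Added example, not part of the original report or of LLVM: a small model of the load footprint described above, plus one in-bounds way to compute the same sum. It assumes 4-byte int (so sizeof(A) == 8); overrun_bytes, sum_b_safe, VF and LOAD_BYTES are names made up for this illustration.

```cpp
// Added example (not from the bug report): byte footprint of the wide loads.
#include <cstddef>
#include <cstdio>
#include <cstring>

struct A { int a, b; };                        // same layout as the report's struct A
constexpr int VF = 4;                          // elements consumed per vector iteration
constexpr size_t LOAD_BYTES = VF * sizeof(A);  // 32 bytes, assuming 4-byte int

// Largest number of bytes any wide load reads past the end of an array of
// `len` elements when each load starts `first_off` bytes into a[i],
// for i = 0, VF, 2*VF, ... Returns 0 if every load stays in bounds.
size_t overrun_bytes(int len, size_t first_off) {
    size_t array_end = (size_t)len * sizeof(A), worst = 0;
    for (int i = 0; i + VF <= len; i += VF) {
        size_t load_end = (size_t)i * sizeof(A) + first_off + LOAD_BYTES;
        if (load_end > array_end && load_end - array_end > worst)
            worst = load_end - array_end;
    }
    return worst;
}

// In-bounds variant of the report's f(): every wide load starts at the
// struct base (a[i].a), so its 32 bytes are exactly a[i..i+3].
int sum_b_safe(const A *a, int len) {
    int sum = 0, i = 0;
    for (; i + VF <= len; i += VF) {
        int lanes[2 * VF];
        std::memcpy(lanes, &a[i], LOAD_BYTES);  // models one 32-byte load of a[i..i+3]
        for (int k = 0; k < VF; ++k)
            sum += lanes[2 * k + 1];            // odd lanes hold the .b members
    }
    for (; i < len; ++i)                        // scalar tail for the len % VF leftovers
        sum += a[i].b;
    return sum;
}

int main() {
    A arr[20];                                  // constructed input, 20 elements as in the report
    for (int i = 0; i < 20; ++i) { arr[i].a = i; arr[i].b = 2 * i; }
    std::printf("load from .b: overrun %zu bytes\n", overrun_bytes(20, offsetof(A, b)));
    std::printf("load from .a: overrun %zu bytes\n", overrun_bytes(20, offsetof(A, a)));
    std::printf("sum_b_safe = %d\n", sum_b_safe(arr, 20));
    return 0;
}
```

In this model the overrun appears only when the last full group of four elements ends exactly at the end of the array, which is the case for len = 20 in the test case.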