[PATCH] D106462: [SROA] prevent crash on large memset length (PR50910)

Sanjay Patel via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Jul 21 10:18:31 PDT 2021 

spatel created this revision.
spatel added reviewers: reames, cherry.
Herald added subscribers: hiraditya, mcrosier.
spatel requested review of this revision.
Herald added a project: LLVM.

I don't know much about this pass, but we need a stronger check on the memset length arg to avoid an assert. The current code was added with D59000 <https://reviews.llvm.org/D59000>.
The test is reduced from:
https://llvm.org/PR50910


https://reviews.llvm.org/D106462

Files:
  llvm/lib/Transforms/Scalar/SROA.cpp
  llvm/test/Transforms/SROA/slice-width.ll


Index: llvm/test/Transforms/SROA/slice-width.ll
===================================================================
--- llvm/test/Transforms/SROA/slice-width.ll
+++ llvm/test/Transforms/SROA/slice-width.ll
@@ -4,6 +4,7 @@
 
 declare void @llvm.memcpy.p0i8.p0i8.i32(i8* nocapture, i8* nocapture, i32, i1) nounwind
 declare void @llvm.memset.p0i8.i32(i8* nocapture, i8, i32, i1) nounwind
+declare void @llvm.memset.p0i8.i64(i8* nocapture, i8, i64, i1) nounwind
 
 ; This tests that allocas are not split into slices that are not byte width multiple
 define void @no_split_on_non_byte_width(i32) {
@@ -131,3 +132,16 @@
   %result = call i32 @memcpy_vec3float_helper(%S.vec3float* %tmp2)
   ret i32 %result
 }
+
+; Don't crash on out-of-bounds length.
+
+define void @PR50910() {
+; CHECK-LABEL: @PR50910(
+; CHECK-NEXT:    [[T1:%.*]] = alloca i8, i64 1, align 8
+; CHECK-NEXT:    call void @llvm.memset.p0i8.i64(i8* align 8 [[T1]], i8 0, i64 1, i1 false)
+; CHECK-NEXT:    ret void
+;
+  %t1 = alloca i8, i64 1, align 8
+  call void @llvm.memset.p0i8.i64(i8* align 8 %t1, i8 0, i64 4294967296, i1 false)
+  ret void
+}
Index: llvm/lib/Transforms/Scalar/SROA.cpp
===================================================================
--- llvm/lib/Transforms/Scalar/SROA.cpp
+++ llvm/lib/Transforms/Scalar/SROA.cpp
@@ -2811,10 +2811,11 @@
       if (BeginOffset > NewAllocaBeginOffset ||
           EndOffset < NewAllocaEndOffset)
         return false;
+      // Length must be in range for FixedVectorType.
       auto *C = cast<ConstantInt>(II.getLength());
-      if (C->getBitWidth() > 64)
+      const uint64_t Len = C->getLimitedValue();
+      if (Len > std::numeric_limits<unsigned>::max())
         return false;
-      const auto Len = C->getZExtValue();
       auto *Int8Ty = IntegerType::getInt8Ty(NewAI.getContext());
       auto *SrcTy = FixedVectorType::get(Int8Ty, Len);
       return canConvertValue(DL, SrcTy, AllocaTy) &&


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D106462.360507.patch
Type: text/x-patch
Size: 1934 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20210721/1465ab32/attachment.bin>

More information about the llvm-commits mailing list