[llvm] 6e474d3 - [GlobalOpt][Evaluator] Fix off by one error in bounds check (PR53002)

Nikita Popov via llvm-commits llvm-commits at lists.llvm.org
Wed Jan 5 05:06:11 PST 2022 

Author: Nikita Popov
Date: 2022-01-05T14:06:02+01:00
New Revision: 6e474d330822ee8784d91a7842bba2e7f70b3b79

URL: https://github.com/llvm/llvm-project/commit/6e474d330822ee8784d91a7842bba2e7f70b3b79
DIFF: https://github.com/llvm/llvm-project/commit/6e474d330822ee8784d91a7842bba2e7f70b3b79.diff

LOG: [GlobalOpt][Evaluator] Fix off by one error in bounds check (PR53002)

We should bail out if the index is >= the size, not > the size.

Fixes https://github.com/llvm/llvm-project/issues/53002.

Added: 
    llvm/test/Transforms/GlobalOpt/pr53002.ll

Modified: 
    llvm/lib/Transforms/Utils/Evaluator.cpp

Removed: 
    


################################################################################
diff  --git a/llvm/lib/Transforms/Utils/Evaluator.cpp b/llvm/lib/Transforms/Utils/Evaluator.cpp
index 6725e160cd58b..34f56b1a591d9 100644
--- a/llvm/lib/Transforms/Utils/Evaluator.cpp
+++ b/llvm/lib/Transforms/Utils/Evaluator.cpp
@@ -135,7 +135,7 @@ Constant *Evaluator::MutableValue::read(Type *Ty, APInt Offset,
   while (const auto *Agg = V->Val.dyn_cast<MutableAggregate *>()) {
     Type *AggTy = Agg->Ty;
     Optional<APInt> Index = DL.getGEPIndexForOffset(AggTy, Offset);
-    if (!Index || Index->ugt(Agg->Elements.size()) ||
+    if (!Index || Index->uge(Agg->Elements.size()) ||
         !TypeSize::isKnownLE(TySize, DL.getTypeStoreSize(AggTy)))
       return nullptr;
 
@@ -179,7 +179,7 @@ bool Evaluator::MutableValue::write(Constant *V, APInt Offset,
     MutableAggregate *Agg = MV->Val.get<MutableAggregate *>();
     Type *AggTy = Agg->Ty;
     Optional<APInt> Index = DL.getGEPIndexForOffset(AggTy, Offset);
-    if (!Index || Index->ugt(Agg->Elements.size()) ||
+    if (!Index || Index->uge(Agg->Elements.size()) ||
         !TypeSize::isKnownLE(TySize, DL.getTypeStoreSize(AggTy)))
       return false;
 

diff  --git a/llvm/test/Transforms/GlobalOpt/pr53002.ll b/llvm/test/Transforms/GlobalOpt/pr53002.ll
new file mode 100644
index 0000000000000..f90ca2ccc23c5
--- /dev/null
+++ b/llvm/test/Transforms/GlobalOpt/pr53002.ll
@@ -0,0 +1,24 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --check-globals
+; RUN: opt -S -globalopt < %s | FileCheck %s
+
+; The store here writes into the padding after [5 x i8].
+; Make sure we don't crash.
+
+%T = type { [5 x i8], i16 }
+
+ at g = global %T zeroinitializer
+
+ at llvm.global_ctors = appending global [1 x { i32, void ()*, i8* }] [{ i32, void ()*, i8* } { i32 65535, void ()* @ctor, i8* null }]
+
+;.
+; CHECK: @[[G:[a-zA-Z0-9_$"\\.-]+]] = local_unnamed_addr global [[T:%.*]] zeroinitializer
+; CHECK: @[[LLVM_GLOBAL_CTORS:[a-zA-Z0-9_$"\\.-]+]] = appending global [1 x { i32, void ()*, i8* }] [{ i32, void ()*, i8* } { i32 65535, void ()* @ctor, i8* null }]
+;.
+define internal void @ctor() {
+; CHECK-LABEL: @ctor(
+; CHECK-NEXT:    store i8 0, i8* getelementptr inbounds ([[T:%.*]], %T* @g, i64 0, i32 0, i64 5), align 1
+; CHECK-NEXT:    ret void
+;
+  store i8 0, i8* getelementptr inbounds (%T, %T* @g, i64 0, i32 0, i64 5)
+  ret void
+}

More information about the llvm-commits mailing list