[compiler-rt] [compiler-rt] [sanitizer] avoid UB in allocator (PR #126977)

Florian Mayer via llvm-commits llvm-commits at lists.llvm.org
Wed Feb 12 15:04:49 PST 2025


https://github.com/fmayer updated https://github.com/llvm/llvm-project/pull/126977

>From b8a0b70808c852341176ff4d0f5e89cc13fd2524 Mon Sep 17 00:00:00 2001
From: Florian Mayer <fmayer at google.com>
Date: Wed, 12 Feb 2025 13:48:58 -0800
Subject: [PATCH 1/3] [𝘀𝗽𝗿] initial version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Created using spr 1.3.4
---
 .../lib/sanitizer_common/sanitizer_allocator_local_cache.h   | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h b/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h
index e495c56f03775..b67529fdeb5ff 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h
@@ -166,7 +166,10 @@ struct SizeClassAllocator32LocalCache {
       DCHECK_GT(c->count, 0);
     }
     void *res = c->batch[--c->count];
-    PREFETCH(c->batch[c->count - 1]);
+    // By not doing pointer arithmetic, we avoid the OOB if c->count = 0.
+    // We just prefetch the previous member of the PerClass struct, which
+    // doesn't do harm.
+    PREFETCH(reinterpret_cast<uptr>(c->batch) + sizeof(c->batch[0])* (c->count - 1));
     stats_.Add(AllocatorStatAllocated, c->class_size);
     return res;
   }
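
Review bot: the new PREFETCH argument on the added line is the address of slot count - 1 inside c->batch, whereas the removed line passed the element stored in that slot, which is itself a pointer (the line above assigns c->batch[--c->count] to void *res). That moves the prefetch target from the next chunk to the array slot, which looks unintended. If the goal is only to avoid the out-of-bounds read the comment mentions when count has just dropped to 0, keep the element load and clamp or guard the index instead. The comment should also read c->count == 0 rather than c->count = 0, which looks like an assignment.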

>From 52862060ca0fdb60b19b41b54ab36bb7a699bbde Mon Sep 17 00:00:00 2001
From: Florian Mayer <fmayer at google.com>
Date: Wed, 12 Feb 2025 13:49:47 -0800
Subject: [PATCH 2/3] fmt

Created using spr 1.3.4
---
 .../lib/sanitizer_common/sanitizer_allocator_local_cache.h     | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h b/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h
index b67529fdeb5ff..6e54e3a47f9ad 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h
@@ -169,7 +169,8 @@ struct SizeClassAllocator32LocalCache {
     // By not doing pointer arithmetic, we avoid the OOB if c->count = 0.
     // We just prefetch the previous member of the PerClass struct, which
     // doesn't do harm.
-    PREFETCH(reinterpret_cast<uptr>(c->batch) + sizeof(c->batch[0])* (c->count - 1));
+    PREFETCH(reinterpret_cast<uptr>(c->batch) +
+             sizeof(c->batch[0]) * (c->count - 1));
     stats_.Add(AllocatorStatAllocated, c->class_size);
     return res;
   }
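
Review bot: the comment kept as context above the reformatted PREFETCH call says that prefetching "the previous member of the PerClass struct" does no harm, but that relies on the unsigned product wrapping so the sum lands exactly one element before batch, and on another member actually preceding batch in PerClass. Neither is visible here. Either state both assumptions in the comment or replace the arithmetic with an explicit c->count > 0 check so a reader does not have to verify the struct layout.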

>From 9fe1aff2c86a90bf59c37d372cc73e88f345636f Mon Sep 17 00:00:00 2001
From: Florian Mayer <fmayer at google.com>
Date: Wed, 12 Feb 2025 15:04:35 -0800
Subject: [PATCH 3/3] be less fancy

Created using spr 1.3.4
---
 .../lib/sanitizer_common/sanitizer_allocator_local_cache.h  | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h b/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h
index 6e54e3a47f9ad..6e54c4852fbb6 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h
@@ -166,11 +166,7 @@ struct SizeClassAllocator32LocalCache {
       DCHECK_GT(c->count, 0);
     }
     void *res = c->batch[--c->count];
-    // By not doing pointer arithmetic, we avoid the OOB if c->count = 0.
-    // We just prefetch the previous member of the PerClass struct, which
-    // doesn't do harm.
-    PREFETCH(reinterpret_cast<uptr>(c->batch) +
-             sizeof(c->batch[0]) * (c->count - 1));
+    PREFETCH(c->batch[c->count > 0 ? c->count - 1 : 0]);
     stats_.Add(AllocatorStatAllocated, c->class_size);
     return res;
   }
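
Review bot: with the clamp in the new PREFETCH line, the count == 0 case prefetches through c->batch[0], the same slot that was just read into res, so the call is redundant there, and the explanatory comment was removed along with the old expression. Add a one-line comment saying the index is clamped to avoid reading c->batch[-1] once the batch has been emptied, or skip the prefetch entirely when c->count is 0.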
