JIT: Fix invalid containment of vector broadcasts (#92371)

github-actions[bot] · jakobbotsch · web-flow · commit d365be87223a · 2023-09-21T15:37:09.000-07:00
The containment checks for vector broadcasts were missing a size check, meaning that a uint broadcast could contain a ubyte/ushort indirection. That would lead to out-of-bounds reads. Fix #83387 Co-authored-by: Jakob Botsch Nielsen <jakob.botsch.nielsen@gmail.com>
diff --git a/src/coreclr/jit/gentree.cpp b/src/coreclr/jit/gentree.cpp
@@ -19639,8 +19639,8 @@ GenTree* Compiler::gtNewSimdBinOpNode(
     }
     else
     {
-        assert(op2->TypeIs(type, simdBaseType, genActualType(simdBaseType)) ||
-               (op2->TypeIs(TYP_SIMD12) && type == TYP_SIMD16));
+        assert((genActualType(op2) == genActualType(type)) || (genActualType(op2) == genActualType(simdBaseType)) ||
+               (op2->TypeIs(TYP_SIMD12) && (type == TYP_SIMD16)));
     }
 
     NamedIntrinsic intrinsic = NI_Illegal;
diff --git a/src/coreclr/jit/lowerxarch.cpp b/src/coreclr/jit/lowerxarch.cpp
@@ -7956,6 +7956,9 @@ bool Lowering::IsContainableHWIntrinsicOp(GenTreeHWIntrinsic* parentNode, GenTre
                         // The memory form of this already takes a pointer and should be treated like a MemoryLoad
                         supportsGeneralLoads = !childNode->OperIsHWIntrinsic();
                     }
+
+                    supportsGeneralLoads =
+                        supportsGeneralLoads && (genTypeSize(childNode) >= genTypeSize(parentNode->GetSimdBaseType()));
                     break;
                 }
 
diff --git a/src/tests/JIT/Regression/JitBlue/Runtime_83387/Runtime_83387.cs b/src/tests/JIT/Regression/JitBlue/Runtime_83387/Runtime_83387.cs
@@ -0,0 +1,19 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Runtime.CompilerServices;
+using System.Runtime.Intrinsics;
+using Xunit;
+
+public class Runtime_83387
+{
+    [MethodImpl(MethodImplOptions.NoOptimization)]
+    [Fact]
+    public static int TestEntryPoint()
+    {
+        (ushort A, ushort R) c = (1, 65535);
+        Vector128<uint> v1 = Vector128.Create((uint)100);
+        v1 = v1 * c.A;
+        return (int)v1.ToScalar();
+    }
+}
diff --git a/src/tests/JIT/Regression/JitBlue/Runtime_83387/Runtime_83387.csproj b/src/tests/JIT/Regression/JitBlue/Runtime_83387/Runtime_83387.csproj
@@ -0,0 +1,8 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <Optimize>True</Optimize>
+  </PropertyGroup>
+  <ItemGroup>
+    <Compile Include="$(MSBuildProjectName).cs" />
+  </ItemGroup>
+</Project>

Original file line number	Diff line number	Diff line change
`@@ -19639,8 +19639,8 @@ GenTree* Compiler::gtNewSimdBinOpNode(`
`19639`	`19639`	`}`
`19640`	`19640`	`else`
`19641`	`19641`	`{`
`19642`		`- assert(op2->TypeIs(type, simdBaseType, genActualType(simdBaseType)) \|\|`
`19643`		`- (op2->TypeIs(TYP_SIMD12) && type == TYP_SIMD16));`
	`19642`	`+ assert((genActualType(op2) == genActualType(type)) \|\| (genActualType(op2) == genActualType(simdBaseType)) \|\|`
	`19643`	`+ (op2->TypeIs(TYP_SIMD12) && (type == TYP_SIMD16)));`
`19644`	`19644`	`}`
`19645`	`19645`
`19646`	`19646`	`NamedIntrinsic intrinsic = NI_Illegal;`
Original file line number	Diff line number	Diff line change
`@@ -7956,6 +7956,9 @@ bool Lowering::IsContainableHWIntrinsicOp(GenTreeHWIntrinsic* parentNode, GenTre`
`7956`	`7956`	`// The memory form of this already takes a pointer and should be treated like a MemoryLoad`
`7957`	`7957`	`supportsGeneralLoads = !childNode->OperIsHWIntrinsic();`
`7958`	`7958`	`}`
	`7959`	`+`
	`7960`	`+ supportsGeneralLoads =`
	`7961`	`+ supportsGeneralLoads && (genTypeSize(childNode) >= genTypeSize(parentNode->GetSimdBaseType()));`
`7959`	`7962`	`break;`
`7960`	`7963`	`}`
`7961`	`7964`