AArch64 SelectionDAG crashes when lowering shufflevector if Mask is undef #57326

Closed
DataCorrupted opened this issue Aug 24, 2022 · 2 comments

DataCorrupted commented Aug 24, 2022

When `shufflevector`'s mask is `undef`, AArch64 will have an out-of-bounds read on the latest commit cfd2c5ce.
You can check it out here: https://llvm.godbolt.org/z/9xEPWa76c

On LLVM14, it reports `Invalid shufflevector operands!` and treats `undef` as an uninitialized vector.

It seems the problem starts at AArch64ISelLowering.cpp:13391, where the Mask (`undef`) is taken and used without any sanity check.

Below is a sample input and corresponding stack trace.

```llvm
; ModuleID = 'PoC.ll'
source_filename = "M"

define void @f() {
BB:
  %A2 = alloca <32 x i16>, align 64
  %B = urem <32 x i16> <i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1>, <i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1, i16 -1>
  %S = shufflevector <32 x i16> %B, <32 x i16> %B, <32 x i32> undef
  store <32 x i16> %S, <32 x i16>* %A2, align 64
  ret void
}
```
```
llc: /home/peter/aflplusplus-isel/llvm-project/llvm/include/llvm/ADT/ArrayRef.h:256: const T &llvm::ArrayRef<int>::operator[](size_t) const [T = int]: Assertion `Index < Length && "Invalid index!"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: /home/peter/aflplusplus-isel/llvm-project/build-debug/bin/llc -mtriple=aarch64 PoC.ll
1.      Running pass 'Function Pass Manager' on module 'PoC.ll'.
2.      Running pass 'Interleaved Access Pass' on function '@f'
 #0 0x00000000030fa65a llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/Support/Unix/Signals.inc:569:11
 #1 0x00000000030fa80b PrintStackTraceSignalHandler(void*) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/Support/Unix/Signals.inc:636:1
 #2 0x00000000030f8e56 llvm::sys::RunSignalHandlers() /home/peter/aflplusplus-isel/llvm-project/llvm/lib/Support/Signals.cpp:103:5
 #3 0x00000000030faf35 SignalHandler(int) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/Support/Unix/Signals.inc:407:1
 #4 0x00007f315691a980 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x12980)
 #5 0x00007f315580ae87 raise /build/glibc-uZu3wS/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51:0
 #6 0x00007f315580c7f1 abort /build/glibc-uZu3wS/glibc-2.27/stdlib/abort.c:81:0
 #7 0x00007f31557fc3fa __assert_fail_base /build/glibc-uZu3wS/glibc-2.27/assert/assert.c:89:0
 #8 0x00007f31557fc472 (/lib/x86_64-linux-gnu/libc.so.6+0x30472)
 #9 0x00000000010f1ef9 llvm::ArrayRef<int>::operator[](unsigned long) const /home/peter/aflplusplus-isel/llvm-project/llvm/include/llvm/ADT/ArrayRef.h:0:7
#10 0x000000000142a4fd llvm::AArch64TargetLowering::lowerInterleavedStore(llvm::StoreInst*, llvm::ShuffleVectorInst*, unsigned int) const /home/peter/aflplusplus-isel/llvm-project/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp:13418:42
#11 0x0000000001d26493 (anonymous namespace)::InterleavedAccess::lowerInterleavedStore(llvm::StoreInst*, llvm::SmallVector<llvm::Instruction*, 32u>&) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/CodeGen/InterleavedAccessPass.cpp:511:7
#12 0x0000000001d2580a (anonymous namespace)::InterleavedAccess::runOnFunction(llvm::Function&) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/CodeGen/InterleavedAccessPass.cpp:541:18
#13 0x00000000025a2256 llvm::FPPassManager::runOnFunction(llvm::Function&) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1430:23
#14 0x00000000025a7082 llvm::FPPassManager::runOnModule(llvm::Module&) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1476:16
#15 0x00000000025a2b29 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1545:23
#16 0x00000000025a269d llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:535:16
#17 0x00000000025a7361 llvm::legacy::PassManager::run(llvm::Module&) /home/peter/aflplusplus-isel/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1672:3
#18 0x0000000000c744b0 compileModule(char**, llvm::LLVMContext&) /home/peter/aflplusplus-isel/llvm-project/llvm/tools/llc/llc.cpp:737:41
#19 0x0000000000c72832 main /home/peter/aflplusplus-isel/llvm-project/llvm/tools/llc/llc.cpp:418:13
#20 0x00007f31557edc87 __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:344:0
#21 0x0000000000c7203a _start (/home/peter/aflplusplus-isel/llvm-project/build-debug/bin/llc+0xc7203a)
Aborted
```

llvmbot commented Aug 24, 2022

@llvm/issue-subscribers-backend-aarch64


DataCorrupted commented Aug 25, 2022

I tried to fix it with a simple check and submitted a patch here, but it failed the check in other places. @fhahn Would you mind helping me out with this? Sorry, I am not super familiar with the AArch64 backend.

veselypeta pushed a commit to veselypeta/cherillvm that referenced this issue May 27, 2024
…VectorInst's mask

This commit fixes llvm/llvm-project#57326.

Currently we would take a Mask out and directly use it by doing
`auto Mask = SVI->getShuffleMask();`
However, if the mask is undef, this Mask is not initialized. It might be
a vector of -1 or random integers.
This would cause an out-of-bounds read later when trying to find a
StartMask.

This change checks if all indices in the Mask are in the allowed range,
and fixes the out-of-bounds accesses.

Differential Revision: https://reviews.llvm.org/D132634
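
The kind of guard the commit message describes, as an added C++ sketch that is not part of the issue or of the LLVM patch: a stand-alone model in which `-1` marks an undefined lane. The helpers `maskInRange`, `maskAllUndef` and `findStartIndex` are hypothetical names, and the interleave layout (`factor` fields, lane `j` of a field at position `j * factor + field`) is an assumption of the model.

```cpp
#include <cstddef>
#include <vector>

// Stand-alone model, not LLVM code. -1 marks an undefined mask lane; all
// function names here are hypothetical.
constexpr int kUndefLane = -1;

// True when every lane is undefined or selects one of the 2 * numSrcElts
// elements of the two concatenated shuffle inputs.
bool maskInRange(const std::vector<int> &mask, std::size_t numSrcElts) {
  for (int idx : mask) {
    if (idx == kUndefLane) continue;
    if (idx < 0 || static_cast<std::size_t>(idx) >= 2 * numSrcElts)
      return false;
  }
  return true;
}

// True when no lane carries a usable index, as with the PoC's undef mask.
bool maskAllUndef(const std::vector<int> &mask) {
  for (int idx : mask)
    if (idx != kUndefLane) return false;
  return true;
}

// Source index at which interleave field `field` (of `factor` fields)
// starts, inferred from the field's first defined lane. Returns -1 when the
// mask is rejected or the field has no defined lane; no subscript can
// exceed mask.size() - 1.
int findStartIndex(const std::vector<int> &mask, std::size_t numSrcElts,
                   std::size_t factor, std::size_t field) {
  if (factor == 0 || field >= factor || mask.size() % factor != 0)
    return -1;
  if (!maskInRange(mask, numSrcElts) || maskAllUndef(mask))
    return -1;
  const std::size_t laneLen = mask.size() / factor;
  for (std::size_t j = 0; j < laneLen; ++j) {
    const std::size_t pos = j * factor + field;  // pos < mask.size()
    if (mask[pos] == kUndefLane) continue;
    const int start = mask[pos] - static_cast<int>(j);
    return start >= 0 ? start : -1;
  }
  return -1;
}
```
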