Description
| Field | Value |
| --- | --- |
| Bugzilla Link | 48824 |
| Version | trunk |
| OS | All |
| CC | @LebedevRI, @zygoloid |
Extended Description
This was found in a downstream compiler for an out-of-tree target using randomized testing, but is reproduced on tip of tree using an in-tree target. Two simple minimized reproducers show this crash.
It appears that the indices or address calculations in these samples are not checked against the maximum offset the target can represent, which would explain why this only reproduces for a 16-bit target like the msp430.
clang command line
clang -c -fsanitize=undefined --target=msp430-unknown test.c
Two test cases show this ...
case 1
a;
_Complex b[][1];
c() { b[a][8920]; }   /* constant index: 8920 * element size exceeds a 16-bit offset */
case 2
int **a[];
int main() {
(*a)[28001000];   /* constant index that does not even fit in a 16-bit index */
}
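To make the assertion's premise concrete, here is an added example (not clang code and not part of the report) that models the arithmetic of the UBSan pointer-overflow check in a chosen pointer width: each index is cast to the pointer width, multiplied by its element size with signed-overflow detection, and the products are summed. The element sizes used for the two reproducers (16 bytes for `_Complex double`, 2 bytes for a pointer on msp430) are assumptions, and the point shown is that both offsets fold to constants yet overflow at 16 bits while neither does at 64 bits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wrap v to a signed two's-complement value of 'bits' width (bits <= 64). */
static int64_t to_width(int64_t v, unsigned bits) {
    uint64_t mask = (bits >= 64) ? ~(uint64_t)0 : (((uint64_t)1 << bits) - 1);
    uint64_t u = (uint64_t)v & mask;
    if (bits < 64 && (u & ((uint64_t)1 << (bits - 1))))
        u |= ~mask;                         /* sign-extend the top bit */
    return (int64_t)u;
}

/* Signed multiply in 'bits' width; true if the product does not fit. */
static bool smul_overflows(int64_t a, int64_t b, unsigned bits, int64_t *out) {
    int64_t p;
    if (__builtin_mul_overflow(a, b, &p)) { *out = 0; return true; }
    *out = to_width(p, bits);
    return *out != p;
}

/* Byte offset of a GEP over (index, element size) pairs in the target's
 * pointer width.  Returns true if any multiply or add overflowed, which
 * is exactly the state the clang assertion claims a constant-folded
 * offset can never be in. */
static bool gep_offset_overflows(const int64_t *idx, const int64_t *elem,
                                 size_t n, unsigned ptr_bits, int64_t *total) {
    bool overflowed = false;
    *total = 0;
    for (size_t i = 0; i < n; i++) {
        int64_t index = to_width(idx[i], ptr_bits);   /* index cast to intptr_t */
        int64_t prod, sum;
        if (smul_overflows(index, elem[i], ptr_bits, &prod)) overflowed = true;
        sum = to_width(*total + prod, ptr_bits);
        if (sum != *total + prod) overflowed = true;
        *total = sum;
    }
    return overflowed;
}

/* One-index reproducer: does index * elem_size overflow at ptr_bits? */
static bool reproducer_overflows(int64_t index, int64_t elem_size, unsigned ptr_bits) {
    int64_t total;
    return gep_offset_overflows(&index, &elem_size, 1, ptr_bits, &total);
}

int main(void) {
    /* Assumed sizes: _Complex double = 16 bytes, int * = 2 bytes on msp430. */
    printf("case 1 @16-bit: %d  case 2 @16-bit: %d\n",
           reproducer_overflows(8920, 16, 16), reproducer_overflows(28001000, 2, 16));
    printf("case 1 @64-bit: %d  case 2 @64-bit: %d\n",
           reproducer_overflows(8920, 16, 64), reproducer_overflows(28001000, 8, 64));
    return 0;
}
```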
Relevant backtrace (edited)
clang: /clang/lib/CodeGen/CGExprScalar.cpp:4980: llvm::Value* clang::CodeGen::CodeGenFunction::EmitCheckedInBoundsGEP(llvm::Value*, llvm::ArrayRef<llvm::Value*>, bool, bool, clang::SourceLocation, const llvm::Twine&): Assertion `(!isa<llvm::Constant>(EvaluatedGEP.TotalOffset) || EvaluatedGEP.OffsetOverflows == Builder.getFalse()) && "If the offset got constant-folded, we don't expect that there was an " "overflow."' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff4ff6387 in raise () from /lib64/libc.so.6
(gdb) bt
#4 0x0000000005b2abee in clang::CodeGen::CodeGenFunction::EmitCheckedInBoundsGEP (this=0x7fffffff6a30, Ptr=0x123f99a0, IdxList=..., SignedIndices=true, IsSubtraction=false, Loc=..., Name=...) at /clang/lib/CodeGen/CGExprScalar.cpp:4980
#5 0x0000000005ad7a65 in emitArraySubscriptGEP (CGF=..., ptr=0x123f99a0, indices=..., inbounds=true, signedIndices=true, loc=..., name=...) at /clang/lib/CodeGen/CGExpr.cpp:3577
#6 0x0000000005ad7f45 in emitArraySubscriptGEP (CGF=..., addr=..., indices=..., eltType=..., inbounds=true, signedIndices=true, loc=..., arrayType=0x7fffffff5750, Base=0x123b2918, name=...) at /clang/lib/CodeGen/CGExpr.cpp:3674
#7 0x0000000005ad92bd in clang::CodeGen::CodeGenFunction::EmitArraySubscriptExpr (this=0x7fffffff6a30, E=0x123b2930, Accessed=true) at /clang/lib/CodeGen/CGExpr.cpp:3839
#8 0x0000000005aca6c9 in clang::CodeGen::CodeGenFunction::EmitCheckedLValue (this=0x7fffffff6a30, E=0x123b2930, TCK=clang::CodeGen::CodeGenFunction::TCK_Load) at /clang/lib/CodeGen/CGExpr.cpp:1252
#9 0x0000000005b1311b in (anonymous namespace)::ScalarExprEmitter::EmitCheckedLValue (this=0x7fffffff6550, E=0x123b2930, TCK=clang::CodeGen::CodeGenFunction::TCK_Load) at /clang/lib/CodeGen/CGExprScalar.cpp:245
#10 0x0000000005b133c6 in (anonymous namespace)::ScalarExprEmitter::EmitLoadOfLValue (this=0x7fffffff6550, E=0x123b2930) at /clang/lib/CodeGen/CGExprScalar.cpp:294
#11 0x0000000005b199bd in (anonymous namespace)::ScalarExprEmitter::VisitArraySubscriptExpr (this=0x7fffffff6550, E=0x123b2930) at /clang/lib/CodeGen/CGExprScalar.cpp:1705
#12 0x0000000005b2c02a in clang::StmtVisitorBase<std::add_pointer, (anonymous namespace)::ScalarExprEmitter, llvm::Value*>::Visit (this=0x7fffffff6550, S=0x123b2930) at tools/clang/include/clang/AST/StmtNodes.inc:635
#13 0x0000000005b136c2 in (anonymous namespace)::ScalarExprEmitter::Visit (this=0x7fffffff6550, E=0x123b2930) at /clang/lib/CodeGen/CGExprScalar.cpp:409
#14 0x0000000005b1bd41 in (anonymous namespace)::ScalarExprEmitter::VisitCastExpr (this=0x7fffffff6550, CE=0x123b2950) at /clang/lib/CodeGen/CGExprScalar.cpp:2191
#15 0x0000000005b2ddc3 in clang::StmtVisitorBase<std::add_pointer, (anonymous namespace)::ScalarExprEmitter, llvm::Value*>::VisitImplicitCastExpr (this=0x7fffffff6550, S=0x123b2950) at tools/clang/include/clang/AST/StmtNodes.inc:919