100211 – [11/12/13/14 Regression] aarch64: OOB accesses in aarch64_{save,restore}_callee_saves

Bug 100211 - [11/12/13/14 Regression] aarch64: OOB accesses in aarch64_{save,restore}_callee_saves

Summary: [11/12/13/14 Regression] aarch64: OOB accesses in aarch64_{save,restore}_call...

Status:	NEW

Alias:	None

Product:	gcc
Classification:	Unclassified
Component:	target (show other bugs)
Version:	11.0

Importance:	P2 normal
Target Milestone:	11.5
Assignee:	Not yet assigned to anyone

URL:
Keywords:	internal-improvement

Depends on:
Blocks:	ubsan
	Show dependency tree / graph

Reported:	2021-04-22 14:28 UTC by Alex Coplan
Modified:	2023-07-07 10:39 UTC (History)
CC List:	1 user (show)

See Also:
Host:
Target:	aarch64
Build:
Known to work:	6.0
Known to fail:	11.0
Last reconfirmed:	2021-07-19 00:00:00

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Coplan 2021-04-22 14:28:57 UTC

Bootstrapping on aarch64 --with-build-config=bootstrap-ubsan shows OOB accesses in aarch64_{save,restore}_callee_saves with the following SVE testcase (reduced from gcc.target/aarch64/sve/acle/general/cpy_1.c).

$ cat sve_test.c
#include <arm_sve.h>
svuint64_t a() {
  register svbool_t b asm("p15");
  asm("" : "=Upa"(b));
}
$ gcc/xgcc -B gcc sve_test.c -c -march=armv8.2-a+sve
/home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.c:7754:57: runtime error: index 83 out of bounds for type 'bool [83]'
    #0 0x2de50e4 in aarch64_save_callee_saves /home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.c:7754
    #1 0x2e25d48 in aarch64_expand_prologue() /home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.c:8776
    #2 0x3bdfad4 in gen_prologue() /home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.md:852
    #3 0x2da1610 in target_gen_prologue /home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.md:7444
    #4 0x11d210c in make_prologue_seq /home/alecop01/toolchain/src/gcc/gcc/function.c:5801
    #5 0x11d27bc in thread_prologue_and_epilogue_insns() /home/alecop01/toolchain/src/gcc/gcc/function.c:6019
    #6 0x11d4a24 in rest_of_handle_thread_prologue_and_epilogue /home/alecop01/toolchain/src/gcc/gcc/function.c:6510
    #7 0x11d4a24 in execute /home/alecop01/toolchain/src/gcc/gcc/function.c:6586
    #8 0x1b5ec1c in execute_one_pass(opt_pass*) /home/alecop01/toolchain/src/gcc/gcc/passes.c:2567
    #9 0x1b623b8 in execute_pass_list_1 /home/alecop01/toolchain/src/gcc/gcc/passes.c:2656
    #10 0x1b623f0 in execute_pass_list_1 /home/alecop01/toolchain/src/gcc/gcc/passes.c:2657
    #11 0x1b623f0 in execute_pass_list_1 /home/alecop01/toolchain/src/gcc/gcc/passes.c:2657
    #12 0x1b624d4 in execute_pass_list(function*, opt_pass*) /home/alecop01/toolchain/src/gcc/gcc/passes.c:2667
    #13 0xc7b2a4 in cgraph_node::expand() /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:1830
    #14 0xc7fa90 in output_in_order /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:2137
    #15 0xc7fa90 in symbol_table::compile() /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:2355
    #16 0xc8b81c in symbol_table::compile() /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:2271
    #17 0xc8b81c in symbol_table::finalize_compilation_unit() /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:2539
    #18 0x1f97478 in compile_file /home/alecop01/toolchain/src/gcc/gcc/toplev.c:482
    #19 0x68d9b0 in do_compile /home/alecop01/toolchain/src/gcc/gcc/toplev.c:2201
    #20 0x68d9b0 in toplev::main(int, char**) /home/alecop01/toolchain/src/gcc/gcc/toplev.c:2340
    #21 0x6910d0 in main /home/alecop01/toolchain/src/gcc/gcc/main.c:39
    #22 0xffff881b66dc in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x206dc)
    #23 0x691b2c  (/data/alecop01/builds/bstrap-ubsan/gcc/cc1+0x691b2c)

/home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.c:7855:57: runtime error: index 83 out of bounds for type 'bool [83]'
    #0 0x2de26e8 in aarch64_restore_callee_saves /home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.c:7855
    #1 0x2de363c in aarch64_expand_epilogue(bool) /home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.c:8888
    #2 0x3bdfb4c in gen_epilogue() /home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.md:861
    #3 0x2da14bc in target_gen_epilogue /home/alecop01/toolchain/src/gcc/gcc/config/aarch64/aarch64.md:7193
    #4 0x11d2338 in make_epilogue_seq /home/alecop01/toolchain/src/gcc/gcc/function.c:5938
    #5 0x11d27c4 in thread_prologue_and_epilogue_insns() /home/alecop01/toolchain/src/gcc/gcc/function.c:6020
    #6 0x11d4a24 in rest_of_handle_thread_prologue_and_epilogue /home/alecop01/toolchain/src/gcc/gcc/function.c:6510
    #7 0x11d4a24 in execute /home/alecop01/toolchain/src/gcc/gcc/function.c:6586
    #8 0x1b5ec1c in execute_one_pass(opt_pass*) /home/alecop01/toolchain/src/gcc/gcc/passes.c:2567
    #9 0x1b623b8 in execute_pass_list_1 /home/alecop01/toolchain/src/gcc/gcc/passes.c:2656
    #10 0x1b623f0 in execute_pass_list_1 /home/alecop01/toolchain/src/gcc/gcc/passes.c:2657
    #11 0x1b623f0 in execute_pass_list_1 /home/alecop01/toolchain/src/gcc/gcc/passes.c:2657
    #12 0x1b624d4 in execute_pass_list(function*, opt_pass*) /home/alecop01/toolchain/src/gcc/gcc/passes.c:2667
    #13 0xc7b2a4 in cgraph_node::expand() /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:1830
    #14 0xc7fa90 in output_in_order /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:2137
    #15 0xc7fa90 in symbol_table::compile() /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:2355
    #16 0xc8b81c in symbol_table::compile() /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:2271
    #17 0xc8b81c in symbol_table::finalize_compilation_unit() /home/alecop01/toolchain/src/gcc/gcc/cgraphunit.c:2539
    #18 0x1f97478 in compile_file /home/alecop01/toolchain/src/gcc/gcc/toplev.c:482
    #19 0x68d9b0 in do_compile /home/alecop01/toolchain/src/gcc/gcc/toplev.c:2201
    #20 0x68d9b0 in toplev::main(int, char**) /home/alecop01/toolchain/src/gcc/gcc/toplev.c:2340
    #21 0x6910d0 in main /home/alecop01/toolchain/src/gcc/gcc/main.c:39
    #22 0xffff881b66dc in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x206dc)
    #23 0x691b2c  (/data/alecop01/builds/bstrap-ubsan/gcc/cc1+0x691b2c)

Comment 1 Andrew Pinski 2021-07-19 07:51:10 UTC

The loop does:
  for (regno = aarch64_next_callee_save (start, limit);
       regno <= limit;
       regno = aarch64_next_callee_save (regno + 1, limit))



Really this:
bool reg_is_wrapped_separately[LAST_SAVED_REGNUM];

Should be:
bool reg_is_wrapped_separately[LAST_SAVED_REGNUM + 1];

In aarch64.h.  It has been wrong since r7-5127 .

Comment 2 Richard Biener 2022-05-27 09:45:09 UTC

GCC 9 branch is being closed

Comment 3 Jakub Jelinek 2022-06-28 10:44:38 UTC

GCC 10.4 is being released, retargeting bugs to GCC 10.5.

Comment 4 Richard Biener 2023-07-07 10:39:36 UTC

GCC 10 branch is being closed.