Sometimes, when the address of the passed TCGTemp *ts variable is the same as tcg_ctx, the index calculated in the temp_idx function, i.e., ts - tcg_ctx->temps, can result in a particularly large value, causing overflow in the subsequent array access.
0 0x00007f79590132ac in test_bit (addr=<optimized out>, nr=<optimized out>) at /data/system/jiangzw/release_version/qemu8.2/include/qemu/bitops.h:135 1 init_ts_info (ctx=ctx@entry=0x7f794bffe460, ts=0x7f76fc000e00) at ../tcg/optimize.c:148 2 0x00007f7959014b50 in init_arguments (nb_args=2, op=0x7f76fc0101f8, ctx=0x7f794bffe460) at ../tcg/optimize.c:792 3 fold_call (op=0x7f76fc0101f8, ctx=0x7f794bffe460) at ../tcg/optimize.c:1348 4 tcg_optimize (s=<optimized out>) at ../tcg/optimize.c:2369 5 0x00007f7958ffa136 in tcg_gen_code (s=0x7f76fc000e00, tb=0x7f7904202380, pc_start=140741246462840) at ../tcg/tcg.c:6066 Signed-off-by: Zhiwei Jiang <jian...@tecorigin.com> --- include/tcg/tcg.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h index 05a1912f8a..4b38d2702d 100644 --- a/include/tcg/tcg.h +++ b/include/tcg/tcg.h @@ -629,7 +629,7 @@ static inline size_t temp_idx(TCGTemp *ts) */ static inline TCGTemp *tcgv_i32_temp(TCGv_i32 v) { - return (void *)tcg_ctx + (uintptr_t)v; + return (void *)tcg_ctx->temps + (uintptr_t)v; } #endif @@ -681,7 +681,7 @@ static inline TCGArg tcgv_vec_arg(TCGv_vec v) static inline TCGv_i32 temp_tcgv_i32(TCGTemp *t) { (void)temp_idx(t); /* trigger embedded assert */ - return (TCGv_i32)((void *)t - (void *)tcg_ctx); + return (TCGv_i32)((void *)t - (void *)tcg_ctx->temps); } static inline TCGv_i64 temp_tcgv_i64(TCGTemp *t) -- 2.17.1