Author: Timm Baeder Date: 2025-08-21T15:09:08+02:00 New Revision: f09ac1bf86e91b4b852a120d6a86383d657ee5eb
URL: https://github.com/llvm/llvm-project/commit/f09ac1bf86e91b4b852a120d6a86383d657ee5eb DIFF: https://github.com/llvm/llvm-project/commit/f09ac1bf86e91b4b852a120d6a86383d657ee5eb.diff LOG: [clang][bytecode] Fix an out-of-bounds access with ia32_pmul* (#154750) ... builtins. We used to access the I'th index of the output vector, but that doesn't work since the output vector is only half the size of the input vector. Added: Modified: clang/lib/AST/ByteCode/InterpBuiltin.cpp Removed: ################################################################################ diff --git a/clang/lib/AST/ByteCode/InterpBuiltin.cpp b/clang/lib/AST/ByteCode/InterpBuiltin.cpp index 93661d8e2ddf8..2cbebaf7b630e 100644 --- a/clang/lib/AST/ByteCode/InterpBuiltin.cpp +++ b/clang/lib/AST/ByteCode/InterpBuiltin.cpp @@ -2683,9 +2683,10 @@ static bool interp__builtin_ia32_pmul(InterpState &S, CodePtr OpPC, const auto *VT = Call->getArg(0)->getType()->castAs<VectorType>(); PrimType ElemT = *S.getContext().classify(VT->getElementType()); unsigned SourceLen = VT->getNumElements(); - SmallVector<APValue, 4> ResultElements; - ResultElements.reserve(SourceLen / 2); + PrimType DstElemT = *S.getContext().classify( + Call->getType()->castAs<VectorType>()->getElementType()); + unsigned DstElem = 0; for (unsigned I = 0; I != SourceLen; I += 2) { APSInt Elem1; APSInt Elem2; @@ -2699,16 +2700,19 @@ static bool interp__builtin_ia32_pmul(InterpState &S, CodePtr OpPC, case clang::X86::BI__builtin_ia32_pmuludq128: case clang::X86::BI__builtin_ia32_pmuludq256: case clang::X86::BI__builtin_ia32_pmuludq512: - Result = APSInt(llvm::APIntOps::muluExtended(Elem1, Elem2), true); + Result = APSInt(llvm::APIntOps::muluExtended(Elem1, Elem2), + /*IsUnsigned=*/true); break; case clang::X86::BI__builtin_ia32_pmuldq128: case clang::X86::BI__builtin_ia32_pmuldq256: case clang::X86::BI__builtin_ia32_pmuldq512: - Result = APSInt(llvm::APIntOps::mulsExtended(Elem1, Elem2), false); + Result = APSInt(llvm::APIntOps::mulsExtended(Elem1, Elem2), + /*IsUnsigned=*/false); break; } - INT_TYPE_SWITCH_NO_BOOL(ElemT, - { Dst.elem<T>(I) = static_cast<T>(Result); }); + INT_TYPE_SWITCH_NO_BOOL(DstElemT, + { Dst.elem<T>(DstElem) = static_cast<T>(Result); }); + ++DstElem; } Dst.initializeAllElements(); @@ -3204,6 +3208,7 @@ bool InterpretBuiltin(InterpState &S, CodePtr OpPC, const CallExpr *Call, case clang::X86::BI__builtin_ia32_pmuldq512: case clang::X86::BI__builtin_ia32_pmuludq128: case clang::X86::BI__builtin_ia32_pmuludq256: + case clang::X86::BI__builtin_ia32_pmuludq512: return interp__builtin_ia32_pmul(S, OpPC, Call, BuiltinID); case Builtin::BI__builtin_elementwise_fma: return interp__builtin_elementwise_fma(S, OpPC, Call); _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
