https://github.com/nataliakokoromyti updated https://github.com/llvm/llvm-project/pull/175402
>From 937c71377b4a6858c107ef351cd3bb968939dc4b Mon Sep 17 00:00:00 2001
From: Natalia Kokoromyti <[email protected]>
Date: Sat, 10 Jan 2026 16:29:17 -0800
Subject: [PATCH 1/2] [clang][bytecode] Fix crash on arrays with excessive size

The bytecode interpreter was crashing when encountering arrays with sizes that exceed Descriptor::MaxArrayElemBytes. The bounds check in Program::createDescriptor was using std::numeric_limits<unsigned>::max() instead of the correct limit Descriptor::MaxArrayElemBytes. This caused the check to pass for sizes that would later fail the assertion in the Descriptor constructor.
Fixes #175293
---
 clang/lib/AST/ByteCode/Program.cpp | 4 ++--
 clang/test/AST/ByteCode/huge-array-size.cpp | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 clang/test/AST/ByteCode/huge-array-size.cpp

diff --git a/clang/lib/AST/ByteCode/Program.cpp b/clang/lib/AST/ByteCode/Program.cpp
index d96934071cb60..a9ed47df89a86 100644
--- a/clang/lib/AST/ByteCode/Program.cpp
+++ b/clang/lib/AST/ByteCode/Program.cpp
@@ -411,7 +411,7 @@ Descriptor *Program::createDescriptor(const DeclTy &D, const Type *Ty,
 if (OptPrimType T = Ctx.classify(ElemTy)) {
 // Arrays of primitives.
 unsigned ElemSize = primSize(*T);
- if (std::numeric_limits<unsigned>::max() / ElemSize <= NumElems) {
+ if (Descriptor::MaxArrayElemBytes / ElemSize < NumElems) {
 return {};
 }
 return allocateDescriptor(D, *T, MDSize, NumElems, IsConst, IsTemporary,
@@ -424,7 +424,7 @@ Descriptor *Program::createDescriptor(const DeclTy &D, const Type *Ty,
 if (!ElemDesc)
 return nullptr;
 unsigned ElemSize = ElemDesc->getAllocSize() + sizeof(InlineDescriptor);
- if (std::numeric_limits<unsigned>::max() / ElemSize <= NumElems)
+ if (Descriptor::MaxArrayElemBytes / ElemSize < NumElems)
 return {};
 return allocateDescriptor(D, Ty, ElemDesc, MDSize, NumElems, IsConst,
 IsTemporary, IsMutable);
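Review bot: The new guard `if (Descriptor::MaxArrayElemBytes / ElemSize < NumElems)` in the primitive-array branch does more than swap the limit: it also relaxes the boundary from `<=` to `<`, so NumElems equal to MaxArrayElemBytes / ElemSize is now accepted where it was previously rejected, and that is only safe if the Descriptor constructor's assertion is non-strict (`NumElems * ElemSize <= MaxArrayElemBytes`), which the hunk does not show and the commit message does not state. The same check is repeated verbatim in the second hunk (the composite-element branch), so both copies must track the constructor's limit by hand; a comment such as `// Mirrors the size assertion in Descriptor's array constructor; keep the two in sync.` on each, or a small static helper taking ElemSize and NumElems, would make that coupling visible to the next maintainer. From a robustness standpoint the change is the right direction, since it turns an assertion failure on hostile or accidental source into a graceful bail-out, so the only open question is whether the bound is exactly the constructor's. Both hunks are inside Program::createDescriptor, whose body starts and ends outside the hunks, so the declared type of NumElems (and therefore the width in which the division and comparison are evaluated) is not visible here.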
diff --git a/clang/test/AST/ByteCode/huge-array-size.cpp b/clang/test/AST/ByteCode/huge-array-size.cpp
new file mode 100644
index 0000000000000..2425aedcdad4a
--- /dev/null
+++ b/clang/test/AST/ByteCode/huge-array-size.cpp
@@ -0,0 +1,10 @@
+// RUN: %clang_cc1 -fexperimental-new-constant-interpreter -fsyntax-only %s
+// RUN: %clang_cc1 -fsyntax-only %s
+
+// This test checks that we don't crash when encountering arrays with
+// sizes that exceed the bytecode interpreter's limits.
+// See: https://github.com/llvm/llvm-project/issues/175293
+
+char q[-2U];
+
+void foo() { char *p = q + 1; }

>From 738d200b563b6ddb322e2f24703c881e06c0909f Mon Sep 17 00:00:00 2001
From: nataliakokoromyti <[email protected]>
Date: Sun, 11 Jan 2026 03:34:14 -0800
Subject: [PATCH 2/2] add parentheses

---
 clang/lib/AST/ByteCode/Program.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clang/lib/AST/ByteCode/Program.cpp b/clang/lib/AST/ByteCode/Program.cpp
index a9ed47df89a86..edc6e11a842df 100644
--- a/clang/lib/AST/ByteCode/Program.cpp
+++ b/clang/lib/AST/ByteCode/Program.cpp
@@ -411,7 +411,7 @@ Descriptor *Program::createDescriptor(const DeclTy &D, const Type *Ty,
 if (OptPrimType T = Ctx.classify(ElemTy)) {
 // Arrays of primitives.
 unsigned ElemSize = primSize(*T);
- if (Descriptor::MaxArrayElemBytes / ElemSize < NumElems) {
+ if ((Descriptor::MaxArrayElemBytes / ElemSize) < NumElems) {
 return {};
 }
 return allocateDescriptor(D, *T, MDSize, NumElems, IsConst, IsTemporary,

_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
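Review bot: The new test only drives the primitive-element path (`char q[-2U];`, element size 1), so the second bound check this PR changes in Program::createDescriptor, the branch for arrays of non-primitive elements, gets no coverage; a second declaration with a record element type, e.g. `struct S { char c; }; S r[-2U];` used the same way inside foo, would exercise that branch as well. Without `-verify` the RUN lines only prove the compiler did not crash, not that it stayed quiet; if no diagnostic is expected, adding `-verify` to the RUN lines together with `// expected-no-diagnostics` would pin that behaviour too. The declaration relies on the target accepting a 4294967294-element array; if 32-bit targets reject it at the Sema level before the interpreter sees it, an explicit `-triple` in the RUN lines would keep the test deterministic across hosts, though I cannot confirm that from the hunk alone.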
