| Field | Value |
| --- | --- |
| Issue | 183092 |
| Summary | ASan crashes on byval scalable vector args due to TypeSize-to-uint64_t conversion |
| Labels | compiler-rt:asan, tools:opt, crash-on-invalid |
| Assignees | |
| Reporter | yijan4845 |
Compiler explorer: [https://godbolt.org/z/5d4zc88zc](https://godbolt.org/z/5d4zc88zc)
## Vulnerable code location(s)
[llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp:3372](https://github.com/llvm/llvm-project/blob/9f7af289728002487b032a8278bc2c540a02ff59/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp#L3372)
## Vulnerable code analysis
`FunctionStackPoisoner::copyArgsPassedByValToAllocas()` unconditionally converts `TypeSize` to `uint64_t` at line 3372:
```cpp
uint64_t AllocSize = DL.getTypeAllocSize(Ty);
```
`Ty` is obtained from `Arg.getParamByValType()` (line 3361) with no guard against scalable vector types. When `Ty` is a scalable vector (e.g., `<vscale x 4 x i32>`), `getTypeAllocSize()` returns a `TypeSize` with `isScalable() == true`, and the implicit conversion to `uint64_t` triggers an assertion failure: `"Invalid size request on a scalable vector."`
This is reachable on any target supporting scalable vectors (AArch64/SVE, RISC-V/V) when ASan is enabled with `byval` scalable vector parameters, which is valid IR per existing tests (e.g., `llvm/test/Transforms/MemCpyOpt/vscale-crashes.ll`).
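To make the failure mode concrete, here is an added C++ model (not LLVM's code) of the two pieces of state `TypeSize` carries and of the unguarded conversion in `copyArgsPassedByValToAllocas()`, next to a guarded variant that checks `isScalable()` before taking a fixed byte count. `ParamType`, `allocSizeUnguarded`, `allocSizeGuarded` and `sampleArgs` are hypothetical names introduced for the illustration; the fatal assertion is modelled as a C++ exception so it can be exercised without aborting.

```cpp
// Added example, not LLVM's code: a minimal model of llvm::TypeSize showing why an
// unconditional TypeSize -> uint64_t conversion fails for scalable vector types.
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// A size is MinValue bytes, or MinValue * vscale bytes when Scalable is set;
// vscale is unknown at compile time, so no fixed value exists in that case.
struct TypeSize {
  uint64_t MinValue;
  bool Scalable;
  bool isScalable() const { return Scalable; }
  // Real LLVM asserts (fatally) here; modelled as an exception for testability.
  uint64_t getFixedValue() const {
    if (Scalable)
      throw std::logic_error("Cannot implicitly convert a scalable size to a fixed-width size");
    return MinValue;
  }
  operator uint64_t() const { return getFixedValue(); }  // the hazardous implicit conversion
};

// Hypothetical stand-in for a byval parameter type (not llvm::Type).
struct ParamType {
  std::string Name;
  TypeSize AllocSize;  // what DL.getTypeAllocSize(Ty) would return for it
};

// Pattern from the report: converts unconditionally, so a scalable type crashes.
uint64_t allocSizeUnguarded(const ParamType &Ty) {
  uint64_t AllocSize = Ty.AllocSize;  // implicit conversion; throws if scalable
  return AllocSize;
}

// Hardened pattern: only fixed-size byval args yield a fixed alloca size;
// scalable ones are reported as skipped (false) instead of crashing.
bool allocSizeGuarded(const ParamType &Ty, uint64_t &AllocSize) {
  TypeSize TS = Ty.AllocSize;
  if (TS.isScalable())
    return false;
  AllocSize = TS.getFixedValue();
  return true;
}

// Constructed sample args: <4 x i32> (16 bytes) and <vscale x 4 x i32> (16 * vscale).
std::vector<ParamType> sampleArgs() {
  return {{"<4 x i32>", {16, false}}, {"<vscale x 4 x i32>", {16, true}}};
}
```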
## PoC
```llvm
define void @test(ptr byval(<vscale x 4 x i32>) %arg) sanitize_address {
  ret void
}
```
Stack dump:
```
LLVM ERROR: Cannot implicitly convert a scalable size to a fixed-width size in `TypeSize::operator ScalarTy()`
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace and instructions to reproduce the bug.
Stack dump:
0. Program arguments: /opt/compiler-explorer/clang-trunk/bin/opt -o /app/output.s -S -passes=asan <source>
1. Running pass "asan<>" on module "<source>"
#0 0x00000000053aa9e8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-trunk/bin/opt+0x53aa9e8)
#1 0x00000000053a7b24 SignalHandler(int, siginfo_t*, void*) Signals.cpp:0:0
#2 0x0000756d3da42520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
#3 0x0000756d3da969fc pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
#4 0x0000756d3da42476 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x42476)
#5 0x0000756d3da287f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
#6 0x0000000000832dbf llvm::json::operator==(llvm::json::Value const&, llvm::json::Value const&) (.cold) JSON.cpp:0:0
#7 0x00000000052dc209 (/opt/compiler-explorer/clang-trunk/bin/opt+0x52dc209)
#8 0x00000000031d94d4 (anonymous namespace)::FunctionStackPoisoner::runOnFunction() AddressSanitizer.cpp:0:0
#9 0x00000000031db726 (anonymous namespace)::AddressSanitizer::instrumentFunction(llvm::Function&, llvm::TargetLibraryInfo const*, llvm::TargetTransformInfo const*) AddressSanitizer.cpp:0:0
#10 0x00000000031dcf90 llvm::AddressSanitizerPass::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-trunk/bin/opt+0x31dcf90)
#11 0x0000000002ce6b3e llvm::detail::PassModel<llvm::Module, llvm::AddressSanitizerPass, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-trunk/bin/opt+0x2ce6b3e)
#12 0x000000000511d947 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-trunk/bin/opt+0x511d947)
#13 0x0000000000981b2a llvm::runPassPipeline(llvm::StringRef, llvm::Module&, llvm::TargetMachine*, llvm::TargetLibraryInfoImpl*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::StringRef, llvm::ArrayRef<llvm::PassPlugin>, llvm::ArrayRef<std::function<void (llvm::PassBuilder&)>>, llvm::opt_tool::OutputKind, llvm::opt_tool::VerifierKind, bool, bool, bool, bool, bool, bool, bool, bool) (/opt/compiler-explorer/clang-trunk/bin/opt+0x981b2a)
#14 0x00000000009750bf optMain (/opt/compiler-explorer/clang-trunk/bin/opt+0x9750bf)
#15 0x0000756d3da29d90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#16 0x0000756d3da29e40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#17 0x000000000096d8a5 _start (/opt/compiler-explorer/clang-trunk/bin/opt+0x96d8a5)
Program terminated with signal: SIGSEGV
Compiler returned: 139
```
_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs