Issue 183672
Summary Attributor crashes on scalable vector array types via implicit TypeSize-to-uint64 conversion
Labels crash-on-invalid, llvm::Attributor, llvm:transforms
Assignees
Reporter yijan4845
## Vulnerable code location(s)

- [llvm/lib/Transforms/IPO/AttributorAttributes.cpp:7624](https://github.com/llvm/llvm-project/blob/9f7af289728002487b032a8278bc2c540a02ff59/llvm/lib/Transforms/IPO/AttributorAttributes.cpp#L7624): `uint64_t PointeeTySize = DL.getTypeStoreSize(PointeeTy);` in `createInitialization`
- [llvm/lib/Transforms/IPO/AttributorAttributes.cpp:7659](https://github.com/llvm/llvm-project/blob/9f7af289728002487b032a8278bc2c540a02ff59/llvm/lib/Transforms/IPO/AttributorAttributes.cpp#L7659): `uint64_t PointeeTySize = DL.getTypeStoreSize(PointeeTy);` in `createReplacementValues`


## Vulnerable code analysis

`AAPrivatizablePtrArgument::createInitialization` and `createReplacementValues` handle `ArrayType` privatizable types by calling `DL.getTypeStoreSize(PointeeTy)` and implicitly converting the returned `TypeSize` to `uint64_t`. When the array element type is a scalable vector (e.g., `<vscale x 4 x i32>`), the `TypeSize` is scalable and this implicit conversion triggers a fatal error in `TypeSize::operator ScalarTy()`.

The `isDenselyPacked` check (line 7420) that guards entry to `manifest` does not reject scalable types: it recurses into the array element type and evaluates the scalar base type without performing any size-to-`uint64_t` conversion, so scalable vector array types pass through unchecked.

A `byval` attribute typed as `[2 x <vscale x 4 x i32>]` on an internal function argument is sufficient to reach the crash site.
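As an added illustration of the mechanism above (a self-contained model written for this report, not LLVM's code), the C++ below uses a stand-in `TypeSize` whose fixed-width conversion fails for scalable sizes, a shape-only guard that lets `[2 x <vscale x 4 x i32>]` through, and a hardened guard that also rejects scalable store sizes. All type names and helpers here are assumptions; in LLVM proper the corresponding queries are `TypeSize::isScalable()` and `TypeSize::getFixedValue()`.

```cpp
#include <cstdint>
#include <memory>
#include <optional>

// Stand-in for LLVM's TypeSize: a byte count that may be scaled by the runtime
// vscale. This is a model for this report, not LLVM's own class.
struct TypeSize {
  uint64_t MinValue;
  bool Scalable;
  // Mirrors the conversion at the reported crash site: LLVM's
  // operator ScalarTy() raises a fatal error for a scalable size.
  std::optional<uint64_t> asFixed() const {
    if (Scalable) return std::nullopt; // where LLVM would abort
    return MinValue;
  }
};

// Model of the type shapes involved: integer, (scalable) vector, array.
struct Ty {
  enum Kind { Int, Vector, Array } K;
  uint64_t Bits = 0;        // Int: width in bits
  uint64_t Count = 0;       // Vector/Array: (minimum) element count
  bool Scalable = false;    // Vector: <vscale x N x T>
  std::shared_ptr<Ty> Elem; // Vector/Array: element type
};
using TyPtr = std::shared_ptr<Ty>;

TyPtr intTy(uint64_t Bits) { return std::make_shared<Ty>(Ty{Ty::Int, Bits}); }
TyPtr vecTy(uint64_t N, bool Scalable, TyPtr E) {
  return std::make_shared<Ty>(Ty{Ty::Vector, 0, N, Scalable, E});
}
TyPtr arrTy(uint64_t N, TyPtr E) {
  return std::make_shared<Ty>(Ty{Ty::Array, 0, N, false, E});
}

// Store size in bytes; scalability propagates from any scalable vector inside.
TypeSize storeSize(const Ty &T) {
  if (T.K == Ty::Int) return {(T.Bits + 7) / 8, false};
  TypeSize E = storeSize(*T.Elem); // Vector or Array element
  return {E.MinValue * T.Count, E.Scalable || T.Scalable};
}

// Shape-only guard in the spirit of the isDenselyPacked check discussed above:
// it recurses to the scalar base type and never asks whether the size is scalable.
bool denselyPackedShapeOnly(const Ty &T) {
  if (T.K == Ty::Int) return T.Bits % 8 == 0;
  return denselyPackedShapeOnly(*T.Elem);
}

// Hardened guard: additionally reject a scalable store size, so the later
// fixed-width conversion can never fail.
bool privatizableSize(const Ty &T) {
  return denselyPackedShapeOnly(T) && !storeSize(T).Scalable;
}
```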

## Proof of concept

[https://godbolt.org/z/s5876o8nK](https://godbolt.org/z/s5876o8nK)

```llvm
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"

define internal void @callee(ptr byval([2 x <vscale x 4 x i32>]) %arg) {
entry:
  %val = load [2 x <vscale x 4 x i32>], ptr %arg
  ret void
}

define void @caller() {
entry:
  %a = alloca [2 x <vscale x 4 x i32>]
  call void @callee(ptr byval([2 x <vscale x 4 x i32>]) %a)
  ret void
}
```

Stack trace:
```
LLVM ERROR: Cannot implicitly convert a scalable size to a fixed-width size in `TypeSize::operator ScalarTy()`
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace and instructions to reproduce the bug.
Stack dump:
0.	Program arguments: /opt/compiler-explorer/clang-trunk/bin/opt -o /app/output.s -S -passes=attributor <source>
1.	Running pass "attributor" on module "<source>"
 #0 0x00000000053b18e8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-trunk/bin/opt+0x53b18e8)
 #1 0x00000000053aea24 SignalHandler(int, siginfo_t*, void*) Signals.cpp:0:0
 #2 0x00007dc34b242520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #3 0x00007dc34b2969fc pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
 #4 0x00007dc34b242476 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x42476)
 #5 0x00007dc34b2287f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
 #6 0x0000000000833087 llvm::json::operator==(llvm::json::Value const&, llvm::json::Value const&) (.cold) JSON.cpp:0:0
 #7 0x00000000052e3109 (/opt/compiler-explorer/clang-trunk/bin/opt+0x52e3109)
 #8 0x0000000002ec3d40 (anonymous namespace)::AADereferenceableImpl::initialize(llvm::Attributor&) AttributorAttributes.cpp:0:0
 #9 0x0000000002ec412d (anonymous namespace)::AADereferenceableImpl::initialize(llvm::Attributor&) AttributorAttributes.cpp:0:0
#10 0x0000000002e419c8 llvm::AADereferenceable const* llvm::Attributor::getOrCreateAAFor<llvm::AADereferenceable>(llvm::IRPosition, llvm::AbstractAttribute const*, llvm::DepClassTy, bool, bool) (/opt/compiler-explorer/clang-trunk/bin/opt+0x2e419c8)
#11 0x0000000002e43096 llvm::Attributor::identifyDefaultAbstractAttributes(llvm::Function&) (.part.0) Attributor.cpp:0:0
#12 0x0000000002e9248b (anonymous namespace)::AAIsDeadFunction::initialize(llvm::Attributor&) AttributorAttributes.cpp:0:0
#13 0x0000000002e33c98 llvm::AAIsDead const* llvm::Attributor::getOrCreateAAFor<llvm::AAIsDead>(llvm::IRPosition, llvm::AbstractAttribute const*, llvm::DepClassTy, bool, bool) (/opt/compiler-explorer/clang-trunk/bin/opt+0x2e33c98)
#14 0x0000000002e42bfe llvm::Attributor::identifyDefaultAbstractAttributes(llvm::Function&) (.part.0) Attributor.cpp:0:0
#15 0x0000000002e4f93b runAttributorOnFunctions(llvm::InformationCache&, llvm::SetVector<llvm::Function*, llvm::SmallVector<llvm::Function*, 0u>, llvm::DenseSet<llvm::Function*, llvm::DenseMapInfo<llvm::Function*, void>>, 0u>&, llvm::AnalysisGetter&, llvm::CallGraphUpdater&, bool, bool) (.part.0) Attributor.cpp:0:0
#16 0x0000000002e50235 llvm::AttributorPass::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-trunk/bin/opt+0x2e50235)
#17 0x0000000002cee87e llvm::detail::PassModel<llvm::Module, llvm::AttributorPass, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-trunk/bin/opt+0x2cee87e)
#18 0x00000000051249f7 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-trunk/bin/opt+0x51249f7)
#19 0x00000000009825ba llvm::runPassPipeline(llvm::StringRef, llvm::Module&, llvm::TargetMachine*, llvm::TargetLibraryInfoImpl*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::StringRef, llvm::ArrayRef<llvm::PassPlugin>, llvm::ArrayRef<std::function<void (llvm::PassBuilder&)>>, llvm::opt_tool::OutputKind, llvm::opt_tool::VerifierKind, bool, bool, bool, bool, bool, bool, bool, bool) (/opt/compiler-explorer/clang-trunk/bin/opt+0x9825ba)
#20 0x0000000000975b4f optMain (/opt/compiler-explorer/clang-trunk/bin/opt+0x975b4f)
#21 0x00007dc34b229d90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#22 0x00007dc34b229e40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#23 0x000000000096e335 _start (/opt/compiler-explorer/clang-trunk/bin/opt+0x96e335)
Program terminated with signal: SIGSEGV
Compiler returned: 139
```

_______________________________________________
llvm-bugs mailing list
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs