Issue 185358
Summary [MC][AArch64] Clang crashes when assembling Apple AArch64 `scvtf`/`ucvtf` and `ext` with symbol as immediate operand
Labels clang
Assignees
Reporter venkyqz
    

## Summary

`llvm-mc` (debug build) crashes with assertion failures when assembling AArch64 fixed-point conversion instructions (`scvtf`, `ucvtf`) or the `ext` SIMD extract instruction with a register-name symbol as an immediate operand, using Apple AArch64 target triples. The release build silently succeeds and emits instructions with wrong bit-patterns.

---

## Reproduction

### `scvtf` / `ucvtf` Fixed-Point Conversion
**Godbolt Link**
+ https://godbolt.org/z/8r4casbqv

**Commands:**

```bash
# The invocation is identical in both cases; only the llvm-mc build differs
# (assertions enabled in the debug build, disabled in the release build).

# Debug build - crashes with an assertion failure
echo ".text; scvtf s0, w0, f0" | llvm-mc - \
  --arch=aarch64 --triple=arm64-apple-macosx12.0 --filetype=obj -o /dev/null
# Exit 134 (SIGABRT), assertion failed

# Release build - silent miscompilation
echo ".text; scvtf s0, w0, f0" | llvm-mc - \
  --arch=aarch64 --triple=arm64-apple-macosx12.0 --filetype=obj -o /dev/null
# Exit 0, emits a wrong encoding instead of a diagnostic
```

### `ext` SIMD Vector Extract

```bash
# Debug Build - Crashes with assertion
echo ".text; ext v0.8b, v1.8b, v2.8b, f0" | llvm-mc - \
  --arch=aarch64 --triple=arm64-apple-macosx12.0 --filetype=obj -o /dev/null
# Exit 134, Assertion failed
```

**Debug Build Output:**

```
llvm-mc: llvm/lib/Target/AArch64/MCTargetDesc/AArch64MCCodeEmitter.cpp:500:
uint32_t {anonymous}::AArch64MCCodeEmitter::getFixedPointScaleOpValue(...) const:
Assertion `MO.isImm() && "Expected an immediate value for the scale amount!"' failed.
```

---

## Root Cause

The AArch64 assembler operand types `fixedpoint_recip_i32` and `fixedpoint_recip_i64` have no `ParserMatchClass` in `AArch64InstrFormats.td`, so the parser accepts any symbol (like floating-point register name `f0`) as the fixed-point scale immediate. When the MCCodeEmitter encodes the instruction, `getFixedPointScaleOpValue` asserts `MO.isImm()`, which fails because the operand is an `MCSymbolRefExpr`.

For `ext`, the immediate byte-index operand (`i32imm` type) similarly lacks validation to reject symbol references before they reach `getMachineOpValue`, which asserts "did not expect relocated expression".

**Assertion sites (`AArch64MCCodeEmitter.cpp`):**

```cpp
// Line 500 - getFixedPointScaleOpValue
assert(MO.isImm() && "Expected an immediate value for the scale amount!");

// Line 239 - getMachineOpValue (for ext)
assert(!MO.isExpr() && "did not expect relocated expression");
```
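To make the encoder's contract concrete, the following is an added example, not LLVM code and not part of the original report. The bit layouts follow the Arm ARM A64 encodings for the scalar fixed-point conversions (`scvtf`/`ucvtf`) and vector `ext`, where the scale field is stored as `64 - fbits` and the `ext` index is stored directly in `imm4`; half-precision destinations are deliberately not modelled. It shows what the assembler should do at the parser stage: accept only a literal immediate for the scale or byte-index operand and turn a register-name symbol such as `f0` into a diagnostic instead of an `MCSymbolRefExpr` that survives to the encoder. It also decodes an emitted fixed-point conversion word and range-checks the scale field against the source register width, one way to catch a bad encoding from a release build that exited 0. All helper names (`assemble`, `encode_cvtf_fixed`, `encode_ext`, `decode_fixed_point_fbits`, `rejects`) are this example's own.

```python
# Added example (not LLVM code): reference encoder for the two instruction
# forms in this report, the operand check the parser should perform, and a
# decoder that validates the scale field of an emitted word.
import re

FTYPE = {"s": 0b00, "d": 0b01}   # ftype field for S and D destinations (no half)
SRC_BITS = {"w": 32, "x": 64}    # width of the general-purpose source register


def reg_num(name):
    """'w19' -> 19, 'v2' -> 2. Anything else is not a numbered register."""
    m = re.fullmatch(r"[wxsdv](\d{1,2})", name)
    if not m or int(m.group(1)) > 31:
        raise SyntaxError(f"expected a register, got '{name}'")
    return int(m.group(1))


def fixed_point_scale(fbits, src_bits):
    """A64 scale field = 64 - fbits. Valid fbits: 1..32 for W, 1..64 for X."""
    if not 1 <= fbits <= src_bits:
        raise ValueError(f"fbits {fbits} out of range 1..{src_bits}")
    return 64 - fbits


def encode_cvtf_fixed(mnemonic, fd, rn, fbits):
    """scvtf/ucvtf <Sd|Dd>, <Wn|Xn>, #fbits -> 32-bit encoding.
    Layout: sf 0 0 11110 ftype 0 rmode=00 opcode scale(15:10) Rn Rd."""
    opcode = {"scvtf": 0b010, "ucvtf": 0b011}[mnemonic]
    src_bits = SRC_BITS[rn[0]]
    sf = 1 if src_bits == 64 else 0
    scale = fixed_point_scale(fbits, src_bits)
    return ((sf << 31) | (0b11110 << 24) | (FTYPE[fd[0]] << 22) | (opcode << 16)
            | (scale << 10) | (reg_num(rn) << 5) | reg_num(fd))


def encode_ext(arrangement, rd, rn, rm, index):
    """ext <Vd>.<T>, <Vn>.<T>, <Vm>.<T>, #index with T in {8b, 16b}.
    Layout: 0 Q 101110 00 0 Rm 0 imm4(14:11) 0 Rn Rd."""
    q = {"8b": 0, "16b": 1}[arrangement]
    if not 0 <= index < (8 << q):          # 0..7 for .8b, 0..15 for .16b
        raise ValueError(f"index {index} out of range for .{arrangement}")
    return (q << 30) | (0b101110 << 24) | (rm << 16) | (index << 11) | (rn << 5) | rd


IMM = re.compile(r"#?(0[xX][0-9a-fA-F]+|\d+)")


def immediate_operand(text):
    """The check the parser should apply to the last operand: only a literal
    immediate is acceptable. A symbol (e.g. the register name f0) is a
    syntax error here, so it never reaches the MCCodeEmitter assertions."""
    m = IMM.fullmatch(text.strip())
    if not m:
        raise SyntaxError(f"expected an immediate, got symbol '{text.strip()}'")
    return int(m.group(1), 0)


def assemble(line):
    """Assemble one instruction of the forms in this report; returns the word."""
    mnemonic, rest = line.strip().split(None, 1)
    ops = [o.strip() for o in rest.split(",")]
    if mnemonic in ("scvtf", "ucvtf"):
        fd, rn, imm = ops
        return encode_cvtf_fixed(mnemonic, fd, rn, immediate_operand(imm))
    if mnemonic == "ext":
        regs = [r.split(".") for r in ops[:3]]
        rd, rn, rm = (reg_num(r[0]) for r in regs)
        return encode_ext(regs[0][1], rd, rn, rm, immediate_operand(ops[3]))
    raise ValueError(f"unsupported mnemonic '{mnemonic}'")


def rejects(line):
    """True if the parser-level check refuses the line (the desired behaviour
    for 'scvtf s0, w0, f0' and friends)."""
    try:
        assemble(line)
    except (SyntaxError, ValueError):
        return True
    return False


def decode_fixed_point_fbits(word):
    """Recover #fbits from an emitted scvtf/ucvtf fixed-point word and check it
    against the source width. Run this over the words a release-build
    assembler produced: a scale field outside the legal range is a sign that
    something other than an immediate was encoded."""
    if (word >> 24) & 0x7F != 0x1E or (word >> 21) & 1:
        raise ValueError("not a fixed-point conversion encoding")
    src_bits = 64 if word >> 31 else 32
    fbits = 64 - ((word >> 10) & 0x3F)
    if not 1 <= fbits <= src_bits:
        raise ValueError(f"scale encodes fbits={fbits}, invalid for {src_bits}-bit source")
    return fbits
```

The decoder only checks internal consistency of the scale field; comparing the emitted word against `assemble()` of the same line with a numeric immediate is the stronger check when the intended immediate is known.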

---

## Impact

| Build Type | Behavior | Security Risk |
|------------|----------|---------------|
| Debug | Assertion failure (Exit 134) | Detectable |
| Release | Silent miscompilation (Exit 0) | **Undetectable in CI/CD** |

**Affected Instructions:**

| Instruction | Triple | Debug exit code | Release exit code |
|-------------|--------|-----------------|-------------------|
| `scvtf s0, w0, f0` | `arm64-apple-macosx*` | 134 | 0 |
| `scvtf d0, w0, f0` | `arm64-apple-macosx*` | 134 | 0 |
| `ucvtf s0, w0, f0` | `arm64-apple-macosx*` | 134 | 0 |
| `ucvtf d0, x0, f0` | `arm64-apple-macosx*` | 134 | 0 |
| `ext v0.8b, v1.8b, v2.8b, f0` | `arm64-apple-macosx*` | 134 | 0 |
| `ext v0.16b, v1.16b, v2.16b, f0` | `arm64-apple-macosx*` | 134 | 0 |

**Affected Apple Triples:**
- `arm64-apple-macosx*`
- `arm64-apple-ios*`
- `arm64-apple-tvos*`
- `arm64-apple-watchos*`
_______________________________________________
llvm-bugs mailing list
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs