| commit | cd095a44db262351b09ea144a44b76e22d62c77a | |
| author | Quentin Carbonneaux <quentin@c9x.me> | |
| Mon, 8 Nov 2021 09:46:20 +0000 (8 10:46 +0100) | ||
| committer | Quentin Carbonneaux <quentin@c9x.me> | |
| Mon, 8 Nov 2021 10:29:36 +0000 (8 11:29 +0100) | ||
| tree | ab9489f2084a5ebced26504b03c85ec104369708 | treesnapshot (tar.gz zip) |
| parent | 0d68986b6f6aa046ab13776f39cc37b67b3477ba | commitdiff |
fix for sloppy reg->mem in arm64 abi
Michael found a bug where some copies
from registers to memory in the arm64
abi clobber the stack. The test case
is:
type :T = { w }
function w $f() {
@start
%p =:T call $g()
%x =w loadw %p
ret %x
}
qbe will write 4 bytes out of bounds
when pulling the result struct from
its register. The same bug can be
observed if :T's definition is {w 3};
in this case qbe writes 16 bytes in
a slot of 12 bytes.
This patch changes stkblob() to use
the rounded argument size if it is
going to be restored from registers.
Relatedly, mem->reg loads for structs
with size < 16 and != 8, are treated
a bit sloppily both in the arm64 and
in the sysv abis. That is much less
harmful than the present bug.
Michael found a bug where some copies
from registers to memory in the arm64
abi clobber the stack. The test case
is:
type :T = { w }
function w $f() {
@start
%p =:T call $g()
%x =w loadw %p
ret %x
}
qbe will write 4 bytes out of bounds
when pulling the result struct from
its register. The same bug can be
observed if :T's definition is {w 3};
in this case qbe writes 16 bytes in
a slot of 12 bytes.
This patch changes stkblob() to use
the rounded argument size if it is
going to be restored from registers.
Relatedly, mem->reg loads for structs
with size < 16 and != 8, are treated
a bit sloppily both in the arm64 and
in the sysv abis. That is much less
harmful than the present bug.
| arm64/abi.c | diffblobblamehistory |