Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix use of uninitialized memory for Vector3 constants #74857

Merged
merged 5 commits into from
Aug 31, 2022

Conversation

jkotas
Copy link
Member

@jkotas jkotas commented Aug 31, 2022

Found while investigating #72149.

In a good case, it made the size and content of readonly data non-deterministic.
In a bad case, it exposed downstream bugs like #72149 intermittently.

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label Aug 31, 2022
@ghost ghost assigned jkotas Aug 31, 2022
@ghost
Copy link

ghost commented Aug 31, 2022

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Issue Details

null

Author: jkotas
Assignees: -
Labels:

area-CodeGen-coreclr

Milestone: -

@EgorBo
Copy link
Member

EgorBo commented Aug 31, 2022

I wonder if it should always be zero in the first place, it looks like that field is not zero-initialized when GenTreeVecCon is created

GenTreeVecCon(var_types type, CorInfoType simdBaseJitType)
: GenTree(GT_CNS_VEC, type), gtSimdBaseJitType((unsigned char)simdBaseJitType)

and e.g. here it gets a garbage value in the 4th element:

GenTreeVecCon* vecCon = gtNewVconNode(tree->TypeGet(), CORINFO_TYPE_FLOAT);
vecCon->gtSimd12Val = value;
since we create a non-zero initialized veccon tree and set only 12 bytes

@jakobbotsch
Copy link
Member

jakobbotsch commented Aug 31, 2022

It is technically UB to access the inactive union member there, so I think the code should rather be changed to access gtSimd12Val and widen it explicitly. There is a similar occurrence in instr.cpp it seems.

@jkotas
Copy link
Member Author

jkotas commented Aug 31, 2022

I wonder if it should always be zero in the first place, it looks like that field is not zero-initialized when GenTreeVecCon is created

I am not following. The line that you have highlighted is initializing gtSimdBaseJitType field. This PR is fixing uninitialized value of gtSimd*Val field.

jkotas and others added 2 commits August 31, 2022 07:21
Co-authored-by: Jakob Botsch Nielsen <Jakob.botsch.nielsen@gmail.com>
@jakobbotsch
Copy link
Member

This should get the same fix:

case TYP_SIMD12:
case TYP_SIMD16:
{
simd16_t constValue = op->AsVecCon()->gtSimd16Val;
return OperandDesc(emit->emitSimd16Const(constValue));
}

@jkotas
Copy link
Member Author

jkotas commented Aug 31, 2022

/backport to release/7.0

@github-actions
Copy link
Contributor

Started backporting to release/7.0: https://github.com/dotnet/runtime/actions/runs/2965504715

@jkotas jkotas merged commit 02e144e into dotnet:main Aug 31, 2022
@jkotas jkotas deleted the vector3-uninitialized branch August 31, 2022 18:27
@EgorBo
Copy link
Member

EgorBo commented Aug 31, 2022

I am not following. The line that you have highlighted is initializing gtSimdBaseJitType field.

@jkotas That's the point - it doesn't initialize gtSimd32Val there leaving, potentially, garbage in it, does it?

@jkotas
Copy link
Member Author

jkotas commented Aug 31, 2022

it doesn't initialize gtSimd32Val there leaving, potentially, garbage in it, does it?

Right. The type of the tree is TYP_SIMD12, so one can naturally expect that the value is stored in gtSimd12Val field.

I think it would be unnatural to require that the top 4 bytes of gtSimd16Val field have to be initialized for TYP_SIMD12 values.

@ghost ghost locked as resolved and limited conversation to collaborators Sep 30, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants