zeux wrote: Here's a slightly smaller reproducer that just reads one element from the array. Similarly, this crashes because the compiler generates a load from an absolute `-1` address. The crash is after the first `printf` call in this case, during the computation of the argument to the second `printf` call. (The code is fairly nonsensical in this revision, but maybe it helps to analyze this!)
// Reduced reproducer posted to the cfe-commits thread for
// https://github.com/llvm/llvm-project/pull/107257.  The accompanying message
// describes the observed crash; the code is kept exactly as posted because its
// precise shape is what triggers the compiler behaviour under discussion.
#include <stdio.h>
#include <stdint.h>
#include <string.h>

// Fixed-capacity byte buffer that copies as much of a C string as fits.
// Every member is public; this is a reproducer, not a reusable class.
class xml_buffered_writer
{
public:
    xml_buffered_writer(): bufsize(0)
    {
    }

    // Copy bytes of `data` into `buffer` starting at `bufsize` until either the
    // string ends or the buffer is full.  When the buffer fills up, print how
    // many bytes this call copied and the last byte copied.  In this reduced
    // version the bytes of `data` that did not fit are not written anywhere.
    // `noinline` presumably keeps the function out of line for the reproducer.
    __attribute__((noinline)) void write_string(const char* data)
    {
        // write the part of the string that fits in the buffer
        size_t offset = bufsize;

        while (*data && offset < bufcapacity)
            buffer[offset++] = *data++;

        // write the rest
        if (offset < bufcapacity)
        {
            bufsize = offset;
        }
        else
        {
            // backtrack a bit if we have split the codepoint
            size_t length = offset - bufsize;       // bytes copied by this call
            const char* data_back = data - length;  // start of the copied span

            printf("length %d\n", int(length));
            // NOTE(review): if the buffer is already full on entry, the loop
            // copies nothing, `length` is 0 and `length-1` wraps (size_t), so
            // this indexes one byte before `data` -- an out-of-bounds read.
            // That path is not reached by the `main` below (single call from
            // an empty buffer, length == 16).  The message above reports the
            // crash while evaluating this argument even in the reachable case.
            printf("last char %c\n", data_back[length-1]);

            bufsize = offset;
        }
    }

    enum { bufcapacity = 16 };

    char buffer[bufcapacity];   // raw bytes; no terminating NUL is ever written
    size_t bufsize;             // number of valid bytes currently in `buffer`
};

int main()
{
    xml_buffered_writer writer;

    // 26 bytes into a 16-byte buffer: takes the "buffer full" branch above.
    writer.write_string("abcdefghijklmnopqrstuvwxyz");

    printf("\n");
}