Package: gcc-11
Version: 11.5.0-7
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu resolute ubuntu-patch
Dear Maintainer,
This bug causes data corruption in ARM64 code compiled with Scalable Vector
Extensions (SVE) enabled for a 256-bit SVE processor but executed on 128-bit
SVE processors.
An example is an AWS workload built for Graviton3 but executed on Graviton4.
When the compiler was compiling the ~ConstA (NOT ConstA) expression to compute
the index into the vector, it was actually computing -ConstA (minus ConstA),
e.g. for ~4 it produced -4 instead of -5.
Graviton4 processes a 256-bit vector in two passes. For the second pass it
runs into this bug when computing indices into the second half of the vector
and ends up with {-4, -5, -6, -7}, processing the last element of the first
half twice and never touching the last element of the vector.
This data corruption may cause data loss, failing checksums, and potentially
security issues.
The upstream patch fixes the typo that caused this corruption.
In Ubuntu, the attached patch was applied to achieve the following:
* d/p/pr118976.diff: Fix memory corruption when executing 256-bit
Scalable Vector Extensions code on 128-bit CPUs (LP: #2101084).
Thanks for considering the patch.
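
The arithmetic described in this report, as an added C sketch that is not part of the report or of GCC: `poly2`, `poly_not`, `poly_neg` and `touch_counts` are names made up here, and the two-pass backward walk is a simplified model of the description above, not the compiler's generated code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two-coefficient constant c0 + c1*x, where x is only known at run time
   (a simplified stand-in for GCC's poly_int64; the names are ours). */
typedef struct { int64_t c0, c1; } poly2;

/* Unary minus: negate every coefficient. */
static poly2 poly_neg(poly2 p) { return (poly2){ -p.c0, -p.c1 }; }

/* Bitwise NOT: ~v == -1 - v, so only the constant term absorbs the -1. */
static poly2 poly_not(poly2 p) { return (poly2){ -1 - p.c0, -p.c1 }; }

static int64_t poly_eval(poly2 p, int64_t x) { return p.c0 + p.c1 * x; }

enum { LANES = 4, ELEMS = 8 };

/* Count how often each of ELEMS elements is touched when two 4-lane passes
   walk the array backwards from its end. Pass 0 starts at ~0, pass 1 at the
   folded value of ~4; each lane then steps down by one.
   buggy != 0 folds the second start with '-' instead of '~'. */
static void touch_counts(int buggy, int counts[ELEMS])
{
    memset(counts, 0, ELEMS * sizeof counts[0]);
    for (int pass = 0; pass < 2; pass++) {
        poly2 first = { pass * LANES, 0 };   /* plain constant: c1 == 0 */
        poly2 folded = (buggy && pass == 1) ? poly_neg(first)
                                            : poly_not(first);
        int64_t start = poly_eval(folded, 0);
        for (int lane = 0; lane < LANES; lane++) {
            int64_t idx = start - lane;      /* negative: counted from the end */
            counts[ELEMS + idx]++;
        }
    }
}

int main(void)
{
    int ok[ELEMS], bad[ELEMS];
    touch_counts(0, ok);
    touch_counts(1, bad);
    for (int i = 0; i < ELEMS; i++)
        printf("elem %d: fixed=%d buggy=%d\n", i, ok[i], bad[i]);
    return 0;
}
```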
-- System Information:
Debian Release: forky/sid
APT prefers questing-updates
APT policy: (500, 'questing-updates'), (500, 'questing-security'), (500,
'questing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.17.0-7-generic (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru gcc-11-11.5.0/debian/patches/pr118976.diff
gcc-11-11.5.0/debian/patches/pr118976.diff
--- gcc-11-11.5.0/debian/patches/pr118976.diff 1970-01-01 12:00:00.000000000
+1200
+++ gcc-11-11.5.0/debian/patches/pr118976.diff 2025-12-18 15:22:44.000000000
+1300
@@ -0,0 +1,60 @@
+From: Richard Sandiford <[email protected]>
+Date: Tue, 4 Mar 2025 10:44:35 +0000
+Subject: Fix folding of BIT_NOT_EXPR for POLY_INT_CST [PR118976]
+
+There was an embarrassing typo in the folding of BIT_NOT_EXPR for
+POLY_INT_CSTs: it used - rather than ~ on the poly_int. Not sure
+how that happened, but it might have been due to the way that
+~x is implemented as -1 - x internally.
+
+gcc/
+ PR tree-optimization/118976
+ * fold-const.cc (const_unop): Use ~ rather than - for BIT_NOT_EXPR.
+ * config/aarch64/aarch64.cc (aarch64_test_sve_folding): New function.
+ (aarch64_run_selftests): Run it.
+
+Bug-Ubuntu: https://launchpad.net/bugs/2101084
+Origin: backport,
https://gcc.gnu.org/g:78380fd7f743e23dfdf013d68a2f0347e1511550
+
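Review bot: The ChangeLog entries in this patch header name fold-const.cc and config/aarch64/aarch64.cc, while the diff that follows modifies src/gcc/fold-const.c and src/gcc/config/aarch64/aarch64.c. The Origin field already marks this as a backport, so one extra header line saying the file names were adjusted for the gcc-11 tree would keep the description and the diff in agreement.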
+diff --git a/src/gcc/config/aarch64/aarch64.c
b/src/gcc/config/aarch64/aarch64.c
+index 391a93f30..00fc7355a 100644
+--- a/src/gcc/config/aarch64/aarch64.c
++++ b/src/gcc/config/aarch64/aarch64.c
+@@ -26136,6 +26136,16 @@ aarch64_test_fractional_cost ()
+ ASSERT_EQ (cf (1, 2).as_double (), 0.5);
+ }
+
++/* Test SVE arithmetic folding. */
++
++static void
++aarch64_test_sve_folding ()
++{
++ tree res = fold_unary (BIT_NOT_EXPR, ssizetype,
++ ssize_int (poly_int64 (1, 1)));
++ ASSERT_TRUE (operand_equal_p (res, ssize_int (poly_int64 (-2, -1))));
++}
++
+ /* Run all target-specific selftests. */
+
+ static void
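Review bot: aarch64_test_sve_folding checks a single input, poly_int64 (1, 1), so the only thing it pins down is the result (-2, -1). Consider a second assertion with a zero constant term, for example poly_int64 (0, 1) expected to fold to (-1, -1), so that the -1 contributed by the "-1 - x" form in the commit message is tested on its own. A compile-and-run test for the miscompiled index sequence would also be useful, since the patch adds only this selftest.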
+@@ -26143,6 +26153,7 @@ aarch64_run_selftests (void)
+ {
+ aarch64_test_loading_full_dump ();
+ aarch64_test_fractional_cost ();
++ aarch64_test_sve_folding ();
+ }
+
+ } // namespace selftest
+diff --git a/src/gcc/fold-const.c b/src/gcc/fold-const.c
+index 5b4053df5..cb05243bb 100644
+--- a/src/gcc/fold-const.c
++++ b/src/gcc/fold-const.c
+@@ -1791,7 +1791,7 @@ const_unop (enum tree_code code, tree type, tree arg0)
+ if (TREE_CODE (arg0) == INTEGER_CST)
+ return fold_not_const (arg0, type);
+ else if (POLY_INT_CST_P (arg0))
+- return wide_int_to_tree (type, -poly_int_cst_value (arg0));
++ return wide_int_to_tree (type, ~poly_int_cst_value (arg0));
+ /* Perform BIT_NOT_EXPR on each element individually. */
+ else if (TREE_CODE (arg0) == VECTOR_CST)
+ {
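Review bot: In the POLY_INT_CST_P branch of const_unop the fixed line differs from the old one only by ~ versus -, and nothing next to it says why the two are not interchangeable. A one-line comment such as "~x is -1 - x, so the constant coefficient also changes" would match the commented VECTOR_CST branch just below and make a repeat of this typo easier to catch in review.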
diff -Nru gcc-11-11.5.0/debian/rules.patch gcc-11-11.5.0/debian/rules.patch
--- gcc-11-11.5.0/debian/rules.patch 2025-09-11 20:33:14.000000000 +1200
+++ gcc-11-11.5.0/debian/rules.patch 2025-12-18 15:22:44.000000000 +1300
@@ -78,6 +78,7 @@
libphobos-ppc64el \
gcc-hppa-build-fix \
libphobos-sparc64 \
+ pr118976 \
# with glibc (>= 2.31)
ifeq (,$(filter $(distrelease),wheezy jessie stretch buster precise xenial
bionic))