commit 6f572b7adbbfca19f978cb188f46fb8ad9d880de
author Florian Mayer <fmayer@google.com> Mon Jan 10 13:03:57 2022 -0800
committer Florian Mayer <fmayer@google.com> Tue Jan 11 17:04:41 2022 +0000
tree 99cffbe02e9b6b1f69d5e8d43f20bf9e51698117
parent 14d071c03b3aea353e21bd9ccd4f89337c38bd76

Fix out of range in art compiler.

We didn't check for zero offset before, and also we decremented by 4
INSTRUCTIONS rather than 4 bytes (= one instruction), because we
decremented the pointer of type Instruction*.

Test: run 550-checker-multiply-accumulate
      fails without this change under flame_hwasan
      passes with this change

Bug: 213931282
Change-Id: I51021e75de844b7126d503d562258887550430f8

compiler/optimizing/code_generator_arm64.cc

diff --git a/compiler/optimizing/code_generator_arm64.cc b/compiler/optimizing/code_generator_arm64.cc
index 6272276..1002f2c 100644
--- a/compiler/optimizing/code_generator_arm64.cc
+++ b/compiler/optimizing/code_generator_arm64.cc
@@ -2530,9 +2530,9 @@
   if (instr->GetType() == DataType::Type::kInt64 &&
       codegen_->GetInstructionSetFeatures().NeedFixCortexA53_835769()) {
     MacroAssembler* masm = down_cast<CodeGeneratorARM64*>(codegen_)->GetVIXLAssembler();
-    vixl::aarch64::Instruction* prev =
-        masm->GetCursorAddress<vixl::aarch64::Instruction*>() - kInstructionSize;
-    if (prev->IsLoadOrStore()) {
+    ptrdiff_t off = masm->GetCursorOffset();
+    if (off >= static_cast<ptrdiff_t>(kInstructionSize) &&
+        masm->GetInstructionAt(off - static_cast<ptrdiff_t>(kInstructionSize))->IsLoadOrStore()) {
       // Make sure we emit only exactly one nop.
       ExactAssemblyScope scope(masm, kInstructionSize, CodeBufferCheckScope::kExactSize);
       __ nop();