authorAlon Zakai <alonzakai@gmail.com>2013-05-22 17:10:42 -0700
committerAlon Zakai <alonzakai@gmail.com>2013-05-22 17:23:40 -0700
commit70d0363b35113f5b1e374bde0fcbd9575635e612 (patch)
treee0a43b4a4e30bd76c6cb756c006b2a8dcc5db4ea
parentf290ae1c04a5e547cc3b20f5038e07e482833e62 (diff)
handle dynamic indexes properly, even out of bounds, for array gep lookups; fixes #865
-rw-r--r--src/parseTools.js24
-rw-r--r--tests/cases/oob_ta2.ll25
2 files changed, 39 insertions, 10 deletions
diff --git a/src/parseTools.js b/src/parseTools.js
index f30883b5..8639ba35 100644
--- a/src/parseTools.js
+++ b/src/parseTools.js
@@ -129,9 +129,13 @@ function isPointerType(type) {
return type[type.length-1] == '*';
}
+function isArrayType(type) {
+ return /^\[\d+\ x\ (.*)\]/.test(type);
+}
+
function isStructType(type) {
if (isPointerType(type)) return false;
- if (/^\[\d+\ x\ (.*)\]/.test(type)) return true; // [15 x ?] blocks. Like structs
+ if (isArrayType(type)) return true;
if (/<?{ ?[^}]* ?}>?/.test(type)) return true; // { i32, i8 } etc. - anonymous struct types
// See comment in isStructPointerType()
return type[0] == '%';
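Review bot: The new `isArrayType` matches on prefix only: its pattern has no end anchor and, unlike its call site in `isStructType`, no `isPointerType` guard, so a pointer-to-array string such as `[10 x i8]*` returns true. `isStructType` is unaffected because it rejects pointers first, but the direct call added in `getGetElementPtrIndexes` has no such guard; whether a pointer type string can reach it there is not visible in this diff. If no caller depends on prefix matching, anchor it with `return /^\[\d+\ x\ (.*)\]$/.test(type);`, and carry the dropped `// [15 x ?] blocks` comment over to the helper. The body of `isStructType` continues past the end of this hunk.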
@@ -1754,10 +1758,11 @@ function getGetElementPtrIndexes(item) {
indexes.push(getFastValue(Runtime.getNativeTypeSize(type), '*', offset, 'i32'));
}
}
- item.params.slice(2, item.params.length).forEach(function(arg) {
+ item.params.slice(2, item.params.length).forEach(function(arg, i) {
var curr = arg;
// TODO: If index is constant, optimize
var typeData = Types.types[type];
+ assert(typeData || i == item.params.length - 3); // can be null, when we get to the end (a basic type)
if (isStructType(type) && typeData.needsFlattening) {
if (typeData.flatFactor) {
indexes.push(getFastValue(curr, '*', typeData.flatFactor, 'i32'));
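Review bot: The added `assert(typeData || i == item.params.length - 3)` carries no message, and the same holds for `assert(isNumber(curr))` and `assert(type)` in the next hunk, so a GEP that trips one of them aborts compilation without naming the type or index involved. If the project's `assert` accepts a message argument, pass one, e.g. `assert(typeData || i == item.params.length - 3, 'no type data for ' + type + ' before the last GEP index');`. The assert also tolerates a null `typeData` on the last index while the very next line still reads `typeData.needsFlattening` whenever `isStructType(type)` is true. That is safe only if every struct-like type string has an entry in `Types.types`, which the hunk does not show. The enclosing function starts and ends outside this hunk.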
@@ -1773,16 +1778,15 @@ function getGetElementPtrIndexes(item) {
indexes.push(curr);
}
}
- if (!isNumber(curr) || parseInt(curr) < 0) {
- // We have a *variable* to index with, or a negative number. In both
- // cases, in theory we might need to do something dynamic here. FIXME?
- // But, most likely all the possible types are the same, so do that case here now...
- for (var i = 1; i < typeData.fields.length; i++) {
- assert(typeData.fields[0] === typeData.fields[i]);
+ if (typeData) {
+ if (isArrayType(type)) {
+ type = typeData.fields[0]; // all the same, so accept even out-of-bounds this way
+ } else {
+ assert(isNumber(curr)); // cannot be dynamic
+ type = typeData.fields[curr];
}
- curr = 0;
+ assert(type);
}
- type = typeData && typeData.fields[curr] ? typeData.fields[curr] : '';
});
var ret = getFastValues(indexes, '+', 'i32');
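Review bot: The array branch resolves the element type from `typeData.fields[0]` whatever the index is, so constant out-of-range and dynamic indexes now compile silently. Nothing visible in this hunk emits a bounds check or a diagnostic for them. That is consistent with the source language's semantics, but the one-line comment undersells it. I would expand it to something like `// array elements share one type, so the index (dynamic or out of range) never changes type resolution; the generated address is not bounds-checked`. For constant indexes the array length is already in the type string, so a compile-time warning would be cheap if the project wants one. The enclosing function starts and ends outside this hunk.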
diff --git a/tests/cases/oob_ta2.ll b/tests/cases/oob_ta2.ll
new file mode 100644
index 00000000..3c94c13c
--- /dev/null
+++ b/tests/cases/oob_ta2.ll
@@ -0,0 +1,25 @@
+; ModuleID = 'tests/hello_world.bc'
+target datalayout = "e-p:32:32:32-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:32:64-f32:32:32-f64:32:64-v64:64:64-v128:128:128-a0:0:64-f80:32:32-n8:16:32-S128"
+target triple = "i386-pc-linux-gnu"
+
+%structy = type { [2 x [10 x i8]] }
+
+@.str1 = private unnamed_addr constant [10 x i8] c"1234567890", align 1
+@.str2 = private unnamed_addr constant [10 x i8] c"wakawaka\0A\00", align 1
+@.stry = private unnamed_addr constant [2 x %structy] { %structy { [10 x i8] @.str1, [10 x i8] @.str2 }, %structy { [10 x i8] @.str1, [10 x i8] @.str2 } }
+
+@.str = private unnamed_addr constant [15 x i8] c"hello, world!\0A\00", align 1 ; [#uses=1 type=[15 x i8]*]
+
+; [#uses=0]
+define i32 @main(i32 %argc, i8** %argv) {
+entry:
+ %retval = alloca i32, align 4 ; [#uses=1 type=i32*]
+ store i32 0, i32* %retval
+ %ind = add i32 %argc, 13
+ %call = call i32 (i8*, ...)* @printf(i8* getelementptr inbounds ([2 x %structy]* @.stry, i32 0, i32 2, i32 0, i32 %ind))
+ %call2 = call i32 (i8*, ...)* @printf(i8* getelementptr inbounds ([15 x i8]* @.str, i32 0, i32 0)) ; [#uses=0 type=i32]
+ ret i32 1 ret i32 1
+}
+
+; [#uses=1]
+declare i32 @printf(i8*, ...)
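Review bot: The test file has no header comment saying what it guards, and its first `printf` deliberately reads through an out-of-bounds GEP (`i32 2` into `[2 x %structy]`, then `%ind` = argc + 13 into a 10-byte array). Whatever that call prints is undefined, so the case can only verify that compilation no longer asserts and that the later "hello, world!" line still appears. A leading comment such as `; regression test for #865: dynamic and out-of-bounds array GEP indexes must compile; output of the first printf is unspecified` would keep anyone from tightening the expected output later. As rendered here, one line reads `ret i32 1 ret i32 1`; if that is in the file and not a page artefact, it should be a single terminator.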