[clang] Fix crash in __builtin_strncmp and other related builtin functions

The implementation of __builtin_strncmp and other related builtins function use
getExtValue() to evaluate the size argument. This can cause a crash when the
value does not fit into an int64_t value, which is can be expected since the
type of the argument is size_t.

The fix is to switch to using getZExtValue().

This fixes: #64876

Differential Revision: https://reviews.llvm.org/D158557

Author: shafik

clang/docs/ReleaseNotes.rst

@@ -179,6 +179,9 @@ Bug Fixes in This Version
 - Clang now prints unnamed members in diagnostic messages instead of giving an
   empty ''. Fixes
   (`#63759 <https://github.com/llvm/llvm-project/issues/63759>`_)
+- Fix crash in __builtin_strncmp and related builtins when the size value
+  exceeded the maximum value representable by int64_t. Fixes
+  (`#64876 <https://github.com/llvm/llvm-project/issues/64876>`_)
 
 Bug Fixes to Compiler Builtins
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

clang/lib/AST/ExprConstant.cpp

@@ -9361,7 +9361,7 @@ bool PointerExprEvaluator::VisitBuiltinCallExpr(const CallExpr *E,
       APSInt N;
       if (!EvaluateInteger(E->getArg(2), N, Info))
         return false;
-      MaxLength = N.getExtValue();
+      MaxLength = N.getZExtValue();
     }
     // We cannot find the value if there are no candidates to match against.
     if (MaxLength == 0u)
@@ -12385,7 +12385,7 @@ bool IntExprEvaluator::VisitBuiltinCallExpr(const CallExpr *E,
       APSInt N;
       if (!EvaluateInteger(E->getArg(2), N, Info))
         return false;
-      MaxLength = N.getExtValue();
+      MaxLength = N.getZExtValue();
     }
 
     // Empty substrings compare equal by definition.

clang/test/CodeGen/gh64876.cpp

@@ -0,0 +1,16 @@
+// RUN: %clang_cc1 -triple x86_64 -S -emit-llvm -disable-llvm-passes -o - %s | FileCheck %s
+
+void f(const char* C, const wchar_t *WC) {
+  int x1 = __builtin_strncmp(C, "b", 0xffffffffffffffff);
+// CHECK: {{.*}}= call i32 @strncmp{{.*}}i64 noundef -1
+  int x2 = __builtin_memcmp(C, "b", 0xffffffffffffffff);
+// CHECK: {{.*}}= call i32 @memcmp{{.*}}i64 noundef -1
+  int x3 = __builtin_bcmp(C, "b", 0xffffffffffffffff);
+// CHECK: {{.*}}= call i32 @bcmp{{.*}}i64 noundef -1
+  int x4 = __builtin_wmemcmp(WC, L"b", 0xffffffffffffffff);
+// CHECK: {{.*}}= call i32 @wmemcmp{{.*}}i64 noundef -1
+  auto x5 = __builtin_memchr(C, (int)'a', 0xffffffffffffffff);
+// CHECK: {{.*}}= call ptr @memchr{{.*}}i64 noundef -1
+  auto x6 = __builtin_wmemchr(WC, (int)'a', 0xffffffffffffffff);
+// CHECK: {{.*}}= call ptr @wmemchr{{.*}}i64 noundef -1
+}

clang/test/SemaCXX/constexpr-string.cpp

@@ -676,3 +676,24 @@ namespace MemcpyEtc {
   }
   static_assert(test_address_of_incomplete_struct_type()); // expected-error {{constant}} expected-note {{in call}}
 }
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wconstant-conversion"
+namespace GH64876 {
+void f() {
+  __builtin_strncmp(0, 0, 0xffffffffffffffff);
+  __builtin_memcmp(0, 0, 0xffffffffffffffff);
+  __builtin_bcmp(0, 0, 0xffffffffffffffff);
+  __builtin_wmemcmp(0, 0, 0xffffffffffffffff);
+  __builtin_memchr((const void*)0, 1, 0xffffffffffffffff);
+  __builtin_wmemchr((const wchar_t*)0, 1, 0xffffffffffffffff);
+
+  __builtin_strncmp(0, 0, -511LL);
+  __builtin_memcmp(0, 0, -511LL);
+  __builtin_bcmp(0, 0, -511LL);
+  __builtin_wmemcmp(0, 0, -511LL);
+  __builtin_memchr((const void*)0, 1, -511LL);
+  __builtin_wmemchr((const wchar_t*)0, 1, -511LL);
+}
+}
+#pragma clang diagnostic pop