Skip to content

[libc][bug] Fix out of bound write in memcpy w/ software prefetching #90613

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

[libc][bug] Fix out of bound write in memcpy w/ software prefetching #90613

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b41ea8e
[libc][bug] Fix out of bound write in memcpy wi software prefetching
gchatelet Apr 30, 2024
2f7a53c
Fix code.
gchatelet May 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 14 additions & 2 deletions libc/src/string/memory_utils/x86_64/inline_memcpy.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,13 @@ inline_memcpy_x86_sse2_ge64_sw_prefetching(Ptr __restrict dst,
offset += K_THREE_CACHELINES;
}
}
return builtin::Memcpy<32>::loop_and_tail_offset(dst, src, count, offset);
// We don't use 'loop_and_tail_offset' because it assumes at least one
// iteration of the loop.
while (offset + 32 <= count) {
builtin::Memcpy<32>::block_offset(dst, src, offset);
offset += 32;
}
return builtin::Memcpy<32>::tail(dst, src, count);
}

[[maybe_unused]] LIBC_INLINE void
Expand Down Expand Up @@ -139,7 +145,13 @@ inline_memcpy_x86_avx_ge64_sw_prefetching(Ptr __restrict dst,
builtin::Memcpy<K_THREE_CACHELINES>::block_offset(dst, src, offset);
offset += K_THREE_CACHELINES;
}
return builtin::Memcpy<64>::loop_and_tail_offset(dst, src, count, offset);
// We don't use 'loop_and_tail_offset' because it assumes at least one
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is dead code. (return above). I'm surprised this was not caught by tests ?

Copy link
Contributor Author

@gchatelet gchatelet May 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code is obvioulsy wrong here. It's actually not fixing the out-of-bound write with software prefetchers for AVX. This code path is not tested because it depends on the LIBC_COPT_MEMCPY_X86_USE_SOFTWARE_PREFETCHING flag that is not activated for tests. We should be testing it but it depends on host runner hardware capabilities and so requires some more scaffolding.

Created #92089 to track this.

// iteration of the loop.
while (offset + 64 <= count) {
builtin::Memcpy<64>::block_offset(dst, src, offset);
offset += 64;
}
return builtin::Memcpy<64>::tail(dst, src, count);
}

[[maybe_unused]] LIBC_INLINE void
Expand Down