[Analysis] improve function signature checking for snprintf

The check for size_t parameter 1 was already here for snprintf_chk, but it wasn't applied to regular snprintf. This could lead to mismatching and eventually crashing as shown in: https://llvm.org/PR50885 (cherry picked from commit 7f55557)
llvm · Aug 3, 2021 · d6974c0 · d6974c0
1 parent 60c388a
commit d6974c0
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/llvm/lib/Analysis/TargetLibraryInfo.cpp b/llvm/lib/Analysis/TargetLibraryInfo.cpp
@@ -893,9 +893,10 @@ bool TargetLibraryInfoImpl::isValidProtoForLibFunc(const FunctionType &FTy,
            FTy.getReturnType()->isIntegerTy(32);
 
   case LibFunc_snprintf:
-    return (NumParams == 3 && FTy.getParamType(0)->isPointerTy() &&
-            FTy.getParamType(2)->isPointerTy() &&
-            FTy.getReturnType()->isIntegerTy(32));
+    return NumParams == 3 && FTy.getParamType(0)->isPointerTy() &&
+           IsSizeTTy(FTy.getParamType(1)) &&
+           FTy.getParamType(2)->isPointerTy() &&
+           FTy.getReturnType()->isIntegerTy(32);
 
   case LibFunc_snprintf_chk:
     return NumParams == 5 && FTy.getParamType(0)->isPointerTy() &&

diff --git a/llvm/test/Transforms/InstCombine/simplify-libcalls.ll b/llvm/test/Transforms/InstCombine/simplify-libcalls.ll
@@ -217,6 +217,18 @@ define double @fake_ldexp_16(i16 %x) {
   ret double %z
 }
 
+; PR50885 - this would crash in ValueTracking.
+
+declare i32 @snprintf(i8*, double, i32*)
+
+define i32 @fake_snprintf(i32 %buf, double %len, i32 * %str) {
+; CHECK-LABEL: @fake_snprintf(
+; CHECK-NEXT:    [[CALL:%.*]] = call i32 @snprintf(i8* undef, double [[LEN:%.*]], i32* [[STR:%.*]])
+; CHECK-NEXT:    ret i32 [[CALL]]
+;
+  %call = call i32 @snprintf(i8* undef, double %len, i32* %str)
+  ret i32 %call
+}
 
 attributes #0 = { nobuiltin }
 attributes #1 = { builtin }