-Wframe-larger-than in drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp9_req_lat_if.c with ARCH=loongarch allmodconfig

[nathanchance]

Our continuous integration started seeing the following warning starting with Linux 6.9-rc1 and LLVM tip of tree (19.0.0):

$ make -skj"$(nproc)" ARCH=loongarch LLVM=1 allmodconfig drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp9_req_lat_if.o
drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp9_req_lat_if.c:1526:12: error: stack frame size (2400) exceeds limit (2048) in 'vdec_vp9_slice_update_prob' [-Werror,-Wframe-larger-than]
 1526 | static int vdec_vp9_slice_update_prob(struct vdec_vp9_slice_instance *instance,
      |            ^
1 error generated.

The Linux commit that "causes" this is 918327e9b7ff ("ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL"), which explains one of the factors for triggering this (it is specifically -fsanitize=array-bounds). cvise helped deduce that this is also exacerbated by -mstrict-align. I decided to bisect LLVM for why this is not visible with LLVM 18 and landed on llvm/llvm-project@90ba330 (that commit just keeps on giving :/), which somewhat makes sense I suppose.

For a "trivial" reproducer, cvise spits out:

enum { false, true } __read_overflow2_field(long, long);
struct v4l2_vp9_frame_context {
  char coef[4][2][2][6][6][3];
  char inter_mode[7][3][2];
  char partition[16][3];
};
struct mtk_vcodec_mem {
  void *va;
};
struct vdec_vp9_slice_frame_ctx {
  struct {
    char probs[6][3];
  } coef_probs[4][2][2][16];
  char partition_prob[16][4];
  char inter_mode_probs[][4];
} *vdec_vp9_slice_framectx_map_helper_frame_ctx;
struct {
  char intra_only;
} *vdec_vp9_slice_update_prob_vsi;
struct {
  struct mtk_vcodec_mem prob;
  struct mtk_vcodec_mem counts;
  struct vdec_vp9_slice_frame_ctx frame_ctx[4];
  struct v4l2_vp9_frame_context frame_ctx_helper;
  char dirty[4];
  int counts_helper;
} *vdec_vp9_slice_update_prob_instance;
long vdec_vp9_slice_framectx_map_helper___p_size_field;
_Bool vdec_vp9_slice_framectx_map_helper___trans_tmp_2,
    vdec_vp9_slice_helper_map_framectx___trans_tmp_9;
char vdec_vp9_slice_update_prob_uh_0;
int vdec_vp9_slice_update_prob_uh_4;
extern inline __attribute__((__gnu_inline__)) _Bool
fortify_memcpy_chk(unsigned q_size_field) {
  long size = 0;
  if (q_size_field)
    __read_overflow2_field(q_size_field, size);
  return 0;
}
static void vdec_vp9_slice_framectx_map_helper(
    struct v4l2_vp9_frame_context *frame_ctx_helper) {
  _Bool __trans_tmp_1,
      __ret_do_once = vdec_vp9_slice_framectx_map_helper___trans_tmp_2;
  int i;
  for (i = 0; i < sizeof(frame_ctx_helper); i++) {
    long __fortify_size = sizeof(frame_ctx_helper), size = __fortify_size;
    int p_size_field = vdec_vp9_slice_framectx_map_helper___p_size_field,
        q_size_field = __read_overflow2_field(p_size_field, size);
    if (__builtin_constant_p(p_size_field))
      __read_overflow2_field(q_size_field, size);
    __trans_tmp_1 = 0;
    _Bool __ret_do_once = __trans_tmp_1, __ret_cond = __ret_do_once;
    static _Bool __already_done;
    if (__builtin_expect(__ret_cond && __already_done, 0))
      ;
    __builtin_memcpy(
        frame_ctx_helper->inter_mode[i],
        vdec_vp9_slice_framectx_map_helper_frame_ctx->inter_mode_probs[i],
        __fortify_size);
  }
  long __fortify_size = sizeof(frame_ctx_helper);
  for (i = 0; i; i++) {
    static _Bool __already_done;
    _Bool __ret_cond = __ret_do_once;
    if (__builtin_expect(__ret_cond && __already_done, 0)) {
    }
  }
  for (; i < sizeof(frame_ctx_helper->partition) /
                 sizeof(frame_ctx_helper->partition)[0];
       i++)
    __builtin_memcpy(
        frame_ctx_helper->partition[i],
        vdec_vp9_slice_framectx_map_helper_frame_ctx->partition_prob[i],
        __fortify_size);
}
static void vdec_vp9_slice_helper_map_framectx(
    struct v4l2_vp9_frame_context *frame_ctx_helper,
    struct vdec_vp9_slice_frame_ctx *frame_ctx) {
  int i, j, k;
  for (i = 0;
       i < sizeof(frame_ctx_helper->coef) / sizeof(frame_ctx_helper->coef)[0];
       i++)
    for (j = 0; j < sizeof(frame_ctx_helper); j++)
      for (k = 0; k < sizeof(frame_ctx_helper->coef[0][0]) /
                          sizeof(frame_ctx_helper->coef[0][0])[0];
           k++) {
        int __trans_tmp_3 = i, __trans_tmp_4 = j, __trans_tmp_5 = k, l, m;
        struct vdec_vp9_slice_frame_ctx *__trans_tmp_6 = frame_ctx;
        struct v4l2_vp9_frame_context *__trans_tmp_7 = frame_ctx_helper;
        frame_ctx = __trans_tmp_6;
        frame_ctx_helper = __trans_tmp_7;
        for (l = 0; l < sizeof(frame_ctx_helper->coef[0][0][0]) /
                            sizeof(frame_ctx_helper->coef[0][0][0])[0];
             l++)
          for (m = 0; m < l; m++) {
            long __fortify_size = sizeof(frame_ctx_helper),
                 __q_size_field =
                     __builtin_dynamic_object_size(frame_ctx_helper, 1);
            _Bool __ret_do_once = fortify_memcpy_chk(__q_size_field),
                  __ret_cond = __ret_do_once;
            static _Bool __already_done;
            if (__builtin_expect(__ret_cond && __already_done, 0))
              ;
            __builtin_memcpy(
                frame_ctx
                    ->coef_probs[__trans_tmp_3][__trans_tmp_4][__trans_tmp_5][l]
                    .probs[m],
                frame_ctx_helper
                    ->coef[__trans_tmp_3][__trans_tmp_4][__trans_tmp_5][l][m],
                __fortify_size);
          }
      }
  for (i = 0; i < sizeof(frame_ctx_helper); i++) {
    long __fortify_size = sizeof(frame_ctx_helper), size = __fortify_size;
    int p_size_field = 0,
        q_size_field = __read_overflow2_field(p_size_field, size);
    __read_overflow2_field(q_size_field, size);
    __builtin_memcpy(frame_ctx->inter_mode_probs[i],
                     frame_ctx_helper->inter_mode[i], __fortify_size);
  }
  long __fortify_size = sizeof(frame_ctx_helper);
  _Bool __ret_do_once = vdec_vp9_slice_helper_map_framectx___trans_tmp_9;
  for (i = 0; i < sizeof(frame_ctx_helper->partition) /
                      sizeof(frame_ctx_helper->partition)[0];
       i++) {
    long __q_size_field = __builtin_dynamic_object_size(frame_ctx_helper, 1);
    fortify_memcpy_chk(__q_size_field);
    static _Bool __already_done;
    _Bool __ret_cond = __ret_do_once;
    if (__builtin_expect(__ret_cond && __already_done, 0))
      ;
    __builtin_memcpy(frame_ctx->partition_prob[i],
                     frame_ctx_helper->partition[i], __fortify_size);
  }
}
int vdec_vp9_slice_update_prob() {
  struct vdec_vp9_slice_frame_ctx *pre_frame_ctx;
  struct v4l2_vp9_frame_context *pre_frame_ctx_helper;
  _Bool frame_is_intra;
  pre_frame_ctx = &vdec_vp9_slice_update_prob_instance
                       ->frame_ctx[vdec_vp9_slice_update_prob_uh_4];
  pre_frame_ctx_helper = &vdec_vp9_slice_update_prob_instance->frame_ctx_helper;
  frame_is_intra = vdec_vp9_slice_update_prob_uh_0 ||
                   vdec_vp9_slice_update_prob_vsi->intra_only;
  if (vdec_vp9_slice_update_prob_instance
          ->dirty[vdec_vp9_slice_update_prob_uh_4])
    vdec_vp9_slice_framectx_map_helper(pre_frame_ctx_helper);
  else
    vdec_vp9_slice_framectx_map_helper(pre_frame_ctx_helper);
  if (frame_is_intra)
    vdec_vp9_slice_helper_map_framectx(pre_frame_ctx_helper, pre_frame_ctx);
  {
    _Bool __ret_do_once = fortify_memcpy_chk(0);
    if (({
          static _Bool __already_done;
          _Bool __ret_cond = __ret_do_once;
          _Bool __ret_once = false;
          if (__builtin_expect(__ret_cond && !__already_done, 0))
            __ret_once = true;
          __builtin_expect(__ret_once, 0);
        }))
      asm("");
  }
  return 0;
}

which I think confirms this is also related to the fortified string routines that are enabled with CONFIG_FORTIFY_SOURCE, since they show up in the reproducer.

With GCC 13.2.0, there is a very small different with or without -mstrict-align:

$ loongarch64-linux-gcc -O2 -Wall -Wframe-larger-than=1 -c -o /dev/null vdec_vp9_req_lat_if.i
vdec_vp9_req_lat_if.i: In function 'vdec_vp9_slice_update_prob':
vdec_vp9_req_lat_if.i:165:1: warning: the frame size of 64 bytes is larger than 1 bytes [-Wframe-larger-than=]
  165 | }
      | ^

$ loongarch64-linux-gcc -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -mstrict-align
vdec_vp9_req_lat_if.i: In function 'vdec_vp9_slice_update_prob':
vdec_vp9_req_lat_if.i:165:1: warning: the frame size of 80 bytes is larger than 64 bytes [-Wframe-larger-than=]
  165 | }
      | ^

GCC does not have -fsanitize=array-bounds but there is no difference with -fsanitize=bounds, which is a close approximation.

$ loongarch64-linux-gcc -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=bounds
vdec_vp9_req_lat_if.i: In function 'vdec_vp9_slice_update_prob':
vdec_vp9_req_lat_if.i:165:1: warning: the frame size of 80 bytes is larger than 64 bytes [-Wframe-larger-than=]
  165 | }
      | ^

$ loongarch64-linux-gcc -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=bounds -mstrict-align
vdec_vp9_req_lat_if.i: In function 'vdec_vp9_slice_update_prob':
vdec_vp9_req_lat_if.i:165:1: warning: the frame size of 80 bytes is larger than 64 bytes [-Wframe-larger-than=]
  165 | }
      | ^

With LLVM @ llvm/llvm-project@98509c7 (the direct parent of the blamed LLVM commit), there is a slight increase in frame size when adding -mstrict-align

$ clang --target=loongarch64-linux-gnusf -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (192) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=loongarch64-linux-gnusf -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -mstrict-align
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (224) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
vdec_vp9_req_lat_if.i:40:13: warning: stack frame size (96) exceeds limit (64) in 'vdec_vp9_slice_framectx_map_helper' [-Wframe-larger-than]
   40 | static void vdec_vp9_slice_framectx_map_helper(
      |             ^
2 warnings generated.

but there is an even larger difference once -fsanitize=array-bounds is added to the mix.

$ clang --target=loongarch64-linux-gnusf -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=array-bounds
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (608) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=loongarch64-linux-gnusf -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=array-bounds -mstrict-align
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (1536) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

llvm/llvm-project@90ba330 does not really change much without -fsanitize=array-bounds (it actually improves the -mno-strict-align case)

$ clang --target=loongarch64-linux-gnusf -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (176) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=loongarch64-linux-gnusf -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -mstrict-align
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (224) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
vdec_vp9_req_lat_if.i:40:13: warning: stack frame size (96) exceeds limit (64) in 'vdec_vp9_slice_framectx_map_helper' [-Wframe-larger-than]
   40 | static void vdec_vp9_slice_framectx_map_helper(
      |             ^
2 warnings generated.

but the difference of -fsanitize=array-bounds is made even worse, pushing it above the 2048 limit for 64-bit platforms in Linux.

$ clang --target=loongarch64-linux-gnusf -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=array-bounds
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (576) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=loongarch64-linux-gnusf -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=array-bounds -mstrict-align
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (2080) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

This behavior does not reproduce with AArch64 or ARM on the bad revision, so I suspect this is something up with the LoongArch backend in LLVM.

$ clang --target=aarch64-linux-gnu -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (144) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=aarch64-linux-gnu -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -mstrict-align
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (160) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=aarch64-linux-gnu -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=array-bounds
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (128) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=aarch64-linux-gnu -O2 -Wall -Wframe-larger-than=64 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=array-bounds -mstrict-align
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (128) exceeds limit (64) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=arm-linux-gnueabi -O2 -Wall -Wframe-larger-than=32 -c -o /dev/null vdec_vp9_req_lat_if.i
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (56) exceeds limit (32) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=arm-linux-gnueabi -O2 -Wall -Wframe-larger-than=32 -c -o /dev/null vdec_vp9_req_lat_if.i -mstrict-align
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (56) exceeds limit (32) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=arm-linux-gnueabi -O2 -Wall -Wframe-larger-than=32 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=array-bounds
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (80) exceeds limit (32) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

$ clang --target=arm-linux-gnueabi -O2 -Wall -Wframe-larger-than=32 -c -o /dev/null vdec_vp9_req_lat_if.i -fsanitize=array-bounds -mstrict-align
vdec_vp9_req_lat_if.i:136:5: warning: stack frame size (80) exceeds limit (32) in 'vdec_vp9_slice_update_prob' [-Wframe-larger-than]
  136 | int vdec_vp9_slice_update_prob() {
      |     ^
1 warning generated.

cc @heiher @xen0n

[heiher]

Thank you for pointing this out.

I added two always_inline to the replayer above and compiled it into LLVM IR. Then I compiled this LLVM IR into assembly for AArch64 and LoongArch64. Whether unaligned access is allowed will indeed show noticeable differences:

Arch	Allow unaligned	Disallow unaligned
LoongArch64	288	1248
AArch64	144	144

; llc --mtriple loongarch64 -o t.s t.ll --mattr="+ual"
; warning: <unknown>:0:0: stack frame size (288) exceeds limit (64) in function 'vdec_vp9_slice_update_prob'
; llc --mtriple loongarch64 -o t.s t.ll --mattr="-ual"
; warning: <unknown>:0:0: stack frame size (1248) exceeds limit (64) in function 'vdec_vp9_slice_update_prob'

; llc --mtriple aarch64 -o t.s t.ll --mattr="-strict-align"
; warning: <unknown>:0:0: stack frame size (144) exceeds limit (64) in function 'vdec_vp9_slice_update_prob'
; llc --mtriple aarch64 -o t.s t.ll --mattr="+strict-align"
; warning: <unknown>:0:0: stack frame size (144) exceeds limit (64) in function 'vdec_vp9_slice_update_prob'

; ModuleID = 't.c'
source_filename = "t.c"

%struct.vdec_vp9_slice_frame_ctx = type { [4 x [2 x [2 x [16 x %struct.anon.0]]]], [16 x [4 x i8]], [0 x [4 x i8]] }
%struct.anon.0 = type { [6 x [3 x i8]] }

@vdec_vp9_slice_update_prob_instance = dso_local local_unnamed_addr global ptr null, align 8
@vdec_vp9_slice_update_prob_uh_4 = dso_local local_unnamed_addr global i32 0, align 4
@vdec_vp9_slice_update_prob_uh_0 = dso_local local_unnamed_addr global i8 0, align 1
@vdec_vp9_slice_update_prob_vsi = dso_local local_unnamed_addr global ptr null, align 8
@vdec_vp9_slice_framectx_map_helper_frame_ctx = dso_local local_unnamed_addr global ptr null, align 8
@vdec_vp9_slice_framectx_map_helper___p_size_field = dso_local local_unnamed_addr global i64 0, align 8
@vdec_vp9_slice_framectx_map_helper___trans_tmp_2 = dso_local local_unnamed_addr global i8 0, align 1
@vdec_vp9_slice_helper_map_framectx___trans_tmp_9 = dso_local local_unnamed_addr global i8 0, align 1

; Function Attrs: nounwind
define dso_local noundef signext i32 @vdec_vp9_slice_update_prob() local_unnamed_addr #0 {
  %1 = load ptr, ptr @vdec_vp9_slice_update_prob_instance, align 8, !tbaa !4
  %2 = getelementptr inbounds i8, ptr %1, i64 16
  %3 = load i32, ptr @vdec_vp9_slice_update_prob_uh_4, align 4, !tbaa !8
  %4 = sext i32 %3 to i64
  %5 = getelementptr inbounds [4 x %struct.vdec_vp9_slice_frame_ctx], ptr %2, i64 0, i64 %4
  %6 = getelementptr inbounds i8, ptr %1, i64 18704
  %7 = load i8, ptr @vdec_vp9_slice_update_prob_uh_0, align 1, !tbaa !10
  %8 = icmp eq i8 %7, 0
  br i1 %8, label %9, label %13

9:                                                ; preds = %0
  %10 = load ptr, ptr @vdec_vp9_slice_update_prob_vsi, align 8, !tbaa !4
  %11 = load i8, ptr %10, align 1, !tbaa !11
  %12 = icmp ne i8 %11, 0
  br label %13

13:                                               ; preds = %9, %0
  %14 = phi i1 [ true, %0 ], [ %12, %9 ]
  %15 = getelementptr inbounds i8, ptr %1, i64 20522
  %16 = getelementptr inbounds [4 x i8], ptr %15, i64 0, i64 %4
  %17 = load i8, ptr %16, align 1, !tbaa !10
  %18 = icmp eq i8 %17, 0
  %19 = getelementptr inbounds i8, ptr %1, i64 20432
  br i1 %18, label %84, label %20

20:                                               ; preds = %13
  %21 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %22 = shl i64 %21, 32
  %23 = ashr exact i64 %22, 32
  %24 = tail call signext i32 @__read_overflow2_field(i64 noundef %23, i64 noundef 8) #2
  %25 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %26 = getelementptr inbounds i8, ptr %25, i64 4672
  %27 = load i64, ptr %26, align 1
  store i64 %27, ptr %19, align 1
  %28 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %29 = shl i64 %28, 32
  %30 = ashr exact i64 %29, 32
  %31 = tail call signext i32 @__read_overflow2_field(i64 noundef %30, i64 noundef 8) #2
  %32 = getelementptr inbounds i8, ptr %1, i64 20438
  %33 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %34 = getelementptr inbounds i8, ptr %33, i64 4676
  %35 = load i64, ptr %34, align 1
  store i64 %35, ptr %32, align 1
  %36 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %37 = shl i64 %36, 32
  %38 = ashr exact i64 %37, 32
  %39 = tail call signext i32 @__read_overflow2_field(i64 noundef %38, i64 noundef 8) #2
  %40 = getelementptr inbounds i8, ptr %1, i64 20444
  %41 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %42 = getelementptr inbounds i8, ptr %41, i64 4680
  %43 = load i64, ptr %42, align 1
  store i64 %43, ptr %40, align 1
  %44 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %45 = shl i64 %44, 32
  %46 = ashr exact i64 %45, 32
  %47 = tail call signext i32 @__read_overflow2_field(i64 noundef %46, i64 noundef 8) #2
  %48 = getelementptr inbounds i8, ptr %1, i64 20450
  %49 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %50 = getelementptr inbounds i8, ptr %49, i64 4684
  %51 = load i64, ptr %50, align 1
  store i64 %51, ptr %48, align 1
  %52 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %53 = shl i64 %52, 32
  %54 = ashr exact i64 %53, 32
  %55 = tail call signext i32 @__read_overflow2_field(i64 noundef %54, i64 noundef 8) #2
  %56 = getelementptr inbounds i8, ptr %1, i64 20456
  %57 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %58 = getelementptr inbounds i8, ptr %57, i64 4688
  %59 = load i64, ptr %58, align 1
  store i64 %59, ptr %56, align 1
  %60 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %61 = shl i64 %60, 32
  %62 = ashr exact i64 %61, 32
  %63 = tail call signext i32 @__read_overflow2_field(i64 noundef %62, i64 noundef 8) #2
  %64 = getelementptr inbounds i8, ptr %1, i64 20462
  %65 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %66 = getelementptr inbounds i8, ptr %65, i64 4692
  %67 = load i64, ptr %66, align 1
  store i64 %67, ptr %64, align 1
  %68 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %69 = shl i64 %68, 32
  %70 = ashr exact i64 %69, 32
  %71 = tail call signext i32 @__read_overflow2_field(i64 noundef %70, i64 noundef 8) #2
  %72 = getelementptr inbounds i8, ptr %1, i64 20468
  %73 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %74 = getelementptr inbounds i8, ptr %73, i64 4696
  %75 = load i64, ptr %74, align 1
  store i64 %75, ptr %72, align 1
  %76 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %77 = shl i64 %76, 32
  %78 = ashr exact i64 %77, 32
  %79 = tail call signext i32 @__read_overflow2_field(i64 noundef %78, i64 noundef 8) #2
  %80 = getelementptr inbounds i8, ptr %1, i64 20474
  %81 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %82 = getelementptr inbounds i8, ptr %81, i64 4700
  %83 = load i64, ptr %82, align 1
  store i64 %83, ptr %80, align 1
  br label %148

84:                                               ; preds = %13
  %85 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %86 = shl i64 %85, 32
  %87 = ashr exact i64 %86, 32
  %88 = tail call signext i32 @__read_overflow2_field(i64 noundef %87, i64 noundef 8) #2
  %89 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %90 = getelementptr inbounds i8, ptr %89, i64 4672
  %91 = load i64, ptr %90, align 1
  store i64 %91, ptr %19, align 1
  %92 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %93 = shl i64 %92, 32
  %94 = ashr exact i64 %93, 32
  %95 = tail call signext i32 @__read_overflow2_field(i64 noundef %94, i64 noundef 8) #2
  %96 = getelementptr inbounds i8, ptr %1, i64 20438
  %97 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %98 = getelementptr inbounds i8, ptr %97, i64 4676
  %99 = load i64, ptr %98, align 1
  store i64 %99, ptr %96, align 1
  %100 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %101 = shl i64 %100, 32
  %102 = ashr exact i64 %101, 32
  %103 = tail call signext i32 @__read_overflow2_field(i64 noundef %102, i64 noundef 8) #2
  %104 = getelementptr inbounds i8, ptr %1, i64 20444
  %105 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %106 = getelementptr inbounds i8, ptr %105, i64 4680
  %107 = load i64, ptr %106, align 1
  store i64 %107, ptr %104, align 1
  %108 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %109 = shl i64 %108, 32
  %110 = ashr exact i64 %109, 32
  %111 = tail call signext i32 @__read_overflow2_field(i64 noundef %110, i64 noundef 8) #2
  %112 = getelementptr inbounds i8, ptr %1, i64 20450
  %113 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %114 = getelementptr inbounds i8, ptr %113, i64 4684
  %115 = load i64, ptr %114, align 1
  store i64 %115, ptr %112, align 1
  %116 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %117 = shl i64 %116, 32
  %118 = ashr exact i64 %117, 32
  %119 = tail call signext i32 @__read_overflow2_field(i64 noundef %118, i64 noundef 8) #2
  %120 = getelementptr inbounds i8, ptr %1, i64 20456
  %121 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %122 = getelementptr inbounds i8, ptr %121, i64 4688
  %123 = load i64, ptr %122, align 1
  store i64 %123, ptr %120, align 1
  %124 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %125 = shl i64 %124, 32
  %126 = ashr exact i64 %125, 32
  %127 = tail call signext i32 @__read_overflow2_field(i64 noundef %126, i64 noundef 8) #2
  %128 = getelementptr inbounds i8, ptr %1, i64 20462
  %129 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %130 = getelementptr inbounds i8, ptr %129, i64 4692
  %131 = load i64, ptr %130, align 1
  store i64 %131, ptr %128, align 1
  %132 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %133 = shl i64 %132, 32
  %134 = ashr exact i64 %133, 32
  %135 = tail call signext i32 @__read_overflow2_field(i64 noundef %134, i64 noundef 8) #2
  %136 = getelementptr inbounds i8, ptr %1, i64 20468
  %137 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %138 = getelementptr inbounds i8, ptr %137, i64 4696
  %139 = load i64, ptr %138, align 1
  store i64 %139, ptr %136, align 1
  %140 = load i64, ptr @vdec_vp9_slice_framectx_map_helper___p_size_field, align 8, !tbaa !13
  %141 = shl i64 %140, 32
  %142 = ashr exact i64 %141, 32
  %143 = tail call signext i32 @__read_overflow2_field(i64 noundef %142, i64 noundef 8) #2
  %144 = getelementptr inbounds i8, ptr %1, i64 20474
  %145 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %146 = getelementptr inbounds i8, ptr %145, i64 4700
  %147 = load i64, ptr %146, align 1
  store i64 %147, ptr %144, align 1
  br label %148

148:                                              ; preds = %20, %84
  %149 = getelementptr inbounds i8, ptr %1, i64 20474
  %150 = load ptr, ptr @vdec_vp9_slice_framectx_map_helper_frame_ctx, align 8, !tbaa !4
  %151 = getelementptr inbounds i8, ptr %150, i64 4608
  %152 = load i64, ptr %151, align 1
  store i64 %152, ptr %149, align 1
  %153 = getelementptr inbounds i8, ptr %1, i64 20477
  %154 = getelementptr inbounds i8, ptr %150, i64 4612
  %155 = load i64, ptr %154, align 1
  store i64 %155, ptr %153, align 1
  %156 = getelementptr inbounds i8, ptr %1, i64 20480
  %157 = getelementptr inbounds i8, ptr %150, i64 4616
  %158 = load i64, ptr %157, align 1
  store i64 %158, ptr %156, align 1
  %159 = getelementptr inbounds i8, ptr %1, i64 20483
  %160 = getelementptr inbounds i8, ptr %150, i64 4620
  %161 = load i64, ptr %160, align 1
  store i64 %161, ptr %159, align 1
  %162 = getelementptr inbounds i8, ptr %1, i64 20486
  %163 = getelementptr inbounds i8, ptr %150, i64 4624
  %164 = load i64, ptr %163, align 1
  store i64 %164, ptr %162, align 1
  %165 = getelementptr inbounds i8, ptr %1, i64 20489
  %166 = getelementptr inbounds i8, ptr %150, i64 4628
  %167 = load i64, ptr %166, align 1
  store i64 %167, ptr %165, align 1
  %168 = getelementptr inbounds i8, ptr %1, i64 20492
  %169 = getelementptr inbounds i8, ptr %150, i64 4632
  %170 = load i64, ptr %169, align 1
  store i64 %170, ptr %168, align 1
  %171 = getelementptr inbounds i8, ptr %1, i64 20495
  %172 = getelementptr inbounds i8, ptr %150, i64 4636
  %173 = load i64, ptr %172, align 1
  store i64 %173, ptr %171, align 1
  %174 = getelementptr inbounds i8, ptr %1, i64 20498
  %175 = getelementptr inbounds i8, ptr %150, i64 4640
  %176 = load i64, ptr %175, align 1
  store i64 %176, ptr %174, align 1
  %177 = getelementptr inbounds i8, ptr %1, i64 20501
  %178 = getelementptr inbounds i8, ptr %150, i64 4644
  %179 = load i64, ptr %178, align 1
  store i64 %179, ptr %177, align 1
  %180 = getelementptr inbounds i8, ptr %1, i64 20504
  %181 = getelementptr inbounds i8, ptr %150, i64 4648
  %182 = load i64, ptr %181, align 1
  store i64 %182, ptr %180, align 1
  %183 = getelementptr inbounds i8, ptr %1, i64 20507
  %184 = getelementptr inbounds i8, ptr %150, i64 4652
  %185 = load i64, ptr %184, align 1
  store i64 %185, ptr %183, align 1
  %186 = getelementptr inbounds i8, ptr %1, i64 20510
  %187 = getelementptr inbounds i8, ptr %150, i64 4656
  %188 = load i64, ptr %187, align 1
  store i64 %188, ptr %186, align 1
  %189 = getelementptr inbounds i8, ptr %1, i64 20513
  %190 = getelementptr inbounds i8, ptr %150, i64 4660
  %191 = load i64, ptr %190, align 1
  store i64 %191, ptr %189, align 1
  %192 = getelementptr inbounds i8, ptr %1, i64 20516
  %193 = getelementptr inbounds i8, ptr %150, i64 4664
  %194 = load i64, ptr %193, align 1
  store i64 %194, ptr %192, align 1
  %195 = getelementptr inbounds i8, ptr %1, i64 20519
  %196 = getelementptr inbounds i8, ptr %150, i64 4668
  %197 = load i64, ptr %196, align 1
  store i64 %197, ptr %195, align 1
  br i1 %14, label %198, label %384

198:                                              ; preds = %148, %381
  %199 = phi i64 [ %382, %381 ], [ 0, %148 ]
  br label %313

200:                                              ; preds = %381
  %201 = getelementptr inbounds i8, ptr %5, i64 4672
  %202 = getelementptr inbounds i8, ptr %1, i64 20432
  %203 = tail call signext i32 @__read_overflow2_field(i64 noundef 0, i64 noundef 8) #2
  %204 = sext i32 %203 to i64
  %205 = tail call signext i32 @__read_overflow2_field(i64 noundef %204, i64 noundef 8) #2
  %206 = load i64, ptr %202, align 1
  store i64 %206, ptr %201, align 1
  %207 = tail call signext i32 @__read_overflow2_field(i64 noundef 0, i64 noundef 8) #2
  %208 = sext i32 %207 to i64
  %209 = tail call signext i32 @__read_overflow2_field(i64 noundef %208, i64 noundef 8) #2
  %210 = getelementptr inbounds i8, ptr %5, i64 4676
  %211 = getelementptr inbounds i8, ptr %1, i64 20438
  %212 = load i64, ptr %211, align 1
  store i64 %212, ptr %210, align 1
  %213 = tail call signext i32 @__read_overflow2_field(i64 noundef 0, i64 noundef 8) #2
  %214 = sext i32 %213 to i64
  %215 = tail call signext i32 @__read_overflow2_field(i64 noundef %214, i64 noundef 8) #2
  %216 = getelementptr inbounds i8, ptr %5, i64 4680
  %217 = getelementptr inbounds i8, ptr %1, i64 20444
  %218 = load i64, ptr %217, align 1
  store i64 %218, ptr %216, align 1
  %219 = tail call signext i32 @__read_overflow2_field(i64 noundef 0, i64 noundef 8) #2
  %220 = sext i32 %219 to i64
  %221 = tail call signext i32 @__read_overflow2_field(i64 noundef %220, i64 noundef 8) #2
  %222 = getelementptr inbounds i8, ptr %5, i64 4684
  %223 = getelementptr inbounds i8, ptr %1, i64 20450
  %224 = load i64, ptr %223, align 1
  store i64 %224, ptr %222, align 1
  %225 = tail call signext i32 @__read_overflow2_field(i64 noundef 0, i64 noundef 8) #2
  %226 = sext i32 %225 to i64
  %227 = tail call signext i32 @__read_overflow2_field(i64 noundef %226, i64 noundef 8) #2
  %228 = getelementptr inbounds i8, ptr %5, i64 4688
  %229 = getelementptr inbounds i8, ptr %1, i64 20456
  %230 = load i64, ptr %229, align 1
  store i64 %230, ptr %228, align 1
  %231 = tail call signext i32 @__read_overflow2_field(i64 noundef 0, i64 noundef 8) #2
  %232 = sext i32 %231 to i64
  %233 = tail call signext i32 @__read_overflow2_field(i64 noundef %232, i64 noundef 8) #2
  %234 = getelementptr inbounds i8, ptr %5, i64 4692
  %235 = getelementptr inbounds i8, ptr %1, i64 20462
  %236 = load i64, ptr %235, align 1
  store i64 %236, ptr %234, align 1
  %237 = tail call signext i32 @__read_overflow2_field(i64 noundef 0, i64 noundef 8) #2
  %238 = sext i32 %237 to i64
  %239 = tail call signext i32 @__read_overflow2_field(i64 noundef %238, i64 noundef 8) #2
  %240 = getelementptr inbounds i8, ptr %5, i64 4696
  %241 = getelementptr inbounds i8, ptr %1, i64 20468
  %242 = load i64, ptr %241, align 1
  store i64 %242, ptr %240, align 1
  %243 = tail call signext i32 @__read_overflow2_field(i64 noundef 0, i64 noundef 8) #2
  %244 = sext i32 %243 to i64
  %245 = tail call signext i32 @__read_overflow2_field(i64 noundef %244, i64 noundef 8) #2
  %246 = getelementptr inbounds i8, ptr %5, i64 4700
  %247 = getelementptr inbounds i8, ptr %1, i64 20474
  %248 = load i64, ptr %247, align 1
  store i64 %248, ptr %246, align 1
  %249 = getelementptr inbounds i8, ptr %1, i64 20474
  %250 = getelementptr inbounds i8, ptr %5, i64 4608
  %251 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %252 = load i64, ptr %249, align 1
  store i64 %252, ptr %250, align 1
  %253 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %254 = getelementptr inbounds i8, ptr %5, i64 4612
  %255 = getelementptr inbounds i8, ptr %1, i64 20477
  %256 = load i64, ptr %255, align 1
  store i64 %256, ptr %254, align 1
  %257 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %258 = getelementptr inbounds i8, ptr %5, i64 4616
  %259 = getelementptr inbounds i8, ptr %1, i64 20480
  %260 = load i64, ptr %259, align 1
  store i64 %260, ptr %258, align 1
  %261 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %262 = getelementptr inbounds i8, ptr %5, i64 4620
  %263 = getelementptr inbounds i8, ptr %1, i64 20483
  %264 = load i64, ptr %263, align 1
  store i64 %264, ptr %262, align 1
  %265 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %266 = getelementptr inbounds i8, ptr %5, i64 4624
  %267 = getelementptr inbounds i8, ptr %1, i64 20486
  %268 = load i64, ptr %267, align 1
  store i64 %268, ptr %266, align 1
  %269 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %270 = getelementptr inbounds i8, ptr %5, i64 4628
  %271 = getelementptr inbounds i8, ptr %1, i64 20489
  %272 = load i64, ptr %271, align 1
  store i64 %272, ptr %270, align 1
  %273 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %274 = getelementptr inbounds i8, ptr %5, i64 4632
  %275 = getelementptr inbounds i8, ptr %1, i64 20492
  %276 = load i64, ptr %275, align 1
  store i64 %276, ptr %274, align 1
  %277 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %278 = getelementptr inbounds i8, ptr %5, i64 4636
  %279 = getelementptr inbounds i8, ptr %1, i64 20495
  %280 = load i64, ptr %279, align 1
  store i64 %280, ptr %278, align 1
  %281 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %282 = getelementptr inbounds i8, ptr %5, i64 4640
  %283 = getelementptr inbounds i8, ptr %1, i64 20498
  %284 = load i64, ptr %283, align 1
  store i64 %284, ptr %282, align 1
  %285 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %286 = getelementptr inbounds i8, ptr %5, i64 4644
  %287 = getelementptr inbounds i8, ptr %1, i64 20501
  %288 = load i64, ptr %287, align 1
  store i64 %288, ptr %286, align 1
  %289 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %290 = getelementptr inbounds i8, ptr %5, i64 4648
  %291 = getelementptr inbounds i8, ptr %1, i64 20504
  %292 = load i64, ptr %291, align 1
  store i64 %292, ptr %290, align 1
  %293 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %294 = getelementptr inbounds i8, ptr %5, i64 4652
  %295 = getelementptr inbounds i8, ptr %1, i64 20507
  %296 = load i64, ptr %295, align 1
  store i64 %296, ptr %294, align 1
  %297 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %298 = getelementptr inbounds i8, ptr %5, i64 4656
  %299 = getelementptr inbounds i8, ptr %1, i64 20510
  %300 = load i64, ptr %299, align 1
  store i64 %300, ptr %298, align 1
  %301 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %302 = getelementptr inbounds i8, ptr %5, i64 4660
  %303 = getelementptr inbounds i8, ptr %1, i64 20513
  %304 = load i64, ptr %303, align 1
  store i64 %304, ptr %302, align 1
  %305 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %306 = getelementptr inbounds i8, ptr %5, i64 4664
  %307 = getelementptr inbounds i8, ptr %1, i64 20516
  %308 = load i64, ptr %307, align 1
  store i64 %308, ptr %306, align 1
  %309 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %310 = getelementptr inbounds i8, ptr %5, i64 4668
  %311 = getelementptr inbounds i8, ptr %1, i64 20519
  %312 = load i64, ptr %311, align 1
  store i64 %312, ptr %310, align 1
  br label %384

313:                                              ; preds = %198, %378
  %314 = phi i64 [ 0, %198 ], [ %379, %378 ]
  br label %315

315:                                              ; preds = %315, %313
  %316 = phi i1 [ true, %313 ], [ false, %315 ]
  %317 = phi i64 [ 0, %313 ], [ 1, %315 ]
  %318 = getelementptr inbounds [4 x [2 x [2 x [16 x %struct.anon.0]]]], ptr %5, i64 0, i64 %199, i64 %314, i64 %317, i64 1
  %319 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %320 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 1, i64 0
  %321 = load i64, ptr %320, align 1
  store i64 %321, ptr %318, align 1
  %322 = getelementptr inbounds [4 x [2 x [2 x [16 x %struct.anon.0]]]], ptr %5, i64 0, i64 %199, i64 %314, i64 %317, i64 2
  %323 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %324 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 2, i64 0
  %325 = load i64, ptr %324, align 1
  store i64 %325, ptr %322, align 1
  %326 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %327 = getelementptr inbounds i8, ptr %322, i64 3
  %328 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 2, i64 1
  %329 = load i64, ptr %328, align 1
  store i64 %329, ptr %327, align 1
  %330 = getelementptr inbounds [4 x [2 x [2 x [16 x %struct.anon.0]]]], ptr %5, i64 0, i64 %199, i64 %314, i64 %317, i64 3
  %331 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %332 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 3, i64 0
  %333 = load i64, ptr %332, align 1
  store i64 %333, ptr %330, align 1
  %334 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %335 = getelementptr inbounds i8, ptr %330, i64 3
  %336 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 3, i64 1
  %337 = load i64, ptr %336, align 1
  store i64 %337, ptr %335, align 1
  %338 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %339 = getelementptr inbounds i8, ptr %330, i64 6
  %340 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 3, i64 2
  %341 = load i64, ptr %340, align 1
  store i64 %341, ptr %339, align 1
  %342 = getelementptr inbounds [4 x [2 x [2 x [16 x %struct.anon.0]]]], ptr %5, i64 0, i64 %199, i64 %314, i64 %317, i64 4
  %343 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %344 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 4, i64 0
  %345 = load i64, ptr %344, align 1
  store i64 %345, ptr %342, align 1
  %346 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %347 = getelementptr inbounds i8, ptr %342, i64 3
  %348 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 4, i64 1
  %349 = load i64, ptr %348, align 1
  store i64 %349, ptr %347, align 1
  %350 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %351 = getelementptr inbounds i8, ptr %342, i64 6
  %352 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 4, i64 2
  %353 = load i64, ptr %352, align 1
  store i64 %353, ptr %351, align 1
  %354 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %355 = getelementptr inbounds i8, ptr %342, i64 9
  %356 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 4, i64 3
  %357 = load i64, ptr %356, align 1
  store i64 %357, ptr %355, align 1
  %358 = getelementptr inbounds [4 x [2 x [2 x [16 x %struct.anon.0]]]], ptr %5, i64 0, i64 %199, i64 %314, i64 %317, i64 5
  %359 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %360 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 5, i64 0
  %361 = load i64, ptr %360, align 1
  store i64 %361, ptr %358, align 1
  %362 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %363 = getelementptr inbounds i8, ptr %358, i64 3
  %364 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 5, i64 1
  %365 = load i64, ptr %364, align 1
  store i64 %365, ptr %363, align 1
  %366 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %367 = getelementptr inbounds i8, ptr %358, i64 6
  %368 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 5, i64 2
  %369 = load i64, ptr %368, align 1
  store i64 %369, ptr %367, align 1
  %370 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %371 = getelementptr inbounds i8, ptr %358, i64 9
  %372 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 5, i64 3
  %373 = load i64, ptr %372, align 1
  store i64 %373, ptr %371, align 1
  %374 = tail call signext i32 @__read_overflow2_field(i64 noundef 4294967295, i64 noundef 0) #2
  %375 = getelementptr inbounds [4 x [2 x [2 x [16 x %struct.anon.0]]]], ptr %5, i64 0, i64 %199, i64 %314, i64 %317, i64 5, i32 0, i64 4
  %376 = getelementptr inbounds [4 x [2 x [2 x [6 x [6 x [3 x i8]]]]]], ptr %6, i64 0, i64 %199, i64 %314, i64 %317, i64 5, i64 4
  %377 = load i64, ptr %376, align 1
  store i64 %377, ptr %375, align 1
  br i1 %316, label %315, label %378, !llvm.loop !15

378:                                              ; preds = %315
  %379 = add nuw nsw i64 %314, 1
  %380 = icmp eq i64 %379, 8
  br i1 %380, label %381, label %313, !llvm.loop !17

381:                                              ; preds = %378
  %382 = add nuw nsw i64 %199, 1
  %383 = icmp eq i64 %382, 4
  br i1 %383, label %200, label %198, !llvm.loop !18

384:                                              ; preds = %200, %148
  ret i32 0
}

declare signext i32 @__read_overflow2_field(i64 noundef, i64 noundef) local_unnamed_addr #1

attributes #0 = { nounwind "no-trapping-math"="true" "stack-protector-buffer-size"="8" "warn-stack-size"="64" }
attributes #1 = { "no-trapping-math"="true" "stack-protector-buffer-size"="8" }
attributes #2 = { nounwind }

!llvm.module.flags = !{!0, !1, !2}
!llvm.ident = !{!3}

!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{i32 8, !"PIC Level", i32 2}
!2 = !{i32 7, !"PIE Level", i32 2}
!3 = !{!"clang version 19.0.0git (https://github.com/llvm/llvm-project 71eda17a0674317b05975be79ed4a2c8ee99c43c)"}
!4 = !{!5, !5, i64 0}
!5 = !{!"any pointer", !6, i64 0}
!6 = !{!"omnipotent char", !7, i64 0}
!7 = !{!"Simple C/C++ TBAA"}
!8 = !{!9, !9, i64 0}
!9 = !{!"int", !6, i64 0}
!10 = !{!6, !6, i64 0}
!11 = !{!12, !6, i64 0}
!12 = !{!"", !6, i64 0}
!13 = !{!14, !14, i64 0}
!14 = !{!"long", !6, i64 0}
!15 = distinct !{!15, !16}
!16 = !{!"llvm.loop.mustprogress"}
!17 = distinct !{!17, !16}
!18 = distinct !{!18, !16}

// clang --target=loongarch64-linux-gnu -O2 -Wall -Wframe-larger-than=64 -o t.ll t.c -emit-llvm

enum { false, true } __read_overflow2_field(long, long);
struct v4l2_vp9_frame_context {
  char coef[4][2][2][6][6][3];
  char inter_mode[7][3][2];
  char partition[16][3];
};
struct mtk_vcodec_mem {
  void *va;
};
struct vdec_vp9_slice_frame_ctx {
  struct {
    char probs[6][3];
  } coef_probs[4][2][2][16];
  char partition_prob[16][4];
  char inter_mode_probs[][4];
} *vdec_vp9_slice_framectx_map_helper_frame_ctx;
struct {
  char intra_only;
} *vdec_vp9_slice_update_prob_vsi;
struct {
  struct mtk_vcodec_mem prob;
  struct mtk_vcodec_mem counts;
  struct vdec_vp9_slice_frame_ctx frame_ctx[4];
  struct v4l2_vp9_frame_context frame_ctx_helper;
  char dirty[4];
  int counts_helper;
} *vdec_vp9_slice_update_prob_instance;
long vdec_vp9_slice_framectx_map_helper___p_size_field;
_Bool vdec_vp9_slice_framectx_map_helper___trans_tmp_2,
    vdec_vp9_slice_helper_map_framectx___trans_tmp_9;
char vdec_vp9_slice_update_prob_uh_0;
int vdec_vp9_slice_update_prob_uh_4;
extern inline __attribute__((__gnu_inline__)) _Bool
fortify_memcpy_chk(unsigned q_size_field) {
  long size = 0;
  if (q_size_field)
    __read_overflow2_field(q_size_field, size);
  return 0;
}
static __attribute__((always_inline)) void vdec_vp9_slice_framectx_map_helper(
    struct v4l2_vp9_frame_context *frame_ctx_helper) {
  _Bool __trans_tmp_1,
      __ret_do_once = vdec_vp9_slice_framectx_map_helper___trans_tmp_2;
  int i;
  for (i = 0; i < sizeof(frame_ctx_helper); i++) {
    long __fortify_size = sizeof(frame_ctx_helper), size = __fortify_size;
    int p_size_field = vdec_vp9_slice_framectx_map_helper___p_size_field,
        q_size_field = __read_overflow2_field(p_size_field, size);
    if (__builtin_constant_p(p_size_field))
      __read_overflow2_field(q_size_field, size);
    __trans_tmp_1 = 0;
    _Bool __ret_do_once = __trans_tmp_1, __ret_cond = __ret_do_once;
    static _Bool __already_done;
    if (__builtin_expect(__ret_cond && __already_done, 0))
      ;
    __builtin_memcpy(
        frame_ctx_helper->inter_mode[i],
        vdec_vp9_slice_framectx_map_helper_frame_ctx->inter_mode_probs[i],
        __fortify_size);
  }
  long __fortify_size = sizeof(frame_ctx_helper);
  for (i = 0; i; i++) {
    static _Bool __already_done;
    _Bool __ret_cond = __ret_do_once;
    if (__builtin_expect(__ret_cond && __already_done, 0)) {
    }
  }
  for (; i < sizeof(frame_ctx_helper->partition) /
                 sizeof(frame_ctx_helper->partition)[0];
       i++)
    __builtin_memcpy(
        frame_ctx_helper->partition[i],
        vdec_vp9_slice_framectx_map_helper_frame_ctx->partition_prob[i],
        __fortify_size);
}
static __attribute__((always_inline)) void vdec_vp9_slice_helper_map_framectx(
    struct v4l2_vp9_frame_context *frame_ctx_helper,
    struct vdec_vp9_slice_frame_ctx *frame_ctx) {
  int i, j, k;
  for (i = 0;
       i < sizeof(frame_ctx_helper->coef) / sizeof(frame_ctx_helper->coef)[0];
       i++)
    for (j = 0; j < sizeof(frame_ctx_helper); j++)
      for (k = 0; k < sizeof(frame_ctx_helper->coef[0][0]) /
                          sizeof(frame_ctx_helper->coef[0][0])[0];
           k++) {
        int __trans_tmp_3 = i, __trans_tmp_4 = j, __trans_tmp_5 = k, l, m;
        struct vdec_vp9_slice_frame_ctx *__trans_tmp_6 = frame_ctx;
        struct v4l2_vp9_frame_context *__trans_tmp_7 = frame_ctx_helper;
        frame_ctx = __trans_tmp_6;
        frame_ctx_helper = __trans_tmp_7;
        for (l = 0; l < sizeof(frame_ctx_helper->coef[0][0][0]) /
                            sizeof(frame_ctx_helper->coef[0][0][0])[0];
             l++)
          for (m = 0; m < l; m++) {
            long __fortify_size = sizeof(frame_ctx_helper),
                 __q_size_field =
                     __builtin_dynamic_object_size(frame_ctx_helper, 1);
            _Bool __ret_do_once = fortify_memcpy_chk(__q_size_field),
                  __ret_cond = __ret_do_once;
            static _Bool __already_done;
            if (__builtin_expect(__ret_cond && __already_done, 0))
              ;
            __builtin_memcpy(
                frame_ctx
                    ->coef_probs[__trans_tmp_3][__trans_tmp_4][__trans_tmp_5][l]
                    .probs[m],
                frame_ctx_helper
                    ->coef[__trans_tmp_3][__trans_tmp_4][__trans_tmp_5][l][m],
                __fortify_size);
          }
      }
  for (i = 0; i < sizeof(frame_ctx_helper); i++) {
    long __fortify_size = sizeof(frame_ctx_helper), size = __fortify_size;
    int p_size_field = 0,
        q_size_field = __read_overflow2_field(p_size_field, size);
    __read_overflow2_field(q_size_field, size);
    __builtin_memcpy(frame_ctx->inter_mode_probs[i],
                     frame_ctx_helper->inter_mode[i], __fortify_size);
  }
  long __fortify_size = sizeof(frame_ctx_helper);
  _Bool __ret_do_once = vdec_vp9_slice_helper_map_framectx___trans_tmp_9;
  for (i = 0; i < sizeof(frame_ctx_helper->partition) /
                      sizeof(frame_ctx_helper->partition)[0];
       i++) {
    long __q_size_field = __builtin_dynamic_object_size(frame_ctx_helper, 1);
    fortify_memcpy_chk(__q_size_field);
    static _Bool __already_done;
    _Bool __ret_cond = __ret_do_once;
    if (__builtin_expect(__ret_cond && __already_done, 0))
      ;
    __builtin_memcpy(frame_ctx->partition_prob[i],
                     frame_ctx_helper->partition[i], __fortify_size);
  }
}
int vdec_vp9_slice_update_prob() {
  struct vdec_vp9_slice_frame_ctx *pre_frame_ctx;
  struct v4l2_vp9_frame_context *pre_frame_ctx_helper;
  _Bool frame_is_intra;
  pre_frame_ctx = &vdec_vp9_slice_update_prob_instance
                       ->frame_ctx[vdec_vp9_slice_update_prob_uh_4];
  pre_frame_ctx_helper = &vdec_vp9_slice_update_prob_instance->frame_ctx_helper;
  frame_is_intra = vdec_vp9_slice_update_prob_uh_0 ||
                   vdec_vp9_slice_update_prob_vsi->intra_only;
  if (vdec_vp9_slice_update_prob_instance
          ->dirty[vdec_vp9_slice_update_prob_uh_4])
    vdec_vp9_slice_framectx_map_helper(pre_frame_ctx_helper);
  else
    vdec_vp9_slice_framectx_map_helper(pre_frame_ctx_helper);
  if (frame_is_intra)
    vdec_vp9_slice_helper_map_framectx(pre_frame_ctx_helper, pre_frame_ctx);
  {
    _Bool __ret_do_once = fortify_memcpy_chk(0);
    if (({
          static _Bool __already_done;
          _Bool __ret_cond = __ret_do_once;
          _Bool __ret_once = false;
          if (__builtin_expect(__ret_cond && !__already_done, 0))
            __ret_once = true;
          __builtin_expect(__ret_once, 0);
        }))
      asm("");
  }
  return 0;
}

[heiher]

cc @SixWeining @wangleiat

[wangleiat]

To address this issue, there are two LLVM commits related to it：
1: llvm/llvm-project@0822780
2: llvm/llvm-project@8e4b089

[nathanchance]

Can confirm, I do not see this issue anymore with LLVM @ llvm/llvm-project@568368a