From 92f717d825d598b1f149a9b65590f1b50421ccea Mon Sep 17 00:00:00 2001
From: Lars-Peter Clausen
Date: Sun, 31 May 2026 21:17:41 -0700
Subject: [PATCH] Fix out-of-bounds write for missing queue method arguments

When a method argument is missing, the error path stores a nullptr in the argument vector for that missing slot. The vector was sized from the number of arguments that were present in the source, so calls such as `q.push_back()` or `q.insert(0)` wrote those nullptr placeholders past the end of the vector. Size the vector from the number of arguments required by the queue method instead. This gives the error path slots for the missing arguments while leaving valid calls unchanged.

Signed-off-by: Lars-Peter Clausen
---
 elaborate.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/elaborate.cc b/elaborate.cc
index 03a9f4a18..ba327a815 100644
--- a/elaborate.cc
+++ b/elaborate.cc
@@ -4101,7 +4101,8 @@ NetProc* PCallTask::elaborate_queue_method_(Design*des, NetScope*scope,
 des->errors += 1;
 }
 ivl_type_t element_type = net->queue_type()->element_type();
- vectorargv (nparms+1);
+ unsigned expected_nparms = method_name == "insert" ? 2 : 1;
+ vectorargv (expected_nparms+1);
 argv[0] = sig;
 auto args = map_named_args(des, parm_names, parms_);
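Review bot: The new `argv` size on the `expected_nparms+1` line no longer depends on how many arguments the call site supplied, so the surplus-argument case (for example `q.push_back(a, b)`, where `nparms` exceeds the method's arity) should be checked as well. If any code after this hunk fills `argv` by the supplied count rather than by the formal count, the out-of-bounds write moves to that path instead of disappearing. The function body starts and ends outside the hunk, so this cannot be confirmed from here. A size that is safe in both directions would be `std::max(nparms, expected_nparms)+1`, or the size could be derived from `parm_names.size()+1` if `parm_names` lists the method's formals, which would also avoid repeating the arity as a `method_name == "insert"` string comparison. A short comment stating that `argv[0]` is the queue signal and the remaining slots are one per formal argument would record the invariant the fix relies on, and regression cases for `q.push_back()`, `q.insert(0)` and a call with too many arguments would pin it.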