[LLVMbugs] [Bug 20863] New: fast-isel call lowering bail-out can destroy inalloca arg passing
bugzilla-daemon at llvm.org
Fri Sep 5 16:58:37 PDT 2014
http://llvm.org/bugs/show_bug.cgi?id=20863
Bug ID: 20863
Summary: fast-isel call lowering bail-out can destroy inalloca arg passing
Product: clang
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P
Component: LLVM Codegen
Assignee: unassignedclangbugs at nondot.org
Reporter: hans at chromium.org
CC: llvmbugs at cs.uiuc.edu
Classification: Unclassified
To reproduce:
$ clang -cc1 -triple i686-pc-win32 -O0 -S -o - a.cc
struct S {
  ~S();
  int x;
};
__declspec(dllimport) S g(int, int, int);
void f(S s, int i);
int main() {
  f(g(1, 2, 3), 42);
  return 0;
}
When lowering the call to g, FastISel will bail out when noticing the dllimport
function address. However, it leaves the arguments pushed on the stack, and we
end up with another set of arguments *pushed on top of the inalloca frame* when
the call is lowered again.
_main:
        pushl %ebp
        movl %esp, %ebp
        pushl %edi
        pushl %esi
        subl $28, %esp
        movl $1, %eax
        movl $2, %ecx
        movl $3, %edx
        movl $0, -12(%ebp)
        movl %esp, %esi
        movl $8, %edi
        movl %eax, -20(%ebp)
        movl %edi, %eax
        movl %esi, -24(%ebp)
        movl %ecx, -28(%ebp)
        movl %edx, -32(%ebp)
        calll __chkstk
        movl %esp, %eax
        andl $-8, %eax
        movl %eax, %esp
        movl -24(%ebp), %ecx
        movl %ecx, -16(%ebp)
        subl $16, %esp
        movl %eax, (%esp)
        movl $1, 4(%esp)
        movl $2, 8(%esp)
        movl $3, 12(%esp)
        subl $16, %esp              <-- FastISel has bailed; pushing a frame on top of inalloca range!
        movl %esp, %edx
        movl %eax, (%edx)
        movl $3, 12(%edx)
        movl $2, 8(%edx)
        movl $1, 4(%edx)
        movl "__imp_?g@@YA?AUS@@HHH@Z", %edx
        movl %eax, -36(%ebp)
        calll *%edx
        addl $16, %esp
        movl -36(%ebp), %eax        <-- %eax is the inalloca stack
        movl $42, 4(%eax)           <-- Trying to pass 42 as 2nd argument
        calll "?f@@YAXUS@@H@Z"      <-- But the inalloca stack isn't on top anymore!
        addl $8, %esp
        xorl %eax, %eax
        movl -24(%ebp), %ecx
        movl %ecx, %esp
        leal -8(%ebp), %esp
        popl %esi
        popl %edi
        popl %ebp
        retl
When FastISel bails out from a call instruction, maybe it should consult
MachineFrameInfo to see if the function has dynamic allocations, and if so bail
out from fast-isel for the whole basic block?
Or maybe it could just fall back more gracefully, removing the argument pushing
instructions that it generated before falling back to selectiondag-isel.
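An added example, not part of the report: a small Python replay of the listing quoted above that tracks %esp and the stack slots, so the mismatch at the call to f can be checked rather than eyeballed. It assumes a constructed starting %esp of 0x10000, models __chkstk as allocating %eax bytes, treats other calls as stack-neutral and the import-table load as returning 0; those are modelling assumptions, not behaviour the report states.

```python
BASE = 0x10000  # constructed starting %esp; only relative offsets matter

# The report's -O0 listing, prologue through the call to f, ';'-separated; "<--" notes removed, "@Z" suffixes restored.
ASM = """
pushl %ebp; movl %esp, %ebp; pushl %edi; pushl %esi; subl $28, %esp
movl $1, %eax; movl $2, %ecx; movl $3, %edx; movl $0, -12(%ebp); movl %esp, %esi; movl $8, %edi
movl %eax, -20(%ebp); movl %edi, %eax; movl %esi, -24(%ebp); movl %ecx, -28(%ebp); movl %edx, -32(%ebp)
calll __chkstk; movl %esp, %eax; andl $-8, %eax; movl %eax, %esp; movl -24(%ebp), %ecx; movl %ecx, -16(%ebp)
subl $16, %esp; movl %eax, (%esp); movl $1, 4(%esp); movl $2, 8(%esp); movl $3, 12(%esp)
subl $16, %esp; movl %esp, %edx; movl %eax, (%edx); movl $3, 12(%edx); movl $2, 8(%edx); movl $1, 4(%edx)
movl "__imp_?g@@YA?AUS@@HHH@Z", %edx; movl %eax, -36(%ebp); calll *%edx; addl $16, %esp
movl -36(%ebp), %eax; movl $42, 4(%eax); calll "?f@@YAXUS@@H@Z"
"""

class Cpu:  # just enough 32-bit AT&T-syntax semantics to follow %esp
    ALU = {"movl": lambda d, s: s, "subl": lambda d, s: d - s, "addl": lambda d, s: d + s, "andl": lambda d, s: d & s}
    def __init__(self):
        self.r = dict.fromkeys(("eax", "ecx", "edx", "esi", "edi", "ebp"), 0)
        self.r["esp"] = BASE
        self.mem = {}  # dword slots keyed by address
    def addr(self, op):  # "disp(%reg)" or "(%reg)"
        disp, reg = op[:-1].split("(%")
        return int(disp or 0) + self.r[reg]
    def load(self, op):
        if op.startswith("$"): return int(op[1:])
        if op.startswith("%"): return self.r[op[1:]]
        if op.startswith('"'): return 0  # import-table slot (address of g): no stack effect
        return self.mem.get(self.addr(op), 0)
    def store(self, op, v):
        if op.startswith("%"): self.r[op[1:]] = v
        else: self.mem[self.addr(op)] = v
    def step(self, stmt):
        mnem, _, rest = stmt.partition(" ")
        ops = [o.strip() for o in rest.split(",")]
        if mnem in self.ALU: self.store(ops[1], self.ALU[mnem](self.load(ops[1]), self.load(ops[0])))
        elif mnem == "pushl": self.r["esp"] -= 4; self.mem[self.r["esp"]] = self.load(ops[0])
        elif mnem == "calll" and ops[0] == "__chkstk": self.r["esp"] -= self.r["eax"]  # MSVC probe: allocates %eax bytes
        elif mnem == "calll": pass  # cdecl callee returns with %esp as before the call; the caller adjusts afterwards
        else: raise ValueError(stmt)

def frame_at_call_to_f(asm=ASM, target='"?f@@'):
    cpu = Cpu()  # replay until the call to f, then compare %esp with the inalloca pointer in %eax
    for stmt in filter(None, (s.strip() for s in asm.replace("\n", ";").split(";"))):
        if stmt.startswith("calll") and target in stmt:
            esp, inalloca = cpu.r["esp"], cpu.r["eax"]
            return {"gap": inalloca - esp,                    # 0 when the inalloca area is on top of the stack
                    "i_intended": cpu.mem.get(inalloca + 4),  # the 42 stored through 4(%eax)
                    "i_seen_by_f": cpu.mem.get(esp + 4)}      # what f actually finds at 4(%esp)
        cpu.step(stmt)
    raise RuntimeError("no call matching %s in listing" % target)
```

For this listing the replay reports a 16-byte gap: f would read its second argument from FastISel's abandoned argument area (the value 1) instead of the 42 written into the inalloca slot.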