[llvm-bugs] [Bug 28124] New: X86 cc11 tail calls can clobber the return address when adjusting the stack pointer
via llvm-bugs
llvm-bugs at lists.llvm.org
Tue Jun 14 07:06:43 PDT 2016
https://llvm.org/bugs/show_bug.cgi?id=28124
Bug ID: 28124
Summary: X86 cc11 tail calls can clobber the return address when adjusting the stack pointer
Product: tools
Version: 3.8
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: llc
Assignee: unassignedbugs at nondot.org
Reporter: margnus1 at gmail.com
CC: llvm-bugs at lists.llvm.org
Classification: Unclassified
Created attachment 16536
--> https://llvm.org/bugs/attachment.cgi?id=16536&action=edit
Reproduces the bug on x86, segfaulting
Hi! I have, while working on bringing the LLVM backend of the HiPE optional
machine code compiler for the Erlang language up to date with the latest
changes to LLVM, discovered a miscompilation bug in LLVM, present in 3.8 as
well as current trunk.
In 3.7 and before, the tail call sequence generated is the following:

    addl $4, %esp
    jmp tailcallee # TAILCALL

However, starting with 3.8, the following is generated instead:

    popl %edi
    popl %edi
    pushl %eax
    jmp tailcallee # TAILCALL

This clobbers the return address with undefined junk from $eax.
Please see the tail-clobber.ll attachment for a hand-written stand-alone reproduction case for x86. It is supposed to be compiled with -tailcallopt -stack-alignment=4.

The bug can also be reproduced on x86_64, but due to pure luck, $rax is chosen as the scratch register for both pops and pushes, and so manages to not crash.
I have bisected the problem to revision r237977, as well as written a patch,
which I intend to submit for review shortly.
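As an added illustration, not part of the bug report or its attachment: a constructed C model of the stack around the tail call, showing why `addl $4, %esp` keeps the return address intact while `popl; popl; pushl %eax` replaces it with whatever %eax holds, and why using the same register for both pops and the push (the x86_64 case above) happens to mask the defect. The stack layout, the discarded word and all register values are assumptions, not taken from tail-clobber.ll.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (added example, not the reporter's tail-clobber.ll): a
 * small word-addressed x86 stack showing what each stack-adjustment sequence
 * in the report does to the return-address slot. The stack grows downward,
 * so mem[esp] is the word %esp points at. */
#define STACK_WORDS 8

typedef struct {
    uint32_t mem[STACK_WORDS];
    int esp;            /* index of the word at the top of the stack */
    uint32_t eax, edi;  /* the scratch registers named in the report */
} cpu_t;

static void     push(cpu_t *c, uint32_t v) { c->mem[--c->esp] = v; }
static uint32_t pop(cpu_t *c)              { return c->mem[c->esp++]; }

/* Caller frame just before the adjustment: the return address with one word
 * on top of it that the sequence must discard, so that the callee's `ret`
 * finds the return address at the new %esp. All values are constructed. */
static void setup(cpu_t *c, uint32_t retaddr, uint32_t eax_junk) {
    memset(c, 0, sizeof *c);
    c->esp = STACK_WORDS;
    push(c, retaddr);
    push(c, 0x11111111u);  /* word to be dropped */
    c->eax = eax_junk;     /* whatever %eax happens to hold at this point */
}

/* LLVM 3.7: addl $4, %esp. Drops one word and touches nothing else. */
static uint32_t adjust_with_addl(cpu_t *c) {
    c->esp += 1;
    return c->mem[c->esp];  /* what the callee's ret will pop */
}

/* LLVM 3.8: popl SCRATCH; popl SCRATCH; pushl %eax. Also net +4, but the
 * second pop removes the return address and the push stores %eax there.
 * With SCRATCH == %eax (the x86_64 case in the report) the push happens to
 * write the just-popped return address back, hiding the bug. */
static uint32_t adjust_with_pops(cpu_t *c, uint32_t *scratch) {
    *scratch = pop(c);
    *scratch = pop(c);
    push(c, c->eax);
    return c->mem[c->esp];
}

/* Return-address slot the callee sees under each sequence. */
static uint32_t ret_slot_addl(void)     { cpu_t c; setup(&c, 0x08048123u, 0xdeadbeefu); return adjust_with_addl(&c); }
static uint32_t ret_slot_pops_edi(void) { cpu_t c; setup(&c, 0x08048123u, 0xdeadbeefu); return adjust_with_pops(&c, &c.edi); }
static uint32_t ret_slot_pops_eax(void) { cpu_t c; setup(&c, 0x08048123u, 0xdeadbeefu); return adjust_with_pops(&c, &c.eax); }
```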