<html>
<head>
<base href="http://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - Miscompilation leading to SIGFPE in div"
href="http://llvm.org/bugs/show_bug.cgi?id=15320">15320</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Miscompilation leading to SIGFPE in div
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Register Allocator
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>samsonov@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>chandlerc@gmail.com, kcc@google.com, lhames@gmail.com, llvmbugs@cs.uiuc.edu
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=10051" name="attach_10051" title="Bitcode for failing test case">attachment 10051</a> <a href="attachment.cgi?id=10051&action=edit" title="Bitcode for failing test case">[details]</a></span>
Bitcode for failing test case
The following code fails after
r175688 - Kill of TransferDeadFlag - Dead copies and subreg-to-reg instructions
should just be turned into kills on the spot.
by lhames.
$ cat tmp/div/div.cc
#include <stdint.h>
#include <stdio.h>
uint8_t xxx0;
int64_t xxx1;
int64_t xxx2;
uint8_t *minsn;
uint8_t *lr;
void foo() {
const int64_t adv_address = (xxx0 / *lr) * *minsn;
const int64_t adv_line = (xxx0 % *lr) - 5;
xxx1 += adv_address;
xxx2 += adv_line;
}
int main() {
minsn = new uint8_t;
*minsn = 1;
lr = new uint8_t;
*lr = 14;
xxx0 = 129;
foo();
printf("%ld %ld\n", xxx1, xxx2);
return 0;
}
$ bin/clang++ -fsanitize=address -O1 tmp/div/div.cc && ./a.out
Floating point exception (core dumped)
Note that the bug reproduces only under -fsanitize=address, although it looks like the
problem is not ASan-related.
Assembler dump of the crash point:
Dump of assembler code for function _Z3foov:
0x000000000041bba0 <+0>: push %rax
0x000000000041bba1 <+1>: mov 0x2d70cd8(%rip),%rdi
0x000000000041bba8 <+8>: mov %rdi,%rax
0x000000000041bbab <+11>: shr $0x3,%rax
0x000000000041bbaf <+15>: mov 0x7fff8000(%rax),%cl
0x000000000041bbb5 <+21>: mov 0x2d70bc5(%rip),%al <-- %al is initialized
0x000000000041bbbb <+27>: test %cl,%cl
0x000000000041bbbd <+29>: je 0x41bbc8 <_Z3foov+40>
0x000000000041bbbf <+31>: mov %edi,%edx
0x000000000041bbc1 <+33>: and $0x7,%edx
0x000000000041bbc4 <+36>: cmp %cl,%dl
0x000000000041bbc6 <+38>: jge 0x41bc23 <_Z3foov+131>
0x000000000041bbc8 <+40>: movzbl %al,%ecx
0x000000000041bbcb <+43>: mov (%rdi),%r8b
=> 0x000000000041bbce <+46>: div %r8b <-------- %ax is divided by %r8b
Here the "div" instruction divides %ax by %r8b, but only %al holds a sane
value, while %ah may contain arbitrary garbage.
Attaching the LLVM bitcode.</pre>
</div>
</p>
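<p>An added example, not the reporter's code or any LLVM code: a C model of the x86 <code>DIV r/m8</code> semantics from the Intel SDM (dividend in AX, quotient to AL, remainder to AH, #DE on a zero divisor or a quotient above 255). It plugs in the reproducer's values (xxx0 = 129, *lr = 14) to show that the division faults only when %ah carries stale bits; the stale byte value is constructed for illustration.</p>

```c
#include <stdint.h>
#include <stdio.h>

/* Model of DIV r/m8: AX / divisor -> AL = quotient, AH = remainder.
 * The CPU raises #DE (seen as SIGFPE on Linux) when the divisor is 0
 * or when the quotient does not fit in 8 bits. */
typedef struct {
    int de;        /* 1 if the hardware would raise #DE */
    uint8_t al;    /* quotient */
    uint8_t ah;    /* remainder */
} div8_result;

div8_result div8(uint16_t ax, uint8_t divisor) {
    div8_result r = {0, 0, 0};
    if (divisor == 0) { r.de = 1; return r; }
    unsigned q = ax / divisor;
    if (q > 0xFF) { r.de = 1; return r; }   /* quotient overflow */
    r.al = (uint8_t)q;
    r.ah = (uint8_t)(ax % divisor);
    return r;
}

/* Values from the reproducer: xxx0 = 129 lands in AL, *lr = 14 in R8B. */
#define XXX0 129u
#define LR   14u

/* Correct code zero-extends AL into AX (AH == 0) before DIV,
 * so the dividend is exactly xxx0: 129 / 14 = 9 remainder 3. */
div8_result div_correct(void) {
    return div8((uint16_t)XXX0, LR);
}

/* The miscompiled code leaves AH untouched, so DIV sees a 16-bit
 * dividend it never meant to use. 'garbage_ah' is a constructed stand-in
 * for the stale byte; with these operands any AH >= 0x0E faults. */
div8_result div_miscompiled(uint8_t garbage_ah) {
    uint16_t ax = (uint16_t)((garbage_ah << 8) | XXX0);
    return div8(ax, LR);
}

int main(void) {
    div8_result ok = div_correct(), bad = div_miscompiled(0x2D);
    printf("correct: al=%u ah=%u -> adv_address=%d adv_line=%d\n",
           (unsigned)ok.al, (unsigned)ok.ah, ok.al * 1, (int)ok.ah - 5);
    printf("miscompiled: %s\n", bad.de ? "#DE (SIGFPE)" : "no fault");
    return 0;
}
```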
</body>
</html>