<html>
<head>
<base href="http://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED --- - Backend can miscompile functions that invoke setjmp()"
href="http://llvm.org/bugs/show_bug.cgi?id=18244">18244</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Backend can miscompile functions that invoke setjmp()
</td>
</tr>
<tr>
<th>Product</th>
<td>tools
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>ASSIGNED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>llc
</td>
</tr>
<tr>
<th>Assignee</th>
<td>mseaborn@chromium.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>mseaborn@chromium.org
</td>
</tr>
<tr>
<th>CC</th>
<td>llvmbugs@cs.uiuc.edu
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>The backend needs to avoid reusing spill slots in functions that call setjmp().
It does this correctly if setjmp() is called via a "call" instruction, but not
if it's called via an "invoke" instruction.
Here's an example of a program that is miscompiled as a result:
#include <stdio.h>
typedef char jmp_buf[1000];
extern "C" {
// Declare setjmp() without "__attribute__((nothrow))":
int setjmp(jmp_buf env);
void longjmp(jmp_buf env, int val);
}
static int counter = 0;
__attribute__((noinline))
int f(void) {
return ++counter;
}
__attribute__((noinline))
void g(int x, int expected) {
if (x == expected) {
printf("got %i (ok)\n", x);
} else {
printf("got %i but expected %i: ERROR\n", x, expected);
}
}
// To test for the bug, this must be compiled with optimisation in
// order to run mem2reg and use spill slots. But f() and g() must not
// be inlined.
int main() throw() {
// Keep enough variables live across the setjmp() call that they
// don't all fit in registers and the compiler allocates some spill
// slots.
int a1 = f();
int a2 = f();
int a3 = f();
int a4 = f();
int a5 = f();
int a6 = f();
int a7 = f();
int a8 = f();
jmp_buf buf;
if (setjmp(buf)) {
g(a1, 1);
g(a2, 2);
g(a3, 3);
g(a4, 4);
g(a5, 5);
g(a6, 6);
g(a7, 7);
g(a8, 8);
return 0;
}
// Again, keep enough variables live that they need spill slots. A
// correct compiler will realise that a1...aN are still live (via
// setjmp()+longjmp()), and so not reuse the earlier spill slots.
// An incorrect compiler will think that a1..aN are dead here and
// wrongly reuse the earlier spill slots.
int b1 = f();
int b2 = f();
int b3 = f();
int b4 = f();
int b5 = f();
int b6 = f();
int b7 = f();
int b8 = f();
int start = 8;
g(b1, start + 1);
g(b2, start + 2);
g(b3, start + 3);
g(b4, start + 4);
g(b5, start + 5);
g(b6, start + 6);
g(b7, start + 7);
g(b8, start + 8);
longjmp(buf, 1);
}
On x86-64, when compiled with -O1 or -O2, this program prints:
...
got 14 but expected 6: ERROR
got 15 but expected 7: ERROR
got 16 but expected 8: ERROR
The bug is in Function::callsFunctionThatReturnsTwice(), which checks calls but
not invokes. This is ultimately used by StackSlotColoring.cpp in its
exposesReturnsTwice() call.
This is similar to <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - Inliner wrongly inlines functions that invoke setjmp()"
href="show_bug.cgi?id=18206">bug 18206</a>. An "invoke" of setjmp() can occur if:
* setjmp() is called in an exception-handling context, e.g. in C++ a
destructor implicitly declared as "nothrow".
* setjmp() is declared without "nothrow". e.g. glibc's headers declare
setjmp() with "nothrow", but not all headers do.
I'll prepare a fix.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>