<html>
<head>
<base href="http://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - EFLAGS can end up as a live-out and crash stackmaps"
href="http://llvm.org/bugs/show_bug.cgi?id=21265">21265</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>EFLAGS can end up as a live-out and crash stackmaps
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Common Code Generator Code
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>kmod@dropbox.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvmbugs@cs.uiuc.edu
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=13198" name="attach_13198" title="Test code -- run "llc eflags.ll" to reproduce">attachment 13198</a> <a href="attachment.cgi?id=13198&action=edit" title="Test code -- run "llc eflags.ll" to reproduce">[details]</a></span>
Test code -- run "llc eflags.ll" to reproduce
I've run into a situation where EFLAGS can end up as a live-out; here's a
snippet of the code before doing a block-merging optimization in
BranchFolding.cpp:
BB#1: derived from LLVM BB %1
Live Ins: %RBP
Predecessors according to CFG: BB#0
%EAX<def> = MOV32r0 %EFLAGS<imp-def,dead>
TEST8rr %AL, %AL, %EFLAGS<imp-def>, %EAX<imp-use,kill>
JNE_4 <BB#4>, %EFLAGS<imp-use,kill>
JMP_4 <BB#4>
Successors according to CFG: BB#4(1048576)
BB#4: derived from LLVM BB %5
Live Ins: %RBP
Predecessors according to CFG: BB#1
PATCHPOINT 30702560, 13, 8383728, 0, 0, <regmask>, %RSP<imp-def>,
%RAX<imp-def,dead>, ...
%RBP<def> = POP64r %RSP<imp-def>, %RSP<imp-use>
RETQ
First we remove the extraneous JNE and JMP in BB#1:
BB#1: derived from LLVM BB %1
Live Ins: %RBP
Predecessors according to CFG: BB#0
%EAX<def> = MOV32r0 %EFLAGS<imp-def,dead>
TEST8rr %AL, %AL, %EFLAGS<imp-def>, %EAX<imp-use,kill>
Successors according to CFG: BB#4(1048576)
BB#4: derived from LLVM BB %5
Live Ins: %RBP
Predecessors according to CFG: BB#1
PATCHPOINT 30702560, 13, 8383728, 0, 0, <regmask>, %RSP<imp-def>,
%RAX<imp-def,dead>, ...
%RBP<def> = POP64r %RSP<imp-def>, %RSP<imp-use>
RETQ
Then BB#4 gets merged in, resulting in this:
BB#1: derived from LLVM BB %1
Live Ins: %RBP
Predecessors according to CFG: BB#0
%EAX<def> = MOV32r0 %EFLAGS<imp-def,dead>
TEST8rr %AL, %AL, %EFLAGS<imp-def>, %EAX<imp-use,kill>
PATCHPOINT 30702560, 13, 8383728, 0, 0, <regmask>, %RSP<imp-def>,
%RAX<imp-def,dead>, ...
%RBP<def> = POP64r %RSP<imp-def>, %RSP<imp-use>
RETQ
In the removing of the JNE, we got rid of the instruction that kills EFLAGS,
without changing the TEST8rr instruction to mark it as a dead def. Then when
we calculate liveness for the patchpoint, it looks like EFLAGS is supposed to
be alive there, tripping an assert in the stackmaps code. I'm not sure if
anything else is affected by this, since it happens pretty late in the
pipeline.
Not sure if this is related to <a class="bz_bug_link
bz_status_NEW "
title="NEW --- - Missing %EFLAGS<kill> flag on CMOV causes suboptimal code"
href="show_bug.cgi?id=11132">http://llvm.org/bugs/show_bug.cgi?id=11132</a> --
seems like a similar result but might happen differently?</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>