<html>

    <head>

      <base href="https://llvm.org/bugs/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW --- - [SSP] llc crashes on llvm.stackprotectorcheck() call when the argument is a complicated expression"

   href="https://llvm.org/bugs/show_bug.cgi?id=27043">27043</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>[SSP] llc crashes on llvm.stackprotectorcheck() call when the argument is a complicated expression

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>libraries

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>trunk

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Common Code Generator Code

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>unassignedbugs@nondot.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>timshen91@gmail.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvm-bugs@lists.llvm.org

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Created <span class=""><a href="attachment.cgi?id=16075" name="attach_16075" title="Input that crashes trunk llc">attachment 16075</a> <a href="attachment.cgi?id=16075&action=edit" title="Input that crashes trunk llc">[details]</a></span>

Input that crashes trunk llc

llvm.stackprotectorcheck works only when its argument is a "simple" expression,

e.g. global variable access. If user manages to load an address and pass it

into it, llc crashes.

The reason behind this is SelectionDAG handles llvm.stackprotectorcheck in both

SelectBasicBlock and FinishBasicBlock.

llvm.stackprotectorcheck call is intentionally not handled in

SelectionBasicBlock, because we like to pick up tail call update later in

FinishBasicBlock. However, the user code that's calculating its argument gets

generated in SelectionBasicBlock and eliminated in DAG combining (because it's

not used). Later in FinishBasicBlock SSP handler refers to a register that is

populated by no one.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>