<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW --- - InstCombine optimization changes Address Sanitizer instrumentation and alters its behavior" href="https://llvm.org/bugs/show_bug.cgi?id=27605">27605</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>InstCombine optimization changes Address Sanitizer instrumentation and alters its behavior
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>3.8
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Miscellaneous Instrumentation passes
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>nahk4r@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=16294" name="attach_16294" title="bitcode of code.c from bh benchmark in olden suite.">attachment 16294</a> <a href="attachment.cgi?id=16294&action=edit" title="bitcode of code.c from bh benchmark in olden suite.">[details]</a></span>
bitcode of code.c from bh benchmark in olden suite.
Here's what's going on.
I have a snippet of code:
%59 = load i8, i8* inttoptr (i64 add (i64 lshr (i64 ptrtoint (i32*
getelementptr inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1)
to i64), i64 3), i64 2147450880) to i8*)
%60 = icmp ne i8 %59, 0
br i1 %60, label %61, label %64
; <label>:61: ; preds = %if.else
%62 = icmp sge i8 trunc (i64 add (i64 and (i64 ptrtoint (i32* getelementptr
inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1) to i64), i64
7), i64 3) to i8), %59
br i1 %62, label %63, label %64
; <label>:63: ; preds = %61
call void @__asan_report_store4(i64 ptrtoint (i32* getelementptr inbounds
(%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1) to i64))
call void asm sideeffect "", ""()
unreachable
; <label>:64: ; preds = %61, %if.else
store i32 %call15, i32* getelementptr inbounds (%struct.anon.0,
%struct.anon.0* @bodytab, i32 0, i32 1), align 8
This is a part of the LLVM IR inside the "startrun" function, retrieved by compiling
code.c from bh benchmark in olden benchmark suite, by using the following
command:
clang -c -emit-llvm -fsanitize=address code.c -O0
This is basically creating a bitcode of code.c by using address sanitizer and
no optimization.
I have attached the codeInst.bc file. This file is code.bc, but I've added a
few metadata to instructions to easily identify which code has been added by
address sanitizer.
To find the above code, you can search for "!poistartrun11."
The problem is, once I optimize this code with -O3:
opt -disable-inlining -O3 < codeInst.bc > codeInstOpt3.bc
The following is the code I get:
%call15 = tail call i32 @getiparam(i8* nonnull getelementptr inbounds ({ [6 x
i8], [58 x i8] }, { [6 x i8], [58 x i8] }* @.str.24, i64 0, i32 0, i64 0)) #3
%52 = load i8, i8* inttoptr (i64 add (i64 lshr (i64 ptrtoint (i32*
getelementptr inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i64 0, i32 1)
to i64), i64 3), i64 2147450880) to i8*)
%53 = icmp ne i8 %52, 0
%54 = icmp slt i8 %52, 4
%or.cond7 = and i1 %53, %54
br i1 %or.cond7, label %55, label %56
; <label>:55: ; preds = %if.else
tail call void @__asan_report_store4(i64 ptrtoint (i32* getelementptr
inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i64 0, i32 1) to i64)) #3
tail call void asm sideeffect "", ""() #3
unreachable
; <label>:56: ; preds = %if.else
store i32 %call15, i32* getelementptr inbounds (%struct.anon.0,
%struct.anon.0* @bodytab, i64 0, i32 1), align 8
The difference is at these lines:
%62 = icmp sge i8 trunc (i64 add (i64 and (i64 ptrtoint (i32* getelementptr
inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1) to i64), i64
7), i64 3) to i8), %59
and
%54 = icmp slt i8 %52, 4
For some reason,
i8 trunc (i64 add (i64 and (i64 ptrtoint (i32* getelementptr inbounds
(%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1) to i64)
seems to be translated into the number "4."
I have confirmed that this is causing a problem by compiling "bh" benchmark
using address sanitizer and it ran fine. Once I compile it using address
sanitizer AND O3, address sanitizer threw an exception and exited (basically
jumping to label 55 in the O3 version).
Here are some things that I found about this bug:
1. It is caused by InstCombine. When I only compiled using the instcombine pass,
the optimization was present.
2. This is happening in every address sanitizer instrumentation optimization
when "@bodytab, i32 0, i32 1" is in there. You will find multiple instances in
code.bc where such optimization is happening.
3. The versions of the compilers I used to check this are:
a. clang version 3.9.0 (trunk 259660) (llvm/trunk 259659)
b. clang version 3.8.1 (branches/release_38 265724) (llvm/branches/release_38
265723)
If there is any additional information you need, please let me know.</pre>
</div>
</p>
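<p>The two IR fragments in the report are the generic and the folded forms of the same AddressSanitizer shadow-byte check. The following C program is an added illustration, not code from the bug report or from LLVM: it models the shadow address computation (scale 3 and offset 2147450880 are the constants that appear in the IR), the generic partial-granule test the -O0 IR spells out for a 4-byte store (<code>((addr &amp; 7) + 3) &gt;= shadow</code>, signed i8 compare), and the folded form (<code>shadow &lt; 4</code>) seen after -O3. It then checks, over every possible shadow byte value, that the two forms agree exactly when the low three bits of the address are zero (what an 8-byte-aligned address implies; the store in the IR is marked <code>align 8</code>) and shows where they diverge for an address that is not 8-byte aligned. The sample addresses 0x1000 and 0x1004 are constructed for the example.</p>

```c
/* Added example: model of the ASan shadow check from the report's IR.
 * Not LLVM code. Constants taken from the IR: shadow = (addr >> 3) + 2147450880. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL   /* 2147450880 in the IR */

/* Shadow byte address for an application address:
 * inttoptr(add(lshr(ptrtoint(addr), 3), 2147450880)) in the IR. */
uint64_t shadow_addr(uint64_t addr) {
    return (addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Generic slow-path check as the -O0 IR writes it for an access of `size`
 * bytes at `addr`: report iff shadow != 0 and the offset of the access's last
 * byte inside its 8-byte granule, (addr & 7) + size - 1, is >= shadow
 * (signed i8 compare, so a poisoned/negative shadow byte always reports). */
bool asan_check_generic(uint64_t addr, unsigned size, int8_t shadow) {
    if (shadow == 0)
        return false;                       /* whole granule addressable */
    int8_t last_byte = (int8_t)((addr & 7) + size - 1);
    return last_byte >= shadow;
}

/* Folded form from the -O3 IR for a 4-byte store:
 * %53 = icmp ne i8 %52, 0 ; %54 = icmp slt i8 %52, 4 ; and i1 %53, %54 */
bool asan_check_folded_store4(int8_t shadow) {
    return shadow != 0 && shadow < 4;
}

/* True iff, for every shadow byte value, the generic 4-byte check at `addr`
 * agrees with the folded `shadow < 4` form. */
bool folded_matches_generic(uint64_t addr) {
    for (int s = -128; s <= 127; s++) {
        if (asan_check_generic(addr, 4, (int8_t)s) != asan_check_folded_store4((int8_t)s))
            return false;
    }
    return true;
}

/* Returns the first shadow value on which the two forms disagree, or 0 if none. */
int first_disagreement(uint64_t addr) {
    for (int s = -128; s <= 127; s++) {
        if (asan_check_generic(addr, 4, (int8_t)s) != asan_check_folded_store4((int8_t)s))
            return s;
    }
    return 0;
}

int main(void) {
    /* Constructed sample addresses: 0x1000 is 8-byte aligned, 0x1004 is not. */
    uint64_t aligned = 0x1000, unaligned = 0x1004;
    printf("shadow of 0x%llx is 0x%llx\n",
           (unsigned long long)aligned, (unsigned long long)shadow_addr(aligned));
    printf("aligned   store4: folded form matches generic: %s\n",
           folded_matches_generic(aligned) ? "yes" : "no");
    printf("unaligned store4: folded form matches generic: %s (first differing shadow=%d)\n",
           folded_matches_generic(unaligned) ? "yes" : "no",
           first_disagreement(unaligned));
    return 0;
}
```

<p>Run it and the aligned case agrees for all 256 shadow values, while the unaligned case first disagrees at shadow value 4, where the generic check (last byte at offset 7) reports and the folded one does not. When reproducing this report, the question to settle is therefore whether the address of <code>@bodytab</code> field 1 really has its low three bits clear at run time; if it does, both forms report identically and the difference must lie elsewhere, and if it does not, the <code>align 8</code> annotation that licensed the fold is the thing to inspect.</p>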
</body>
</html>