<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - x86_64 codegen checks branch conditions in the wrong order"
href="https://bugs.llvm.org/show_bug.cgi?id=32604">32604</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>x86_64 codegen checks branch conditions in the wrong order
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>4.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>LLVM Codegen
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedclangbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>dan@su-root.co.uk
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=18262" name="attach_18262" title="Example program that clang++ miscompiles on x86_64">attachment 18262</a> <a href="attachment.cgi?id=18262&action=edit" title="Example program that clang++ miscompiles on x86_64">[details]</a></span>
Example program that clang++ miscompiles on x86_64
Clang 3.9.0 and 4.0 incorrectly compile the attached program.
The problem is this branch:
```
bool not_initialized;
int a = 5;
int b = 5;
int c = 5;
if (xxx(&c, &a, &b, not_initialized) && not_initialized) {
printf("true\n");
} else {
printf("false\n");
}
```
The function `xxx()` is not guaranteed to initialize the `bool` variable
`not_initialized`. In this program `a`, `b`, and `c` are set up so that
`not_initialized` never gets initialized. However, this should not be a problem
because the function `xxx` returns false in this case, so the value of
`not_initialized` should never be read.
However, the code generated by clang at -O1 does the wrong thing. It branches on
the value of `not_initialized` first, before trying to branch on the return
value of `xxx()`. This is wrong because the order of the `&&` operator in the
if condition is not being respected.
Here is the output of `objdump -d --no-show-raw-insn`:
```
0000000000400530 <_Z3foov>:
400530: sub $0x18,%rsp
400534: movl $0x5,0x14(%rsp)
40053c: movl $0x5,0x10(%rsp)
400544: movl $0x5,0xc(%rsp)
40054c: lea 0xc(%rsp),%rdi
400551: lea 0x14(%rsp),%rsi
400556: lea 0x10(%rsp),%rdx
40055b: lea 0xb(%rsp),%rcx
400560: callq 400510 <_Z3xxxPiS_S_Rb>
400565: cmpb $0x0,0xb(%rsp)
40056a: je 400577 <_Z3foov+0x47>
40056c: xor $0x1,%al
40056e: jne 400577 <_Z3foov+0x47>
400570: mov $0x400637,%edi
400575: jmp 40057c <_Z3foov+0x4c>
400577: mov $0x400631,%edi
40057c: callq 400400 <puts@plt>
400581: add $0x18,%rsp
400585: retq
400586: nopw %cs:0x0(%rax,%rax,1)
```
You can see that after `callq 400510 <_Z3xxxPiS_S_Rb>` the next instruction,
`cmpb $0x0,0xb(%rsp)`, compares a stack location that holds the
`not_initialized` bool, and then a few instructions later a comparison is
done on the return value of the call (`xor $0x1,%al`). This is the wrong
order.
You can tell that `0xb(%rsp)` is the `not_initialized` variable because we can
see it being passed as the fourth parameter ( `lea 0xb(%rsp),%rcx` ) to the
function call.
For convenience here's a link to the problematic program on godbolt
<a href="https://godbolt.org/g/piH3yO">https://godbolt.org/g/piH3yO</a></pre>
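The attachment itself is not reproduced on this page, so the following is an added, constructed example (not the reporter's program) of the same shape: a function with the signature implied by the mangled name `_Z3xxxPiS_S_Rb` (`bool xxx(int*, int*, int*, bool&)`) whose body is an assumption for the example, the reported pattern in which an uninitialized `bool` out-parameter is consulted after `&&`, and two defensive rewrites that a code reviewer would ask for. The first value-initializes the flag so that every byte codegen might load holds a defined value, which makes the result independent of the order in which the two branches are emitted; the second changes the interface so that the flag is returned together with the success bit and cannot be observed on the failure path at all. The names `xxx_checked`, `as_reported`, `with_initialised_flag` and `with_result_struct` are invented here.

```cpp
#include <cstdio>

// Stand-in for the attachment's xxx(). The parameter types come from the
// mangled name in the report (_Z3xxxPiS_S_Rb); the body is an assumption made
// for this example: the flag is written only on the path that returns true,
// so a false return leaves the caller's bool untouched.
bool xxx(int* c, int* a, int* b, bool& flag) {
    if (*a == *b) {
        return false;          // early exit: flag deliberately not written
    }
    flag = (*c > *a);
    return true;
}

// 1. The shape in the report: the out-parameter has no initializer and the
//    condition relies on && short-circuiting so that the bool is only read
//    after xxx() has returned true. With a == b the flag is never written.
bool as_reported(int a, int b, int c) {
    bool not_initialized;
    return xxx(&c, &a, &b, not_initialized) && not_initialized;
}

// 2. Defensive form: value-initialize the out-parameter. Now the stack slot
//    always holds 0 or 1, so whichever branch the compiler tests first,
//    (ret && flag) and (flag && ret) agree and the result cannot depend on
//    whatever happened to be on the stack.
bool with_initialised_flag(int a, int b, int c) {
    bool flag = false;
    return xxx(&c, &a, &b, flag) && flag;
}

// 3. Interface fix: return success and the flag together. A caller has no
//    separate variable to read on the failure path, so there is nothing
//    uninitialized for any evaluation order to expose.
struct Result {
    bool ok;
    bool flag;
};

Result xxx_checked(int c, int a, int b) {
    if (a == b) {
        return Result{false, false};
    }
    return Result{true, c > a};
}

bool with_result_struct(int a, int b, int c) {
    Result r = xxx_checked(c, a, b);
    return r.ok && r.flag;
}

// Stand-alone driver mirroring the report's printf("true"/"false") output.
int main() {
    // (5, 5, 5) is the report's input: xxx() returns false without writing the flag.
    std::printf("as_reported(5,5,5):           %s\n", as_reported(5, 5, 5) ? "true" : "false");
    std::printf("with_initialised_flag(5,5,5): %s\n", with_initialised_flag(5, 5, 5) ? "true" : "false");
    std::printf("with_result_struct(5,5,5):    %s\n", with_result_struct(5, 5, 5) ? "true" : "false");
    // (1, 2, 3): xxx() returns true and sets the flag to (3 > 1) == true.
    std::printf("with_initialised_flag(1,2,3): %s\n", with_initialised_flag(1, 2, 3) ? "true" : "false");
    return 0;
}
```

To compare the three forms against the report, build with `clang++ -O1` and inspect the output of `objdump -d --no-show-raw-insn` as the reporter did: the initialised and struct-returning forms give the same answer regardless of which comparison the backend emits first, which is the property a caller should rely on rather than on the order of the generated branches.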
</div>
</p>
</body>
</html>