<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - LLVM overwrites spilled xmm registers in crash handler"
href="https://bugs.llvm.org/show_bug.cgi?id=36103">36103</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>LLVM overwrites spilled xmm registers in crash handler
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Backend: X86
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>smeenai@fb.com
</td>
</tr>
<tr>
<th>CC</th>
<td>compnerd@compnerd.org, david.majnemer@gmail.com, llvm-bugs@lists.llvm.org, rnk@google.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=19754" name="attach_19754" title="Reduced test case">attachment 19754</a> <a href="attachment.cgi?id=19754&action=edit" title="Reduced test case">[details]</a></span>
Reduced test case

See dbl3.ll (in the attached zip). If I assemble this with

% opt -mem2reg -mtriple x86_64-windows-msvc -S -o - dbl3.ll | \
    llc -filetype=asm -o - -

the function prologue has

"?z@@YANXZ": # @"\01?z@@YANXZ"
.Lfunc_begin0:
.seh_proc "?z@@YANXZ"
.seh_handler __CxxFrameHandler3, @unwind, @except
# %bb.0: # %entry
pushq %rbp
.seh_pushreg 5
subq $64, %rsp
.seh_stackalloc 64
leaq 64(%rsp), %rbp
.seh_setframe 5, 64
movaps %xmm6, -16(%rbp) # 16-byte Spill
.seh_savexmm 6, 48
.seh_endprologue

and the catch handler prologue has

"?catch$4@?0??z@@YANXZ@4HA":
.seh_proc "?catch$4@?0??z@@YANXZ@4HA"
.seh_handler __CxxFrameHandler3, @unwind, @except
.LBB0_4: # %catch
movq %rdx, 16(%rsp)
pushq %rbp
.seh_pushreg 5
subq $32, %rsp
.seh_stackalloc 32
leaq 64(%rdx), %rbp
movapd %xmm6, -16(%rbp) # 16-byte Spill
.seh_savexmm 6, 48
.seh_endprologue

Note that the catch handler saves xmm6 to the stack to the exact same slot the
function prologue saved it to. In other words, when the catch handler is
entered, the *current* value of xmm6, which has already been overwritten inside
the function, is saved to the stack, overwriting the original value that was
saved in the function prologue. The function epilogue will therefore restore an
incorrect value to xmm6.

dbl.cpp, dbl2.cpp, and dbl3.cpp in the attached zip represent a complete
example demonstrating the problem. If you run

% clang-cl /O1 /EHsc dbl.cpp dbl2.cpp dbl3.cpp

and then execute dbl.exe, the exit code should be 1 rather than 0, because of
xmm6 getting trashed. Compiling with cl and running the compiled program yields
an exit code of 0, as expected.

I've reproduced this with clang 5, clang 6, and trunk, so it seems like it goes
a long way back.</pre>
</div>
</p>
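<p>A small checker, added here and not part of the report or of LLVM, that reads the two prologues quoted above and works out where each xmm spill actually lands relative to the frame the funclet receives in %rdx, flagging a funclet spill that aliases the parent's slot. It assumes the Win64 convention that %rdx holds the parent's establisher frame (the parent's %rsp after its stack allocation) and that a funclet's symbol embeds its parent's mangled name, as the one on this page does.</p>

```python
import re

# Constructed sample: the report's two prologues (AT&T syntax), cut to the
# lines this analysis needs; funclet symbols embed the parent's mangled name.
ASM = """\
.seh_proc "?z@@YANXZ"
leaq 64(%rsp), %rbp
movaps %xmm6, -16(%rbp) # 16-byte Spill
.seh_savexmm 6, 48
.seh_proc "?catch$4@?0??z@@YANXZ@4HA"
leaq 64(%rdx), %rbp
movapd %xmm6, -16(%rbp) # 16-byte Spill
.seh_savexmm 6, 48
"""

PROC = re.compile(r'^\.seh_proc\s+"?([^"\s]+)"?')
FRAME = re.compile(r'^leaq\s+(-?\d+)\(%(\w+)\),\s*%rbp')
SPILL = re.compile(r'^movap[sd]\s+%(xmm\d+),\s*(-?\d+)\(%rbp\)')

def parse_spills(asm):
    """Per .seh_proc: the register %rbp was derived from and each xmm spill
    rewritten relative to it, e.g. -16(%rbp) with rbp = rdx + 64 is rdx + 48."""
    procs, cur = {}, None
    for line in asm.splitlines():
        line = line.strip()
        if m := PROC.match(line):
            cur = m.group(1)
            procs[cur] = {"base": None, "bias": 0, "spills": {}}
        elif cur and (m := FRAME.match(line)):
            procs[cur]["base"], procs[cur]["bias"] = m.group(2), int(m.group(1))
        elif cur and (m := SPILL.match(line)):
            p = procs[cur]
            p["spills"][m.group(1)] = p["bias"] + int(m.group(2))
    return procs

def clobbered_spills(asm):
    """(funclet, parent, xmm, offset) for each catch funclet that spills into
    its parent's slot: the funclet rebuilds %rbp from %rdx, the parent's
    establisher frame (parent %rsp after stack allocation), so equal offsets
    are the same address and the parent's saved value is overwritten."""
    procs, hits = parse_spills(asm), []
    for fname, f in procs.items():
        if f["base"] != "rdx":
            continue  # not a funclet entered with the parent frame in %rdx
        for pname, p in procs.items():
            if pname != fname and p["base"] == "rsp" and pname in fname:
                for reg, off in f["spills"].items():
                    if p["spills"].get(reg) == off:
                        hits.append((fname, pname, reg, off))
    return hits
```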
</body>
</html>