<html>

    <head>

      <base href="https://bugs.llvm.org/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - localrecover accessing incorrect stack offset"

   href="https://bugs.llvm.org/show_bug.cgi?id=37169">37169</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>localrecover accessing incorrect stack offset

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>libraries

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>trunk

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>enhancement

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Backend: X86

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>unassignedbugs@nondot.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>smeenai@fb.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>compnerd@compnerd.org, david.majnemer@gmail.com, llvm-bugs@lists.llvm.org, rnk@google.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Created <span class=""><a href="attachment.cgi?id=20199" name="attach_20199" title="Reduced IR">attachment 20199</a> <a href="attachment.cgi?id=20199&action=edit" title="Reduced IR">[details]</a></span>

Reduced IR

The reduced IR attached has an @llvm.localrecover for an @llvm.localescape that

lives in the same stack frame. I'm fairly sure the IR itself is valid; the

@llvm.localrecover was originally from an outlined __finally which was then

inlined (which is why we end up with the localescape/localrecover in the first

place).

If I run llc on the reduced IR, the output is

_i:                                     # @i

Lfunc_begin0:

# %bb.0:

        pushl   %ebp

        movl    %esp, %ebp

        pushl   %ebx

        pushl   %edi

        pushl   %esi

        andl    $-8, %esp

        subl    $56, %esp

        movl    %esp, %esi

        movl    %ebp, 32(%esi)

Li$frame_escape_0 = 4

... (nothing in here changes ebp or esi)

        calll   _f

        movl    %eax, 4(%esi)

... (nothing in here changes ebp or esi)

        movl    Li$frame_escape_0(%ebp), %eax

        movl    $0, 48(%esi)

        pushl   %eax

        calll   _h

...

Note that %esp is moved to %ebp, then we perform more stack adjustments, then

%esp is moved to %esi, so %esi != %ebp. The localescape stores to 4(%esi), but

the localrecover loads from 4(%ebp), so it'll end up reading the wrong value

(most likely resulting in a crash).

I'm unable to reproduce this on x86-64; the localescape always goes through

%ebp on that architecture.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>