<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Hot/cold splitting in ./SingleSource/Regression/C++/EH/Regression-C++-class_hierarchy changes program output"
   href="https://bugs.llvm.org/show_bug.cgi?id=39545">39545</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Hot/cold splitting in ./SingleSource/Regression/C++/EH/Regression-C++-class_hierarchy changes program output
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>libraries
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Interprocedural Optimizations
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>vsk@apple.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=21077" name="attach_21077" title="IR with hot/cold splitting">attachment 21077</a> <a href="attachment.cgi?id=21077&action=edit" title="IR with hot/cold splitting">[details]</a></span>
IR with hot/cold splitting

When running this test program with -hot-cold-split=true (with
<a href="https://reviews.llvm.org/D53887">https://reviews.llvm.org/D53887</a> applied), we’re supposed to see this output:

```
Caught exception: 0: base class
Caught exception: 1: base class
Caught exception: 2: base class
Caught exception: 3: base class
Caught exception: 4: base class
Caught exception: 5: base class
Caught exception: 6: base class
Caught exception: 7: base class
Caught exception: 8: base class
Caught exception: 9: base class
Caught exception: 0: derived class
Caught exception: 1: derived class
Caught exception: 2: derived class
Caught exception: 3: derived class
Caught exception: 4: derived class
Caught exception: 5: derived class
Caught exception: 6: derived class
Caught exception: 7: derived class
Caught exception: 8: derived class
Caught exception: 9: derived class
Caught exception: 0: base class
Caught exception: std::exception
Caught exception: std::exception
Caught unknown exception
Caught unknown exception
```

Instead, we see this:

```
Caught unknown exception
Caught unknown exception
Caught unknown exception
Caught unknown exception
Caught unknown exception
Caught unknown exception
Caught unknown exception
Caught unknown exception
Caught unknown exception
Caught unknown exception
Caught exception: 0: derived class
Caught exception: 1: derived class
Caught exception: 2: derived class
Caught exception: 3: derived class
Caught exception: 4: derived class
Caught exception: 5: derived class
Caught exception: 6: derived class
Caught exception: 7: derived class
Caught exception: 8: derived class
Caught exception: 9: derived class
Caught unknown exception
Caught exception: std::exception
Caught exception: std::exception
<segfault>
```

Here’s where we crash:

Regression-C++-class_hierarchy`main.cold.2:
    0x100001d47 <+0>:  pushq  %rbp
    0x100001d48 <+1>:  movq   %rsp, %rbp
    0x100001d4b <+4>:  pushq  %rbx
    0x100001d4c <+5>:  pushq  %rax
    0x100001d4d <+6>:  cmpl   $0x1, %edi
    0x100001d50 <+9>:  jne    0x100001d6c               ; <+37>
    0x100001d52 <+11>: movq   %rsi, %rdi
    0x100001d55 <+14>: callq  0x100001dcc               ; symbol stub for: __cxa_begin_catch
    0x100001d5a <+19>: movb   0x8(%rax), %cl
    0x100001d5d <+22>: addb   $0x30, %cl
    0x100001d60 <+25>: movq   0x10(%rax), %rdx
->  0x100001d64 <+29>: movb   %cl, (%rdx)

In the outlined catch path, we pass 0x101 (why?) to __cxa_begin_catch:

(lldb) reg read $rdi
     rdi = 0x0000000000000101

__cxa_begin_catch then returns a pointer to:

(lldb) x/8 $rax
0x100202e60: 0x00001f04 0x00000001 0x00000000 0x00000000
0x100202e70: 0x00000000 0x00000000 0x00000000 0x00000000

Clearly [$rax+16] is null, and we crash when we attempt to dereference that.
But something looks like it's gone wrong by the point __cxa_begin_catch is
called.

Looking at the IR before and after outlining, the issue isn't immediately
jumping out at me. I've filed this because I'm worried this isn't just an issue
with D53887, i.e. that there might be a more general problem with how
CodeExtractor handles landingpads. I've attached the IR here.</pre>
        </div>
      </p>
    </body>
</html>