<html>

    <head>

      <base href="https://bugs.llvm.org/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Bad interaction between hot/cold splitting and stack coloring"

   href="https://bugs.llvm.org/show_bug.cgi?id=39671">39671</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Bad interaction between hot/cold splitting and stack coloring

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>libraries

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>trunk

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Interprocedural Optimizations

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>unassignedbugs@nondot.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>vsk@apple.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvm-bugs@lists.llvm.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Created <span class=""><a href="attachment.cgi?id=21121" name="attach_21121" title="Reproduces the stack coloring issue when passed to llc -O3.">attachment 21121</a> <a href="attachment.cgi?id=21121&action=edit" title="Reproduces the stack coloring issue when passed to llc -O3.">[details]</a></span>

Reproduces the stack coloring issue when passed to llc -O3.

With hot/cold splitting enabled, clang miscompiles itself in a stage2

ThinLTO+PGO build. I see this crash when running

test/Transforms/LowerExpectIntrinsic/phi_merge.ll through the stage2 opt

binary:

```

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS

(code=EXC_I386_GPFLT)

  * frame #0: 0x00000001013afaf9

opt`handlePhiDef(llvm::CallInst*)::$_0::operator()(llvm::APInt const&) const +

73

    frame #1: 0x00000001013afff8 opt`lowerExpectIntrinsic(llvm::Function&)

(.cold.13) + 104

    frame #2: 0x00000001013af762 opt`lowerExpectIntrinsic(llvm::Function&) +

1570

```

The problem is that StackColoring merges stack slots which are in-use at the

same time in the outlined function.

Here is the call to the outlined function

("lowerExpectIntrinsic(llvm::Function&) (.cold.13)"):

```

codeRepl209:                                      ; preds =

%_ZN4llvm3isaINS_7PHINodeEPNS_5ValueEEEbRKT0_.exit.i

  call void

@_ZL20lowerExpectIntrinsicRN4llvm8FunctionE.cold.13(%"class.llvm::SmallVector.141"*

%Operations.i, %"class.llvm::Value"* %.in299.i, %"class.llvm::APInt"*

%ref.tmp43.i, %"class.llvm::Value"* %231, %"class.llvm::Value"* %Val.i.i255, [2

x i32]* %ref.tmp2.i, %"class.llvm::APInt"* %237) #14

  br label %cleanup75.i

```

>From -debug-only=stack-coloring output, you can see that the slots for

"ref.tmp2.i" and "Operations.i" are merged together (look for the edges "#5 ->

#2"; "#5 -> #1"), despite the fact that these are both passed in to the

outlined function, and are possibly-used at the same time.

```

********** Function: _ZL20lowerExpectIntrinsicRN4llvm8FunctionE

Found a lifetime start marker for slot #2 with allocation: Operations.i

Found a lifetime start marker for slot #4 with allocation: MDB.i

Found a lifetime start marker for slot #1 with allocation: ref.tmp2.i

Found a lifetime start marker for slot #7 with allocation: MDB.i.i

Found a lifetime start marker for slot #5 with allocation: Weights.i

Found a lifetime start marker for slot #6 with allocation: ref.tmp34.i

...

Merging #5 and slots #2 together. 

Merging #5 and slots #1 together. 

Merging #4 and slots #6 together. 

Merging #4 and slots #7 together.

Merge 4 slots. Saved 72 bytes

```

I verified that disabling stack coloring hides the crash. In fact, with stack

coloring disabled and splitting enabled, the full stage2 run check-{llvm,clang}

succeeds without regressions.

Attachments:

- 661.4.opt.nodbg.ll: Reproduces the stack coloring issue when passed to llc

-O3.

- non-trashy.661.4.opt.nodbg.ll: The same as 661.4.opt.nodbg.ll, but

lifetime.{start, end} markers are stripped out of the caller function

(lowerExpectIntrinsic). This does not crash.

Note: I am testing with <a href="https://reviews.llvm.org/D53887">https://reviews.llvm.org/D53887</a>,

<a href="https://reviews.llvm.org/D54189">https://reviews.llvm.org/D54189</a>, and <a href="https://reviews.llvm.org/D54244">https://reviews.llvm.org/D54244</a> applied to

ToT.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>