<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - trunk clang miscompiles sqlite after 21dadd774"
href="https://bugs.llvm.org/show_bug.cgi?id=46194">46194</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>trunk clang miscompiles sqlite after 21dadd774
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>hans@chromium.org
</td>
</tr>
<tr>
<th>CC</th>
<td>htmldeveloper@gmail.com, llvm-bugs@lists.llvm.org, spatel+llvm@rotateright.com
</td>
</tr></table>
<p>
<div>
<pre>OSSFuzz flagged an issue in SQLite that really appears to be a miscompile due
to an llvm bug:
<a href="https://sqlite.org/forum/forumpost/e7e828bb6f">https://sqlite.org/forum/forumpost/e7e828bb6f</a>

It appears that in this code:

  c = pMem->flags;
  sqlite3VdbeMemRelease(pMem);
  pMem->flags = MEM_Str|MEM_Term|(c&(MEM_AffMask|MEM_Subtype));

the load of pMem->flags is moved from before the call to sqlite3VdbeMemRelease
to afterwards, even though the call may affect the flags.

The suspect transformation can be observed with:

$ wget <a href="https://www.sqlite.org/2020/sqlite-amalgamation-3320100.zip">https://www.sqlite.org/2020/sqlite-amalgamation-3320100.zip</a>
$ unzip sqlite-amalgamation-3320100.zip
$ build.release/bin/clang -fno-omit-frame-pointer -DSQLITE_DEBUG=1 -c -O1 sqlite-amalgamation-3320100/sqlite3.c -o sqlite3.o && objdump -dr sqlite3.o | grep -A500 '<sqlite3VdbeMemTranslate>:' | grep -B30 retq

2ee89: 41 80 fe 01 cmp $0x1,%r14b
2ee8d: 0f 94 c0 sete %al
2ee90: c6 01 00 movb $0x0,(%rcx)
2ee93: 49 63 4d 0c movslq 0xc(%r13),%rcx
2ee97: ba 02 00 00 00 mov $0x2,%edx
2ee9c: 29 c2 sub %eax,%edx
2ee9e: 48 01 ca add %rcx,%rdx
2eea1: 49 39 d1 cmp %rdx,%r9
2eea4: 0f 8c de 00 00 00 jl 2ef88 <sqlite3VdbeMemTranslate+0x688>
2eeaa: 4c 89 ef mov %r13,%rdi
2eead: e8 ee 8c fd ff callq 7ba0 <sqlite3VdbeMemRelease>
2eeb2: b8 3d 80 ff ff mov $0xffff803d,%eax
2eeb7: 41 23 45 08 and 0x8(%r13),%eax
2eebb: 0d 02 02 00 00 or $0x202,%eax
2eec0: 66 41 89 45 08 mov %ax,0x8(%r13)
2eec5: 45 88 75 0a mov %r14b,0xa(%r13)
2eec9: 4d 89 7d 10 mov %r15,0x10(%r13)
2eecd: 4d 89 7d 18 mov %r15,0x18(%r13)
2eed1: 49 8b 7d 28 mov 0x28(%r13),%rdi
2eed5: 4c 89 fe mov %r15,%rsi
2eed8: e8 c3 44 fd ff callq 33a0 <sqlite3DbMallocSize>
2eedd: 41 89 45 20 mov %eax,0x20(%r13)
2eee1: 31 c0 xor %eax,%eax
2eee3: 48 83 c4 08 add $0x8,%rsp
2eee7: 5b pop %rbx
2eee8: 41 5c pop %r12
2eeea: 41 5d pop %r13
2eeec: 41 5e pop %r14
2eeee: 41 5f pop %r15
2eef0: 5d pop %rbp
2eef1: c3 retq

Bisection shows that the behaviour changed at

commit 21dadd774f56778ef68c1ce307205dfbdacc793a
Author: Sanjay Patel <<a href="mailto:spatel@rotateright.com">spatel@rotateright.com</a>>
Date:   Fri May 29 09:31:11 2020 -0400

    [DAGCombiner] avoid unnecessary indirection from SDNode/SDValue; NFCI

Before that, the generated code looks like this:

2ee89: 41 80 fe 01 cmp $0x1,%r14b
2ee8d: 0f 94 c0 sete %al
2ee90: c6 01 00 movb $0x0,(%rcx)
2ee93: 49 63 4d 0c movslq 0xc(%r13),%rcx
2ee97: ba 02 00 00 00 mov $0x2,%edx
2ee9c: 29 c2 sub %eax,%edx
2ee9e: 48 01 ca add %rcx,%rdx
2eea1: 49 39 d1 cmp %rdx,%r9
2eea4: 0f 8c df 00 00 00 jl 2ef89 <sqlite3VdbeMemTranslate+0x689>
2eeaa: bb 3d 80 ff ff mov $0xffff803d,%ebx
2eeaf: 41 23 5d 08 and 0x8(%r13),%ebx <----- c = pMem->flags & (MEM_AffMask|MEM_Subtype)
2eeb3: 4c 89 ef mov %r13,%rdi
2eeb6: e8 e5 8c fd ff callq 7ba0 <sqlite3VdbeMemRelease>
2eebb: 81 cb 02 02 00 00 or $0x202,%ebx
2eec1: 66 41 89 5d 08 mov %bx,0x8(%r13) <----- pMem->flags = ...
2eec6: 45 88 75 0a mov %r14b,0xa(%r13)
2eeca: 4d 89 7d 10 mov %r15,0x10(%r13)
2eece: 4d 89 7d 18 mov %r15,0x18(%r13)
2eed2: 49 8b 7d 28 mov 0x28(%r13),%rdi
2eed6: 4c 89 fe mov %r15,%rsi
2eed9: e8 c2 44 fd ff callq 33a0 <sqlite3DbMallocSize>
2eede: 41 89 45 20 mov %eax,0x20(%r13)
2eee2: 31 c0 xor %eax,%eax
2eee4: 48 83 c4 08 add $0x8,%rsp
2eee8: 5b pop %rbx
2eee9: 41 5c pop %r12
2eeeb: 41 5d pop %r13
2eeed: 41 5e pop %r14
2eeef: 41 5f pop %r15
2eef1: 5d pop %rbp
2eef2: c3 retq</pre>
</div>
</p>
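<p>A stand-alone C model of the reported pattern, added here as an illustration; it is not part of the bug report, of SQLite or of LLVM. A stand-in release function rewrites the flags the way the report says sqlite3VdbeMemRelease may, and the same assignment is written once with the load before the call (the source order) and once with the load after it (what the bad codegen does), so the difference in the resulting flags can be checked; the MEM_* values and the <code>noinline</code> attribute are assumptions, the flag values chosen to be consistent with the 0x202 and 0xffff803d constants in the disassembly.</p>

```c
#include <stdint.h>
#include <stdio.h>
/* Flag values assumed to mirror SQLite's vdbeInt.h; consistent with 0x202 and 0xffff803d above. */
#define MEM_Null    0x0001
#define MEM_Str     0x0002
#define MEM_Int     0x0004
#define MEM_AffMask 0x003f
#define MEM_Term    0x0200
#define MEM_Subtype 0x8000

typedef struct Mem { uint16_t flags; const char *z; } Mem;

/* Stand-in for sqlite3VdbeMemRelease: a release may rewrite flags (here: to
 * MEM_Null), which is why the caller's load must stay before the call. */
__attribute__((noinline)) void mem_release(Mem *pMem) {
    pMem->z = 0;
    pMem->flags = MEM_Null;
}

/* The pattern from the bug report as written in the source: load, call, store. */
__attribute__((noinline)) uint16_t translate_flags(Mem *pMem) {
    uint16_t c = pMem->flags;
    mem_release(pMem);
    pMem->flags = MEM_Str | MEM_Term | (c & (MEM_AffMask | MEM_Subtype));
    return pMem->flags;
}

/* What the bad codegen computes: same expression, but the load of pMem->flags
 * happens after the call, so the pre-release affinity/subtype bits are lost. */
__attribute__((noinline)) uint16_t translate_flags_reordered(Mem *pMem) {
    mem_release(pMem);
    uint16_t c = pMem->flags;
    pMem->flags = MEM_Str | MEM_Term | (c & (MEM_AffMask | MEM_Subtype));
    return pMem->flags;
}

/* 1 if the compiled translate_flags still loads before the call, else 0. The
 * reference value is computed with no call in between, so it cannot reorder. */
int load_order_preserved(uint16_t before) {
    Mem m = { before, "x" };
    uint16_t want = MEM_Str | MEM_Term | (before & (MEM_AffMask | MEM_Subtype));
    return translate_flags(&m) == want;
}

int main(void) {
    Mem a = { MEM_Int | MEM_Subtype, "x" }, b = a;   /* constructed: a subtyped integer */
    printf("source order 0x%04x, reordered 0x%04x\n", translate_flags(&a), translate_flags_reordered(&b));
    return load_order_preserved(MEM_Int | MEM_Subtype) ? 0 : 1;
}
```

With a correct compiler the two values differ (0x8206 versus 0x0203) and the program exits 0; a build affected by the reordering would make translate_flags produce the second value as well.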
</body>
</html>