<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [AVR] Interrupt stack pointer and register corruption"
href="https://bugs.llvm.org/show_bug.cgi?id=47253">47253</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[AVR] Interrupt stack pointer and register corruption
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>hi@andrewcou.ch
</td>
</tr>
<tr>
<th>CC</th>
<td>htmldeveloper@gmail.com, llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>I have identified a reliable corruption of the stack pointer in interrupts on
the AVR platform. Compiling any interrupt handler with a non-zero frame size
produces the bug.
A minimal Rust reproduction can be found on the original Rust issue where I
identified the bug: <a href="https://github.com/rust-lang/rust/issues/75504">https://github.com/rust-lang/rust/issues/75504</a> I believe
the following IR will produce the issue, though I haven't yet tested it as I'm
running into toolchain issues.
define avr_signalcc void @__vector_0() unnamed_addr addrspace(1) #0 {
start:
%item = alloca i8, align 1
ret void
}
attributes #0 = { nounwind writeonly }
The end of the assembler generated by a problematic ISR is:
pop r29
pop r28
pop r25
pop r24
pop r0
out 63, r0
adiw r28, 1
in r0, 63
cli
out 62, r29
out 63, r0
out 61, r28
pop r1
pop r0
reti
Note that the callee-saved registers are popped BEFORE restoring the stack
pointer, so the wrong value will be used in the calculation, and we corrupt r0,
r28, and r29 in the process.
The bug seems to be in AVRFrameLowering::emitEpilogue. That routine first
inserts machine instructions to restore R0, R1, and SREG (lines 157-161), then
attempts to skip the callee-saved pop instructions (lines 170-176). However,
it immediately sees the AVR::OUTARr (out 63, r0) that was inserted a few lines
above. It stops there, presuming this to be the end of the callee-saved
register pop sequence, and inserts the frame pointer code AFTER the relevant
registers have already been restored, rather than before.
The tip commit is currently 445739826567e5402b558f2c130d76dc916c82ec. The
relevant sections of the code have not been modified since
192405a31a8125ec4454ec5471b2506aaef5b81e.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>