<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Instcombine optimization f5df5cd55 causes miscompile in CFI code for Android"
href="https://bugs.llvm.org/show_bug.cgi?id=47980">47980</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Instcombine optimization f5df5cd55 causes miscompile in CFI code for Android
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Scalar Optimizations
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>pirama@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>eugeni.stepanov@gmail.com, lebedev.ri@gmail.com, llvm-bugs@lists.llvm.org, srhines@google.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=24101" name="attach_24101" title="repro">attachment 24101</a> <a href="attachment.cgi?id=24101&action=edit" title="repro">[details]</a></span>
repro

<a href="https://github.com/llvm/llvm-project/commit/f5df5cd5586ae9cfb2d9e53704dfc76f47aff149">https://github.com/llvm/llvm-project/commit/f5df5cd5586ae9cfb2d9e53704dfc76f47aff149</a>
causes a miscompile for __cfi_slowpath_diag in
<a href="https://android.googlesource.com/platform/bionic/+/refs/heads/master/libdl/libdl_cfi.cpp">https://android.googlesource.com/platform/bionic/+/refs/heads/master/libdl/libdl_cfi.cpp</a>.

The optimization in f5df5cd5586 fires for the following lines:

  uintptr_t p = aligned_addr - (static_cast<uintptr_t>(v - CFIShadow::kRegularShadowMin)
                                << CFIShadow::kCfiCheckGranularity);

The optimization seems valid but it somehow triggers a downstream miscompile.
With f5df5cd5586, the trailing end of cfi_slowpath_diag looks like this:

  ...
  a8: b002       add     sp, #8
  aa: bdd0       pop     {r4, r6, r7, pc}
  ac: 2400       movs    r4, #0
  ae: f6cf 74fc  movt    r4, #65532      ; 0xfffc
  b2: f504 3e7c  add.w   lr, r4, #258048 ; 0x3f000
  b6: 4614       mov     r4, r2
  b8: f36f 0411  bfc     r4, #0, #18
  bc: fb0c 440e  mla     r4, ip, lr, r4
  c0: f504 2484  add.w   r4, r4, #270336 ; 0x42000
  c4: 3401       adds    r4, #1
  c6: b002       add     sp, #8
  c8: e8bd 40d0  ldmia.w sp!, {r4, r6, r7, lr}
  cc: 4720       bx      r4
  ce: bf00       nop
  d0: 00000044   andeq   r0, r0, r4, asr #32

Note that the value in $r4 from address 42 is clobbered by the ldmia in 46 but
is still used as the branch target in 4a.
With f5df5cd5586 reverted:

  ...
  a0: b002       add     sp, #8
  a2: bdd0       pop     {r4, r6, r7, pc}
  a4: f502 2e80  add.w   lr, r2, #262144 ; 0x40000
  a8: f44f 5400  mov.w   r4, #8192       ; 0x2000
  ac: f364 0e11  bfi     lr, r4, #0, #18
  b0: 2400       movs    r4, #0
  b2: f6cf 74fc  movt    r4, #65532      ; 0xfffc
  b6: f504 347c  add.w   r4, r4, #258048 ; 0x3f000
  ba: fb0c e404  mla     r4, ip, r4, lr
  be: f044 0c01  orr.w   ip, r4, #1
  c2: b002       add     sp, #8
  c4: e8bd 40d0  ldmia.w sp!, {r4, r6, r7, lr}
  c8: 4760       bx      ip
  ca: bf00       nop
  cc: 00000048   andeq   r0, r0, r8, asr #32
  cc: R_ARM_REL32 _ZL19shadow_base_storage

Note that the address is computed in $ip instead of $r4.
To reproduce, build the attached source with the following command:

  $ clang++ -c -mthumb -O2 -target armv7a-linux-androideabi -o libdl_cfi.o libdl_cfi.ii

Note that this doesn't reproduce without -mthumb.</pre>
</div>
</p>
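<p>The defect the report describes has a mechanical signature in the objdump output: the register holding the computed branch target is reloaded by the epilogue's <code>ldmia.w sp!, {...}</code> before the <code>bx</code> that consumes it. The following Python is an added example written for this page; it is not code from the bug report, from LLVM or from bionic. It parses the two Thumb-2 listings quoted above (copied here as constructed sample input) and flags any <code>bx</code>/<code>blx</code> whose target register was most recently written by a <code>pop</code> or <code>ldm</code>-family stack restore. The check is a heuristic for this epilogue shape only: it tracks register writes linearly, assumes the first operand is the destination for ordinary data-processing instructions, and does not follow control flow.</p>

```python
import re

# Constructed sample input: the two Thumb-2 epilogue listings quoted in the
# report (with f5df5cd5586 applied, and with it reverted), copied as text.
TAIL_WITH_COMMIT = """\
a8: b002 add sp, #8
aa: bdd0 pop {r4, r6, r7, pc}
ac: 2400 movs r4, #0
ae: f6cf 74fc movt r4, #65532 ; 0xfffc
b2: f504 3e7c add.w lr, r4, #258048 ; 0x3f000
b6: 4614 mov r4, r2
b8: f36f 0411 bfc r4, #0, #18
bc: fb0c 440e mla r4, ip, lr, r4
c0: f504 2484 add.w r4, r4, #270336 ; 0x42000
c4: 3401 adds r4, #1
c6: b002 add sp, #8
c8: e8bd 40d0 ldmia.w sp!, {r4, r6, r7, lr}
cc: 4720 bx r4
ce: bf00 nop
d0: 00000044 andeq r0, r0, r4, asr #32
"""

TAIL_REVERTED = """\
a0: b002 add sp, #8
a2: bdd0 pop {r4, r6, r7, pc}
a4: f502 2e80 add.w lr, r2, #262144 ; 0x40000
a8: f44f 5400 mov.w r4, #8192 ; 0x2000
ac: f364 0e11 bfi lr, r4, #0, #18
b0: 2400 movs r4, #0
b2: f6cf 74fc movt r4, #65532 ; 0xfffc
b6: f504 347c add.w r4, r4, #258048 ; 0x3f000
ba: fb0c e404 mla r4, ip, r4, lr
be: f044 0c01 orr.w ip, r4, #1
c2: b002 add sp, #8
c4: e8bd 40d0 ldmia.w sp!, {r4, r6, r7, lr}
c8: 4760 bx ip
ca: bf00 nop
cc: 00000048 andeq r0, r0, r8, asr #32
cc: R_ARM_REL32 _ZL19shadow_base_storage
"""

# objdump-style line: "<addr>: <encoding words> <mnemonic> [operands] [; comment]"
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{4,8}\s+)+(\S+)\s*(.*?)\s*$")
REGLIST_RE = re.compile(r"\{([^}]*)\}")


def parse_listing(disasm):
    """Return (addr, mnemonic, operands) per instruction; relocation lines are skipped."""
    insns = []
    for raw in disasm.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        addr, mnem, rest = m.groups()
        operands = rest.split(";", 1)[0].strip()  # drop the "; 0x..." comment
        insns.append((addr, mnem.lower(), operands))
    return insns


def is_stack_restore(mnem):
    """pop and the ldm family reload registers from the stack."""
    return mnem == "pop" or mnem.startswith("ldm")


def written_regs(mnem, operands):
    """Registers the instruction writes (approximation: register-list loads write
    every listed register; branches, stores and compares write nothing; anything
    else writes its first operand, which holds for the mov/add/bfc/bfi/mla/orr forms here)."""
    if is_stack_restore(mnem):
        m = REGLIST_RE.search(operands)
        return [r.strip() for r in m.group(1).split(",")] if m else []
    if mnem in ("b", "bl", "bx", "blx", "nop", "push") or mnem.startswith(("cmp", "tst", "str", "b.")):
        return []
    dest = operands.split(",")[0].strip()
    return [dest] if dest else []


def find_clobbered_branch_targets(disasm):
    """Return (bx_addr, reg, restore_addr) for every indirect branch whose target
    register was most recently written by a stack restore, i.e. the computed
    address was overwritten by the epilogue before the branch used it."""
    findings = []
    last_writer = {}  # reg -> (addr, mnemonic) of the most recent write
    for addr, mnem, operands in parse_listing(disasm):
        if mnem in ("bx", "blx"):
            target = operands.strip()
            w = last_writer.get(target)
            if w and is_stack_restore(w[1]):
                findings.append((addr, target, w[0]))
        for reg in written_regs(mnem, operands):
            last_writer[reg] = (addr, mnem)
    return findings


if __name__ == "__main__":
    for name, text in (("with f5df5cd5586", TAIL_WITH_COMMIT), ("reverted", TAIL_REVERTED)):
        hits = find_clobbered_branch_targets(text)
        for bx_addr, reg, restore_addr in hits:
            print(f"{name}: bx {reg} at {bx_addr} uses {reg} reloaded from the stack at {restore_addr}")
        if not hits:
            print(f"{name}: no branch through a stack-restored register")
```

<p>On the first listing the check reports the <code>bx r4</code> at <code>cc</code> as using <code>r4</code> reloaded at <code>c8</code>; on the reverted listing it reports nothing, because the target lives in <code>ip</code>, which the <code>ldmia.w</code> does not touch. A hit is a prompt to inspect the function, not a verdict: the walk is linear, so code reached only by a branch around the restore would need the control-flow graph to judge.</p>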
</body>
</html>