<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - ARC optimization reorders the pair of retain and release"
href="https://bugs.llvm.org/show_bug.cgi?id=49078">49078</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ARC optimization reorders the pair of retain and release
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Macintosh
</td>
</tr>
<tr>
<th>OS</th>
<td>MacOS X
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>kyulee.llvm@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>htmldeveloper@gmail.com, llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=24492" name="attach_24492" title="This is the zip file including a build script and input files">attachment 24492</a> <a href="attachment.cgi?id=24492&action=edit" title="This is the zip file including a build script and input files">[details]</a></span>
This is the zip file including a build script and input files
Sorry about the large repro.zip. I was not sure how to cut it down due to some
interactions with inlining.
To repro, unzip it and run `repro.sh` on OSX. This repros with `Apple clang
version 12.0.0 (Clang 10)`, but it appears the same behavior is observed in the
current upstream Clang.
This is the problematic assembly from the repro and my comments with the arrow.
```
___ZN16StructuredLogger44ios_feed_privacy_invalidation_polling_funnelIZ67-[FBNewsFeedPrivacyInvalidationPollingCoordinator
initWithSession:]E3$_1EEvRNSt3__110shared_ptrI18FBStructuredLoggerEEOT_26FBStructuredLogEventConfig_block_invoke:
…
Lloh331:
ldr x1, [x8, _OBJC_SELECTOR_REFERENCES_.206@PAGEOFF]
add x2, sp, #24 ; =24
add x3, sp, #8 ; =8
mov w4, #2
bl _objc_msgSend
; InlineAsm Start
mov x29, x29 ; marker for objc_retainAutoreleaseReturnValue
; InlineAsm End
bl _objc_retainAutoreleasedReturnValue
mov x21, x0
bl _objc_release ; <-- Release a temporary dictionary object
passed in `setExtras`)
mov x0, x21
bl _objc_retain. ; <-- Crash on retaining on the object that has
been released above!!
...
```
Looking at ObjC ARC optimization in a Clang pass, it appears the pair of
retain/release are moved (or switched).
Here is the relevant source where a temporary dictionary is passed to
`setExtras`.
```
logger, [&] {
return
StructuredLogger::IosFeedPrivacyInvalidationPollingFunnelEventBuilder()
.setEvent(StructuredLogger::IosfeedprivacyinvalidationpollingfunneleventEnum::SL_ENUM_INVALIDATION_POLLING_COORDINATOR_INIT)
.setExtras(
@{
@"edge_check_time_seconds" : @(_edgeCheckTimeSeconds),
@"edge_polling_interval_seconds" : @(_edgePollingIntervalSeconds)
}
)
.build();
}
```
The above assembly is actually was inlined from
```
_ZZ67-[FBNewsFeedPrivacyInvalidationPollingCoordinator
initWithSession:]ENK3$_1clEv_ZZ67-[FBNewsFeedPrivacyInvalidationPollingCoordinator
initWithSession:]ENK3$_1clEv
```
which was inlined from
```
_ZN16StructuredLogger52_IosFeedPrivacyInvalidationPollingFunnelEventBuilderILy1EE9setExtrasIvvEERDaP12NSDictionaryIP8NSStringS6_E_ZN16StructuredLogger52_IosFeedPrivacyInvalidationPollingFunnelEventBuilderILy1EE9setExtrasIvvEERDaP12NSDictionaryIP8NSStringS6_E
```</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>