<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - SystemZ stack temporary overflow"
href="https://bugs.llvm.org/show_bug.cgi?id=49322">49322</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>SystemZ stack temporary overflow
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Backend: SystemZ
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>jistone@redhat.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>This bug was reduced from one of the failures in Rust #80810:
<a href="https://github.com/rust-lang/rust/issues/80810">https://github.com/rust-lang/rust/issues/80810</a>

When a large integer argument on s390x is converted to indirect, but the type
is not a multiple of 64 bits, the writes to the stack are all still in 64-bit
chunks and may clobber neighboring values on the stack.

### arg-i96.ll
target datalayout = "E-m:e-i1:8:16-i8:8:16-i64:64-f128:64-a:8:16-n32:64"
target triple = "s390x-unknown-linux-gnu"

declare hidden void @fn1(i96) unnamed_addr

define hidden i32 @fn2() unnamed_addr {
start:
  %0 = alloca i32, align 4
  store i32 -1, i32* %0, align 4
  call void @fn1(i96 0)
  %1 = load i32, i32* %0, align 4
  ret i32 %1
}

### llc -O0
        .text
        .file   "arg-i96.ll"
        .hidden fn2                     # -- Begin function fn2
        .globl  fn2
        .p2align        4
        .type   fn2,@function
fn2:                                    # @fn2
        .cfi_startproc
# %bb.0:                                # %start
        stmg    %r14, %r15, 112(%r15)
        .cfi_offset %r14, -48
        .cfi_offset %r15, -40
        aghi    %r15, -176
        .cfi_def_cfa_offset 336
        mvhi    172(%r15), -1
        mvghi   168(%r15), 0
        mvghi   160(%r15), 0
        la      %r2, 160(%r15)
        brasl   %r14, fn1@PLT
        l       %r2, 172(%r15)
        lmg     %r14, %r15, 288(%r15)
        br      %r14
.Lfunc_end0:
        .size   fn2, .Lfunc_end0-fn2
        .cfi_endproc
                                        # -- End function
        .hidden fn1
        .section        ".note.GNU-stack","",@progbits
###

In this reproducer, the 32-bit store to %0 -- mvhi 172(%r15), -1 -- is
immediately overwritten by the overflowing 64-bit store to the end of %1 --
mvghi 168(%r15), 0.

With --print-after-all, you can also see the 12-byte (96-bit) frame allocation
with two 8-byte writes.

# *** IR Dump After Finalize ISel and expand pseudo-instructions ***:
# Machine code for function fn2: IsSSA, TracksLiveness
Frame Objects:
  fi#0: size=4, align=4, at location [SP]
  fi#1: size=12, align=8, at location [SP]

bb.0.start:
  MVHI %stack.0, 0, -1 :: (store 4 into %ir.0)
  ADJCALLSTACKDOWN 0, 0
  MVGHI %stack.1, 8, 0 :: (store 8 into %stack.1)
  MVGHI %stack.1, 0, 0 :: (store 8 into %stack.1)
  %0:gr64bit = LA %stack.1, 0, $noreg
  $r2d = COPY %0:gr64bit
  CallBRASL @fn1, $r2d, &lt;regmask $f8d $f9d $f10d $f11d $f12d $f13d $f14d $f15d
  $f8q $f9q $f12q $f13q $f8s $f9s $f10s $f11s $f12s $f13s $f14s $f15s $r6d $r7d
  $r8d $r9d $r10d $r11d $r12d $r13d $r14d $r15d $r6h $r7h $r8h and 22 more...&gt;,
  implicit-def dead $r14d, implicit-def dead $cc, implicit $fpc
  ADJCALLSTACKUP 0, 0
  %1:gr32bit = L %stack.0, 0, $noreg :: (dereferenceable load 4 from %ir.0)
  $r2l = COPY %1:gr32bit
  Return implicit $r2l

# End machine code for function fn2.</pre>
</div>
</p>
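<p>The MIR dump above already contains everything needed to spot this class of bug mechanically: each frame object declares its size, and each store names the frame index, the offset and the access width. The script below is an added example (not part of the bug report or of LLVM) that parses those two kinds of lines and flags any store whose byte range runs past the end of its frame object. The dump text is the one quoted in the report, embedded inline so the check runs offline; the regular expressions are written for the MVHI/MVGHI store syntax shown here and are an assumption for other instruction forms.</p>

```python
import re

# Constructed sample: the frame-object and store lines quoted in the report.
MIR_DUMP = """\
Frame Objects:
  fi#0: size=4, align=4, at location [SP]
  fi#1: size=12, align=8, at location [SP]

bb.0.start:
  MVHI %stack.0, 0, -1 :: (store 4 into %ir.0)
  ADJCALLSTACKDOWN 0, 0
  MVGHI %stack.1, 8, 0 :: (store 8 into %stack.1)
  MVGHI %stack.1, 0, 0 :: (store 8 into %stack.1)
"""

# "fi#1: size=12, align=8" -> (index, size, align)
FRAME_RE = re.compile(r"fi#(\d+): size=(\d+), align=(\d+)")
# "MVGHI %stack.1, 8, 0 :: (store 8 into ...)" -> (index, offset, width)
# The lazy ".*?" stays on one line because "." does not match a newline.
STORE_RE = re.compile(r"%stack\.(\d+), (-?\d+),.*?\(store (\d+) ")


def parse_frame_objects(dump):
    """Map frame index -> (size in bytes, alignment)."""
    return {int(m.group(1)): (int(m.group(2)), int(m.group(3)))
            for m in FRAME_RE.finditer(dump)}


def parse_stores(dump):
    """List of (frame index, byte offset, store width) for each frame store."""
    return [(int(m.group(1)), int(m.group(2)), int(m.group(3)))
            for m in STORE_RE.finditer(dump)]


def find_overflowing_stores(dump):
    """Return (index, offset, width, object size, bytes past the end) for every
    store whose range [offset, offset+width) is not inside its frame object."""
    sizes = parse_frame_objects(dump)
    bad = []
    for idx, offset, width in parse_stores(dump):
        size, _align = sizes[idx]
        overrun = offset + width - size
        if offset < 0 or overrun > 0:
            bad.append((idx, offset, width, size, overrun))
    return bad


if __name__ == "__main__":
    for idx, offset, width, size, overrun in find_overflowing_stores(MIR_DUMP):
        print(f"fi#{idx}: store of {width} bytes at offset {offset} exceeds "
              f"{size}-byte object by {overrun} byte(s)")
```

On the report's dump the only hit is the second MVGHI: an 8-byte store at offset 8 into a 12-byte object, 4 bytes past the end, which is exactly the span that lands on fi#0 (172(%r15)) in the final assembly. Running the same check over a dump from a candidate fix gives an empty list when the i96 argument is written with a 4-byte tail store instead.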
</body>
</html>