<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Coroutine miscompilation on arm64 leading to invalid memory access"
   href="https://bugs.llvm.org/show_bug.cgi?id=52501">52501</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Coroutine miscompilation on arm64 leading to invalid memory access
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>13.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>C++2a
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>ztlpn@vectorized.io
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>blitzrakete@gmail.com, erik.pilkington@gmail.com, llvm-bugs@lists.llvm.org, richard-llvm@metafoo.co.uk
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=25449" name="attach_25449" title="test case source code">attachment 25449</a> <a href="attachment.cgi?id=25449&action=edit" title="test case source code">[details]</a></span>
test case source code

Hi, the bug is best described by the (very simple) attached test case: there is
a coroutine do_run with an infinite loop containing a suspension point. The
variable val is created on the stack inside the loop. The address of this
variable is then taken, stuck into the args struct and passed to the func
function, which dereferences the pointer and returns the result. We then check
that the returned value is equal to the original value of val. The code in
main() simply resumes the coroutine a few times.

When compiled on arm64, this results in invalid memory accesses by the program
(bogus values returned from func / use-of-uninitialized-value under MSan).

I checked this with clang-13 downloaded from <a href="https://apt.llvm.org/focal/">https://apt.llvm.org/focal/</a>, although
earlier versions exhibit the same behavior.

Compilation command: clang++-13 -std=c++20 -stdlib=libc++ -fcoroutines-ts -O2
test_coro.cc

Here is the compiler explorer link (compiled with a slightly older clang):
<a href="https://godbolt.org/z/sxraMMvP5">https://godbolt.org/z/sxraMMvP5</a>

AFAICT the miscompilation is already present in the generated LLVM IR
(<a href="https://gist.github.com/ztlpn/453b1f906e5f838fa6e47434b03c65e6">https://gist.github.com/ztlpn/453b1f906e5f838fa6e47434b03c65e6</a>): the args
struct is placed into the coroutine frame and args.value_ is incorrectly
initialized with a pointer to memory allocated in the stack frame of the
coroutine entry function (lines 27, 38). By contrast, if I compile on x86_64,
memory for val is correctly allocated in the stack frame of the coroutine
resume function and the program doesn't crash.</pre>
        </div>
      </p>


    </body>
</html>