<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/55844>55844</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
clang-cl emits movaps with incorrectly-aligned argument when compiling with optimizations
</td>
</tr>
<tr>
<th>Labels</th>
<td>
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
ts826848
</td>
</tr>
</table>
<pre>
This program crashes when compiled by clang-cl with optimizations for Windows (preprocessed versions attached as [minimal-crash.cpp.i.txt](https://github.com/llvm/llvm-project/files/8827962/minimal-crash.cpp.i.txt). Uncomment the commented lines for an "interactive" version that lets you attach a debugger first):
```cpp
// #include <iostream>
// #include <string>
#include <vector>
int main() {
// std::string s;
// std::getline(std::cin, s);
try {
throw std::vector<double>{};
} catch (std::vector<double> errors) {
throw errors;
}
}
```
I think this is conforming (albeit somewhat unusual) C++, so a crash is unexpected. Visual Studio shows the following when debugging the crash (from the interactive version of the crashing program):
Exception thrown at 0x00007FF7982110BE in crash.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.
But I think the actual cause may be an unaligned argument for a `movaps` instruction.
----
The following script was used to preprocess the program, compile the preprocessed source, and run the crashing executable:
```shell
#!/bin/sh
set -e
mkdir -p build
rm -f crash.cpp.i build/crash.cpp.obj build/crash.exe build/crash.pdb
"C:\\PROGRA~1\\MIB055~1\\2022\\COMMUN~1\\VC\\Tools\\Llvm\\x64\\bin\\clang-cl.exe" \
-cc1 \
-E \
-internal-isystem "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Tools\\MSVC\\14.32.31326\\include" \
-internal-isystem "C:\\Program Files (x86)\\Windows Kits\\10\\include\\10.0.20348.0\\ucrt" \
-fms-extensions \
-o crash.cpp.i \
crash.cpp
"C:\\PROGRA~1\\MIB055~1\\2022\\COMMUN~1\\VC\\Tools\\Llvm\\x64\\bin\\clang-cl.exe" \
-cc1 \
-emit-obj \
--dependent-lib=msvcrt \
-fcxx-exceptions \
-fexceptions \
-fdiagnostics-format msvc \
-gno-column-info \
-gcodeview \
-debug-info-kind=constructor \
-O1 \
-fms-extensions \
-fms-compatibility-version=19.32.31329 \
-std=c++14 \
-vectorize-slp \
-mllvm \
-opt-bisect-limit=8750 \
-o "build/crash.cpp.obj" \
-x c++ \
crash.cpp.i
# Required for crash: -fexceptions, -O1, -vectorize-slp
# For crash with minimal example program: -opt-bisect-limit=2097
# For crash with interactive example program: -opt-bisect-limit=8750
# Program will not crash with -opt-bisect-limit 1 lower
"C:\PROGRA~1\MIB055~1\2022\COMMUN~1\VC\Tools\Llvm\x64\bin\lld-link.exe" \
build/crash.cpp.obj \
-out:build/crash.exe \
-pdb:build/crash.pdb \
-machine:x64 \
-debug \
-libpath:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.20348.0\um\x64" \
-libpath:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.20348.0\ucrt\x64" \
-libpath:"C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.32.31326\lib\x64"
./build/crash.exe
```
Here's a slice of the bisect output near where passes started being skipped:
```
BISECT: running pass (2092) LoopLoadEliminationPass on main
BISECT: running pass (2093) InstCombinePass on main
BISECT: running pass (2094) SimplifyCFGPass on main
BISECT: running pass (2095) SLPVectorizerPass on main
BISECT: running pass (2096) VectorCombinePass on main
BISECT: running pass (2097) InstCombinePass on main
BISECT: NOT running pass (2098) LoopUnrollPass on main
BISECT: NOT running pass (2099) WarnMissedTransformationsPass on main
BISECT: NOT running pass (2100) InstCombinePass on main
BISECT: NOT running pass (2101) LoopSimplifyPass on main
BISECT: NOT running pass (2102) LCSSAPass on main
```
This script was run on an MSYS2 terminal on Windows 10 21H2, using Clang 13.0.1, the MSVC v143 latest tools, and the Windows 10 SDK 10.0.20348.0 from Visual Studio 2022 17.2.1. MSYS2 is probably not necessary, though; just need to translate the arguments to a format powershell/cmd would accept.
Clang 14.0.0 version 1:14.0-55~exp2 from Ubuntu 22.04 using the same MSVC tools and Windows SDK through [WinMsvc.cmake](https://github.com/llvm/llvm-project/blob/main/llvm/cmake/platforms/WinMsvc.cmake) also produces a crashing executable when built using a `CMAKE_BUILD_TYPE` of `Release`, `RelWithDebInfo`, or `MinSizeRel`. I didn't grab the precise command line invocation, though I suspect it would be similar.
Building the program using MSVC (with the above tool and Windows SDK versions) produces a program that does not crash. A version of the program built natively for macOS (Apple Clang 12.0.0, Clang 14.0.0, and GCC 11.3.0 on macOS 10.15.7) does not crash, either.
ASan, UBSan, `-Weverything`, and clang-tidy yielded no relevant errors, so if it's something obvious it wasn't caught by those. In addition, changing `throw errors` to `throw` or removing the surrounding `try`/`catch` entirely result in the program no longer crashing.
Here is disassembly output from the Visual Studio debugger, working on an "interactive" version of the executable:
```
try {
throw std::vector<double>{};
00007FF7B3FD1070 xorps xmm0,xmm0 ; Breakpoint on throw expression stops here
00007FF7B3FD1073 movaps xmmword ptr [rbp-60h],xmm0
00007FF7B3FD1077 mov qword ptr [rbp-50h],0
00007FF7B3FD107F lea rdx,[_TI1?AV?$vector@NV?$allocator@N@std@@@std@@ (07FF7B3FD5348h)]
00007FF7B3FD1086 lea rcx,[rbp-60h]
00007FF7B3FD108A call _CxxThrowException (07FF7B3FD2E80h)
00007FF7B3FD108F jmp main+91h (07FF7B3FD1091h)
00007FF7B3FD1091 int 3
00007FF7B3FD1092 nop word ptr cs:[rax+rax]
00007FF7B3FD109C nop dword ptr [rax]
00007FF7B3FD10A0 mov qword ptr [rsp+10h],rdx ; Control resumes here after the call to _CxxThrowException
00007FF7B3FD10A5 push rbp
00007FF7B3FD10A6 push rsi
00007FF7B3FD10A7 sub rsp,28h
00007FF7B3FD10AB lea rbp,[rdx+80h]
} catch (std::vector<double> errors) {
throw errors;
00007FF7B3FD10B2 mov rax,qword ptr [rbp+18h]
00007FF7B3FD10B6 mov qword ptr [rbp+18h],0
00007FF7B3FD10BE movaps xmm0,xmmword ptr [errors] ; Access violation here. errors is rbp+8
```
Register values immediately before executing the crashing instruction:
```
XMM0 | 0000000000003F6E-0000000000000000
RAX | 0000000000000000
RDX | 000000463F8FFD80
RBP | 000000463F8FFE00
```
Since `errors` is `rbp+8`, the faulting address given by Visual Studio (`0xFFFFFFFFFFFFFFFF`) seems nonsensical. The only explanation I can come up with is that this is how a crash due to an insufficiently-aligned argument is reported, as `movaps` needs to be aligned to 16 bytes, but `errors` is located at `rbp+8`, which is aligned to 8 bytes (I think?).
If `rbp` is being used as the frame pointer, I think it's guaranteed to be aligned to 16 bytes under these circumstances. Microsoft states [^0]:
> The stack will always be maintained 16-byte aligned, except within the prolog (for example, after the return address is pushed), and except where indicated in [Function Types](https://docs.microsoft.com/en-us/cpp/build/stack-usage?view=msvc-170#function-types=) for a certain class of frame functions.
And under Function Types:
> If a frame function does not call another function then it is not required to align the stack (referenced in Section Stack Allocation).
Since there's an otherwise-upcoming call to `_CxxThrowException`, and I don't think this is part of the function prologue, I think the stack is required to be aligned here, so unless `rbp` is being used as a free register I think it is guaranteed to be aligned to 16 bytes, so a `movaps` from `rbp+8` would be guaranteed to crash.
[^0]: https://docs.microsoft.com/en-us/cpp/build/stack-usage?view=msvc-170
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJzVWlt32rgW_jXJixZetrk_5IFLmMmaZtpV0nbmqUvYAtTYlseSCcyvP9-WbLCBZNqeMw-HRQLWZWvfb2Kl4sPd01ZqlhdqU_CURQXXW6HZy1ZkLFJpLhMRs9WBRQnPNp0oYS_SbJnKjUzl39xIlWm2VgX7IrNYvWh2E47yQgBcJLTG1p0otF3EjeHRFiMci_rTVGYy5UnHHuhFee5Jz-zNTX8OCFtjcn3TndyEC7w3OLFcecAGD0myqz86OOWbiAwe10BT43M0CofjQYhvr8EPxx77lAFWKjLDzFaw6jswS2QmHDU8AyGhxGjBIyN3Ak81KdjEDUuE0eygyoouxlksVuVmIwq2loWmg4gAf37j1_8HvnsDmWrEkoeTujKLkjIW7KY7k0qbQvD0pnv_xiqskdmmsaY5uQNTVHGcBBks5TIDY4EVuxlO3ThjFWhtYsK1O3FQGVj_6pKNMMQmwDoORQR6hl1E8nGjKQ7NozCwLdTLCVCN5CxW5SoRhC1WD-fNs4dzFnED7jaPu9zIRFGoQp8RV59YTbbAVlw7fqlF05TXA_bL7Jn-a4Z3pDKoRkoMAjo8WQlpmFapeCF9KLNSlzwhHGY34dS-wRMFxbAqSBDKTOxzYC9ij32WtJwtTRlLxfSWbIe0ca2SRL3QIdYEnVLRo1VVCwmnrwuV2pGGih71U61Pi2lnZduXGkk8ut9HIjdOrcGtDPrM_L2P13CxGI5HYRD403uc4-B5Yg-OT7Bk5ttXn54mEVk720mVWJfAoMAxHZ2oyA34-8XZy2tiMi0NO_FbMFBE3Il4qQV098BWgmyyzHgiNxk5kWJTWgu21sogulTtOJzGwAeu0OMyonNbh3Twaj4_tdito0Lmhr3APZXkuIxiJ0dmkTrycVZ7xmq44e60KotI0BKexawos7YowL2oNNyq7XXnAO-bJEejvgkDWN-KDGyht25YC8M6ork5fY5lwTo5W5Uyid1YkbLOmjW8XzUZLk5javXtbBT4nY3k8aqFZxjOCPX-DO8PH9__8hFWdB-458eHqd_vn55DPwzdt9n7x8dPv59mPs_c55NSiXZf35Fjt9_2g577QnTbL3XwsdoHT0yjFVLjThQF7YH79qM1EShOR-qDNiJlbRqqwLewEcSRIaNCabU2bSO9oAlxo8ykObxK0uOyHgx6Xjf0ukE3HLiByltfEPMDyJIf2I8GZNZ2so7Av0lTnR_47cOqQc_3Qr_bG3nVdBkV5gKRdao7Ym9E5qJ3a0619Ko5dRz_f9MZkUrTIXtojXZikYsshp_pJHJ1052negdmnXEq2u_BqsqNnrFq_epELPkmQ6yXke5QXIHfJejtVVjRiVRSphk0Y63OJiMVi50UL-1hGzLs8s4zVAJYI3I5jwhf2Vr6Pvh-odMcuT3485VMoPadKt7ggGBcq_e4vckG7XnkAmLQa0-6QC7_Fh2d5O2plPK7M6XLTWclNfZAFpAW4I6Gff9cMyHqq47uQgX2rELrugJ7sq3CXfZR_FXKAj6eQo5dR6GvKWFy--Cp_WgRdwKyqPe6PLrKUhEXeJonpxBDgK8QHPrj4auwmqnAd8IjBp7g1d7lRSYJy5RpAr_YzQIE9xdRXDf0lpW3TLyy75Zxf26adWXTzqCdNSdJjEOz52umfD2qtZWiBK2Ty0DXWkRx7nwRxs7UEpk-Jb_dCdC7YnXtIbgMWMvW1jFHxrzqwc_ct_Xd7-B0Ljx2WbPnXKP_rfMoPPzkiW9G01oVGnG0pQlV-GzHzsSi6JBp6p5HedK5iN_I7n8VBXRpiLqU6URGos6anY4z6EyOnDQTvKBEvIApcSR4GvULL6hWRPZPSeOzzHMRv5bMVcntw_J-9kQ2iHwwsxk5YJEwYM8hVQzvlMrfKR7fk2llNmP-QEuQONvC7Z_BdAnMA9w8uAmjET-4vUfblxI-Q64Ps8UvP7i9b7e_-_C5dnrFDwIgnWRu988RMPwB-n9__3QNxKiWxKesQFXwExDGBOELL7JHScXAU8Ez7UI7RYcfBhj4_n9LVeAHNVW1dH8ChtPR2XI5udx81bhsS6lRUFEdhF2o4B6Xfy5DhkBFep7QYO2HAp-Fwa8hBc9SEwIzSuBY0IUzsiGVrJNcAtsFvS5DoSm0QZVGvqIqt2hFA9xy_htr-jJmq-Z24U0-iAVDL_QCj1XYuXbYClXawYbBTFBxx4uDw0KVG3i8KftWappzpaIhWRNOrnytqlNNU5xV6V1O8dLVd_BRacxeVJmglI0of2hVqhXpPeDuH8v6ABKioY6NpWKfh46gT6syMyULQ8_vVawjHDRPK35ZHlkG1cwhzlC5D0qoF4fhR6SeXpTyZ_GTHbhVolbUdrN9pnqNAxgucnCGmEAtuvZhUCyeaCq1VVyCzXW7pF0su14IuXdTUWhL_tnj5Lf7r9NPD-_mX5_-_HBPxT_cOD4-ikRwLUgtITM38AVEzMXqAYlxNU7p8MB_lNkSLgsr8OCxBxbLGDQMDUMcW9UlfoS4YFuFxEfqgCHf2lXdjZNeYLcuNfV4GFIkJ98VZAG3nvDirOWBYFULq26_OuKs1CAEm3lZfVopJHUkxwsx1v1V4mSDiTVA26uMFcaOCZ3HJuetonq14zAFoJ2A8lOii5Tn_ZKQmeSUUFaaGZJmEtlNTa3N8JfZjAWBB8N1roIAwA6Dvme9dBsb2iRAp2hzZ7Lklq2fptUXyKbzRQDvA3WJNpUE6ThX6BkZH9hBiiSGQWaKFdCAHc_MsTdom3FyDbnYsE-NOwuJqdVOqlJbgXHtJB9xCNNQ3xty1QJaAe8Vx7KWdrTFmbYTOPBbXUZoIEy-HrUKWQCXVO2OdlliZZnF9W64FaJlQY1h6nXSHrgOVBqQQCF0CYnIrCUmkJeojFrNta1456kNObFYaspZUvJjVT5z7Bu2vWDduibSXlTxbNmSvd0Fr1Tnnzta_7OGcN2UnHYX88Af-oztVZFr5l77NCWVoA_2-osc97QQ_DlX1Bav254gAzauLWHaKAClnO_qsV3GXKvxeCw4FrPcUG09LVZ5Z-BvrRO1uFyFMbQwjkj9dQ6hX0O4vn3BGNzbcXsR77EUW78-PSBILCaf8e8m7FUM7fm_VwM8sf1YN4Y_Yn3Pd-_jd7L142F9BM6trRfm1zAZDc4wiSpMGmy4tg3ij4BMve3rbL9_IjGcmtFNJML7kW-RuAYKvPiW5kcMXPyZjoNtC0TgY-QVEOOAUe18BNG9uihkMLvTOUeJRTZKgmIO0u3_6zSPZ20AcUvmr26b-G-pis6prVIrC_TgQtdnKjPIZq0jSYVTa8bXsGjXmCYpwGFdSuAqMn3G8lJvj-Je5VeXDc6WaXl1GaxAl6uT8hA1M6QeVxdPzzRtlVeaRso_HTV07V-6N2rjMw3bcrHin50bMkln9JoVTAdve4HT5lf8wPT-whVVHrAJqSKjPz_TjIs7G1INr6KawodDYfRGmv9RbKQmVdrxpIRyyTQVsUQSnNCFDbKHOjy07q_ooXFF83bY-OPxER5pOGN-49VdDO47_tmrQmnyB7tY35iet6Z7g-5itFjMR_X09MOV6ft691UmLGUWCYrkpwwAzMNHzT-Xqdi7PY5gbrPXOKZowzaIqRllGe1wTBe1A__yysyCGjMtREoZVKapUQsT9hhdZakMbEccQzrkBPoAI7CX-IKVedUj1C4jrO80t9Dz-oIyLoUtVzKSTrley0giD0kOnYs7N1IOkSvqg9gkTLfv36gmspUPXdpVe_EUDECpETYVWyEXOWeZjU10jLnk3stWRhb7BryRA0fcqq4ObZQbt3Khh3UNzB3i2jb2go9XF64FFUo2HXAJUH0PWSWKm5KjtjNVnXedJIZ8znlUKhJkEZWpNhx6oT126n9hyOLbn970730y7DPVh0ciQWJd9Oy6sDx54QfC2gY2gz8cHAw6dGqNiM2grdu2Mj7liomyN9WUxVf9YCuto_MvhCmL7KiMVPbCaxPAcZ1b13Bt2EDVIZ2IcAaoWJSZtWD2dMip1XdZN8Yq0l5aM6CqH0XWKakQpFuiU8_OEo0JvoFnXtCtRnXd0gmGUIHuujqsY-xh3TlZgrv8jURBnKFCgLoT60qk9Q7dLixAlZPWGfqXsoDu8DNYjeKFIifHty394qOeNlSnSmshtKiorwzIrkhargKw8gWzCrEGX6EmlqNL4WAs7fQkSY7VZVulncMx22MDE7k4Pb2gQu2UOZhMKl5Hduj9leB-qp5Q7ipX87R_7ZDzwtQ5_pE8p1SlaJrJiSLrFk4EN0zF4WorsDJLSNneMEriuSDtrILLyR5p7feY4_GXFy23ZGuflmc5FehtqK5MbqlD02bZv6Pkt_FdNx53x_zWSJOIu-MvruhuUteRvrrqiVRRQF-ueefGT7fsz0gufq91WxbJ3Q83eKTWpf2NVb8_6vVut3ci8sPeOOLhOh7G6zAcihC5dJ9Haz7qRlH3NuErkeg7y7v5rbyjXps_wL8wGIaBN1wH3ViseSiGfBSuu6g9BLxc4tHBnio2t8WdxQG1qcZkAnXQp0nYOhEuavi8RKle3Bk9Cgej3ujW4ntnkf0P_irQqw">