<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/61114>61114</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [BOLT] Instrumentation clobbers used stack slot
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            BOLT
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          nikic
      </td>
    </tr>
</table>

<pre>
When instrumenting a PGO-optimized libLLVM.so, the instrumented binary crashes in `_ZNK4llvm4Loop18isLoopSimplifyFormEv`. See https://gist.github.com/nikic/e695bd62d1dd40e506f6365b935d417c for the instrumented and uninstrumented assembly of the function.

The problem is that the value spilled by `mov    %r8,-0x10(%rsp)` is later clobbered by the pushes in the instrumentation sequence:
```
   0x00000000075873d9 <+975>:     push   %rax
   0x00000000075873da <+976>:     mov    $0x0,%eax
   0x00000000075873df <+981>:     lahf
   0x00000000075873e0 <+982>:     push   %rax
   0x00000000075873e1 <+983>:     mov    $0x0,%eax
   0x00000000075873e6 <+988>:     seto   %al
   0x00000000075873e9 <+991>:     lock incq 0x57fa3d7(%rip)        # 0xcd817c8
   0x00000000075873f1 <+999>:     add    $0x7f,%al
   0x00000000075873f4 <+1002>:    pop    %rax
   0x00000000075873f5 <+1003>:    sahf
   0x00000000075873f6 <+1004>:    pop    %rax
```
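The clobber above is an offset calculation: on SysV x86-64 a leaf function may keep data in the 128-byte red zone below `%rsp` without moving the stack pointer, and every `push` writes the 8 bytes just below the current `%rsp`. Two pushes therefore cover `-0x10(%rsp)` up to `%rsp`, which is exactly the spilled slot. The checker below is an added example, not part of this issue, of the gist, or of BOLT: it parses gdb-style disassembly, records red-zone spill slots (stores to negative `%rsp` offsets), follows `push`/`pop`/`call`/`lea`/`sub`/`add` adjustments of `%rsp`, and flags any push or call that overlaps a slot that has not been reloaded yet. The spill and reload lines framing the quoted sequence in `SAMPLE` are constructed, and `SAMPLE_PADDED` is a constructed variant in which a hypothetical `lea -0x80(%rsp),%rsp` skips the red zone before the pushes; `Clobber`, `parse` and `find_red_zone_clobbers` are names chosen here.

```python
import re
from dataclasses import dataclass

RED_ZONE = 128  # bytes below %rsp a SysV x86-64 leaf function may use without moving %rsp

# gdb-style disassembly line: "<address> <+offset>: mnemonic operands"
LINE_RE = re.compile(r'^\s*0x[0-9a-f]+\s+<\+(\d+)>:\s+(\S+)\s*(.*)$')
# an %rsp-relative memory operand such as -0x10(%rsp)
RSP_MEM_RE = re.compile(r'(-?0x[0-9a-f]+)\(%rsp\)')

# Constructed sample: first and last lines (the spill and its reload) are assumed
# framing added here; the eleven lines between them are the sequence from the report.
SAMPLE = """\
   0x00000000075873d4 <+970>:     mov    %r8,-0x10(%rsp)
   0x00000000075873d9 <+975>:     push   %rax
   0x00000000075873da <+976>:     mov    $0x0,%eax
   0x00000000075873df <+981>:     lahf
   0x00000000075873e0 <+982>:     push   %rax
   0x00000000075873e1 <+983>:     mov    $0x0,%eax
   0x00000000075873e6 <+988>:     seto   %al
   0x00000000075873e9 <+991>:     lock incq 0x57fa3d7(%rip)        # 0xcd817c8
   0x00000000075873f1 <+999>:     add    $0x7f,%al
   0x00000000075873f4 <+1002>:    pop    %rax
   0x00000000075873f5 <+1003>:    sahf
   0x00000000075873f6 <+1004>:    pop    %rax
   0x00000000075873f7 <+1005>:    mov    -0x10(%rsp),%r8
"""

# Constructed variant (hypothetical fix, not BOLT's code): the pushes are bracketed by
# lea instructions that move %rsp past the red zone, so the spill slot survives.
SAMPLE_PADDED = """\
   0x0000000000401000 <+0>:       mov    %r8,-0x10(%rsp)
   0x0000000000401005 <+5>:       lea    -0x80(%rsp),%rsp
   0x000000000040100a <+10>:      push   %rax
   0x000000000040100b <+11>:      lahf
   0x000000000040100c <+12>:      push   %rax
   0x000000000040100d <+13>:      seto   %al
   0x0000000000401010 <+16>:      lock incq 0x1000(%rip)
   0x0000000000401017 <+23>:      add    $0x7f,%al
   0x0000000000401019 <+25>:      pop    %rax
   0x000000000040101a <+26>:      sahf
   0x000000000040101b <+27>:      pop    %rax
   0x000000000040101c <+28>:      lea    0x80(%rsp),%rsp
   0x0000000000401021 <+33>:      mov    -0x10(%rsp),%r8
"""


@dataclass
class Clobber:
    func_off: int  # <+N> of the instruction that overwrote the slot
    insn: str      # that instruction, as text
    slot: int      # slot offset, negative, relative to %rsp at spill time


def parse(text):
    """Yield (func_off, mnemonic, operands) per disassembly line; gdb's '# ...' comments are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).split('#')[0].strip()


def find_red_zone_clobbers(disasm):
    """Return a Clobber for every push/call that overwrites a live red-zone spill slot."""
    live = {}       # slot offset -> func_off of the store that made it live
    rsp_delta = 0   # bytes %rsp has moved since the spill frame (negative = grown down)
    found = []
    for off, mnem, ops in parse(disasm):
        mem = RSP_MEM_RE.search(ops)
        parts = ops.split(',', 1)
        if mnem.startswith('mov') and mem and rsp_delta == 0 and len(parts) == 2:
            disp = int(mem.group(1), 16)
            if -RED_ZONE <= disp < 0:            # the access is inside the red zone
                if parts[1].strip() == mem.group(0):
                    live[disp] = off             # AT&T: memory as destination = store
                else:
                    live.pop(disp, None)         # memory as source = reload, slot consumed
        elif mnem == 'push' or mnem.startswith('call'):
            rsp_delta -= 8
            lo, hi = rsp_delta, rsp_delta + 8    # the 8 bytes this push writes
            for slot in list(live):
                if slot < hi and slot + 8 > lo:  # 8-byte slot overlaps the written range
                    found.append(Clobber(off, f'{mnem} {ops}'.strip(), slot))
                    del live[slot]
        elif mnem in ('pop', 'ret'):
            rsp_delta += 8
        elif mnem == 'lea' and mem and ops.endswith(',%rsp'):
            rsp_delta += int(mem.group(1), 16)   # lea N(%rsp),%rsp moves the pointer by N
        elif mnem.rstrip('q') in ('sub', 'add') and ops.endswith(',%rsp'):
            imm = int(parts[0].lstrip('$'), 16)
            rsp_delta += imm if mnem.startswith('add') else -imm
    return found


def main():
    for name, text in (('report sequence', SAMPLE), ('padded variant', SAMPLE_PADDED)):
        hits = find_red_zone_clobbers(text)
        print(f'{name}: {len(hits)} clobber(s)')
        for h in hits:
            print(f'  <+{h.func_off}> {h.insn} overwrites slot {h.slot:#x}(%rsp)')


if __name__ == '__main__':
    main()
```

Run against the report sequence the checker flags the second `push %rax` at `<+982>` as overwriting the slot at `-0x10(%rsp)`; the first push only covers `-0x8(%rsp)` and is reported clean, which matches the arithmetic in the issue. The padded variant yields no finding because the pushes land 128 bytes further down. The checker only understands `%rsp`-relative addressing and treats every spill as 8 bytes wide, which is enough to review instrumentation sequences like the one above but not a substitute for BOLT's own liveness analysis.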

I've uploaded the libLLVM.so in question here: https://drive.google.com/file/d/1lAbqukTx7b1aPasrR7rP-p2nsoRQSgUa/view?usp=sharing

I've also included an `opt` binary and a test case which make it possible to test the instrumented/uninstrumented libraries as follows:

```
# Runs fine
LD_LIBRARY_PATH=$PWD valgrind ./opt -S -passes=simple-loop-unswitch < test.ll

# Instrument
mv libLLVM-16-rust-1.69.0-nightly.so libLLVM-16-rust-1.69.0-nightly.so.orig
llvm-bolt -instrument libLLVM-16-rust-1.69.0-nightly.so.orig -o libLLVM-16-rust-1.69.0-nightly.so --instrumentation-file-append-pid

# Produces "Conditional jump or move depends on uninitialised value(s)"
LD_LIBRARY_PATH=$PWD valgrind ./opt -S -passes=simple-loop-unswitch < test.ll
```
</pre>