<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/64309>64309</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Miscompilation with -fsanitize=undefined,memtag-stack
</td>
</tr>
<tr>
<th>Labels</th>
<td>
backend:AArch64,
miscompilation
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
ostannard
</td>
</tr>
</table>
<pre>
When this code is compiled with UBSan and MTE stack tagging, the generated code hits a breakpoint instruction to report a UBSan failure, despite the lack of UB in the source code:
```c
int g_12[2] = {0, 0};
int g_21 = 0;
void main() {
  g_12[1];
  int *l_73[3][7] = {{&g_21, &g_21, &g_21, &g_21, &g_21, &g_21},
                     {&g_21, &g_21, &g_21, &g_21, &g_21, &g_21},
                     {&g_21, &g_21, &g_21, &g_21, &g_21, &g_21}};
  l_73[0][2];
  for (int i = 0; i < 2; i++) {
    int **l_76[2][2];
    l_76[1][0] = &g_21;
    l_76[1][0];
  }
}
```
Generated code:
```
$ /work/llvm/build/bin/clang --target=aarch64-arm-none-eabi -march=armv8.5-a+memtag -c test.c -o file001051.o -O3 -fsanitize=memtag-stack,undefined -fsanitize-trap=undefined -o - -S
...
main: // @main
.cfi_startproc
// %bb.0: // %entry
.cfi_mte_tagged_frame
sub sp, sp, #208
.cfi_def_cfa_offset 208
.cfi_remember_state
irg x8, sp
adrp x11, g_12
add x11, x11, :lo12:g_12
addg x9, x8, #32, #1
mov x10, x9
cmn x11, #4
mov x11, #160 // =0xa0
stg x10, [x10], #16
.LBB0_1: // %entry
// =>This Inner Loop Header: Depth=1
sub x11, x11, #32
st2g x10, [x10], #32
cbnz x11, .LBB0_1
// %bb.2: // %entry
st2g x8, [x8]
b.eq .LBB0_10
// %bb.3: // %cont4
adrp x10, .L__const.main.l_73
add x10, x10, :lo12:.L__const.main.l_73
cmn x9, #17
ldp q0, q1, [x10, #128]
ldp q2, q3, [x10, #64]
stp q0, q1, [sp, #160]
ldp q1, q0, [x10, #96]
stp q2, q3, [sp, #96]
ldp q2, q3, [x10]
stp q1, q0, [sp, #128]
ldp q1, q0, [x10, #32]
stp q2, q3, [sp, #32]
ldr x11, [x10, #160]
stp q1, q0, [sp, #64]
str x11, [sp, #192]
b.hi .LBB0_10
// %bb.4: // %cont10
cmn x8, #17
//APP
//NO_APP
b.hi .LBB0_10
// %bb.5: // %cont10.split
cmn x8, #16
b.eq .LBB0_9
// %bb.6: // %for.body.preheader
mov x9, sp
mov w0, wzr
mov x8, #192 // =0xc0
stg x9, [x9], #16
.LBB0_7: // %for.body.preheader
// =>This Inner Loop Header: Depth=1
sub x8, x8, #32
st2g x9, [x9], #32
cbnz x8, .LBB0_7
// %bb.8: // %for.body.preheader
add sp, sp, #208
.cfi_def_cfa_offset 0
ret
.LBB0_9: // %for.body.us31
.cfi_restore_state
adrp x8, g_21
add x8, x8, :lo12:g_21
str x8, [sp, #16]
.LBB0_10: // %trap1
brk #0x5513
.Lfunc_end0:
...
```
The breakpoint is hit because the first branch to LBB0_10 is taken. It looks like this is trying to check that the address of g_12[1] is not null, but an MTE tag setting loop has been inserted between the check and the branch, clobbering CPSR.
This is a regression caused by:
https://github.com/llvm/llvm-project/issues/61830
https://reviews.llvm.org/D148508
</pre>