<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/69738>69738</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            assertion failure when KMSAN instruments a varargs function for aarch64
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          markjdb
      </td>
    </tr>
</table>

<pre>
    ```
$ cat varargs.c 
#include <stdarg.h>

/*
 * Minimal reproducer: a variadic function that only starts and ends its
 * va_list without reading any argument.  Compiling this file with
 * -fsanitize=kernel-memory for aarch64 trips the assertion shown below.
 */
void
func(int count, ...)
{
        va_list ap;

        /* Nothing is read from ap; the va_start/va_end pair alone triggers it. */
        va_start(ap, count);
        va_end(ap);
}
$ /usr/local/llvm-devel/bin/clang -target aarch64-unknown-freebsd15.0 -fsanitize=kernel-memory -c varargs.c [25/1366]
Assertion failed: (Addr->getType()->isPointerTy()), function getShadowOriginPtrKernel, file /wrkdirs/usr/ports/devel/llvm-devel/work-default/llvm-project-07d2e90f28e36ac3c0a79d208ab74610f4b98546/llvm/lib/Transforms/Instrumentation/MemorySanitizer.cpp, line 1796.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:        
0. Program arguments: /usr/local/llvm-devel/bin/clang -target aarch64-unknown-freebsd15.0 -fsanitize=kernel-memory -c varargs.c
1. <eof> parser at end of file
2.      Optimizer   
 #0 0x000000082d21d009 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x441d009)
 #1 0x000000082d21b0b5 llvm::sys::RunSignalHandlers() (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x441b0b5)
 #2 0x000000082d15ca94 (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x435ca94)
 #3 0x000000082123b58f handle_signal /root/freebsd/lib/libthr/thread/thr_sig.c:0:3
 #4 0x000000082123ab4b thr_sighandler /root/freebsd/lib/libthr/thread/thr_sig.c:245:1
 #5 0x00000008206da2d3 ([vdso]+0x2d3)
 #6 0x000000083298eb4a thr_kill /usr/obj/root/freebsd/amd64.amd64/lib/libc/thr_kill.S:4:0
 #7 0x00000008329073b4 _raise /root/freebsd/lib/libc/gen/raise.c:0:10
 #8 0x00000008329b94c9 abort /root/freebsd/lib/libc/stdlib/abort.c:71:17
 #9 0x00000008328ea741 (/lib/libc.so.7+0x93741)
#10 0x000000082e1b5207 (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x53b5207)
#11 0x000000082e1b9ce7 (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x53b9ce7)
#12 0x000000082e1ada0d llvm::MemorySanitizerPass::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x53ada0d)
#13 0x00000008252572a2 (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x28572a2)
#14 0x000000082d3eb341 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x45eb341)
#15 0x00000008252500a5 (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x28500a5)
#16 0x0000000825247cef clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::__1::unique_ptr<llvm::raw_pwrite_stream, std::__1::default_delete<llvm::raw_pwrite_stream>>) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x2847cef)
#17 0x0000000825644613 (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x2c44613)
#18 0x0000000823f25076 clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x1525076)
#19 0x00000008261c8552 clang::FrontendAction::Execute() (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x37c8552)
#20 0x000000082614fc0d clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x374fc0d)
#21 0x000000082624de7c clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x384de7c)
#22 0x0000000000215702 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/local/llvm-devel/bin/clang+0x215702)
#23 0x0000000000212a5c (/usr/local/llvm-devel/bin/clang+0x212a5c)
#24 0x0000000825db695e (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x33b695e)
#25 0x000000082d15c7a9 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/usr/local/llvm-devel/bin/../lib/libLLVM-18git.so+0x435c7a9)
#26 0x0000000825db6299 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::__1::optional<llvm::StringRef>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, bool*) const (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x33b6299)
#27 0x0000000825d7bdbf clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x337bdbf)
#28 0x0000000825d7c0a8 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*>>&, bool) const (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x337c0a8)
#29 0x0000000825d99071 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*>>&) (/usr/local/llvm-devel/bin/../lib/libclang-cpp.so.18git+0x3399071)
#30 0x0000000000212081 clang_main(int, char**, llvm::ToolContext const&) (/usr/local/llvm-devel/bin/clang+0x212081)
#31 0x0000000000220503 main (/usr/local/llvm-devel/bin/clang+0x220503)
#32 0x00000008328dbf5a __libc_start1 /root/freebsd/lib/libc/csu/libc_start1.c:157:2
clang: error: clang frontend command failed with exit code 134 (use -v to see invocation)
clang version 18.0.0
Target: aarch64-unknown-freebsd15.0
Thread model: posix
InstalledDir: /usr/local/llvm-devel/bin
clang: note: diagnostic msg: 
********************
```

The problem seems to be that in `VarArgAArch64Helper::finalizeInstrumentation()`, `StackSaveAreaPtr`, `GrRegSaveAreaPtr` and `VrRegSaveAreaPtr` have an integer type rather than a pointer type. Casting them with `IRB.CreateIntToPtr()` fixes the problem and allows the test program to compile, but I am unfamiliar with LLVM internals and am not sure if that's the right solution.

I have not tested the latest development version of LLVM, but I am fairly sure the problem is still present there.
</pre>