<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/83775>83775</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
llvm-mca hits sanitizer error in cycleEnd
</td>
</tr>
<tr>
<th>Labels</th>
<td>
tools:llvm-mca,
crash-on-valid
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
arsenm
</td>
</tr>
</table>
<pre>
f0484e08bdcf64106592808e3ca80404937b4657 was reverted in 31295bbe83c3ea9d8a3372efe34342a299d1018a due to breaking the sanitizer bot.
Reduced testcase:
```
# RUN: llvm-mca -mtriple=amdgcn -mcpu=gfx940 --timeline --iterations=1 --timeline-max-cycles=0 < %s | FileCheck %s
# CHECK: Iterations: 1
# CHECK: Instructions: 71
# CHECK: Total Cycles: 562
# CHECK: Total uOps: 77
# CHECK: Resources:
# CHECK: [0] - HWBranch
# CHECK: [1] - HWExport
# CHECK: [2] - HWLGKM
# CHECK: [3] - HWSALU
# CHECK: [4] - HWVALU
# CHECK: [5] - HWVMEM
# CHECK: [6] - HWXDL
v_pk_mov_b32 v[0:1], v[2:3], v[4:5]
v_pk_add_f32 v[0:1], v[0:1], v[0:1]
v_pk_mul_f32 v[0:1], v[0:1], v[0:1]
v_add_co_u32 v5, s[0:1], v1, v2
v_sub_co_u32 v5, s[0:1], v1, v2
v_add_u32 v5, v1, v2
v_sub_u32 v5, v1, v2
# CHECK: [0] [1] [2] [3] [4] [5] [6] Instructions:
# CHECK-NEXT: - - - - 1.00 - - v_pk_mov_b32 v[0:1], v[2:3], v[4:5]
# CHECK-NEXT: - - - - 1.00 - - v_pk_add_f32 v[0:1], v[0:1], v[0:1]
# CHECK-NEXT: - - - - 1.00 - - v_pk_mul_f32 v[0:1], v[0:1], v[0:1]
# CHECK-NEXT: - - - 1.00 1.00 - - v_add_co_u32_e64 v5, s[0:1], v1, v2
# CHECK-NEXT: - - - 1.00 1.00 - - v_sub_co_u32_e64 v5, s[0:1], v1, v2
# CHECK-NEXT: - - - - 1.00 - - v_add_u32_e32 v5, v1, v2
# CHECK-NEXT: - - - - 1.00 - - v_sub_u32_e32 v5, v1, v2
```
```
=================================================================
==28215==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107d0149c at pc 0x000100e8afe8 bp 0x00016f97ade0 sp 0x00016f97add8
READ of size 1 at 0x000107d0149c thread T0
#0 0x100e8afe4 in llvm::mca::InOrderIssueStage::updateCarriedOver() InOrderIssueStage.cpp:327
#1 0x100e8b458 in llvm::mca::InOrderIssueStage::cycleStart() InOrderIssueStage.cpp:395
#2 0x100e7b194 in llvm::mca::Pipeline::runCycle() Pipeline.cpp:60
#3 0x100e7a84c in llvm::mca::Pipeline::run() Pipeline.cpp:43
#4 0x100492730 in runPipeline(llvm::mca::Pipeline&) llvm-mca.cpp:308
#5 0x10048afe0 in main llvm-mca.cpp:750
#6 0x185c6d0dc (<unknown module>)
0x000107d0149c is located 540 bytes inside of 608-byte region [0x000107d01280,0x000107d014e0)
freed by thread T0 here:
#0 0x1056e952c in wrap__ZdlPv+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x6152c)
#1 0x100e7f89c in llvm::SmallVectorImpl<std::__1::unique_ptr<llvm::mca::Instruction, std::__1::default_delete<llvm::mca::Instruction>>>::erase(std::__1::unique_ptr<llvm::mca::Instruction, std::__1::default_delete<llvm::mca::Instruction>> const*, std::__1::unique_ptr<llvm::mca::Instruction, std::__1::default_delete<llvm::mca::Instruction>> const*) SmallVector.h:775
#2 0x100e7f66c in llvm::mca::EntryStage::cycleEnd() EntryStage.cpp:78
#3 0x100e7b420 in llvm::mca::Pipeline::runCycle() Pipeline.cpp:78
#4 0x100e7a84c in llvm::mca::Pipeline::run() Pipeline.cpp:43
#5 0x100492730 in runPipeline(llvm::mca::Pipeline&) llvm-mca.cpp:308
#6 0x10048afe0 in main llvm-mca.cpp:750
#7 0x185c6d0dc (<unknown module>)
previously allocated by thread T0 here:
#0 0x1056e90ec in wrap__Znwm+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x610ec)
#1 0x100e7ed88 in llvm::mca::EntryStage::getNextInstruction() EntryStage.cpp:40
#2 0x100e7b2f8 in llvm::mca::Pipeline::runCycle() Pipeline.cpp:69
#3 0x100e7a84c in llvm::mca::Pipeline::run() Pipeline.cpp:43
#4 0x100492730 in runPipeline(llvm::mca::Pipeline&) llvm-mca.cpp:308
#5 0x10048afe0 in main llvm-mca.cpp:750
#6 0x185c6d0dc (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free InOrderIssueStage.cpp:327 in llvm::mca::InOrderIssueStage::updateCarriedOver()
Shadow bytes around the buggy address:
0x000107d01200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x000107d01280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x000107d01300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x000107d01380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x000107d01400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x000107d01480: fd fd fd[fd]fd fd fd fd fd fd fd fd fa fa fa fa
0x000107d01500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x000107d01580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x000107d01600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x000107d01680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x000107d01700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28215==ABORTING
```
cycleEnd is erasing a subset of the Instructions vector, but that vector is later read in updateCarriedOver
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJzsWVtv47gV_jXKy4EDitT1IQ-O7cwEOzckM9ttXwxKPLLZyJRKUk4yv76gLNmyY2cnl0VboIGgWOTH7xyS50aJGyMXCvHCCy-9cHrGG7us9AXXBtXqLKvE40VBgiRAkmQiL6LAJ1GY0oQkyHKekIAEKYuzIApjuOcGNK5RWxQgFTCfpmGWYcJyhjwVCWcsplggC1hAOU1T4RM_4SAaBFtBppHfSbUAu0QwXEkrf6KGrLLn4JGpR8ab-w2KJkcBFo3NuUGPjYfdXkS6a_NIGdz8-OKxMZTlejVa5RxGK6tlXaLHpnwlFrmC0SqvG49NF8VDGhAYjaxcYSkVwmgkLWpuZaWMx6b-oG-04g-j_DEv0fUQ8NgEPBoa8OIJXMkSJ0vM79qmPQUpg8nH2eQ3p9P1gHwM_jGEMlY3-RbT_sXHkN8ry0uYdAp1yDCiJ6HN13oHBIjjk2reoKkanbe8R7q98JJ44RQARvDxb5eaq3x5HObvYLOHutL2OIzuYJ8-_Pb5OIjtQLfjTz-Og4Id6PeToHAA-jw7IS7agf6Yftpbqva-ntd381W1nmeMwrpdEjZ28_XopH2mHhuzwXPgsbGTPBjOhZgXJ4affB5Ib8pXD3ei82reuOGhA5nDQX57p_0A02QvG-Ak7NDH6E71nrTLneENjGtgQAMzGRjDYMsHG3voaQfiRl9mf3x3Mkcbbzn2zz8n5EnjG-3ilQoMZL_eqJ6R_avzfrVF_tq8O8knFNjZ9Byj4JfM9JVie4k7p3hHic8ucudVczzlO0foX2C7nVuepj9It89kYjb9n78GE6EJ9cPNz9nNzdcbt7JjITQac9sXL65tibweNQZHvLCoR4VGhEoB30CBPBBCfBIL4gdpDtxCnfeNBBNeYAJZ3bVERRpzgQTMfotIutJoNp5CVYCRPxF8R3ZAb5cauYDv3Za0AZAyAuShlxa40s1VSi4CsvEq55sf1-qrFqivjWnw1vIFbpqbWnCLE661RPF1jdqjiUdTeAI_z-vaxTka74n2e9FZECYvE91WXreWa_tnMtOwk-lRRjuBceanp-b6TdZtgbd50o1qa6pOSt_ZkUf7S8l6ep4E-a_SH2cO2B5zsGEOUhoz4ph1o7ZMNHlODo0cfV_-9qtCkj3-sON3RtDyr3in_mBQHO5PN3KDkjCPBBG5a0k8NmnUnaruFawq0bgie-bRdBgXDmxSGiirnLtTQxgQyB4tGpDKSIHOliOSjFwbaFzISrUpf0dAE-LRyZARyVac8zUB2ePO7GGJendg2DP_MMI0pO2e3Wtez-f_EOW3tUcvyUMcuJmVMstLrhZzbc-54WpemYe5eFR8JfNz8VjKzGNjrldRgO2oyA9pvtXlwN7jIkkP7ON2xcvyd8xtpa9XdemxibFi0zWf-527KfmvBue11R6bHHWVbQnTJp4nBAIL3pR2LrBEi39Owmb95XpQu_MWTf5bFIO8UsZ6dHyc8z-uVAqDTT1fOgeKwz172IajIopOxYuZsvrxMPDNlOjCxq67d9LkeEjKAkreIeId0Ad_WcQL_-KIF70m4sWviXi1xrWsGlM-Ai_7YPeCuERwGJfU_epNYYng6bCEIjmVhg_NcIH2Cz7YPSc6bpABOW7zGS1OCXtRCk7_n4JfaJC3Pz5_Ht_8_SU16zMV3buUjJ1iSy6q-64I4LpqlGjfB2bNYvHYF80DRxmWAsSdsaDgL7qOESUbIvGi6wgRI28gGvK8RaFhbfQGfdqTzmxItq-UF1662_Qkz5MlH3CFb9m6Ic87LVT0ThsXvZM-8Rv0GXgUlLhAJVyMqBSCGfRorDUaVNZAAryuS5m3r6U3nujcc-tzXcDgmQss25fHAEC2gekb11bystx6bA8mPhAKhAEJgIRAIiAx9KM-Iq-hxMKCRvGzUgP6nZ9etTW9C1DdgWAA2vrgreX53XGqwt8HraQ4Io7ug7RcLJ9QFWwf1MZK0GgbvVOqCPdBjcEOaPKqbrmKbRL4UFYZL5-q43jSA5BU0kLl4utA7agDfaukqdSmxmjMEALF9vw9qZTlUqGGao26KKv7ndZ5DxprzR8hr6o7ebDbwLega2U1hyr7J-aHq5RlW6ZbrkAqi1rxsp039l2f3EZtCqPDyefbjb9p9-ApKs9OvJUZX369-X795cNzr6QG976qdudRd86RagEcTJMZtO4c6rLQ8A0xrNuq3h0cssaCXXLbNbUnWr4xBt5-CnuS8s7EBRMpS_kZXvgxSUMWBml0trygERc8LtIIMQ6jIhVpQEmEWZElLBAZnskLSmhAGAlIFCZ-dB4UEU-jCOM8CnNKQy8guOKyPHcZ-bzSizPpEvBFwuI4PCt5hqVpP_dRaquqdMm0rzA8Sj068SjNNTfLUaVGa15K4ZrD6Zm-aHFZszBeQEpprNnJsNKWeLH9wraU1gy-4aHWblkU9It81ujyYmlt-_3Jo1cevVpIu2yy87xaefSqrSY2_0a1rpxhefSqnYjx6FU7l38HAAD__1sA7oQ">