<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/109279>109279</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Miscompilation of tail call on x86_64: RSP is erroneously increased
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          cypheon
      </td>
    </tr>
</table>

<pre>
    In some cases, when calling a tailcc function in tail position, `rsp` is increased in a branch where it has never been decreased. This leads to a corrupted stack pointer (and probably a segfault) in the following function.

Repro:
```llvm
declare tailcc void @f2()
declare tailcc void @f1(ptr, i64, ptr, i8, ptr, ptr, ptr, ptr, ptr, ptr)

define tailcc void @repro(i64 %0) {
  %cond = icmp ugt i64 %0, 0
  br i1 %cond, label %a, label %b
a:
  musttail call tailcc void @f1(ptr null, i64 16, ptr null, i8 1, ptr null, ptr null, ptr null, ptr null, ptr null, ptr null)
  ret void
b:
  musttail call tailcc void @f2()
  ret void
}
```

Resulting assembly:
```asm
repro:                                  # @repro
# %bb.0:
        test    rdi, rdi
        je      .LBB0_2
# %bb.1:                                # %a
        sub     rsp, 32
        xorps   xmm0, xmm0
        movaps  xmmword ptr [rsp + 8], xmm0
        mov     rax, qword ptr [rsp + 32]
        movaps  xmmword ptr [rsp + 24], xmm0
        mov     qword ptr [rsp], rax
        mov     esi, 16
        xor     edi, edi
        xor     edx, edx
        mov     ecx, 1
        xor     r8d, r8d
        xor     r9d, r9d
        jmp     f1@PLT                  # TAILCALL
.LBB0_2:                                # %b
        add     rsp, 32                 # <- rsp should not be increased here, as it is only decreased in branch "%a"
        jmp     f2@PLT                  # TAILCALL
                                        # -- End function
```
https://godbolt.org/z/ze7r8j67o

As far as I can see, the issue does not occur on aarch64. There the stack pointer is decremented right at the beginning (before the branch), so the increment before the tail call is correct.
</pre>