<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href="https://github.com/llvm/llvm-project/issues/115323">115323</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            `sincos` args may get clobbered after #108401 when passed on the stack
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            compiler-rt:asan,
            llvm:SelectionDAG
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
            MacDue
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          zmodem
      </td>
    </tr>
</table>

<pre>
Consider this program on 32-bit x86, where arguments are passed on the stack:

```
$ cat /tmp/a.cc
#include <math.h>
#include <stdio.h>

double __attribute__((noinline)) g(double a, double b) { return a + b; }

double __attribute__((noinline)) f(double a) {
  double foo = sin(a);
  double bar = cos(a);
  double z = g(bar + 3.14, foo);
  return z;
}

int main() {
  printf("%f\n", f(3.14));
  return 0;
}
```

After 3073c3c2290a6d9b12fbaefa40dd22eef6312895, it fails under ASan:

```
$ build/bin/clang.bad -target i386-unknown-linux-gnu -lm -fsanitize=address -fno-math-errno -O2 /tmp/a.cc && ASAN_OPTIONS=external_symbolizer_path=$PWD/build/bin/llvm-symbolizer ./a.out
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3898196==ERROR: AddressSanitizer: SEGV on unknown address 0x27eb4300 (pc 0x566160ed bp 0xffab1898 sp 0xffab1470 T0)
==3898196==The signal is caused by a READ memory access.
    #0 0x566160ed in QuickCheckForUnpoisonedRegion /work/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.h:37:7
    #1 0x566160ed in sincos /work/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5167:12
    #2 0x566b25b1 in f(double) (/work/llvm-project/a.out+0x1085b1)
    #3 0x566b25f3 in main (/work/llvm-project/a.out+0x1085f3)
    #4 0xf7c29b84 (/lib/i386-linux-gnu/libc.so.6+0x23b84) (BuildId: d16f2b0239d79fbec67438094f9a9443121ab72d)
    #5 0xf7c29c47 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x23c47) (BuildId: d16f2b0239d79fbec67438094f9a9443121ab72d)
    #6 0x565c43a6 in _start (/work/llvm-project/a.out+0x1a3a6)

==3898196==Register values:
eax = 0x27eb4300  ebx = 0x27eb4303  ecx = 0x27eb4300  edx = 0x3f5a1819  
edi = 0x07eb4303  esi = 0x07eb4302  ebp = 0xffab1898  esp = 0xffab1470 
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/work/llvm-project/a.out+0x1085b1) in f(double)
==3898196==ABORTING
```

The calls to `sin` and `cos` will get folded to a `sincos` call. After 3073c3c2290a6d9b12fbaefa40dd22eef6312895, the call looks like this:

```
  37:   89 e6                   mov    %esp,%esi
  39:   8d 44 24 18             lea    0x18(%esp),%eax
  3d:   89 44 24 0c             mov    %eax,0xc(%esp)    // <-- cos
  41:   8d 46 08                lea    0x8(%esi),%eax
  44:   89 44 24 08             mov    %eax,0x8(%esp)    // <-- sin
  48:   f2 0f 11 04 24          movsd  %xmm0,(%esp)      // <-- x
  4d:   e8 fc ff ff ff          call   4e <_Z1fd+0x2e>
                        4e: R_386_PLT32 sincos
```

Look at the value of the `sin` argument: it's `0x8(%esi) = 0x8(%esp)` which is the stack slot for `foo` in the following call to `g`. But it's also the stack slot used for `sin` in the `sincos` call. This seems dangerous.

Since it's a 64-bit value, when `sincos` does `*sin = ...` it will clobber both the `sin` and `cos` arguments. ASan happens to notice, because it intercepts `sincos` and checks the validity of the pointers afterwards.
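The clobbering described above, modelled as an added example (not code from the report or from LLVM): a byte array stands in for the 32-bit outgoing-argument area laid out in the disassembly, and an interceptor-style caller re-reads its pointer arguments after the callee has written through them. The polynomial stand-in for `sincos` and the alternative `0x10` slot used for comparison are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte model of the outgoing-argument area the disassembly above sets up
 * (constructed for this example; offsets are those in the dump). Pointers
 * are 4-byte frame offsets, as in the 32-bit ABI.
 *   0x08 double* sin_out   0x0c double* cos_out   0x18 slot cos_out targets */
enum { ARG_X = 0x00, ARG_SIN = 0x08, ARG_COS = 0x0c, SLOT_COS = 0x18, FRAME = 0x20 };

/* Stand-in for an interceptor such as ASan's: read the pointer arguments, let
 * the callee store its results, then read the arguments again to check the
 * written ranges. Returns 1 if both pointers survived the call. */
static int intercepted_sincos(uint8_t *frame) {
    double x, s, c;
    uint32_t sin_off, cos_off, sin_again, cos_again;
    memcpy(&x, frame + ARG_X, sizeof x);
    memcpy(&sin_off, frame + ARG_SIN, sizeof sin_off);
    memcpy(&cos_off, frame + ARG_COS, sizeof cos_off);
    s = x - x * x * x / 6.0;            /* crude stand-in for libm's sincos; */
    c = 1.0 - x * x / 2.0;              /* only the two 8-byte stores matter */
    memcpy(frame + sin_off, &s, sizeof s);   /* *sin = ... */
    memcpy(frame + cos_off, &c, sizeof c);   /* *cos = ... */
    memcpy(&sin_again, frame + ARG_SIN, sizeof sin_again);  /* re-read args */
    memcpy(&cos_again, frame + ARG_COS, sizeof cos_again);
    return sin_again == sin_off && cos_again == cos_off;
}

/* Build the frame with sin_out aimed at `sin_slot`, then make the call. */
int pointers_survive(uint32_t sin_slot, double x) {
    uint8_t frame[FRAME] = {0};
    uint32_t sin_off = sin_slot, cos_off = SLOT_COS;
    memcpy(frame + ARG_X, &x, sizeof x);
    memcpy(frame + ARG_SIN, &sin_off, sizeof sin_off);
    memcpy(frame + ARG_COS, &cos_off, sizeof cos_off);
    return intercepted_sincos(frame);
}

int main(void) {
    /* Lowering from the report: sin_out is its own argument slot (0x8), so the
     * 8-byte store overwrites the pointer slots at 0x8 and 0xc. */
    printf("sin_out -> 0x08: intact = %d\n", pointers_survive(ARG_SIN, 3.14));
    /* A lowering with a separate slot leaves the argument area untouched. */
    printf("sin_out -> 0x10: intact = %d\n", pointers_survive(0x10, 3.14));
    return 0;
}
```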
</pre>
s4wuIUmSyMKP4sE70zTSQmP85ty_J1JzuPAm8W4BG7bdSh3VSRuveGTQyFjeBfRDxeJOKQVUHko4t99bJZR_2W_v1sSJDliQrGdmhUuuxIKKilbsSi7SguKqwmlaXG0WVVMWPMtZRUSTkayljchzWbVNk1e84NWVWhBMsjTFRZrReTpPKOaUUVq0ZUbmpCpRhmXPVJcEdU-MXV8p5wa5SNM5JfSqY43s3PT_wXEdR-uxgiMxv0iYjWh9LzvJw1GzrD9P_zPYRTw3mmHtUIY75bx7s-WV7-Ti1D127aBnL1HVp82RYvRGLD5xmeF03OoL_zpcDbZbbLzfRqGOab5WfjM0CTf9dIj9epbFNTtEbqdlPy3IvwMAAP__s_Di5w">