<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/116583>116583</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[CodeGen][WinEH] Miscompilation due to inlining of inalloca functions
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
MuellerMP
</td>
</tr>
</table>
<pre>
For the Microsoft C++ ABI, call parameters may be attributed inalloca (https://llvm.org/docs/InAlloca.html).
The lifetime of an inalloca parameter is bound to the call, even if the call is inlined.
Thus inlined InAlloca allocas always lower to dynamic allocas which modify the stack pointer.
For WinEH we save the stack pointer in fs[0]-4, which will be reloaded by the C runtime when unwinding.
Dynamic allocas, as is the case for inalloca allocas, modify the stack pointer, thus breaking stack access after unwinding.
This can be shown with the following C++ code:
```C++
// Can be compiled with: clang-cl -target i386-pc-windows-msvc /EHs /O2
// /O2 is required for inlining; /EHs enables basic C++ exceptions.
#include <stdio.h>

struct Foo {
  int a{123};
  int b{2};
  Foo() {}
  ~Foo() {}
  Foo(const Foo &) {} // non-trivial copy ctor: passed inalloca on i386 MSVC
  __declspec(noinline) void bar(int a, int b) {}
};

int g(Foo foo) {
  try {
    throw 1;
  } catch (...) {
  }
  foo.bar(0, 1);                   // overwrites the inalloca stack buffer with params
  printf("%d %d\n", foo.a, foo.b); // prints '0 1'
  return 0;
}

int main(int argc, char **) {
  return g(Foo());
}
```
Since godbolt doesn't provide access to Microsoft C/STL headers, here is a simplified version which visualizes the generated code:
https://llvm.godbolt.org/z/TPq4Pnxch
We see that esp is moved to -28(%ebp) and -24(%ebp) is moved to %fs:0, which represents the typical 32-bit WinEH prolog.
Afterwards there are two pushes and then a call to alwaysthrows.
This means that in our catch block our esp will be rewound to its value before the pushes.
This also means any following pushes will overwrite the foo members.
</pre>
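A portable, self-checking version of the reproducer, added here as an example; it is not part of the report above and not LLVM's own code. It keeps the shape of g() from the report and adds a control variant that is marked noinline. The NOINLINE macro, the control variant, and the expectation that the control is unaffected (which follows from the report's explanation that inlining g is what turns the inalloca into a dynamic alloca, but is not something the report itself verifies) are assumptions of this example. On targets that do not use inalloca (for instance x86-64 Linux) both variants return 123 and 2; when built with clang-cl -target i386-pc-windows-msvc /EHs /O2, the inlinable variant is the reported case.

```cpp
#include <cstdio>
#include <utility>

// Assumption of this example: map "noinline" to the spelling each compiler accepts.
#ifdef _MSC_VER
#define NOINLINE __declspec(noinline)
#else
#define NOINLINE __attribute__((noinline))
#endif

// Non-trivially copyable, so the i386 MSVC ABI passes it inalloca (per the report).
struct Foo {
  int a{123};
  int b{2};
  Foo() {}
  ~Foo() {}
  Foo(const Foo &) {} // default member initializers still set a and b
  NOINLINE void bar(int, int) {} // out-of-line call: its argument pushes reuse stack
};

// Same shape as g() in the report: throw and catch, then a call whose argument
// pushes land where the parameter buffer lived, then read the members back.
std::pair<int, int> g_inlinable(Foo foo) {
  try {
    throw 1;
  } catch (...) {
  }
  foo.bar(0, 1);
  return {foo.a, foo.b};
}

// Control (assumption of this example): with g itself never inlined, the inalloca
// stays bound to a real call and should not become a dynamic alloca in the caller.
NOINLINE std::pair<int, int> g_noinline(Foo foo) {
  try {
    throw 1;
  } catch (...) {
  }
  foo.bar(0, 1);
  return {foo.a, foo.b};
}

// True when the by-value parameter survived the throw/catch and the later call.
bool members_survive(std::pair<int, int> r) {
  return r == std::make_pair(123, 2);
}

int main() {
  std::pair<int, int> inl = g_inlinable(Foo());
  std::pair<int, int> noinl = g_noinline(Foo());
  std::printf("inlinable g: %d %d\n", inl.first, inl.second);
  std::printf("noinline  g: %d %d\n", noinl.first, noinl.second);
  return (members_survive(inl) && members_survive(noinl)) ? 0 : 1;
}
```

Run both variants on the affected target and on one that does not use inalloca: a non-zero exit from the inlinable variant alone points at the inlining path described in the report, while a failure of both would indicate something other than the inlined-inalloca lowering.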