<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/145180>145180</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [llvm-mc] crashes with SIGSEGV when asked to assemble certain BPF instructions with mismatched registers
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          jcttrll
      </td>
    </tr>
</table>

<pre>
Due to the unusual representation of some BPF instructions in pseudo-C, the instruction register appears twice (for example, `r0` in the below code):

```
r0 = atomic_fetch_add((u64*)(r2 + 0), r0)
```

A mismatch between the two register names (for example, `r0` and `r1`) is, of course, invalid, since there is no such BPF instruction:

```
r0 = atomic_fetch_add((u64*)(r2 + 0), r1)
```

Instead of reporting a syntax error, `llvm-mc` crashes with SIGSEGV when fed such an instruction (observed in a release build of version 19.1.7):

```
$ echo 'r0 = atomic_fetch_add((u64*)(r2 + 0), r1)' | llvm-mc --arch bpf --filetype null

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: llvm-mc --arch bpf --filetype null
#0 0x00007fef52043539 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib64/libLLVM.so.19.1+0xa43539)
#1 0x00007fef52040ac0 llvm::sys::RunSignalHandlers() (/usr/lib64/libLLVM.so.19.1+0xa40ac0)
#2 0x00007fef52043d1b SignalHandler(int) (/usr/lib64/libLLVM.so.19.1+0xa43d1b)
#3 0x00007fef50e57980 __restore_rt (/lib64/libc.so.6+0x57980)
#4 0x00007fef54c2c9b2 (anonymous namespace)::BPFAsmParser::convertToMapAndConstraints(unsigned int, llvm::SmallVectorImpl<std::unique_ptr<llvm::MCParsedAsmOperand, std::default_delete<llvm::MCParsedAsmOperand>>> const&) (/usr/lib64/libLLVM.so.19.1+0x362c9b2)
#5 0x00005559f966d750 
Segmentation fault (core dumped)
```

A debug build from the GitHub `main` branch (at 0c47628515dc80bd50599f936614da07943572a4) provides more insight:

```
$ echo 'r0 = atomic_fetch_add((u64*)(r2 + 0), r1)' | ../../bin/llvm-mc --arch bpfel --filetype null

Unknown match type detected!
UNREACHABLE executed at /llvm-project/llvm/lib/Target/BPF/AsmParser/BPFAsmParser.cpp:352!
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: ../../bin/llvm-mc --arch bpfel --filetype null
 #0 0x00000000006bb83c llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /llvm-project/llvm/lib/Support/Unix/Signals.inc:804:0
 #1 0x00000000006bbcfd PrintStackTraceSignalHandler(void*) /llvm-project/llvm/lib/Support/Unix/Signals.inc:888:0
 #2 0x00000000006b95e1 llvm::sys::RunSignalHandlers() /llvm-project/llvm/lib/Support/Signals.cpp:105:0
 #3 0x00000000006bb1f7 SignalHandler(int, siginfo_t*, void*) /llvm-project/llvm/lib/Support/Unix/Signals.inc:418:0
 #4 0x00007fbd5e257980 __restore_rt (/lib64/libc.so.6+0x57980)
 #5 0x00007fbd5e2a949c __pthread_kill_implementation /usr/src/debug/glibc-2.38-150600.14.14.2.x86_64/nptl/pthread_kill.c:44:76
 #6 0x00007fbd5e2578c2 gsignal /usr/src/debug/glibc-2.38-150600.14.14.2.x86_64/signal/../sysdeps/posix/raise.c:27:6
 #7 0x00007fbd5e23f64f abort /usr/src/debug/glibc-2.38-150600.14.14.2.x86_64/stdlib/abort.c:81:7
 #8 0x00000000006326bd bindingsErrorHandler(void*, char const*, bool) /llvm-project/llvm/lib/Support/ErrorHandling.cpp:242:0
 #9 0x000000000042f672 (anonymous namespace)::BPFAsmParser::matchAndEmitInstruction(llvm::SMLoc, unsigned int&, llvm::SmallVectorImpl<std::unique_ptr<llvm::MCParsedAsmOperand, std::default_delete<llvm::MCParsedAsmOperand>>>&, llvm::MCStreamer&, unsigned long&, bool) /llvm-project/llvm/lib/Target/BPF/AsmParser/BPFAsmParser.cpp:313:0
#10 0x00000000005879d6 (anonymous namespace)::AsmParser::parseAndMatchAndEmitTargetInstruction((anonymous namespace)::ParseStatementInfo&, llvm::StringRef, llvm::AsmToken, llvm::SMLoc) /llvm-project/llvm/lib/MC/MCParser/AsmParser.cpp:2311:0
#11 0x0000000000587349 (anonymous namespace)::AsmParser::parseStatement((anonymous namespace)::ParseStatementInfo&, llvm::MCAsmParserSemaCallback*) /llvm-project/llvm/lib/MC/MCParser/AsmParser.cpp:2244:0
#12 0x00000000005815fb (anonymous namespace)::AsmParser::Run(bool, bool) /llvm-project/llvm/lib/MC/MCParser/AsmParser.cpp:979:0
#13 0x000000000040a13e AssembleInput(char const*, llvm::Target const*, llvm::SourceMgr&, llvm::MCContext&, llvm::MCStreamer&, llvm::MCAsmInfo&, llvm::MCSubtargetInfo&, llvm::MCInstrInfo&, llvm::MCTargetOptions const&) /llvm-project/llvm/tools/llvm-mc/llvm-mc.cpp:348:0
#14 0x000000000040bba7 main /llvm-project/llvm/tools/llvm-mc/llvm-mc.cpp:596:0
#15 0x00007fbd5e240eec __libc_start_call_main /usr/src/debug/glibc-2.38-150600.14.14.2.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#16 0x00007fbd5e240fb5 call_init /usr/src/debug/glibc-2.38-150600.14.14.2.x86_64/csu/../csu/libc-start.c:128:20
#17 0x00007fbd5e240fb5 __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.38-150600.14.14.2.x86_64/csu/../csu/libc-start.c:347:5
#18 0x00000000004097b1 _start /home/abuild/rpmbuild/BUILD/glibc-2.38/csu/../sysdeps/x86_64/start.S:117:0
Aborted (core dumped)
```

The [`switch` in `BPFAsmParser::matchAndEmitInstruction`](https://github.com/llvm/llvm-project/blob/0c47628515dc80bd50599f936614da07943572a4/llvm/lib/Target/BPF/AsmParser/BPFAsmParser.cpp#L319) is apparently missing a `case Match_InvalidTiedOperand` to handle various `Constraints` in `BPFInstrInfo.td`, such as [on line 946](https://github.com/llvm/llvm-project/blob/0c47628515dc80bd50599f936614da07943572a4/llvm/lib/Target/BPF/BPFInstrInfo.td#L946). This causes the crash when encountering the following (and possibly more) illegal instructions with mismatched registers:

```
r0 = bswap16 r1
r0 = bswap32 r1
r0 = bswap64 r1
r0 = atomic_fetch_add((u64*)(r2 + 0), r1)
r0 = atomic_fetch_and((u64*)(r2 + 0), r1)
r0 = atomic_fetch_or((u64*)(r2 + 0), r1)
r0 = atomic_fetch_xor((u64*)(r2 + 0), r1)
w0 = xchg32_32(r2 + 0, w1)
r0 = xchg_64(r2 + 0, r1)
```


</pre>
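<pre>
Added example, not part of the original report and not LLVM project code: a POSIX shell check that feeds each instruction listed in the report to an assembler command and separates a proper diagnostic (ordinary non-zero exit) from a crash (exit status 128 or higher, meaning the process was killed by a signal). The function names are hypothetical; the instruction list and the `llvm-mc --arch bpf --filetype null` command line are taken from the report.

```shell
#!/bin/sh
# Instruction list copied from the report: each has mismatched tied registers.
MISMATCHED='r0 = bswap16 r1
r0 = bswap32 r1
r0 = bswap64 r1
r0 = atomic_fetch_add((u64*)(r2 + 0), r1)
r0 = atomic_fetch_and((u64*)(r2 + 0), r1)
r0 = atomic_fetch_or((u64*)(r2 + 0), r1)
r0 = atomic_fetch_xor((u64*)(r2 + 0), r1)
w0 = xchg32_32(r2 + 0, w1)
r0 = xchg_64(r2 + 0, r1)'

# Map an exit status to a verdict. A shell reports death by signal as
# 128 + signal number (139 = SIGSEGV, 134 = SIGABRT from UNREACHABLE).
classify_status() {
    if [ "$1" -eq 0 ]; then echo accepted
    elif [ "$1" -ge 128 ]; then echo crashed
    else echo diagnosed
    fi
}

# check_insn INSN CMD...: feed one instruction to the assembler on stdin.
check_insn() {
    insn=$1; shift
    st=0
    printf '%s\n' "$insn" | "$@" >/dev/null 2>&1 || st=$?
    classify_status "$st"
}

# run_all CMD...: succeed only if every invalid instruction is diagnosed,
# i.e. rejected with an ordinary error exit rather than accepted or crashing.
run_all() {
    rc=0
    while IFS= read -r insn; do
        verdict=$(check_insn "$insn" "$@")
        printf '%-9s %s\n' "$verdict" "$insn"
        [ "$verdict" = diagnosed ] || rc=1
    done <<EOF
$MISMATCHED
EOF
    return "$rc"
}

# Command line taken from the report; skipped when llvm-mc is not installed.
if command -v llvm-mc >/dev/null 2>&1; then
    run_all llvm-mc --arch bpf --filetype null ||
        echo "FAIL: llvm-mc crashed on or accepted an invalid instruction"
fi
```

Because the check only looks at how the process ended, it does not depend on the wording of whatever diagnostic a fixed parser emits.
</pre>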