[llvm-branch-commits] [llvm] release/22.x: [CoroSplit] Never collect allocas used by catchpad into frame (PR #194531)
Weibo He via llvm-branch-commits
llvm-branch-commits at lists.llvm.org
Thu Apr 30 01:59:24 PDT 2026
https://github.com/NewSigma updated https://github.com/llvm/llvm-project/pull/194531
>From effe71d1ceef696096852b30fe09bf57a2525961 Mon Sep 17 00:00:00 2001
From: Weibo He <NewSigma at 163.com>
Date: Wed, 25 Mar 2026 10:37:31 +0800
Subject: [PATCH 1/3] [CoroSplit] Never collect allocas used by catchpad into
frame (#186728)
Windows EH requires exception objects allocated on stack. But there is
no reliable way to identify them. CoroSplit employs a best-effort
algorithm to determine whether allocas persist on the stack or the
frame, which may result in miscompilation when Windows exceptions are
used.
This patch proposes that we treat allocas used by catchpad as exception
objects and never place them on the frame. A verifier check is added to
enforce that operands of catchpad are either constants or allocas.
Close #143235 Close #153949 Close #182584
---
llvm/docs/Coroutines.rst | 3 +
llvm/docs/LangRef.rst | 5 +-
llvm/lib/FuzzMutate/RandomIRBuilder.cpp | 5 ++
llvm/lib/IR/Verifier.cpp | 7 ++
llvm/lib/Transforms/Coroutines/SpillUtils.cpp | 7 ++
.../Transforms/Coroutines/coro-alloca-10.ll | 66 +++++++++++++++++++
llvm/unittests/FuzzMutate/StrategiesTest.cpp | 3 +-
7 files changed, 93 insertions(+), 3 deletions(-)
create mode 100644 llvm/test/Transforms/Coroutines/coro-alloca-10.ll
diff --git a/llvm/docs/Coroutines.rst b/llvm/docs/Coroutines.rst
index 0e6b49c84acee..9fa403e68e13b 100644
--- a/llvm/docs/Coroutines.rst
+++ b/llvm/docs/Coroutines.rst
@@ -2252,4 +2252,7 @@ Areas Requiring Attention
#. Make required changes to make sure that coroutine optimizations work with
LTO.
+#. In Windows EH, exception objects must be allocated on the stack (see :ref:wineh for details).
+ We identify an exception object as an alloca that has `catchpad` users.
+
#. More tests, more tests, more tests
diff --git a/llvm/docs/LangRef.rst b/llvm/docs/LangRef.rst
index be752b42ea412..1e0293f67e833 100644
--- a/llvm/docs/LangRef.rst
+++ b/llvm/docs/LangRef.rst
@@ -13825,8 +13825,9 @@ ensures that each ``catchpad`` has exactly one predecessor block, and it always
terminates in a ``catchswitch``.
The ``args`` correspond to whatever information the personality routine
-requires to determine if this is an appropriate handler for the exception. Control
-will transfer to the ``catchpad`` if this is the first appropriate handler for
+requires to determine if this is an appropriate handler for the exception.
+Each operand must be an alloca or a constant.
+Control will transfer to the ``catchpad`` if this is the first appropriate handler for
the exception.
The ``resultval`` has the type :ref:`token <t_token>` and is used to match the
diff --git a/llvm/lib/FuzzMutate/RandomIRBuilder.cpp b/llvm/lib/FuzzMutate/RandomIRBuilder.cpp
index 8b034137e4702..87392c2e69299 100644
--- a/llvm/lib/FuzzMutate/RandomIRBuilder.cpp
+++ b/llvm/lib/FuzzMutate/RandomIRBuilder.cpp
@@ -332,6 +332,11 @@ static bool isCompatibleReplacement(const Instruction *I, const Use &Operand,
return false;
return !Callee->hasParamAttribute(OperandNo, Attribute::ImmArg);
}
+ case Instruction::CatchPad:
+ // Argument operand must be alloca or constant
+ if (!isa<Constant>(Replacement) && !isa<AllocaInst>(Replacement))
+ return false;
+ break;
default:
break;
}
diff --git a/llvm/lib/IR/Verifier.cpp b/llvm/lib/IR/Verifier.cpp
index bb552861130d2..bdca6800eddfe 100644
--- a/llvm/lib/IR/Verifier.cpp
+++ b/llvm/lib/IR/Verifier.cpp
@@ -4911,6 +4911,13 @@ void Verifier::visitCatchPadInst(CatchPadInst &CPI) {
Check(&*BB->getFirstNonPHIIt() == &CPI,
"CatchPadInst not the first non-PHI instruction in the block.", &CPI);
+ Check(llvm::all_of(CPI.arg_operands(),
+ [](Use &U) {
+ auto *V = U.get();
+ return isa<Constant>(V) || isa<AllocaInst>(V);
+ }),
+ "Argument operand must be alloca or constant.", &CPI);
+
visitEHPadPredecessors(CPI);
visitFuncletPadInst(CPI);
}
diff --git a/llvm/lib/Transforms/Coroutines/SpillUtils.cpp b/llvm/lib/Transforms/Coroutines/SpillUtils.cpp
index 81fe0c9acd413..05abccf0f9a97 100644
--- a/llvm/lib/Transforms/Coroutines/SpillUtils.cpp
+++ b/llvm/lib/Transforms/Coroutines/SpillUtils.cpp
@@ -180,6 +180,13 @@ struct AllocaUseVisitor : PtrUseVisitor<AllocaUseVisitor> {
handleAlias(I);
}
+ void visitCatchPadInst(CatchPadInst &I) {
+ // Windows EH requires exception objects allocated on the stack,
+ // shortcut the traversal and keep it on stack.
+ ShouldLiveOnFrame = false;
+ Base::Worklist.clear();
+ }
+
void visitInsertElementInst(InsertElementInst &I) {
enqueueUsers(I);
handleAlias(I);
diff --git a/llvm/test/Transforms/Coroutines/coro-alloca-10.ll b/llvm/test/Transforms/Coroutines/coro-alloca-10.ll
new file mode 100644
index 0000000000000..12e2a921aa769
--- /dev/null
+++ b/llvm/test/Transforms/Coroutines/coro-alloca-10.ll
@@ -0,0 +1,66 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --version 6
+; Test that catchpad is specially handled. Do not collect exception object into coroutine frame.
+; RUN: opt < %s -passes='coro-split,simplifycfg,early-cse' -S | FileCheck %s
+
+define void @fn() presplitcoroutine personality i32 0 {
+; CHECK-LABEL: define void @fn() personality i32 0 {
+; CHECK-NEXT: [[ENTRY:.*:]]
+; CHECK-NEXT: [[EXCEPTION_OBJ_RELOAD_ADDR:%.*]] = alloca ptr, align 8
+; CHECK-NEXT: [[ID:%.*]] = call token @llvm.coro.id(i32 16, ptr null, ptr null, ptr @fn.resumers)
+; CHECK-NEXT: [[MEM:%.*]] = call noalias nonnull ptr @malloc(i64 24)
+; CHECK-NEXT: [[HDL:%.*]] = call noalias nonnull ptr @llvm.coro.begin(token [[ID]], ptr [[MEM]])
+; CHECK-NEXT: store ptr @fn.resume, ptr [[HDL]], align 8
+; CHECK-NEXT: [[DESTROY_ADDR:%.*]] = getelementptr inbounds i8, ptr [[HDL]], i64 8
+; CHECK-NEXT: store ptr @fn.destroy, ptr [[DESTROY_ADDR]], align 8
+; CHECK-NEXT: store ptr null, ptr [[EXCEPTION_OBJ_RELOAD_ADDR]], align 8
+; CHECK-NEXT: [[INDEX_ADDR4:%.*]] = getelementptr inbounds i8, ptr [[HDL]], i64 16
+; CHECK-NEXT: store i1 false, ptr [[INDEX_ADDR4]], align 1
+; CHECK-NEXT: ret void
+;
+entry:
+ %exception.obj = alloca ptr, align 8
+ %id = call token @llvm.coro.id(i32 16, ptr null, ptr null, ptr null)
+ %size = call i64 @llvm.coro.size.i64()
+ %mem = call noalias nonnull ptr @malloc(i64 %size)
+ %hdl = call ptr @llvm.coro.begin(token %id, ptr %mem)
+ store ptr null, ptr %exception.obj, align 8
+ br label %while
+
+while:
+ %save = call token @llvm.coro.save(ptr null)
+ %suspend = call i8 @llvm.coro.suspend(token %save, i1 false)
+ switch i8 %suspend, label %coro.ret [
+ i8 0, label %await.ready
+ ]
+
+await.ready:
+ invoke void @throw()
+ to label %unreachable unwind label %catch.dispatch
+
+catch.dispatch:
+ %switch = catchswitch within none [label %catch] unwind label %ehcleanup
+
+catch:
+ %pad = catchpad within %switch [ptr null, i32 8, ptr %exception.obj]
+ invoke void @use(ptr %exception.obj) [ "funclet"(token %pad) ]
+ to label %catch.ret unwind label %ehcleanup
+
+catch.ret:
+ catchret from %pad to label %while
+
+ehcleanup:
+ %cleanup = cleanuppad within none []
+ call void @llvm.coro.end(ptr null, i1 true, token none) [ "funclet"(token %cleanup) ]
+ cleanupret from %cleanup unwind to caller
+
+coro.ret:
+ call void @llvm.coro.end(ptr null, i1 false, token none)
+ ret void
+
+unreachable:
+ unreachable
+}
+
+declare ptr @malloc(i64)
+declare void @throw()
+declare void @use(ptr)
diff --git a/llvm/unittests/FuzzMutate/StrategiesTest.cpp b/llvm/unittests/FuzzMutate/StrategiesTest.cpp
index fd91066b994a5..278cce20119c6 100644
--- a/llvm/unittests/FuzzMutate/StrategiesTest.cpp
+++ b/llvm/unittests/FuzzMutate/StrategiesTest.cpp
@@ -733,11 +733,12 @@ TEST(AllStrategies, SkipEHPad) {
StringRef Source = "\n\
define void @f(i32 %x) personality ptr @__CxxFrameHandler3 { \n\
entry: \n\
+ %I = alloca i32, align 4 \n\
invoke void @g() to label %try.cont unwind label %catch.dispatch \n\
catch.dispatch: \n\
%0 = catchswitch within none [label %catch] unwind to caller \n\
catch: \n\
- %1 = catchpad within %0 [ptr null, i32 64, ptr null] \n\
+ %1 = catchpad within %0 [ptr null, i32 64, ptr %I] \n\
catchret from %1 to label %try.cont \n\
try.cont: \n\
ret void \n\
>From 6f8b9239869d27faf9286ca09314e59d7b42b609 Mon Sep 17 00:00:00 2001
From: NewSigma <NewSigma at 163.com>
Date: Tue, 28 Apr 2026 10:47:06 +0800
Subject: [PATCH 2/3] Update test
---
llvm/test/Transforms/Coroutines/coro-alloca-10.ll | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/llvm/test/Transforms/Coroutines/coro-alloca-10.ll b/llvm/test/Transforms/Coroutines/coro-alloca-10.ll
index 12e2a921aa769..a5fb67d59edd1 100644
--- a/llvm/test/Transforms/Coroutines/coro-alloca-10.ll
+++ b/llvm/test/Transforms/Coroutines/coro-alloca-10.ll
@@ -10,10 +10,10 @@ define void @fn() presplitcoroutine personality i32 0 {
; CHECK-NEXT: [[MEM:%.*]] = call noalias nonnull ptr @malloc(i64 24)
; CHECK-NEXT: [[HDL:%.*]] = call noalias nonnull ptr @llvm.coro.begin(token [[ID]], ptr [[MEM]])
; CHECK-NEXT: store ptr @fn.resume, ptr [[HDL]], align 8
-; CHECK-NEXT: [[DESTROY_ADDR:%.*]] = getelementptr inbounds i8, ptr [[HDL]], i64 8
+; CHECK-NEXT: [[DESTROY_ADDR:%.*]] = getelementptr inbounds nuw [[FN_FRAME:%.*]], ptr [[HDL]], i32 0, i32 1
; CHECK-NEXT: store ptr @fn.destroy, ptr [[DESTROY_ADDR]], align 8
; CHECK-NEXT: store ptr null, ptr [[EXCEPTION_OBJ_RELOAD_ADDR]], align 8
-; CHECK-NEXT: [[INDEX_ADDR4:%.*]] = getelementptr inbounds i8, ptr [[HDL]], i64 16
+; CHECK-NEXT: [[INDEX_ADDR4:%.*]] = getelementptr inbounds nuw [[FN_FRAME]], ptr [[HDL]], i32 0, i32 2
; CHECK-NEXT: store i1 false, ptr [[INDEX_ADDR4]], align 1
; CHECK-NEXT: ret void
;
>From f8746b4abb70c0a2d04796f04efe0a54e0208f5d Mon Sep 17 00:00:00 2001
From: NewSigma <NewSigma at 163.com>
Date: Thu, 30 Apr 2026 16:53:27 +0800
Subject: [PATCH 3/3] Revert verifiler change
---
llvm/docs/LangRef.rst | 5 ++---
llvm/lib/FuzzMutate/RandomIRBuilder.cpp | 5 -----
llvm/lib/IR/Verifier.cpp | 7 -------
llvm/unittests/FuzzMutate/StrategiesTest.cpp | 3 +--
4 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/llvm/docs/LangRef.rst b/llvm/docs/LangRef.rst
index 1e0293f67e833..be752b42ea412 100644
--- a/llvm/docs/LangRef.rst
+++ b/llvm/docs/LangRef.rst
@@ -13825,9 +13825,8 @@ ensures that each ``catchpad`` has exactly one predecessor block, and it always
terminates in a ``catchswitch``.
The ``args`` correspond to whatever information the personality routine
-requires to determine if this is an appropriate handler for the exception.
-Each operand must be an alloca or a constant.
-Control will transfer to the ``catchpad`` if this is the first appropriate handler for
+requires to determine if this is an appropriate handler for the exception. Control
+will transfer to the ``catchpad`` if this is the first appropriate handler for
the exception.
The ``resultval`` has the type :ref:`token <t_token>` and is used to match the
diff --git a/llvm/lib/FuzzMutate/RandomIRBuilder.cpp b/llvm/lib/FuzzMutate/RandomIRBuilder.cpp
index 87392c2e69299..8b034137e4702 100644
--- a/llvm/lib/FuzzMutate/RandomIRBuilder.cpp
+++ b/llvm/lib/FuzzMutate/RandomIRBuilder.cpp
@@ -332,11 +332,6 @@ static bool isCompatibleReplacement(const Instruction *I, const Use &Operand,
return false;
return !Callee->hasParamAttribute(OperandNo, Attribute::ImmArg);
}
- case Instruction::CatchPad:
- // Argument operand must be alloca or constant
- if (!isa<Constant>(Replacement) && !isa<AllocaInst>(Replacement))
- return false;
- break;
default:
break;
}
diff --git a/llvm/lib/IR/Verifier.cpp b/llvm/lib/IR/Verifier.cpp
index bdca6800eddfe..bb552861130d2 100644
--- a/llvm/lib/IR/Verifier.cpp
+++ b/llvm/lib/IR/Verifier.cpp
@@ -4911,13 +4911,6 @@ void Verifier::visitCatchPadInst(CatchPadInst &CPI) {
Check(&*BB->getFirstNonPHIIt() == &CPI,
"CatchPadInst not the first non-PHI instruction in the block.", &CPI);
- Check(llvm::all_of(CPI.arg_operands(),
- [](Use &U) {
- auto *V = U.get();
- return isa<Constant>(V) || isa<AllocaInst>(V);
- }),
- "Argument operand must be alloca or constant.", &CPI);
-
visitEHPadPredecessors(CPI);
visitFuncletPadInst(CPI);
}
diff --git a/llvm/unittests/FuzzMutate/StrategiesTest.cpp b/llvm/unittests/FuzzMutate/StrategiesTest.cpp
index 278cce20119c6..fd91066b994a5 100644
--- a/llvm/unittests/FuzzMutate/StrategiesTest.cpp
+++ b/llvm/unittests/FuzzMutate/StrategiesTest.cpp
@@ -733,12 +733,11 @@ TEST(AllStrategies, SkipEHPad) {
StringRef Source = "\n\
define void @f(i32 %x) personality ptr @__CxxFrameHandler3 { \n\
entry: \n\
- %I = alloca i32, align 4 \n\
invoke void @g() to label %try.cont unwind label %catch.dispatch \n\
catch.dispatch: \n\
%0 = catchswitch within none [label %catch] unwind to caller \n\
catch: \n\
- %1 = catchpad within %0 [ptr null, i32 64, ptr %I] \n\
+ %1 = catchpad within %0 [ptr null, i32 64, ptr null] \n\
catchret from %1 to label %try.cont \n\
try.cont: \n\
ret void \n\
More information about the llvm-branch-commits
mailing list