[LLVMbugs] [Bug 15320] New: Miscompilation leading to SIGFPE in div

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Thu Feb 21 03:19:38 PST 2013 

http://llvm.org/bugs/show_bug.cgi?id=15320

            Bug ID: 15320
           Summary: Miscompilation leading to SIGFPE in div
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Register Allocator
          Assignee: unassignedbugs at nondot.org
          Reporter: samsonov at google.com
                CC: chandlerc at gmail.com, kcc at google.com, lhames at gmail.com,
                    llvmbugs at cs.uiuc.edu
    Classification: Unclassified

Created attachment 10051
  --> http://llvm.org/bugs/attachment.cgi?id=10051&action=edit
Bitcode for failing test case

The following code fails after

r175688 - Kill of TransferDeadFlag - Dead copies and subreg-to-reg instructions
should just be turned into kills on the spot.

by lhames.

$ cat tmp/div/div.cc
#include <stdint.h>
#include <stdio.h>

uint8_t xxx0;
int64_t xxx1;
int64_t xxx2;

uint8_t *minsn;
uint8_t *lr;

void foo() {
  const int64_t adv_address = (xxx0 / *lr) * *minsn;
  const int64_t adv_line = (xxx0 % *lr) - 5;
  xxx1 += adv_address;
  xxx2 += adv_line;
}

int main() {
  minsn = new uint8_t;
  *minsn = 1;
  lr = new uint8_t;
  *lr = 14;
  xxx0 = 129;
  foo();
  printf("%ld %ld\n", xxx1, xxx2);
  return 0;
}
$ bin/clang++ -fsanitize=address -O1 tmp/div/div.cc && ./a.out
Floating point exception (core dumped)

Note that bug reproduces only under -fsanitize=address, although looks like the
problem is not ASan-related. 

Assembler dump of the crash point:
Dump of assembler code for function _Z3foov:
   0x000000000041bba0 <+0>:    push   %rax
   0x000000000041bba1 <+1>:    mov    0x2d70cd8(%rip),%rdi
   0x000000000041bba8 <+8>:    mov    %rdi,%rax
   0x000000000041bbab <+11>:    shr    $0x3,%rax
   0x000000000041bbaf <+15>:    mov    0x7fff8000(%rax),%cl
   0x000000000041bbb5 <+21>:    mov    0x2d70bc5(%rip),%al <-- %al is
initialized
   0x000000000041bbbb <+27>:    test   %cl,%cl
   0x000000000041bbbd <+29>:    je     0x41bbc8 <_Z3foov+40>
   0x000000000041bbbf <+31>:    mov    %edi,%edx
   0x000000000041bbc1 <+33>:    and    $0x7,%edx
   0x000000000041bbc4 <+36>:    cmp    %cl,%dl
   0x000000000041bbc6 <+38>:    jge    0x41bc23 <_Z3foov+131>
   0x000000000041bbc8 <+40>:    movzbl %al,%ecx
   0x000000000041bbcb <+43>:    mov    (%rdi),%r8b
=> 0x000000000041bbce <+46>:    div    %r8b  <-------- %ax is divided by %r8b

Here the "div" instruction divides %ax by %r8b, but only the %al stores the
sane value, while %ah may contain arbitrary garbage.

Attaching the LLVM bitcode.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20130221/6e271ac1/attachment.html>

More information about the llvm-bugs mailing list