[llvm-bugs] [Bug 27605] New: InstCombine optimization changes Address Sanitizer instrumentation and alters its behavior

via llvm-bugs llvm-bugs at lists.llvm.org
Mon May 2 10:39:15 PDT 2016


https://llvm.org/bugs/show_bug.cgi?id=27605

            Bug ID: 27605
           Summary: InstCombine optimization changes Address Sanitizer
                    instrumentation and alters its behavior
           Product: libraries
           Version: 3.8
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Miscellaneous Instrumentation passes
          Assignee: unassignedbugs at nondot.org
          Reporter: nahk4r at gmail.com
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

Created attachment 16294
  --> https://llvm.org/bugs/attachment.cgi?id=16294&action=edit
bitcode of code.c from bh benchmark in olden suite.

Here's what's going on.
I have a snippet of code:

  %59 = load i8, i8* inttoptr (i64 add (i64 lshr (i64 ptrtoint (i32*
getelementptr inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1)
to i64), i64 3), i64 2147450880) to i8*)
  %60 = icmp ne i8 %59, 0
  br i1 %60, label %61, label %64

; <label>:61:                                     ; preds = %if.else
  %62 = icmp sge i8 trunc (i64 add (i64 and (i64 ptrtoint (i32* getelementptr
inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1) to i64), i64
7), i64 3) to i8), %59
  br i1 %62, label %63, label %64

; <label>:63:                                     ; preds = %61
  call void @__asan_report_store4(i64 ptrtoint (i32* getelementptr inbounds
(%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1) to i64))
  call void asm sideeffect "", ""()
  unreachable

; <label>:64:                                     ; preds = %61, %if.else
  store i32 %call15, i32* getelementptr inbounds (%struct.anon.0,
%struct.anon.0* @bodytab, i32 0, i32 1), align 8

This is a part of the LLVM IR inside the "startrun" function, retrieved by
compiling code.c from the bh benchmark in the Olden benchmark suite, using the
following command:
clang -c -emit-llvm -fsanitize=address code.c -O0

This basically creates bitcode of code.c using Address Sanitizer and no
optimization.

I have attached the codeInst.bc file. This file is code.bc, but I've added some
metadata to the instructions to easily identify which code has been added by
Address Sanitizer.
To find the above code, you can search for "!poistartrun11."

The problem is, once I optimize this code with -O3:
opt -disable-inlining -O3 < codeInst.bc > codeInstOpt3.bc

The following is the code I get:

  %call15 = tail call i32 @getiparam(i8* nonnull getelementptr inbounds ({ [6 x
i8], [58 x i8] }, { [6 x i8], [58 x i8] }* @.str.24, i64 0, i32 0, i64 0)) #3
  %52 = load i8, i8* inttoptr (i64 add (i64 lshr (i64 ptrtoint (i32*
getelementptr inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i64 0, i32 1)
to i64), i64 3), i64 2147450880) to i8*)
  %53 = icmp ne i8 %52, 0
  %54 = icmp slt i8 %52, 4
  %or.cond7 = and i1 %53, %54
  br i1 %or.cond7, label %55, label %56

; <label>:55:                                     ; preds = %if.else
  tail call void @__asan_report_store4(i64 ptrtoint (i32* getelementptr
inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i64 0, i32 1) to i64)) #3
  tail call void asm sideeffect "", ""() #3
  unreachable

; <label>:56:                                     ; preds = %if.else
  store i32 %call15, i32* getelementptr inbounds (%struct.anon.0,
%struct.anon.0* @bodytab, i64 0, i32 1), align 8

The difference is at these lines:
 %62 = icmp sge i8 trunc (i64 add (i64 and (i64 ptrtoint (i32* getelementptr
inbounds (%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1) to i64), i64
7), i64 3) to i8), %59

and

%54 = icmp slt i8 %52, 4

For some reason,
  i8 trunc (i64 add (i64 and (i64 ptrtoint (i32* getelementptr inbounds
(%struct.anon.0, %struct.anon.0* @bodytab, i32 0, i32 1) to i64)
seems to be translated into the number "4."

I have confirmed that this is causing a problem by compiling the "bh" benchmark
using Address Sanitizer, and it ran fine. Once I compiled it using Address
Sanitizer AND -O3, Address Sanitizer threw an exception and exited (basically
jumping to label 55 in the -O3 version).

Here are some things that I found about this bug:
1. It is caused by InstCombine. When I compiled using only the instcombine pass,
the optimization was present.
2. This is happening in every Address Sanitizer instrumentation optimization
when "@bodytab, i32 0, i32 1" is in there. You will find multiple instances in
code.bc where such an optimization is happening.
3. The versions of the compilers I used to check this are:
  a. clang version 3.9.0 (trunk 259660) (llvm/trunk 259659)
  b. clang version 3.8.1 (branches/release_38 265724) (llvm/branches/release_38
265723)

If there is any additional information you need, please let me know.
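Added example (not from the bug report, the Olden benchmark or LLVM): a C model of the two shadow checks quoted above, for a 4-byte store at address `addr`. It computes the shadow byte address the IR loads and compares the -O0 predicate `(addr & 7) + 3 >= shadow` against the folded `shadow < 4`; the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Shadow mapping constants as they appear in the quoted IR: addr >> 3, plus 2147450880. */
#define SHADOW_SCALE  3
#define SHADOW_OFFSET 2147450880ULL

/* Address of the shadow byte that both versions of the IR load. */
uint64_t shadow_addr(uint64_t addr)
{
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET;
}

/* -O0 check: `%62 = icmp sge i8 trunc((addr & 7) + 3), %59`, evaluated only when %59 != 0.
 * (addr & 7) + 3 is the offset within the 8-byte granule of the last byte of the store. */
bool reports_original(uint64_t addr, int8_t shadow)
{
    if (shadow == 0)
        return false;                                 /* whole granule addressable */
    int8_t last_byte = (int8_t)((addr & 7) + 3);      /* the i64 -> i8 trunc */
    return last_byte >= shadow;                       /* signed compare, as icmp sge */
}

/* -O3 check after InstCombine: `%54 = icmp slt i8 %52, 4`, and'ed with %52 != 0. */
bool reports_folded(int8_t shadow)
{
    return shadow != 0 && shadow < 4;
}

/* True if the two checks agree for every possible shadow byte value at this address. */
bool checks_agree(uint64_t addr)
{
    for (int s = -128; s <= 127; s++)
        if (reports_original(addr, (int8_t)s) != reports_folded((int8_t)s))
            return false;
    return true;
}

int main(void)
{
    /* Constructed sample addresses: one 8-byte aligned, one at granule offset 4. */
    uint64_t addrs[] = { 0x601040ULL, 0x601044ULL };
    for (int i = 0; i < 2; i++)
        printf("addr 0x%llx (addr & 7 = %llu): shadow byte at 0x%llx, checks %s\n",
               (unsigned long long)addrs[i], (unsigned long long)(addrs[i] & 7),
               (unsigned long long)shadow_addr(addrs[i]),
               checks_agree(addrs[i]) ? "agree" : "DIFFER");
    return 0;
}
```

The folded predicate accepts exactly the shadow values the original does only when `addr & 7 == 0`; at any other granule offset the two disagree for shadow values between 4 and `(addr & 7) + 3`.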
