[llvm-bugs] [Bug 45590] New: Segfault with update-load-metadata-during-inlining

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Apr 17 13:12:19 PDT 2020


https://bugs.llvm.org/show_bug.cgi?id=45590

            Bug ID: 45590
           Summary: Segfault with update-load-metadata-during-inlining
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Transformation Utilities
          Assignee: unassignedbugs at nondot.org
          Reporter: yamauchi at google.com
                CC: llvm-bugs at lists.llvm.org

This regards this commit

https://reviews.llvm.org/rG1d0f757904919d19f1cf5dcd307874bceb1e9efb
https://reviews.llvm.org/D76792

What I think is happening is an incorrect hoisting of a load above the size
check. The dereferenceable attribute gets copied from the call instruction to
the load after inlining, and because of that dereferenceable annotation the
load is then incorrectly treated as safe to hoist above the check.

Here's a reduced test with repro steps:

$ cat D76792.cc 
#include <cstddef>

template<typename T>
struct Vec {
  T *begin;   // start of the element range; nullptr after default construction
  T *end;     // one past the last element; nullptr after default construction
  T buf[1];   // never read or written in this repro; presumably here so the
              // struct is three pointers wide (the IR below shows
              // dereferenceable(24) on the argument) -- inferred, not stated
  // Both range pointers start null, so size() is 0 and front() would
  // dereference nullptr.
  Vec() : begin(nullptr), end(nullptr) {}
  // Element count as a pointer difference; 0 for a default-constructed Vec.
  size_t size() { return end - begin; }
  // Unchecked access to the first element: this is the load that the report
  // says ends up hoisted above the size() check in test() after inlining.
  T& front() { return *begin; }
};

int g = 1;  // fallback target: test() returns &g whenever the size check fails

// Returns the single element when v holds exactly one, otherwise &g.
// noinline keeps test() as a separate function so its IR (shown below) can
// be inspected; front() is still inlined into it (the IR shows no call).
__attribute((noinline))
int* test(Vec<int*> &v) {
  // The size check is the only thing guarding the dereference in front().
  // Per the report, after inlining the load of *v.begin is treated as
  // dereferenceable and speculated above this check, so it executes even
  // when v is empty (begin == nullptr in main) -> segfault.
  if (v.size() == 1) {
    return v.front(); // <---- this load gets hoisted above the size check
  }
  return &g;
}

int main() {
  Vec<int*> vec;          // empty: begin == end == nullptr, size() == 0
  int *p = test(vec);     // should take the fallback path and return &g
  *p = 33;                // writes g when test() is compiled correctly
  return *p;              // expected exit status 33; the report observes a
                          // segfault instead at -O3 with the cmov converter off
}
$ # Disable x86-cmov-converter as it hides this bug
$ clang -O3 -o D76792 -mllvm -x86-cmov-converter=false D76792.cc 
$ ./D76792
Segmentation fault
$ clang -O3 -o D76792 -mllvm -x86-cmov-converter=false -mllvm -update-load-metadata-during-inlining=false D76792.cc
$ ./D76792 
$ # No segfault
$ clang -S -O3 -emit-llvm D76792.cc
$ cat D76792.ll
...
define dso_local i32* @_Z4testR3VecIPiE(%struct.Vec* nocapture readonly
dereferenceable(24) %v) local_unnamed_addr #0 {
entry:
  ; Load v.end (field 1) and v.begin (field 0) as integers; both loads are
  ; unconditional because size() needs them.
  %end.i = getelementptr inbounds %struct.Vec, %struct.Vec* %v, i64 0, i32 1
  %0 = bitcast i32*** %end.i to i64*
  %1 = load i64, i64* %0, align 8, !tbaa !2
  %2 = bitcast %struct.Vec* %v to i64*
  %3 = load i64, i64* %2, align 8
  ; end - begin in bytes; comparing against 8 is size() == 1 (presumably
  ; sizeof(int*) == 8 on this target, consistent with dereferenceable(24)).
  %sub.ptr.sub.i = sub i64 %1, %3
  %cmp = icmp eq i64 %sub.ptr.sub.i, 8
  ; %3 is v.begin; the load below is *begin (front()) and is no longer guarded
  ; by %cmp -- it runs even when begin is null, which is the reported segfault.
  %.cast = inttoptr i64 %3 to i32**
  %4 = load i32*, i32** %.cast, align 8    ; <---- this load was hoisted above the size check
  ; The branch has been folded into a select, so the load above always executes.
  %retval.0 = select i1 %cmp, i32* %4, i32* @g
  ret i32* %retval.0
}


