[llvm-bugs] [Bug 46194] New: trunk clang miscompiles sqlite after 21dadd774

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Jun 4 02:43:33 PDT 2020


https://bugs.llvm.org/show_bug.cgi?id=46194

            Bug ID: 46194
           Summary: trunk clang miscompiles sqlite after 21dadd774
           Product: new-bugs
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: new bugs
          Assignee: unassignedbugs at nondot.org
          Reporter: hans at chromium.org
                CC: htmldeveloper at gmail.com, llvm-bugs at lists.llvm.org,
                    spatel+llvm at rotateright.com

OSSFuzz flagged an issue in SQLite that really appears to be a miscompile due
to an llvm bug:
https://sqlite.org/forum/forumpost/e7e828bb6f


It appears that in this code:

      c = pMem->flags;
      sqlite3VdbeMemRelease(pMem);
      pMem->flags = MEM_Str|MEM_Term|(c&(MEM_AffMask|MEM_Subtype));

the load of pMem->flags is moved from before the call to sqlite3VdbeMemRelease
to afterwards, even though the call may affect the flags.


The suspect transformation can be observed with:

$ wget https://www.sqlite.org/2020/sqlite-amalgamation-3320100.zip
$ unzip sqlite-amalgamation-3320100.zip
$ build.release/bin/clang -fno-omit-frame-pointer -DSQLITE_DEBUG=1 -c -O1 \
      sqlite-amalgamation-3320100/sqlite3.c -o sqlite3.o && \
  objdump -dr sqlite3.o | grep -A500 '<sqlite3VdbeMemTranslate>:' | grep -B30 retq
   2ee89:       41 80 fe 01             cmp    $0x1,%r14b
   2ee8d:       0f 94 c0                sete   %al
   2ee90:       c6 01 00                movb   $0x0,(%rcx)
   2ee93:       49 63 4d 0c             movslq 0xc(%r13),%rcx
   2ee97:       ba 02 00 00 00          mov    $0x2,%edx
   2ee9c:       29 c2                   sub    %eax,%edx
   2ee9e:       48 01 ca                add    %rcx,%rdx
   2eea1:       49 39 d1                cmp    %rdx,%r9
   2eea4:       0f 8c de 00 00 00       jl     2ef88 <sqlite3VdbeMemTranslate+0x688>
   2eeaa:       4c 89 ef                mov    %r13,%rdi
   2eead:       e8 ee 8c fd ff          callq  7ba0 <sqlite3VdbeMemRelease>
   2eeb2:       b8 3d 80 ff ff          mov    $0xffff803d,%eax
   2eeb7:       41 23 45 08             and    0x8(%r13),%eax
   2eebb:       0d 02 02 00 00          or     $0x202,%eax
   2eec0:       66 41 89 45 08          mov    %ax,0x8(%r13)
   2eec5:       45 88 75 0a             mov    %r14b,0xa(%r13)
   2eec9:       4d 89 7d 10             mov    %r15,0x10(%r13)
   2eecd:       4d 89 7d 18             mov    %r15,0x18(%r13)
   2eed1:       49 8b 7d 28             mov    0x28(%r13),%rdi
   2eed5:       4c 89 fe                mov    %r15,%rsi
   2eed8:       e8 c3 44 fd ff          callq  33a0 <sqlite3DbMallocSize>
   2eedd:       41 89 45 20             mov    %eax,0x20(%r13)
   2eee1:       31 c0                   xor    %eax,%eax
   2eee3:       48 83 c4 08             add    $0x8,%rsp
   2eee7:       5b                      pop    %rbx
   2eee8:       41 5c                   pop    %r12
   2eeea:       41 5d                   pop    %r13
   2eeec:       41 5e                   pop    %r14
   2eeee:       41 5f                   pop    %r15
   2eef0:       5d                      pop    %rbp
   2eef1:       c3                      retq




Bisection shows that the behaviour changed at

commit 21dadd774f56778ef68c1ce307205dfbdacc793a
Author: Sanjay Patel <spatel at rotateright.com>
Date:   Fri May 29 09:31:11 2020 -0400

    [DAGCombiner] avoid unnecessary indirection from SDNode/SDValue; NFCI




Before that, the generated code looks like this:

   2ee89:       41 80 fe 01             cmp    $0x1,%r14b
   2ee8d:       0f 94 c0                sete   %al
   2ee90:       c6 01 00                movb   $0x0,(%rcx)
   2ee93:       49 63 4d 0c             movslq 0xc(%r13),%rcx
   2ee97:       ba 02 00 00 00          mov    $0x2,%edx
   2ee9c:       29 c2                   sub    %eax,%edx
   2ee9e:       48 01 ca                add    %rcx,%rdx
   2eea1:       49 39 d1                cmp    %rdx,%r9
   2eea4:       0f 8c df 00 00 00       jl     2ef89 <sqlite3VdbeMemTranslate+0x689>
   2eeaa:       bb 3d 80 ff ff          mov    $0xffff803d,%ebx
   2eeaf:       41 23 5d 08             and    0x8(%r13),%ebx     <----- c = pMem->flags & (MEM_AffMask|MEM_Subtype)
   2eeb3:       4c 89 ef                mov    %r13,%rdi
   2eeb6:       e8 e5 8c fd ff          callq  7ba0 <sqlite3VdbeMemRelease>
   2eebb:       81 cb 02 02 00 00       or     $0x202,%ebx
   2eec1:       66 41 89 5d 08          mov    %bx,0x8(%r13)      <----- pMem->flags = ...
   2eec6:       45 88 75 0a             mov    %r14b,0xa(%r13)
   2eeca:       4d 89 7d 10             mov    %r15,0x10(%r13)
   2eece:       4d 89 7d 18             mov    %r15,0x18(%r13)
   2eed2:       49 8b 7d 28             mov    0x28(%r13),%rdi
   2eed6:       4c 89 fe                mov    %r15,%rsi
   2eed9:       e8 c2 44 fd ff          callq  33a0 <sqlite3DbMallocSize>
   2eede:       41 89 45 20             mov    %eax,0x20(%r13)
   2eee2:       31 c0                   xor    %eax,%eax
   2eee4:       48 83 c4 08             add    $0x8,%rsp
   2eee8:       5b                      pop    %rbx
   2eee9:       41 5c                   pop    %r12
   2eeeb:       41 5d                   pop    %r13
   2eeed:       41 5e                   pop    %r14
   2eeef:       41 5f                   pop    %r15
   2eef1:       5d                      pop    %rbp
   2eef2:       c3                      retq

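A stand-alone reduction of the pattern described in the report, added here as an example; it is not code from the bug report, from SQLite, or from LLVM. The Mem struct, stand_in_release(), translate_flags() and the MEM_Dyn bit are assumptions made for this example only; the MEM_Str, MEM_Term, MEM_AffMask and MEM_Subtype values are assumed to match SQLite 3.32 (they are consistent with the 0x202 OR constant and 0x803d AND mask visible in the disassembly above). The release function is an opaque (noinline) call that clears the flags, exactly the situation in which the load of pMem->flags must stay before the call: a correct compiler keeps the pre-call value in c, while the sunk load described in the report would read back zero and drop the affinity and subtype bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits assumed to match SQLite 3.32's vdbeInt.h. MEM_Dyn is only a
 * stand-in "buffer owned, has a destructor" bit for this example. */
#define MEM_Str      0x0002
#define MEM_Term     0x0200
#define MEM_AffMask  0x003f
#define MEM_Subtype  0x8000
#define MEM_Dyn      0x0400

/* Cut-down stand-in for SQLite's Mem: just the fields this pattern touches. */
typedef struct Mem {
    uint16_t flags;
    char *z;
    void (*xDel)(void *);
} Mem;

/* Stand-in for sqlite3VdbeMemRelease(): opaque to the caller, frees any
 * owned buffer and wipes the flags. Because the callee may write
 * pMem->flags, the caller's load of pMem->flags must not move past it. */
__attribute__((noinline)) void stand_in_release(Mem *pMem) {
    if ((pMem->flags & MEM_Dyn) && pMem->xDel) pMem->xDel(pMem->z);
    pMem->z = NULL;
    pMem->xDel = NULL;
    pMem->flags = 0;   /* affinity and subtype bits are gone after this */
}

/* The three lines from sqlite3VdbeMemTranslate quoted in the report.
 * Correct: c holds the flags as they were before the release call. */
__attribute__((noinline)) uint16_t translate_flags(Mem *pMem) {
    uint16_t c = pMem->flags;
    stand_in_release(pMem);
    pMem->flags = MEM_Str | MEM_Term | (c & (MEM_AffMask | MEM_Subtype));
    return pMem->flags;
}

/* Run the pattern on a Mem whose flags start at initial_flags and return
 * the resulting flags word. */
uint16_t translated_flags_for(uint16_t initial_flags) {
    Mem m;
    memset(&m, 0, sizeof m);
    m.flags = initial_flags;
    return translate_flags(&m);
}

/* 1 if the affinity/subtype bits survived the release call, 0 if they were
 * lost (which is what a load sunk past the call would produce). */
int check_flags_preserved(uint16_t initial_flags) {
    uint16_t got  = translated_flags_for(initial_flags);
    uint16_t want = MEM_Str | MEM_Term |
                    (initial_flags & (MEM_AffMask | MEM_Subtype));
    return got == want;
}

int main(void) {
    /* Constructed input: an affinity value in the low bits plus MEM_Subtype. */
    uint16_t flags = 0x0004 | MEM_Subtype;
    printf("flags preserved: %s\n",
           check_flags_preserved(flags) ? "yes" : "NO (load moved past the call?)");
    return 0;
}
```

Build it with the bisected compiler at -O1 and at -O2 and compare against a known-good build; because the stand-in clears flags, a reload after the call always yields 0x0202 regardless of input, so any failure of check_flags_preserved() points at the load being reordered rather than at the arithmetic.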