[llvm-bugs] [Bug 46194] New: trunk clang miscompiles sqlite after 21dadd774
via llvm-bugs
llvm-bugs at lists.llvm.org
Thu Jun 4 02:43:33 PDT 2020
https://bugs.llvm.org/show_bug.cgi?id=46194
Bug ID: 46194
Summary: trunk clang miscompiles sqlite after 21dadd774
Product: new-bugs
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: hans at chromium.org
CC: htmldeveloper at gmail.com, llvm-bugs at lists.llvm.org, spatel+llvm at rotateright.com
OSSFuzz flagged an issue in SQLite that really appears to be a miscompile due
to an llvm bug:
https://sqlite.org/forum/forumpost/e7e828bb6f
It appears that in this code:
c = pMem->flags;
sqlite3VdbeMemRelease(pMem);
pMem->flags = MEM_Str|MEM_Term|(c&(MEM_AffMask|MEM_Subtype));
the load of pMem->flags is moved from before the call to sqlite3VdbeMemRelease
to afterwards, even though the call may affect the flags.
The suspect transformation can be observed with:
$ wget https://www.sqlite.org/2020/sqlite-amalgamation-3320100.zip
$ unzip sqlite-amalgamation-3320100.zip
$ build.release/bin/clang -fno-omit-frame-pointer -DSQLITE_DEBUG=1 -c -O1 \
    sqlite-amalgamation-3320100/sqlite3.c -o sqlite3.o && \
    objdump -dr sqlite3.o | grep -A500 '<sqlite3VdbeMemTranslate>:' | grep -B30 retq
2ee89: 41 80 fe 01 cmp $0x1,%r14b
2ee8d: 0f 94 c0 sete %al
2ee90: c6 01 00 movb $0x0,(%rcx)
2ee93: 49 63 4d 0c movslq 0xc(%r13),%rcx
2ee97: ba 02 00 00 00 mov $0x2,%edx
2ee9c: 29 c2 sub %eax,%edx
2ee9e: 48 01 ca add %rcx,%rdx
2eea1: 49 39 d1 cmp %rdx,%r9
2eea4: 0f 8c de 00 00 00 jl 2ef88 <sqlite3VdbeMemTranslate+0x688>
2eeaa: 4c 89 ef mov %r13,%rdi
2eead: e8 ee 8c fd ff callq 7ba0 <sqlite3VdbeMemRelease>
2eeb2: b8 3d 80 ff ff mov $0xffff803d,%eax
2eeb7: 41 23 45 08 and 0x8(%r13),%eax
2eebb: 0d 02 02 00 00 or $0x202,%eax
2eec0: 66 41 89 45 08 mov %ax,0x8(%r13)
2eec5: 45 88 75 0a mov %r14b,0xa(%r13)
2eec9: 4d 89 7d 10 mov %r15,0x10(%r13)
2eecd: 4d 89 7d 18 mov %r15,0x18(%r13)
2eed1: 49 8b 7d 28 mov 0x28(%r13),%rdi
2eed5: 4c 89 fe mov %r15,%rsi
2eed8: e8 c3 44 fd ff callq 33a0 <sqlite3DbMallocSize>
2eedd: 41 89 45 20 mov %eax,0x20(%r13)
2eee1: 31 c0 xor %eax,%eax
2eee3: 48 83 c4 08 add $0x8,%rsp
2eee7: 5b pop %rbx
2eee8: 41 5c pop %r12
2eeea: 41 5d pop %r13
2eeec: 41 5e pop %r14
2eeee: 41 5f pop %r15
2eef0: 5d pop %rbp
2eef1: c3 retq
Bisection shows that the behaviour changed at
commit 21dadd774f56778ef68c1ce307205dfbdacc793a
Author: Sanjay Patel <spatel at rotateright.com>
Date: Fri May 29 09:31:11 2020 -0400
[DAGCombiner] avoid unnecessary indirection from SDNode/SDValue; NFCI
Before that, the generated code looks like this:
2ee89: 41 80 fe 01 cmp $0x1,%r14b
2ee8d: 0f 94 c0 sete %al
2ee90: c6 01 00 movb $0x0,(%rcx)
2ee93: 49 63 4d 0c movslq 0xc(%r13),%rcx
2ee97: ba 02 00 00 00 mov $0x2,%edx
2ee9c: 29 c2 sub %eax,%edx
2ee9e: 48 01 ca add %rcx,%rdx
2eea1: 49 39 d1 cmp %rdx,%r9
2eea4: 0f 8c df 00 00 00 jl 2ef89 <sqlite3VdbeMemTranslate+0x689>
2eeaa: bb 3d 80 ff ff mov $0xffff803d,%ebx
2eeaf: 41 23 5d 08 and 0x8(%r13),%ebx <----- c = pMem->flags & (MEM_AffMask|MEM_Subtype)
2eeb3: 4c 89 ef mov %r13,%rdi
2eeb6: e8 e5 8c fd ff callq 7ba0 <sqlite3VdbeMemRelease>
2eebb: 81 cb 02 02 00 00 or $0x202,%ebx
2eec1: 66 41 89 5d 08 mov %bx,0x8(%r13) <----- pMem->flags = ...
2eec6: 45 88 75 0a mov %r14b,0xa(%r13)
2eeca: 4d 89 7d 10 mov %r15,0x10(%r13)
2eece: 4d 89 7d 18 mov %r15,0x18(%r13)
2eed2: 49 8b 7d 28 mov 0x28(%r13),%rdi
2eed6: 4c 89 fe mov %r15,%rsi
2eed9: e8 c2 44 fd ff callq 33a0 <sqlite3DbMallocSize>
2eede: 41 89 45 20 mov %eax,0x20(%r13)
2eee2: 31 c0 xor %eax,%eax
2eee4: 48 83 c4 08 add $0x8,%rsp
2eee8: 5b pop %rbx
2eee9: 41 5c pop %r12
2eeeb: 41 5d pop %r13
2eeed: 41 5e pop %r14
2eeef: 41 5f pop %r15
2eef1: 5d pop %rbp
2eef2: c3 retq
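The pattern the report describes, reduced to a stand-alone regression check. This is an added example, not code from the bug report, from SQLite or from LLVM: a struct with a flags word, an out-of-line release routine that overwrites the flags (standing in for sqlite3VdbeMemRelease), and the read/call/write sequence from sqlite3VdbeMemTranslate. The flag values are assumed for illustration; they are chosen so that MEM_Str|MEM_Term is 0x202 and (MEM_AffMask|MEM_Subtype) minus the MEM_Str bit is 0x803d, the two immediates visible in the disassembly above. The check encodes the intended semantics, namely that the load of flags happens before the call; with a correct compiler it passes, and a build in which the load is hoisted after the call would see MEM_Null in c and lose the affinity/subtype bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed flag values, modelled on SQLite's Mem flags for this example only.
 * MEM_Str|MEM_Term == 0x202 and (MEM_AffMask|MEM_Subtype) & ~MEM_Str == 0x803d,
 * matching the constants folded into the disassembly in the report. */
#define MEM_Null    0x0001
#define MEM_Str     0x0002
#define MEM_Int     0x0004
#define MEM_Blob    0x0010
#define MEM_AffMask 0x003f
#define MEM_Term    0x0200
#define MEM_Subtype 0x8000

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Hypothetical cut-down Mem: a flags word plus an owned heap buffer. */
typedef struct Mem {
    uint16_t flags;
    char *z;
} Mem;

/* Stand-in for sqlite3VdbeMemRelease. It is kept out of line so the call is
 * a real call, as in the report. The property that matters is that it writes
 * p->flags, so a load of p->flags must not be moved across it. */
NOINLINE static void memRelease(Mem *p) {
    free(p->z);
    p->z = NULL;
    p->flags = MEM_Null;
}

/* The three-line sequence from the report. c must hold the pre-release
 * flags; the compiled code may not reload p->flags after memRelease. */
uint16_t translateFlags(Mem *p) {
    uint16_t c = p->flags;
    memRelease(p);
    p->flags = (uint16_t)(MEM_Str | MEM_Term | (c & (MEM_AffMask | MEM_Subtype)));
    return p->flags;
}

/* Oracle: the same expression with no call in between, so there is nothing
 * for the optimizer to reorder. */
uint16_t expectedFlags(uint16_t before) {
    return (uint16_t)(MEM_Str | MEM_Term | (before & (MEM_AffMask | MEM_Subtype)));
}

/* What a hoisted load would produce: c read after memRelease is MEM_Null. */
uint16_t flagsIfLoadHoisted(void) {
    return expectedFlags(MEM_Null);
}

/* Regression check: 1 if the compiled translateFlags preserved the original
 * affinity/subtype bits, 0 if the load was effectively moved past the call. */
int checkTranslate(uint16_t before) {
    static const char sample[] = "sample"; /* constructed payload */
    Mem m;
    m.flags = before;
    m.z = malloc(sizeof sample);
    if (m.z == NULL) return 0;
    memcpy(m.z, sample, sizeof sample);
    uint16_t got = translateFlags(&m);
    free(m.z);
    return got == expectedFlags(before);
}

int main(void) {
    const uint16_t inputs[] = { MEM_Int | MEM_Subtype, MEM_Blob, MEM_Str | MEM_Term };
    int ok = 1;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int r = checkTranslate(inputs[i]);
        printf("flags 0x%04x -> %s\n", inputs[i], r ? "ok" : "MISCOMPILE");
        ok = ok && r;
    }
    return ok ? 0 : 1;
}
```

Build it at the same optimisation level as the report (-O1) with the compiler under test; a correct build exits 0. The out-of-line release call is what makes the check meaningful: if memRelease were inlined, the optimizer would see the store and no reordering question would arise.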