[llvm-bugs] [Bug 47980] New: Instcombine optimization f5df5cd55 causes miscompile in CFI code for Android

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Oct 26 10:47:24 PDT 2020


https://bugs.llvm.org/show_bug.cgi?id=47980

            Bug ID: 47980
           Summary: Instcombine optimization f5df5cd55 causes miscompile
                    in CFI code for Android
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Scalar Optimizations
          Assignee: unassignedbugs at nondot.org
          Reporter: pirama at google.com
                CC: eugeni.stepanov at gmail.com, lebedev.ri at gmail.com,
                    llvm-bugs at lists.llvm.org, srhines at google.com

Created attachment 24101
  --> https://bugs.llvm.org/attachment.cgi?id=24101&action=edit
repro

https://github.com/llvm/llvm-project/commit/f5df5cd5586ae9cfb2d9e53704dfc76f47aff149
causes a miscompile for __cfi_slowpath_diag in
https://android.googlesource.com/platform/bionic/+/refs/heads/master/libdl/libdl_cfi.cpp.
 The optimization in f5df5cd5586 fires for the following lines:

uintptr_t p = aligned_addr - (static_cast<uintptr_t>(v - CFIShadow::kRegularShadowMin)
                              << CFIShadow::kCfiCheckGranularity);

The optimization seems valid but it somehow triggers a downstream miscompile.

With f5df5cd5586, the trailing end of cfi_slowpath_diag looks like this:

...
  a8:   b002            add     sp, #8
  aa:   bdd0            pop     {r4, r6, r7, pc}
  ac:   2400            movs    r4, #0
  ae:   f6cf 74fc       movt    r4, #65532      ; 0xfffc
  b2:   f504 3e7c       add.w   lr, r4, #258048 ; 0x3f000
  b6:   4614            mov     r4, r2
  b8:   f36f 0411       bfc     r4, #0, #18
  bc:   fb0c 440e       mla     r4, ip, lr, r4
  c0:   f504 2484       add.w   r4, r4, #270336 ; 0x42000
  c4:   3401            adds    r4, #1
  c6:   b002            add     sp, #8
  c8:   e8bd 40d0       ldmia.w sp!, {r4, r6, r7, lr}
  cc:   4720            bx      r4
  ce:   bf00            nop
  d0:   00000044        andeq   r0, r0, r4, asr #32


Note that the value in $r4 from address 42 is clobbered by the ldmia in 46 but
is still used as the branch target in 4a.

With f5df5cd5586 reverted,
...
  a0:   b002            add     sp, #8
  a2:   bdd0            pop     {r4, r6, r7, pc}
  a4:   f502 2e80       add.w   lr, r2, #262144 ; 0x40000
  a8:   f44f 5400       mov.w   r4, #8192       ; 0x2000
  ac:   f364 0e11       bfi     lr, r4, #0, #18
  b0:   2400            movs    r4, #0
  b2:   f6cf 74fc       movt    r4, #65532      ; 0xfffc
  b6:   f504 347c       add.w   r4, r4, #258048 ; 0x3f000
  ba:   fb0c e404       mla     r4, ip, r4, lr
  be:   f044 0c01       orr.w   ip, r4, #1
  c2:   b002            add     sp, #8
  c4:   e8bd 40d0       ldmia.w sp!, {r4, r6, r7, lr}
  c8:   4760            bx      ip
  ca:   bf00            nop
  cc:   00000048        andeq   r0, r0, r8, asr #32
                        cc: R_ARM_REL32 _ZL19shadow_base_storage

Note that the address is computed in $ip instead of $r4.

To reproduce, build the attached source with the following command:

$ clang++ -c -mthumb -O2 -target armv7a-linux-androideabi -o libdl_cfi.o libdl_cfi.ii

Note that this doesn't reproduce without -mthumb.
