[llvm-bugs] [Bug 47980] New: Instcombine optimization f5df5cd55 causes miscompile in CFI code for Android
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Oct 26 10:47:24 PDT 2020
https://bugs.llvm.org/show_bug.cgi?id=47980
Bug ID: 47980
Summary: Instcombine optimization f5df5cd55 causes miscompile in CFI code for Android
Product: libraries
Version: trunk
Hardware: PC
OS: All
Status: NEW
Severity: enhancement
Priority: P
Component: Scalar Optimizations
Assignee: unassignedbugs at nondot.org
Reporter: pirama at google.com
CC: eugeni.stepanov at gmail.com, lebedev.ri at gmail.com, llvm-bugs at lists.llvm.org, srhines at google.com
Created attachment 24101 (repro) --> https://bugs.llvm.org/attachment.cgi?id=24101&action=edit
https://github.com/llvm/llvm-project/commit/f5df5cd5586ae9cfb2d9e53704dfc76f47aff149 causes a miscompile for __cfi_slowpath_diag in https://android.googlesource.com/platform/bionic/+/refs/heads/master/libdl/libdl_cfi.cpp.
The optimization in f5df5cd5586 fires for the following lines:
    uintptr_t p = aligned_addr - (static_cast<uintptr_t>(v - CFIShadow::kRegularShadowMin)
                                  << CFIShadow::kCfiCheckGranularity);
The optimization seems valid but it somehow triggers a downstream miscompile.
With f5df5cd5586, the trailing end of cfi_slowpath_diag looks like this:
...
a8: b002 add sp, #8
aa: bdd0 pop {r4, r6, r7, pc}
ac: 2400 movs r4, #0
ae: f6cf 74fc movt r4, #65532 ; 0xfffc
b2: f504 3e7c add.w lr, r4, #258048 ; 0x3f000
b6: 4614 mov r4, r2
b8: f36f 0411 bfc r4, #0, #18
bc: fb0c 440e mla r4, ip, lr, r4
c0: f504 2484 add.w r4, r4, #270336 ; 0x42000
c4: 3401 adds r4, #1
c6: b002 add sp, #8
c8: e8bd 40d0 ldmia.w sp!, {r4, r6, r7, lr}
cc: 4720 bx r4
ce: bf00 nop
d0: 00000044 andeq r0, r0, r4, asr #32
Note that the value in $r4 from address 42 is clobbered by the ldmia in 46 but is still used as the branch target in 4a.
With f5df5cd5586 reverted,
...
a0: b002 add sp, #8
a2: bdd0 pop {r4, r6, r7, pc}
a4: f502 2e80 add.w lr, r2, #262144 ; 0x40000
a8: f44f 5400 mov.w r4, #8192 ; 0x2000
ac: f364 0e11 bfi lr, r4, #0, #18
b0: 2400 movs r4, #0
b2: f6cf 74fc movt r4, #65532 ; 0xfffc
b6: f504 347c add.w r4, r4, #258048 ; 0x3f000
ba: fb0c e404 mla r4, ip, r4, lr
be: f044 0c01 orr.w ip, r4, #1
c2: b002 add sp, #8
c4: e8bd 40d0 ldmia.w sp!, {r4, r6, r7, lr}
c8: 4760 bx ip
ca: bf00 nop
cc: 00000048 andeq r0, r0, r8, asr #32
cc: R_ARM_REL32 _ZL19shadow_base_storage
Note that the address is computed in $ip instead of $r4.
To reproduce, build the attached source with the following command:
    $ clang++ -c -mthumb -O2 -target armv7a-linux-androideabi -o libdl_cfi.o libdl_cfi.ii
Note that this doesn't reproduce without -mthumb.
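As an added example (not part of the bug report and not LLVM code), the script below mechanises the check the reporter performs by hand on the two epilogues above: it parses objdump-style Thumb listing lines and flags any `bx <reg>` whose register was most recently written by a `pop`/`ldmia sp!` restore, which is exactly the "branch target clobbered by the epilogue" pattern. The sample input is copied from the two listings in the report; the line-format regex, the register names and the "first operand is the destination" heuristic are assumptions about objdump output and cover only the instruction forms that appear in those listings.

```python
import re

# Constructed sample input: the tail of __cfi_slowpath_diag as quoted in the
# bug report, first with f5df5cd5586 applied and then with it reverted.
MISCOMPILED = """\
c0: f504 2484 add.w r4, r4, #270336 ; 0x42000
c4: 3401 adds r4, #1
c6: b002 add sp, #8
c8: e8bd 40d0 ldmia.w sp!, {r4, r6, r7, lr}
cc: 4720 bx r4
"""

REVERTED = """\
ba: fb0c e404 mla r4, ip, r4, lr
be: f044 0c01 orr.w ip, r4, #1
c2: b002 add sp, #8
c4: e8bd 40d0 ldmia.w sp!, {r4, r6, r7, lr}
c8: 4760 bx ip
"""

# One objdump line: "<addr>: <encoding words> <mnemonic> <operands> [; comment]".
# Assumption: encoding words are 4 or 8 hex digits, as in the listings above.
LINE_RE = re.compile(
    r"^\s*(?P<addr>[0-9a-f]+):\s+"
    r"(?P<enc>(?:[0-9a-f]{4}(?:[0-9a-f]{4})?\s+)+)"
    r"(?P<mnem>[a-z][a-z0-9.]*)\s*(?P<ops>[^;]*)"
)
REGLIST_RE = re.compile(r"\{([^}]*)\}")
REG_RE = re.compile(r"^(r\d+|sp|lr|pc|ip|fp|sl|sb)$")

STACK_RESTORES = ("pop", "ldmia", "ldm", "ldmfd")
NO_DEST = ("bx", "blx", "b", "cmp", "cmn", "tst", "teq",
           "push", "stmdb", "stm", "stmia", "str", "strd")


def parse_listing(text):
    """Return (addr, mnemonic, operand-string) for every parseable line."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append((m["addr"], m["mnem"], m["ops"].strip()))
    return insns


def written_regs(mnem, ops):
    """Registers an instruction writes. Heuristic: register-list loads write
    the whole list; flag-setting/store/branch forms write nothing; otherwise
    the first operand is the destination."""
    base = mnem.split(".")[0]
    if base in STACK_RESTORES:
        lst = REGLIST_RE.search(ops)
        return {r.strip() for r in lst.group(1).split(",")} if lst else set()
    if base in NO_DEST:
        return set()
    first = ops.split(",")[0].strip()
    return {first} if REG_RE.match(first) else set()


def find_clobbered_branch_targets(text):
    """Return (branch_addr, reg, restore_addr) for every 'bx/blx <reg>' whose
    register was last written by a stack restore, i.e. the epilogue
    overwrote the computed branch target before the jump."""
    insns = parse_listing(text)
    findings = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem.split(".")[0] not in ("bx", "blx"):
            continue
        target = ops.strip()
        if not REG_RE.match(target):
            continue
        # Walk back to the most recent writer of the target register.
        for prev_addr, prev_mnem, prev_ops in reversed(insns[:i]):
            if target in written_regs(prev_mnem, prev_ops):
                if prev_mnem.split(".")[0] in STACK_RESTORES:
                    findings.append((addr, target, prev_addr))
                break
    return findings


if __name__ == "__main__":
    for name, listing in (("with f5df5cd5586", MISCOMPILED),
                          ("reverted", REVERTED)):
        hits = find_clobbered_branch_targets(listing)
        print(f"{name}: {hits if hits else 'no clobbered branch target'}")
```

On the first listing the walk-back from `bx r4` stops at the `ldmia.w sp!, {r4, ...}` and reports it; on the reverted listing the walk-back from `bx ip` stops at `orr.w ip, r4, #1`, which is an ordinary writer, so nothing is reported.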