[llvm-bugs] [Bug 51362] New: Incorrect code generation when enabled stack instrumentation with arm64 MTE

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Aug 5 08:42:44 PDT 2021


            Bug ID: 51362
           Summary: Incorrect code generation when enabled stack
                    instrumentation with arm64 MTE
           Product: clang
           Version: 12.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: C
          Assignee: unassignedclangbugs at nondot.org
          Reporter: scopichmu at gmail.com
                CC: blitzrakete at gmail.com, dgregor at apple.com,
                    erik.pilkington at gmail.com, llvm-bugs at lists.llvm.org,
                    richard-llvm at metafoo.co.uk

Stack instrumentation with arm64 MTE were enabled using such options: "-target
aarch64-linux -march=armv8+memtag -fsanitize=memtag". Clang generates such

00000000000014a0 <test_func>:
    14a0:       d100c3ff        sub     sp, sp, #0x30
    14a4:       a9027bfd        stp     x29, x30, [sp, #32]
    14a8:       910083fd        add     x29, sp, #0x20
    14c8:       f81f83a8        stur    x8, [x29, #-8]

Here Clang copies address of stack into 'x29' register then copy 'x8' register
into stack using 'x29' register. This violates arm spec. and causes false
positive Tag Check Fault MTE reports.

When CPU executes 'stur' instruction (at address 14c8), Synchronous Tag Check
Fault exception is triggered. Exception happens because only 'sp' allows to be
used to perform Tag Unchecked access - all load and store instructions with SP
base register and immediate offset do not check tags. Arm spec. says:

A Tag Unchecked access will be generated for a load or store that uses either
of the following:
• A base register only, with the SP as the base register.
• A base register plus immediate offset addressing form, with the SP as the
base register.


You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20210805/1bb604af/attachment.html>

More information about the llvm-bugs mailing list