[llvm-bugs] [Bug 49322] New: SystemZ stack temporary overflow
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Feb 22 14:56:40 PST 2021
https://bugs.llvm.org/show_bug.cgi?id=49322
Bug ID: 49322
Summary: SystemZ stack temporary overflow
Product: libraries
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: Backend: SystemZ
Assignee: unassignedbugs at nondot.org
Reporter: jistone at redhat.com
CC: llvm-bugs at lists.llvm.org
This bug was reduced from one of the failures in Rust #80810:
https://github.com/rust-lang/rust/issues/80810
When a large integer argument on s390x is passed indirectly (through a stack temporary), but its type
is not a multiple of 64 bits, the stores that initialize the temporary are still emitted in 64-bit
chunks and may clobber neighboring values on the stack.
### arg-i96.ll
; Reproducer for the s390x i96-argument stack temporary overflow (Bug 49322).
; Big-endian s390x layout; i64 is 64-bit aligned, so the 12-byte i96
; temporary ends up with align=8 (see the frame-object dump below).
target datalayout = "E-m:e-i1:8:16-i8:8:16-i64:64-f128:64-a:8:16-n32:64"
target triple = "s390x-unknown-linux-gnu"
; i96 is not a multiple of 64 bits; the SystemZ backend passes it indirectly
; through a stack temporary, which is where the overflowing stores happen.
declare hidden void @fn1(i96) unnamed_addr
; i32 fn2(): keeps a -1 sentinel in a 4-byte stack slot (%0) across a call that
; passes an i96 argument. On s390x the i96 goes through a 12-byte stack
; temporary next to %0; the function returns -1 if %0 survived, 0 if the
; temporary's 64-bit stores spilled into it (the bug in this report).
define hidden i32 @fn2() unnamed_addr {
start:
%0 = alloca i32, align 4                  ; 4-byte slot, neighbor of the i96 temporary
store i32 -1, i32* %0, align 4            ; sentinel that must survive the call
call void @fn1(i96 0)                     ; i96 is not a multiple of 64 bits -> passed indirectly via a stack temporary
%1 = load i32, i32* %0, align 4           ; reload the sentinel after the call
ret i32 %1                                ; expected -1 (0xffffffff); 0 when the temporary's tail store overflowed
}
### llc -O0
# llc -O0 output for arg-i96.ll (s390x GAS syntax; "#" starts a comment).
# NOTE(review): the list archive appears to have rewritten "@" as " at "
# (".type fn2, at function" is .type fn2,@function); restore before assembling.
.text
.file "arg-i96.ll"
.hidden fn2 # -- Begin function fn2
.globl fn2
.p2align 4
.type fn2, at function
fn2: # @fn2
# i32 fn2(void): store -1 to a 4-byte slot, call fn1 with an i96 passed
# indirectly through a 12-byte stack temporary, return the slot's value.
# Frame: aghi -176 = 160-byte ABI area + 16 bytes of locals; the i96
# temporary (fi#1, 12 bytes) sits at 160(%r15), the i32 slot (fi#0) at 172(%r15).
# NOTE(review): "fn1 at PLT" below is fn1@PLT with "@" rewritten by the archive.
.cfi_startproc
# %bb.0: # %start
stmg %r14, %r15, 112(%r15)      # save r14 (return address) and r15 (SP) in the incoming frame's register save area
.cfi_offset %r14, -48
.cfi_offset %r15, -40
aghi %r15, -176                 # allocate frame: 160 ABI bytes + 16 bytes of locals
.cfi_def_cfa_offset 336
mvhi 172(%r15), -1              # %0 (fi#0, bytes 172..175) = -1
mvghi 168(%r15), 0              # BUG: 8-byte store covers 168..175, but the i96 temporary ends at 171; bytes 172..175 (%0) are zeroed
mvghi 160(%r15), 0              # low 8 bytes of the i96 temporary (160..167)
la %r2, 160(%r15)               # r2 = &temporary, the indirectly passed i96 argument
brasl %r14, fn1 at PLT           # call fn1 (fn1@PLT)
l %r2, 172(%r15)                # return value = %0; reads 0 instead of -1 because of the store at 168 above
lmg %r14, %r15, 288(%r15)       # restore r14/r15 from the save area (176 + 112)
br %r14                         # return
.Lfunc_end0:
.size fn2, .Lfunc_end0-fn2
.cfi_endproc
# -- End function
.hidden fn1
# Non-executable stack marker; "at progbits" is @progbits with "@" rewritten by the archive.
.section ".note.GNU-stack","", at progbits
###
In this reproducer, the 32-bit store to %0 -- mvhi 172(%r15), -1 -- is
immediately overwritten by the overflowing 64-bit store to the end of the i96 stack temporary (fi#1 in the dump below) --
mvghi 168(%r15), 0 -- which writes bytes 168..175 even though the 12-byte temporary only occupies bytes 160..171.
With --print-after-all, you can also see the 12-byte (96-bit) frame allocation
with two 8-byte writes.
# *** IR Dump After Finalize ISel and expand pseudo-instructions ***:
# Machine code for function fn2: IsSSA, TracksLiveness
Frame Objects:
fi#0: size=4, align=4, at location [SP]
fi#1: size=12, align=8, at location [SP]
bb.0.start:
MVHI %stack.0, 0, -1 :: (store 4 into %ir.0)
ADJCALLSTACKDOWN 0, 0
MVGHI %stack.1, 8, 0 :: (store 8 into %stack.1)
MVGHI %stack.1, 0, 0 :: (store 8 into %stack.1)
%0:gr64bit = LA %stack.1, 0, $noreg
$r2d = COPY %0:gr64bit
CallBRASL @fn1, $r2d, <regmask $f8d $f9d $f10d $f11d $f12d $f13d $f14d $f15d
$f8q $f9q $f12q $f13q $f8s $f9s $f10s $f11s $f12s $f13s $f14s $f15s $r6d $r7d
$r8d $r9d $r10d $r11d $r12d $r13d $r14d $r15d $r6h $r7h $r8h and 22 more...>,
implicit-def dead $r14d, implicit-def dead $cc, implicit $fpc
ADJCALLSTACKUP 0, 0
%1:gr32bit = L %stack.0, 0, $noreg :: (dereferenceable load 4 from %ir.0)
$r2l = COPY %1:gr32bit
Return implicit $r2l
# End machine code for function fn2.