[llvm-bugs] [Bug 49500] New: RISCV stack temporary overflow

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Mar 9 13:53:20 PST 2021


https://bugs.llvm.org/show_bug.cgi?id=49500

            Bug ID: 49500
           Summary: RISCV stack temporary overflow
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Backend: RISC-V
          Assignee: unassignedbugs at nondot.org
          Reporter: jistone at redhat.com
                CC: asb at lowrisc.org, llvm-bugs at lists.llvm.org

This is a clone of SystemZ bug 49322 because it applies to RISCV too.
That was fixed in https://reviews.llvm.org/D97514.

When a large integer argument on riscv is converted to indirect, but the type
is not a multiple of 64 bits, the writes to the stack are all still in 64-bit
chunks and may clobber neighboring values on the stack.

This can be seen on the SystemZ test added above using -mtriple=riscv64:
llvm/test/CodeGen/SystemZ/args-11.ll

RISCV doesn't have a problem with the first part calling fn1(i96), because that
argument is passed in two registers, so the stack alloca is unaffected.
However, the second part calling fn3(i136) does show the stack-clobbering bug:

declare void @fn3(i136)
define i32 @fn4() {
  %1 = alloca i32
  store i32 -1, i32* %1
  call void @fn3(i136 0)
  %2 = load i32, i32* %1
  ret i32 %2
}

        .globl  fn4                             # -- Begin function fn4
        .p2align        2
        .type   fn4,@function
fn4:                                    # @fn4
        .cfi_startproc
# %bb.0:
        addi    sp, sp, -32
        .cfi_def_cfa_offset 32
        sd      ra, 24(sp)                      # 8-byte Folded Spill
        .cfi_offset ra, -8
        addi    a0, zero, 1
        slli    a0, a0, 32
        addi    a0, a0, -1
        sw      a0, 20(sp)
        sd      zero, 16(sp)
        sd      zero, 8(sp)
        mv      a0, sp
        sd      zero, 0(sp)
        call    fn3@plt
        lw      a0, 20(sp)
        ld      ra, 24(sp)                      # 8-byte Folded Reload
        addi    sp, sp, 32
        ret
.Lfunc_end1:
        .size   fn4, .Lfunc_end1-fn4
        .cfi_endproc
                                        # -- End function

The store i32 is "sw a0, 20(sp)", immediately overwritten by "sd zero, 16(sp)".
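The clobber the report describes can be checked mechanically against the listing. The following Python script is an added example by the editor, not part of the bug report or of LLVM: it walks the sp-relative stores and loads of the assembly above (copied here as a constructed string with directives and comments stripped) and flags any store that partially overlaps a still-live earlier store to a different slot, which is exactly the `sd zero, 16(sp)` over `sw a0, 20(sp)` case. It also computes, under the assumption stated in the report that the backend writes the indirect temporary in whole 64-bit chunks, how many bytes past the end of an N-bit value those chunks reach.

```python
import re
from math import ceil

# Constructed copy of the fn4 assembly from the bug report (riscv64),
# with assembler directives and comments removed.
ASM = """\
        addi    sp, sp, -32
        sd      ra, 24(sp)
        addi    a0, zero, 1
        slli    a0, a0, 32
        addi    a0, a0, -1
        sw      a0, 20(sp)
        sd      zero, 16(sp)
        sd      zero, 8(sp)
        mv      a0, sp
        sd      zero, 0(sp)
        call    fn3@plt
        lw      a0, 20(sp)
        ld      ra, 24(sp)
        addi    sp, sp, 32
        ret
"""

# Access width in bytes for the RISC-V store and load mnemonics we track.
STORE_WIDTH = {"sb": 1, "sh": 2, "sw": 4, "sd": 8}
LOAD_WIDTH = {"lb": 1, "lbu": 1, "lh": 2, "lhu": 2, "lw": 4, "lwu": 4, "ld": 8}

# Matches "<mnemonic> <reg>, <offset>(sp)"; anything else is ignored.
MEM_RE = re.compile(r"^\s*(\w+)\s+(\w+),\s*(-?\d+)\(sp\)")


def byte_range(offset, width):
    """Set of frame byte offsets touched by an access at offset of given width."""
    return frozenset(range(offset, offset + width))


def find_clobbers(asm):
    """Return [((store_mnemonic, offset), (clobbered_mnemonic, offset)), ...]
    for every sp-relative store that overlaps, but does not exactly replace,
    an earlier store whose slot has not yet been loaded back."""
    live = []       # (mnemonic, offset, byte set) of stores not yet consumed
    clobbers = []
    for line in asm.splitlines():
        m = MEM_RE.match(line)
        if not m:
            continue
        mnemonic, offset = m.group(1), int(m.group(3))
        if mnemonic in STORE_WIDTH:
            rng = byte_range(offset, STORE_WIDTH[mnemonic])
            for prev_mn, prev_off, prev_rng in live:
                # Partial overlap from a different offset means a neighbouring
                # slot is being trampled rather than legitimately rewritten.
                if rng & prev_rng and rng != prev_rng:
                    clobbers.append(((mnemonic, offset), (prev_mn, prev_off)))
            live.append((mnemonic, offset, rng))
        elif mnemonic in LOAD_WIDTH:
            rng = byte_range(offset, LOAD_WIDTH[mnemonic])
            # A load of exactly the stored bytes consumes that slot.
            live = [entry for entry in live if entry[2] != rng]
    return clobbers


def overrun_bytes(bits):
    """Bytes written beyond a ceil(bits/8)-byte temporary when the value is
    stored in whole 64-bit chunks (assumption taken from the report)."""
    needed = ceil(bits / 8)
    written = ceil(bits / 64) * 8
    return written - needed


if __name__ == "__main__":
    for (mn, off), (pmn, poff) in find_clobbers(ASM):
        print(f"{mn} at {off}(sp) clobbers {pmn} at {poff}(sp)")
    print(f"i136 chunked stores overrun the temporary by {overrun_bytes(136)} bytes")
```

Run on the report's listing it prints the single `sd` at 16(sp) clobbering the `sw` at 20(sp); for a 136-bit value the three 8-byte stores cover 24 bytes against a 17-byte temporary, so the last 7 bytes land in whatever the frame layout placed next, here the `alloca i32` at 20(sp).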
