Open llvmbot opened 11 years ago
Any update on this? :-)
Cloned to rdar://15266303
Ping?
Peng, Can you bisect it and find out when (on which commit) this bug started ?
it seems that the problem is from X86 DAG->DAG Instruction Selection:
see the machine instructions after # IR Dump After X86 DAG->DAG Instruction Selection (using llc (llvm 3.0 on win32))
The first three lines and the last two lines alone together are used to compute "sin" for some double number.
line 1: move the stack pointer down 8
line 2: copy the updated stack pointer to a base register
line 3: copy a double number to location pointed by the base register
line end-1: to the last call "sin" to compute the result
line end: move the stack pointer up 8
The problem is that there are many other instructions inserted between them, and these instructions include stack allocations. This causes:
the function call after line end could get wrong values because after line end the stack pointer is pointing to useful data.
ADJCALLSTACKDOWN32 8, %ESP<imp-def,dead>, %EFLAGS<imp-def,dead>, %ESP
A correction:
After reading the assembly code, the problem is when stack memory allocation is happening between the stack subtraction and the actual function call.
For example, the correct call to sin is:
sub esp, 8 move [esp], xmm0 call sin add esp, 8
While the generated code has:
sub esp, 8
move [esp], xmm0
move eax, 10h
call chkstk ; allocate more stack
mov esi,esp
mov eax,dword ptr [ebp-278h]
mov dword ptr [esi+8],eax
mov eax,dword ptr [ebp-274h]
mov dword ptr [esi+4],eax
mov eax,dword ptr [ebp-26Ch]
mov dword ptr [esi],eax
call sin
add esp, 8
This causes the stack pointer is pointing to the some user data, i.e., 8 bytes above the true stack top.
Extended Description
I recently ran into a case, where x86 fails to run correctly.
Checking into the emitted code, it seems that the local memory anchored at ebp has conflict with stack memory anchored at esp prepared for function calls.
For example, let us say:
foo() { ... call bar(); }
There is some local data for foo() at ebp-170h. while preparing the call to bar, some data is written to esp+17h. The problem is that esp+17h and ebp-170h point to the same address, and therefore the data is corrupted.
See the attached llvm ir and assembly code. The conflict happens at line 292 and 294 in the assembly code. The address pointed by esp with offsets is the same as two of them addressed by sbp with offsets.