https://bugs.llvm.org/show_bug.cgi?id=49500
Bug ID: 49500
Summary: RISCV stack temporary overflow
Product: libraries
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: Backend: RISC-V
Assignee: unassignedb...@nondot.org
Reporter: jist...@redhat.com
CC: a...@lowrisc.org, llvm-bugs@lists.llvm.org
This is a clone of SystemZ bug 49322 because it applies to RISCV too.
That was fixed in https://reviews.llvm.org/D97514.
When a large integer argument on riscv is converted to indirect, but the type
is not a multiple of 64 bits, the writes to the stack are all still in 64-bit
chunks and may clobber neighboring values on the stack.
This can be seen on the SystemZ test added above using -mtriple=riscv64:
llvm/test/CodeGen/SystemZ/args-11.ll
RISCV doesn't have a problem with the first part calling fn1(i96), because that
argument is passed in two registers, so the stack alloca is unaffected.
However, the second part calling fn3(i136) does show the stack-clobbering bug:
declare void @fn3(i136)
define i32 @fn4() {
  %1 = alloca i32
  store i32 -1, i32* %1        ; the i32 local that gets clobbered
  call void @fn3(i136 0)       ; i136 is passed indirectly through a stack temporary
  %2 = load i32, i32* %1
  ret i32 %2                   ; should be -1
}
        .globl  fn4                             # -- Begin function fn4
        .p2align        2
        .type   fn4,@function
fn4:                                            # @fn4
        .cfi_startproc
# %bb.0:
        addi    sp, sp, -32
        .cfi_def_cfa_offset 32
        sd      ra, 24(sp)                      # 8-byte Folded Spill
        .cfi_offset ra, -8
        addi    a0, zero, 1
        slli    a0, a0, 32
        addi    a0, a0, -1
        sw      a0, 20(sp)                      # store i32 -1 into the local at 20(sp)
        sd      zero, 16(sp)                    # 64-bit chunk covers 16..23(sp), overwriting 20(sp)
        sd      zero, 8(sp)
        mv      a0, sp
        sd      zero, 0(sp)
        call    fn3@plt
        lw      a0, 20(sp)                      # reloads the clobbered local
        ld      ra, 24(sp)                      # 8-byte Folded Reload
        addi    sp, sp, 32
        ret
.Lfunc_end1:
        .size   fn4, .Lfunc_end1-fn4
        .cfi_endproc
                                                # -- End function
The store i32 is "sw a0, 20(sp)", immediately overwritten by "sd zero, 16(sp)".
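Added example (not from the bug report and not LLVM code): a small C model of the fn4 frame shown in the listing above. It uses the offsets from that listing (i136 temporary at 0(sp), i32 local at 20(sp), 32-byte frame) as a hypothetical layout, computes how many bytes a copy in 64-bit chunks writes versus how many the value actually occupies, checks whether the chunked copy overlaps the neighbouring local, and replays the store/reload sequence to show the local coming back as 0 instead of -1. The region arithmetic generalises to any bit width; the replay is only meaningful for the i136 layout it copies. Function and constant names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout taken from the fn4 listing in the report:
 * i136 temporary at 0(sp), i32 local at 20(sp), saved ra at 24(sp). */
enum { FRAME_BYTES = 32, TEMP_OFF = 0, LOCAL_OFF = 20, LOCAL_SIZE = 4 };
#define LOCAL_INIT 0xFFFFFFFFu   /* store i32 -1 */

typedef struct { size_t off, size; } region;   /* [off, off + size) within the frame */

static bool overlaps(region a, region b) {
    return a.off < b.off + b.size && b.off < a.off + a.size;
}

/* Bytes written when the argument is copied out in 64-bit chunks, as in the
 * listing: ceil(bits / 64) stores of 8 bytes each. */
size_t chunked_store_bytes(unsigned bits) { return ((size_t)bits + 63) / 64 * 8; }

/* Bytes the value actually occupies in memory: ceil(bits / 8). */
size_t exact_store_bytes(unsigned bits) { return ((size_t)bits + 7) / 8; }

/* Bytes the chunked copy writes past the end of the value; non-zero exactly
 * when the width is not a multiple of 64 bits. */
size_t overrun_bytes(unsigned bits) { return chunked_store_bytes(bits) - exact_store_bytes(bits); }

/* Would a chunked copy of a `bits`-bit argument at `temp_off` write into
 * `neighbour`?  This is the overlap the backend had to avoid. */
bool chunked_clobbers(size_t temp_off, unsigned bits, region neighbour) {
    return overlaps((region){temp_off, chunked_store_bytes(bits)}, neighbour);
}

/* Same question for a copy that writes only the bytes the value occupies. */
bool exact_clobbers(size_t temp_off, unsigned bits, region neighbour) {
    return overlaps((region){temp_off, exact_store_bytes(bits)}, neighbour);
}

/* Replay fn4's frame: initialise the local, copy a zero argument of `bits`
 * bits into the temporary using the given store-width policy, then reload the
 * local as `lw a0, 20(sp)` does.  Returns the reloaded value. */
static uint32_t replay_fn4(unsigned bits, size_t (*store_bytes)(unsigned)) {
    uint8_t sp[FRAME_BYTES];
    memset(sp, 0xAA, sizeof sp);                     /* stale stack contents */
    uint32_t local = LOCAL_INIT;
    memcpy(sp + LOCAL_OFF, &local, sizeof local);    /* sw a0, 20(sp) */

    size_t n = store_bytes(bits);
    if (n > (size_t)(FRAME_BYTES - TEMP_OFF))        /* keep the model inside its frame */
        n = (size_t)(FRAME_BYTES - TEMP_OFF);
    memset(sp + TEMP_OFF, 0, n);                     /* sd zero, 16(sp) / 8(sp) / 0(sp) */

    memcpy(&local, sp + LOCAL_OFF, sizeof local);    /* lw a0, 20(sp) */
    return local;
}

uint32_t local_after_chunked_copy(unsigned bits) { return replay_fn4(bits, chunked_store_bytes); }
uint32_t local_after_exact_copy(unsigned bits)   { return replay_fn4(bits, exact_store_bytes); }

int main(void) {
    region local = { LOCAL_OFF, LOCAL_SIZE };
    unsigned widths[] = { 128, 136 };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        unsigned bits = widths[i];
        printf("i%u: chunked copy writes %zu bytes, value needs %zu, overrun %zu, "
               "clobbers local at 20(sp): %s\n",
               bits, chunked_store_bytes(bits), exact_store_bytes(bits),
               overrun_bytes(bits), chunked_clobbers(TEMP_OFF, bits, local) ? "yes" : "no");
    }
    printf("fn4 returns 0x%08x with chunked stores, 0x%08x with exact stores\n",
           local_after_chunked_copy(136), local_after_exact_copy(136));
    return 0;
}
```

For i136 the chunked copy writes 24 bytes from 0(sp) while the value needs 17, so the third `sd` at 16(sp) covers bytes 16..23 and lands on the local at 20(sp); a copy limited to the value's real size stops at byte 16 and leaves the local intact. For i128 the two sizes coincide and nothing is overrun, which is why only widths that are not a multiple of 64 bits trigger the bug.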