Computation of locals' offsets is wrong when stack size exceeds 2G #48911

nagisa · 2021-03-12T23:42:43Z


Bugzilla Link	49567
Version	trunk
OS	All
CC	@topperc,@cuviper,@jdm,@RKSimon,@phoebewang,@rotateright,@oToToT

Extended Description

Given the following test case:

; RUN: llc -O0 -mtriple=x86_64 < %s
; RUN: llc -O0 -mtriple=i686 < %s

%large = type [2148000000 x i8]

define void @banana() unnamed_addr #0 {
  %1 = alloca %large, align 1
  %2 = alloca %large, align 1
  %3 = getelementptr inbounds %large, %large* %1, i64 0, i64 0
  store i8 42, i8* %3, align 1
  %4 = getelementptr inbounds %large, %large* %2, i64 0, i64 0
  store i8 43, i8* %4, align 1
  ret void
}

Will produce the following assembly:

movabsq	$4295999872, %rax               # imm = 0x1000FC180
subq	%rax, %rsp
.cfi_def_cfa_offset 1032584
movb	$42, -2146967424(%rsp)
movb	$43, -128(%rsp)
movabsq	$4295999872, %rax               # imm = 0x1000FC180
addq	%rax, %rsp
.cfi_def_cfa_offset 8
retq

You will notice that both the variables allocad in this function are considered to be below the already adjusted stack pointer, rather than above it, where they ought to be.

This looks like a basic signed 32-bit integer overflow somewhere in prologepilog:

# *** IR Dump Before Prologue/Epilogue Insertion & Frame Finalization (prologepilog) ***:
# Machine code for function banana: NoPHIs, TracksLiveness, NoVRegs, TiedOpsRewritten
Frame Objects:
  fi#0: size=2148000000, align=1, at location [SP+8]
  fi#1: size=2148000000, align=1, at location [SP+8]

bb.0 (%ir-block.0):
  MOV8mi %stack.0, 1, $noreg, 0, $noreg, 42 :: (store 1 into %ir.3)
  MOV8mi %stack.1, 1, $noreg, 0, $noreg, 43 :: (store 1 into %ir.4)
  RET 0

# *** IR Dump After Prologue/Epilogue Insertion & Frame Finalization (prologepilog) ***:
# Machine code for function banana: NoPHIs, TracksLiveness, NoVRegs, TiedOpsRewritten
Frame Objects:
  fi#0: size=2148000000, align=1, at location [SP-2148000000]
  fi#1: size=2148000000, align=1, at location [SP-4296000000]

bb.0 (%ir-block.0):
  $rax = frame-setup MOV64ri 4295999872
  $rsp = SUB64rr $rsp(tied-def 0), $rax, implicit-def dead $eflags
  CFI_INSTRUCTION def_cfa_offset 1032584
  MOV8mi $rsp, 1, $noreg, -2146967424, $noreg, 42 :: (store 1 into %ir.3)
  MOV8mi $rsp, 1, $noreg, -128, $noreg, 43 :: (store 1 into %ir.4)
  $rax = frame-destroy MOV64ri 4295999872
  $rsp = ADD64rr $rsp(tied-def 0), $rax, implicit-def dead $eflags
  CFI_INSTRUCTION def_cfa_offset 8
  RET 0

Worth noting that the the def_cfa_offset directive also overflowed in this reproducer here.

The text was updated successfully, but these errors were encountered:

nagisa · 2021-03-12T23:44:58Z

Reproducible as far back as LLVM 7, and as recently as of a2eca31

For very large stack frames, the offset from the stack pointer to a local can be more than 2^31 which overflows various `int` offsets in the frame lowering code. This patch updates the frame lowering code to calculate the offsets as 64-bit values and resolves the overflows, resulting in the correct codegen for very large frames. Fixes #48911

…rames (#101840)" This casuses assertion failures targeting 32-bit x86: lib/Target/X86/X86RegisterInfo.cpp:989: virtual bool llvm::X86RegisterInfo::eliminateFrameIndex(MachineBasicBlock::iterator, int, unsigned int, RegScavenger *) const: Assertion `(Is64Bit || FitsIn32Bits) && "Requesting 64-bit offset in 32-bit immediate!"' failed. See comment on the PR. > Fix 32-bit integer overflows in the X86 target frame layout when dealing > with frames larger than 4gb. When this occurs, we'll scavenge a scratch > register to be able to hold the correct stack offset for frame locals. > > This completes reapplying #84114. > > Fixes #48911 > Fixes #75944 > Fixes #87154 This reverts commit 0abb779.

…rames (llvm#101840)" This casuses assertion failures targeting 32-bit x86: lib/Target/X86/X86RegisterInfo.cpp:989: virtual bool llvm::X86RegisterInfo::eliminateFrameIndex(MachineBasicBlock::iterator, int, unsigned int, RegScavenger *) const: Assertion `(Is64Bit || FitsIn32Bits) && "Requesting 64-bit offset in 32-bit immediate!"' failed. See comment on the PR. > Fix 32-bit integer overflows in the X86 target frame layout when dealing > with frames larger than 4gb. When this occurs, we'll scavenge a scratch > register to be able to hold the correct stack offset for frame locals. > > This completes reapplying llvm#84114. > > Fixes llvm#48911 > Fixes llvm#75944 > Fixes llvm#87154 This reverts commit 0abb779.

llvmbot transferred this issue from llvm/llvm-bugzilla-archive Dec 11, 2021

pnkfelix mentioned this issue Sep 30, 2022

LLVM miscompiles large stack allocations rust-lang/rust#100914

Open

pnkfelix mentioned this issue Apr 14, 2023

Regressions with large (2-4GB) stack arrays on large stacks rust-lang/rust#83060

Open

wesleywiser mentioned this issue Mar 6, 2024

Fix stack layout for frames larger than 2gb #84114

Merged

RKSimon closed this as completed in #84114 Mar 27, 2024

EugeneZelenko added llvm:codegen mc Machine (object) code and removed backend:X86 labels Mar 27, 2024

RKSimon reopened this Mar 27, 2024

wesleywiser mentioned this issue Aug 3, 2024

[LLVM] [X86] Fix integer overflows in frame layout for huge frames #101840

Merged

arsenm closed this as completed in #101840 Aug 19, 2024

arsenm closed this as completed in 0abb779 Aug 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Computation of locals' offsets is wrong when stack size exceeds 2G #48911

Computation of locals' offsets is wrong when stack size exceeds 2G #48911

nagisa commented Mar 12, 2021 •

edited by RKSimon

Loading

nagisa commented Mar 12, 2021

Uh oh!

Computation of locals' offsets is wrong when stack size exceeds 2G #48911

Computation of locals' offsets is wrong when stack size exceeds 2G #48911

Comments

nagisa commented Mar 12, 2021 • edited by RKSimon Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Extended Description

nagisa commented Mar 12, 2021

Uh oh!

nagisa commented Mar 12, 2021 •

edited by RKSimon

Loading