Miscompilation with -fsanitize=undefined,memtag-stack

[ostannard]

When this code is compiled with UBSan and MTE stack tagging, the generated code hits a breakpoint instruction to report a UBSan failure, despite the lack of UB in the source code:

int g_12[2] = {0, 0};
int g_21 = 0;

void main() {
  g_12[1];

  int *l_73[3][7] = {{&g_21, &g_21, &g_21, &g_21, &g_21, &g_21},
                     {&g_21, &g_21, &g_21, &g_21, &g_21, &g_21},
                     {&g_21, &g_21, &g_21, &g_21, &g_21, &g_21}};
  l_73[0][2];

  for (int i = 0; i < 2; i++) {
    int **l_76[2][2];
    l_76[1][0] = &g_21;
    l_76[1][0];
  }
}

Generated code:

$ /work/llvm/build/bin/clang --target=aarch64-arm-none-eabi -march=armv8.5-a+memtag -c test.c -o file001051.o -O3 -fsanitize=memtag-stack,undefined -fsanitize-trap=undefined -o - -S
...
main:                                   // @main
        .cfi_startproc
// %bb.0:                               // %entry
        .cfi_mte_tagged_frame
        sub     sp, sp, #208
        .cfi_def_cfa_offset 208
        .cfi_remember_state
        irg     x8, sp
        adrp    x11, g_12
        add     x11, x11, :lo12:g_12
        addg    x9, x8, #32, #1
        mov     x10, x9
        cmn     x11, #4
        mov     x11, #160                       // =0xa0
        stg     x10, [x10], #16
.LBB0_1:                                // %entry
                                        // =>This Inner Loop Header: Depth=1
        sub     x11, x11, #32
        st2g    x10, [x10], #32
        cbnz    x11, .LBB0_1
// %bb.2:                               // %entry
        st2g    x8, [x8]
        b.eq    .LBB0_10
// %bb.3:                               // %cont4
        adrp    x10, .L__const.main.l_73
        add     x10, x10, :lo12:.L__const.main.l_73
        cmn     x9, #17
        ldp     q0, q1, [x10, #128]
        ldp     q2, q3, [x10, #64]
        stp     q0, q1, [sp, #160]
        ldp     q1, q0, [x10, #96]
        stp     q2, q3, [sp, #96]
        ldp     q2, q3, [x10]
        stp     q1, q0, [sp, #128]
        ldp     q1, q0, [x10, #32]
        stp     q2, q3, [sp, #32]
        ldr     x11, [x10, #160]
        stp     q1, q0, [sp, #64]
        str     x11, [sp, #192]
        b.hi    .LBB0_10
// %bb.4:                               // %cont10
        cmn     x8, #17
        //APP
        //NO_APP
        b.hi    .LBB0_10
// %bb.5:                               // %cont10.split
        cmn     x8, #16
        b.eq    .LBB0_9
// %bb.6:                               // %for.body.preheader
        mov     x9, sp
        mov     w0, wzr
        mov     x8, #192                        // =0xc0
        stg     x9, [x9], #16
.LBB0_7:                                // %for.body.preheader
                                        // =>This Inner Loop Header: Depth=1
        sub     x8, x8, #32
        st2g    x9, [x9], #32
        cbnz    x8, .LBB0_7
// %bb.8:                               // %for.body.preheader
        add     sp, sp, #208
        .cfi_def_cfa_offset 0
        ret
.LBB0_9:                                // %for.body.us31
        .cfi_restore_state
        adrp    x8, g_21
        add     x8, x8, :lo12:g_21
        str     x8, [sp, #16]
.LBB0_10:                               // %trap1
        brk     #0x5513
.Lfunc_end0:
...

The breakpoint is hit because the first branch to LBB0_10 is taken. It looks like this is trying to check that the address of g_12[1] is not null, but an MTE tag setting loop has been inserted between the check and the branch, clobbering CPSR.

This is a regression caused by:
#61830
https://reviews.llvm.org/D148508

[llvmbot]

@llvm/issue-subscribers-backend-aarch64

[ostannard]

Another reproducer, this one triggers with just memtag-stack, no need for ubsan:

#include <stdio.h>

static int safe_rshift_func_int32_t_s_s(int left, int right) {
  return (right < 0 || left < 0) ? left : (left >> right);
}

int g_64;
int g_96;
volatile int g_103[4];
int g_108 = 0;
int g_132 = 0;
int g_140;
int g_169 = 0;
short g_336 = 0;
int m;
int n;
int o = 1;
int p_28 = 0;

int l_499[9][5] = {{0x3383DD30L, 0L, 0x3383DD30L, 0xF531C439L, (-1L)},
                   {1L, 0x71DFB4F0L, 2L, 0x71DFB4F0L, 1L},
                   {0x3383DD30L, 0x794567FAL, 0L, (-1L), 0L},
                   {2L, 2L, 2L, 1L, 0xDBBC287CL},
                   {0x794567FAL, 0x3383DD30L, 0x3383DD30L, 0x794567FAL, 0L},
                   {0x71DFB4F0L, 1L, 0x97F03475L, 0x97F03475L, 1L},
                   {0L, 0x3383DD30L, 0xF531C439L, (-1L), (-1L)},
                   {1L, 2L, 1L, 0x97F03475L, 2L},
                   {(-1L), 0x794567FAL, (-1L), 0x794567FAL, (-1L)}};

int main(void) {
  for (int i = 1; i < 4; i++) {
    for (int j = 2; j >= 0; j--) {
      int a = 1;
      int l_534[9][5] = {{0, 0, 1, 0, 1}, {0, 0, 0, 0, 0}, {0, 0, 0, 0, 0},
                         {0, 0, 0, 0, 0}, {0, 0, 0, 0, 0}, {0, 0, 0, 0, 0},
                         {0, 0, 0, 0, 0}, {0, 0, 0, 0, 0}, {1, 0, 0, 0, 1}};
      g_336 &= 1;
      if (g_103[j + 1])
        a ^= g_103[j + 1];
      else
        a ^= (m |= g_336);
      g_96 = a;

      g_64 = j >> 1;
      if (g_64 || safe_rshift_func_int32_t_s_s(
                      !(g_108 && (g_132 ^ (g_336 = 0))) >= p_28, o)) {
        for (int k = 0; k < 5; k++) {
          asm volatile("");
          n--;
          l_499[(j + 2)][j] = 0;
          g_140 = g_169 < 1;
        }
      } else {
        l_499[0][0] = l_534[0][j] > l_499[i + 1][0];
        g_140 = 42;
      }
    }
  }
  printf("checksum = %X\n", g_140);
  return 0;
}

$ /work/llvm/build/bin/clang --target=aarch64-none-eabi -march=armv8.5-a+memtag -c test.c -O3 -w -fsanitize=memtag-stack -o - -S
...
        cmn     x20, #3
.LBB0_14:                               // %if.end41
                                        //   Parent Loop BB0_2 Depth=1
                                        //     Parent Loop BB0_3 Depth=2
                                        // =>    This Inner Loop Header: Depth=3
        subs    x24, x24, #32
        st2g    x25, [x25], #32
        b.ne    .LBB0_14
// %bb.15:                              // %if.end41
                                        //   in Loop: Header=BB0_3 Depth=2
        b.ne    .LBB0_3
        b       .LBB0_1
...

This again looks like a tag-setting loop has been inserted between a pair of cmn and b.ne instructions, where CPSR is live.

Both of these errors are detected by the MIR verifier:

$ /work/llvm/build/bin/clang --target=aarch64-none-eabi -march=armv8.5-a+memtag -c test.c -O3 -w -fsanitize=memtag-stack -o - -S -mllvm -verify-machineinstrs
...
*** Bad machine code: Live in register not found to be live out from predecessor. ***
- function:    main
- basic block: %bb.17 if.end41 (0x55a9903e7a40)
NZCV not found to be live out from %bb.16
fatal error: error in backend: Found 1 machine code errors.
...

[ostannard]

This was fixed by https://reviews.llvm.org/D158262.

[efriedma-quic]

/cherry-pick b09c575

We also ran into this internally, so I think we should consider the fix for the 17 branch.

[llvmbot]

/branch llvm/llvm-project-release-prs/issue64309

[llvmbot]

/pull-request llvm/llvm-project-release-prs#670