Pointer Dereference Optimization Bug in Clang-18 on ARM64 Depending on Data Patterns at Different Optimization Levels #69294
Comments
|
@llvm/issue-subscribers-backend-aarch64 Author: None (gyuminb)
### **Description:**
When compiling the provided PoC on ARM64 architecture with Clang-18, there seems to be a pointer dereference optimization issue. The behavior of the code changes based on different optimization levels, and it's influenced by the data patterns used as well as the structure of adjacent Environment:
PoC:cCopy code
#include <stdio.h>#include <stdint.h>struct StructA {
uint32_t val1;
const int8_t val2;
uint64_t val3;
uint16_t val4;
};
union UnionB {
uint32_t u_val1;
struct StructA s_val;
uint32_t u_val2;
int32_t u_val3;
int32_t u_val4;
uint64_t u_val5;
};
static union UnionB main_union = {1UL};
static uint32_t *ptr_val1 = &main_union.s_val.val1;
static uint32_t **double_ptr = &ptr_val1;
static uint32_t ***triple_ptr = &double_ptr;
int main() {
printf("Before main_union.u_val5: %lx\n", main_union.u_val5);
uint32_t **local_double_ptr = &ptr_val1;
uint64_t local_val = 0x123456789abcedffLL;
uint64_t *local_ptr = &main_union.u_val5;
(*local_ptr) = local_val;
(triple_ptr = &local_double_ptr);
(***triple_ptr) = 0UL;
printf("After main_union.u_val5: %lx\n", main_union.u_val5);
return 0;
}Expected Behavior:The value of Observed Behavior:he value of Analysis:The optimization seems to overlook the Steps to Reproduce:
Evidence:The following output showcases the behavior for various optimization levels: What's intriguing is that when we replace two identical printf("Before main_union.u_val5: %lx\n", main_union.u_val5);and printf("After main_union.u_val5: %lx\n", main_union.u_val5);the issue only manifests at Conclusion:Across different optimization levels ( |
|
Does it give consistent results with -fno-strict-aliasing? |
Thank you for the suggestion, topperc. While the use of -fno-strict-aliasing provides consistent results, it's worth noting that the observed issue is specific to the ARM64 architecture when compiled without this option. On other architectures like x86-64, and with other compilers like GCC, the behavior is consistent and as expected, even without the -fno-strict-aliasing flag. This specificity suggests that there might be a deeper underlying issue with the ARM64 architecture optimization in Clang-18, rather than just a generic strict aliasing concern. Would appreciate further insights into this matter. |
|
I've taken a brief look at the Arm and AArch64 code. They both generate the same IL I'm not well versed enough in TBAA to trace all this through, although I note that store of 0 and the store of the initializing value have different values of TBAA. An expert may be able to help point out an aliasing problem. Looking at the generated code between Arm and AArch64 it looks like this is a matter of scheduling. The write of 0 happens before the write of the initializing value which removes it. By selecting a different CPU with a different scheduling model like cortex-53 the write of 0 happens after the initialization so you get the answer you expect. I think this adds some weight to an aliasing problem rather than a specific bug in the AArch64 backend although I couldn't be sure. I normally work on linkers. |
Description:
When compiling the provided PoC on ARM64 architecture with Clang-18, there seems to be a pointer dereference optimization issue. The behavior of the code changes based on different optimization levels, and it's influenced by the data patterns used as well as the structure of adjacent
printfcalls. For some data patterns, the issue is observed across optimization levelsO1toO3. Intriguingly, when replacing two identicalprintfcalls with two distinct ones before and after the problematic line, the issue exclusively appears inO3. It suggests that the optimization is influenced not just by data patterns but also by the presence and structure of adjacent print functions.Environment:
O1,O2, andO3depending on the data patterns used. For patterns like0x123456789abcdeff, the issue can be observed from to , but for patterns like0x1234567fffffffff, it exclusively appears at .PoC:
Expected Behavior:
The value of
main_union.u_val5should be consistent across different optimization levels after the pointer dereference operation.Observed Behavior:
he value of
main_union.u_val5changes depending on the optimization level, data patterns, and the structure of adjacentprintfcalls.Analysis:
The optimization seems to overlook the
(**triple_ptr) = 0UL;operation. The discrepancy in output, depending on the structure ofprintfcalls and data patterns, indicates a misoptimization during the compilation process. Notably, when changing the structure of theprintfstatement or using a data pattern with repeating digits, the issue singularly appears inO3optimization level. This brings to light the complex nature of this optimization bug that is sensitive to both the data patterns and surrounding code structures.Steps to Reproduce:
O1,O2, andO3).printfstructure.Evidence:
The following output showcases the behavior for various optimization levels:
What's intriguing is that when we replace two identical
printfcalls before and after the problematic line with two distinctprintfcalls, such as:and
the issue only manifests at
O3optimization level.Conclusion:
Across different optimization levels (
O1toO3), there is a clear evidence of a bug likely resulting from incorrect compiler optimization. The unique scenarios under which this bug emerges, especially when altering theprintfstructures or data patterns, further underline the unpredictable nature of this issue. This bug certainly requires attention to ensure consistent and correct behavior across all optimization levels.The text was updated successfully, but these errors were encountered: