[AArch64] Fix STG instruction being moved past memcpy (llvm#117191)

ostannard · web-flow · commit 7d7252590916 · 2024-12-03T10:32:52.000Z
When merging STG instructions used for AArch64 stack tagging, we were
stopping on reaching a load or store instruction, but not calls, so it
was possible for an STG to be moved past a call to memcpy.
 
This test case (reduced from fuzzer-generated C code) was the result of
StackColoring merging allocas A and B into one stack slot, and
StackSafetyAnalysis proving that B does not need tagging, so we end up
with tagged and untagged objects in the same stack slot. The tagged
object (A) is live first, so it is important that it's memory is
restored to the background tag before it gets reused to hold B.
diff --git a/llvm/lib/Target/AArch64/AArch64FrameLowering.cpp b/llvm/lib/Target/AArch64/AArch64FrameLowering.cpp
@@ -4585,7 +4585,7 @@ MachineBasicBlock::iterator tryMergeAdjacentSTG(MachineBasicBlock::iterator II,
       break;
 
     // Reject anything that may alias the collected instructions.
-    if (MI.mayLoadOrStore() || MI.hasUnmodeledSideEffects())
+    if (MI.mayLoadOrStore() || MI.hasUnmodeledSideEffects() || MI.isCall())
       break;
   }
 
diff --git a/llvm/test/CodeGen/AArch64/stack-tagging-merge-past-memcpy.mir b/llvm/test/CodeGen/AArch64/stack-tagging-merge-past-memcpy.mir
@@ -0,0 +1,103 @@
+# NOTE: Assertions have been autogenerated by utils/update_mir_test_checks.py UTC_ARGS: --version 5
+# RUN: llc -mtriple=aarch64 -mattr=+mte -run-pass=prologepilog %s -o - | FileCheck %s
+--- |
+  target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128-Fn32"
+  target triple = "aarch64-unknown-none-elf"
+
+  @glob = global [8 x i32] zeroinitializer, align 4
+
+  declare dso_local void @F78(ptr %B)
+
+  define void @F55() sanitize_memtag "target-features"="+mte,+strict-align" {
+  entry:
+    %basetag = call ptr @llvm.aarch64.irg.sp(i64 0)
+    %A = alloca i32, i32 8, align 16
+    %A.tag = call ptr @llvm.aarch64.tagp.p0(ptr %A, ptr %basetag, i64 0)
+    %B = alloca i32, i32 8, align 4
+    %C = alloca i32, i32 8, align 16
+    %C.tag = call ptr @llvm.aarch64.tagp.p0(ptr %C, ptr %basetag, i64 1)
+    call void @llvm.aarch64.settag(ptr %C.tag, i64 32)
+    call void @F56(ptr %C.tag)
+    call void @llvm.lifetime.start.p0(i64 32, ptr %A)
+    call void @llvm.aarch64.settag(ptr %A.tag, i64 32)
+    call void @F56(ptr %A.tag)
+    call void @llvm.aarch64.settag(ptr %A, i64 32)
+    call void @llvm.lifetime.end.p0(i64 32, ptr %A)
+    call void @llvm.lifetime.start.p0(i64 32, ptr %A)
+    call void @llvm.memcpy.p0.p0.i64(ptr align 4 %A, ptr align 4 @glob, i64 32, i1 false)
+    call void @F78(ptr %A)
+    call void @llvm.lifetime.end.p0(i64 32, ptr %A)
+    call void @llvm.aarch64.settag(ptr %C, i64 32)
+    ret void
+  }
+
+  declare void @F56(ptr)
+...
+---
+name:            F55
+frameInfo:
+  adjustsStack:    true
+stack:
+  - { id: 0, name: A, type: default, offset: 0, size: 32, alignment: 16,
+      stack-id: default, callee-saved-register: '', callee-saved-restored: true,
+      local-offset: -32, debug-info-variable: '', debug-info-expression: '',
+      debug-info-location: '' }
+  - { id: 2, name: C, type: default, offset: 0, size: 32, alignment: 16,
+      stack-id: default, callee-saved-register: '', callee-saved-restored: true,
+      local-offset: -64, debug-info-variable: '', debug-info-expression: '',
+      debug-info-location: '' }
+body:             |
+  bb.0.entry:
+    ; CHECK-LABEL: name: F55
+    ; CHECK: liveins: $x19, $lr
+    ; CHECK-NEXT: {{  $}}
+    ; CHECK-NEXT: frame-setup EMITMTETAGGED
+    ; CHECK-NEXT: $sp = frame-setup SUBXri $sp, 80, 0
+    ; CHECK-NEXT: frame-setup STPXi killed $lr, killed $x19, $sp, 8 :: (store (s64) into %stack.3), (store (s64) into %stack.2)
+    ; CHECK-NEXT: frame-setup CFI_INSTRUCTION def_cfa_offset 80
+    ; CHECK-NEXT: frame-setup CFI_INSTRUCTION offset $w19, -8
+    ; CHECK-NEXT: frame-setup CFI_INSTRUCTION offset $w30, -16
+    ; CHECK-NEXT: renamable $x0 = IRGstack $sp, $xzr
+    ; CHECK-NEXT: renamable $x19 = TAGPstack $x0, 2, renamable $x0, 1
+    ; CHECK-NEXT: ST2Gi renamable $x0, renamable $x0, 0 :: (store (s256) into %ir.C.tag, align 16)
+    ; CHECK-NEXT: BL @F56, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit $x0, implicit-def $sp
+    ; CHECK-NEXT: ST2Gi renamable $x19, renamable $x19, 0 :: (store (s256) into %ir.A.tag, align 16)
+    ; CHECK-NEXT: $x0 = COPY killed renamable $x19
+    ; CHECK-NEXT: BL @F56, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit $x0, implicit-def $sp
+    ; CHECK-NEXT: ST2Gi $sp, $sp, 2 :: (store (s256) into %ir.A, align 16)
+    ; CHECK-NEXT: renamable $x1 = LOADgot target-flags(aarch64-got) @glob
+    ; CHECK-NEXT: $x0 = ADDXri $sp, 32, 0
+    ; CHECK-NEXT: dead $w2 = MOVi32imm 32, implicit-def $x2
+    ; CHECK-NEXT: BL &memcpy, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit $x0, implicit $x1, implicit $x2, implicit-def $sp, implicit-def dead $x0
+    ; CHECK-NEXT: $x0 = ADDXri $sp, 32, 0
+    ; CHECK-NEXT: BL @F78, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit $x0, implicit-def $sp
+    ; CHECK-NEXT: ST2Gi $sp, $sp, 0 :: (store (s256) into %ir.C, align 16)
+    ; CHECK-NEXT: $sp = frame-destroy ADDXri $sp, 64, 0
+    ; CHECK-NEXT: early-clobber $sp, $lr, $x19 = frame-destroy LDPXpost $sp, 2 :: (load (s64) from %stack.3), (load (s64) from %stack.2)
+    ; CHECK-NEXT: RET_ReallyLR
+    renamable $x0 = IRGstack $sp, $xzr
+    renamable $x19 = TAGPstack %stack.0.A, 0, renamable $x0, 1
+    ST2Gi renamable $x0, renamable $x0, 0 :: (store (s256) into %ir.C.tag, align 16)
+    ADJCALLSTACKDOWN 0, 0, implicit-def dead $sp, implicit $sp
+    BL @F56, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit $x0, implicit-def $sp
+    ADJCALLSTACKUP 0, 0, implicit-def dead $sp, implicit $sp
+    ST2Gi renamable $x19, renamable $x19, 0 :: (store (s256) into %ir.A.tag, align 16)
+    ADJCALLSTACKDOWN 0, 0, implicit-def dead $sp, implicit $sp
+    $x0 = COPY killed renamable $x19
+    BL @F56, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit $x0, implicit-def $sp
+    ADJCALLSTACKUP 0, 0, implicit-def dead $sp, implicit $sp
+    ST2Gi $sp, %stack.0.A, 0 :: (store (s256) into %ir.A, align 16)
+    ADJCALLSTACKDOWN 0, 0, implicit-def dead $sp, implicit $sp
+    renamable $x1 = LOADgot target-flags(aarch64-got) @glob
+    $x0 = ADDXri %stack.0.A, 0, 0
+    dead $w2 = MOVi32imm 32, implicit-def $x2
+    BL &memcpy, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit $x0, implicit $x1, implicit $x2, implicit-def $sp, implicit-def dead $x0
+    ADJCALLSTACKUP 0, 0, implicit-def dead $sp, implicit $sp
+    ADJCALLSTACKDOWN 0, 0, implicit-def dead $sp, implicit $sp
+    $x0 = ADDXri %stack.0.A, 0, 0
+    BL @F78, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit $x0, implicit-def $sp
+    ADJCALLSTACKUP 0, 0, implicit-def dead $sp, implicit $sp
+    ST2Gi $sp, %stack.2.C, 0 :: (store (s256) into %ir.C, align 16)
+    RET_ReallyLR
+
+...

Original file line number	Diff line number	Diff line change
`@@ -4585,7 +4585,7 @@ MachineBasicBlock::iterator tryMergeAdjacentSTG(MachineBasicBlock::iterator II,`
`4585`	`4585`	`break;`
`4586`	`4586`
`4587`	`4587`	`// Reject anything that may alias the collected instructions.`
`4588`		`- if (MI.mayLoadOrStore() \|\| MI.hasUnmodeledSideEffects())`
	`4588`	`+ if (MI.mayLoadOrStore() \|\| MI.hasUnmodeledSideEffects() \|\| MI.isCall())`
`4589`	`4589`	`break;`
`4590`	`4590`	`}`
`4591`	`4591`