From 8f44c98d046a22348504ff11e048753edbeea086 Mon Sep 17 00:00:00 2001 From: "Duncan P. N. Exon Smith" Date: Sun, 21 Aug 2016 00:08:10 +0000 Subject: [PATCH] ARM: Avoid dereferencing end() in ARMFrameLowering::emitEpilogue This fixes the crash from PR29072, where the MachineBasicBlock::iterator wasn't being properly checked against MachineBasicBlock::end() before iterating. This was another bug exposed by the new ilist::iterator::operator*() assertion from r279314. This testcase is poor quality. bugpoint couldn't reduce any further, and I haven't had time to dig into what's going on so I can't invent a better one. I didn't even get good CHECK lines in: this is just a crasher. I'm committing anyway since this is a real crash with an obvious fix, but I'll leave PR29072 open and ask an ARM maintainer to help improve the testcase. llvm-svn: 279391 --- llvm/lib/Target/ARM/ARMFrameLowering.cpp | 4 +- .../ARM/arm-frame-lowering-no-terminator.ll | 82 ++++++++++++++++++++++ 2 files changed, 84 insertions(+), 2 deletions(-) create mode 100644 llvm/test/CodeGen/ARM/arm-frame-lowering-no-terminator.ll diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.cpp b/llvm/lib/Target/ARM/ARMFrameLowering.cpp index cfc0faaa..4c8646c 100644 --- a/llvm/lib/Target/ARM/ARMFrameLowering.cpp +++ b/llvm/lib/Target/ARM/ARMFrameLowering.cpp @@ -776,11 +776,11 @@ void ARMFrameLowering::emitEpilogue(MachineFunction &MF, emitSPUpdate(isARM, MBB, MBBI, dl, TII, NumBytes); // Increment past our save areas. - if (AFI->getDPRCalleeSavedAreaSize()) { + if (MBBI != MBB.end() && AFI->getDPRCalleeSavedAreaSize()) { MBBI++; // Since vpop register list cannot have gaps, there may be multiple vpop // instructions in the epilogue. - while (MBBI->getOpcode() == ARM::VLDMDIA_UPD) + while (MBBI != MBB.end() && MBBI->getOpcode() == ARM::VLDMDIA_UPD) MBBI++; } if (AFI->getDPRCalleeSavedGapSize()) { diff --git a/llvm/test/CodeGen/ARM/arm-frame-lowering-no-terminator.ll b/llvm/test/CodeGen/ARM/arm-frame-lowering-no-terminator.ll new file mode 100644 index 0000000..5a48fa3 --- /dev/null +++ b/llvm/test/CodeGen/ARM/arm-frame-lowering-no-terminator.ll @@ -0,0 +1,82 @@ +; RUN: llc < %s +; Ensure that ARMFrameLowering can emit an epilogue when there's no terminator. +; This is the crasher from PR29072. + +target datalayout = "e-m:e-p:32:32-i64:64-v128:64:128-a:0:32-n32-S64" +target triple = "armv7-unknown-linux-gnueabihf" + +%t1 = type { [4 x float] } +%t3 = type { i32 (...)** } +%t2 = type { %t3, i8, %t1, %t1, float } + +define internal void @foo(%t2* nocapture %this, %t1* nocapture readonly %triangle, i32 %partId, i32 %triangleIndex) { +entry: + br i1 undef, label %if.else, label %if.end + +if.else: ; preds = %entry + %arrayidx.i = getelementptr inbounds %t1, %t1* %triangle, i32 0, i32 0, i32 0 + %0 = load float, float* %arrayidx.i, align 4 + %arrayidx5.i = getelementptr inbounds %t1, %t1* %triangle, i32 0, i32 0, i32 1 + %1 = load float, float* %arrayidx5.i, align 4 + %2 = load float, float* null, align 4 + %arrayidx11.i = getelementptr inbounds %t1, %t1* %triangle, i32 0, i32 0, i32 2 + %3 = load float, float* %arrayidx11.i, align 4 + %arrayidx13.i = getelementptr inbounds %t2, %t2* %this, i32 0, i32 2, i32 0, i32 2 + %4 = load float, float* %arrayidx13.i, align 4 + %arrayidx.i129 = getelementptr inbounds %t1, %t1* %triangle, i32 1, i32 0, i32 0 + %5 = load float, float* %arrayidx.i129, align 4 + %sub.i131 = fsub float %5, 0.000000e+00 + %arrayidx5.i132 = getelementptr inbounds %t1, %t1* %triangle, i32 1, i32 0, i32 1 + %6 = load float, float* %arrayidx5.i132, align 4 + %sub8.i134 = fsub float %6, %2 + %arrayidx11.i135 = getelementptr inbounds %t1, %t1* %triangle, i32 1, i32 0, i32 2 + %7 = load float, float* %arrayidx11.i135, align 4 + %sub14.i137 = fsub float %7, %4 + %arrayidx.i149 = getelementptr inbounds %t1, %t1* %triangle, i32 2, i32 0, i32 0 + %8 = load float, float* %arrayidx.i149, align 4 + %sub.i151 = fsub float %8, 0.000000e+00 + %arrayidx5.i152 = getelementptr inbounds %t1, %t1* %triangle, i32 2, i32 0, i32 1 + %9 = load float, float* %arrayidx5.i152, align 4 + %sub8.i154 = fsub float %9, %2 + %10 = load float, float* undef, align 4 + %sub14.i157 = fsub float %10, %4 + %mul.i = fmul float %sub8.i134, %sub14.i157 + %mul10.i = fmul float %sub14.i137, %sub8.i154 + %sub.i146 = fsub float %mul.i, %mul10.i + %mul11.i = fmul float undef, %sub.i146 + %mul18.i = fmul float %sub14.i137, %sub.i151 + %mul23.i = fmul float %sub.i131, %sub14.i157 + %sub24.i = fsub float %mul18.i, %mul23.i + %mul25.i = fmul float undef, %sub24.i + %add.i148 = fadd float %mul11.i, %mul25.i + %add40.i = fadd float undef, %add.i148 + %call.i = tail call float @fabsf(float %add40.i) + %mul = fmul float %call.i, 2.500000e-01 + %add.i118 = fadd float %0, %5 + %add8.i121 = fadd float %1, %6 + %add14.i124 = fadd float %3, %7 + %add.i105 = fadd float %add.i118, %8 + %add8.i108 = fadd float %add8.i121, %9 + %add14.i111 = fadd float %add14.i124, %10 + %add.i93 = fadd float 0.000000e+00, %add.i105 + %add8.i96 = fadd float %2, %add8.i108 + %add14.i = fadd float %4, %add14.i111 + %mul.i.i = fmul float %add.i93, %mul + %mul4.i.i = fmul float %add8.i96, %mul + %mul8.i.i = fmul float %mul, %add14.i + %arrayidx3.i = getelementptr inbounds %t2, %t2* %this, i32 0, i32 3, i32 0, i32 0 + %add.i = fadd float undef, %mul.i.i + store float %add.i, float* %arrayidx3.i, align 4 + %arrayidx7.i86 = getelementptr inbounds %t2, %t2* %this, i32 0, i32 3, i32 0, i32 1 + %add8.i = fadd float %mul4.i.i, undef + store float %add8.i, float* %arrayidx7.i86, align 4 + %arrayidx12.i = getelementptr inbounds %t2, %t2* %this, i32 0, i32 3, i32 0, i32 2 + %add13.i = fadd float %mul8.i.i, undef + store float %add13.i, float* %arrayidx12.i, align 4 + br label %if.end + +if.end: ; preds = %if.else, %entry + ret void +} + +declare float @fabsf(float) readnone -- 2.7.4