This is an archive of the discontinued LLVM Phabricator instance.

[safestack] Fast access to the unsafe stack pointer on AArch64/Android (2nd try).
ClosedPublic

Authored by eugenis on Oct 15 2015, 3:21 PM.

Download Raw Diff

Details

Reviewers

rengolin
echristo

Summary

Android libc provides a fixed TLS slot for the unsafe stack pointer,
and this change implements direct access to that slot on AArch64 via
__builtin_thread_pointer() + offset.

This change also moves more code into TargetLowering and its
target-specific subclasses to get rid of target-specific codegen
in SafeStackPass.

This change does not touch the ARM backend because ARM lowers
builting_thread_pointer as aeabi_read_tp, which is not available
on Android.

This is a second attempt which leave the generic, compiler-rt-based implementation in SafeStack.cpp. This way things still work even when there is no TargetMachine.

Diff Detail

Repository: rL LLVM

Event Timeline

eugenis updated this revision to Diff 37527.Oct 15 2015, 3:21 PM

eugenis retitled this revision from to [safestack] Fast access to the unsafe stack pointer on AArch64/Android (2nd try)..

eugenis updated this object.

eugenis added reviewers: echristo, rengolin.

eugenis set the repository for this revision to rL LLVM.

eugenis added a subscriber: llvm-commits.

Herald added subscribers: srhines, danalbert, tberghammer and 2 others. · View Herald TranscriptOct 15 2015, 3:21 PM

To clarify, Eric, Renato, this goes against some of your comments in the original review. Namely, the TargetLowering methods are, again, Android-specific because I had to move the generic implementation to SafeStack pass to have it working without TargetMachine. This sounds like the right thing to do, because the compiler-rt based implementation does not require target knowledge to emit the IR, and this allows target-independent testing.

I'd like a confirmation that you are OK with this.

Overall, this is less android specific in that only x86_64 and AArch64 knows about it, but the generic target lowering is independent. In that sense, it is better this way than previously.

lib/Transforms/Instrumentation/SafeStack.cpp
513	Moving this around makes it harder to review. Can you move it back where it was?

eugenis updated this revision to Diff 37907.Oct 20 2015, 12:14 PM

eugenis edited edge metadata.

eugenis added inline comments.

lib/Transforms/Instrumentation/SafeStack.cpp
513	Sorry, did not noticed the method was moved. Fixed.

LGTM.

-eric

This revision is now accepted and ready to land.Oct 23 2015, 6:31 PM

Thank you.
r251324

Revision Contents

Path

Size

include/

llvm/

Target/

TargetLowering.h

10 lines

lib/

CodeGen/

TargetLoweringBase.cpp

13 lines

Target/

AArch64/

AArch64ISelLowering.h

4 lines

AArch64ISelLowering.cpp

16 lines

X86/

X86ISelLowering.h

3 lines

X86ISelLowering.cpp

17 lines

Transforms/

Instrumentation/

SafeStack.cpp

72 lines

test/

Transforms/

SafeStack/

AArch64/

abi.ll

4 lines

Diff 37907

include/llvm/Target/TargetLowering.h

Show First 20 Lines • Show All 989 Lines • ▼ Show 20 Lines	public:
/// Return true if the target stores stack protector cookies at a fixed offset		/// Return true if the target stores stack protector cookies at a fixed offset
/// in some non-standard address space, and populates the address space and		/// in some non-standard address space, and populates the address space and
/// offset as appropriate.		/// offset as appropriate.
virtual bool getStackCookieLocation(unsigned &/AddressSpace/,		virtual bool getStackCookieLocation(unsigned &/AddressSpace/,
unsigned &/Offset/) const {		unsigned &/Offset/) const {
return false;		return false;
}		}

/// Return true if the target stores SafeStack pointer at a fixed offset in		/// If the target has a standard location for the unsafe stack pointer,
/// some non-standard address space, and populates the address space and		/// returns the address of that location. Otherwise, returns nullptr.
/// offset as appropriate.		virtual Value *getSafeStackPointerLocation(IRBuilder<> &IRB) const;
virtual bool getSafeStackPointerLocation(unsigned & /AddressSpace/,
unsigned & /Offset/) const {
return false;
}

/// Returns true if a cast between SrcAS and DestAS is a noop.		/// Returns true if a cast between SrcAS and DestAS is a noop.
virtual bool isNoopAddrSpaceCast(unsigned SrcAS, unsigned DestAS) const {		virtual bool isNoopAddrSpaceCast(unsigned SrcAS, unsigned DestAS) const {
return false;		return false;
}		}

/// Return true if the pointer arguments to CI should be aligned by aligning		/// Return true if the pointer arguments to CI should be aligned by aligning
/// the object whose address is being passed. If so then MinSize is set to the		/// the object whose address is being passed. If so then MinSize is set to the
▲ Show 20 Lines • Show All 1,849 Lines • Show Last 20 Lines

lib/CodeGen/TargetLoweringBase.cpp

Show First 20 Lines • Show All 1,656 Lines • ▼ Show 20 Lines	while (true) {
if (LK.first == TypeSplitVector \|\| LK.first == TypeExpandInteger)		if (LK.first == TypeSplitVector \|\| LK.first == TypeExpandInteger)
Cost *= 2;		Cost *= 2;

// Keep legalizing the type.		// Keep legalizing the type.
MTy = LK.second;		MTy = LK.second;
}		}
}		}

		Value *TargetLoweringBase::getSafeStackPointerLocation(IRBuilder<> &IRB) const {
		if (!TM.getTargetTriple().isAndroid())
		return nullptr;

		// Android provides a libc function to retrieve the address of the current
		// thread's unsafe stack pointer.
		Module *M = IRB.GetInsertBlock()->getParent()->getParent();
		Type *StackPtrTy = Type::getInt8PtrTy(M->getContext());
		Value *Fn = M->getOrInsertFunction("__safestack_pointer_address",
		StackPtrTy->getPointerTo(0), nullptr);
		return IRB.CreateCall(Fn);
		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Loop Strength Reduction hooks		// Loop Strength Reduction hooks
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

/// isLegalAddressingMode - Return true if the addressing mode represented		/// isLegalAddressingMode - Return true if the addressing mode represented
/// by AM is legal for this target, for a load/store of the specified type.		/// by AM is legal for this target, for a load/store of the specified type.
bool TargetLoweringBase::isLegalAddressingMode(const DataLayout &DL,		bool TargetLoweringBase::isLegalAddressingMode(const DataLayout &DL,
const AddrMode &AM, Type *Ty,		const AddrMode &AM, Type *Ty,
Show All 32 Lines

lib/Target/AArch64/AArch64ISelLowering.h

Show First 20 Lines • Show All 356 Lines • ▼ Show 20 Lines	public:
shouldExpandAtomicRMWInIR(AtomicRMWInst *AI) const override;		shouldExpandAtomicRMWInIR(AtomicRMWInst *AI) const override;

bool shouldExpandAtomicCmpXchgInIR(AtomicCmpXchgInst *AI) const override;		bool shouldExpandAtomicCmpXchgInIR(AtomicCmpXchgInst *AI) const override;

bool useLoadStackGuardNode() const override;		bool useLoadStackGuardNode() const override;
TargetLoweringBase::LegalizeTypeAction		TargetLoweringBase::LegalizeTypeAction
getPreferredVectorAction(EVT VT) const override;		getPreferredVectorAction(EVT VT) const override;

		/// If the target has a standard location for the unsafe stack pointer,
		/// returns the address of that location. Otherwise, returns nullptr.
		Value *getSafeStackPointerLocation(IRBuilder<> &IRB) const override;

private:		private:
bool isExtFreeImpl(const Instruction *Ext) const override;		bool isExtFreeImpl(const Instruction *Ext) const override;

/// Subtarget - Keep a pointer to the AArch64Subtarget around so that we can		/// Subtarget - Keep a pointer to the AArch64Subtarget around so that we can
/// make the right decision when generating code for different targets.		/// make the right decision when generating code for different targets.
const AArch64Subtarget *Subtarget;		const AArch64Subtarget *Subtarget;

void addTypeForNEON(EVT VT, EVT PromotedBitwiseVT);		void addTypeForNEON(EVT VT, EVT PromotedBitwiseVT);
▲ Show 20 Lines • Show All 156 Lines • Show Last 20 Lines

lib/Target/AArch64/AArch64ISelLowering.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 9,947 Lines • ▼ Show 20 Lines	bool AArch64TargetLowering::functionArgumentNeedsConsecutiveRegisters(
Type *Ty, CallingConv::ID CallConv, bool isVarArg) const {		Type *Ty, CallingConv::ID CallConv, bool isVarArg) const {
return Ty->isArrayTy();		return Ty->isArrayTy();
}		}

bool AArch64TargetLowering::shouldNormalizeToSelectSequence(LLVMContext &,		bool AArch64TargetLowering::shouldNormalizeToSelectSequence(LLVMContext &,
EVT) const {		EVT) const {
return false;		return false;
}		}

		Value *AArch64TargetLowering::getSafeStackPointerLocation(IRBuilder<> &IRB) const {
		if (!Subtarget->isTargetAndroid())
		return TargetLowering::getSafeStackPointerLocation(IRB);

		// Android provides a fixed TLS slot for the SafeStack pointer. See the
		// definition of TLS_SLOT_SAFESTACK in
		// https://android.googlesource.com/platform/bionic/+/master/libc/private/bionic_tls.h
		const unsigned TlsOffset = 0x48;
		Module *M = IRB.GetInsertBlock()->getParent()->getParent();
		Function *ThreadPointerFunc =
		Intrinsic::getDeclaration(M, Intrinsic::aarch64_thread_pointer);
		return IRB.CreatePointerCast(
		IRB.CreateConstGEP1_32(IRB.CreateCall(ThreadPointerFunc), TlsOffset),
		Type::getInt8PtrTy(IRB.getContext())->getPointerTo(0));
		}

lib/Target/X86/X86ISelLowering.h

Show First 20 Lines • Show All 897 Lines • ▼ Show 20 Lines	public:
/// offset in some non-standard address space, and populates the address		/// offset in some non-standard address space, and populates the address
/// space and offset as appropriate.		/// space and offset as appropriate.
bool getStackCookieLocation(unsigned &AddressSpace,		bool getStackCookieLocation(unsigned &AddressSpace,
unsigned &Offset) const override;		unsigned &Offset) const override;

/// Return true if the target stores SafeStack pointer at a fixed offset in		/// Return true if the target stores SafeStack pointer at a fixed offset in
/// some non-standard address space, and populates the address space and		/// some non-standard address space, and populates the address space and
/// offset as appropriate.		/// offset as appropriate.
bool getSafeStackPointerLocation(unsigned &AddressSpace,		Value *getSafeStackPointerLocation(IRBuilder<> &IRB) const override;
unsigned &Offset) const override;

SDValue BuildFILD(SDValue Op, EVT SrcVT, SDValue Chain, SDValue StackSlot,		SDValue BuildFILD(SDValue Op, EVT SrcVT, SDValue Chain, SDValue StackSlot,
SelectionDAG &DAG) const;		SelectionDAG &DAG) const;

bool isNoopAddrSpaceCast(unsigned SrcAS, unsigned DestAS) const override;		bool isNoopAddrSpaceCast(unsigned SrcAS, unsigned DestAS) const override;

bool useLoadStackGuardNode() const override;		bool useLoadStackGuardNode() const override;
/// \brief Customize the preferred legalization strategy for certain types.		/// \brief Customize the preferred legalization strategy for certain types.
▲ Show 20 Lines • Show All 221 Lines • Show Last 20 Lines

lib/Target/X86/X86ISelLowering.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 2,109 Lines • ▼ Show 20 Lines	bool X86TargetLowering::getStackCookieLocation(unsigned &AddressSpace,
} else {		} else {
// %gs:0x14 on i386		// %gs:0x14 on i386
Offset = 0x14;		Offset = 0x14;
AddressSpace = 256;		AddressSpace = 256;
}		}
return true;		return true;
}		}

/// Android provides a fixed TLS slot for the SafeStack pointer.		Value *X86TargetLowering::getSafeStackPointerLocation(IRBuilder<> &IRB) const {
/// See the definition of TLS_SLOT_SAFESTACK in
/// https://android.googlesource.com/platform/bionic/+/master/libc/private/bionic_tls.h
bool X86TargetLowering::getSafeStackPointerLocation(unsigned &AddressSpace,
unsigned &Offset) const {
if (!Subtarget->isTargetAndroid())		if (!Subtarget->isTargetAndroid())
return false;		return TargetLowering::getSafeStackPointerLocation(IRB);

		// Android provides a fixed TLS slot for the SafeStack pointer. See the
		// definition of TLS_SLOT_SAFESTACK in
		// https://android.googlesource.com/platform/bionic/+/master/libc/private/bionic_tls.h
		unsigned AddressSpace, Offset;
if (Subtarget->is64Bit()) {		if (Subtarget->is64Bit()) {
// %fs:0x48, unless we're using a Kernel code model, in which case it's %gs:		// %fs:0x48, unless we're using a Kernel code model, in which case it's %gs:
Offset = 0x48;		Offset = 0x48;
if (getTargetMachine().getCodeModel() == CodeModel::Kernel)		if (getTargetMachine().getCodeModel() == CodeModel::Kernel)
AddressSpace = 256;		AddressSpace = 256;
else		else
AddressSpace = 257;		AddressSpace = 257;
} else {		} else {
// %gs:0x24 on i386		// %gs:0x24 on i386
Offset = 0x24;		Offset = 0x24;
AddressSpace = 256;		AddressSpace = 256;
}		}
return true;
		return ConstantExpr::getIntToPtr(
		ConstantInt::get(Type::getInt32Ty(IRB.getContext()), Offset),
		Type::getInt8PtrTy(IRB.getContext())->getPointerTo(AddressSpace));
}		}

bool X86TargetLowering::isNoopAddrSpaceCast(unsigned SrcAS,		bool X86TargetLowering::isNoopAddrSpaceCast(unsigned SrcAS,
unsigned DestAS) const {		unsigned DestAS) const {
assert(SrcAS != DestAS && "Expected different address spaces!");		assert(SrcAS != DestAS && "Expected different address spaces!");

return SrcAS < 256 && DestAS < 256;		return SrcAS < 256 && DestAS < 256;
}		}
▲ Show 20 Lines • Show All 25,358 Lines • Show Last 20 Lines

lib/Transforms/Instrumentation/SafeStack.cpp

Show All 40 Lines
#include "llvm/Target/TargetSubtargetInfo.h"		#include "llvm/Target/TargetSubtargetInfo.h"
#include "llvm/Transforms/Utils/Local.h"		#include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"		#include "llvm/Transforms/Utils/ModuleUtils.h"

using namespace llvm;		using namespace llvm;

#define DEBUG_TYPE "safestack"		#define DEBUG_TYPE "safestack"

static const char *const kUnsafeStackPtrVar = "__safestack_unsafe_stack_ptr";
static const char *const kUnsafeStackPtrAddrFn = "__safestack_pointer_address";

namespace llvm {		namespace llvm {

STATISTIC(NumFunctions, "Total number of functions");		STATISTIC(NumFunctions, "Total number of functions");
STATISTIC(NumUnsafeStackFunctions, "Number of functions with unsafe stack");		STATISTIC(NumUnsafeStackFunctions, "Number of functions with unsafe stack");
STATISTIC(NumUnsafeStackRestorePointsFunctions,		STATISTIC(NumUnsafeStackRestorePointsFunctions,
"Number of functions that use setjmp or exceptions");		"Number of functions that use setjmp or exceptions");

STATISTIC(NumAllocas, "Total number of allocas");		STATISTIC(NumAllocas, "Total number of allocas");
▲ Show 20 Lines • Show All 117 Lines • ▼ Show 20 Lines	class SafeStack : public FunctionPass {
/// Unsafe stack alignment. Each stack frame must ensure that the stack is		/// Unsafe stack alignment. Each stack frame must ensure that the stack is
/// aligned to this value. We need to re-align the unsafe stack if the		/// aligned to this value. We need to re-align the unsafe stack if the
/// alignment of any object on the stack exceeds this value.		/// alignment of any object on the stack exceeds this value.
///		///
/// 16 seems like a reasonable upper bound on the alignment of objects that we		/// 16 seems like a reasonable upper bound on the alignment of objects that we
/// might expect to appear on the stack on most common targets.		/// might expect to appear on the stack on most common targets.
enum { StackAlignment = 16 };		enum { StackAlignment = 16 };

/// \brief Build a constant representing a pointer to the unsafe stack		/// \brief Build a value representing a pointer to the unsafe stack pointer.
/// pointer.
Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F);		Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F);

/// \brief Find all static allocas, dynamic allocas, return instructions and		/// \brief Find all static allocas, dynamic allocas, return instructions and
/// stack restore points (exception unwind blocks and setjmp calls) in the		/// stack restore points (exception unwind blocks and setjmp calls) in the
/// given function and append them to the respective vectors.		/// given function and append them to the respective vectors.
void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,		void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas,		SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<ReturnInst *> &Returns,		SmallVectorImpl<ReturnInst *> &Returns,
▲ Show 20 Lines • Show All 48 Lines • ▼ Show 20 Lines	bool doInitialization(Module &M) override {

return false;		return false;
}		}

bool runOnFunction(Function &F) override;		bool runOnFunction(Function &F) override;
}; // class SafeStack		}; // class SafeStack

Value *SafeStack::getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F) {		Value *SafeStack::getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F) {
Module &M = *F.getParent();		// Check if there is a target-specific location for the unsafe stack pointer.
Triple TargetTriple(M.getTargetTriple());		if (TLI)
		if (Value *V = TLI->getSafeStackPointerLocation(IRB))
		return V;

unsigned Offset;		// Otherwise, assume the target links with compiler-rt, which provides a
unsigned AddressSpace;		// thread-local variable with a magic name.
// Check if the target keeps the unsafe stack pointer at a fixed offset.		Module &M = *F.getParent();
if (TLI && TLI->getSafeStackPointerLocation(AddressSpace, Offset)) {		const char *UnsafeStackPtrVar = "__safestack_unsafe_stack_ptr";
Constant *OffsetVal =
ConstantInt::get(Type::getInt32Ty(F.getContext()), Offset);
return ConstantExpr::getIntToPtr(OffsetVal,
StackPtrTy->getPointerTo(AddressSpace));
}

// Android provides a libc function that returns the stack pointer address.
if (TargetTriple.isAndroid()) {
Value *Fn = M.getOrInsertFunction(kUnsafeStackPtrAddrFn,
StackPtrTy->getPointerTo(0), nullptr);
return IRB.CreateCall(Fn);
} else {
// Otherwise, declare a thread-local variable with a magic name.
auto UnsafeStackPtr =		auto UnsafeStackPtr =
dyn_cast_or_null<GlobalVariable>(M.getNamedValue(kUnsafeStackPtrVar));		dyn_cast_or_null<GlobalVariable>(M.getNamedValue(UnsafeStackPtrVar));

if (!UnsafeStackPtr) {		if (!UnsafeStackPtr) {
// The global variable is not defined yet, define it ourselves.		// The global variable is not defined yet, define it ourselves.
// We use the initial-exec TLS model because we do not support the		// We use the initial-exec TLS model because we do not support the
// variable living anywhere other than in the main executable.		// variable living anywhere other than in the main executable.
UnsafeStackPtr = new GlobalVariable(		UnsafeStackPtr = new GlobalVariable(
/Module=/M, /Type=/StackPtrTy,		M, StackPtrTy, false, GlobalValue::ExternalLinkage, 0,
/isConstant=/false, /Linkage=/GlobalValue::ExternalLinkage,		UnsafeStackPtrVar, nullptr, GlobalValue::InitialExecTLSModel);
/Initializer=/nullptr, /Name=/kUnsafeStackPtrVar,
/InsertBefore=/nullptr,
/ThreadLocalMode=/GlobalValue::InitialExecTLSModel);
} else {		} else {
// The variable exists, check its type and attributes.		// The variable exists, check its type and attributes.
if (UnsafeStackPtr->getValueType() != StackPtrTy) {		if (UnsafeStackPtr->getValueType() != StackPtrTy)
report_fatal_error(Twine(kUnsafeStackPtrVar) + " must have void* type");		report_fatal_error(Twine(UnsafeStackPtrVar) + " must have void* type");
}		if (!UnsafeStackPtr->isThreadLocal())
		report_fatal_error(Twine(UnsafeStackPtrVar) + " must be thread-local");
if (!UnsafeStackPtr->isThreadLocal()) {
report_fatal_error(Twine(kUnsafeStackPtrVar) + " must be thread-local");
}
}		}
return UnsafeStackPtr;		return UnsafeStackPtr;
}		}
}

void SafeStack::findInsts(Function &F,		void SafeStack::findInsts(Function &F,
SmallVectorImpl<AllocaInst *> &StaticAllocas,		SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas,		SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<ReturnInst *> &Returns,		SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints) {		SmallVectorImpl<Instruction *> &StackRestorePoints) {
for (Instruction &I : instructions(&F)) {		for (Instruction &I : instructions(&F)) {
if (auto AI = dyn_cast<AllocaInst>(&I)) {		if (auto AI = dyn_cast<AllocaInst>(&I)) {
▲ Show 20 Lines • Show All 222 Lines • ▼ Show 20 Lines	for (inst_iterator It = inst_begin(&F), Ie = inst_end(&F); It != Ie;) {
SI->takeName(II);		SI->takeName(II);
assert(II->use_empty());		assert(II->use_empty());
II->eraseFromParent();		II->eraseFromParent();
}		}
}		}
}		}
}		}

bool SafeStack::runOnFunction(Function &F) {		bool SafeStack::runOnFunction(Function &F) {
		rengolinUnsubmitted Not Done Reply Inline Actions Moving this around makes it harder to review. Can you move it back where it was? rengolin: Moving this around makes it harder to review. Can you move it back where it was?
		eugenisAuthorUnsubmitted Not Done Reply Inline Actions Sorry, did not noticed the method was moved. Fixed. eugenis: Sorry, did not noticed the method was moved. Fixed.
DEBUG(dbgs() << "[SafeStack] Function: " << F.getName() << "\n");		DEBUG(dbgs() << "[SafeStack] Function: " << F.getName() << "\n");

if (!F.hasFnAttribute(Attribute::SafeStack)) {		if (!F.hasFnAttribute(Attribute::SafeStack)) {
DEBUG(dbgs() << "[SafeStack] safestack is not requested"		DEBUG(dbgs() << "[SafeStack] safestack is not requested"
" for this function\n");		" for this function\n");
return false;		return false;
}		}

▲ Show 20 Lines • Show All 89 Lines • Show Last 20 Lines

test/Transforms/SafeStack/AArch64/abi.ll

	; RUN: opt -safe-stack -S -mtriple=aarch64-linux-android < %s -o - \| FileCheck %s			; RUN: opt -safe-stack -S -mtriple=aarch64-linux-android < %s -o - \| FileCheck %s


	define void @foo() nounwind uwtable safestack {			define void @foo() nounwind uwtable safestack {
	entry:			entry:
	; CHECK: %[[SPA:.]] = call i8* @__safestack_pointer_address()			; CHECK: %[[TP:.]] = call i8 @llvm.aarch64.thread.pointer()
				; CHECK: %[[SPA0:.]] = getelementptr i8, i8 %[[TP]], i32 72
				; CHECK: %[[SPA:.]] = bitcast i8 %[[SPA0]] to i8**
	; CHECK: %[[USP:.]] = load i8, i8** %[[SPA]]			; CHECK: %[[USP:.]] = load i8, i8** %[[SPA]]
	; CHECK: %[[USST:.]] = getelementptr i8, i8 %[[USP]], i32 -16			; CHECK: %[[USST:.]] = getelementptr i8, i8 %[[USP]], i32 -16
	; CHECK: store i8* %[[USST]], i8** %[[SPA]]			; CHECK: store i8* %[[USST]], i8** %[[SPA]]

	%a = alloca i8, align 8			%a = alloca i8, align 8
	call void @Capture(i8* %a)			call void @Capture(i8* %a)

	; CHECK: store i8* %[[USP]], i8** %[[SPA]]			; CHECK: store i8* %[[USP]], i8** %[[SPA]]
	ret void			ret void
	}			}

	declare void @Capture(i8*)			declare void @Capture(i8*)