This is an archive of the discontinued LLVM Phabricator instance.

Differential D86673

[StackColoring] Conservatively merge point pV = &(&Variable) in catch(Variable)
ClosedPublic

Authored by xiangzhangllvm on Aug 26 2020, 8:24 PM.

Details

Reviewers
gkistanova
thanm
dotdash
arielb1
inouehrs
MatzeB
arsenm
craig.topper
LuoYuanke
pengfei
MaskRay
annita.zhang
wxiao3
clin1
Commits
rG7ba3293691be: [StackColoring] Conservatively merge catch point of V for catch(V)
Summary

Conservatively merge pV = &(&Variable) for catch(Variable), EH libs may write the catch value and return the Point (Type**) pV back.
This Point may be dangerously over written due to some work of objects' destructor in try block. (The destructor may work after EH written)

In fact, for the catch point pV, there is usually a very long life range guarded with TIME_START and TIME_END (usually almost through the whole program),
but there is an potion "-stackcoloring-lifetime-start-on-first-use" which will cut it shorter.

This patch try let pV conservatively use its TIME_START and TIME_END as its live-range, not affected by the option "-stackcoloring-lifetime-start-on-first-use"

We find this bug in a big win32 project, which hard to reproduce, now the following case can reproduce.
We also analysis it from front/mid-end, it is hard for front/mid-end to fix this bug, So I continue push this patch go ahead.

Compile with:
 clang-cl -m32 -O2 -EHs test.cpp

__attribute__((noinline,nothrow,weak)) void escape(int *p) { }
struct object {
  int i;
  object() {
    i = 1;
  }
  ~object() {
    // if "object" and "exp" are assigned to the same slot,
    // this assign will corrupt "exp".
    i = 9999;
    escape(&i);
  }
};
inline void throwit() { throw 999; }

volatile int v;
inline void func() {
  try {
    object o;
    throwit();
  }
  // "exp" is written by the OS when the "throw" occurs.
  // Then the destructor is called, and the store-assign
  // clobbers the value of "exp".
  // The dereference of "exp" (with value 9999) causes a crash.
  catch (int &exp) {
    v = exp;
  }
}

int main() {
  func();
  return 0;
}

Diff Detail

Event Timeline

xiangzhangllvm created this revision.Aug 26 2020, 8:24 PM
Herald added a reviewer: gkistanova. · View Herald TranscriptAug 26 2020, 8:24 PM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: llvm-commits, hiraditya. · View Herald Transcript
xiangzhangllvm requested review of this revision.Aug 26 2020, 8:24 PM
efriedma added reviewers: thanm, dotdash, arielb1, inouehrs, MatzeB, arsenm.Aug 26 2020, 9:45 PM
efriedma added a subscriber: efriedma.

Special-casing a specific load instruction isn't the right approach; the affected instruction is, at best, unpredictable.

Fundamentally, the issue is that the code can't really figure out what the lifetime of the alloca is supposed to be. On the non-exception path, there's an llvm.lifetime.end marker, but on the exception path there is no such marker.

I see two possible approaches here:

  1. Teach stackcoloring to detect that there's a "missing" llvm.lifetime.end marker for the alloca in question, and handle that somehow.
  2. Teach clang to emit an appropriate llvm.lifetime.end marker in the catch block, to precisely express the lifetime to stackcoloring.
Herald added a subscriber: wdng. · View Herald TranscriptAug 26 2020, 9:45 PM
xiangzhangllvm added reviewers: craig.topper, LuoYuanke, pengfei, MaskRay.Aug 26 2020, 10:41 PM
xiangzhangllvm added a reviewer: annita.zhang.Aug 26 2020, 10:44 PM
xiangzhangllvm edited the summary of this revision. (Show Details)Aug 26 2020, 10:48 PM
xiangzhangllvm added a comment.EditedAug 26 2020, 11:03 PM

Hello efriedma, first thanks for your suggestion.
I agree with"specific load instruction isn't good approach", I just don't know how to easily identify the catch variable in Machine IR.
So I choose the first Load in landing-pad. (I think this can be checked in catch's lowering)

I think there isn't problem of llvm.lifetime.start/end, please see the test in the patch, line 240, 241, 250, 276 all marked with lifetime.start/end.
Without this patch, The catch variable will still be merged even it guard with " lifetime.start/end" and has life-interval with other variable's life range.

xiangzhangllvm added a reviewer: wxiao3.Aug 26 2020, 11:18 PM
lebedev.ri retitled this revision from Conservatively merge &&Variable for catch(Variable) to [StackColoring] Conservatively merge &&Variable for catch(Variable).Aug 26 2020, 11:52 PM
xiangzhangllvm edited the summary of this revision. (Show Details)Aug 27 2020, 1:28 AM
efriedma added a comment.Aug 27 2020, 3:50 AM

I think there isn't problem of llvm.lifetime.start/end, please see the test in the patch, line 240, 241, 250, 276 all marked with lifetime.start/end.

Those markings aren't really complete. In particular, if the call throws an exception, the LIFETIME_END of the allocation %stack.1.ex2 never runs. So it's not clear when the lifetime is supposed to end.

thanm added a comment.Aug 27 2020, 5:01 AM

I agree with Eli, this does not seem like a good fix, it would be better to figure out why/how the lifetime markers wind up malformed and work on the problem from that angle.

xiangzhangllvm added a comment.Aug 27 2020, 10:13 PM
xiangzhangllvm added inline comments.Aug 27 2020, 10:17 PM
llvm/test/CodeGen/X86/StackColoring-first-use-in-catch.mir
251

Here really I manually add the LIFETIME_END to reproduce merge action.
I'll re-analysis the problem project, thank you for your advise!

xiangzhangllvm updated this revision to Diff 300567.Oct 25 2020, 6:58 PM
xiangzhangllvm retitled this revision from [StackColoring] Conservatively merge &&Variable for catch(Variable) to [StackColoring] Conservatively merge Variable in catch(Variable).
xiangzhangllvm edited the summary of this revision. (Show Details)
xiangzhangllvm added a reviewer: clin1.
xiangzhangllvm edited the summary of this revision. (Show Details)
clin1 added inline comments.Oct 26 2020, 3:03 PM
llvm/lib/CodeGen/StackColoring.cpp
706

It might be worth explaining here that the runtime writes to X outside of the user code, which is why we don't know the exact start of the lifetime.
Question: Why does a memory read start a stack value lifetime---shouldn't it be a write? And if we don't find a write, then the coloring should be conservative?

clin1 added inline comments.Oct 26 2020, 3:39 PM
llvm/test/CodeGen/X86/StackColoring-first-use-in-catch.mir
8

The "printf" calls and string values can be removed from the test case. The optimizer passes must be prevented from removing the "i = 9999" in the destructor, and "exp" must be read in the catch block. This can be done in simpler ways (volatile store, call to dummy non-removable function, etc.)

xiangzhangllvm added inline comments.Oct 26 2020, 5:54 PM
llvm/lib/CodeGen/StackColoring.cpp
706

Yes, maybe we can check the "write", but I am afraid the "undef" stack-value, it may just has read at first use.

Current stack-coloring code didn't distinguish the read/write status for the stack-mem operand in MI,
please refer line 611, "InterestingSlots.test(Slot)" mainly check if the stack-slot guard with lifetime.start/end, and
the applyFirstUse(Slot) is mainly check the LifetimeStartOnFirstUse option.

I'll update the test, thank you a lot!

xiangzhangllvm updated this revision to Diff 300881.Oct 26 2020, 8:52 PM
Herald added a subscriber: jfb. · View Herald TranscriptOct 26 2020, 8:52 PM
xiangzhangllvm updated this revision to Diff 300900.Oct 26 2020, 11:17 PM
xiangzhangllvm marked an inline comment as done.Oct 26 2020, 11:24 PM
xiangzhangllvm added inline comments.
llvm/lib/CodeGen/StackColoring.cpp
706

@clin1 Thx for your hint!
Now this patch first record the "write Solt" into StoreSlots, and collect the "load Slot" in catchpad.
After doing that, check "write Solt" and "catchpad load Slot", then put it into ConservativeSlots or not.

xiangzhangllvm edited the summary of this revision. (Show Details)Oct 26 2020, 11:26 PM
xiangzhangllvm edited the summary of this revision. (Show Details)
LuoYuanke added inline comments.Oct 26 2020, 11:40 PM
llvm/test/CodeGen/X86/StackColoring-first-use-in-catch.mir
8

Since you have an .cpp or .ll to duplicate the bug, do you still need .mir test case?

xiangzhangllvm added inline comments.Oct 26 2020, 11:45 PM
llvm/test/CodeGen/X86/StackColoring-first-use-in-catch.mir
8

Yes, .mir test is better, I used "-run-pass=stack-coloring" here.
it let us just test the "stack-coloring" changing, not affected by other optimizations.

thanm added a comment.Oct 27 2020, 5:26 AM

In your C++ test case, you write this:

// "exp" is written by the OS when the "throw" occurs.

however when I compile the testcase as instructed I see the following entry block:

define dso_local i32 @main() local_unnamed_addr #1 personality i32 (...)* @__CxxFrameHandler3 {
entry:
  %tmp.i.i = alloca i32, align 4
  %o.i = alloca %struct.object, align 4
  %exp.i = alloca i32*, align 4
  %0 = bitcast i32** %exp.i to i8*
  call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %0)
  %1 = bitcast %struct.object* %o.i to i8*
  call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %1) #3
  %i.i.i = getelementptr inbounds %struct.object, %struct.object* %o.i, i32 0, i32 0
  store i32 1, i32* %i.i.i, align 4
  %2 = bitcast i32* %tmp.i.i to i8*
  call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %2)
  store i32 999, i32* %tmp.i.i, align 4
  invoke void @_CxxThrowException(i8* nonnull %2, %eh.ThrowInfo* nonnull @_TI1H) #4
          to label %.noexc.i unwind label %ehcleanup.i

If as you say the OS writes to "%exp.i", then this should be reflected in the IR in the entry block -- the call/invoke should include a reference to the thing that potentially gets written. Otherwise it's hard to see how optimization passes can safely work on the IR.

Suppose this was a C program and the code looked like

int myfunction() {
  char b[128];
  somefunction();
  ... 
  b[0] = ...
}

You are effectively saying "When the call to 'somefunction' happens, the OS may write to 'b'", even though the address of 'b' is not used until much later in the function.

This doesn't make sense -- what would be better is to have the IR reflect realitty, e.g. that the address in question has effectively escaped, and thus it can be written at calls, etc.

xiangzhangllvm added a comment.Oct 27 2020, 6:41 AM

Unlike linux, usually by @__cxa_begin_catch ,windows Exception didn't has a suitable port to reflect how it change the catch value, it is more like a "ABI" action, where the throw impliedly write and where the catch block get it.
I think the early designer do this mainly because the catch value (e.g. type** exp.i), is only used in adjacent catch block.

xiangzhangllvm added a comment.Oct 28 2020, 5:48 PM

First, I thanks for your careful reviewing.
The windows Exception model has work well for many years, I tend not to change it. If we carefully watch the catch values (e.g. Type * *exp.i), we will find that they usually have a very long life range guarded by lifetime.start and lifetime.end, (usually almost equal with the whole function life range).
This seems that the front/mid ends don't want to do much optimization on this special mechanism, because in their eyes, the back-end optimization should based on the lifetime.start and lifetime.end they generated.
And if we reflected it in the IR, it will bring much complexity into current clear mid end IR, because every function in try block (may contain branch) need to reflected that it may change the catch values (e.g. Type * *exp.i).
I also find that, current "-stackcoloring-lifetime-start-on-first-use" didn't handle the multi-lifetime.start/end case, catch value may has multi-first use. it is make sense to handle the corner case of catch variable in this option.
What's more, current patch is simple and clear, I think it is the most probably easiest way to fix this bug.

xiangzhangllvm added a comment.Nov 2 2020, 12:35 AM

Hello @thanm, I think you care about this patch/bug, do you have additional comments? If you feel my idea is reasonable, could you help accept this patch, thank you again!

thanm added a comment.Nov 2 2020, 8:09 AM

If updating the front end is out of the question, then I suppose your approach makes sense.

I'll send some additional comments.

thanm added a comment.Nov 2 2020, 8:21 AM

In your commit message. you refer to "Conservatively merge &(&Variable) for catch(Variable)" -- this seems like a problematic choice of words/terminology. StackColoring operates on slots, not on addresses of slots.

Also "there is a potion" => "there is an option"

llvm/lib/CodeGen/StackColoring.cpp
437

"for which may write memory" is awkward wording. How about "Record the FI slots referenced by a 'may write to memory' instruction?

691

I think it would be better to append this comment to the large block at the start of the file (from lines 103-375), since that's currently the place for discussions about how the algorithm works and the various limitations. You can then refer back up to it here.

703

This doesn't make sense to me. ConservativeSlots contains slots, not addresses of slots -- I think it would be clearer just to say "we put X into ConservativeSlots".

xiangzhangllvm updated this revision to Diff 302446.Nov 2 2020, 6:39 PM
xiangzhangllvm retitled this revision from [StackColoring] Conservatively merge Variable in catch(Variable) to [StackColoring] Conservatively merge point pV = &(&Variable) in catch(Variable).
xiangzhangllvm edited the summary of this revision. (Show Details)
xiangzhangllvm marked 5 inline comments as done.
xiangzhangllvm added a comment.Nov 2 2020, 6:42 PM

Thanks for your review !

thanm accepted this revision.Nov 3 2020, 12:40 PM

LGTM. Is there a bug number associated with this?

This revision is now accepted and ready to land.Nov 3 2020, 12:40 PM
xiangzhangllvm added a comment.Nov 3 2020, 3:53 PM
In D86673#2372064, @thanm wrote:

LGTM. Is there a bug number associated with this?

Thank you! There is no bug number, did you mean I need to put it on Bugzilla ?

xiangzhangllvm added a comment.Nov 3 2020, 4:37 PM

I created a bug ID (48064) for it https://bugs.llvm.org/show_bug.cgi?id=48064

pengfei added a comment.Nov 3 2020, 4:46 PM
In D86673#2372616, @xiangzhangllvm wrote:

I created a bug ID (48064) for it https://bugs.llvm.org/show_bug.cgi?id=48064

Then you can change your test case name to pr48064.mir

xiangzhangllvm added a comment.Nov 3 2020, 4:50 PM

Then you can change your test case name to pr48064.mir

OK, good, I'll change it in committing.

Closed by commit rG7ba3293691be: [StackColoring] Conservatively merge catch point of V for catch(V) (authored by xiangzhangllvm). · Explain WhyNov 3 2020, 6:55 PM
This revision was automatically updated to reflect the committed changes.
xiangzhangllvm added a commit: rG7ba3293691be: [StackColoring] Conservatively merge catch point of V for catch(V).
LuoYuanke added a comment.Nov 3 2020, 7:17 PM

Good to see the problem is solved. Thank you! 😊

nikic mentioned this in rGb3cb4f069c2c: [StackColoring] Handle SEH catch object stack slots conservatively.Sep 22 2023, 2:51 AM

Revision Contents

PathSize
llvm/
lib/
CodeGen/
30 lines
test/
CodeGen/
X86/
435 lines

Diff 300881

llvm/lib/CodeGen/StackColoring.cpp

Show First 20 LinesShow All 428 Lines▼ Show 20 Linesclass StackColoring : public MachineFunctionPass {
/// Record the FI slots for which we have seen some sort of /// Record the FI slots for which we have seen some sort of
/// lifetime marker (either start or end). /// lifetime marker (either start or end).
BitVector InterestingSlots; BitVector InterestingSlots;
/// FI slots that need to be handled conservatively (for these /// FI slots that need to be handled conservatively (for these
/// slots lifetime-start-on-first-use is disabled). /// slots lifetime-start-on-first-use is disabled).
BitVector ConservativeSlots; BitVector ConservativeSlots;
/// Number of iterations taken during data flow analysis. /// Number of iterations taken during data flow analysis.
thanmUnsubmitted
Done
ReplyInline Actions

"for which may write memory" is awkward wording. How about "Record the FI slots referenced by a 'may write to memory' instruction?

thanm: "for which may write memory" is awkward wording. How about "Record the FI slots referenced by a…
unsigned NumIterations; unsigned NumIterations;
public: public:
static char ID; static char ID;
StackColoring() : MachineFunctionPass(ID) { StackColoring() : MachineFunctionPass(ID) {
initializeStackColoringPass(*PassRegistry::getPassRegistry()); initializeStackColoringPass(*PassRegistry::getPassRegistry());
} }
▲ Show 20 LinesShow All 200 Lines▼ Show 20 Lines for (MachineBasicBlock::const_pred_iterator PI = MBB->pred_begin(),
PE = MBB->pred_end(); PI != PE; ++PI) { PE = MBB->pred_end(); PI != PE; ++PI) {
BlockBitVecMap::const_iterator I = SeenStartMap.find(*PI); BlockBitVecMap::const_iterator I = SeenStartMap.find(*PI);
if (I != SeenStartMap.end()) { if (I != SeenStartMap.end()) {
BetweenStartEnd |= I->second; BetweenStartEnd |= I->second;
} }
} }
// Walk the instructions in the block to look for start/end ops. // Walk the instructions in the block to look for start/end ops.
bool FirstLoad = true;
for (MachineInstr &MI : *MBB) { for (MachineInstr &MI : *MBB) {
if (MI.getOpcode() == TargetOpcode::LIFETIME_START || if (MI.getOpcode() == TargetOpcode::LIFETIME_START ||
MI.getOpcode() == TargetOpcode::LIFETIME_END) { MI.getOpcode() == TargetOpcode::LIFETIME_END) {
int Slot = getStartOrEndSlot(MI); int Slot = getStartOrEndSlot(MI);
if (Slot < 0) if (Slot < 0)
continue; continue;
InterestingSlots.set(Slot); InterestingSlots.set(Slot);
if (MI.getOpcode() == TargetOpcode::LIFETIME_START) { if (MI.getOpcode() == TargetOpcode::LIFETIME_START) {
Show All 20 Lines for (MachineInstr &MI : *MBB) {
if (!MO.isFI()) if (!MO.isFI())
continue; continue;
int Slot = MO.getIndex(); int Slot = MO.getIndex();
if (Slot < 0) if (Slot < 0)
continue; continue;
if (! BetweenStartEnd.test(Slot)) { if (! BetweenStartEnd.test(Slot)) {
ConservativeSlots.set(Slot); ConservativeSlots.set(Slot);
} }
// There is a bug for using LifetimeStartOnFirstUse in win32.
thanmUnsubmitted
Done
ReplyInline Actions

I think it would be better to append this comment to the large block at the start of the file (from lines 103-375), since that's currently the place for discussions about how the algorithm works and the various limitations. You can then refer back up to it here.

thanm: I think it would be better to append this comment to the large block at the start of the file…
// class Type1 {
// ...
// ~Type1(){ write memory;}
// }
// ...
// try{
// Type1 V
// ...
// } catch (Type2 X){
// ...
// }
// For variable X in catch(X), we put &(&X) into ConservativeSlots
thanmUnsubmitted
Done
ReplyInline Actions

This doesn't make sense to me. ConservativeSlots contains slots, not addresses of slots -- I think it would be clearer just to say "we put X into ConservativeSlots".

thanm: This doesn't make sense to me. ConservativeSlots contains slots, not addresses of slots -- I…
// to prevent using LifetimeStartOnFirstUse. Because &(&X) may merged
// with object V which may call destructor after write &(&X). All these
// are done in C++ EH runtime libs (through CxxThrowException), and
clin1Unsubmitted
Done
ReplyInline Actions

It might be worth explaining here that the runtime writes to X outside of the user code, which is why we don't know the exact start of the lifetime.
Question: Why does a memory read start a stack value lifetime---shouldn't it be a write? And if we don't find a write, then the coloring should be conservative?

clin1: It might be worth explaining here that the runtime writes to X outside of the user code, which…
xiangzhangllvmAuthorUnsubmitted
Done
ReplyInline Actions

Yes, maybe we can check the "write", but I am afraid the "undef" stack-value, it may just has read at first use.

Current stack-coloring code didn't distinguish the read/write status for the stack-mem operand in MI,
please refer line 611, "InterestingSlots.test(Slot)" mainly check if the stack-slot guard with lifetime.start/end, and
the applyFirstUse(Slot) is mainly check the LifetimeStartOnFirstUse option.

I'll update the test, thank you a lot!

xiangzhangllvm: Yes, maybe we can check the "write", but I am afraid the "undef" stack-value, it may just has…
xiangzhangllvmAuthorUnsubmitted
Done
ReplyInline Actions

@clin1 Thx for your hint!
Now this patch first record the "write Solt" into StoreSlots, and collect the "load Slot" in catchpad.
After doing that, check "write Solt" and "catchpad load Slot", then put it into ConservativeSlots or not.

xiangzhangllvm: @clin1 Thx for your hint! Now this patch first record the "write Solt" into StoreSlots, and…
// hard to check it in IR level.
//
// The loader of &(&X) is the first LOAD MI in EHPad. Some like:
// bb.x.catch.i (landing-pad, ehfunclet-entry):
// ; predecessors: %bb...
// successors: %bb...
// %x:gr32 = MOV32rm %stack.X.i ...
// ...
if (MF->getWinEHFuncInfo() && FirstLoad &&
MBB->isEHPad() && MI.mayLoad()) {
FirstLoad = false;
ConservativeSlots.set(Slot);
}
} }
} }
} }
BitVector &SeenStart = SeenStartMap[MBB]; BitVector &SeenStart = SeenStartMap[MBB];
SeenStart |= BetweenStartEnd; SeenStart |= BetweenStartEnd;
} }
if (!MarkersFound) { if (!MarkersFound) {
return 0; return 0;
▲ Show 20 LinesShow All 629 LinesShow Last 20 Lines

llvm/test/CodeGen/X86/StackColoring-first-use-in-catch.mir

  • This file was added.
# RUN: llc -mtriple="i386-pc-windows-msvc" -run-pass=stack-coloring %s -o - | FileCheck %s
# There is a problem with the exception handler, we found in windows, when set
# LifetimeStartOnFirstUse=true for stack-coloring in default. Take the following
# case for example:
#
#// Compile with "clang-cl -m32 -O2 -EHs test.cpp"
#__attribute__((noinline,nothrow,weak)) void escape(int *p) { }
clin1Unsubmitted
Done
ReplyInline Actions

The "printf" calls and string values can be removed from the test case. The optimizer passes must be prevented from removing the "i = 9999" in the destructor, and "exp" must be read in the catch block. This can be done in simpler ways (volatile store, call to dummy non-removable function, etc.)

clin1: The "printf" calls and string values can be removed from the test case. The optimizer passes…
LuoYuankeUnsubmitted
Done
ReplyInline Actions

Since you have an .cpp or .ll to duplicate the bug, do you still need .mir test case?

LuoYuanke: Since you have an .cpp or .ll to duplicate the bug, do you still need .mir test case?
xiangzhangllvmAuthorUnsubmitted
Done
ReplyInline Actions

Yes, .mir test is better, I used "-run-pass=stack-coloring" here.
it let us just test the "stack-coloring" changing, not affected by other optimizations.

xiangzhangllvm: Yes, .mir test is better, I used "-run-pass=stack-coloring" here. it let us just test the…
#struct object {
# int i;
# object() {
# i = 1;
# }
# ~object() {
# // if "object" and "exp" are assigned to the same slot,
# // this assign will corrupt "exp".
# i = 9999;
# escape(&i);
# }
#};
#inline void throwit() { throw 999; }
#
#volatile int v;
#inline void func() {
# try {
# object o;
# throwit();
# }
# // "exp" is written by the OS when the "throw" occurs.
# // Then the destructor is called, and the store-assign
# // clobbers the value of "exp".
# // The dereference of "exp" (with value 9999) causes a crash.
# // All these done in libruntime, so it is hard to check in IR.
# catch (int &exp) {
# v = exp;
# }
#}
#
#int main() {
# func();
# return 0;
#}
## Make sure that o.i not merge with exp.i
# CHECK: stack:
# CHECK: id: 2, name: o.i, type: default, offset: 0, size: 4, alignment: 4,
# CHECK: id: 3, name: exp.i, type: default, offset: 0, size: 4, alignment: 4,
## Make sure that %stack.3.exp.i not replaced with %stack.2.o.i
# CHECK: bb.3.catch.i (landing-pad, ehfunclet-entry):
# CHECK: %7:gr32 = MOV32rm %stack.3.exp.i, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.exp.i)
--- |
; ModuleID = 'test-pre-stc.mir'
source_filename = "test.cpp"
target datalayout = "e-m:x-p:32:32-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:32-n8:16:32-a:0:32-S32"
%rtti.TypeDescriptor2 = type { i8**, i8*, [3 x i8] }
%eh.CatchableType = type { i32, i8*, i32, i32, i32, i32, i8* }
%eh.CatchableTypeArray.1 = type { i32, [1 x %eh.CatchableType*] }
%eh.ThrowInfo = type { i32, i8*, i8*, i8* }
%CXXExceptionRegistration = type { i8*, %EHRegistrationNode, i32 }
%EHRegistrationNode = type { %EHRegistrationNode*, i8* }
%struct.object = type { i32 }
$"_R0H@8" = comdat any
$"_CT_R0H@84" = comdat any
$_CTA1H = comdat any
$_TI1H = comdat any
@v__3HC = dso_local global i32 0, align 4
@"_7type_info__6B@" = external constant i8*
@"_R0H@8" = linkonce_odr global %rtti.TypeDescriptor2 { i8** @"_7type_info__6B@", i8* null, [3 x i8] c".H\00" }, comdat
@"_CT_R0H@84" = linkonce_odr unnamed_addr constant %eh.CatchableType { i32 1, i8* bitcast (%rtti.TypeDescriptor2* @"_R0H@8" to i8*), i32 0, i32 -1, i32 0, i32 4, i8* null }, section ".xdata", comdat
@_CTA1H = linkonce_odr unnamed_addr constant %eh.CatchableTypeArray.1 { i32 1, [1 x %eh.CatchableType*] [%eh.CatchableType* @"_CT_R0H@84"] }, section ".xdata", comdat
@_TI1H = linkonce_odr unnamed_addr constant %eh.ThrowInfo { i32 0, i8* null, i8* null, i8* bitcast (%eh.CatchableTypeArray.1* @_CTA1H to i8*) }, section ".xdata", comdat
; Function Attrs: noinline nounwind sspstrong
define weak dso_local void @"escape__YAXPAH@Z"(i32* %p) local_unnamed_addr #0 {
entry:
ret void
}
; Function Attrs: norecurse sspstrong
define dso_local i32 @main() local_unnamed_addr #1 personality i32 (...)* @__CxxFrameHandler3 {
entry:
%0 = alloca %CXXExceptionRegistration, align 4
%1 = bitcast %CXXExceptionRegistration* %0 to i8*
call void @llvm.x86.seh.ehregnode(i8* %1)
%2 = call i8* @llvm.stacksave()
%3 = getelementptr inbounds %CXXExceptionRegistration, %CXXExceptionRegistration* %0, i32 0, i32 0
store i8* %2, i8** %3, align 4
%4 = getelementptr inbounds %CXXExceptionRegistration, %CXXExceptionRegistration* %0, i32 0, i32 2
store i32 -1, i32* %4, align 4
%5 = getelementptr inbounds %CXXExceptionRegistration, %CXXExceptionRegistration* %0, i32 0, i32 1
%6 = getelementptr inbounds %EHRegistrationNode, %EHRegistrationNode* %5, i32 0, i32 1
store i8* bitcast (i32 (i8*, i8*, i8*, i8*)* @"__ehhandler$main" to i8*), i8** %6, align 4
%7 = load %EHRegistrationNode*, %EHRegistrationNode* addrspace(257)* null, align 4
%8 = getelementptr inbounds %EHRegistrationNode, %EHRegistrationNode* %5, i32 0, i32 0
store %EHRegistrationNode* %7, %EHRegistrationNode** %8, align 4
store %EHRegistrationNode* %5, %EHRegistrationNode* addrspace(257)* null, align 4
%tmp.i.i = alloca i32, align 4
%o.i = alloca %struct.object, align 4
%zx = alloca i32*, align 4
%exp.i = alloca i32*, align 4
%9 = bitcast i32** %exp.i to i8*
call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %9)
%10 = bitcast %struct.object* %o.i to i8*
call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %10) #7
%i.i.i1 = bitcast %struct.object* %o.i to i32*
store i32 1, i32* %i.i.i1, align 4
%11 = bitcast i32* %tmp.i.i to i8*
call void @llvm.lifetime.start.p0i8(i64 4, i8* nonnull %11)
store i32 999, i32* %tmp.i.i, align 4
%12 = getelementptr inbounds %CXXExceptionRegistration, %CXXExceptionRegistration* %0, i32 0, i32 2
store i32 1, i32* %12, align 4
invoke void @_CxxThrowException(i8* nonnull %11, %eh.ThrowInfo* nonnull @_TI1H) #8
to label %.noexc.i unwind label %ehcleanup.i
.noexc.i: ; preds = %entry
unreachable
ehcleanup.i: ; preds = %entry
%13 = cleanuppad within none []
%14 = bitcast %struct.object* %o.i to i32*
%15 = bitcast %struct.object* %o.i to i8*
store i32 9999, i32* %14, align 4
call void @"escape__YAXPAH@Z"(i32* nonnull %14) #7 [ "funclet"(token %13) ]
call void @llvm.lifetime.end.p0i8(i64 4, i8* nonnull %15) #7
cleanupret from %13 unwind label %catch.dispatch.i
catch.dispatch.i: ; preds = %ehcleanup.i
%16 = catchswitch within none [label %catch.i] unwind to caller
catch.i: ; preds = %catch.dispatch.i
%17 = catchpad within %16 [%rtti.TypeDescriptor2* @"_R0H@8", i32 8, i32** %exp.i]
%18 = load i32*, i32** %exp.i, align 4
%19 = load i32, i32* %18, align 4
store atomic volatile i32 %19, i32* @v__3HC release, align 4
catchret from %17 to label %func__YAXXZ.exit
func__YAXXZ.exit: ; preds = %catch.i
%20 = bitcast i32** %exp.i to i8*
call void @llvm.lifetime.end.p0i8(i64 4, i8* nonnull %20)
%21 = getelementptr inbounds %CXXExceptionRegistration, %CXXExceptionRegistration* %0, i32 0, i32 1
%22 = getelementptr inbounds %EHRegistrationNode, %EHRegistrationNode* %21, i32 0, i32 0
%23 = load %EHRegistrationNode*, %EHRegistrationNode** %22, align 4
store %EHRegistrationNode* %23, %EHRegistrationNode* addrspace(257)* null, align 4
ret i32 0
}
; Function Attrs: argmemonly nofree nosync nounwind willreturn
declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture) #2
; Function Attrs: nofree
declare dso_local i32 @__CxxFrameHandler3(...) #3
; Function Attrs: argmemonly nofree nosync nounwind willreturn
declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture) #2
; Function Attrs: nofree
declare dso_local x86_stdcallcc void @_CxxThrowException(i8*, %eh.ThrowInfo*) local_unnamed_addr #3
declare i32 @_setjmp3(i8*, i32, ...)
; Function Attrs: nofree nosync nounwind willreturn
declare i8* @llvm.stacksave() #4
define internal i32 @"__ehhandler$main"(i8* %0, i8* %1, i8* %2, i8* %3) #5 {
entry:
%4 = call i8* @llvm.x86.seh.lsda(i8* bitcast (i32 ()* @main to i8*))
%5 = tail call i32 bitcast (i32 (...)* @__CxxFrameHandler3 to i32 (i8*, i8*, i8*, i8*, i8*)*)(i8* inreg %4, i8* %0, i8* %1, i8* %2, i8* %3)
ret i32 %5
}
; Function Attrs: nounwind readnone
declare i8* @llvm.x86.seh.lsda(i8*) #6
declare x86_stdcallcc void @__CxxLongjmpUnwind(i8*)
; Function Attrs: nounwind
declare void @llvm.x86.seh.ehregnode(i8*) #7
attributes #0 = { noinline nounwind sspstrong "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "frame-pointer"="none" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="pentium4" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #1 = { norecurse sspstrong "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "frame-pointer"="none" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="pentium4" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #2 = { argmemonly nofree nosync nounwind willreturn }
attributes #3 = { nofree }
attributes #4 = { nofree nosync nounwind willreturn }
attributes #5 = { "safeseh" }
attributes #6 = { nounwind readnone }
attributes #7 = { nounwind }
attributes #8 = { noreturn }
!llvm.linker.options = !{!0, !1, !2}
!llvm.module.flags = !{!3, !4}
!llvm.ident = !{!5}
!0 = !{!"/DEFAULTLIB:libcmt.lib"}
!1 = !{!"/DEFAULTLIB:libmmt.lib"}
!2 = !{!"/DEFAULTLIB:oldnames.lib"}
!3 = !{i32 1, !"NumRegisterParameters", i32 0}
!4 = !{i32 1, !"wchar_size", i32 2}
!5 = !{!"Intel(R) oneAPI DPC++ Compiler Pro 2021.1 (YYYY.x.0.MMDD)"}
...
---
name: 'escape__YAXPAH@Z'
alignment: 16
exposesReturnsTwice: false
legalized: false
regBankSelected: false
selected: false
failedISel: false
tracksRegLiveness: true
hasWinCFI: false
registers: []
liveins: []
frameInfo:
isFrameAddressTaken: false
isReturnAddressTaken: false
hasStackMap: false
hasPatchPoint: false
stackSize: 0
offsetAdjustment: 0
maxAlignment: 4
adjustsStack: false
hasCalls: false
stackProtector: ''
maxCallFrameSize: 4294967295
cvBytesOfCalleeSavedRegisters: 0
hasOpaqueSPAdjustment: false
hasVAStart: false
hasMustTailInVarArgFunc: false
localFrameSize: 0
savePoint: ''
restorePoint: ''
fixedStack:
- { id: 0, type: default, offset: 0, size: 4, alignment: 4, stack-id: default,
isImmutable: true, isAliased: false, callee-saved-register: '', callee-saved-restored: true,
debug-info-variable: '', debug-info-expression: '', debug-info-location: '' }
stack: []
callSites: []
debugValueSubstitutions: []
constants: []
machineFunctionInfo: {}
body: |
bb.0.entry:
RET 0
xiangzhangllvmAuthorUnsubmitted
Done
ReplyInline Actions

Here really I manually add the LIFETIME_END to reproduce merge action.
I'll re-analysis the problem project, thank you for your advise!

xiangzhangllvm: Here really I manually add the LIFETIME_END to reproduce merge action. I'll re-analysis the…
...
---
name: main
alignment: 16
exposesReturnsTwice: false
legalized: false
regBankSelected: false
selected: false
failedISel: false
tracksRegLiveness: true
hasWinCFI: false
registers:
- { id: 0, class: gr32, preferred-register: '' }
- { id: 1, class: gr32, preferred-register: '' }
- { id: 2, class: gr32, preferred-register: '' }
- { id: 3, class: gr32, preferred-register: '' }
- { id: 4, class: gr32, preferred-register: '' }
- { id: 5, class: gr32, preferred-register: '' }
- { id: 6, class: gr32, preferred-register: '' }
- { id: 7, class: gr32, preferred-register: '' }
- { id: 8, class: gr32, preferred-register: '' }
- { id: 9, class: gr32, preferred-register: '' }
- { id: 10, class: gr32, preferred-register: '' }
liveins: []
frameInfo:
isFrameAddressTaken: false
isReturnAddressTaken: false
hasStackMap: false
hasPatchPoint: false
stackSize: 0
offsetAdjustment: 0
maxAlignment: 4
adjustsStack: false
hasCalls: true
stackProtector: ''
maxCallFrameSize: 4294967295
cvBytesOfCalleeSavedRegisters: 0
hasOpaqueSPAdjustment: true
hasVAStart: false
hasMustTailInVarArgFunc: false
localFrameSize: 0
savePoint: ''
restorePoint: ''
fixedStack: []
stack:
- { id: 0, name: zx, type: default, offset: 0, size: 16, alignment: 4,
stack-id: default, callee-saved-register: '', callee-saved-restored: true,
debug-info-variable: '', debug-info-expression: '', debug-info-location: '' }
- { id: 1, name: tmp.i.i, type: default, offset: 0, size: 4, alignment: 4,
stack-id: default, callee-saved-register: '', callee-saved-restored: true,
debug-info-variable: '', debug-info-expression: '', debug-info-location: '' }
- { id: 2, name: o.i, type: default, offset: 0, size: 4, alignment: 4,
stack-id: default, callee-saved-register: '', callee-saved-restored: true,
debug-info-variable: '', debug-info-expression: '', debug-info-location: '' }
- { id: 3, name: exp.i, type: default, offset: 0, size: 4, alignment: 4,
stack-id: default, callee-saved-register: '', callee-saved-restored: true,
debug-info-variable: '', debug-info-expression: '', debug-info-location: '' }
callSites: []
debugValueSubstitutions: []
constants: []
machineFunctionInfo: {}
body: |
bb.0.entry:
successors: %bb.1(0x7ffff800), %bb.2(0x00000800)
%0:gr32 = COPY $esp
MOV32mr %stack.0.zx, 1, $noreg, 0, $noreg, %0 :: (store 4 into %ir.3)
MOV32mi %stack.0.zx, 1, $noreg, 12, $noreg, -1 :: (store 4 into %ir.4)
%1:gr32 = nuw LEA32r %stack.0.zx, 1, $noreg, 4, $noreg
MOV32mi %stack.0.zx, 1, $noreg, 8, $noreg, @"__ehhandler$main" :: (store 4 into %ir.6)
%2:gr32 = MOV32rm $noreg, 1, $noreg, 0, $fs :: (load 4 from `%EHRegistrationNode* addrspace(257)* null`, addrspace 257)
MOV32mr %stack.0.zx, 1, $noreg, 4, $noreg, killed %2 :: (store 4 into %ir.8)
MOV32mr $noreg, 1, $noreg, 0, $fs, killed %1 :: (store 4 into `%EHRegistrationNode* addrspace(257)* null`, addrspace 257)
MOV32mi %stack.2.o.i, 1, $noreg, 0, $noreg, 1 :: (store 4 into %ir.i.i.i1)
MOV32mi %stack.1.tmp.i.i, 1, $noreg, 0, $noreg, 999 :: (store 4 into %ir.tmp.i.i)
MOV32mi %stack.0.zx, 1, $noreg, 12, $noreg, 1 :: (store 4 into %ir.12)
ADJCALLSTACKDOWN32 8, 0, 0, implicit-def dead $esp, implicit-def dead $eflags, implicit-def dead $ssp, implicit $esp, implicit $ssp
%3:gr32 = COPY $esp
%4:gr32 = LEA32r %stack.1.tmp.i.i, 1, $noreg, 0, $noreg
MOV32mr %3, 1, $noreg, 0, $noreg, killed %4 :: (store 4 into stack)
MOV32mi %3, 1, $noreg, 4, $noreg, @_TI1H :: (store 4 into stack + 4)
CALLpcrel32 @_CxxThrowException, csr_noregs, implicit $esp, implicit $ssp, implicit-def $esp, implicit-def $ssp
ADJCALLSTACKUP32 8, 0, implicit-def dead $esp, implicit-def dead $eflags, implicit-def dead $ssp, implicit $esp, implicit $ssp
JMP_1 %bb.1
bb.1..noexc.i:
successors:
bb.2.ehcleanup.i (landing-pad, ehfunclet-entry):
successors: %bb.3(0x80000000)
MOV32mi %stack.2.o.i, 1, $noreg, 0, $noreg, 9999 :: (store 4 into %ir.14)
ADJCALLSTACKDOWN32 4, 0, 0, implicit-def dead $esp, implicit-def dead $eflags, implicit-def dead $ssp, implicit $esp, implicit $ssp
%5:gr32 = COPY $esp
%6:gr32 = LEA32r %stack.2.o.i, 1, $noreg, 0, $noreg
MOV32mr %5, 1, $noreg, 0, $noreg, killed %6 :: (store 4 into stack)
CALLpcrel32 @"escape__YAXPAH@Z", csr_32, implicit $esp, implicit $ssp, implicit-def $esp, implicit-def $ssp
ADJCALLSTACKUP32 4, 0, implicit-def dead $esp, implicit-def dead $eflags, implicit-def dead $ssp, implicit $esp, implicit $ssp
CLEANUPRET
bb.3.catch.i (landing-pad, ehfunclet-entry):
successors: %bb.4(0x80000000)
%7:gr32 = MOV32rm %stack.3.exp.i, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.exp.i)
%8:gr32 = MOV32rm killed %7, 1, $noreg, 0, $noreg :: (load 4 from %ir.18)
MOV32mr $noreg, 1, $noreg, @v__3HC, $noreg, killed %8 :: (volatile store release 4 into @v__3HC)
CATCHRET %bb.4, %bb.0
bb.4.catch.i (landing-pad):
successors: %bb.5(0x80000000)
JMP_4 %bb.5
bb.5.func__YAXXZ.exit:
%9:gr32 = MOV32rm %stack.0.zx, 1, $noreg, 4, $noreg :: (dereferenceable load 4 from %ir.22)
MOV32mr $noreg, 1, $noreg, 0, $fs, killed %9 :: (store 4 into `%EHRegistrationNode* addrspace(257)* null`, addrspace 257)
%10:gr32 = MOV32r0 implicit-def dead $eflags
$eax = COPY %10
RET 0, $eax
...
---
name: '__ehhandler$main'
alignment: 16
exposesReturnsTwice: false
legalized: false
regBankSelected: false
selected: false
failedISel: false
tracksRegLiveness: true
hasWinCFI: false
registers:
- { id: 0, class: gr32, preferred-register: '' }
liveins: []
frameInfo:
isFrameAddressTaken: false
isReturnAddressTaken: false
hasStackMap: false
hasPatchPoint: false
stackSize: 0
offsetAdjustment: 0
maxAlignment: 4
adjustsStack: false
hasCalls: false
stackProtector: ''
maxCallFrameSize: 4294967295
cvBytesOfCalleeSavedRegisters: 0
hasOpaqueSPAdjustment: false
hasVAStart: false
hasMustTailInVarArgFunc: false
localFrameSize: 0
savePoint: ''
restorePoint: ''
fixedStack:
- { id: 0, type: default, offset: 0, size: 4, alignment: 4, stack-id: default,
isImmutable: false, isAliased: false, callee-saved-register: '',
callee-saved-restored: true, debug-info-variable: '', debug-info-expression: '',
debug-info-location: '' }
- { id: 1, type: default, offset: 4, size: 4, alignment: 4, stack-id: default,
isImmutable: false, isAliased: false, callee-saved-register: '',
callee-saved-restored: true, debug-info-variable: '', debug-info-expression: '',
debug-info-location: '' }
- { id: 2, type: default, offset: 8, size: 4, alignment: 4, stack-id: default,
isImmutable: false, isAliased: false, callee-saved-register: '',
callee-saved-restored: true, debug-info-variable: '', debug-info-expression: '',
debug-info-location: '' }
- { id: 3, type: default, offset: 12, size: 4, alignment: 4, stack-id: default,
isImmutable: false, isAliased: false, callee-saved-register: '',
callee-saved-restored: true, debug-info-variable: '', debug-info-expression: '',
debug-info-location: '' }
stack: []
callSites: []
debugValueSubstitutions: []
constants: []
machineFunctionInfo: {}
body: |
bb.0.entry:
%0:gr32 = MOV32ri <mcsymbol L__ehtable$main>
$eax = COPY %0
TCRETURNdi @__CxxFrameHandler3, 0, csr_32, implicit $esp, implicit $ssp, implicit $eax
...