`sincos` args may get clobbered after #108401 when passed on the stack

[zmodem]

Consider this program on 32-bit x86, where arguments are passed on the stack:

$ cat /tmp/a.cc
#include <math.h>
#include <stdio.h>

double __attribute__((noinline)) g(double a, double b) { return a + b; }

double __attribute__((noinline)) f(double a) {
  double foo = sin(a);
  double bar = cos(a);
  double z = g(bar + 3.14, foo);
  return z;
}

int main() {
  printf("%f\n", f(3.14));
  return 0;
}

After 3073c3c, it fails under ASan:

$ build/bin/clang.bad -target i386-unknown-linux-gnu -lm -fsanitize=address -fno-math-errno -O2 /tmp/a.cc && ASAN_OPTIONS=external_symbolizer_path=$PWD/build/bin/llvm-symbolizer ./a.out
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3898196==ERROR: AddressSanitizer: SEGV on unknown address 0x27eb4300 (pc 0x566160ed bp 0xffab1898 sp 0xffab1470 T0)
==3898196==The signal is caused by a READ memory access.
    #0 0x566160ed in QuickCheckForUnpoisonedRegion /work/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.h:37:7
    #1 0x566160ed in sincos /work/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5167:12
    #2 0x566b25b1 in f(double) (/work/llvm-project/a.out+0x1085b1)
    #3 0x566b25f3 in main (/work/llvm-project/a.out+0x1085f3)
    #4 0xf7c29b84  (/lib/i386-linux-gnu/libc.so.6+0x23b84) (BuildId: d16f2b0239d79fbec67438094f9a9443121ab72d)
    #5 0xf7c29c47 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x23c47) (BuildId: d16f2b0239d79fbec67438094f9a9443121ab72d)
    #6 0x565c43a6 in _start (/work/llvm-project/a.out+0x1a3a6)

==3898196==Register values:
eax = 0x27eb4300  ebx = 0x27eb4303  ecx = 0x27eb4300  edx = 0x3f5a1819  
edi = 0x07eb4303  esi = 0x07eb4302  ebp = 0xffab1898  esp = 0xffab1470  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/work/llvm-project/a.out+0x1085b1) in f(double)
==3898196==ABORTING

The calls to sin and cos will get folded to a sincos call. After 3073c3c, the call looks like this:

  37:   89 e6                   mov    %esp,%esi
  39:   8d 44 24 18             lea    0x18(%esp),%eax
  3d:   89 44 24 0c             mov    %eax,0xc(%esp)    // <-- cos
  41:   8d 46 08                lea    0x8(%esi),%eax
  44:   89 44 24 08             mov    %eax,0x8(%esp)    // <-- sin
  48:   f2 0f 11 04 24          movsd  %xmm0,(%esp)      // <-- x
  4d:   e8 fc ff ff ff          call   4e <_Z1fd+0x2e>
                        4e: R_386_PLT32 sincos

Look at the value of the sin argument: it's 0x8(%esi) = 0x8(%esp) which is the stack slot for foo in the following call to g. But it's also the stack slot used for sin in the sincos call. This seems dangerous.

Since it's a 64-bit value, when sincos does *sin = ... it will clobber both the sin and cos arguments. ASan happens to notice, because it intercepts sincos and checks the validity of the pointers afterwards.

[MacDue]

Huh, I'm quite confused by this... If I understand correctly it passes the pointers on the stack at sp + 8 and sp + 12. With the sincos store forwarding, it no longer allocates the stack space for the f64 results, so the argument pointers (on the stack) alias memory for the f64 results.

I'm guessing because the FrameIndexSDNode nodes for the results not attached to the call.

[MacDue]

Oh, I see the destination on the stack, and the argument pointers should only be live at separate times. We only really want to do this transform when the destination pointers are being passed into the current function, not if it's referencing a local stack object.

[MacDue]

@zmodem Could you try #115346 and see if it resolves the issue? I believe it should limit this fold to pointers that exist in the IR (rather than those materialized for low-level ABI reasons).