From a9906c1e5e990e37cf46d7522e22e1dd25ce35bc Mon Sep 17 00:00:00 2001
From: Vedant Kumar <vsk@apple.com>
Date: Thu, 17 Jan 2019 02:15:05 +0000
Subject: [MergeFunc] Prevent silent miscompile of vararg functions

The function merging pass miscompiles identical vararg functions. The
forwarding thunk it emits doesn't forward the full variable-length list
of arguments. Disable merging for vararg functions for now.

I've filed llvm.org/PR40345 to track the issue.

rdar://47326238

llvm-svn: 351411
---
 llvm/lib/Transforms/IPO/MergeFunctions.cpp |  8 ++-
 llvm/test/Transforms/MergeFunc/va_arg.ll   | 89 ++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 llvm/test/Transforms/MergeFunc/va_arg.ll

diff --git a/llvm/lib/Transforms/IPO/MergeFunctions.cpp b/llvm/lib/Transforms/IPO/MergeFunctions.cpp
index 11efe95b10d4..26b204f61cb9 100644
--- a/llvm/lib/Transforms/IPO/MergeFunctions.cpp
+++ b/llvm/lib/Transforms/IPO/MergeFunctions.cpp
@@ -383,6 +383,12 @@ bool MergeFunctions::doSanityCheck(std::vector<WeakTrackingVH> &Worklist) {
 }
 #endif
 
+/// Check whether \p F is eligible for function merging.
+static bool isEligibleForMerging(Function &F) {
+  return !F.isDeclaration() && !F.hasAvailableExternallyLinkage() &&
+         !F.isVarArg();
+}
+
 bool MergeFunctions::runOnModule(Module &M) {
   if (skipModule(M))
     return false;
@@ -394,7 +400,7 @@ bool MergeFunctions::runOnModule(Module &M) {
   std::vector<std::pair<FunctionComparator::FunctionHash, Function *>>
     HashedFuncs;
   for (Function &Func : M) {
-    if (!Func.isDeclaration() && !Func.hasAvailableExternallyLinkage()) {
+    if (isEligibleForMerging(Func)) {
       HashedFuncs.push_back({FunctionComparator::functionHash(Func), &Func});
     }
   }
diff --git a/llvm/test/Transforms/MergeFunc/va_arg.ll b/llvm/test/Transforms/MergeFunc/va_arg.ll
new file mode 100644
index 000000000000..eb49a7286ff4
--- /dev/null
+++ b/llvm/test/Transforms/MergeFunc/va_arg.ll
@@ -0,0 +1,89 @@
+; RUN: opt -S -mergefunc < %s | FileCheck %s
+
+target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
+target triple = "x86_64-unknown-linux-gnu"
+
+%struct.__va_list_tag = type { i32, i32, i8*, i8* }
+
+; CHECK-LABEL: define {{.*}}@_Z9simple_vaPKcz
+; CHECK: call void @llvm.va_start
+; CHECK: call void @llvm.va_end
+define dso_local void @_Z9simple_vaPKcz(i8* nocapture readnone, ...) local_unnamed_addr {
+  %2 = alloca [1 x %struct.__va_list_tag], align 16
+  %3 = bitcast [1 x %struct.__va_list_tag]* %2 to i8*
+  call void @llvm.va_start(i8* nonnull %3)
+  %4 = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %2, i64 0, i64 0, i32 0
+  %5 = load i32, i32* %4, align 16
+  %6 = icmp ult i32 %5, 41
+  br i1 %6, label %7, label %13
+
+; <label>:7:                                      ; preds = %1
+  %8 = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %2, i64 0, i64 0, i32 3
+  %9 = load i8*, i8** %8, align 16
+  %10 = sext i32 %5 to i64
+  %11 = getelementptr i8, i8* %9, i64 %10
+  %12 = add i32 %5, 8
+  store i32 %12, i32* %4, align 16
+  br label %17
+
+; <label>:13:                                     ; preds = %1
+  %14 = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %2, i64 0, i64 0, i32 2
+  %15 = load i8*, i8** %14, align 8
+  %16 = getelementptr i8, i8* %15, i64 8
+  store i8* %16, i8** %14, align 8
+  br label %17
+
+; <label>:17:                                     ; preds = %13, %7
+  %18 = phi i8* [ %11, %7 ], [ %15, %13 ]
+  %19 = bitcast i8* %18 to i32*
+  %20 = load i32, i32* %19, align 4
+  call void @_Z6escapei(i32 %20)
+  call void @llvm.va_end(i8* nonnull %3)
+  ret void
+}
+
+; Function Attrs: nounwind
+declare void @llvm.va_start(i8*)
+
+; Function Attrs: minsize optsize
+declare dso_local void @_Z6escapei(i32) local_unnamed_addr
+
+; Function Attrs: nounwind
+declare void @llvm.va_end(i8*)
+
+; CHECK-LABEL: define {{.*}}@_Z10simple_va2PKcz
+; CHECK: call void @llvm.va_start
+; CHECK: call void @llvm.va_end
+define dso_local void @_Z10simple_va2PKcz(i8* nocapture readnone, ...) local_unnamed_addr {
+  %2 = alloca [1 x %struct.__va_list_tag], align 16
+  %3 = bitcast [1 x %struct.__va_list_tag]* %2 to i8*
+  call void @llvm.va_start(i8* nonnull %3)
+  %4 = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %2, i64 0, i64 0, i32 0
+  %5 = load i32, i32* %4, align 16
+  %6 = icmp ult i32 %5, 41
+  br i1 %6, label %7, label %13
+
+; <label>:7:                                      ; preds = %1
+  %8 = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %2, i64 0, i64 0, i32 3
+  %9 = load i8*, i8** %8, align 16
+  %10 = sext i32 %5 to i64
+  %11 = getelementptr i8, i8* %9, i64 %10
+  %12 = add i32 %5, 8
+  store i32 %12, i32* %4, align 16
+  br label %17
+
+; <label>:13:                                     ; preds = %1
+  %14 = getelementptr inbounds [1 x %struct.__va_list_tag], [1 x %struct.__va_list_tag]* %2, i64 0, i64 0, i32 2
+  %15 = load i8*, i8** %14, align 8
+  %16 = getelementptr i8, i8* %15, i64 8
+  store i8* %16, i8** %14, align 8
+  br label %17
+
+; <label>:17:                                     ; preds = %13, %7
+  %18 = phi i8* [ %11, %7 ], [ %15, %13 ]
+  %19 = bitcast i8* %18 to i32*
+  %20 = load i32, i32* %19, align 4
+  call void @_Z6escapei(i32 %20)
+  call void @llvm.va_end(i8* nonnull %3)
+  ret void
+}
-- 
cgit v1.2.3