Fix for issue #163015 where corruption can occur with passing parameters on the stack when under register pressure.

carlos4242 · carlos4242 · commit f173d48109c1 · 2025-10-12T18:19:59.000+01:00
diff --git a/llvm/lib/Target/AVR/AVRExpandPseudoInsts.cpp b/llvm/lib/Target/AVR/AVRExpandPseudoInsts.cpp
@@ -1335,6 +1335,17 @@ bool AVRExpandPseudo::expand<AVR::STDWPtrQRr>(Block &MBB, BlockIt MBBI) {
   return true;
 }
 
+// The instructions STDSPQRr and STDWSPQRr are used to store to the stack
+// frame. The most accurate implementation would be to load the SP into
+// a temporary pointer variable and then STDPtrQRr. However for efficiency,
+// we assume that R29R28 contains the current call frame pointer.
+// However in the PEI pass we sometimes rewrite a ADJCALLSTACKDOWN pseudo,
+// plus one or more STDSPQRr/STDWSPQRr pseudo instructions to use Z for a
+// stack adjustment then as a base pointer. To avoid corruption, we thus
+// specify special classes of registers, like GPR8 and DREGS, but with
+// the Z register removed, as the source/input to these instructions.
+// (Note: R29R28 are already reserved by the ABI so would never be used
+// as source registers.)
 template <>
 bool AVRExpandPseudo::expand<AVR::STDSPQRr>(Block &MBB, BlockIt MBBI) {
   MachineInstr &MI = *MBBI;
@@ -1354,6 +1365,7 @@ bool AVRExpandPseudo::expand<AVR::STDSPQRr>(Block &MBB, BlockIt MBBI) {
   return true;
 }
 
+// See the comment on STDSPQRr.
 template <>
 bool AVRExpandPseudo::expand<AVR::STDWSPQRr>(Block &MBB, BlockIt MBBI) {
   MachineInstr &MI = *MBBI;
diff --git a/llvm/lib/Target/AVR/AVRInstrInfo.td b/llvm/lib/Target/AVR/AVRInstrInfo.td
@@ -1506,12 +1506,14 @@ def FRMIDX : Pseudo<(outs DLDREGS:$dst), (ins DLDREGS:$src, i16imm:$src2),
 
 // This pseudo is either converted to a regular store or a push which clobbers
 // SP.
-def STDSPQRr : StorePseudo<(outs), (ins memspi:$dst, GPR8:$src),
+let Defs = [SP], Uses = [SP], hasSideEffects = 0 in
+def STDSPQRr : StorePseudo<(outs), (ins memspi:$dst, GPR8NOZ:$src),
                            "stdstk\t$dst, $src", [(store i8:$src, addr:$dst)]>;
 
 // This pseudo is either converted to a regular store or a push which clobbers
 // SP.
-def STDWSPQRr : StorePseudo<(outs), (ins memspi:$dt, DREGS:$src),
+let Defs = [SP], Uses = [SP], hasSideEffects = 0 in
+def STDWSPQRr : StorePseudo<(outs), (ins memspi:$dt, DREGSNOZ:$src),
                             "stdwstk\t$dt, $src", [(store i16:$src, addr:$dt)]>;
 
 // SP read/write pseudos.
diff --git a/llvm/lib/Target/AVR/AVRRegisterInfo.td b/llvm/lib/Target/AVR/AVRRegisterInfo.td
@@ -211,6 +211,31 @@ def PTRDISPREGS : RegisterClass<"AVR", [i16], 8, (add R31R30, R29R28), ptr>;
 // model this using a register class containing only the Z register.
 def ZREG : RegisterClass<"AVR", [i16], 8, (add R31R30)>;
 
+// general registers excluding Z register lo/hi, these are the only
+// registers that are always safe for STDSPQr instructions
+def GPR8NOZ : RegisterClass<"AVR", [i8], 8,
+                         (// Return value and argument registers.
+                          add R24, R25, R18, R19, R20, R21, R22, R23,
+                          // Scratch registers.
+                          R26, R27,
+                          // Callee saved registers.
+                          R28, R29, R17, R16, R15, R14, R13, R12, R11, R10,
+                          R9, R8, R7, R6, R5, R4, R3, R2, R0, R1)>;
+
+// 16-bit pair register class excluding Z register lo/hi, these are the only
+// registers that are always safe for STDWSPQr instructions
+def DREGSNOZ : RegisterClass<"AVR", [i16], 8,
+                          (// Return value and arguments.
+                           add R25R24, R19R18, R21R20, R23R22,
+                           // Scratch registers.
+                           R27R26,
+                           // Callee saved registers.
+                           R29R28, R17R16, R15R14, R13R12, R11R10, R9R8,
+                           R7R6, R5R4, R3R2, R1R0,
+                           // Pseudo regs for unaligned 16-bits
+                           R26R25, R24R23, R22R21, R20R19, R18R17, R16R15,
+                           R14R13, R12R11, R10R9)>;
+
 // Register class used for the stack read pseudo instruction.
 def GPRSP : RegisterClass<"AVR", [i16], 8, (add SP)>;
 
diff --git a/llvm/test/CodeGen/AVR/dynalloca.ll b/llvm/test/CodeGen/AVR/dynalloca.ll
@@ -1,34 +1,101 @@
 ; RUN: llc < %s -mtriple=avr | FileCheck %s
-
 declare void @foo(ptr, ptr, ptr)
 
 define void @test1(i16 %x) {
 ; CHECK-LABEL: test1:
+
+; r28/r29 are preserved/callee saved per the avr gcc ABI
+; CHECK: push r28
+; CHECK: push r29
+
 ; Frame setup, with frame pointer
+; This includes the fixed size alloca (but not the dynamic alloca)
+; the fixed size alloca was 8 * i16, which is 16 bytes allocated from the stack
 ; CHECK: in r28, 61
 ; CHECK: in r29, 62
+; CHECK: sbiw r28, 16
+; CHECK: out 62, r29
 ; CHECK: out 61, r28
+
+; CHECK: lsl r24
+; CHECK: rol r25
+
 ; allocate first dynalloca
-; CHECK: in {{.*}}, 61
-; CHECK: in {{.*}}, 62
-; CHECK: sub
-; CHECK: sbc
+; note that dynalloca is allocated from the stack
+; but does not move the frame pointer (Y+1) down
+; CHECK: in [[REG1:r[0-9]+]], 61
+; CHECK: in [[REG2:r[0-9]+]], 62
+; CHECK: sub [[REG1]], r24
+; CHECK: sbc [[REG2]], r25
+; CHECK: in r0, 63
+; CHECK-NEXT: cli
+; CHECK-NEXT: out 62, [[REG2]]
+; CHECK-NEXT: out 63, r0
+; CHECK-NEXT: out 61, [[REG1]]
+
+; allocate second dynalloca
+; CHECK: in [[REG3:r[0-9]+]], 61
+; CHECK: in [[REG4:r[0-9]+]], 62
+; CHECK: sub [[REG3]], r24
+; CHECK: sbc [[REG4]], r25
 ; CHECK: in r0, 63
 ; CHECK-NEXT: cli
-; CHECK-NEXT: out 62, {{.*}}
+; CHECK-NEXT: out 62, [[REG4]]
 ; CHECK-NEXT: out 63, r0
-; CHECK-NEXT: out 61, {{.*}}
+; CHECK-NEXT: out 61, [[REG3]]
+
 ; Test writes
-; CHECK: std Z+13, {{.*}}
-; CHECK: std Z+12, {{.*}}
-; CHECK: std Z+7, {{.*}}
+; first check that writes to %a
+; (which points to the results of the static alloca)
+; go to the standard function stack frame, pointed
+; to by Y+1 (not the buffers created by dynamic alloca)
+; note that we use GEP with an offset of 2 * i16 which is 4 bytes
+; hence the two data bytes are stored into Y+5 and Y+6
+; CHECK: ldi [[TMP1:r[0-9]+]], 3
+; CHECK: ldi [[TMP2:r[0-9]+]], 0
+; CHECK: std Y+6, [[TMP2]]
+; CHECK: std Y+5, [[TMP1]]
+
+
+; CHECK: ldi [[TMP3:r[0-9]+]], 4
+; CHECK: ldi [[TMP4:r[0-9]+]], 0
+; CHECK: mov r30, [[REG1]]
+; CHECK: mov r31, [[REG2]]
+; here the GEP instruction is an offset of 6 * i16
+; making the offset Z+13
+; CHECK: std Z+13, [[TMP4]]
+; CHECK: std Z+12, [[TMP3]]
+
+; CHECK: ldi [[TMP5:r[0-9]+]], 44
+
+; CHECK: mov r30, [[REG3]]
+; CHECK: mov r31, [[REG4]]
+
+; here GEP is 7 * i8
+; CHECK: std Z+7, [[TMP5]]
+
+; check calling foo with the pointer to the static alloca buffer,
+; which is Y+1 by avr gcc abi conventions
+; CHECK:  mov r24, r28
+; CHECK:  mov r25, r29
+; CHECK:  adiw  r24, 1
+; CHECK:  rcall foo
+
+
+
+
 ; CHECK-NOT: std
 ; Test SP restore
+; CHECK: adiw r28, 16
 ; CHECK: in r0, 63
 ; CHECK-NEXT: cli
 ; CHECK-NEXT: out 62, r29
 ; CHECK-NEXT: out 63, r0
 ; CHECK-NEXT: out 61, r28
+
+; CHECK: pop r29
+; CHECK: pop r28
+
   %a = alloca [8 x i16]
   %vla = alloca i16, i16 %x
   %add = shl nsw i16 %x, 1
@@ -54,27 +121,27 @@ define void @dynalloca2(i16 %x) {
 ; CHECK: in r28, 61
 ; CHECK: in r29, 62
 ; Allocate stack space for call
-; CHECK: in {{.*}}, 61
-; CHECK: in {{.*}}, 62
-; CHECK: subi
-; CHECK: sbci
+; CHECK: in r30, 61
+; CHECK: in r31, 62
+; CHECK: subi r30, 8
+; CHECK: sbci r31, 0
 ; CHECK: in r0, 63
 ; CHECK-NEXT: cli
-; CHECK-NEXT: out 62, {{.*}}
+; CHECK-NEXT: out 62, r31
 ; CHECK-NEXT: out 63, r0
-; CHECK-NEXT: out 61, {{.*}}
+; CHECK-NEXT: out 61, r30
 ; Store values on the stack
-; CHECK: ldi r20, 0
-; CHECK: ldi r21, 0
-; CHECK: std Z+8, r21
-; CHECK: std Z+7, r20
-; CHECK: std Z+6, r21
-; CHECK: std Z+5, r20
-; CHECK: std Z+4, r21
-; CHECK: std Z+3, r20
-; CHECK: std Z+2, r21
-; CHECK: std Z+1, r20
-; CHECK: call
+; CHECK: ldi [[REG1:r[0-9]+]], 0
+; CHECK: ldi [[REG2:r[0-9]+]], 0
+; CHECK: std Z+8, [[REG2]]
+; CHECK: std Z+7, [[REG1]]
+; CHECK: std Z+6, [[REG2]]
+; CHECK: std Z+5, [[REG1]]
+; CHECK: std Z+4, [[REG2]]
+; CHECK: std Z+3, [[REG1]]
+; CHECK: std Z+2, [[REG2]]
+; CHECK: std Z+1, [[REG1]]
+; CHECK: rcall foo2
 ; Call frame restore
 ; CHECK-NEXT: in r30, 61
 ; CHECK-NEXT: in r31, 62
@@ -84,7 +151,13 @@ define void @dynalloca2(i16 %x) {
 ; CHECK-NEXT: out 62, r31
 ; CHECK-NEXT: out 63, r0
 ; CHECK-NEXT: out 61, r30
-; SP restore
+; SP restore - note this might
+; seem redundant direction after the ADJCALLSTACKUP
+; I think the logic is both should be there because they come from
+; different mechanisms, although clearly an optimisation you could do is
+; discard the ADJCALLSTACKUP if you know the stack pointer is about to be
+; restored back to the value from the start of the function (in r28/r29)
+; straight afterwards
 ; CHECK: in r0, 63
 ; CHECK-NEXT: cli
 ; CHECK-NEXT: out 62, r29
diff --git a/llvm/test/CodeGen/AVR/zreg-clobbering-bug.ll b/llvm/test/CodeGen/AVR/zreg-clobbering-bug.ll
@@ -0,0 +1,34 @@
+; RUN: llc < %s -mtriple=avr | FileCheck -v -dump-input always %s
+
+%Tstats = type <{ i8, i8 }>
+@ui1 = protected local_unnamed_addr global i64 zeroinitializer, align 8
+@ui2 = protected local_unnamed_addr global i64 zeroinitializer, align 8
+@failed = private unnamed_addr addrspace(1) constant [12 x i8] c"test failed\00"
+@stats = external protected global %Tstats, align 1
+
+; CHECK-LABEL: main:
+define protected noundef i32 @main(i32 %0, ptr nocapture readnone %1) local_unnamed_addr addrspace(1) #0 {
+entry:
+  store i64 94, ptr @ui1, align 8
+  store i64 53, ptr @ui2, align 8
+  tail call addrspace(1) void @reportFailureWithDetails(i16 ptrtoint (ptr addrspace(1) @failed to i16), i16 11, i8 2, i16 32, ptr nocapture nonnull swiftself dereferenceable(2) @stats)
+  %11 = load i64, ptr @ui1, align 8
+  %12 = load i64, ptr @ui2, align 8
+
+; COM: CHECK: call __udivdi3
+  %15 = udiv i64 %11, %12
+
+; look for the buggy pattern where r30/r31 are being clobbered, corrupting the stack pointer
+; CHECK-NOT: std  Z+{{[1-9]+}}, r30 
+; CHECK-NOT: std  Z+{{[1-9]+}}, r31
+
+; CHECK: call expect
+  tail call addrspace(1) void @expect(i64 %15, i64 1, i16 ptrtoint (ptr addrspace(1) @failed to i16), i16 11, i8 2, i16 33)
+
+; CHECK: ret
+  ret i32 0
+}
+
+declare protected void @expect(i64, i64, i16, i16, i8, i16) local_unnamed_addr addrspace(1) #0
+declare protected void @reportFailureWithDetails(i16, i16, i8, i16, ptr nocapture swiftself dereferenceable(2)) local_unnamed_addr addrspace(1) #0
+attributes #0 = { nounwind "frame-pointer"="all" "no-trapping-math"="true" "stack-protector-buffer-size"="8" }
