Skip to content

[Clang][CodeGen][Sema] Fix crash when compiling naked lambdas #165524

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

[Clang][CodeGen][Sema] Fix crash when compiling naked lambdas #165524

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
f303f13
[Clang][CodeGen] Fix crash when compiling naked lambdas
alcxpr Oct 29, 2025
54b6d3e
Merge branch 'main' into main
alcxpr Oct 29, 2025
666aed6
[Clang][CodeGen] Apply clang-format
alcxpr Oct 29, 2025
b986c74
[Clang][CodeGen] Make naked lambda captures analyzed
alcxpr Oct 29, 2025
6e341cb
Revert file back
alcxpr Oct 29, 2025
e5a214d
[Clang][CodeGen] Format
alcxpr Oct 29, 2025
79d9422
[Clang][Sema] Remove naked attribute from lambdas with ODR-used captures
alcxpr Oct 30, 2025
ba6ece5
Remove compilation database
alcxpr Oct 30, 2025
d57f804
Remove FIXME in the special path
alcxpr Oct 30, 2025
70e9883
Merge branch 'llvm:main' into main
alcxpr Nov 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 49 additions & 35 deletions clang/lib/CodeGen/CodeGenFunction.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1277,44 +1277,58 @@ void CodeGenFunction::StartFunction(GlobalDecl GD, QualType RetTy,
MD && !MD->isStatic()) {
bool IsInLambda =
MD->getParent()->isLambda() && MD->getOverloadedOperator() == OO_Call;
if (MD->isImplicitObjectMemberFunction())
CGM.getCXXABI().EmitInstanceFunctionProlog(*this);
if (IsInLambda) {
// We're in a lambda; figure out the captures.
MD->getParent()->getCaptureFields(LambdaCaptureFields,
LambdaThisCaptureField);
if (LambdaThisCaptureField) {
// If the lambda captures the object referred to by '*this' - either by
// value or by reference, make sure CXXThisValue points to the correct
// object.

// Get the lvalue for the field (which is a copy of the enclosing object
// or contains the address of the enclosing object).
LValue ThisFieldLValue = EmitLValueForLambdaField(LambdaThisCaptureField);
if (!LambdaThisCaptureField->getType()->isPointerType()) {
// If the enclosing object was captured by value, just use its
// address. Sign this pointer.
CXXThisValue = ThisFieldLValue.getPointer(*this);
} else {
// Load the lvalue pointed to by the field, since '*this' was captured
// by reference.
CXXThisValue =
EmitLoadOfLValue(ThisFieldLValue, SourceLocation()).getScalarVal();

const FunctionDecl *FD = dyn_cast_if_present<FunctionDecl>(D);
bool IsNaked = FD && FD->hasAttr<NakedAttr>();
if (!IsNaked) {
Comment on lines +1282 to +1283
Copy link
Contributor

@ojhunt ojhunt Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than this significant diff I think this would be better served by having

if (!IsNaked && MD->isImplicitObjectMemberFunction())

and

if (!IsNaked && IsInLamda)

I think that this approach would help reduce the code churn, and reduce the impact of the extremely low column limit our code style enforces.

Copy link
Contributor

@ojhunt ojhunt Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Sorry I should have noticed this in the first pass)

if (MD->isImplicitObjectMemberFunction())
CGM.getCXXABI().EmitInstanceFunctionProlog(*this);

if (IsInLambda) {
// We're in a lambda; figure out the captures.
MD->getParent()->getCaptureFields(LambdaCaptureFields,
LambdaThisCaptureField);
if (LambdaThisCaptureField) {
// If the lambda captures the object referred to by '*this' - either
// by value or by reference, make sure CXXThisValue points to the
// correct object.

// Get the lvalue for the field (which is a copy of the enclosing
// object or contains the address of the enclosing object).
LValue ThisFieldLValue =
EmitLValueForLambdaField(LambdaThisCaptureField);
if (!LambdaThisCaptureField->getType()->isPointerType()) {
// If the enclosing object was captured by value, just use its
// address. Sign this pointer.
CXXThisValue = ThisFieldLValue.getPointer(*this);
} else {
// Load the lvalue pointed to by the field, since '*this' was
// captured by reference.
CXXThisValue = EmitLoadOfLValue(ThisFieldLValue, SourceLocation())
.getScalarVal();
}
}
}
for (auto *FD : MD->getParent()->fields()) {
if (FD->hasCapturedVLAType()) {
auto *ExprArg = EmitLoadOfLValue(EmitLValueForLambdaField(FD),
SourceLocation()).getScalarVal();
auto VAT = FD->getCapturedVLAType();
VLASizeMap[VAT->getSizeExpr()] = ExprArg;

for (auto *FD : MD->getParent()->fields()) {
if (FD->hasCapturedVLAType()) {
auto *ExprArg =
EmitLoadOfLValue(EmitLValueForLambdaField(FD), SourceLocation())
.getScalarVal();
auto VAT = FD->getCapturedVLAType();
VLASizeMap[VAT->getSizeExpr()] = ExprArg;
}
}
} else if (MD->isImplicitObjectMemberFunction()) {
// Not in a lambda; just use 'this' from the method.
// FIXME: Should we generate a new load for each use of 'this'? The
// fast register allocator would be happier...
CXXThisValue = CXXABIThisValue;
}
} else if (MD->isImplicitObjectMemberFunction()) {
// Not in a lambda; just use 'this' from the method.
// FIXME: Should we generate a new load for each use of 'this'? The
// fast register allocator would be happier...
CXXThisValue = CXXABIThisValue;
} else if (IsInLambda && MD->isImplicitObjectMemberFunction()) {
// Populate capture fields metadata for analysis. We skip
// EmitInstanceProlog to avoid emitting prologue code.
MD->getParent()->getCaptureFields(LambdaCaptureFields,
Copy link
Collaborator

@efriedma-quic efriedma-quic Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we refactor the code so it doesn't have two separate calls to getCaptureFields()?

LambdaThisCaptureField);
}

// Check the 'this' pointer once per function, if it's available.
Expand Down
14 changes: 14 additions & 0 deletions clang/lib/Sema/SemaLambda.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2332,6 +2332,20 @@ ExprResult Sema::BuildLambdaExpr(SourceLocation StartLoc,
maybeAddDeclWithEffects(LSI->CallOperator);
}

// This is for GCC compatibility. If any lambda captures are actually used in the
// function body. GCC silently removes the naked attribute when captures are
Copy link
Collaborator

@efriedma-quic efriedma-quic Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regardless of what gcc does here, silently ignoring the naked attribute is not acceptable: the result will almost certainly be broken.

Probably simplest to just reject any usage of naked with captures; if gcc's behavior is broken, probably nobody is using it.

Copy link
Contributor

@ojhunt ojhunt Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're ok with that approach I think it's definitely what we should do, given that GCC is permissive here I can imagine it causing breakage so I'm unsure if we should report as a warning that default errors (so people can override it) or simply make it an error and if it turns out people do hit it swift to a warning that errors by default.

The benefit of the former is that it means that if people do hit it they can override locally without waiting for a new release, whereas the latter means people are more likely to report that they are hitting it.

// ODR-used, as naked functions cannot have prologues to set up the closure.
if (CallOperator->hasAttr<NakedAttr>() && !Captures.empty()) {
// If any captures are ODR-used by examining the capture list
// that was already analyzed during semantic analysis, drop it.
for (const Capture &Cap : LSI->Captures) {
if (Cap.isODRUsed()) {
CallOperator->dropAttr<NakedAttr>();
break;
}
}
}

return MaybeBindToTemporary(Lambda);
}

Expand Down
18 changes: 18 additions & 0 deletions clang/test/CodeGenCXX/naked-lambda-capture-multi.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -emit-llvm %s -o - | FileCheck %s

void test_naked_lambda_capture_multi() {
int x = 42;
int y = 100;
auto l = [&x, y]() __attribute__((naked)) {
asm volatile("retq");
};
l();
}

// CHECK-LABEL: define {{.*}} @"_ZZ31test_naked_lambda_capture_multivENK3$_0clEv"
// CHECK-NOT: load i32
// CHECK-NOT: load ptr
// CHECK-NOT: getelementptr
// CHECK-NOT: alloca
// CHECK: call void asm sideeffect "retq"
// CHECK-NEXT: unreachable
28 changes: 28 additions & 0 deletions clang/test/CodeGenCXX/naked-lambda-capture-this.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -emit-llvm %s -o - | FileCheck %s
// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -S %s -o - | FileCheck %s --check-prefix=ASM

struct S {
int member;
void test_naked_lambda_capture_this() {
auto l = [this]() __attribute__((naked)) {
asm volatile("retq");
};
l();
}
};

void test() {
S s;
s.test_naked_lambda_capture_this();
}

// CHECK-LABEL: define {{.*}} @_ZZN1S30test_naked_lambda_capture_thisEvENKUlvE_clEv
// CHECK-NOT: load ptr
// CHECK-NOT: getelementptr
// CHECK-NOT: alloca
// CHECK: call void asm sideeffect "retq"

// ASM-LABEL: _ZZN1S30test_naked_lambda_capture_thisEvENKUlvE_clEv:
// ASM-NOT: push
// ASM-NOT: mov
// ASM: retq
21 changes: 21 additions & 0 deletions clang/test/CodeGenCXX/naked-lambda-capture-var.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -emit-llvm %s -o - | FileCheck %s
// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -S %s -o - | FileCheck %s --check-prefix=ASM

void test_naked_lambda_capture_var() {
int x = 42;
auto l = [x]() __attribute__((naked)) {
asm volatile("retq");
};
l();
}

// CHECK-LABEL: define {{.*}} @"_ZZ29test_naked_lambda_capture_varvENK3$_0clEv"
// CHECK-NOT: load i32
// CHECK-NOT: alloca
// CHECK-NOT: getelementptr
// CHECK: call void asm sideeffect "retq"

// ASM-LABEL: _ZZ29test_naked_lambda_capture_varvENK3$_0clEv:
// ASM-NOT: push
// ASM-NOT: mov
// ASM: retq
17 changes: 17 additions & 0 deletions clang/test/CodeGenCXX/naked-lambda-odr-used-captures.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -emit-llvm %s -o - | FileCheck %s

// Test that naked attribute is removed when captures are ODR-used (GCC compat)
void test_odr_used_captures() {
int x = 42;
int y = 6;
auto l = [x, &y]() __attribute__((naked)) {
asm volatile("movl %0, %%eax\n\tmovl %1, %%ebx\n\tretq" : : "r"(x), "r"(y));
};
l();
}

// CHECK-LABEL: define internal void @"_ZZ22test_odr_used_capturesvENK3$_0clEv"
// CHECK-NOT: naked
// CHECK: alloca
// CHECK: store

18 changes: 18 additions & 0 deletions clang/test/CodeGenCXX/naked-lambda.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -emit-llvm %s -o - | FileCheck %s
// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -S %s -o - | FileCheck %s --check-prefix=ASM

void test_naked_lambda() {
auto l = []() __attribute__((naked)) {
asm volatile("retq");
};
l();
}

// CHECK: define internal void @"_ZZ17test_naked_lambdavENK3$_0clEv"
// CHECK-NOT: alloca
// CHECK-NOT: store
// CHECK-NOT: call void @_ZN
// ASM-LABEL: _ZZ17test_naked_lambdavENK3$_0clEv:
// ASM-NOT: push
// ASM-NOT: pop
// ASM: retq
18 changes: 18 additions & 0 deletions clang/test/SemaCXX/naked-lambda-odr.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
// RUN: %clang_cc1 -fsyntax-only -verify %s -triple x86_64-pc-linux-gnu

void uses_capture() {
int x = 42;
int y = 6;
auto l = [x, &y]() __attribute__((naked)) { // expected-no-diagnostics
asm volatile("movl %0, %%eax\n\tmovl %1, %%ebx\n\tretq" : : "r"(x), "r"(y));
};
l();
}

void unused_captures() {
int x = 42;
auto l = [x]() __attribute__((naked)) { // expected-no-diagnostics
asm volatile("retq");
};
l();
}
Loading