This is an archive of the discontinued LLVM Phabricator instance.

Differential D11577

Reassociate: Fix miscompile for va_arg arguments.
ClosedPublic

Authored by MatzeB on Jul 28 2015, 3:00 PM.

Details

Reviewers
qcolombet
majnemer
baldrick
Commits
rG6443cce233c5: [Reassociation] Fix miscompile for va_arg arguments.
Summary

isUnmovableInstruction() had a list of instructions hardcoded which are
considered unmovable. The list lacked (at least) an entry for the va_arg
and cmpxchg instructions.
Fix this by using !Instruction::mayRead() && isSafeToSpeculativelyExecute() instead of maintaining another
instruction list.

Diff Detail

Repository
rL LLVM

Event Timeline

MatzeB updated this revision to Diff 30860.Jul 28 2015, 3:00 PM
MatzeB retitled this revision from to Reassociate: Implement isUnmovableInstruction() without a hardcoded list.
MatzeB updated this object.
MatzeB added reviewers: majnemer, mcrosier, baldrick.
MatzeB set the repository for this revision to rL LLVM.
MatzeB added a subscriber: llvm-commits.
MatzeB added a comment.Jul 28 2015, 3:06 PM

Note that this change takes the [USF]Div and [USF]Rem instructions out of the list, with llvms semantics they do not produce side effects (but just a poison value) so this should be fine. I'm also running the llvm-testsuite now to get some more testing for this change.

bkramer added a subscriber: bkramer.Jul 28 2015, 3:24 PM
In D11577#213912, @MatzeB wrote:

Note that this change takes the [USF]Div and [USF]Rem instructions out of the list, with llvms semantics they do not produce side effects (but just a poison value) so this should be fine. I'm also running the llvm-testsuite now to get some more testing for this change.

Integer div by zero will still trap so div and rem cannot be moved freely between basic blocks without changing behavior. I'm not sure if Reassociate performs movements that could move instructions into a different path in the CFG, but if it does we'll need something stronger like isSafeToSpeculativelyExecute.

MatzeB updated this revision to Diff 30874.Jul 28 2015, 4:33 PM
MatzeB updated this object.

Updated the patch to use a !I->mayRead() && isSafeToSpeculativelyExecute(I) to determine whether we can move an instruction around.

MatzeB added a comment.Jul 28 2015, 4:36 PM
In D11577#213942, @bkramer wrote:
In D11577#213912, @MatzeB wrote:

Note that this change takes the [USF]Div and [USF]Rem instructions out of the list, with llvms semantics they do not produce side effects (but just a poison value) so this should be fine. I'm also running the llvm-testsuite now to get some more testing for this change.

Integer div by zero will still trap so div and rem cannot be moved freely between basic blocks without changing behavior. I'm not sure if Reassociate performs movements that could move instructions into a different path in the CFG, but if it does we'll need something stronger like isSafeToSpeculativelyExecute.

From what I can see it does not move the instructions into different CFG paths but just inside a basic block, but that may already fail if you reorder an instruction potentially triggering undefined behaviour and a call I think, so switching to isSafeToSpeculativelyExecute() is the right call.

majnemer added inline comments.Jul 28 2015, 7:03 PM
lib/Transforms/Scalar/Reassociate.cpp
278

Would it make sense to extract this logic into a hypothetical mayBeControlDependent ?

MatzeB updated this revision to Diff 30932.Jul 29 2015, 11:27 AM

New revision, introducing a mayBeControlDependent() function.

MatzeB updated this revision to Diff 30942.Jul 29 2015, 1:45 PM

Let's call the function mayBeStateDependent() as classical definitions of control dependence are more concerned with control flow while this function is mostly concerned with global state and memory contents (of course the global state is *also* control dependent).

dberlin added a subscriber: dberlin.Jul 29 2015, 2:37 PM

So, these are either data dependent, control dependent, or both :)
(IE that is the correct terminology)

MatzeB added a comment.Jul 29 2015, 2:52 PM
In D11577#214574, @dberlin wrote:

So, these are either data dependent, control dependent, or both :)
(IE that is the correct terminology)

If you think in that dichotomy, then it is a data dependence. However usually data dependence talks about variables or registers while this function specifically is about the things not modeled as variables/ssa values. It is about the global state/memory, that's why I put the "State" in the name data dependence would be too broad.

dberlin added a comment.Jul 29 2015, 2:58 PM

????

I'm not thinking in that dichotomy, that is the generally dichotomy
of dependences in compilers :).

Data dependence talks about memory all the time, in compiler
schedulers, in loop data dependence, etc. Heck, even in SSA.
So I honestly do not grasp the distinction you are trying to draw here.

It happens that in LLVM, explicitly represented data dependences do
not make instructions inherently immovable. The IR explicitly
represents these things well enough that we don't pay a high cost for
figuring out safe move locations for those things.

However, memory data dependences are implicit (becuase we lack
something like memoryssa), and the cost of figuring out where the safe
move points are is not worth it.
(IE none of these instructions are actually immovable, it's just that
we don't want to pay the cost to figure out the place we could move
them to :P. For some of them, there is usually only one correct place
anyway, like phi nodes. )

Not to bikeshed this too hard, but state dependent means nothing to
me, and it doesn't actually give anyone any idea what the function
should return for what.

MatzeB added a comment.Jul 29 2015, 3:38 PM

My previous comment was probably worded to strongly. What I meant was that a function name of "ControlDependent" or "DataDependent" would have been too broad. I just realize that your comment was probably about my "of course the global state is *also* control dependent" remark which I admit is confusing and only makes sense if you have things like the value state dependence graphs or program expression graphs in mind where all control dependences usually manifest themselfes as data dependences on the memory values.

I was going for the term state because we do not just capture the contents of the computer memory but also things like input/output or program abortion because of undefined behaviour. Anyway I'm completely fine with calling this memory dependence which is by far the more popular term.

MatzeB updated this revision to Diff 31039.Jul 30 2015, 9:33 AM
MatzeB retitled this revision from Reassociate: Implement isUnmovableInstruction() without a hardcoded list to Reassociate: Fix miscompile for va_arg arguments..

Uploaded a new version which calls the function mayBeMemoryDependent(). Change the title to make it clear that this is not just a cleanup.

qcolombet added a subscriber: qcolombet.Aug 3 2015, 9:11 AM

Ping.

mcrosier resigned from this revision.Aug 5 2015, 8:01 AM
mcrosier removed a reviewer: mcrosier.

LGTM, but I don't want to undercut Daniel or David, so I won't make my vote official.

dberlin added a comment.Aug 5 2015, 8:25 AM

LGTM

qcolombet accepted this revision.Aug 6 2015, 11:53 AM
qcolombet added a reviewer: qcolombet.

Thanks.

Committed revision 244244.

This revision is now accepted and ready to land.Aug 6 2015, 11:53 AM
qcolombet closed this revision.Aug 6 2015, 11:53 AM

Revision Contents

PathSize
include/
llvm/
Analysis/
10 lines
lib/
Analysis/
4 lines
Transforms/
Scalar/
24 lines
test/
Transforms/
Reassociate/
28 lines

Diff 31039

include/llvm/Analysis/ValueTracking.h

Show First 20 LinesShow All 252 Lines▼ Show 20 Linesnamespace llvm {
/// ///
/// This method can return true for instructions that read memory; /// This method can return true for instructions that read memory;
/// for such instructions, moving them may change the resulting value. /// for such instructions, moving them may change the resulting value.
bool isSafeToSpeculativelyExecute(const Value *V, bool isSafeToSpeculativelyExecute(const Value *V,
const Instruction *CtxI = nullptr, const Instruction *CtxI = nullptr,
const DominatorTree *DT = nullptr, const DominatorTree *DT = nullptr,
const TargetLibraryInfo *TLI = nullptr); const TargetLibraryInfo *TLI = nullptr);
/// Returns true if the result or effects of the given instructions \p I
/// depend on or influence global memory.
/// Memory dependence arises for example if the the instruction reads from
/// memory or may produce effects or undefined behaviour. Memory dependent
/// instructions generally cannot be reorderd with respect to other memory
/// dependent instructions or moved into non-dominated basic blocks.
/// Instructions which just compute a value based on the values of their
/// operands are not memory dependent.
bool mayBeMemoryDependent(const Instruction &I);
/// isKnownNonNull - Return true if this pointer couldn't possibly be null by /// isKnownNonNull - Return true if this pointer couldn't possibly be null by
/// its definition. This returns true for allocas, non-extern-weak globals /// its definition. This returns true for allocas, non-extern-weak globals
/// and byval arguments. /// and byval arguments.
bool isKnownNonNull(const Value *V, const TargetLibraryInfo *TLI = nullptr); bool isKnownNonNull(const Value *V, const TargetLibraryInfo *TLI = nullptr);
/// isKnownNonNullAt - Return true if this pointer couldn't possibly be null. /// isKnownNonNullAt - Return true if this pointer couldn't possibly be null.
/// If the context instruction is specified perform context-sensitive analysis /// If the context instruction is specified perform context-sensitive analysis
/// and return true if the pointer couldn't possibly be null at the specified /// and return true if the pointer couldn't possibly be null at the specified
▲ Show 20 LinesShow All 101 LinesShow Last 20 Lines

lib/Analysis/ValueTracking.cpp

Show First 20 LinesShow All 3,149 Lines▼ Show 20 Linesbool llvm::isSafeToSpeculativelyExecute(const Value *V,
case Instruction::LandingPad: case Instruction::LandingPad:
case Instruction::AtomicRMW: case Instruction::AtomicRMW:
case Instruction::AtomicCmpXchg: case Instruction::AtomicCmpXchg:
case Instruction::Resume: case Instruction::Resume:
return false; // Misc instructions which have effects return false; // Misc instructions which have effects
} }
} }
bool llvm::mayBeMemoryDependent(const Instruction &I) {
return I.mayReadOrWriteMemory() || !isSafeToSpeculativelyExecute(&I);
}
/// Return true if we know that the specified value is never null. /// Return true if we know that the specified value is never null.
bool llvm::isKnownNonNull(const Value *V, const TargetLibraryInfo *TLI) { bool llvm::isKnownNonNull(const Value *V, const TargetLibraryInfo *TLI) {
// Alloca never returns null, malloc might. // Alloca never returns null, malloc might.
if (isa<AllocaInst>(V)) return true; if (isa<AllocaInst>(V)) return true;
// A byval, inalloca, or nonnull argument is never null. // A byval, inalloca, or nonnull argument is never null.
if (const Argument *A = dyn_cast<Argument>(V)) if (const Argument *A = dyn_cast<Argument>(V))
return A->hasByValOrInAllocaAttr() || A->hasNonNullAttr(); return A->hasByValOrInAllocaAttr() || A->hasNonNullAttr();
▲ Show 20 LinesShow All 443 LinesShow Last 20 Lines

lib/Transforms/Scalar/Reassociate.cpp

Show All 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/Transforms/Scalar.h" #include "llvm/Transforms/Scalar.h"
#include "llvm/ADT/DenseMap.h" #include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/PostOrderIterator.h" #include "llvm/ADT/PostOrderIterator.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SetVector.h" #include "llvm/ADT/SetVector.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/Analysis/ValueTracking.h"
#include "llvm/IR/CFG.h" #include "llvm/IR/CFG.h"
#include "llvm/IR/Constants.h" #include "llvm/IR/Constants.h"
#include "llvm/IR/DerivedTypes.h" #include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h" #include "llvm/IR/IRBuilder.h"
#include "llvm/IR/Instructions.h" #include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h" #include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/ValueHandle.h" #include "llvm/IR/ValueHandle.h"
▲ Show 20 LinesShow All 213 Lines▼ Show 20 Lines if (V->hasOneUse() && isa<Instruction>(V) &&
(cast<Instruction>(V)->getOpcode() == Opcode1 || (cast<Instruction>(V)->getOpcode() == Opcode1 ||
cast<Instruction>(V)->getOpcode() == Opcode2) && cast<Instruction>(V)->getOpcode() == Opcode2) &&
(!isa<FPMathOperator>(V) || (!isa<FPMathOperator>(V) ||
cast<Instruction>(V)->hasUnsafeAlgebra())) cast<Instruction>(V)->hasUnsafeAlgebra()))
return cast<BinaryOperator>(V); return cast<BinaryOperator>(V);
return nullptr; return nullptr;
} }
static bool isUnmovableInstruction(Instruction *I) {
switch (I->getOpcode()) {
case Instruction::PHI:
case Instruction::LandingPad:
case Instruction::Alloca:
case Instruction::Load:
case Instruction::Invoke:
case Instruction::UDiv:
case Instruction::SDiv:
case Instruction::FDiv:
case Instruction::URem:
case Instruction::SRem:
case Instruction::FRem:
return true;
case Instruction::Call:
return !isa<DbgInfoIntrinsic>(I);
default:
return false;
}
}
void Reassociate::BuildRankMap(Function &F) { void Reassociate::BuildRankMap(Function &F) {
unsigned i = 2; unsigned i = 2;
// Assign distinct ranks to function arguments. // Assign distinct ranks to function arguments.
for (Function::arg_iterator I = F.arg_begin(), E = F.arg_end(); I != E; ++I) { for (Function::arg_iterator I = F.arg_begin(), E = F.arg_end(); I != E; ++I) {
ValueRankMap[&*I] = ++i; ValueRankMap[&*I] = ++i;
DEBUG(dbgs() << "Calculated Rank[" << I->getName() << "] = " << i << "\n"); DEBUG(dbgs() << "Calculated Rank[" << I->getName() << "] = " << i << "\n");
} }
ReversePostOrderTraversal<Function*> RPOT(&F); ReversePostOrderTraversal<Function*> RPOT(&F);
for (ReversePostOrderTraversal<Function*>::rpo_iterator I = RPOT.begin(), for (ReversePostOrderTraversal<Function*>::rpo_iterator I = RPOT.begin(),
E = RPOT.end(); I != E; ++I) { E = RPOT.end(); I != E; ++I) {
BasicBlock *BB = *I; BasicBlock *BB = *I;
unsigned BBRank = RankMap[BB] = ++i << 16; unsigned BBRank = RankMap[BB] = ++i << 16;
// Walk the basic block, adding precomputed ranks for any instructions that // Walk the basic block, adding precomputed ranks for any instructions that
// we cannot move. This ensures that the ranks for these instructions are // we cannot move. This ensures that the ranks for these instructions are
// all different in the block. // all different in the block.
for (BasicBlock::iterator I = BB->begin(), E = BB->end(); I != E; ++I) for (BasicBlock::iterator I = BB->begin(), E = BB->end(); I != E; ++I)
if (isUnmovableInstruction(I)) if (mayBeMemoryDependent(*I))
majnemerUnsubmitted
Not Done
ReplyInline Actions

Would it make sense to extract this logic into a hypothetical mayBeControlDependent ?

majnemer: Would it make sense to extract this logic into a hypothetical `mayBeControlDependent` ?
ValueRankMap[&*I] = ++BBRank; ValueRankMap[&*I] = ++BBRank;
} }
} }
unsigned Reassociate::getRank(Value *V) { unsigned Reassociate::getRank(Value *V) {
Instruction *I = dyn_cast<Instruction>(V); Instruction *I = dyn_cast<Instruction>(V);
if (!I) { if (!I) {
if (isa<Argument>(V)) return ValueRankMap[V]; // Function argument. if (isa<Argument>(V)) return ValueRankMap[V]; // Function argument.
▲ Show 20 LinesShow All 1,970 LinesShow Last 20 Lines

test/Transforms/Reassociate/vaarg_movable.ll

  • This file was added.
; RUN: opt -S -reassociate -die < %s | FileCheck %s
; The two va_arg instructions depend on the memory/context, are therfore not
; identical and the sub should not be optimized to 0 by reassociate.
;
; CHECK-LABEL @func(
; ...
; CHECK: %v0 = va_arg i8** %varargs, i32
; CHECK: %v1 = va_arg i8** %varargs, i32
; CHECK: %v0.neg = sub i32 0, %v0
; CHECK: %sub = add i32 %v0.neg, 1
; CHECK: %add = add i32 %sub, %v1
; ...
; CHECK: ret i32 %add
define i32 @func(i32 %dummy, ...) {
%varargs = alloca i8*, align 8
%varargs1 = bitcast i8** %varargs to i8*
call void @llvm.va_start(i8* %varargs1)
%v0 = va_arg i8** %varargs, i32
%v1 = va_arg i8** %varargs, i32
%sub = sub nsw i32 %v1, %v0
%add = add nsw i32 %sub, 1
call void @llvm.va_end(i8* %varargs1)
ret i32 %add
}
declare void @llvm.va_start(i8*)
declare void @llvm.va_end(i8*)