This is an archive of the discontinued LLVM Phabricator instance.

[SDAG] fix crash in getNegatedExpression() from altered number of uses
AbandonedPublic

Authored by spatel on Mar 19 2020, 11:23 AM.

Download Raw Diff

Details

Reviewers

RKSimon
bjope
steven.zhang
dstuttard

Summary

We've discussed this problem before in D70975. Copying directly from that description:
We check the number of uses as a predicate for whether some value is free to negate, but that use count can change as we rewrite the expression in getNegatedExpression(). So something that was marked free to negate during the cost evaluation phase becomes not free to negate during the rewrite phase (or the inverse - something that was not free becomes free). This can lead to a crash/assert because we expect that everything in an expression that is negatible to be handled in the corresponding code within getNegatedExpression().

The problem was similarly partly fixed in D75501, but we missed that the same behavior could originate from fmul/fdiv.

This is another incomplete fix for the whole problem, but I think that requires integrating getNegatibleCost() and getNegatedExpression(), so that we can't alter costs between analysis and rewrite.

Diff Detail

Event Timeline

spatel created this revision.Mar 19 2020, 11:23 AM

Herald added subscribers: hiraditya, mcrosier. · View Herald TranscriptMar 19 2020, 11:23 AM

spatel mentioned this in D76319: [DAGCombiner] Fix non-determinism problem related to argument evaluation order in visitFDIV.Mar 19 2020, 11:41 AM

Shall we also need to update the cost evaluation for FMUL/FDIV, that is calculating both operands and select the cheapest cost of them ? And it seems that FADD also have such issues. -(A+B)->-A - B or -B-A
Technical speaking, we can't have the same expensive cost for both operands when negating the expression but now, we indeed have sometimes. And we choose one by chance which also would have problems.

I am not clear on the origin design but I wonder if we can remove the check of cost before calling the getNegateExpression, but call it directly, which allow to be null value to avoid such kind of out of sync between these two calls.

In D76439#1932659, @steven.zhang wrote:

Shall we also need to update the cost evaluation for FMUL/FDIV, that is calculating both operands and select the cheapest cost of them ? And it seems that FADD also have such issues. -(A+B)->-A - B or -B-A
Technical speaking, we can't have the same expensive cost for both operands when negating the expression but now, we indeed have sometimes. And we choose one by chance which also would have problems.

Yes, this whole API is unsound - we need to rewrite it to be completely correct. But I think this change makes it at least a little bit safer and more similar to the FMA logic. I can add a FIXME comment for FADD, and try to come up with a similar failure case as this one.

I am not clear on the origin design but I wonder if we can remove the check of cost before calling the getNegateExpression, but call it directly, which allow to be null value to avoid such kind of out of sync between these two calls.

Yes, if I understand correctly, we will need to integrate the cost+rewrite functions, so they are always in sync.

bjope mentioned this in rGd168b7778035: [DAGCombiner] Fix non-determinism problem related to argument evaluation order….Mar 20 2020, 8:38 AM

We need to update the cost as they are pair. For now, it returns the first operand immediately if it is not expensive. But it could be neutral. And we will have problems if the cost of second operand is cheap. Because we should return cheap, but now, it is neutral. Does it make sense ?

In D76439#1935992, @steven.zhang wrote:

We need to update the cost as they are pair. For now, it returns the first operand immediately if it is not expensive. But it could be neutral. And we will have problems if the cost of second operand is cheap. Because we should return cheap, but now, it is neutral. Does it make sense ?

Sorry, but I'm not understanding. With this patch we have fneg (fmul/fdiv X, Y):

CostX == cheaper == 2; CostY == cheaper == 2 --> negate X
CostX == cheaper == 2; CostY == neutral == 1 --> negate X
CostX == neutral == 1; CostY == cheaper ==2 --> negate Y
CostX == neutral == 1; CostY == neutral == 1 --> negate X

But I have an alternate idea to avoid the crash that is probably a better fix given the current logic:
D76638

In D76439#1937652, @spatel wrote:

In D76439#1935992, @steven.zhang wrote:

We need to update the cost as they are pair. For now, it returns the first operand immediately if it is not expensive. But it could be neutral. And we will have problems if the cost of second operand is cheap. Because we should return cheap, but now, it is neutral. Does it make sense ?

Sorry, but I'm not understanding. With this patch we have fneg (fmul/fdiv X, Y):

CostX == cheaper == 2; CostY == cheaper == 2 --> negate X

CostX == cheaper == 2; CostY == neutral == 1 --> negate X

CostX == neutral == 1; CostY == cheaper ==2 --> negate Y

CostX == neutral == 1; CostY == neutral == 1 --> negate X

But I have an alternate idea to avoid the crash that is probably a better fix given the current logic:
D76638

I mean when evaluating the cost of fmul/fdiv X, Y, not the logic inside getNegatedExpression, but the logic inside getNegatibleCost. We have:

CostX == neutral == 1; CostY == cheaper --> Cost(fmul/fdiv) == neutral (Wrong)

This is the code.

case ISD::FMUL:
case ISD::FDIV: {
  // fold (fneg (fmul X, Y)) -> (fmul (fneg X), Y) or (fmul X, (fneg Y))
  NegatibleCost V0 = getNegatibleCost(Op.getOperand(0), DAG, LegalOperations,
                                      ForCodeSize, Depth + 1);
  if (V0 != NegatibleCost::Expensive)    // Steven: if it is neutral, we should not return immediately, we need to check the cost of operand 2 and compare them.
    return V0;

  // Ignore X * 2.0 because that is expected to be canonicalized to X + X.
  if (auto *C = isConstOrConstSplatFP(Op.getOperand(1)))
    if (C->isExactlyValue(2.0) && Op.getOpcode() == ISD::FMUL)
      return NegatibleCost::Expensive;

  return getNegatibleCost(Op.getOperand(1), DAG, LegalOperations, ForCodeSize,
                          Depth + 1);

spatel mentioned this in D76585: [PowerPC] Require NSZ flag for c-a*b to FNMSUB.Mar 26 2020, 6:53 AM

steven.zhang mentioned this in D77319: [DAGCombine] Remove the getNegatibleCost to avoid the out of sync with getNegatedExpression.Apr 3 2020, 1:00 AM

Abandoning - D77319 will solve the larger problem.

Revision Contents

Path

Size

llvm/

lib/

CodeGen/

SelectionDAG/

TargetLowering.cpp

8 lines

test/

CodeGen/

X86/

neg_fp.ll

29 lines

Diff 251422

llvm/lib/CodeGen/SelectionDAG/TargetLowering.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 5,755 Lines • ▼ Show 20 Lines	if (ConstantFPSDNode C = isConstOrConstSplatFP(X, /AllowUndefs*/ true))
return Y;		return Y;

// fold (fneg (fsub X, Y)) -> (fsub Y, X)		// fold (fneg (fsub X, Y)) -> (fsub Y, X)
return DAG.getNode(ISD::FSUB, DL, VT, Y, X, Flags);		return DAG.getNode(ISD::FSUB, DL, VT, Y, X, Flags);
}		}
case ISD::FMUL:		case ISD::FMUL:
case ISD::FDIV: {		case ISD::FDIV: {
SDValue X = Op.getOperand(0), Y = Op.getOperand(1);		SDValue X = Op.getOperand(0), Y = Op.getOperand(1);
// fold (fneg (fmul X, Y)) -> (fmul (fneg X), Y)
NegatibleCost CostX = getNegatibleCost(X, DAG, LegalOps, OptForSize, Depth);		NegatibleCost CostX = getNegatibleCost(X, DAG, LegalOps, OptForSize, Depth);
if (CostX != NegatibleCost::Expensive)		NegatibleCost CostY = getNegatibleCost(Y, DAG, LegalOps, OptForSize, Depth);
		// TODO: The comparison is inverted from what we might expect of a "cost"
		// because the enum values have "Cheaper" with a larger numerical
		// value than "Expensive".
		if (CostX >= CostY)
		// fold (fneg (fmul X, Y)) -> (fmul (fneg X), Y)
return DAG.getNode(		return DAG.getNode(
Opcode, DL, VT,		Opcode, DL, VT,
getNegatedExpression(X, DAG, LegalOps, OptForSize, Depth), Y, Flags);		getNegatedExpression(X, DAG, LegalOps, OptForSize, Depth), Y, Flags);

// fold (fneg (fmul X, Y)) -> (fmul X, (fneg Y))		// fold (fneg (fmul X, Y)) -> (fmul X, (fneg Y))
return DAG.getNode(		return DAG.getNode(
Opcode, DL, VT, X,		Opcode, DL, VT, X,
getNegatedExpression(Y, DAG, LegalOps, OptForSize, Depth), Flags);		getNegatedExpression(Y, DAG, LegalOps, OptForSize, Depth), Flags);
▲ Show 20 Lines • Show All 1,948 Lines • Show Last 20 Lines

llvm/test/CodeGen/X86/neg_fp.ll

Show First 20 Lines • Show All 48 Lines • ▼ Show 20 Lines	; CHECK-NEXT: retl
%t11 = fmul double %t, %t		%t11 = fmul double %t, %t
%t13 = fsub double %t11, %t		%t13 = fsub double %t11, %t
%t14 = fneg double %t		%t14 = fneg double %t
%t15 = fmul double %t, %t14		%t15 = fmul double %t, %t14
%t16 = fmul double %t, %t15		%t16 = fmul double %t, %t15
%t18 = fadd double %t16, %t7		%t18 = fadd double %t16, %t7
ret double %t18		ret double %t18
}		}

		; This would crash because the negated expression for %sub4
		; creates a new use of %sub1 and that alters the negated cost

		define float @fdiv_extra_use_changes_cost(float %a0, float %a1, float %a2) nounwind {
		; CHECK-LABEL: fdiv_extra_use_changes_cost:
		; CHECK: # %bb.0:
		; CHECK-NEXT: pushl %eax
		; CHECK-NEXT: movss {{.*#+}} xmm0 = mem[0],zero,zero,zero
		; CHECK-NEXT: movss {{.*#+}} xmm1 = mem[0],zero,zero,zero
		; CHECK-NEXT: movss {{.*#+}} xmm2 = mem[0],zero,zero,zero
		; CHECK-NEXT: movaps %xmm2, %xmm3
		; CHECK-NEXT: subss %xmm1, %xmm3
		; CHECK-NEXT: subss %xmm2, %xmm1
		; CHECK-NEXT: mulss %xmm0, %xmm1
		; CHECK-NEXT: subss %xmm0, %xmm3
		; CHECK-NEXT: divss %xmm1, %xmm3
		; CHECK-NEXT: movss %xmm3, (%esp)
		; CHECK-NEXT: flds (%esp)
		; CHECK-NEXT: popl %eax
		; CHECK-NEXT: retl
		%sub1 = fsub fast float %a0, %a1
		%mul2 = fmul fast float %sub1, %a2
		%neg = fneg fast float %a0
		%add3 = fadd fast float %a1, %neg
		%sub4 = fadd fast float %add3, %a2
		%div5 = fdiv fast float %sub4, %mul2
		ret float %div5
		}