This is an archive of the discontinued LLVM Phabricator instance.

Differential D9904

[RegAllocGreedy] Rematerialization crashes while updating operands in bundled MIs
ClosedPublic

Authored by dshtilman on May 20 2015, 10:39 PM.

Details

Reviewers
qcolombet
Commits
rG7b73bfa67a2a: [InlineSpiller] Fix rematerialization for bundles.
Summary

Hi Quentin,

This patch fixes rematerialization in InlineSpiller so it can handle bundles of MIs properly.

Context:
Before InlineSpiller rematerializes a vreg, it iterates over operands of each MI in a bundle, collecting all (MI, OpNo) pairs that reference that vreg.

Then if it does rematerialize, it goes through the pair list and replaces the operands with the new (rematerialized) vreg. The problem is, it tries to replace all of these operands in the main MI ! This works fine for single MIs. However, if we are processing a bundle of MIs and the list contains multiple pairs - the rematerialization will either crash trying to access a non-existing operand of the main MI, or silently corrupt one of the existing ones. It will also ignore other MIs in the bundle.

The obvious fix is to use the MI pointers saved in collected (MI, OpNo) pairs. This must have been the original intent of the pair list but somehow these pointers got lost.

Please review.

Thanks,
Dmitri

Diff Detail

Event Timeline

dshtilman updated this revision to Diff 26203.May 20 2015, 10:39 PM
dshtilman retitled this revision from to [RegAllocGreedy] Rematerialization crashes while updating operands in bundled MIs.
dshtilman updated this object.
dshtilman edited the test plan for this revision. (Show Details)
dshtilman added a reviewer: qcolombet.
dshtilman added a subscriber: resistor.
dshtilman added a subscriber: Unknown Object (MLST).
dshtilman updated this revision to Diff 26204.May 20 2015, 10:49 PM
dshtilman added a comment.May 20 2015, 10:51 PM

Hi Quentin,

This patch fixes rematerialization in InlineSpiller so it can handle bundles of MIs properly.

Context:
Before InlineSpiller rematerializes a vreg, it iterates over operands of each MI in a bundle, collecting all (MI, OpNo) pairs that reference that vreg.

Then if it does rematerialize, it goes through the pair list and replaces the operands with the new (rematerialized) vreg. The problem is, it tries to replace all of these operands in the main MI ! This works fine for single MIs. However, if we are processing a bundle of MIs and the list contains multiple pairs - the rematerialization will either crash trying to access a non-existing operand of the main MI, or silently corrupt one of the existing ones. It will also ignore other MIs in the bundle.

The obvious fix is to use the MI pointers saved in collected (MI, OpNo) pairs. This must have been the original intent of the pair list but somehow these pointers got lost.

Please review.

Thanks,
Dmitri

qcolombet accepted this revision.May 21 2015, 9:43 AM
qcolombet edited edge metadata.

Hi Dmitri,

The bug is scary!

This LGTM to a few nitpicks while you are here.
Also I assume this is not triggered by any in-tree target. If it is, please add a test case.

Thanks,
-Quentin

lib/CodeGen/InlineSpiller.cpp
924

MI is not reused anywhere so just fold the expression here:
MachineOperand &MO = Ops[i].first->getOperand(Ops[i].second);

That way we won’t have the shadow variable.

1102–1103

While you are here, add an assert in that loop:
MI == Ops[i].first

This revision is now accepted and ready to land.May 21 2015, 9:43 AM
dshtilman updated this revision to Diff 26275.May 21 2015, 2:03 PM
dshtilman edited edge metadata.

Scary indeed!

I addressed your comments. This hasn't been triggered by an in-tree target,
so at this point I don't have any tests that I could add.

The loop in InlineSpiller::foldMemoryOperand() is actually guarded by

// Don't attempt folding in bundles.
MachineInstr *MI = Ops.front().first;
if (Ops.back().first != MI || MI->isBundled())
  return false;

so we're unlikely to run into similar issues in this loop.
But I agree it's good to have an extra assert here just to be sure.

Thanks,
Dmitri

qcolombet added a comment.May 21 2015, 2:09 PM

Thanks Dmitri!

Do you want me to commit on your behalf?

Cheers,
-Quentin

dshtilman added a comment.May 21 2015, 2:21 PM

Yes, please do.

Thanks,
Dmitri

Eugene.Zelenko closed this revision.Sep 27 2016, 3:46 PM
Eugene.Zelenko added a subscriber: Eugene.Zelenko.

Committed in rL237964.

Revision Contents

PathSize
lib/
CodeGen/
3 lines

Diff 26275

lib/CodeGen/InlineSpiller.cpp

Show First 20 LinesShow All 915 Lines▼ Show 20 Linesbool InlineSpiller::reMaterializeFor(LiveInterval &VirtReg,
SlotIndex DefIdx = Edit->rematerializeAt(*MI->getParent(), MI, NewVReg, RM, SlotIndex DefIdx = Edit->rematerializeAt(*MI->getParent(), MI, NewVReg, RM,
TRI); TRI);
(void)DefIdx; (void)DefIdx;
DEBUG(dbgs() << "\tremat: " << DefIdx << '\t' DEBUG(dbgs() << "\tremat: " << DefIdx << '\t'
<< *LIS.getInstructionFromIndex(DefIdx)); << *LIS.getInstructionFromIndex(DefIdx));
// Replace operands // Replace operands
for (unsigned i = 0, e = Ops.size(); i != e; ++i) { for (unsigned i = 0, e = Ops.size(); i != e; ++i) {
MachineOperand &MO = MI->getOperand(Ops[i].second); MachineOperand &MO = Ops[i].first->getOperand(Ops[i].second);
qcolombetUnsubmitted
Not Done
ReplyInline Actions

MI is not reused anywhere so just fold the expression here:
MachineOperand &MO = Ops[i].first->getOperand(Ops[i].second);

That way we won’t have the shadow variable.

qcolombet: MI is not reused anywhere so just fold the expression here: MachineOperand &MO = Ops[i].first…
if (MO.isReg() && MO.isUse() && MO.getReg() == VirtReg.reg) { if (MO.isReg() && MO.isUse() && MO.getReg() == VirtReg.reg) {
MO.setReg(NewVReg); MO.setReg(NewVReg);
MO.setIsKill(); MO.setIsKill();
} }
} }
DEBUG(dbgs() << "\t " << UseIdx << '\t' << *MI << '\n'); DEBUG(dbgs() << "\t " << UseIdx << '\t' << *MI << '\n');
++NumRemats; ++NumRemats;
▲ Show 20 LinesShow All 161 Lines▼ Show 20 LinesfoldMemoryOperand(ArrayRef<std::pair<MachineInstr*, unsigned> > Ops,
bool SpillSubRegs = (MI->getOpcode() == TargetOpcode::STATEPOINT || bool SpillSubRegs = (MI->getOpcode() == TargetOpcode::STATEPOINT ||
MI->getOpcode() == TargetOpcode::PATCHPOINT || MI->getOpcode() == TargetOpcode::PATCHPOINT ||
MI->getOpcode() == TargetOpcode::STACKMAP); MI->getOpcode() == TargetOpcode::STACKMAP);
// TargetInstrInfo::foldMemoryOperand only expects explicit, non-tied // TargetInstrInfo::foldMemoryOperand only expects explicit, non-tied
// operands. // operands.
SmallVector<unsigned, 8> FoldOps; SmallVector<unsigned, 8> FoldOps;
for (unsigned i = 0, e = Ops.size(); i != e; ++i) { for (unsigned i = 0, e = Ops.size(); i != e; ++i) {
unsigned Idx = Ops[i].second; unsigned Idx = Ops[i].second;
assert(MI == Ops[i].first && "Instruction conflict during operand folding");
qcolombetUnsubmitted
Not Done
ReplyInline Actions

While you are here, add an assert in that loop:
MI == Ops[i].first

qcolombet: While you are here, add an assert in that loop: MI == Ops[i].first
MachineOperand &MO = MI->getOperand(Idx); MachineOperand &MO = MI->getOperand(Idx);
if (MO.isImplicit()) { if (MO.isImplicit()) {
ImpReg = MO.getReg(); ImpReg = MO.getReg();
continue; continue;
} }
// FIXME: Teach targets to deal with subregs. // FIXME: Teach targets to deal with subregs.
if (!SpillSubRegs && MO.getSubReg()) if (!SpillSubRegs && MO.getSubReg())
return false; return false;
▲ Show 20 LinesShow All 287 LinesShow Last 20 Lines