I would check for EHA first before checking if the personality is Asynchronous

OK, make sense. will do.
thank you for the feedback!

nit: bcause -> because

In the previous checkin, you went through and replaced the term EHa with asyncEH or similar in all identifiers and comments, didn't you? If so, I think it would be good to do the same with this one.

Here you've got the signature and the name both indicating that this works at a block scope, and a comment indicating that it is for EHa. I wonder if it wouldn't be better to have the signature indicate block scope and use the name to indicate EHa, something like calculateCXXStateForAsyncEH.

To me, the word "faulty" implies that a fault definitely exists. I think that getFirstMayFaultInst, though perhaps more awkward, would be more clear.

what if the divisior is not a constant but evaluates to 0 at run-time? I assume that's handled differently, but without context I wouldn't know where, so maybe mentioning in the comment would be good.

do the tests (either the new ones you're adding or existing ones) exercise the case where we need this?

How do we know that this is a CleanupPad and not a Catchswitch?

How do we know this doesn't wind back out of the block we care about? Is it worth adding an assertion?

I'm surprised this doesn't cause a problem for super-deep CFGs (pathological cases); consider using a worklist.

I think you're saying here that it's legal for a side exit to target a successor with any ancestor state. But also you're assigning each such successor the exact parent state of its least predecessor ("least" by comparing state numbers). How do you know that it shouldn't be the grandparent (or any other ancestor) of the least predecessor?

nit: should be "trumps others" or "triumphs over others"

Oh, I didn't notice this when I wrote the comment above. I agree with clang-tidy on this one (for both of these functions).

I didn't notice when commenting on this name earlier that this method is on the IR BasicBlock class. I don't know if there's a better term to use for this than "fault". Regardless, I think it would be good to make the comment on the declaration very explicit that this checks for loads/stores (which may dereference a null pointer) and calls/invokes (which may propagate exceptions), since I don't think we have a well-defined IR concept for this particular property of those instructions. (FWIW, The last time I went looking, the closest I could find was the logic in SimplifyCFG that decides how much code it can remove before an unconditional branch to unreachable, which was open-coded.)

Did you mean CallBase here? This will skip InvokeInsts (and CallBrInsts).

good point. done.

yes makes sense. thanks.

as stated in last line comment, in that case the DIV will not be the first instruction in the EH region. we can skip Nop..

Yes, the **Dtor one. it's how we found this bug. thanks.

fixed. thanks.

good point. fixed in the new patch.

done. recursion is replaced by a worklist loop..

the new state only assigned to successor when it's smaller than successor's current state. See the first line in the while loop.
if ( ... && EHInfo.BlockToStateMap[BB] <= State) ..

done. recursion is replaced by a worklist loop..

renamed it with getFirstMayFaultInst(). also added more comments in header. thanks!

good catch! done.

Nit: variable name still indicates cleanup. I'd suggest EHPadMBB.

Yes I see that you're taking the state of the least connected predecessor. What I'm not following is how you know that the least connected predecessor is a sibling, rather than say a neice -- what if the sibling ends in unreached, for example? Something like:

B1: (state = 0
{ // new scope
B2: (state = 1)
  { // new scope
  B2: (state = 2)
     { // new scope
     B3: (state = 3)
        if (_) {
        B4:
            goto B7;
        }
        B5: (state = 3)
        __assume(0);
     } // exit scope
     B6: (state TBD)
  } // exit scope
 B7: (state TBD)
} // exit scope
B8: (state TBD)

And maybe optimization turned __assume(0) into unreachable and got rid of B6 entirely. So then B4 is the only predecessor of B7. Doesn't that mean we'll assign state 2 to B7? But B7 should have state 1. How do we know this doesn't happen?

good catch. will fix it. thanks.

Very good point. In this case, B7 actually is a side-entry that is led by a block of seh_scope_begin() intrinsic (see CpodeGen/CGStmt.cpp change in Part-1 patch). As such, the state will be reset via EHInfo.InvokeStateMap[] when real code blocks are proceeded.

Is this still required? LLVM is no longer adding 1 to the addresses in its SEH tables (although it does for its IP2State table).

Yes, this is required. -EHa is applied to C++ code too. Without this Nop, exception occurs on the instruction immediately following an EH_LABEL won't be caught due to current "+1+offset" mechanism.

If the issue here that the "end" label for a region can accidentally include the following instruction after the region? Would it make sense to explicitly insert a nop earlier, in that case?

I assume this is trying to trick optimizations into avoiding optimizations on the cleanup block if the __try involves multiple basic blocks.

Have you considered trying to fix the control flow graph? I mean, I understand the difficulty of expressing the control flow at the IR level, given we don't have IR versions of "load" and "store" with an unwind edge, but those concerns don't really apply in the same way in a MachineFunction. You can mark the cleanup block as a successor of any block that can throw an exception, without explicitly marking up the control flow on each individual instruction. (This is how exceptions normally work.)

getBasicBlock() can return null, in general. Maybe since this is running during isel, that isn't an issue, though. Maybe worth adding a comment.

If a load is folded into the terminator, it can fault... but I guess that's unlikely to come up in practice. The most likely scenario probably involves indirectbr. Most other indirect jumps probably aren't terminators. I guess a jump table could theoretically fault, but if you cared you could probably just disable those.

I don't see the value of emitting it earlier. I think the closer to emission is safer. Or there is always a risk of being changed or reordered by other phases. Besides, there are a couple of similar cases of emitting Nop in that file (like functionPrfix). I think inserting the nop where the EH_Label is emitted is safest and most straight-forward.

The Cleanup block is turned into a dtor funclet at the end. And the beginning address of that funclet will be recorded in EH table in .xdata section. So it's really address-taken by definition. If you verify this by checking Linker relocation records or the EH table in .asm file. IMO this flag should be set regardless of the SEH feature.

ok, will add a comment. thanks.

Right, it's unlikely in practice. I don't think it's concern here.
thank you for pointing out.

Could you at least clarify the comment to clarify what aspect of the SEH region is problematic? We currently use EH_LABEL for both the beginning and end of a region, and it isn't clear which one this is meant to apply to.

That's not what "address-taken" is supposed to mean.

It's supposed to be equivalent to BasicBlock::hasAddressTaken, which means that the block is the target of a blockaddress expression (used for indirectbr). Primarily, this restricts certain optimizations because in general, we can't split a critical edge from an indirectbr.

hasAddressTaken() is not a general "will the address of the block eventually be emitted somewhere in the assembly". That can happen for a variety of unrelated reasons, including exception handling, debug info, jump tables, and branch lowering.

I apologize for the ridiculous delay in responding, until just now I was under the mistaken impression that you hadn't replied.

I'm still confused by the logic here. Your comment states "Side exits can ONLY jump into parent scopes (lower state number)". My example had a jump to a grandparent, and you pointed out that its destination would be marked as a side entry. Are those the only two cases, would it be equally correct to say "Side exits can ONLY jump to either the immediate parent scope or a side-entry of another ancestor" ? Or is there a way to go straight to grandparent that doesn't get a side entry?

I think an equivalent question is: at the continue on line 300, could you assert EHInfo.BlockToStateMap[BB] == State || (block is side entry) ?

It's for both.
EH_LABEL marks the end of the previous region and the beginning of the following region. The Nop is added to prevent a potential-faulty-instruction from being included in the previous region and to ensure this potential faulty instruction still in the present region.
Yes, I will add more comments.

I'm not sure about your interpretation. the comment of this flag from the header is:

/// Returns true if there are any uses of this basic block other than
/// direct branches, switches, etc. to it.
bool hasAddressTaken() const {
  return getBasicBlockBits().BlockAddressRefCount != 0;
}

it does include "switch" which I think refers to jump-table.
Besides, the dtor-funclet in EH table is invoked via indirectbr/indirect-call. Does not that also meet your interpretation?

Sorry for the confusion. the comment "jump into parent scopes" here does not imply it's the immediate parent. it can be grandparents, etc as in your example. Will fix the comment.
Those two are actually refer to the same scenario. Jumping into a protected parant/grandparent's scope induces a warning, and under that situation the target label is marked as side-entry (JumpDiagnostics.cpp change in Part-1 patch).

We intentionally do not check for hasAddressTaken() here. Even if something refers to the address, it's not legal to branch to the block, so it can't contain any useful instructions. AsmPrinter::emitFunctionBody has some code to print a fake label if there's a reference to an erased block.

"other than direct branches, switches, etc." means MachineBasicBlock terminators, exception pads, and jump tables. Anything which is *not* one of those, we mark up, because target-independent code can't analyze it. But in almost all cases, the above list covers basically everything except indirectbr until you get very late in the compile process.

If we do end up performing some transform that materializes the address of a block outside of the above cases, it could make sense to mark a block address-taken. (Some target-specific code does this. Not sure if that code is really doing it correctly, but none of those calls are relevant to this patch.) But we should not be preemptively marking basic block address-taken: we should wait until such a transform is actually performed.

For a dtor-funclet, we don't actually "take the address" of the funclet until the AsmPrinter, when we compute the exception tables. We could add an address-taken marking at that point... but nothing would check it that late in the pipeline.

Jumping into a protected [ancestor scope other than the immediate parent scope] ... [can't occur unless] the target label is marked as side-entry

That is the key point I was missing. Yes, I think it would be great to include that in the comment and/or as an assertion.

a protected parant/grandparent's

What happens if an unprotected block is only reachable from side-exits of protected regions? Do we end up protecting it, and is that okay? This too would be good to include in comment.

Hmm, really? there are at least three places where hasAddressTaken() is used to guard optimizations in the same pass (BranchFolding.cpp). why is OptimizeBranches() special?

This is exactly the case that a target-independent code (like BranchFolding.cpp) must be aware of it.
The dtor-funclet cleanup block is genuinely address-taken the moment it's created.
Yes, it's not emitted until AsmPrinter. but it does not mean the block is not address-taken until AsmPrinter.

The other places in the pass are checking hasAddressTaken() to try to figure out if they can rewrite the predecessors. Here, we can trivially rewrite all the predecessors: there aren't any.

There's not really any point to arguing what the person who originally wrote the comment meant. Sorry, I shouldn't have tried to take the discussion in that direction.

But I still think this is confusing: there's multiple different use-cases smashed together into one boolean.

How about this: we split up isBlockAddressTarget(), isAsyncSEHTarget(), and maybe isMachineLabelUsed() for the target-specific stuff that messes with MachineBasicBlock labels in weird ways. And then as a transitional measure hasAddressTaken() checks all of them, maybe? Really, I expect most of the relevant places that would check hasAddressTaken(), or something like that.

Then we can go through later and refine various places to check exactly what they need. I suspect most places don't actually need all three.

I feel doing that is over-engineering and I don't see much value out of it.

note that in addition to BasicBlock.h, it's also commented in MachineBasicBlock.h :

/// Test whether this block is **potentially the target of an indirect branch.**
bool hasAddressTaken() const { return AddressTaken; }

Also, some present usages are far from what you described.
See the usages in RetpolineThunkInserter where CaptureSpec and CallTarget blocks are not even address-taken.

The usage of hasAddressTaken() in this revision is much more appropriate and legitimate.

Looked a bit more. It turns out there's an actual bug here: mixing up the different markings could confuse the AsmPrinter if we mix together the different bits. Posted D124697.

With that, the "MBBLabelUsed" is probably close enough to what you need, if we need something. I guess we don't really need to distinguish between the SEH uses and other target-specific uses.

I'm still not sure where, exactly, the MBB is being stored that necessitates this. If I look at an MIR dump, the only place the EHPad shows up is as a successor of the block that can throw an exception. And as far as I can tell, none of the side-tables in WinEHFuncInfo contain any references to MBBs.

The EH table is named $stateUnwindMap$, the 'state' and 'action' map table. It is stored in $cppxdata$ that is the primary EH table passed to _CxxFrameHandler3/4 by __ehhandler$**. Check the new test case windows-seh-EHa-cpp-Dtors01.ll.
LLVM code that emits it is in WinException.cpp:

// UnwindMapEntry {
//   int32_t ToState;
//   void  (*Action)();
// };
if (UnwindMapXData) {
  OS.emitLabel(UnwindMapXData);
  for (const CxxUnwindMapEntry &UME : FuncInfo.CxxUnwindMap) {
    MCSymbol *CleanupSym =
        getMCSymbolForMBB(Asm, UME.Cleanup.dyn_cast<MachineBasicBlock *>());
    AddComment("ToState");
    OS.emitInt32(UME.ToState);

    AddComment("Action");
    OS.emitValue(create32bitRef(CleanupSym), 4);
  }

note getMCSymbolForMBB() that refers to the ehcleanup block we were talking about here.

I guess given that we have references to an MBB stored in FuncInfo, we can't really delete the block. So I guess this is right, sort of. But it would still be undefined behavior to jump to it, so I'm not sure this really solves whatever problem you ran into.

I was more concerned about the other end of it... but looking into it, I guess FunctionLoweringInfo::set() is actually where we end up computing the mapping. So we need to ensure that the FuncInfo tables stay consistent through the entirety of codegen. Which seems like an extreme restriction, but I guess it's unlikely to matter that much in practice.

it's MBB.pred_empty(), so there is no edge jumping to it.
Without this change, an EH Cleanuppad block could be removed and EH runtime would not be able to dtor a live object during unwinding.

the FuncInfo and its related tables is the existent framework that handles EH.
Yes, I'm sure it is reliable and consistent with IR or C++ EH today would not be working at all.
This patch is adding SEH support that is built on top of existent EH framework.

That's a contradiction: you're saying there's no edge jumping to it, but somehow the "EH runtime" is executing the code in the block.

In particular, even if you preserve the block, anything involving dominance relationships, like register allocation, is likely to destroy unreachable code. Maybe you can sort of get away with it in trivial cases.

I meant no edge jumps into it through IR's control flow graph during compilation. EH runtime invokes it via an indirect branch during execution time.

It's the whole point of 'address-taken' attribute; it tells optimizations/transformations that although this block is unreached via IR control flow, its address is taken and runtime (or some other code) can invoke this block via an indirect branch.

Register-allocation, or and all other optimizations (like this BranchFolding) should check whether or not it's address-taken before optimizing it away.
If more cases are revealed, we should fix them. 'Retpoline' and other code are also relying on this flag to guard an unreachable block.

I think you're misunderstanding what I mean by "control flow graph".

Every MachineBasicBlock has a "successor" list, and a "predecessor" list. These can be accessed by MachineBasicBlock::successors() and MachineBasicBlock::predecessors(). MachineBasicBlock::pred_empty() queries the predecessor list. This isn't directly tied to any instructions in the block itself; they're just std::vector<MachineBasicBlock*>. But they reflect the possible directions for control flow. For example, suppose you have an indirectbr. This gets lowered to an indirect jump instruction; none of the destinations are directly encoded into the basic block. However, the block has a successor list; the jump must jump to one of those successors, or the behavior is undefined. And the destination has a predecessor list; the block with the indirectbr must be in that list.

This is a bit different from LLVM IR, where every control flow edge is explicitly attached to a terminator instruction.

This successor list is essential to the way MachineFunction IR works. Before register allocation, the IR is in SSA form; computing where an SSA value is live requires an accurate control flow graph.

If the EH runtime is jumping to a MachineBasicBlock with no predecessors, that means there's a missing call to MachineBasicBlock::addSuccessor() somewhere.

For Switch jump table, yes, pred. & succ. lists are well maintained because they are real control-flow.

We are talking about EH unwinding flow here. EH runtime cannot be in the list. it's why we rely on address-taken flag to convey this scenario to optimizations.

We model EH unwinding flow similarly to any other control flow. Take the following example:

echo "struct A {~A(); }; void f(); void g() { A a; f(); }" | clang++ --target=x86_64-pc-windows-msvc -x c++ - -o - -S -mllvm -stop-before=greedy

This dumps the MIR as it appears during register allocation. If you look at the output, it contains:

bb.0.entry:
  successors: %bb.1(0x40000000), %bb.2(0x40000000)

bb.1 is the normal continuation, bb.2 is the cleanuppad. bb.2 isn't directly reachable; the only way to jump to the block is through the exception unwinder. But we still model the edge.

Yes, we all know that. that is the whole point of this design.
For Asynch Exception, this design only tracks EH state at scope (or block) level, not at instruction level. As such, after seh-scope-intrinsic is lowered, the design relies on address-taken flag to guard ehcleanup pads.
Please review the design on the top.

The reason we agreed not to track the control flow per-instruction at the LLVM IR level is the difficulty of adding the control flow edges: it would require a completely different form of control flow modelling to attach an exception edge to an LLVM IR load instruction. So we use an approximation: controlflow uses the edge encoded on the nearest llvm.seh.try.begin().

We don't need to use the same tradeoff here, though. Control flow doesn't work the same way on MachineBasicBlocks as it does on LLVM IR. We should decide the best way to model the control flow based on the constructs available, independent of what we decided for LLVM IR.

As far as I can tell, there isn't any reason you can't just mark the appropriate edges explicitly.

Alternatively, you could lower llvm.seh.try.begin to a pseudo-instruction, and mark the edge from that instruction to the exception-handling block, the same way we do it on LLVM IR. The control flow in that case wouldn't be precisely correct, but it would be close enough that you can make it work. I don't see any reason to prefer that approach, though.

Depending purely on the address-taken flag to preserve a block with no predecessors isn't ever going to work well; it's incompatible with how the backend reasons about control flow and liveness.

Good to know there is no disagreement about tracking at seh-scope level, not at instruction level.
Good to know you also don't think there is any reason to continue modeling EH flow at scope-level after LLVM IR Lowering.

I agree that address-taken mechanism is not perfect. but it's an existent mechanism in LLVM framework. As said earlier, it's used in many places today. IMO, it's robust and well-understood mechanism employed in several compiler code based (LLVM is 4th one I experienced). In compiler & code-gen space, when we see address-taken, we all know what the implication is.

This revision is about SEH. Any concern or opinion about an existent framework should be resolved in a separate patch.

duplicated.

Check for call instructions?

Check it in test case?

The comment format seems uncommon, reformat it?

It's more preferred to use .. E = MF->end(); MBBI != E; ..

Any reason this has to be done in SelectionDAGISel. If we do it after ISel, we can check mayRaiseFPException for FP instructions too.

Is there any chance a terminator will raise exception?
If we don't emit begin/end labels, why adding them to EHInfo by line 1297?

You can use getFirstTerminator.

Didn't see its free. Would there be memory leak?

There are many function calls, would be better to simplify to

if (Fn && Fn->isIntrinsic()) {
  Intrinsic::ID IID = Fn->getIntrinsicID();
  if (IID == ...)

ditto.

We'd better use machine instruction infos.

This is useless and misleading. Ditto for other tests.

good eyes. thanks.

SEH HW exception will be caught in callee. No need to inject a nop before the call

yes, without this change, tests will fail

ok.

It's convenient and a natural place to do this table. It's already at the end of DAGISel.
If we are still missing some features, I prefer a follow-up patch. This patch has been tested and proved robust.

No. terminator won't raise exception.
Good catch, will move them to the top of that block to avoid unused IPToState entry.

I think I did it once. the reason getFirstTerminator() not used is that there could be real instructions between 1st and 2nd terminator. it's being a while, don't remember exactly. I think it's better not changing it now. this is minor anyways.

it does not really matter as duplicated Fn->getIntrinsicID() will be CSEed away

ditto.

this is the style copied from neighborhood code. do you see any problem or potential bug?

this is testing SEH related table and flag is put properly.
which part is misleading?

Still not see where it been freed. Should we push the object instead?

I'm concerned about the FP exceptions as explained above. Especially FP instructions are more target specific, e.g., given an integet to FP conversion, CVTDQ2PD doesn't raise any FP exception but CVTDQ2PS does.
But I'm fine to improve it in a follow up.

I mean the !2 = !{!"clang version 11.0.0 ...

Oh, my overlooked. done.

ok, thanks.

I see. done.

If the EH runtime is jumping to a MachineBasicBlock with no predecessors, that means there's a missing call to MachineBasicBlock::addSuccessor() somewhere.

I agree with @efriedma here. Even for indirectbr, we still correctly model successor and predecessor lists. Having those be imprecise or omit edges (whether direct or indirect) is asking for trouble.