This is an archive of the discontinued LLVM Phabricator instance.

Differential D103077

[DAGCombine] Poison-prove scalarizeExtractedVectorLoad.
ClosedPublic

Authored by fhahn on May 25 2021, 3:53 AM.

Details

Reviewers
efriedma
craig.topper
nlopes
spatel
Commits
rG126f90b25250: [DAGCombine] Poison-prove scalarizeExtractedVectorLoad.
Summary

extractelement is poison if the index is out-of-bounds, so just
scalarizing the load may introduce an out-of-bounds load, which is UB.

To avoid introducing new UB, we can mask the index so it only contains
valid indices.

Fixes PR50382.

Diff Detail

Event Timeline

fhahn created this revision.May 25 2021, 3:53 AM
Herald added subscribers: ecnelises, pengfei, arphaman, hiraditya. · View Herald TranscriptMay 25 2021, 3:53 AM
fhahn requested review of this revision.May 25 2021, 3:53 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 25 2021, 3:53 AM
Harbormaster completed remote builds in B106062: Diff 347623.May 25 2021, 5:00 AM
fhahn updated this revision to Diff 347714.May 25 2021, 9:55 AM
fhahn added a subscriber: jonpa.

Adjust failing SystemZ test. It would be great if someone familiar with SystemZ could take a look to double-check this makes sense. Perhaps @jonpa?

Harbormaster completed remote builds in B106121: Diff 347714.May 25 2021, 10:27 AM
RKSimon added a subscriber: RKSimon.May 25 2021, 3:04 PM
RKSimon added inline comments.
llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
18423

Is there any chance of NumElts not being a pow2 here?

jonpa added a subscriber: uweigand.May 25 2021, 5:04 PM
In D103077#2779949, @fhahn wrote:

Adjust failing SystemZ test. It would be great if someone familiar with SystemZ could take a look to double-check this makes sense. Perhaps @jonpa?

Yes, this looks like a correct test update to me: the changed immediate operand reflects that now only two shifted bits are inserted into %r1 (instead of all 32).

I wonder what the rationale behind this patch is: if the instruction is poison to begin with, then the program is broken and I don't understand how changing the argument value can change that..?

Adding @uweigand as well just in case...

qiucf added a subscriber: qiucf.May 25 2021, 7:56 PM
fhahn added a comment.May 26 2021, 1:18 AM
In D103077#2780921, @jonpa wrote:
In D103077#2779949, @fhahn wrote:

Adjust failing SystemZ test. It would be great if someone familiar with SystemZ could take a look to double-check this makes sense. Perhaps @jonpa?

Yes, this looks like a correct test update to me: the changed immediate operand reflects that now only two shifted bits are inserted into %r1 (instead of all 32).

I wonder what the rationale behind this patch is: if the instruction is poison to begin with, then the program is broken and I don't understand how changing the argument value can change that..?

Whether the whole program is broken (has UB) depends on how the returned value is used in the callers. Returning poison is not UB, unless the function has the noundef attribute.

uweigand added a comment.May 26 2021, 3:05 AM
In D103077#2780921, @jonpa wrote:
In D103077#2779949, @fhahn wrote:

Adjust failing SystemZ test. It would be great if someone familiar with SystemZ could take a look to double-check this makes sense. Perhaps @jonpa?

Yes, this looks like a correct test update to me: the changed immediate operand reflects that now only two shifted bits are inserted into %r1 (instead of all 32).

I wonder what the rationale behind this patch is: if the instruction is poison to begin with, then the program is broken and I don't understand how changing the argument value can change that..?

Adding @uweigand as well just in case...

This looks correct to me as well, it simply implements the mask to valid index (which can be merged into the existing risbgn instruction).

efriedma added inline comments.May 27 2021, 12:37 PM
llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
18423

I can't think of anything that would enforce it being a power of two. The usage of getKnownMinValue() here is also wrong: for a scalable vector, we need to clamp the index relative to the actual number of lanes at runtime, not the minimum number of lanes.

TargetLowering::getVectorElementPointer() has all the logic to do this correctly; can we use it here?

fhahn mentioned this in rGa773b2e430a8: [AArch64] Add additional vector load scalarization tests for D103077..May 28 2021, 5:40 AM
fhahn updated this revision to Diff 348502.May 28 2021, 5:45 AM

Updated to use TLI.getVectorElementPointer, thanks!

fhahn added inline comments.May 28 2021, 5:47 AM
llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
18423

Yes, it looks like we can still have non-power-of-2 vectors here. We bail out earlier for scalable vectors.

I adjusted the code to use TargetLowering::getVectorElementPointer() as suggested by Eli! Seems like a great way to simplify the existing logic which I was not aware of, thanks!

Harbormaster completed remote builds in B106693: Diff 348502.May 28 2021, 6:06 AM
efriedma accepted this revision.May 28 2021, 12:35 PM

LGTM

This revision is now accepted and ready to land.May 28 2021, 12:35 PM
This revision was landed with ongoing or failed builds.May 30 2021, 3:56 AM
Closed by commit rG126f90b25250: [DAGCombine] Poison-prove scalarizeExtractedVectorLoad. (authored by fhahn). · Explain Why
This revision was automatically updated to reflect the committed changes.
fhahn added a commit: rG126f90b25250: [DAGCombine] Poison-prove scalarizeExtractedVectorLoad..

Revision Contents

PathSize
llvm/
lib/
CodeGen/
SelectionDAG/
10 lines
test/
CodeGen/
AArch64/
3 lines
SystemZ/
2 lines
X86/
10 lines

Diff 347714

llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 18,410 Lines▼ Show 20 LinesSDValue DAGCombiner::scalarizeExtractedVectorLoad(SDNode *EVE, EVT InVecVT,
MachinePointerInfo MPI; MachinePointerInfo MPI;
SDLoc DL(EVE); SDLoc DL(EVE);
if (auto *ConstEltNo = dyn_cast<ConstantSDNode>(EltNo)) { if (auto *ConstEltNo = dyn_cast<ConstantSDNode>(EltNo)) {
int Elt = ConstEltNo->getZExtValue(); int Elt = ConstEltNo->getZExtValue();
unsigned PtrOff = VecEltVT.getSizeInBits() * Elt / 8; unsigned PtrOff = VecEltVT.getSizeInBits() * Elt / 8;
Offset = DAG.getConstant(PtrOff, DL, PtrType); Offset = DAG.getConstant(PtrOff, DL, PtrType);
MPI = OriginalLoad->getPointerInfo().getWithOffset(PtrOff); MPI = OriginalLoad->getPointerInfo().getWithOffset(PtrOff);
} else { } else {
// Unless the index is known to be valid, the extract may be poison. Emit a
// mask to ensure the index is valid such cases, so no new out-of-bound loads
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

-    // mask to ensure the index is valid such cases, so no new out-of-bound loads
-    // are introduced.
+    // mask to ensure the index is valid such cases, so no new out-of-bound
+    // loads are introduced.
Lint: Pre-merge checks: clang-format: please reformat the code ``` - // mask to ensure the index is valid such cases…
// are introduced.
KnownBits EltNoBits = DAG.computeKnownBits(EltNo);
unsigned NumElts = InVecVT.getVectorElementCount().getKnownMinValue();
RKSimonUnsubmitted
Not Done
ReplyInline Actions

Is there any chance of NumElts not being a pow2 here?

RKSimon: Is there any chance of NumElts not being a pow2 here?
efriedmaUnsubmitted
Not Done
ReplyInline Actions

I can't think of anything that would enforce it being a power of two. The usage of getKnownMinValue() here is also wrong: for a scalable vector, we need to clamp the index relative to the actual number of lanes at runtime, not the minimum number of lanes.

TargetLowering::getVectorElementPointer() has all the logic to do this correctly; can we use it here?

efriedma: I can't think of anything that would enforce it being a power of two. The usage of…
fhahnAuthorUnsubmitted
Done
ReplyInline Actions

Yes, it looks like we can still have non-power-of-2 vectors here. We bail out earlier for scalable vectors.

I adjusted the code to use TargetLowering::getVectorElementPointer() as suggested by Eli! Seems like a great way to simplify the existing logic which I was not aware of, thanks!

fhahn: Yes, it looks like we can still have non-power-of-2 vectors here. We bail out earlier for…
if (!EltNoBits.getMaxValue().ult(NumElts))
EltNo = DAG.getNode(ISD::AND, DL, EltNo.getValueType(), EltNo,
DAG.getConstant((1 << Log2_64(NumElts)) - 1, DL,
EltNo.getValueType()));
Offset = DAG.getZExtOrTrunc(EltNo, DL, PtrType); Offset = DAG.getZExtOrTrunc(EltNo, DL, PtrType);
Offset = DAG.getNode( Offset = DAG.getNode(
ISD::MUL, DL, PtrType, Offset, ISD::MUL, DL, PtrType, Offset,
DAG.getConstant(VecEltVT.getStoreSize(), DL, PtrType)); DAG.getConstant(VecEltVT.getStoreSize(), DL, PtrType));
// Discard the pointer info except the address space because the memory // Discard the pointer info except the address space because the memory
// operand can't represent this new access since the offset is variable. // operand can't represent this new access since the offset is variable.
MPI = MachinePointerInfo(OriginalLoad->getPointerInfo().getAddrSpace()); MPI = MachinePointerInfo(OriginalLoad->getPointerInfo().getAddrSpace());
} }
▲ Show 20 LinesShow All 4,727 LinesShow Last 20 Lines

llvm/test/CodeGen/AArch64/arm64-indexed-vector-ldst.ll

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 6,366 Lines▼ Show 20 Lines
; ;
%lv = load <8 x i16>, <8 x i16>* %A %lv = load <8 x i16>, <8 x i16>* %A
%e = extractelement <8 x i16> %lv, i32 %idx %e = extractelement <8 x i16> %lv, i32 %idx
ret i16 %e ret i16 %e
} }
define i32 @load_single_extract_variable_index_i32(<4 x i32>* %A, i32 %idx) { define i32 @load_single_extract_variable_index_i32(<4 x i32>* %A, i32 %idx) {
; CHECK-LABEL: load_single_extract_variable_index_i32 ; CHECK-LABEL: load_single_extract_variable_index_i32
; CHECK: ldr w0, [x0, w1, sxtw #2] ; CHECK: and [[IDX:.*]], x1, #0x3
; CHECK-NEXT: ldr w0, [x0, [[IDX]], lsl #2]
; CHECK-NEXT: ret ; CHECK-NEXT: ret
; ;
%lv = load <4 x i32>, <4 x i32>* %A %lv = load <4 x i32>, <4 x i32>* %A
%e = extractelement <4 x i32> %lv, i32 %idx %e = extractelement <4 x i32> %lv, i32 %idx
ret i32 %e ret i32 %e
} }
define i32 @load_single_extract_variable_index_masked_i32(<4 x i32>* %A, i32 %idx) { define i32 @load_single_extract_variable_index_masked_i32(<4 x i32>* %A, i32 %idx) {
Show All 22 Lines

llvm/test/CodeGen/SystemZ/vec-extract-02.ll

; Verify ReplaceExtractVectorEltOfLoadWithNarrowedLoad fixes ; Verify ReplaceExtractVectorEltOfLoadWithNarrowedLoad fixes
; ;
; RUN: llc < %s -mtriple=s390x-linux-gnu -mcpu=z13 | FileCheck %s ; RUN: llc < %s -mtriple=s390x-linux-gnu -mcpu=z13 | FileCheck %s
; Test a case where a vector extraction can be simplified to a scalar load. ; Test a case where a vector extraction can be simplified to a scalar load.
; The index must be extended from i32 to i64. ; The index must be extended from i32 to i64.
define i32 @f1(<4 x i32> *%ptr, i32 %index) { define i32 @f1(<4 x i32> *%ptr, i32 %index) {
; CHECK-LABEL: f1: ; CHECK-LABEL: f1:
; CHECK: risbgn {{%r[0-5]}}, %r3, 30, 189, 2 ; CHECK: risbgn {{%r[0-5]}}, %r3, 60, 189, 2
; CHECK: l %r2, ; CHECK: l %r2,
; CHECK: br %r14 ; CHECK: br %r14
%vec = load <4 x i32>, <4 x i32> *%ptr %vec = load <4 x i32>, <4 x i32> *%ptr
%res = extractelement <4 x i32> %vec, i32 %index %res = extractelement <4 x i32> %vec, i32 %index
ret i32 %res ret i32 %res
} }

llvm/test/CodeGen/X86/vecloadextract.ll

Show All 13 Lines
define i32 @const_index(<8 x i32>* %v) { define i32 @const_index(<8 x i32>* %v) {
%a = load <8 x i32>, <8 x i32>* %v %a = load <8 x i32>, <8 x i32>* %v
%b = extractelement <8 x i32> %a, i32 1 %b = extractelement <8 x i32> %a, i32 1
ret i32 %b ret i32 %b
} }
; CHECK: name: variable_index ; CHECK: name: variable_index
; CHECK: bb.0 (%ir-block.0): ; CHECK: bb.0 (%ir-block.0):
; CHECK: [[INDEX:%[0-9]+]]:gr32_nosp = MOV32rm %fixed-stack.0, 1, $noreg, 0, $noreg :: (load 4 from %fixed-stack.0)
; CHECK: [[POINTER:%[0-9]+]]:gr32 = MOV32rm %fixed-stack.1, 1, $noreg, 0, $noreg :: (load 4 from %fixed-stack.1) ; CHECK: [[POINTER:%[0-9]+]]:gr32 = MOV32rm %fixed-stack.1, 1, $noreg, 0, $noreg :: (load 4 from %fixed-stack.1)
; CHECK: [[LOAD:%[0-9]+]]:gr32 = MOV32rm killed [[POINTER]], 4, killed [[INDEX]], 0, $noreg :: (load 4) ; CHECK: [[INDEX:%[0-9]+]]:gr32 = MOV32rm %fixed-stack.0, 1, $noreg, 0, $noreg :: (load 4 from %fixed-stack.0)
; CHECK: [[MASKED_INDEX:%[0-9]+]]:gr32_nosp = AND32ri8 [[INDEX]], 7, implicit-def dead $eflags
; CHECK: [[LOAD:%[0-9]+]]:gr32 = MOV32rm killed [[POINTER]], 4, killed [[MASKED_INDEX]], 0, $noreg :: (load 4)
; CHECK: $eax = COPY [[LOAD]] ; CHECK: $eax = COPY [[LOAD]]
; CHECK: RET 0, $eax ; CHECK: RET 0, $eax
define i32 @variable_index(<8 x i32>* %v, i32 %i) { define i32 @variable_index(<8 x i32>* %v, i32 %i) {
%a = load <8 x i32>, <8 x i32>* %v %a = load <8 x i32>, <8 x i32>* %v
%b = extractelement <8 x i32> %a, i32 %i %b = extractelement <8 x i32> %a, i32 %i
ret i32 %b ret i32 %b
} }
; CHECK: name: variable_index_with_addrspace ; CHECK: name: variable_index_with_addrspace
; CHECK: bb.0 (%ir-block.0): ; CHECK: bb.0 (%ir-block.0):
; CHECK: [[INDEX:%[0-9]+]]:gr32_nosp = MOV32rm %fixed-stack.0, 1, $noreg, 0, $noreg :: (load 4 from %fixed-stack.0)
; CHECK: [[POINTER:%[0-9]+]]:gr32 = MOV32rm %fixed-stack.1, 1, $noreg, 0, $noreg :: (load 4 from %fixed-stack.1) ; CHECK: [[POINTER:%[0-9]+]]:gr32 = MOV32rm %fixed-stack.1, 1, $noreg, 0, $noreg :: (load 4 from %fixed-stack.1)
; CHECK: [[LOAD:%[0-9]+]]:gr32 = MOV32rm killed [[POINTER]], 4, killed [[INDEX]], 0, $noreg :: (load 4, addrspace 1) ; CHECK: [[INDEX:%[0-9]+]]:gr32 = MOV32rm %fixed-stack.0, 1, $noreg, 0, $noreg :: (load 4 from %fixed-stack.0)
; CHECK: [[MASKED_INDEX:%[0-9]+]]:gr32_nosp = AND32ri8 [[INDEX]], 7, implicit-def dead $eflags
; CHECK: [[LOAD:%[0-9]+]]:gr32 = MOV32rm killed [[POINTER]], 4, killed [[MASKED_INDEX]], 0, $noreg :: (load 4, addrspace 1)
; CHECK: $eax = COPY [[LOAD]] ; CHECK: $eax = COPY [[LOAD]]
; CHECK: RET 0, $eax ; CHECK: RET 0, $eax
define i32 @variable_index_with_addrspace(<8 x i32> addrspace(1)* %v, i32 %i) { define i32 @variable_index_with_addrspace(<8 x i32> addrspace(1)* %v, i32 %i) {
%a = load <8 x i32>, <8 x i32> addrspace(1)* %v %a = load <8 x i32>, <8 x i32> addrspace(1)* %v
%b = extractelement <8 x i32> %a, i32 %i %b = extractelement <8 x i32> %a, i32 %i
ret i32 %b ret i32 %b
} }