This is an archive of the discontinued LLVM Phabricator instance.

Differential D103867

[CHR] Don't run ControlHeightReduction if any BB has address taken
ClosedPublic

Authored by lxfind on Jun 7 2021, 10:16 PM.

Details

Reviewers
aeubanks
hjyamauchi
wenlei
hoy
Commits
rGfae7debadcea: [CHR] Don't run ControlHeightReduction if any BB has address taken
Summary

This patch is to address https://bugs.llvm.org/show_bug.cgi?id=50610.
In computed goto pattern, there are usually a list of basic blocks that are all targets of indirectbr instruction, and each basic block also has address taken and stored in a variable.
CHR pass could potentially clone these basic blocks, which would generate a cloned version of the indirectbr and clonved version of all basic blocks in the list.
However these basic blocks will not have their addresses taken and stored anywhere. So latter SimplifyCFG pass will simply remove all tehse cloned basic blocks, resulting in incorrect code.
To fix this, when searching for scopes, we skip scopes that contains BBs with addresses taken.
Added a few test cases.

Diff Detail

Event Timeline

lxfind created this revision.Jun 7 2021, 10:16 PM
Herald added subscribers: hoy, modimo, wenlei, hiraditya. · View Herald TranscriptJun 7 2021, 10:16 PM
lxfind requested review of this revision.Jun 7 2021, 10:16 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 7 2021, 10:16 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
lxfind added reviewers: hjyamauchi, wenlei.Jun 7 2021, 10:17 PM
lxfind edited the summary of this revision. (Show Details)Jun 7 2021, 10:26 PM
Harbormaster completed remote builds in B108130: Diff 350491.Jun 7 2021, 11:02 PM
aeubanks added a comment.Jun 8 2021, 3:10 PM

do all passes that clone BBs have to worry about this?

as for a test, can you take an existing CHR test and take the address of a block, then make sure that CHR doesn't trigger?

lxfind added a comment.Jun 8 2021, 3:34 PM
In D103867#2806612, @aeubanks wrote:

do all passes that clone BBs have to worry about this?

I think so, as long as the cloned BB is in the same module as the original one, we need to worry about this (there are legit cloning in some tools such as llvm-extract, llvm-reduce..)

lxfind updated this revision to Diff 350750.Jun 8 2021, 5:46 PM

Add test case

Harbormaster completed remote builds in B108313: Diff 350750.Jun 8 2021, 6:24 PM
lxfind updated this revision to Diff 350776.Jun 8 2021, 10:01 PM

Only skip regions that contain BBs with address taken

lxfind updated this revision to Diff 350777.Jun 8 2021, 10:02 PM

more test

Harbormaster completed remote builds in B108334: Diff 350777.Jun 8 2021, 10:39 PM
aeubanks accepted this revision.Jun 11 2021, 11:53 AM

lgtm

This revision is now accepted and ready to land.Jun 11 2021, 11:53 AM
hoy accepted this revision.Jun 11 2021, 12:17 PM
In D103867#2806612, @aeubanks wrote:

do all passes that clone BBs have to worry about this?

I think so. We've seen a similar case in inlining where an address-taken block was inlined. The inlining should be disabled as well.

LGTM, thanks for the fix.

hoy added a comment.Jun 11 2021, 12:19 PM

Nit: adjust the summary for the part of testing and the disabling logic.

wenlei accepted this revision.Jun 11 2021, 4:33 PM

LGTM.

In D103867#2814096, @hoy wrote:
In D103867#2806612, @aeubanks wrote:

do all passes that clone BBs have to worry about this?

I think so. We've seen a similar case in inlining where an address-taken block was inlined. The inlining should be disabled as well.

Poking around it looks like this should be handled for inlining, not sure why the previous case we ran into wasn't covered by that code below from CallAnalyzer::analyze()

// Disallow inlining a blockaddress with uses other than strictly callbr.
// A blockaddress only has defined behavior for an indirect branch in the
// same function, and we do not currently support inlining indirect
// branches.  But, the inliner may not see an indirect branch that ends up
// being dead code at a particular call site. If the blockaddress escapes
// the function, e.g., via a global variable, inlining may lead to an
// invalid cross-function reference.
// FIXME: pr/39560: continue relaxing this overt restriction.
if (BB->hasAddressTaken())
  for (User *U : BlockAddress::get(&*BB)->users())
    if (!isa<CallBrInst>(*U))
      return InlineResult::failure("blockaddress used outside of callbr");

LGTM, thanks for the fix.

lxfind added a comment.Jun 11 2021, 5:20 PM

Poking around it looks like this should be handled for inlining, not sure why the previous case we ran into wasn't covered by that code below from CallAnalyzer::analyze()

// Disallow inlining a blockaddress with uses other than strictly callbr.
// A blockaddress only has defined behavior for an indirect branch in the
// same function, and we do not currently support inlining indirect
// branches.  But, the inliner may not see an indirect branch that ends up
// being dead code at a particular call site. If the blockaddress escapes
// the function, e.g., via a global variable, inlining may lead to an
// invalid cross-function reference.
// FIXME: pr/39560: continue relaxing this overt restriction.
if (BB->hasAddressTaken())
  for (User *U : BlockAddress::get(&*BB)->users())
    if (!isa<CallBrInst>(*U))
      return InlineResult::failure("blockaddress used outside of callbr");

LGTM, thanks for the fix.

I think because that code is only checking for CallBrInst users. But in a computed goto pattern, the addresses are usually just stored in a global variable.

wenlei added a comment.Jun 11 2021, 8:04 PM
In D103867#2814684, @lxfind wrote:

Poking around it looks like this should be handled for inlining, not sure why the previous case we ran into wasn't covered by that code below from CallAnalyzer::analyze()

// Disallow inlining a blockaddress with uses other than strictly callbr.
// A blockaddress only has defined behavior for an indirect branch in the
// same function, and we do not currently support inlining indirect
// branches.  But, the inliner may not see an indirect branch that ends up
// being dead code at a particular call site. If the blockaddress escapes
// the function, e.g., via a global variable, inlining may lead to an
// invalid cross-function reference.
// FIXME: pr/39560: continue relaxing this overt restriction.
if (BB->hasAddressTaken())
  for (User *U : BlockAddress::get(&*BB)->users())
    if (!isa<CallBrInst>(*U))
      return InlineResult::failure("blockaddress used outside of callbr");

LGTM, thanks for the fix.

I think because that code is only checking for CallBrInst users. But in a computed goto pattern, the addresses are usually just stored in a global variable.

Taking address of a block and storing it in a jump table does not introduce a use in the IR, however, if we use indirect branch to access the jump table like computed goto, we do count the indirect branch as use of the address taken labels, which in turns blocks inlining. See https://godbolt.org/z/8jYxzq867 (If we comment out the check for disallowing all indirbranch, it would be caught by the check quoted above)..

lxfind edited the summary of this revision. (Show Details)Jun 12 2021, 10:28 AM
Closed by commit rGfae7debadcea: [CHR] Don't run ControlHeightReduction if any BB has address taken (authored by lxfind). · Explain WhyJun 12 2021, 10:30 AM
This revision was automatically updated to reflect the committed changes.
lxfind added a commit: rGfae7debadcea: [CHR] Don't run ControlHeightReduction if any BB has address taken.
hjyamauchi added a comment.Jun 14 2021, 9:53 AM

Late to this, but LGTM.

hoy added a comment.Jun 18 2021, 6:58 PM
In D103867#2814911, @wenlei wrote:
In D103867#2814684, @lxfind wrote:

Poking around it looks like this should be handled for inlining, not sure why the previous case we ran into wasn't covered by that code below from CallAnalyzer::analyze()

// Disallow inlining a blockaddress with uses other than strictly callbr.
// A blockaddress only has defined behavior for an indirect branch in the
// same function, and we do not currently support inlining indirect
// branches.  But, the inliner may not see an indirect branch that ends up
// being dead code at a particular call site. If the blockaddress escapes
// the function, e.g., via a global variable, inlining may lead to an
// invalid cross-function reference.
// FIXME: pr/39560: continue relaxing this overt restriction.
if (BB->hasAddressTaken())
  for (User *U : BlockAddress::get(&*BB)->users())
    if (!isa<CallBrInst>(*U))
      return InlineResult::failure("blockaddress used outside of callbr");

LGTM, thanks for the fix.

I think because that code is only checking for CallBrInst users. But in a computed goto pattern, the addresses are usually just stored in a global variable.

Taking address of a block and storing it in a jump table does not introduce a use in the IR, however, if we use indirect branch to access the jump table like computed goto, we do count the indirect branch as use of the address taken labels, which in turns blocks inlining. See https://godbolt.org/z/8jYxzq867 (If we comment out the check for disallowing all indirbranch, it would be caught by the check quoted above)..

The following example can be used to tell the difference between GCC and LLVM regarding inlining. GCC won't inline function foo into bar while clang will. I was thinking this can be fixed in LLVM by enforcing a noinline attribute to functions of which the code labels are used in a static variable initializer. Fixing in the inliner might be better.

char *g;
void go();
void   foo(char *p)
{
   static const void* array[] = {&&L};
L:
   if (p) {
   p--;
   go();
   goto L;
   }
   return;
}
void bar()
{
  foo(g);
}
wenlei added a comment.Jun 18 2021, 8:21 PM
In D103867#2828561, @hoy wrote:
In D103867#2814911, @wenlei wrote:
In D103867#2814684, @lxfind wrote:

Poking around it looks like this should be handled for inlining, not sure why the previous case we ran into wasn't covered by that code below from CallAnalyzer::analyze()

// Disallow inlining a blockaddress with uses other than strictly callbr.
// A blockaddress only has defined behavior for an indirect branch in the
// same function, and we do not currently support inlining indirect
// branches.  But, the inliner may not see an indirect branch that ends up
// being dead code at a particular call site. If the blockaddress escapes
// the function, e.g., via a global variable, inlining may lead to an
// invalid cross-function reference.
// FIXME: pr/39560: continue relaxing this overt restriction.
if (BB->hasAddressTaken())
  for (User *U : BlockAddress::get(&*BB)->users())
    if (!isa<CallBrInst>(*U))
      return InlineResult::failure("blockaddress used outside of callbr");

LGTM, thanks for the fix.

I think because that code is only checking for CallBrInst users. But in a computed goto pattern, the addresses are usually just stored in a global variable.

Taking address of a block and storing it in a jump table does not introduce a use in the IR, however, if we use indirect branch to access the jump table like computed goto, we do count the indirect branch as use of the address taken labels, which in turns blocks inlining. See https://godbolt.org/z/8jYxzq867 (If we comment out the check for disallowing all indirbranch, it would be caught by the check quoted above)..

The following example can be used to tell the difference between GCC and LLVM regarding inlining. GCC won't inline function foo into bar while clang will. I was thinking this can be fixed in LLVM by enforcing a noinline attribute to functions of which the code labels are used in a static variable initializer. Fixing in the inliner might be better.

char *g;
void go();
void   foo(char *p)
{
   static const void* array[] = {&&L};
L:
   if (p) {
   p--;
   go();
   goto L;
   }
   return;
}
void bar()
{
  foo(g);
}

Yeah, this case differentiates gcc and llvm, because there's no indir branch. Also since there's no indir branch through the jump table, the inlining isn't buggy. However, as soon as you add indir branch through the jump table, inlining would be blocked in llvm like the case from the godbolt link above. It looks to me that there's attempt/effort try to cover such cases to prevent bad inlining, perhaps it's not strong enough - we can pass jump table address to a callee of foo, then that callee calls the address though indirect branch, so from foo, we still don't see a indirect branch.. The more robust way of preventing such bad inlining is as you said, gate it on storing code label into a static/global variable.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
5 lines
test/
Transforms/
PGOProfile/
116 lines

Diff 350777

llvm/lib/Transforms/Instrumentation/ControlHeightReduction.cpp

Show First 20 LinesShow All 761 Lines▼ Show 20 LinesCHRScope * CHR::findScope(Region *R) {
// to this region). // to this region).
bool EntryInSubregion = RI.getRegionFor(Entry) != R; bool EntryInSubregion = RI.getRegionFor(Entry) != R;
if (EntryInSubregion) if (EntryInSubregion)
return nullptr; return nullptr;
// Exclude loops // Exclude loops
for (BasicBlock *Pred : predecessors(Entry)) for (BasicBlock *Pred : predecessors(Entry))
if (R->contains(Pred)) if (R->contains(Pred))
return nullptr; return nullptr;
// If any of the basic blocks have address taken, we must skip this region
// because we cannot clone basic blocks that have address taken.
for (BasicBlock *BB : R->blocks())
if (BB->hasAddressTaken())
return nullptr;
if (Exit) { if (Exit) {
// Try to find an if-then block (check if R is an if-then). // Try to find an if-then block (check if R is an if-then).
// if (cond) { // if (cond) {
// ... // ...
// } // }
auto *BI = dyn_cast<BranchInst>(Entry->getTerminator()); auto *BI = dyn_cast<BranchInst>(Entry->getTerminator());
if (BI) if (BI)
CHR_DEBUG(dbgs() << "BI.isConditional " << BI->isConditional() << "\n"); CHR_DEBUG(dbgs() << "BI.isConditional " << BI->isConditional() << "\n");
▲ Show 20 LinesShow All 1,325 LinesShow Last 20 Lines

llvm/test/Transforms/PGOProfile/chr.ll

Show First 20 LinesShow All 2,521 Lines▼ Show 20 Lines
bb2: bb2:
call void @foo() call void @foo()
br label %bb3 br label %bb3
bb3: bb3:
ret void ret void
} }
; Test that chr will skip this function when addresses are taken on basic blocks.
@gototable1 = weak_odr dso_local local_unnamed_addr constant [2 x i8*] [i8* blockaddress(@test_chr_with_bbs_address_taken1, %bb3), i8* blockaddress(@test_chr_with_bbs_address_taken1, %bb3)]
define void @test_chr_with_bbs_address_taken1(i32* %i) !prof !14 {
; CHECK-LABEL: @test_chr_with_bbs_address_taken1(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[TMP0:%.*]] = load i32, i32* [[I:%.*]], align 4
; CHECK-NEXT: [[TMP1:%.*]] = and i32 [[TMP0]], 1
; CHECK-NEXT: [[TMP2:%.*]] = icmp eq i32 [[TMP1]], 0
; CHECK-NEXT: br i1 [[TMP2]], label [[BB1:%.*]], label [[BB0:%.*]], !prof [[PROF16]]
; CHECK: bb0:
; CHECK-NEXT: call void @foo()
; CHECK-NEXT: br label [[BB1]]
; CHECK: bb1:
; CHECK-NEXT: [[TMP3:%.*]] = and i32 [[TMP0]], 2
; CHECK-NEXT: [[TMP4:%.*]] = icmp eq i32 [[TMP3]], 0
; CHECK-NEXT: br i1 [[TMP4]], label [[BB4:%.*]], label [[BB2:%.*]], !prof [[PROF16]]
; CHECK: bb2:
; CHECK-NEXT: call void @foo()
; CHECK-NEXT: br label [[BB4]]
; CHECK: bb4:
; CHECK-NEXT: ret void
;
entry:
%0 = load i32, i32* %i
%1 = and i32 %0, 1
%2 = icmp eq i32 %1, 0
br i1 %2, label %bb1, label %bb0, !prof !15
bb0:
call void @foo()
br label %bb1
bb1:
%3 = and i32 %0, 2
%4 = icmp eq i32 %3, 0
br i1 %4, label %bb4, label %bb2, !prof !15
bb2:
call void @foo()
%pc = bitcast i32* %i to i8*
indirectbr i8* %pc, [label %bb3, label %bb3]
bb3:
br label %bb4
bb4:
ret void
}
; Test that chr will still optimize the first 2 regions,
; but will skip the last one due to basic blocks have address taken.
@gototable2 = weak_odr dso_local local_unnamed_addr constant [2 x i8*] [i8* blockaddress(@test_chr_with_bbs_address_taken2, %bb5), i8* blockaddress(@test_chr_with_bbs_address_taken2, %bb5)]
define void @test_chr_with_bbs_address_taken2(i32* %i) !prof !14 {
; CHECK-LABEL: @test_chr_with_bbs_address_taken2(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[TMP0:%.*]] = load i32, i32* [[I:%.*]], align 4
; CHECK-NEXT: [[TMP1:%.*]] = and i32 [[TMP0]], 3
; CHECK-NEXT: [[TMP2:%.*]] = icmp eq i32 [[TMP1]], 3
; CHECK-NEXT: br i1 [[TMP2]], label [[BB0:%.*]], label [[ENTRY_SPLIT_NONCHR:%.*]], !prof [[PROF15]]
; CHECK: bb0:
; CHECK-NEXT: call void @foo()
; CHECK-NEXT: call void @foo()
; CHECK-NEXT: br label [[BB3:%.*]]
; CHECK: entry.split.nonchr:
; CHECK-NEXT: [[TMP3:%.*]] = and i32 [[TMP0]], 1
; CHECK-NEXT: [[DOTNOT:%.*]] = icmp eq i32 [[TMP3]], 0
; CHECK-NEXT: br i1 [[DOTNOT]], label [[BB1_NONCHR:%.*]], label [[BB0_NONCHR:%.*]], !prof [[PROF16]]
; CHECK: bb0.nonchr:
; CHECK-NEXT: call void @foo()
; CHECK-NEXT: br label [[BB1_NONCHR]]
; CHECK: bb1.nonchr:
; CHECK-NEXT: [[TMP4:%.*]] = and i32 [[TMP0]], 2
; CHECK-NEXT: [[TMP5:%.*]] = icmp eq i32 [[TMP4]], 0
; CHECK-NEXT: br i1 [[TMP5]], label [[BB3]], label [[BB2_NONCHR:%.*]], !prof [[PROF16]]
; CHECK: bb2.nonchr:
; CHECK-NEXT: call void @foo()
; CHECK-NEXT: br label [[BB3]]
; CHECK: bb3:
; CHECK-NEXT: ret void
;
entry:
%0 = load i32, i32* %i
%1 = and i32 %0, 1
%2 = icmp eq i32 %1, 0
br i1 %2, label %bb1, label %bb0, !prof !15
bb0:
call void @foo()
br label %bb1
bb1:
%3 = and i32 %0, 2
%4 = icmp eq i32 %3, 0
br i1 %4, label %bb3, label %bb2, !prof !15
bb2:
call void @foo()
br label %bb3
bb3:
%5 = and i32 %0, 2
%6 = icmp eq i32 %5, 0
br i1 %6, label %bb6, label %bb4, !prof !15
bb4:
%pc = bitcast i32* %i to i8*
indirectbr i8* %pc, [label %bb5, label %bb5]
bb5:
br label %bb6
bb6:
ret void
}
!llvm.module.flags = !{!0} !llvm.module.flags = !{!0}
!0 = !{i32 1, !"ProfileSummary", !1} !0 = !{i32 1, !"ProfileSummary", !1}
!1 = !{!2, !3, !4, !5, !6, !7, !8, !9} !1 = !{!2, !3, !4, !5, !6, !7, !8, !9}
!2 = !{!"ProfileFormat", !"InstrProf"} !2 = !{!"ProfileFormat", !"InstrProf"}
!3 = !{!"TotalCount", i64 10000} !3 = !{!"TotalCount", i64 10000}
!4 = !{!"MaxCount", i64 10} !4 = !{!"MaxCount", i64 10}
!5 = !{!"MaxInternalCount", i64 1} !5 = !{!"MaxInternalCount", i64 1}
!6 = !{!"MaxFunctionCount", i64 1000} !6 = !{!"MaxFunctionCount", i64 1000}
Show All 16 Lines