This is an archive of the discontinued LLVM Phabricator instance.

Differential D104063

[SimplifyCFG] avoid crash on degenerate loop
ClosedPublic

Authored by spatel on Jun 10 2021, 2:30 PM.

Details

Reviewers
lebedev.ri
reames
RKSimon
Commits
rG602ab248335e: [SimplifyCFG] avoid crash on degenerate loop
Summary

I'm not sure how to describe the code pattern in the test based on:
https://llvm.org/PR50638
...but if the IfCond is itself the phi that we are trying to remove, then the loop at line 2835 can end up with something like:

%cmp = select i1 %cmp, i1 false, i1 true

And that can then lead to an assert somewhere else (although I'm still not seeing that locally in my release + asserts build). I think this can only happen with unreachable code.

Diff Detail

Event Timeline

spatel created this revision.Jun 10 2021, 2:30 PM
Herald added subscribers: hiraditya, mcrosier. · View Herald TranscriptJun 10 2021, 2:30 PM
spatel requested review of this revision.Jun 10 2021, 2:30 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 10 2021, 2:30 PM
lebedev.ri added a comment.Jun 10 2021, 2:49 PM

And what happens when there's more than one PHI node in the block?
I think the extra missing check is !isa<Instruction>(IfCond) || cast<Instruction>(IfCond)->getParent() != BB.

lebedev.ri added inline comments.Jun 10 2021, 2:53 PM
llvm/lib/Transforms/Utils/SimplifyCFG.cpp
2710

(1) If you change IfCond's type to AssertingVH<Value> ...

2843

(3) ... so here on the second loop iteration IfCond is use-after-free.

2846

(2) ... the backtrace will tell you that the handle goes bad here ...

lebedev.ri added a comment.Jun 10 2021, 3:06 PM
In D104063#2811595, @lebedev.ri wrote:

And what happens when there's more than one PHI node in the block?
I think the extra missing check is !isa<Instruction>(IfCond) || cast<Instruction>(IfCond)->getParent() != BB.

And thinking about it more, this should even be PHINode, not Instruction.

Harbormaster completed remote builds in B108692: Diff 351260.Jun 10 2021, 3:30 PM
spatel added a comment.Jun 11 2021, 5:07 AM
In D104063#2811595, @lebedev.ri wrote:

And what happens when there's more than one PHI node in the block?

If I'm seeing the code correctly, we can't get into trouble on anything other than the pattern in the test. That's because we limit the transform to a block with at most 2 phis (line 2723). If the problematic phi was 2nd, we'd escape without trying to touch the freed instruction.

But it's a valid concern (the assumption of 2 phis could change some day), so I agree, we should do better...

I think the extra missing check is !isa<Instruction>(IfCond) || cast<Instruction>(IfCond)->getParent() != BB.

But this won't work unless I've misunderstood the suggestion - the condition could be a function argument. Here's the first failing test that I found with that check:

define i32 @FoldTwoEntryPHINode(i1 %C, i32 %V1, i32 %V2, i16 %V3) {
entry:
        br i1 %C, label %then, label %else, !prof !0, !unpredictable !1
then:
        %V4 = or i32 %V2, %V1
        br label %Cont
else:
        %V5 = sext i16 %V3 to i32
        br label %Cont
Cont:
        %V6 = phi i32 [ %V5, %else ], [ %V4, %then ]
        call i32 @FoldTwoEntryPHINode( i1 false, i32 0, i32 0, i16 0 )
        ret i32 %V1
}

We still want that to fold to:

; CHECK-LABEL: @FoldTwoEntryPHINode(
; CHECK-NEXT:  entry:
; CHECK-NEXT:  %V5 = sext i16 %V3 to i32
; CHECK-NEXT:  %V4 = or i32 %V2, %V1
; CHECK-NEXT:  %V6 = select i1 %C, i32 %V4, i32 %V5, !prof !0, !unpredictable !1
; CHECK-NEXT:  %0 = call i32 @FoldTwoEntryPHINode(i1 false, i32 0, i32 0, i16 0)
; CHECK-NEXT:  ret i32 %V1
spatel updated this revision to Diff 351413.Jun 11 2021, 5:14 AM
Patch updated:

Make the bailout more general and try to explain the problem pattern in a code comment.
lebedev.ri accepted this revision.Jun 11 2021, 5:18 AM


In D104063#2813104, @spatel wrote:


Patch updated:

Make the bailout more general and try to explain the problem pattern in a code comment.





Thanks, that's precisely what i meant.

Thanks.
llvm/lib/Transforms/Utils/SimplifyCFG.cpp


2718
I think we only need to care about PHI nodes
This revision is now accepted and ready to land.Jun 11 2021, 5:18 AM
Harbormaster completed remote builds in B108787: Diff 351413.Jun 11 2021, 5:50 AM
spatel marked an inline comment as done.Jun 11 2021, 5:56 AM
spatel added inline comments.
llvm/lib/Transforms/Utils/SimplifyCFG.cpp


2718
Sounds good - I'll change that on final commit.
Closed by commit rG602ab248335e: [SimplifyCFG] avoid crash on degenerate loop (authored by spatel).  ·  Explain WhyJun 11 2021, 6:44 AM
This revision was automatically updated to reflect the committed changes.
spatel marked an inline comment as done.
spatel added a commit: rG602ab248335e: [SimplifyCFG] avoid crash on degenerate loop.
Revision Contents
PathSize
llvm/
lib/
Transforms/
Utils/
2 lines
test/
Transforms/
SimplifyCFG/
29 lines
Diff 351260
llvm/lib/Transforms/Utils/SimplifyCFG.cpp
  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 2,701 Lines▼ Show 20 Linesstatic bool FoldTwoEntryPHINode(PHINode *PN, const TargetTransformInfo &TTI,

  // statement", which has a very simple dominance structure.  Basically, we
  // statement", which has a very simple dominance structure.  Basically, we

  // are trying to find the condition that is being branched on, which
  // are trying to find the condition that is being branched on, which

  // subsequently causes this merge to happen.  We really want control
  // subsequently causes this merge to happen.  We really want control

  // dependence information for this check, but simplifycfg can't keep it up
  // dependence information for this check, but simplifycfg can't keep it up

  // to date, and this catches most of the cases we care about anyway.
  // to date, and this catches most of the cases we care about anyway.

  BasicBlock *BB = PN->getParent();
  BasicBlock *BB = PN->getParent();




  BasicBlock *IfTrue, *IfFalse;
  BasicBlock *IfTrue, *IfFalse;

  Value *IfCond = GetIfCondition(BB, IfTrue, IfFalse);
  Value *IfCond = GetIfCondition(BB, IfTrue, IfFalse);

lebedev.riUnsubmitted
Not Done
ReplyInline Actions
(1) If you change IfCond's type to AssertingVH<Value> ...
lebedev.ri: (1) If you change `IfCond`'s type to `AssertingVH<Value>` ...
  if (!IfCond ||
  if (!IfCond ||

      // Don't bother if the branch will be constant folded trivially.
      // Don't bother if the branch will be constant folded trivially.

      isa<ConstantInt>(IfCond))
      isa<ConstantInt>(IfCond) || IfCond == PN)

    return false;
    return false;




  // Okay, we found that we can merge this two-entry phi node into a select.
  // Okay, we found that we can merge this two-entry phi node into a select.

  // Doing so would require us to fold *all* two entry phi nodes in this block.
  // Doing so would require us to fold *all* two entry phi nodes in this block.

  // At some point this becomes non-profitable (particularly if the target
  // At some point this becomes non-profitable (particularly if the target

lebedev.riUnsubmitted
Done
ReplyInline Actions
I think we only need to care about PHI nodes
lebedev.ri: I think we only need to care about PHI nodes
spatelAuthorUnsubmitted
Done
ReplyInline Actions
Sounds good - I'll change that on final commit.
spatel: Sounds good - I'll change that on final commit.
  // doesn't support cmov's).  Only do this transformation if there are two or
  // doesn't support cmov's).  Only do this transformation if there are two or

  // fewer PHI nodes in this block.
  // fewer PHI nodes in this block.

  unsigned NumPhis = 0;
  unsigned NumPhis = 0;

  for (BasicBlock::iterator I = BB->begin(); isa<PHINode>(I); ++NumPhis, ++I)
  for (BasicBlock::iterator I = BB->begin(); isa<PHINode>(I); ++NumPhis, ++I)

    if (NumPhis > 2)
    if (NumPhis > 2)

      return false;
      return false;




  // Loop over the PHI's seeing if we can promote them all to select
  // Loop over the PHI's seeing if we can promote them all to select

▲ Show 20 LinesShow All 108 Lines▼ Show 20 Linesstatic bool FoldTwoEntryPHINode(PHINode *PN, const TargetTransformInfo &TTI,

  while (PHINode *PN = dyn_cast<PHINode>(BB->begin())) {
  while (PHINode *PN = dyn_cast<PHINode>(BB->begin())) {

    if (isa<FPMathOperator>(PN))
    if (isa<FPMathOperator>(PN))

      Builder.setFastMathFlags(PN->getFastMathFlags());
      Builder.setFastMathFlags(PN->getFastMathFlags());




    // Change the PHI node into a select instruction.
    // Change the PHI node into a select instruction.

    Value *TrueVal = PN->getIncomingValue(PN->getIncomingBlock(0) == IfFalse);
    Value *TrueVal = PN->getIncomingValue(PN->getIncomingBlock(0) == IfFalse);

    Value *FalseVal = PN->getIncomingValue(PN->getIncomingBlock(0) == IfTrue);
    Value *FalseVal = PN->getIncomingValue(PN->getIncomingBlock(0) == IfTrue);




    Value *Sel = Builder.CreateSelect(IfCond, TrueVal, FalseVal, "", InsertPt);
    Value *Sel = Builder.CreateSelect(IfCond, TrueVal, FalseVal, "", InsertPt);

lebedev.riUnsubmitted
Not Done
ReplyInline Actions
(3) ... so here on the second loop iteration IfCond is use-after-free.
lebedev.ri: (3) ... so here on the second loop iteration `IfCond` is use-after-free.
    PN->replaceAllUsesWith(Sel);
    PN->replaceAllUsesWith(Sel);

    Sel->takeName(PN);
    Sel->takeName(PN);

    PN->eraseFromParent();
    PN->eraseFromParent();

lebedev.riUnsubmitted
Not Done
ReplyInline Actions
(2) ... the backtrace will tell you that the handle goes bad here ...
lebedev.ri: (2) ... the backtrace will tell you that the handle goes bad here ...
  }
  }




  // At this point, IfBlock1 and IfBlock2 are both empty, so our if statement
  // At this point, IfBlock1 and IfBlock2 are both empty, so our if statement

  // has been flattened.  Change DomBlock to jump directly to our new block to
  // has been flattened.  Change DomBlock to jump directly to our new block to

  // avoid other simplifycfg's kicking in on the diamond.
  // avoid other simplifycfg's kicking in on the diamond.

  Instruction *OldTI = DomBlock->getTerminator();
  Instruction *OldTI = DomBlock->getTerminator();

  Builder.SetInsertPoint(OldTI);
  Builder.SetInsertPoint(OldTI);

  Builder.CreateBr(BB);
  Builder.CreateBr(BB);

▲ Show 20 LinesShow All 3,953 LinesShow Last 20 Lines
llvm/test/Transforms/SimplifyCFG/two-entry-phi-return.ll
Show All 17 Linesbb:

  br label %UnifiedReturnBlock
  br label %UnifiedReturnBlock




UnifiedReturnBlock:
UnifiedReturnBlock:

  %result = phi i1 [ 0, %entry ], [ %t15, %bb ]
  %result = phi i1 [ 0, %entry ], [ %t15, %bb ]

  ret i1 %result
  ret i1 %result




}
}




@a = external dso_local global i32, align 4



define i32 @PR50638() {

; CHECK-LABEL: @PR50638(

; CHECK-NEXT:  entry:

; CHECK-NEXT:    store i32 0, i32* @a, align 4

; CHECK-NEXT:    ret i32 0

;

entry:

  store i32 0, i32* @a, align 4

  br label %pre.for



pre.for:

  %tobool.not = phi i1 [ false, %for ], [ true, %entry ]

  br i1 %tobool.not, label %end, label %for



for:

  %cmp = phi i1 [ true, %pre.for ], [ false, %post.for ]

  %storemerge = phi i32 [ 0, %pre.for ], [ 1, %post.for ]

  store i32 %storemerge, i32* @a, align 4

  br i1 %cmp, label %post.for, label %pre.for



post.for:

  br label %for



end:

  ret i32 0

}



!0 = !{!"branch_weights", i32 4, i32 64}
!0 = !{!"branch_weights", i32 4, i32 64}