This is an archive of the discontinued LLVM Phabricator instance.

Differential D105838

[GlobalOpt] Fix a miscompile when evaluating struct initializers.
ClosedPublic

Authored by jroelofs on Jul 12 2021, 12:55 PM.

Details

Reviewers
rob.lougher
evgeny777
aeubanks
Commits
rGd14310306827: [GlobalOpt] Fix a miscompile when evaluating struct initializers.
Summary

The bug was that evaluateBitcastFromPtr attempts a narrowing to a struct's 0th element of a store that covers other elements. While this is okay on the load side, applying it to stores causes us to miss the writes to the additionally covered elements.

rdar://79503568

Diff Detail

Event Timeline

jroelofs created this revision.Jul 12 2021, 12:55 PM
Herald added a subscriber: hiraditya. · View Herald TranscriptJul 12 2021, 12:55 PM
jroelofs requested review of this revision.Jul 12 2021, 12:55 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 12 2021, 12:55 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
jroelofs mentioned this in D60793: [Evaluator] Walk initial elements when handling load through bitcast.Jul 12 2021, 12:56 PM
Harbormaster completed remote builds in B113573: Diff 358040.Jul 12 2021, 2:10 PM
arichardson added a subscriber: arichardson.Jul 12 2021, 3:01 PM
Gerolf added a subscriber: Gerolf.Jul 14 2021, 10:43 AM

This is straightforward. LGTM.

efriedma added a subscriber: efriedma.Jul 14 2021, 11:10 AM
efriedma added inline comments.
llvm/lib/Transforms/Utils/Evaluator.cpp
376

"proposed bitcast load" doesn't make sense. Do you mean to say "The conversion is illegal if the stored type is narrower than the type of the memory location"?

The code would probably be easier to understand if MutatedMemory was represented using a tuple of "(GlobalVariable, Offset, Size)", or something like that, instead of trying to do a delicate dance with ConstantExprs. But you don't need to do that rewrite here.

381

This is a weird way to write Val->getType().

aeubanks added inline comments.Jul 14 2021, 11:12 AM
llvm/lib/Transforms/Utils/Evaluator.cpp
180

ConstantLoad?

374–384

Can you make this uppercase?

llvm/test/Transforms/GlobalOpt/store-struct-element.ll
3

is this necessary?

jroelofs added inline comments.Jul 14 2021, 11:41 AM
llvm/lib/Transforms/Utils/Evaluator.cpp
180

I thought renaming would help clarify what the callback is expected to do. Here in some sense it behaves kind of like a constexpr load would, returning a constant if it can evaluate a load from a constant pointer, and nullptr if it cannot.

376

For context, I meant "proposed bitcast load" in the sense that evaluateBitcastFromPtr making queries to its callback first for the whole struct, then for that struct's first element, etc. is a "proposal" with nullptr return being a rejection, and the evaluation of the callback itself being a sort of constexpr-through-a-bitcast. Agreed that the wording is strange; I'll reword.

The code would probably be easier to understand...

I was thinking the same, but wanted to keep the fix simple.

jroelofs updated this revision to Diff 358697.Jul 14 2021, 12:26 PM

review feedback

jroelofs marked 4 inline comments as done.Jul 14 2021, 12:29 PM
jroelofs added inline comments.
llvm/lib/Transforms/Utils/Evaluator.cpp
180

Just noticed you meant the comment needed updating after renaming it TryLoad.

jroelofs updated this revision to Diff 358698.Jul 14 2021, 12:30 PM

clang-format

Harbormaster completed remote builds in B114057: Diff 358698.Jul 14 2021, 1:36 PM
aeubanks accepted this revision.Jul 14 2021, 2:29 PM

lgtm

This revision is now accepted and ready to land.Jul 14 2021, 2:29 PM
This revision was landed with ongoing or failed builds.Jul 14 2021, 3:45 PM
Closed by commit rGd14310306827: [GlobalOpt] Fix a miscompile when evaluating struct initializers. (authored by jroelofs). · Explain Why
This revision was automatically updated to reflect the committed changes.
jroelofs added a commit: rGd14310306827: [GlobalOpt] Fix a miscompile when evaluating struct initializers..
jroelofs added inline comments.Jul 14 2021, 6:49 PM
llvm/lib/Transforms/Utils/Evaluator.cpp
376

The code would probably be easier to understand if MutatedMemory was represented using a tuple of "(GlobalVariable, Offset, Size)", or something like that, instead of trying to do a delicate dance with ConstantExprs. But you don't need to do that rewrite here.

I'm beginning to think a representational change is *necessary* in order to fix all the issues here. Consider this, for example:

https://llvm.godbolt.org/z/4jhn9PGdW

Revision Contents

PathSize
llvm/
lib/
Transforms/
Utils/
36 lines
test/
Transforms/
GlobalOpt/
36 lines

Diff 358771

llvm/lib/Transforms/Utils/Evaluator.cpp

Show First 20 LinesShow All 168 Lines▼ Show 20 Lines if (CE->getOpcode() == Instruction::GetElementPtr &&
// external globals. // external globals.
return cast<GlobalVariable>(CE->getOperand(0))->hasUniqueInitializer(); return cast<GlobalVariable>(CE->getOperand(0))->hasUniqueInitializer();
} }
} }
return false; return false;
} }
/// Apply 'Func' to Ptr. If this returns nullptr, introspect the pointer's /// Apply \p TryLoad to Ptr. If this returns \p nullptr, introspect the
/// type and walk down through the initial elements to obtain additional /// pointer's type and walk down through the initial elements to obtain
/// pointers to try. Returns the first non-null return value from Func, or /// additional pointers to try. Returns the first non-null return value from
/// nullptr if the type can't be introspected further. /// \p TryLoad, or \p nullptr if the type can't be introspected further.
aeubanksUnsubmitted
Done
ReplyInline Actions

ConstantLoad?

aeubanks: ConstantLoad?
jroelofsAuthorUnsubmitted
Done
ReplyInline Actions

I thought renaming would help clarify what the callback is expected to do. Here in some sense it behaves kind of like a constexpr load would, returning a constant if it can evaluate a load from a constant pointer, and nullptr if it cannot.

jroelofs: I thought renaming would help clarify what the callback is expected to do. Here in some sense…
jroelofsAuthorUnsubmitted
Done
ReplyInline Actions

Just noticed you meant the comment needed updating after renaming it TryLoad.

jroelofs: Just noticed you meant the comment needed updating after renaming it `TryLoad`.
static Constant * static Constant *
evaluateBitcastFromPtr(Constant *Ptr, const DataLayout &DL, evaluateBitcastFromPtr(Constant *Ptr, const DataLayout &DL,
const TargetLibraryInfo *TLI, const TargetLibraryInfo *TLI,
std::function<Constant *(Constant *)> Func) { std::function<Constant *(Constant *)> TryLoad) {
Constant *Val; Constant *Val;
while (!(Val = Func(Ptr))) { while (!(Val = TryLoad(Ptr))) {
// If Ty is a non-opaque struct, we can convert the pointer to the struct // If Ty is a non-opaque struct, we can convert the pointer to the struct
// into a pointer to its first member. // into a pointer to its first member.
// FIXME: This could be extended to support arrays as well. // FIXME: This could be extended to support arrays as well.
Type *Ty = cast<PointerType>(Ptr->getType())->getElementType(); Type *Ty = cast<PointerType>(Ptr->getType())->getElementType();
if (!isa<StructType>(Ty) || cast<StructType>(Ty)->isOpaque()) if (!isa<StructType>(Ty) || cast<StructType>(Ty)->isOpaque())
break; break;
IntegerType *IdxTy = IntegerType::get(Ty->getContext(), 32); IntegerType *IdxTy = IntegerType::get(Ty->getContext(), 32);
Show All 11 Linesstatic Constant *getInitializer(Constant *C) {
return GV && GV->hasDefinitiveInitializer() ? GV->getInitializer() : nullptr; return GV && GV->hasDefinitiveInitializer() ? GV->getInitializer() : nullptr;
} }
/// Return the value that would be computed by a load from P after the stores /// Return the value that would be computed by a load from P after the stores
/// reflected by 'memory' have been performed. If we can't decide, return null. /// reflected by 'memory' have been performed. If we can't decide, return null.
Constant *Evaluator::ComputeLoadResult(Constant *P, Type *Ty) { Constant *Evaluator::ComputeLoadResult(Constant *P, Type *Ty) {
// If this memory location has been recently stored, use the stored value: it // If this memory location has been recently stored, use the stored value: it
// is the most up-to-date. // is the most up-to-date.
auto findMemLoc = [this](Constant *Ptr) { return MutatedMemory.lookup(Ptr); }; auto TryFindMemLoc = [this](Constant *Ptr) {
return MutatedMemory.lookup(Ptr);
};
if (Constant *Val = findMemLoc(P)) if (Constant *Val = TryFindMemLoc(P))
return Val; return Val;
// Access it. // Access it.
if (GlobalVariable *GV = dyn_cast<GlobalVariable>(P)) { if (GlobalVariable *GV = dyn_cast<GlobalVariable>(P)) {
if (GV->hasDefinitiveInitializer()) if (GV->hasDefinitiveInitializer())
return GV->getInitializer(); return GV->getInitializer();
return nullptr; return nullptr;
} }
if (ConstantExpr *CE = dyn_cast<ConstantExpr>(P)) { if (ConstantExpr *CE = dyn_cast<ConstantExpr>(P)) {
switch (CE->getOpcode()) { switch (CE->getOpcode()) {
// Handle a constantexpr getelementptr. // Handle a constantexpr getelementptr.
case Instruction::GetElementPtr: case Instruction::GetElementPtr:
if (auto *I = getInitializer(CE->getOperand(0))) if (auto *I = getInitializer(CE->getOperand(0)))
return ConstantFoldLoadThroughGEPConstantExpr(I, CE, Ty, DL); return ConstantFoldLoadThroughGEPConstantExpr(I, CE, Ty, DL);
break; break;
// Handle a constantexpr bitcast. // Handle a constantexpr bitcast.
case Instruction::BitCast: case Instruction::BitCast:
// We're evaluating a load through a pointer that was bitcast to a // We're evaluating a load through a pointer that was bitcast to a
// different type. See if the "from" pointer has recently been stored. // different type. See if the "from" pointer has recently been stored.
// If it hasn't, we may still be able to find a stored pointer by // If it hasn't, we may still be able to find a stored pointer by
// introspecting the type. // introspecting the type.
Constant *Val = Constant *Val =
evaluateBitcastFromPtr(CE->getOperand(0), DL, TLI, findMemLoc); evaluateBitcastFromPtr(CE->getOperand(0), DL, TLI, TryFindMemLoc);
if (!Val) if (!Val)
Val = getInitializer(CE->getOperand(0)); Val = getInitializer(CE->getOperand(0));
if (Val) if (Val)
return ConstantFoldLoadThroughBitcast( return ConstantFoldLoadThroughBitcast(
Val, P->getType()->getPointerElementType(), DL); Val, P->getType()->getPointerElementType(), DL);
break; break;
} }
} }
▲ Show 20 LinesShow All 115 Lines▼ Show 20 Lines if (StoreInst *SI = dyn_cast<StoreInst>(CurInst)) {
<< "Attempting to resolve bitcast on constant ptr.\n"); << "Attempting to resolve bitcast on constant ptr.\n");
// If we're evaluating a store through a bitcast, then we need // If we're evaluating a store through a bitcast, then we need
// to pull the bitcast off the pointer type and push it onto the // to pull the bitcast off the pointer type and push it onto the
// stored value. In order to push the bitcast onto the stored value, // stored value. In order to push the bitcast onto the stored value,
// a bitcast from the pointer's element type to Val's type must be // a bitcast from the pointer's element type to Val's type must be
// legal. If it's not, we can try introspecting the type to find a // legal. If it's not, we can try introspecting the type to find a
// legal conversion. // legal conversion.
auto castValTy = [&](Constant *P) -> Constant * { auto TryCastValTy = [&](Constant *P) -> Constant * {
Type *Ty = cast<PointerType>(P->getType())->getElementType(); // The conversion is illegal if the store is wider than the
if (Constant *FV = ConstantFoldLoadThroughBitcast(Val, Ty, DL)) { // pointee proposed by `evaluateBitcastFromPtr`, since that would
efriedmaUnsubmitted
Not Done
ReplyInline Actions

"proposed bitcast load" doesn't make sense. Do you mean to say "The conversion is illegal if the stored type is narrower than the type of the memory location"?

The code would probably be easier to understand if MutatedMemory was represented using a tuple of "(GlobalVariable, Offset, Size)", or something like that, instead of trying to do a delicate dance with ConstantExprs. But you don't need to do that rewrite here.

efriedma: "proposed bitcast load" doesn't make sense. Do you mean to say "The conversion is illegal if…
jroelofsAuthorUnsubmitted
Done
ReplyInline Actions

For context, I meant "proposed bitcast load" in the sense that evaluateBitcastFromPtr making queries to its callback first for the whole struct, then for that struct's first element, etc. is a "proposal" with nullptr return being a rejection, and the evaluation of the callback itself being a sort of constexpr-through-a-bitcast. Agreed that the wording is strange; I'll reword.

The code would probably be easier to understand...

I was thinking the same, but wanted to keep the fix simple.

jroelofs: For context, I meant "proposed bitcast load" in the sense that `evaluateBitcastFromPtr` making…
jroelofsAuthorUnsubmitted
Done
ReplyInline Actions

The code would probably be easier to understand if MutatedMemory was represented using a tuple of "(GlobalVariable, Offset, Size)", or something like that, instead of trying to do a delicate dance with ConstantExprs. But you don't need to do that rewrite here.

I'm beginning to think a representational change is *necessary* in order to fix all the issues here. Consider this, for example:

https://llvm.godbolt.org/z/4jhn9PGdW

jroelofs: > The code would probably be easier to understand if MutatedMemory was represented using a…
// drop stores to other struct elements when the caller attempts to
// look through a struct's 0th element.
Type *NewTy = cast<PointerType>(P->getType())->getElementType();
Type *STy = Val->getType();
if (DL.getTypeSizeInBits(NewTy) < DL.getTypeSizeInBits(STy))
efriedmaUnsubmitted
Done
ReplyInline Actions

This is a weird way to write Val->getType().

efriedma: This is a weird way to write `Val->getType()`.
return nullptr;
if (Constant *FV = ConstantFoldLoadThroughBitcast(Val, NewTy, DL)) {
aeubanksUnsubmitted
Done
ReplyInline Actions

Can you make this uppercase?

aeubanks: Can you make this uppercase?
Ptr = P; Ptr = P;
return FV; return FV;
} }
return nullptr; return nullptr;
}; };
Constant *NewVal = Constant *NewVal =
evaluateBitcastFromPtr(CE->getOperand(0), DL, TLI, castValTy); evaluateBitcastFromPtr(CE->getOperand(0), DL, TLI, TryCastValTy);
if (!NewVal) { if (!NewVal) {
LLVM_DEBUG(dbgs() << "Failed to bitcast constant ptr, can not " LLVM_DEBUG(dbgs() << "Failed to bitcast constant ptr, can not "
"evaluate.\n"); "evaluate.\n");
return false; return false;
} }
Val = NewVal; Val = NewVal;
LLVM_DEBUG(dbgs() << "Evaluated bitcast: " << *Val << "\n"); LLVM_DEBUG(dbgs() << "Evaluated bitcast: " << *Val << "\n");
▲ Show 20 LinesShow All 370 LinesShow Last 20 Lines

llvm/test/Transforms/GlobalOpt/store-struct-element.ll

  • This file was added.
; RUN: opt < %s -globalopt -S -o - | FileCheck %s
%class.Class = type { i8, i8, i8, i8 }
aeubanksUnsubmitted
Done
ReplyInline Actions

is this necessary?

aeubanks: is this necessary?
@A = local_unnamed_addr global %class.Class undef, align 4
@B = local_unnamed_addr global %class.Class undef, align 4
@llvm.global_ctors = appending global [2 x { i32, void ()*, i8* }] [
{ i32, void ()*, i8* } { i32 65535, void ()* @initA, i8* null },
{ i32, void ()*, i8* } { i32 65535, void ()* @initB, i8* null }
]
define internal void @initA() section "__TEXT,__StaticInit,regular,pure_instructions" {
entry:
store i32 -1, i32* bitcast (%class.Class* @A to i32*), align 4
ret void
}
define internal void @initB() section "__TEXT,__StaticInit,regular,pure_instructions" {
entry:
store i8 -1, i8* bitcast (%class.Class* @B to i8*), align 4
ret void
}
; rdar://79503568
; Check that we don't miscompile when the store covers the whole struct.
; CHECK-NOT: @A = local_unnamed_addr global %class.Class { i8 -1, i8 undef, i8 undef, i8 undef }, align 4
; FIXME: We could optimzie this as { i8 -1, i8 -1, i8 -1, i8 -1 } if constant folding were a little smarter.
; CHECK: @A = local_unnamed_addr global %class.Class undef, align 4
; Check that we still perform the transform when store is smaller than the width of the 0th element.
; CHECK: @B = local_unnamed_addr global %class.Class { i8 -1, i8 undef, i8 undef, i8 undef }, align 4
; CHECK: define internal void @initA()
; CHECK-NOT: define internal void @initB()