This is an archive of the discontinued LLVM Phabricator instance.

Differential D112693

[SimplifyCFG] Fix miscompile in tryWidenCondBranchToCondBranch. PR52290
AbandonedPublic

Authored by mkazantsev on Oct 27 2021, 11:53 PM.

Details

Reviewers
reames
apilipenko
lebedev.ri
craig.topper
Summary

tryWidenCondBranchToCondBranch is supposed to perform guard widening,
redirecting a deopting exit of successor block into a deopting exit of the
widenable predecessor block. But the check that the latter is actually deoptimizing
was never done. As result, the transform was turning

define i32 @test(float %arg) gc "statepoint-example" personality i32* ()* @blam {
bb:
  %tmp = call i1 @llvm.experimental.widenable.condition()
  br i1 %tmp, label %bb2, label %bb1

bb1:                                              ; preds = %bb
  br i1 undef, label %bb7, label %bb5

bb2:                                              ; preds = %bb
  %tmp3 = getelementptr inbounds i8, i8 addrspace(1)* undef, i64 16
  br i1 undef, label %bb7, label %bb4

bb4:                                              ; preds = %bb2
  call void @snork() [ "deopt"() ]
  unreachable

bb5:                                              ; preds = %bb1
  ret i32 0

bb7:                                              ; preds = %bb2, %bb1
  %tmp8 = call i32 (...) @llvm.experimental.deoptimize.i32(i32 10) [ "deopt"() ]
  ret i32 %tmp8
}

into

define i32 @test(float %arg) gc "statepoint-example" personality i32* ()* @blam {
bb:
  %tmp = call i1 @llvm.experimental.widenable.condition()
  br i1 %tmp, label %bb2, label %bb1

bb1:                                              ; preds = %bb2, %bb
  br i1 undef, label %bb7, label %bb5

bb2:                                              ; preds = %bb
  %tmp3 = getelementptr inbounds i8, i8 addrspace(1)* undef, i64 16
  br i1 undef, label %bb1, label %bb4

bb4:                                              ; preds = %bb2
  call void @snork() [ "deopt"() ]
  unreachable

bb5:                                              ; preds = %bb1
  ret i32 0

bb7:                                              ; preds = %bb1
  %tmp8 = call i32 (...) @llvm.experimental.deoptimize.i32(i32 10) [ "deopt"() ]
  ret i32 %tmp8
}

Note that this is just wrong: previously taking branch bb2->bb7 was always a deopt,
but then it was replaced with bb2->bb1 and then it could go to bb5 which was not
even reachable from bb2 before the transform. (In this test conditions are undef, but
in fact they are never analyzed so it doesn't matter; condition in bb2 could as well be
a regular value).

So in fact, this transform may replace a deopting edge with some random edge which
never deopts. It's a miscompile by itself, and in case of SimplifyCFG, it has weird interactions
with other transforms of SimplifyCondBranchToCondBranch, which create a .pr Phi, then
thread through it, and then the described buggy transform repeats and brings the code into
its initial state. So we end up stuck in an infinite loop.

This patch fixes this situation by ensuring that widenable condition branch actually goes to
deopt if the condition is false.

Diff Detail

Event Timeline

mkazantsev created this revision.Oct 27 2021, 11:53 PM
Herald added a subscriber: hiraditya. · View Herald TranscriptOct 27 2021, 11:53 PM
mkazantsev requested review of this revision.Oct 27 2021, 11:53 PM
Herald added a project: Restricted Project. · View Herald TranscriptOct 27 2021, 11:53 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B131135: Diff 382929.Oct 28 2021, 12:59 AM
lebedev.ri added a comment.Oct 28 2021, 2:27 AM

I'm not familiar with @llvm.experimental.deoptimize.
This should not be in parseWidenableBranch(), right?

mkazantsev added a child revision: D112699: [SimplifyCFG] Simplify conditions of branches.Oct 28 2021, 2:46 AM
reames added a comment.Oct 28 2021, 8:43 AM

Max, the wideable condition intrinsic is carefully specified to not require any particular item down the widened path. Your explanation is misleading at best.

I suspect you do have a bug here - the test case sure seems to imply that - but it's not the lack of a deoptimizing call down the untaken path of the widenable condition. I'd almost suspect a bug in your frontend lowering to this if it weren't for the infinite loop in the test case.

mkazantsev added a comment.Oct 31 2021, 9:41 PM

Philip, the bug was indeed revealed on attempt to change the frontend, but there was no bug in initial IR. You are right that widenable condition does not require anything specific be down the false path. But guard widening does. All deopts are mutually replacable, but you can't replace a deopt with a random branch just because there is a widenable condition elsewhere. This makes SimplifyCFG somewhat mad.

mkazantsev added a comment.EditedOct 31 2021, 9:43 PM

Some more detailed description: imagine each block had a unique call signaling that we entered it. In the initial test, path bb->bb1->bb5 did exist and was legal. But if after bb we've decided to go to bb2, then there is no possible way we can ever get to bb5. But with this transform, we sure can (bb->bb2->bb1->bb5), for no explainable reason. Guard widening doesn't explain it. It's a bug.

mkazantsev added a comment.Nov 7 2021, 10:09 PM

Ping

apilipenko added a comment.Nov 9 2021, 12:20 PM

I agree with Philip, widening transformation doesn't rely on deoptimizations.

Some more detailed description: imagine each block had a unique call signaling that we entered it.

The transform in question will not happen if there are side effects in the block.

dbakunevich mentioned this in D115781: [SimplifyCFG] Try to do somethink with misscompile bug in widenable condition..Dec 14 2021, 9:00 PM
mkazantsev abandoned this revision.Dec 19 2021, 8:52 PM
mkazantsev reclaimed this revision.Mar 29 2022, 1:20 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 29 2022, 1:20 AM
Herald added a subscriber: StephenFan. · View Herald Transcript
mkazantsev abandoned this revision.Jun 1 2022, 12:01 AM

Revision Contents

PathSize
llvm/
lib/
Transforms/
Utils/
4 lines
test/
Transforms/
SimplifyCFG/
24 lines

Diff 382929

llvm/lib/Transforms/Utils/SimplifyCFG.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 3,621 Lines▼ Show 20 Linesstatic bool tryWidenCondBranchToCondBranch(BranchInst *PBI, BranchInst *BI,
// BI's condition. // BI's condition.
Value *CondWB, *WC; Value *CondWB, *WC;
BasicBlock *IfTrueBB, *IfFalseBB; BasicBlock *IfTrueBB, *IfFalseBB;
if (!parseWidenableBranch(PBI, CondWB, WC, IfTrueBB, IfFalseBB) || if (!parseWidenableBranch(PBI, CondWB, WC, IfTrueBB, IfFalseBB) ||
IfTrueBB != BI->getParent() || !BI->getParent()->getSinglePredecessor()) IfTrueBB != BI->getParent() || !BI->getParent()->getSinglePredecessor())
return false; return false;
if (!IfFalseBB->phis().empty()) if (!IfFalseBB->phis().empty())
return false; // TODO return false; // TODO
// We are going to replace one of deopting successors of BB with IfFalseBB,
// but for that we need to make sure it's actually deoptimizing.
if (!IfFalseBB->getTerminatingDeoptimizeCall())
return false;
// Use lambda to lazily compute expensive condition after cheap ones. // Use lambda to lazily compute expensive condition after cheap ones.
auto NoSideEffects = [](BasicBlock &BB) { auto NoSideEffects = [](BasicBlock &BB) {
return !llvm::any_of(BB, [](const Instruction &I) { return !llvm::any_of(BB, [](const Instruction &I) {
return I.mayWriteToMemory() || I.mayHaveSideEffects(); return I.mayWriteToMemory() || I.mayHaveSideEffects();
}); });
}; };
if (BI->getSuccessor(1) != IfFalseBB && // no inf looping if (BI->getSuccessor(1) != IfFalseBB && // no inf looping
BI->getSuccessor(1)->getTerminatingDeoptimizeCall() && // profitability BI->getSuccessor(1)->getTerminatingDeoptimizeCall() && // profitability
▲ Show 20 LinesShow All 3,146 LinesShow Last 20 Lines

llvm/test/Transforms/SimplifyCFG/pr52290.ll

; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
; RUN: opt < %s -simplifycfg -S | FileCheck %s ; RUN: opt < %s -simplifycfg -S | FileCheck %s
; RUN: opt < %s -passes=simplifycfg -S | FileCheck %s ; RUN: opt < %s -passes=simplifycfg -S | FileCheck %s
; XFAIL: *
; REQUIRES: asserts
; FIXME: Fails due to infinite loop in iterativelySimplifyCFG.
; ModuleID = 'test/Transforms/SimplifyCFG/pr-new.ll' ; ModuleID = 'test/Transforms/SimplifyCFG/pr-new.ll'
source_filename = "test/Transforms/SimplifyCFG/pr-new.ll" source_filename = "test/Transforms/SimplifyCFG/pr-new.ll"
define i32 @test(float %arg) gc "statepoint-example" personality i32* ()* @blam { define i32 @test(float %arg) gc "statepoint-example" personality i32* ()* @blam {
; CHECK-LABEL: @test ; CHECK-LABEL: @test(
; CHECK-NEXT: bb:
; CHECK-NEXT: [[TMP:%.*]] = call i1 @llvm.experimental.widenable.condition()
; CHECK-NEXT: br i1 [[TMP]], label [[BB2:%.*]], label [[BB1:%.*]]
; CHECK: bb1:
; CHECK-NEXT: br i1 undef, label [[BB7:%.*]], label [[BB5:%.*]]
; CHECK: bb2:
; CHECK-NEXT: [[TMP3:%.*]] = getelementptr inbounds i8, i8 addrspace(1)* undef, i64 16
; CHECK-NEXT: br i1 undef, label [[BB7]], label [[BB4:%.*]]
; CHECK: bb4:
; CHECK-NEXT: call void @snork() [ "deopt"() ]
; CHECK-NEXT: unreachable
; CHECK: bb5:
; CHECK-NEXT: ret i32 0
; CHECK: bb7:
; CHECK-NEXT: [[TMP8:%.*]] = call i32 (...) @llvm.experimental.deoptimize.i32(i32 10) [ "deopt"() ]
; CHECK-NEXT: ret i32 [[TMP8]]
;
bb: bb:
%tmp = call i1 @llvm.experimental.widenable.condition() %tmp = call i1 @llvm.experimental.widenable.condition()
br i1 %tmp, label %bb2, label %bb1 br i1 %tmp, label %bb2, label %bb1
bb1: ; preds = %bb bb1: ; preds = %bb
br i1 undef, label %bb7, label %bb5 br i1 undef, label %bb7, label %bb5
bb2: ; preds = %bb bb2: ; preds = %bb
Show All 29 Lines