This is an archive of the discontinued LLVM Phabricator instance.

Differential D118602

[CodeGenPrepare] Avoid out-of-bounds shift
ClosedPublic

Authored by bjope on Jan 31 2022, 5:37 AM.

Details

Reviewers
reames
t.p.northover
spatel
Commits
rG0352ee1a225a: [CodeGenPrepare] Avoid out-of-bounds shift
Summary

AddressingModeMatcher::matchOperationAddr may attempt to shift a
variable by the same amount of steps as found in the IR in a SHL
instruction. This was done without considering that there could be
undefined behavior in the IR, so the shift performed when compiling
could end up having undefined behavior as well.

This patch avoid UB in the codegenprepare by making sure that we
limit the shift amount used, in a similar way as already being done
in CodeGenPrepare::optimizeLoadExt.

Diff Detail

Event Timeline

bjope created this revision.Jan 31 2022, 5:37 AM
Herald added subscribers: pengfei, hiraditya. · View Herald TranscriptJan 31 2022, 5:37 AM
bjope requested review of this revision.Jan 31 2022, 5:37 AM
Herald added a project: Restricted Project. · View Herald TranscriptJan 31 2022, 5:37 AM
Harbormaster completed remote builds in B146609: Diff 404493.Jan 31 2022, 6:11 AM
bjope added reviewers: reames, t.p.northover.Jan 31 2022, 9:09 AM
bjope added a reviewer: spatel.Feb 2 2022, 9:51 AM
bjope updated this revision to Diff 405592.Feb 3 2022, 5:27 AM

Fix typo (there was an extra "Scale =" that wasn't supposed to be there).

Harbormaster completed remote builds in B147360: Diff 405592.Feb 3 2022, 6:26 AM
spatel added a comment.Feb 3 2022, 8:02 AM

This seems fine, but check my understanding: there's no difference in the test output with this fix if opt is not built with ubsan enabled?

Could/should we just exit if we detect malformed IR?

diff --git a/llvm/lib/CodeGen/CodeGenPrepare.cpp b/llvm/lib/CodeGen/CodeGenPrepare.cpp
index c888adeafca5..294a37689013 100644
--- a/llvm/lib/CodeGen/CodeGenPrepare.cpp
+++ b/llvm/lib/CodeGen/CodeGenPrepare.cpp
@@ -4551,9 +4551,12 @@ bool AddressingModeMatcher::matchOperationAddr(User *AddrInst, unsigned Opcode,
     if (!RHS || RHS->getBitWidth() > 64)
       return false;
     int64_t Scale = RHS->getSExtValue();
-    if (Opcode == Instruction::Shl)
+    if (Opcode == Instruction::Shl) {
+      // Bail out if the IR is not well-defined (overshift is poison).
+      if (RHS->getZExtValue() > 63)
+        return false;
       Scale = 1LL << Scale;
-
+    }
     return matchScaledValue(AddrInst->getOperand(0), Scale, Depth);
   }
   case Instruction::GetElementPtr: {
bjope added a comment.Feb 3 2022, 8:12 AM
In D118602#3293795, @spatel wrote:

This seems fine, but check my understanding: there's no difference in the test output with this fix if opt is not built with ubsan enabled?

Yes. Unfortunately the test case (as-is) doen't show any difference. I'm not sure exactly how to modify the test case to achive that.

Could/should we just exit if we detect malformed IR?

Yes, that is another option. I kind of copied how this was dealt with on line 6491 (another place where CGP is analyzing Shl), but bailing out when finding an OOB shift amount seems safe here. Is that preferred?

spatel accepted this revision.Feb 3 2022, 8:46 AM
In D118602#3293833, @bjope wrote:

Yes, that is another option. I kind of copied how this was dealt with on line 6491 (another place where CGP is analyzing Shl), but bailing out when finding an OOB shift amount seems safe here. Is that preferred?

I don't think it makes a difference either way. Since there's precedence for this code pattern, LGTM.

This revision is now accepted and ready to land.Feb 3 2022, 8:46 AM
This revision was landed with ongoing or failed builds.Feb 3 2022, 12:14 PM
Closed by commit rG0352ee1a225a: [CodeGenPrepare] Avoid out-of-bounds shift (authored by bjope). · Explain Why
This revision was automatically updated to reflect the committed changes.
bjope added a commit: rG0352ee1a225a: [CodeGenPrepare] Avoid out-of-bounds shift.

Revision Contents

PathSize
llvm/
lib/
CodeGen/
6 lines
test/
CodeGen/
X86/
22 lines

Diff 405741

llvm/lib/CodeGen/CodeGenPrepare.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 4,544 Lines▼ Show 20 Linesbool AddressingModeMatcher::matchOperationAddr(User *AddrInst, unsigned Opcode,
//break; //break;
case Instruction::Mul: case Instruction::Mul:
case Instruction::Shl: { case Instruction::Shl: {
// Can only handle X*C and X << C. // Can only handle X*C and X << C.
AddrMode.InBounds = false; AddrMode.InBounds = false;
ConstantInt *RHS = dyn_cast<ConstantInt>(AddrInst->getOperand(1)); ConstantInt *RHS = dyn_cast<ConstantInt>(AddrInst->getOperand(1));
if (!RHS || RHS->getBitWidth() > 64) if (!RHS || RHS->getBitWidth() > 64)
return false; return false;
int64_t Scale = RHS->getSExtValue(); int64_t Scale = Opcode == Instruction::Shl
if (Opcode == Instruction::Shl) ? 1LL << RHS->getLimitedValue(RHS->getBitWidth() - 1)
Scale = 1LL << Scale; : RHS->getSExtValue();
return matchScaledValue(AddrInst->getOperand(0), Scale, Depth); return matchScaledValue(AddrInst->getOperand(0), Scale, Depth);
} }
case Instruction::GetElementPtr: { case Instruction::GetElementPtr: {
// Scan the GEP. We check it if it contains constant offsets and at most // Scan the GEP. We check it if it contains constant offsets and at most
// one variable offset. // one variable offset.
int VariableOperand = -1; int VariableOperand = -1;
unsigned VariableScale = 0; unsigned VariableScale = 0;
▲ Show 20 LinesShow All 3,735 LinesShow Last 20 Lines

llvm/test/CodeGen/X86/codegen-prepare-oob-shl.ll

  • This file was added.
; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
; RUN: opt < %s -mtriple i686-unknown-unknown -codegenprepare -S | FileCheck %s
target datalayout = "e-p:8:8"
; The shl has UB (shift count oob). This used to result in undefined behavior
; in codegenprepare when AddressingModeMatcher::matchOperationAddr tried to
; shift a variable by that amount during compilation. Intent with the test
; case is to verify that this compiles without complaints even if opt is built
; with ubsan enabled.
define dso_local void @main(i32 %a, [3 x { i8, i8 }*]* %p) {
; CHECK-LABEL: @main(
; CHECK-NEXT: [[SHL:%.*]] = shl i32 [[A:%.*]], -1229216766
; CHECK-NEXT: [[ARRAYIDX926:%.*]] = getelementptr inbounds [3 x { i8, i8 }*], [3 x { i8, i8 }*]* [[P:%.*]], i32 0, i32 [[SHL]]
; CHECK-NEXT: [[L0:%.*]] = load { i8, i8 }*, { i8, i8 }** [[ARRAYIDX926]], align 1
; CHECK-NEXT: ret void
;
%shl = shl i32 %a, -1229216766
%arrayidx926 = getelementptr inbounds [3 x { i8, i8 }*], [3 x { i8, i8 }*]* %p, i32 0, i32 %shl
%l0 = load { i8, i8 }*, { i8, i8 }** %arrayidx926, align 1
ret void
}