Download Raw Diff

Details

Reviewers

spatel
nikic
lebedev.ri
RKSimon

Commits

rG4041c4485358: [InstCombine] Update predicate when canonicalizing comparisons in…

Summary

canonicalizeClampLike canonicalizes the ule/ugt comparisons to ult/uge,
respectively. However, it does not update the variable holding the
comparison predicate type after doing this. Later code fails to handle
the non-canonical predicate type (specifically, the swap of
ThresholdLowIncl and ThresholdHighExcl when Pred0 has been canonicalized
from ugt to uge). This leads to the miscompile reported in PR53252. Fix
this by updating the comparison predicate after canonicalizing.

Fixes https://github.com/llvm/llvm-project/issues/53252.

Diff Detail

Repository: rG LLVM Github Monorepo

Unit TestsFailed

	Time	Test
	60,030 ms	x64 debian > MLIR.Examples/standalone::test.toy
	60,020 ms	x64 debian > libFuzzer.libFuzzer::large.test

Event Timeline

rickyz created this revision.Feb 13 2022, 10:34 PM

Herald added a subscriber: hiraditya. · View Herald TranscriptFeb 13 2022, 10:34 PM

rickyz requested review of this revision.Feb 13 2022, 10:34 PM

Herald added a project: Restricted Project. · View Herald TranscriptFeb 13 2022, 10:34 PM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Harbormaster completed remote builds in B149328: Diff 408330.Feb 13 2022, 10:35 PM

Add assert on predicate type.

Harbormaster completed remote builds in B149332: Diff 408334.Feb 13 2022, 11:14 PM

Tests/alive2 only cover the ICMP_UGT case, but not the 3 other affected.

spatel mentioned this in D119689: [InstCombine] Add test reproducing PR53252 (NFC).Feb 15 2022, 7:32 AM

Rebase.

Harbormaster completed remote builds in B149855: Diff 409087.Feb 15 2022, 4:06 PM

I added test coverage of the other cases in D119689 (the parent to this revision).

fwiw, I also verified the fixed transformation with a SAT solver: https://gist.github.com/rickyz/dd9e7c5b73ccf176a80752adf5a0b3f6 (note: doesn't fully model LLVM semantics). It would be cool if these transformations were implemented in some sort of DSL that allowed automatically generating checkers! It looks like bugs like this one are already being found by alive2 + some fuzzing though.

spatel added inline comments.Feb 17 2022, 11:11 AM

llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp
1381	Why set this if it is never used below here?
llvm/test/Transforms/InstCombine/canonicalize-clamp-like-pattern-between-negative-and-positive-thresholds.ll
214–215	I don't think this variation adds real coverage for the fix. 'uge' will be canonicalized to 'ugt' before we reach the buggy code, so it's the same as the previous test. Do we need to swap the select operands to exercise the predicate cases further? It's not clear to me from just looking at the code or the existing tests how to hit the bug.

Rebase/respond to comment.

llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp
1381	This isn't used, but I did it to signal that from this point forward, the predicate has been canonicalized to SLT. I see this as defense in depth against future bugs like this one (kind of like how some C programmers like to set pointer variables to NULL after freeing them). I can see how this could mislead a reader to believe that the variable is used afterwards though. I'll remove it, since it seems like there's some preference against this.
llvm/test/Transforms/InstCombine/canonicalize-clamp-like-pattern-between-negative-and-positive-thresholds.ll
214–215	Ah, I misinterpreted the comment as asking for tests of different predicates regardless of whether they hit the switch cases in this code (i.e. to provide coverage should canonicalization change at some point). Thinking about this more, I think I also lean towards deleting these tests. I don't know of a good way to exercise the UGE and ULE cases in the switch on `Pred0` - like you mentioned, comparisons against a constant are canonicalized to strict comparisons in `canonicalizeCmpWithConstant`. The only cases I can think of where this canonicalization will not happen are tautological boundary cases like `icmp ule i32 %x, -1` and `icmp uge i32 %x, 0` which will instead be simplified to `true` before we get to canonicalizing the select.

Harbormaster completed remote builds in B150372: Diff 409844.Feb 17 2022, 7:35 PM

@lebedev.ri mentioned that there may be 4 different patterns to test, but I'm not seeing how that happens. Suggestions?
It seems like we should be able to swap the select operands to make Pred0 become "ule", but then what other conditions are needed to trigger the bug?

llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp
1381	I'm not opposed to the change, but if you add it, then there should be an assert below. That way, it is clear why we did the update.

Reverse ping. It would be great to squash this miscompile-bug.

Herald added a project: Restricted Project. · View Herald TranscriptApr 10 2022, 2:09 AM

@rickyz Are you still looking at this, otherwise would you mind if somebody commandeered the patches to get the bug fixed soon please?

rickyz added a parent revision: D119689: [InstCombine] Add test reproducing PR53252 (NFC).Apr 26 2022, 12:05 AM

Apologies for my long-delayed response!

It seems that I was confused in my previous comments about the difficulty of exercising the non-strict equality cases - swapping the select arguments works as expected. D119689 should now contain negative tests for each possible value of Pred0. The two non-strict equality tests pass even without this change, since the bug is only triggered when Pred0 = UGT.

(edit: corrected the last sentence from ULT to UGT)

llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp
1381	Good idea, done.

Rebase, add assert on Pred1.

RKSimon added inline comments.Apr 26 2022, 2:17 AM

llvm/test/Transforms/InstCombine/canonicalize-clamp-like-pattern-between-negative-and-positive-thresholds.ll
189	Remove the FIXME (but please keep the reference to PR53252)

Remove FIXME comment from incorrect merge.

Update commit message to clarify conditions for the bug.

Forgot to pass --verbatim last time, sorry for the noise!

Harbormaster completed remote builds in B161354: Diff 425162.Apr 26 2022, 4:15 AM

@spatel Any comments?

I didn't step through to see why the ult/uge variant doesn't trigger the bug, but there's a test now, so LGTM.

This revision is now accepted and ready to land.Apr 26 2022, 9:42 AM

In D119690#3474998, @spatel wrote:

I didn't step through to see why the ult/uge variant doesn't trigger the bug, but there's a test now, so LGTM.

Thanks! If it helps, here is an attempt to explain why the bug is only triggered by UGT:

Pred0 = UGT

Pred0 is canonicalized to UGE here: https://github.com/llvm/llvm-project/blob/5805cfb90127195a9e8aa09716e989f286d0e22b/llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp#L1307-L1316. Before this change, Pred0 would still equal UGT.

https://github.com/llvm/llvm-project/blob/5805cfb90127195a9e8aa09716e989f286d0e22b/llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp#L1389-L1390 is supposed to flip the thresholds when the (post-canonicalization) Pred0 is UGE.

The bug does not occur for any other values of Pred0 because:
UGE is canonicalized to UGE, and correctly flips the thresholds
ULT is canonicalized to ULT, which does not require flipping the thresholds
ULE is canonicalized to ULT, which does not require flipping the thresholds

Thanks for the review - I am not an LLVM committer, so can you please land this and D119689? Thanks!

spatel mentioned this in rG077488a6bf2e: [InstCombine] Add tests reproducing PR53252 (NFC).Apr 26 2022, 2:24 PM

This revision was landed with ongoing or failed builds.Apr 26 2022, 2:36 PM

Closed by commit rG4041c4485358: [InstCombine] Update predicate when canonicalizing comparisons in… (authored by rickyz, committed by spatel). · Explain Why

This revision was automatically updated to reflect the committed changes.

spatel added a commit: rG4041c4485358: [InstCombine] Update predicate when canonicalizing comparisons in….

Diff 425162

llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp

Show First 20 Lines • Show All 1,306 Lines • ▼ Show 20 Lines	static Value *canonicalizeClampLike(SelectInst &Sel0, ICmpInst &Cmp0,
case ICmpInst::Predicate::ICMP_UGT:		case ICmpInst::Predicate::ICMP_UGT:
// We want to canonicalize it to 'ult' or 'uge', so we'll need to increment		// We want to canonicalize it to 'ult' or 'uge', so we'll need to increment
// C0, which again means it must not have any all-ones elements.		// C0, which again means it must not have any all-ones elements.
if (!match(C0,		if (!match(C0,
m_SpecificInt_ICMP(		m_SpecificInt_ICMP(
ICmpInst::Predicate::ICMP_NE,		ICmpInst::Predicate::ICMP_NE,
APInt::getAllOnes(C0->getType()->getScalarSizeInBits()))))		APInt::getAllOnes(C0->getType()->getScalarSizeInBits()))))
return nullptr; // Can't do, have all-ones element[s].		return nullptr; // Can't do, have all-ones element[s].
		Pred0 = ICmpInst::getFlippedStrictnessPredicate(Pred0);
C0 = InstCombiner::AddOne(C0);		C0 = InstCombiner::AddOne(C0);
break;		break;
default:		default:
return nullptr; // Unknown predicate.		return nullptr; // Unknown predicate.
}		}

// Now that we've canonicalized the ICmp, we know the X we expect;		// Now that we've canonicalized the ICmp, we know the X we expect;
// the select in other hand should be one-use.		// the select in other hand should be one-use.
▲ Show 20 Lines • Show All 49 Lines • ▼ Show 20 Lines	if (!match(C2,
APInt::getSignedMaxValue(		APInt::getSignedMaxValue(
C2->getType()->getScalarSizeInBits()))))		C2->getType()->getScalarSizeInBits()))))
return nullptr; // Can't do, have signed max element[s].		return nullptr; // Can't do, have signed max element[s].
C2 = InstCombiner::AddOne(C2);		C2 = InstCombiner::AddOne(C2);
LLVM_FALLTHROUGH;		LLVM_FALLTHROUGH;
case ICmpInst::Predicate::ICMP_SGE:		case ICmpInst::Predicate::ICMP_SGE:
// Also non-canonical, but here we don't need to change C2,		// Also non-canonical, but here we don't need to change C2,
// so we don't have any restrictions on C2, so we can just handle it.		// so we don't have any restrictions on C2, so we can just handle it.
		Pred1 = ICmpInst::Predicate::ICMP_SLT;
		spatelUnsubmitted Done Reply Inline Actions Why set this if it is never used below here? spatel: Why set this if it is never used below here?
		rickyzAuthorUnsubmitted Done Reply Inline Actions This isn't used, but I did it to signal that from this point forward, the predicate has been canonicalized to SLT. I see this as defense in depth against future bugs like this one (kind of like how some C programmers like to set pointer variables to NULL after freeing them). I can see how this could mislead a reader to believe that the variable is used afterwards though. I'll remove it, since it seems like there's some preference against this. rickyz: This isn't used, but I did it to signal that from this point forward, the predicate has been…
		spatelUnsubmitted Done Reply Inline Actions I'm not opposed to the change, but if you add it, then there should be an assert below. That way, it is clear why we did the update. spatel: I'm not opposed to the change, but if you add it, then there should be an assert below. That…
		rickyzAuthorUnsubmitted Done Reply Inline Actions Good idea, done. rickyz: Good idea, done.
std::swap(ReplacementLow, ReplacementHigh);		std::swap(ReplacementLow, ReplacementHigh);
break;		break;
default:		default:
return nullptr; // Unknown predicate.		return nullptr; // Unknown predicate.
}		}
		assert(Pred1 == ICmpInst::Predicate::ICMP_SLT &&
		"Unexpected predicate type.");

// The thresholds of this clamp-like pattern.		// The thresholds of this clamp-like pattern.
auto *ThresholdLowIncl = ConstantExpr::getNeg(C1);		auto *ThresholdLowIncl = ConstantExpr::getNeg(C1);
auto *ThresholdHighExcl = ConstantExpr::getSub(C0, C1);		auto *ThresholdHighExcl = ConstantExpr::getSub(C0, C1);

		assert((Pred0 == ICmpInst::Predicate::ICMP_ULT \|\|
		Pred0 == ICmpInst::Predicate::ICMP_UGE) &&
		"Unexpected predicate type.");
if (Pred0 == ICmpInst::Predicate::ICMP_UGE)		if (Pred0 == ICmpInst::Predicate::ICMP_UGE)
std::swap(ThresholdLowIncl, ThresholdHighExcl);		std::swap(ThresholdLowIncl, ThresholdHighExcl);

// The fold has a precondition 1: C2 s>= ThresholdLow		// The fold has a precondition 1: C2 s>= ThresholdLow
auto *Precond1 = ConstantExpr::getICmp(ICmpInst::Predicate::ICMP_SGE, C2,		auto *Precond1 = ConstantExpr::getICmp(ICmpInst::Predicate::ICMP_SGE, C2,
ThresholdLowIncl);		ThresholdLowIncl);
if (!match(Precond1, m_One()))		if (!match(Precond1, m_One()))
return nullptr;		return nullptr;
▲ Show 20 Lines • Show All 1,750 Lines • Show Last 20 Lines

llvm/test/Transforms/InstCombine/canonicalize-clamp-like-pattern-between-negative-and-positive-thresholds.ll

Show First 20 Lines • Show All 180 Lines • ▼ Show 20 Lines	;
%t0 = icmp slt i32 %x, -17		%t0 = icmp slt i32 %x, -17
%t1 = select i1 %t0, i32 %replacement_low, i32 %replacement_high		%t1 = select i1 %t0, i32 %replacement_low, i32 %replacement_high
%t2 = add i32 %x, 16		%t2 = add i32 %x, 16
%t3 = icmp ult i32 %t2, 144		%t3 = icmp ult i32 %t2, 144
%r = select i1 %t3, i32 %x, i32 %t1		%r = select i1 %t3, i32 %x, i32 %t1
ret i32 %r		ret i32 %r
}		}

; FIXME: This is incorrect, see PR53252.		; Regression test for PR53252.
		RKSimonUnsubmitted Not Done Reply Inline Actions Remove the FIXME (but please keep the reference to PR53252) RKSimon: Remove the FIXME (but please keep the reference to PR53252)
define i32 @n10_ugt_slt(i32 %x, i32 %replacement_low, i32 %replacement_high) {		define i32 @n10_ugt_slt(i32 %x, i32 %replacement_low, i32 %replacement_high) {
; CHECK-LABEL: @n10_ugt_slt(		; CHECK-LABEL: @n10_ugt_slt(
; CHECK-NEXT: [[TMP1:%.]] = icmp slt i32 [[X:%.]], 0		; CHECK-NEXT: [[T0:%.]] = icmp slt i32 [[X:%.]], 0
; CHECK-NEXT: [[TMP2:%.*]] = icmp sgt i32 [[X]], 128		; CHECK-NEXT: [[T1:%.]] = select i1 [[T0]], i32 [[REPLACEMENT_LOW:%.]], i32 [[REPLACEMENT_HIGH:%.*]]
; CHECK-NEXT: [[TMP3:%.]] = select i1 [[TMP1]], i32 [[REPLACEMENT_LOW:%.]], i32 [[X]]		; CHECK-NEXT: [[T2:%.*]] = icmp ugt i32 [[X]], 128
; CHECK-NEXT: [[R:%.]] = select i1 [[TMP2]], i32 [[REPLACEMENT_HIGH:%.]], i32 [[TMP3]]		; CHECK-NEXT: [[R:%.*]] = select i1 [[T2]], i32 [[X]], i32 [[T1]]
; CHECK-NEXT: ret i32 [[R]]		; CHECK-NEXT: ret i32 [[R]]
;		;
%t0 = icmp slt i32 %x, 0		%t0 = icmp slt i32 %x, 0
%t1 = select i1 %t0, i32 %replacement_low, i32 %replacement_high		%t1 = select i1 %t0, i32 %replacement_low, i32 %replacement_high
%t2 = icmp ugt i32 %x, 128		%t2 = icmp ugt i32 %x, 128
%r = select i1 %t2, i32 %x, i32 %t1		%r = select i1 %t2, i32 %x, i32 %t1
ret i32 %r		ret i32 %r
}		}

define i32 @n11_uge_slt(i32 %x, i32 %replacement_low, i32 %replacement_high) {		define i32 @n11_uge_slt(i32 %x, i32 %replacement_low, i32 %replacement_high) {
; CHECK-LABEL: @n11_uge_slt(		; CHECK-LABEL: @n11_uge_slt(
; CHECK-NEXT: [[T0:%.]] = icmp slt i32 [[X:%.]], 0		; CHECK-NEXT: [[T0:%.]] = icmp slt i32 [[X:%.]], 0
; CHECK-NEXT: [[T1:%.]] = select i1 [[T0]], i32 [[REPLACEMENT_LOW:%.]], i32 [[REPLACEMENT_HIGH:%.*]]		; CHECK-NEXT: [[T1:%.]] = select i1 [[T0]], i32 [[REPLACEMENT_LOW:%.]], i32 [[REPLACEMENT_HIGH:%.*]]
; CHECK-NEXT: [[T2:%.*]] = icmp ult i32 [[X]], 129		; CHECK-NEXT: [[T2:%.*]] = icmp ult i32 [[X]], 129
; CHECK-NEXT: [[R:%.*]] = select i1 [[T2]], i32 [[T1]], i32 [[X]]		; CHECK-NEXT: [[R:%.*]] = select i1 [[T2]], i32 [[T1]], i32 [[X]]
; CHECK-NEXT: ret i32 [[R]]		; CHECK-NEXT: ret i32 [[R]]
;		;
%t0 = icmp slt i32 %x, 0		%t0 = icmp slt i32 %x, 0
%t1 = select i1 %t0, i32 %replacement_low, i32 %replacement_high		%t1 = select i1 %t0, i32 %replacement_low, i32 %replacement_high
%t2 = icmp ult i32 %x, 129		%t2 = icmp ult i32 %x, 129
spatelUnsubmitted Not Done Reply Inline Actions I don't think this variation adds real coverage for the fix. 'uge' will be canonicalized to 'ugt' before we reach the buggy code, so it's the same as the previous test. Do we need to swap the select operands to exercise the predicate cases further? It's not clear to me from just looking at the code or the existing tests how to hit the bug. spatel: I don't think this variation adds real coverage for the fix. 'uge' will be canonicalized to…
rickyzAuthorUnsubmitted Done Reply Inline Actions Ah, I misinterpreted the comment as asking for tests of different predicates regardless of whether they hit the switch cases in this code (i.e. to provide coverage should canonicalization change at some point). Thinking about this more, I think I also lean towards deleting these tests. I don't know of a good way to exercise the UGE and ULE cases in the switch on `Pred0` - like you mentioned, comparisons against a constant are canonicalized to strict comparisons in `canonicalizeCmpWithConstant`. The only cases I can think of where this canonicalization will not happen are tautological boundary cases like `icmp ule i32 %x, -1` and `icmp uge i32 %x, 0` which will instead be simplified to `true` before we get to canonicalizing the select. rickyz: Ah, I misinterpreted the comment as asking for tests of different predicates regardless of…
%r = select i1 %t2, i32 %t1, i32 %x		%r = select i1 %t2, i32 %t1, i32 %x
ret i32 %r		ret i32 %r
}		}

define i32 @n12_ule_slt(i32 %x, i32 %replacement_low, i32 %replacement_high) {		define i32 @n12_ule_slt(i32 %x, i32 %replacement_low, i32 %replacement_high) {
; CHECK-LABEL: @n12_ule_slt(		; CHECK-LABEL: @n12_ule_slt(
; CHECK-NEXT: [[T0:%.]] = icmp slt i32 [[X:%.]], -1		; CHECK-NEXT: [[T0:%.]] = icmp slt i32 [[X:%.]], -1
; CHECK-NEXT: [[T1:%.]] = select i1 [[T0]], i32 [[REPLACEMENT_LOW:%.]], i32 [[REPLACEMENT_HIGH:%.*]]		; CHECK-NEXT: [[T1:%.]] = select i1 [[T0]], i32 [[REPLACEMENT_LOW:%.]], i32 [[REPLACEMENT_HIGH:%.*]]
▲ Show 20 Lines • Show All 304 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[InstCombine] Update predicate when canonicalizing comparisons in canonicalizeClampLike.
ClosedPublic

Details

Diff Detail

Unit TestsFailed

Event Timeline

Revision Contents

Diff 425162

llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp

llvm/test/Transforms/InstCombine/canonicalize-clamp-like-pattern-between-negative-and-positive-thresholds.ll

This is an archive of the discontinued LLVM Phabricator instance.

[InstCombine] Update predicate when canonicalizing comparisons in canonicalizeClampLike.ClosedPublic

Details

Diff Detail

Unit TestsFailed

Event Timeline

Revision Contents

Diff 425162

llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp

llvm/test/Transforms/InstCombine/canonicalize-clamp-like-pattern-between-negative-and-positive-thresholds.ll

[InstCombine] Update predicate when canonicalizing comparisons in canonicalizeClampLike.
ClosedPublic