This is an archive of the discontinued LLVM Phabricator instance.

Differential D121744

[SCCP] do not clean up dead blocks that have their address taken
ClosedPublic

Authored by nickdesaulniers on Mar 15 2022, 3:00 PM.

Details

Reviewers
nikic
bcl5980
efriedma
fhahn
Commits
rGe1bae23f6f2b: [SCCP] do not clean up dead blocks that have their address taken
Summary

[SCCP] do not clean up dead blocks that have their address taken

Fixes a crash observed in IPSCCP.

Because the SCCPSolver has already internalized BlockAddresses as
Constants or ConstantExprs, we don't want to try to update their Values
in the ValueLatticeElement. Instead, continue to propagate these
BlockAddress Constants, continue converting BasicBlocks to unreachable,
but don't delete the "dead" BasicBlocks which happen to have their
address taken. Leave replacing the BlockAddresses to another pass.

Fixes: https://github.com/llvm/llvm-project/issues/54238
Fixes: https://github.com/llvm/llvm-project/issues/54251

Diff Detail

Event Timeline

nickdesaulniers created this revision.Mar 15 2022, 3:00 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 15 2022, 3:00 PM
Herald added subscribers: hiraditya, arichardson. · View Herald Transcript
nickdesaulniers requested review of this revision.Mar 15 2022, 3:00 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 15 2022, 3:00 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
nickdesaulniers mentioned this in D121580: [SCCP] Fix crash when function arg is a unused basic block's address.Mar 15 2022, 3:00 PM
nickdesaulniers added inline comments.Mar 15 2022, 3:08 PM
llvm/lib/Transforms/Scalar/SCCP.cpp
527–530

There's probably some code somewhere in llvm::SimplifyInstruction that already does this transform (as observed by SimplifyCFG in https://github.com/llvm/llvm-project/issues/54328#issuecomment-1067229660). maybe that can be reused here?

Since the behavior is surprising to users (https://github.com/llvm/llvm-project/issues/54328) maybe we could consolidate such transforms with a comment about why this is done, for historical context?

llvm/lib/Transforms/Utils/SCCPSolver.cpp
424–426 ↗(On Diff #415599)

This added bitcast is a bit curious, I'd like to clean it up, but I'm not sure yet how best to do so.

Basically, we know we want to replace i8* blockaddress(@fn, %bb) with i8* inttoptr (i32 1 to i8*), but the User of the BA and entry in ValueState is %1 = bitcast i8* blockaddress(@fn, %bb) to i64*.

Maybe I should be doing an operand replacement? As in take Old and replace its operand with New?

nickdesaulniers planned changes to this revision.Mar 15 2022, 3:12 PM
nickdesaulniers added inline comments.Mar 15 2022, 3:23 PM
llvm/lib/Transforms/Utils/SCCPSolver.cpp
424–426 ↗(On Diff #415599)

Looks like User::replaceUsesOfWith can't be called with a Constant. Maybe I need to construct a new Instruction to replace the prior use, with the new operand?

Harbormaster completed remote builds in B154434: Diff 415599.Mar 15 2022, 3:59 PM
nickdesaulniers added inline comments.Mar 16 2022, 10:08 AM
llvm/lib/Transforms/Utils/SCCPSolver.cpp
424–426 ↗(On Diff #415599)

Looks like I need to be doing checks for ConstantExprs in the caller rather than dealing strictly with Constants.

nickdesaulniers updated this revision to Diff 415906.Mar 16 2022, 10:59 AM
  • handle ConstExpr's rather than just BitCasts
Harbormaster completed remote builds in B154646: Diff 415906.Mar 16 2022, 11:00 AM
nickdesaulniers planned changes to this revision.Mar 16 2022, 11:08 AM
nickdesaulniers added inline comments.
llvm/lib/Transforms/Scalar/SCCP.cpp
533–542

While this removes the special case for bitcasts, it's still subtly not quite right; it only checks for one level of nesting of ConstExprs; there could be multiple "levels of nesting" for the aggregated Constant stored in the lattice.

i.e. the BlockAddress of interest might have the following User: i64* bitcast (i8* blockaddress(@main, %redirected) to i64*); but I worry if the lattice had something like i8* bitcast (i64* bitcast (i8* blockaddress(@main, %redirected) to i64*) to i8*); then we'd be trying to replace the former and not finding the latter. Unless the latter is also considered a User of the BlockAddress?

I can test that, but I'm going to see first whether we can query the solver whether it has reach-ability info ready BEFORE we internalize new ConstantExpr's containing BlockAddress Constants into the lattice. Then we could avoid this find+replace dance and simply do less work.

nickdesaulniers added inline comments.Mar 16 2022, 11:29 AM
llvm/lib/Transforms/Scalar/SCCP.cpp
533–542

but I'm going to see first whether we can query the solver whether it has reach-ability info ready BEFORE we internalize new ConstantExpr's containing BlockAddress Constants into the lattice. Then we could avoid this find+replace dance and simply do less work.

Yeah, the SCCPVisitor marks blocks executable during a traversal, while eagerly adding values to the lattice; so block executability is not precise until we've completed the traversal. At that point, it's too late as we've already merged values into the lattice.

efriedma added a reviewer: fhahn.Mar 16 2022, 11:37 AM

I think my preferred solution here would be to delay deleting dead blocks further, until the lattice stops mattering.

Any solution that involves trying to explicitly fix up the lattice, like the current patch, is going to cause problems for correctness and perf, I think.

For your other proposed solution, I don't think you can tell whether a block is reachable at the point where the blockaddress shows up in the lattice. You could blacklist all blockaddresses from the lattice, I guess, for a minor loss of optimization power.

You could also possibly use a TrackingVH in ValueLatticeElement; not sure what consequences that would have.

nickdesaulniers added a comment.Mar 16 2022, 11:59 AM
In D121744#3386887, @efriedma wrote:

I think my preferred solution here would be to delay deleting dead blocks further, until the lattice stops mattering.

diff --git a/llvm/lib/Transforms/Scalar/SCCP.cpp b/llvm/lib/Transforms/Scalar/SCCP.cpp
index 794d4c5b5bc6..e9e3e90df875 100644
--- a/llvm/lib/Transforms/Scalar/SCCP.cpp
+++ b/llvm/lib/Transforms/Scalar/SCCP.cpp
@@ -505,7 +505,7 @@ bool llvm::runIPSCCP(
 
         MadeChanges = true;
 
-        if (&BB != &F.front())
+        if (&BB != &F.front() && !BB.hasAddressTaken())
           BlocksToErase.push_back(&BB);
         continue;
       }

?

efriedma added inline comments.Mar 16 2022, 12:10 PM
llvm/lib/Transforms/Scalar/SCCP.cpp
533–534

Something more like this, I think? Assuming this doesn't have any side-effects I'm not thinking of.

nickdesaulniers added inline comments.Mar 16 2022, 1:40 PM
llvm/lib/Transforms/Scalar/SCCP.cpp
533–534

yeah, that's the simplest fix.

I'm going to pre-commit updating llvm/test/Transforms/SCCP/dangling-block-address.ll's RUN line to use NPM, and run it through update_test_checks.py, just so we can see what changes.

nickdesaulniers mentioned this in rG6ede09b6b71e: [SCCP] update test to NPM, update_test_checks. NFC.Mar 16 2022, 1:51 PM
nickdesaulniers updated this revision to Diff 415971.Mar 16 2022, 2:06 PM
  • rebase on pre-committed test changes. Use @efriedma's sugguestion.
nickdesaulniers retitled this revision from [SCCP] Update ValueLatticeElement blockaddresses when removing unreachable BasicBlocks to [SCCP] do not clean up dead blocks that have their address taken.Mar 16 2022, 2:06 PM
nickdesaulniers edited the summary of this revision. (Show Details)
nickdesaulniers marked an inline comment as done.
Harbormaster completed remote builds in B154699: Diff 415971.Mar 16 2022, 2:48 PM
nikic accepted this revision.Mar 17 2022, 1:32 AM

LGTM. We could still delay these blocks later (after all functions have been handled), but I don't think it would be worthwhile.

This revision is now accepted and ready to land.Mar 17 2022, 1:32 AM
This revision was landed with ongoing or failed builds.Mar 18 2022, 11:02 AM
Closed by commit rGe1bae23f6f2b: [SCCP] do not clean up dead blocks that have their address taken (authored by nickdesaulniers). · Explain Why
This revision was automatically updated to reflect the committed changes.
nickdesaulniers added a commit: rGe1bae23f6f2b: [SCCP] do not clean up dead blocks that have their address taken.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Scalar/
3 lines
test/
Transforms/
SCCP/
39 lines

Diff 416564

llvm/lib/Transforms/Scalar/SCCP.cpp

Show First 20 LinesShow All 518 Lines▼ Show 20 Lines for (Function &F : M) {
// nodes in executable blocks we found values for. The function's entry // nodes in executable blocks we found values for. The function's entry
// block is not part of BlocksToErase, so we have to handle it separately. // block is not part of BlocksToErase, so we have to handle it separately.
for (BasicBlock *BB : BlocksToErase) { for (BasicBlock *BB : BlocksToErase) {
NumInstRemoved += changeToUnreachable(BB->getFirstNonPHI(), NumInstRemoved += changeToUnreachable(BB->getFirstNonPHI(),
/*PreserveLCSSA=*/false, &DTU); /*PreserveLCSSA=*/false, &DTU);
} }
if (!Solver.isBlockExecutable(&F.front())) if (!Solver.isBlockExecutable(&F.front()))
NumInstRemoved += changeToUnreachable(F.front().getFirstNonPHI(), NumInstRemoved += changeToUnreachable(F.front().getFirstNonPHI(),
/*PreserveLCSSA=*/false, &DTU); /*PreserveLCSSA=*/false, &DTU);
for (BasicBlock &BB : F) for (BasicBlock &BB : F)
MadeChanges |= removeNonFeasibleEdges(Solver, &BB, DTU); MadeChanges |= removeNonFeasibleEdges(Solver, &BB, DTU);
nickdesaulniersAuthorUnsubmitted
Done
ReplyInline Actions

There's probably some code somewhere in llvm::SimplifyInstruction that already does this transform (as observed by SimplifyCFG in https://github.com/llvm/llvm-project/issues/54328#issuecomment-1067229660). maybe that can be reused here?

Since the behavior is surprising to users (https://github.com/llvm/llvm-project/issues/54328) maybe we could consolidate such transforms with a comment about why this is done, for historical context?

nickdesaulniers: There's probably some code somewhere in `llvm::SimplifyInstruction` that already does this…
for (BasicBlock *DeadBB : BlocksToErase) for (BasicBlock *DeadBB : BlocksToErase)
if (!DeadBB->hasAddressTaken())
DTU.deleteBB(DeadBB); DTU.deleteBB(DeadBB);
efriedmaUnsubmitted
Done
ReplyInline Actions
for (BasicBlock *DeadBB : BlocksToErase)
- DTU.deleteBB(DeadBB);
+ if (!BB.hasAddressTaken())
+ DTU.deleteBB(DeadBB);
for (BasicBlock &BB : F) {

Something more like this, I think? Assuming this doesn't have any side-effects I'm not thinking of.

efriedma: Something more like this, I think? Assuming this doesn't have any side-effects I'm not…
nickdesaulniersAuthorUnsubmitted
Done
ReplyInline Actions

yeah, that's the simplest fix.

I'm going to pre-commit updating llvm/test/Transforms/SCCP/dangling-block-address.ll's RUN line to use NPM, and run it through update_test_checks.py, just so we can see what changes.

nickdesaulniers: yeah, that's the simplest fix. I'm going to pre-commit updating…
for (BasicBlock &BB : F) { for (BasicBlock &BB : F) {
for (Instruction &Inst : llvm::make_early_inc_range(BB)) { for (Instruction &Inst : llvm::make_early_inc_range(BB)) {
if (Solver.getPredicateInfoFor(&Inst)) { if (Solver.getPredicateInfoFor(&Inst)) {
if (auto *II = dyn_cast<IntrinsicInst>(&Inst)) { if (auto *II = dyn_cast<IntrinsicInst>(&Inst)) {
if (II->getIntrinsicID() == Intrinsic::ssa_copy) { if (II->getIntrinsicID() == Intrinsic::ssa_copy) {
Value *Op = II->getOperand(0); Value *Op = II->getOperand(0);
Inst.replaceAllUsesWith(Op); Inst.replaceAllUsesWith(Op);
nickdesaulniersAuthorUnsubmitted
Done
ReplyInline Actions

While this removes the special case for bitcasts, it's still subtly not quite right; it only checks for one level of nesting of ConstExprs; there could be multiple "levels of nesting" for the aggregated Constant stored in the lattice.

i.e. the BlockAddress of interest might have the following User: i64* bitcast (i8* blockaddress(@main, %redirected) to i64*); but I worry if the lattice had something like i8* bitcast (i64* bitcast (i8* blockaddress(@main, %redirected) to i64*) to i8*); then we'd be trying to replace the former and not finding the latter. Unless the latter is also considered a User of the BlockAddress?

I can test that, but I'm going to see first whether we can query the solver whether it has reach-ability info ready BEFORE we internalize new ConstantExpr's containing BlockAddress Constants into the lattice. Then we could avoid this find+replace dance and simply do less work.

nickdesaulniers: While this removes the special case for bitcasts, it's still subtly not quite right; it only…
nickdesaulniersAuthorUnsubmitted
Done
ReplyInline Actions

but I'm going to see first whether we can query the solver whether it has reach-ability info ready BEFORE we internalize new ConstantExpr's containing BlockAddress Constants into the lattice. Then we could avoid this find+replace dance and simply do less work.

Yeah, the SCCPVisitor marks blocks executable during a traversal, while eagerly adding values to the lattice; so block executability is not precise until we've completed the traversal. At that point, it's too late as we've already merged values into the lattice.

nickdesaulniers: > but I'm going to see first whether we can query the solver whether it has reach-ability info…
Inst.eraseFromParent(); Inst.eraseFromParent();
} }
} }
} }
} }
} }
} }
▲ Show 20 LinesShow All 108 LinesShow Last 20 Lines

llvm/test/Transforms/SCCP/dangling-block-address.ll

; NOTE: Assertions have been autogenerated by utils/update_test_checks.py ; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
; RUN: opt -S -passes=internalize,ipsccp %s | FileCheck %s ; RUN: opt -S -passes=internalize,ipsccp %s | FileCheck %s
; PR5569 ; PR5569
; IPSCCP should prove that the blocks are dead and delete them, and ; If BasicBlocks are unreachable, IPSCCP should convert them to unreachable.
; properly handle the dangling blockaddress constants. ; Unless they have their address taken, delete them. If they do have their
; address taken, let other passes replace these "dead" blockaddresses with some
; other Constant.
; CHECK: @bar.l = internal constant [2 x i8*] [i8* blockaddress(@bar, %lab0), i8* blockaddress(@bar, %end)]
; CHECK: @bar.l = internal constant [2 x i8*] [i8* inttoptr (i32 1 to i8*), i8* inttoptr (i32 1 to i8*)]
@code = global [5 x i32] [i32 0, i32 0, i32 0, i32 0, i32 1], align 4 ; <[5 x i32]*> [#uses=0] @code = global [5 x i32] [i32 0, i32 0, i32 0, i32 0, i32 1], align 4 ; <[5 x i32]*> [#uses=0]
@bar.l = internal constant [2 x i8*] [i8* blockaddress(@bar, %lab0), i8* blockaddress(@bar, %end)] ; <[2 x i8*]*> [#uses=1] @bar.l = internal constant [2 x i8*] [i8* blockaddress(@bar, %lab0), i8* blockaddress(@bar, %end)] ; <[2 x i8*]*> [#uses=1]
define void @foo(i32 %x) nounwind readnone { define void @foo(i32 %x) nounwind readnone {
; CHECK-LABEL: @foo( ; CHECK-LABEL: @foo(
; CHECK-NEXT: entry: ; CHECK-NEXT: entry:
; CHECK-NEXT: unreachable ; CHECK-NEXT: unreachable
; ;
entry: entry:
%b = alloca i32, align 4 ; <i32*> [#uses=1] %b = alloca i32, align 4 ; <i32*> [#uses=1]
store volatile i32 -1, i32* %b store volatile i32 -1, i32* %b
ret void ret void
} }
define void @bar(i32* nocapture %pc) nounwind readonly { define void @bar(i32* nocapture %pc) nounwind readonly {
; CHECK-LABEL: @bar( ; CHECK-LABEL: @bar(
; CHECK-NEXT: entry: ; CHECK-NEXT: entry:
; CHECK-NEXT: unreachable ; CHECK-NEXT: unreachable
; CHECK: lab0:
; CHECK-NEXT: unreachable
; CHECK: end:
; CHECK-NEXT: unreachable
; ;
entry: entry:
br label %indirectgoto br label %indirectgoto
lab0: ; preds = %indirectgoto lab0: ; preds = %indirectgoto
%indvar.next = add i32 %indvar, 1 ; <i32> [#uses=1] %indvar.next = add i32 %indvar, 1 ; <i32> [#uses=1]
br label %indirectgoto br label %indirectgoto
Show All 12 Lines
define i32 @main() nounwind readnone { define i32 @main() nounwind readnone {
; CHECK-LABEL: @main( ; CHECK-LABEL: @main(
; CHECK-NEXT: entry: ; CHECK-NEXT: entry:
; CHECK-NEXT: unreachable ; CHECK-NEXT: unreachable
; ;
entry: entry:
ret i32 0 ret i32 0
} }
; https://github.com/llvm/llvm-project/issues/54238
; https://github.com/llvm/llvm-project/issues/54251
; https://github.com/llvm/llvm-project/issues/54328
define i32 @test1() {
; CHECK-LABEL: @test1(
; CHECK-NEXT: unreachable
; CHECK: redirected:
; CHECK-NEXT: unreachable
;
%1 = bitcast i8* blockaddress(@test1, %redirected) to i64*
call void @set_return_addr(i64* %1)
ret i32 0
redirected:
ret i32 0
}
define internal void @set_return_addr(i64* %addr) {
; CHECK-LABEL: @set_return_addr(
; CHECK-NEXT: unreachable
;
%addr.addr = alloca i64*, i32 0, align 8
store i64* %addr, i64** %addr.addr, align 8
ret void
}