This is an archive of the discontinued LLVM Phabricator instance.

[BasicAA] Fix order in which we pass MemoryLocations to alias()
ClosedPublic

Authored by aeubanks on May 10 2022, 10:23 AM.

Download Raw Diff

Details

Reviewers

dfukalov
asbirlea
nikic

Commits

rG7e0802aeb5b9: [BasicAA] Fix order in which we pass MemoryLocations to alias()

Summary

D98718 caused the order of Values/MemoryLocations we pass to alias() to
be significant due to storing the offset in the PartialAlias case. But
some callers weren't audited and were still passing swapped arguments,
causing the returned PartialAlias offset to be negative in some
cases. For example, the newly added unittests would return -1
instead of 1.

Fixes #55343, a miscompile.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

aeubanks created this revision.May 10 2022, 10:23 AM

Herald added a project: Restricted Project. · View Herald TranscriptMay 10 2022, 10:23 AM

Herald added subscribers: jeroen.dobbelaere, hiraditya. · View Herald Transcript

aeubanks requested review of this revision.May 10 2022, 10:23 AM

Herald added a project: Restricted Project. · View Herald TranscriptMay 10 2022, 10:23 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

format

looks like this isn't the only time this sort of thing has come up: D115927

LGTM

This revision is now accepted and ready to land.May 10 2022, 11:24 AM

asbirlea accepted this revision.May 10 2022, 11:36 AM

Harbormaster completed remote builds in B163730: Diff 428427.May 10 2022, 11:59 AM

This revision was landed with ongoing or failed builds.May 10 2022, 12:09 PM

Closed by commit rG7e0802aeb5b9: [BasicAA] Fix order in which we pass MemoryLocations to alias() (authored by aeubanks). · Explain Why

This revision was automatically updated to reflect the committed changes.

aeubanks added a commit: rG7e0802aeb5b9: [BasicAA] Fix order in which we pass MemoryLocations to alias().

arichardson added a subscriber: arichardson.May 13 2022, 10:41 AM

arichardson added inline comments.

llvm/include/llvm/IR/IRBuilder.h
544	Would it be possible to drop the default zero argument for new APIs? Defaulting to AS0 instead of explicitly passing address spaces often causes assertion errors for targets such as AVR or the downstream CHERI-RISC-V and Arm Morello targets.
544	o

aeubanks added inline comments.May 13 2022, 10:46 AM

llvm/include/llvm/IR/IRBuilder.h
544	As somebody unfamiliar with those targets, what would be the right thing to pass in various cases? And if you're interested in dropping the default argument, I think it would be better to do that all at once for all APIs. Is it possible to add in-tree testing for the sort of thing you're interested in without upstreaming an entire target?

Revision Contents

Path

Size

llvm/

include/

llvm/

IR/

IRBuilder.h

5 lines

lib/

Analysis/

BasicAliasAnalysis.cpp

17 lines

unittests/

Analysis/

BasicAliasAnalysisTest.cpp

77 lines

Diff 428461

llvm/include/llvm/IR/IRBuilder.h

Show First 20 Lines • Show All 534 Lines • ▼ Show 20 Lines	Type *getDoubleTy() {
return Type::getDoubleTy(Context);		return Type::getDoubleTy(Context);
}		}

/// Fetch the type representing void.		/// Fetch the type representing void.
Type *getVoidTy() {		Type *getVoidTy() {
return Type::getVoidTy(Context);		return Type::getVoidTy(Context);
}		}

		/// Fetch the type representing a pointer.
		PointerType *getPtrTy(unsigned AddrSpace = 0) {
		arichardsonUnsubmitted Not Done Reply Inline Actions Would it be possible to drop the default zero argument for new APIs? Defaulting to AS0 instead of explicitly passing address spaces often causes assertion errors for targets such as AVR or the downstream CHERI-RISC-V and Arm Morello targets. arichardson: Would it be possible to drop the default zero argument for new APIs? Defaulting to AS0 instead…
		aeubanksAuthorUnsubmitted Done Reply Inline Actions As somebody unfamiliar with those targets, what would be the right thing to pass in various cases? And if you're interested in dropping the default argument, I think it would be better to do that all at once for all APIs. Is it possible to add in-tree testing for the sort of thing you're interested in without upstreaming an entire target? aeubanks: As somebody unfamiliar with those targets, what would be the right thing to pass in various…
		arichardsonUnsubmitted Not Done Reply Inline Actions o arichardson: o
		return PointerType::get(Context, AddrSpace);
		}

/// Fetch the type representing a pointer to an 8-bit integer value.		/// Fetch the type representing a pointer to an 8-bit integer value.
PointerType *getInt8PtrTy(unsigned AddrSpace = 0) {		PointerType *getInt8PtrTy(unsigned AddrSpace = 0) {
return Type::getInt8PtrTy(Context, AddrSpace);		return Type::getInt8PtrTy(Context, AddrSpace);
}		}

/// Fetch the type representing a pointer to an integer value.		/// Fetch the type representing a pointer to an integer value.
IntegerType *getIntPtrTy(const DataLayout &DL, unsigned AddrSpace = 0) {		IntegerType *getIntPtrTy(const DataLayout &DL, unsigned AddrSpace = 0) {
return DL.getIntPtrType(Context, AddrSpace);		return DL.getIntPtrType(Context, AddrSpace);
▲ Show 20 Lines • Show All 2,006 Lines • Show Last 20 Lines

llvm/lib/Analysis/BasicAliasAnalysis.cpp

Show First 20 Lines • Show All 1,385 Lines • ▼ Show 20 Lines	if (SI->getCondition() == SI2->getCondition()) {
AliasResult ThisAlias = getBestAAResults().alias(		AliasResult ThisAlias = getBestAAResults().alias(
MemoryLocation(SI->getFalseValue(), SISize),		MemoryLocation(SI->getFalseValue(), SISize),
MemoryLocation(SI2->getFalseValue(), V2Size), AAQI);		MemoryLocation(SI2->getFalseValue(), V2Size), AAQI);
return MergeAliasResults(ThisAlias, Alias);		return MergeAliasResults(ThisAlias, Alias);
}		}

// If both arms of the Select node NoAlias or MustAlias V2, then returns		// If both arms of the Select node NoAlias or MustAlias V2, then returns
// NoAlias / MustAlias. Otherwise, returns MayAlias.		// NoAlias / MustAlias. Otherwise, returns MayAlias.
AliasResult Alias = getBestAAResults().alias(		AliasResult Alias =
MemoryLocation(V2, V2Size),		getBestAAResults().alias(MemoryLocation(SI->getTrueValue(), SISize),
MemoryLocation(SI->getTrueValue(), SISize), AAQI);		MemoryLocation(V2, V2Size), AAQI);
if (Alias == AliasResult::MayAlias)		if (Alias == AliasResult::MayAlias)
return AliasResult::MayAlias;		return AliasResult::MayAlias;

AliasResult ThisAlias = getBestAAResults().alias(		AliasResult ThisAlias =
MemoryLocation(V2, V2Size),		getBestAAResults().alias(MemoryLocation(SI->getFalseValue(), SISize),
MemoryLocation(SI->getFalseValue(), SISize), AAQI);		MemoryLocation(V2, V2Size), AAQI);
return MergeAliasResults(ThisAlias, Alias);		return MergeAliasResults(ThisAlias, Alias);
}		}

/// Provide a bunch of ad-hoc rules to disambiguate a PHI instruction against		/// Provide a bunch of ad-hoc rules to disambiguate a PHI instruction against
/// another.		/// another.
AliasResult BasicAAResult::aliasPHI(const PHINode *PN, LocationSize PNSize,		AliasResult BasicAAResult::aliasPHI(const PHINode *PN, LocationSize PNSize,
const Value *V2, LocationSize V2Size,		const Value *V2, LocationSize V2Size,
AAQueryInfo &AAQI) {		AAQueryInfo &AAQI) {
▲ Show 20 Lines • Show All 105 Lines • ▼ Show 20 Lines	AliasResult BasicAAResult::aliasPHI(const PHINode *PN, LocationSize PNSize,

// If we inserted a block into VisitedPhiBBs, alias analysis results that		// If we inserted a block into VisitedPhiBBs, alias analysis results that
// have been cached earlier may no longer be valid. Perform recursive queries		// have been cached earlier may no longer be valid. Perform recursive queries
// with a new AAQueryInfo.		// with a new AAQueryInfo.
AAQueryInfo NewAAQI = AAQI.withEmptyCache();		AAQueryInfo NewAAQI = AAQI.withEmptyCache();
AAQueryInfo *UseAAQI = BlockInserted ? &NewAAQI : &AAQI;		AAQueryInfo *UseAAQI = BlockInserted ? &NewAAQI : &AAQI;

AliasResult Alias = getBestAAResults().alias(		AliasResult Alias = getBestAAResults().alias(
MemoryLocation(V2, V2Size),		MemoryLocation(V1Srcs[0], PNSize), MemoryLocation(V2, V2Size), *UseAAQI);
MemoryLocation(V1Srcs[0], PNSize), *UseAAQI);

// Early exit if the check of the first PHI source against V2 is MayAlias.		// Early exit if the check of the first PHI source against V2 is MayAlias.
// Other results are not possible.		// Other results are not possible.
if (Alias == AliasResult::MayAlias)		if (Alias == AliasResult::MayAlias)
return AliasResult::MayAlias;		return AliasResult::MayAlias;
// With recursive phis we cannot guarantee that MustAlias/PartialAlias will		// With recursive phis we cannot guarantee that MustAlias/PartialAlias will
// remain valid to all elements and needs to conservatively return MayAlias.		// remain valid to all elements and needs to conservatively return MayAlias.
if (isRecursive && Alias != AliasResult::NoAlias)		if (isRecursive && Alias != AliasResult::NoAlias)
return AliasResult::MayAlias;		return AliasResult::MayAlias;

// If all sources of the PHI node NoAlias or MustAlias V2, then returns		// If all sources of the PHI node NoAlias or MustAlias V2, then returns
// NoAlias / MustAlias. Otherwise, returns MayAlias.		// NoAlias / MustAlias. Otherwise, returns MayAlias.
for (unsigned i = 1, e = V1Srcs.size(); i != e; ++i) {		for (unsigned i = 1, e = V1Srcs.size(); i != e; ++i) {
Value *V = V1Srcs[i];		Value *V = V1Srcs[i];

AliasResult ThisAlias = getBestAAResults().alias(		AliasResult ThisAlias = getBestAAResults().alias(
MemoryLocation(V2, V2Size), MemoryLocation(V, PNSize), *UseAAQI);		MemoryLocation(V, PNSize), MemoryLocation(V2, V2Size), *UseAAQI);
Alias = MergeAliasResults(ThisAlias, Alias);		Alias = MergeAliasResults(ThisAlias, Alias);
if (Alias == AliasResult::MayAlias)		if (Alias == AliasResult::MayAlias)
break;		break;
}		}

return Alias;		return Alias;
}		}

▲ Show 20 Lines • Show All 393 Lines • Show Last 20 Lines

llvm/unittests/Analysis/BasicAliasAnalysisTest.cpp

Show First 20 Lines • Show All 57 Lines • ▼ Show 20 Lines	protected:
TestAnalyses &setupAnalyses() {		TestAnalyses &setupAnalyses() {
assert(F);		assert(F);
Analyses.emplace(*this);		Analyses.emplace(*this);
return Analyses.getValue();		return Analyses.getValue();
}		}

public:		public:
BasicAATest()		BasicAATest()
: M("BasicAATest", C), B(C), DL(DLString), TLI(TLII), F(nullptr) {}		: M("BasicAATest", C), B(C), DL(DLString), TLI(TLII), F(nullptr) {
		C.setOpaquePointers(true);
		}
};		};

// Check that a function arg can't trivially alias a global when we're accessing		// Check that a function arg can't trivially alias a global when we're accessing
// >sizeof(global) bytes through that arg, unless the access size is just an		// >sizeof(global) bytes through that arg, unless the access size is just an
// upper-bound.		// upper-bound.
TEST_F(BasicAATest, AliasInstWithObjectOfImpreciseSize) {		TEST_F(BasicAATest, AliasInstWithObjectOfImpreciseSize) {
F = Function::Create(		F = Function::Create(FunctionType::get(B.getVoidTy(), {B.getPtrTy()}, false),
FunctionType::get(B.getVoidTy(), {B.getInt32Ty()->getPointerTo()}, false),
GlobalValue::ExternalLinkage, "F", &M);		GlobalValue::ExternalLinkage, "F", &M);

BasicBlock *Entry(BasicBlock::Create(C, "", F));		BasicBlock *Entry(BasicBlock::Create(C, "", F));
B.SetInsertPoint(Entry);		B.SetInsertPoint(Entry);

Value *IncomingI32Ptr = F->arg_begin();		Value *IncomingI32Ptr = F->arg_begin();

auto *GlobalPtr =		auto *GlobalPtr =
cast<GlobalVariable>(M.getOrInsertGlobal("some_global", B.getInt8Ty()));		cast<GlobalVariable>(M.getOrInsertGlobal("some_global", B.getInt8Ty()));
▲ Show 20 Lines • Show All 42 Lines • ▼ Show 20 Lines	ASSERT_EQ(BasicAA.alias(
AliasResult::PartialAlias);		AliasResult::PartialAlias);

ASSERT_EQ(BasicAA.alias(		ASSERT_EQ(BasicAA.alias(
MemoryLocation(I8, LocationSize::upperBound(2)),		MemoryLocation(I8, LocationSize::upperBound(2)),
MemoryLocation(I8AtUncertainOffset, LocationSize::precise(1)),		MemoryLocation(I8AtUncertainOffset, LocationSize::precise(1)),
AAQI),		AAQI),
AliasResult::MayAlias);		AliasResult::MayAlias);
}		}

		TEST_F(BasicAATest, PartialAliasOffsetPhi) {
		F = Function::Create(
		FunctionType::get(B.getVoidTy(), {B.getPtrTy(), B.getInt1Ty()}, false),
		GlobalValue::ExternalLinkage, "F", &M);

		Value *Ptr = F->arg_begin();
		Value *I = F->arg_begin() + 1;

		BasicBlock *Entry(BasicBlock::Create(C, "", F));
		BasicBlock *B1(BasicBlock::Create(C, "", F));
		BasicBlock *B2(BasicBlock::Create(C, "", F));
		BasicBlock *End(BasicBlock::Create(C, "", F));

		B.SetInsertPoint(Entry);
		B.CreateCondBr(I, B1, B2);

		B.SetInsertPoint(B1);
		auto *Ptr1 =
		cast<GetElementPtrInst>(B.CreateGEP(B.getInt8Ty(), Ptr, B.getInt32(1)));
		B.CreateBr(End);

		B.SetInsertPoint(B2);
		auto *Ptr2 =
		cast<GetElementPtrInst>(B.CreateGEP(B.getInt8Ty(), Ptr, B.getInt32(1)));
		B.CreateBr(End);

		B.SetInsertPoint(End);
		auto *Phi = B.CreatePHI(B.getPtrTy(), 2);
		Phi->addIncoming(Ptr1, B1);
		Phi->addIncoming(Ptr2, B2);
		B.CreateRetVoid();

		auto &AllAnalyses = setupAnalyses();
		BasicAAResult &BasicAA = AllAnalyses.BAA;
		AAQueryInfo &AAQI = AllAnalyses.AAQI;
		AliasResult AR =
		BasicAA.alias(MemoryLocation(Ptr, LocationSize::precise(2)),
		MemoryLocation(Phi, LocationSize::precise(1)), AAQI);
		ASSERT_EQ(AR.getOffset(), 1);
		}

		TEST_F(BasicAATest, PartialAliasOffsetSelect) {
		F = Function::Create(
		FunctionType::get(B.getVoidTy(), {B.getPtrTy(), B.getInt1Ty()}, false),
		GlobalValue::ExternalLinkage, "F", &M);

		Value *Ptr = F->arg_begin();
		Value *I = F->arg_begin() + 1;

		BasicBlock *Entry(BasicBlock::Create(C, "", F));
		B.SetInsertPoint(Entry);

		auto *Ptr1 =
		cast<GetElementPtrInst>(B.CreateGEP(B.getInt8Ty(), Ptr, B.getInt32(1)));
		auto *Ptr2 =
		cast<GetElementPtrInst>(B.CreateGEP(B.getInt8Ty(), Ptr, B.getInt32(1)));
		auto *Select = B.CreateSelect(I, Ptr1, Ptr2);
		B.CreateRetVoid();

		auto &AllAnalyses = setupAnalyses();
		BasicAAResult &BasicAA = AllAnalyses.BAA;
		AAQueryInfo &AAQI = AllAnalyses.AAQI;
		AliasResult AR =
		BasicAA.alias(MemoryLocation(Ptr, LocationSize::precise(2)),
		MemoryLocation(Select, LocationSize::precise(1)), AAQI);
		ASSERT_EQ(AR.getOffset(), 1);
		}