This is an archive of the discontinued LLVM Phabricator instance.

Differential D126546

[InstCombine] decomposeSimpleLinearExpr should bail out on negative operands.
ClosedPublic

Authored by w2yehia on May 27 2022, 7:59 AM.

Details

Reviewers
nikic
spatel
Commits
rG0952cf5bbbc4: [InstCombine] decomposeSimpleLinearExpr should bail out on negative operands.
Summary

InstCombine tries to rewrite

%prod = mul nsw i64 %X,   Scale
%acc = add nsw i64 %prod,   Offset
%0 = alloca i8, i64 %acc, align 4
%1 = bitcast i8* %0 to i32*
Use ( %1 )

into

%prod = mul nsw i64 %X,   Scale/4
%acc = add nsw i64 %prod,   Offset/4
%0 = alloca i32, i64 %acc, align 4
Use (%0)

But it assumes Scale is unsigned.

For now, bail out on negative operands to avoid an incorrect transformation.

Diff Detail

Event Timeline

w2yehia created this revision.May 27 2022, 7:59 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 27 2022, 7:59 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
w2yehia requested review of this revision.May 27 2022, 7:59 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 27 2022, 7:59 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B166654: Diff 432561.May 27 2022, 8:49 AM
w2yehia updated this revision to Diff 432578.May 27 2022, 9:12 AM
This comment was removed by w2yehia.
w2yehia edited the summary of this revision. (Show Details)May 27 2022, 9:13 AM
nikic added reviewers: nikic, spatel.May 27 2022, 9:23 AM
nikic added a subscriber: nikic.
nikic added inline comments.
llvm/lib/Transforms/InstCombine/InstCombineCasts.cpp
42

Isn't the actual bug here? The && !OBI->hasNoSignedWrap() shouldn't be there. The number of elements is an unsigned value, so we should be checking for no unsigned wrap, not "either no unsigned or no signed wrap".

nikic retitled this revision from decomposeSimpleLinearExpr should bail out on negative operands. to [InstCombine] decomposeSimpleLinearExpr should bail out on negative operands..May 27 2022, 9:23 AM
Harbormaster completed remote builds in B166670: Diff 432578.May 27 2022, 9:58 AM
w2yehia added inline comments.May 27 2022, 10:18 AM
llvm/lib/Transforms/InstCombine/InstCombineCasts.cpp
42

i'm not that familiar with the implications of (not) having nsw, so you are likely correct.
Does the presence of nsw indicate the operands of the multiplication are signed?

nikic added inline comments.May 30 2022, 3:52 AM
llvm/lib/Transforms/InstCombine/InstCombineCasts.cpp
42

nsw indicates that there is no signed overflow, while we need no unsigned overflow here.

w2yehia added inline comments.Jun 2 2022, 5:59 AM
llvm/lib/Transforms/InstCombine/InstCombineCasts.cpp
42

Thanks for reviewing. I had to read up more about nsw/nuw and signedness in llvm in general.
I couldn't conclude that the presence of nuw indicates that the operands of the mul can be safely interpreted as unsigned.
I might be asking the wrong question, so can you please tell me why checking for nuw is necessary and sufficient in order to make the code (in decomposeSimpleLinearExpr and PromoteCastOfAllocation) to be sound?

w2yehia added a subscriber: sfertile.Jun 6 2022, 6:11 AM
w2yehia added inline comments.
llvm/lib/Transforms/InstCombine/InstCombineCasts.cpp
42

@nikic I will implement your suggestion. I had to convince myself (and get educated on these flags)

After brainstorming with @sfertile about the implications of the nuw/nsw flags, we concluded that doing only the && !OBI->hasNoSignedWrap() is not a sufficient condition to safely interpret Scale (2nd) operand of the mul as unsigned in isolation.
Consider this pseudo-llvm where the -4 is intended to be signed:

if ( %X == 1 || %X == 0) {
  %0 = mul nuw i32 %X, -4   // 1 * 4294967292 = 4294967292 (no unsigned wrap)
  ..

However, because this exit condition applies to all visited instructions (add, mul, shl), having the nuw means you cannot having something like 24 - 4 because it unsigned overflows. So if we expand the above example:

if ( %X == 1 || %X == 0) {
  %0 = mul nuw i32 %X, -4   // 1 * 4294967292 = 4294967292 (no unsigned wrap)
  %1 = add nuw i32 %0, C    // 4294967292 + C
   alloca i8, %1

The addition 4294967292 + C must overflow in order to produce a positive signed number. If it does not overflow then the user-intended result is simply a large unsigned number and storing it in an unsigned is fine.

w2yehia added inline comments.Jun 6 2022, 6:27 AM
llvm/lib/Transforms/InstCombine/InstCombineCasts.cpp
42

basically, if you have a complex expression involving add/mul/shl and one of the operands is negative, then in order to bring back the result to a positive value an unsigned overflow has to occur:

  1. add i32 -1, C // (unsigned) -1 + C must overflow
  2. mul i32 -1, C // (unsigned) -1 * C must overflow
  3. shl i32 -1, C // (unsigned) -1 << C must overflow
w2yehia updated this revision to Diff 434461.Jun 6 2022, 7:10 AM

As per review, remove !OBI->hasNoSignedWrap() from the early exit condition. Also the original fix is no longer needed so remove it as well.

nikic added inline comments.Jun 6 2022, 7:21 AM
llvm/test/Transforms/InstCombine/neg-alloca.ll
2

Please use the llvm/utils/update_test_checks.py script to generate CHECK lines.

Also, I think that this test case may be reduced, I don't think you really need much more than then mul+add+alloca+bitcast sequence?

Harbormaster completed remote builds in B168042: Diff 434461.Jun 6 2022, 7:56 AM
w2yehia added inline comments.Jun 6 2022, 11:39 AM
llvm/test/Transforms/InstCombine/neg-alloca.ll
2

I reduced the testcase, and made the RUN command canonical (based on suggestions in update_test_checks.py).
I think the current CHECKs capture the required functionality best.

w2yehia updated this revision to Diff 434552.Jun 6 2022, 11:39 AM
Harbormaster completed remote builds in B168117: Diff 434552.Jun 6 2022, 12:15 PM
w2yehia added inline comments.Jun 6 2022, 12:56 PM
llvm/test/Transforms/InstCombine/neg-alloca.ll
2

I think the current CHECKs capture the required functionality best.

Sorry wrote in a rush. I mean that we want the test not to be fragile (that's obvious) and so having too much CHECKs is not good. I think it's enough to CHECK that the negative operand remains and the alloca type is the same.

w2yehia added a comment.Jun 7 2022, 6:13 AM

@nikic any chance you can review this today? thanks!

nikic added inline comments.Jun 7 2022, 7:12 AM
llvm/test/Transforms/InstCombine/neg-alloca.ll
2

We generally prefer to always use auto-generated check lines, even if they contain "unnecessary" instructions, because it makes it easier to update tests in the future.

w2yehia updated this revision to Diff 434866.Jun 7 2022, 10:21 AM

use update_test_checks.py to generate the CHECKs

w2yehia added inline comments.Jun 7 2022, 10:22 AM
llvm/test/Transforms/InstCombine/neg-alloca.ll
2

fair enough. Thanks.

Harbormaster completed remote builds in B168343: Diff 434866.Jun 7 2022, 11:06 AM
nikic accepted this revision.Jun 7 2022, 2:26 PM

LGTM, though patch description needs an update.

This revision is now accepted and ready to land.Jun 7 2022, 2:26 PM
This revision was landed with ongoing or failed builds.Jun 7 2022, 5:58 PM
Closed by commit rG0952cf5bbbc4: [InstCombine] decomposeSimpleLinearExpr should bail out on negative operands. (authored by w2yehia). · Explain Why
This revision was automatically updated to reflect the committed changes.
w2yehia added a commit: rG0952cf5bbbc4: [InstCombine] decomposeSimpleLinearExpr should bail out on negative operands..

Revision Contents

PathSize
llvm/
lib/
Transforms/
InstCombine/
4 lines
test/
Transforms/
InstCombine/
10 lines
21 lines

Diff 435009

llvm/lib/Transforms/InstCombine/InstCombineCasts.cpp

Show All 30 Linesstatic Value *decomposeSimpleLinearExpr(Value *Val, unsigned &Scale,
if (ConstantInt *CI = dyn_cast<ConstantInt>(Val)) { if (ConstantInt *CI = dyn_cast<ConstantInt>(Val)) {
Offset = CI->getZExtValue(); Offset = CI->getZExtValue();
Scale = 0; Scale = 0;
return ConstantInt::get(Val->getType(), 0); return ConstantInt::get(Val->getType(), 0);
} }
if (BinaryOperator *I = dyn_cast<BinaryOperator>(Val)) { if (BinaryOperator *I = dyn_cast<BinaryOperator>(Val)) {
// Cannot look past anything that might overflow. // Cannot look past anything that might overflow.
// We specifically require nuw because we store the Scale in an unsigned
// and perform an unsigned divide on it.
OverflowingBinaryOperator *OBI = dyn_cast<OverflowingBinaryOperator>(Val); OverflowingBinaryOperator *OBI = dyn_cast<OverflowingBinaryOperator>(Val);
if (OBI && !OBI->hasNoUnsignedWrap() && !OBI->hasNoSignedWrap()) { if (OBI && !OBI->hasNoUnsignedWrap()) {
nikicUnsubmitted
Not Done
ReplyInline Actions

Isn't the actual bug here? The && !OBI->hasNoSignedWrap() shouldn't be there. The number of elements is an unsigned value, so we should be checking for no unsigned wrap, not "either no unsigned or no signed wrap".

nikic: Isn't the actual bug here? The `&& !OBI->hasNoSignedWrap()` shouldn't be there. The number of…
w2yehiaAuthorUnsubmitted
Done
ReplyInline Actions

i'm not that familiar with the implications of (not) having nsw, so you are likely correct.
Does the presence of nsw indicate the operands of the multiplication are signed?

w2yehia: i'm not that familiar with the implications of (not) having `nsw`, so you are likely correct.
nikicUnsubmitted
Not Done
ReplyInline Actions

nsw indicates that there is no signed overflow, while we need no unsigned overflow here.

nikic: nsw indicates that there is no signed overflow, while we need no unsigned overflow here.
w2yehiaAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for reviewing. I had to read up more about nsw/nuw and signedness in llvm in general.
I couldn't conclude that the presence of nuw indicates that the operands of the mul can be safely interpreted as unsigned.
I might be asking the wrong question, so can you please tell me why checking for nuw is necessary and sufficient in order to make the code (in decomposeSimpleLinearExpr and PromoteCastOfAllocation) to be sound?

w2yehia: Thanks for reviewing. I had to read up more about nsw/nuw and signedness in llvm in general. I…
w2yehiaAuthorUnsubmitted
Done
ReplyInline Actions

@nikic I will implement your suggestion. I had to convince myself (and get educated on these flags)

After brainstorming with @sfertile about the implications of the nuw/nsw flags, we concluded that doing only the && !OBI->hasNoSignedWrap() is not a sufficient condition to safely interpret Scale (2nd) operand of the mul as unsigned in isolation.
Consider this pseudo-llvm where the -4 is intended to be signed:

if ( %X == 1 || %X == 0) {
  %0 = mul nuw i32 %X, -4   // 1 * 4294967292 = 4294967292 (no unsigned wrap)
  ..

However, because this exit condition applies to all visited instructions (add, mul, shl), having the nuw means you cannot having something like 24 - 4 because it unsigned overflows. So if we expand the above example:

if ( %X == 1 || %X == 0) {
  %0 = mul nuw i32 %X, -4   // 1 * 4294967292 = 4294967292 (no unsigned wrap)
  %1 = add nuw i32 %0, C    // 4294967292 + C
   alloca i8, %1

The addition 4294967292 + C must overflow in order to produce a positive signed number. If it does not overflow then the user-intended result is simply a large unsigned number and storing it in an unsigned is fine.

w2yehia: @nikic I will implement your suggestion. I had to convince myself (and get educated on these…
w2yehiaAuthorUnsubmitted
Done
ReplyInline Actions

basically, if you have a complex expression involving add/mul/shl and one of the operands is negative, then in order to bring back the result to a positive value an unsigned overflow has to occur:

  1. add i32 -1, C // (unsigned) -1 + C must overflow
  2. mul i32 -1, C // (unsigned) -1 * C must overflow
  3. shl i32 -1, C // (unsigned) -1 << C must overflow
w2yehia: basically, if you have a complex expression involving add/mul/shl and one of the operands is…
Scale = 1; Scale = 1;
Offset = 0; Offset = 0;
return Val; return Val;
} }
if (ConstantInt *RHS = dyn_cast<ConstantInt>(I->getOperand(1))) { if (ConstantInt *RHS = dyn_cast<ConstantInt>(I->getOperand(1))) {
if (I->getOpcode() == Instruction::Shl) { if (I->getOpcode() == Instruction::Shl) {
// This is a value scaled by '1 << the shift amt'. // This is a value scaled by '1 << the shift amt'.
▲ Show 20 LinesShow All 2,865 LinesShow Last 20 Lines

llvm/test/Transforms/InstCombine/2011-06-13-nsw-alloca.ll

Show All 9 Lines; CHECK: alloca double*
store i32 %parm, i32* %1, align 4 store i32 %parm, i32* %1, align 4
store double* null, double** %ptr, align 4 store double* null, double** %ptr, align 4
%2 = load i32, i32* %1, align 4 %2 = load i32, i32* %1, align 4
%3 = icmp ne i32 %2, 0 %3 = icmp ne i32 %2, 0
br i1 %3, label %4, label %10 br i1 %3, label %4, label %10
; <label>:4 ; preds = %0 ; <label>:4 ; preds = %0
%5 = load i32, i32* %1, align 4 %5 = load i32, i32* %1, align 4
%6 = shl nsw i32 %5, 3 %6 = shl nuw i32 %5, 3
; With "nsw", the alloca and its bitcast can be fused: ; With "nuw", the alloca and its bitcast can be fused:
%7 = add nsw i32 %6, 2048 %7 = add nuw i32 %6, 2048
; CHECK: alloca double ; CHECK: alloca double
%8 = alloca i8, i32 %7 %8 = alloca i8, i32 %7
%9 = bitcast i8* %8 to double* %9 = bitcast i8* %8 to double*
; CHECK-NEXT: store double* ; CHECK-NEXT: store double*
store double* %9, double** %ptr, align 4 store double* %9, double** %ptr, align 4
br label %10 br label %10
; <label>:10 ; preds = %4, %0 ; <label>:10 ; preds = %4, %0
%11 = load double*, double** %ptr, align 4 %11 = load double*, double** %ptr, align 4
Show All 11 Linesdefine void @fu2(i32 %parm) nounwind ssp {
store i32 %parm, i32* %1, align 4 store i32 %parm, i32* %1, align 4
store double* null, double** %ptr, align 4 store double* null, double** %ptr, align 4
%2 = load i32, i32* %1, align 4 %2 = load i32, i32* %1, align 4
%3 = icmp ne i32 %2, 0 %3 = icmp ne i32 %2, 0
br i1 %3, label %4, label %10 br i1 %3, label %4, label %10
; <label>:4 ; preds = %0 ; <label>:4 ; preds = %0
%5 = load i32, i32* %1, align 4 %5 = load i32, i32* %1, align 4
%6 = mul nsw i32 %5, 8 %6 = mul nuw i32 %5, 8
; Without "nsw", the alloca and its bitcast cannot be fused: ; Without "nuw", the alloca and its bitcast cannot be fused:
%7 = add i32 %6, 2048 %7 = add i32 %6, 2048
; CHECK: alloca i8 ; CHECK: alloca i8
%8 = alloca i8, i32 %7 %8 = alloca i8, i32 %7
; CHECK-NEXT: bitcast double** ; CHECK-NEXT: bitcast double**
; CHECK-NEXT: store i8* ; CHECK-NEXT: store i8*
%9 = bitcast i8* %8 to double* %9 = bitcast i8* %8 to double*
store double* %9, double** %ptr, align 4 store double* %9, double** %ptr, align 4
br label %10 br label %10
; <label>:10 ; preds = %4, %0 ; <label>:10 ; preds = %4, %0
%11 = load double*, double** %ptr, align 4 %11 = load double*, double** %ptr, align 4
call void @bar(double* %11) call void @bar(double* %11)
ret void ret void
} }

llvm/test/Transforms/InstCombine/neg-alloca.ll

  • This file was added.
; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
; RUN: opt < %s -passes=instcombine -S | FileCheck %s
nikicUnsubmitted
Not Done
ReplyInline Actions

Please use the llvm/utils/update_test_checks.py script to generate CHECK lines.

Also, I think that this test case may be reduced, I don't think you really need much more than then mul+add+alloca+bitcast sequence?

nikic: Please use the llvm/utils/update_test_checks.py script to generate CHECK lines. Also, I think…
w2yehiaAuthorUnsubmitted
Done
ReplyInline Actions

I reduced the testcase, and made the RUN command canonical (based on suggestions in update_test_checks.py).
I think the current CHECKs capture the required functionality best.

w2yehia: I reduced the testcase, and made the RUN command canonical (based on suggestions in…
w2yehiaAuthorUnsubmitted
Done
ReplyInline Actions

I think the current CHECKs capture the required functionality best.

Sorry wrote in a rush. I mean that we want the test not to be fragile (that's obvious) and so having too much CHECKs is not good. I think it's enough to CHECK that the negative operand remains and the alloca type is the same.

w2yehia: > I think the current CHECKs capture the required functionality best. Sorry wrote in a rush. I…
nikicUnsubmitted
Not Done
ReplyInline Actions

We generally prefer to always use auto-generated check lines, even if they contain "unnecessary" instructions, because it makes it easier to update tests in the future.

nikic: We generally prefer to always use auto-generated check lines, even if they contain…
w2yehiaAuthorUnsubmitted
Done
ReplyInline Actions

fair enough. Thanks.

w2yehia: fair enough. Thanks.
declare void @use(i32 *)
define void @foo(i64 %X) {
; Currently we cannot handle expressions of the form Offset - X * Scale.
; CHECK-LABEL: @foo(
; CHECK-NEXT: [[TMP1:%.*]] = mul nsw i64 [[X:%.*]], -4
; CHECK-NEXT: [[TMP2:%.*]] = add nsw i64 [[TMP1]], 24
; CHECK-NEXT: [[TMP3:%.*]] = alloca i8, i64 [[TMP2]], align 4
; CHECK-NEXT: [[TMP4:%.*]] = bitcast i8* [[TMP3]] to i32*
; CHECK-NEXT: call void @use(i32* nonnull [[TMP4]])
; CHECK-NEXT: ret void
;
%1 = mul nsw i64 %X, -4
%2 = add nsw i64 %1, 24
%3 = alloca i8, i64 %2, align 4
%4 = bitcast i8* %3 to i32*
call void @use(i32 *%4)
ret void
}