Differential D129745
Fix a stack overflow in ScalarEvolution. Authored by jreiffers on Jul 14 2022, 2:06 AM.
Details
Unfortunately, this overflow is extremely hard to reproduce reliably (in fact, I was unable to do so). The issue is that:
For certain deep dependency trees, this causes a stack overflow.
Diff Detail
Event TimelineComment Actions Before doing something like this, we should evaluate compile-time impact of dropping this optimization entirely. Comment Actions Happy to do that. programUndefinedIfPoison looks fairly expensive on its own. I'm fairly new to this project, do you have a pointer what to run? Also, unfortunately some tests appear to depend on this optimization. It would also be great if I could drop the optimization in a follow-up, since this bug is currently causing production issues for us (and I'm not sure how long the tests will take to fix). Comment Actions Here's what I've been using: std::string replace_all(const std::string &s, const std::string &needle,
const std::string &replacement) {
std::size_t prev = 0, pos;
std::string out = s;
while ((pos = out.find(needle, prev)) != std::string::npos) {
prev = pos;
out.replace(pos, needle.length(), replacement);
}
return out;
}
TEST_F(ScalarEvolutionsTest, StackOverflowForDeepExpression) {
#define MAX 70
#define MAX_STR "70"
std::string kLoopBodyTemplate = R"(
%a${n} = getelementptr inbounds i8, ptr %0, i64 14794768
%b${n} = getelementptr inbounds [1 x [8192 x float]], ptr %a${n}, i64 0, i64 0, i64 %i${n-1}
%c${n} = load float, ptr %b${n}, align 4
%d${n} = getelementptr inbounds [1 x [8192 x [2 x float]]], ptr %1, i64 0, i64 0, i64 %i${n-1}, i64 0
store float %c${n}, ptr %d${n}, align 8
%e${n} = getelementptr inbounds i8, ptr %1, i64 14762000
%f${n} = getelementptr inbounds [1 x [8192 x float]], ptr %e${n}, i64 0, i64 0, i64 %i${n-1}
%g${n} = load float, ptr %f${n}, align 4
%h${n} = getelementptr inbounds [1 x [8192 x [2 x float]]], ptr %1, i64 0, i64 0, i64 %i${n-1}, i64 1
store float %g${n}, ptr %h${n}, align 4
%i${n} = add nuw nsw i64 %i${n-1}, 1
%j${n} = icmp eq i64 %i${n}, 8192
)";
std::string ModuleCode = R"(
define i32 @foo() {
while.171.exit:
br label %fusion.286.loop_header.dim.2.preheader
fusion.286.loop_header.dim.2.preheader: ; preds = %fusion.286.loop_header.dim.2.preheader, %while.171.exit
%i0 = phi i64 [ 0, %while.171.exit ], [ %i)" MAX_STR
R"(, %fusion.286.loop_header.dim.2.preheader ]
%0 = inttoptr i32 0 to ptr
%1 = inttoptr i32 0 to ptr
)";
for (int i = 1; i <= MAX; ++i) {
ModuleCode += replace_all(replace_all(kLoopBodyTemplate, "${n}", itostr(i)),
"${n-1}", itostr(i - 1));
}
ModuleCode +=
"br i1 %j" MAX_STR
R"(, label %fusion.286.loop_exit.dim.0, label %fusion.286.loop_header.dim.2.preheader
fusion.286.loop_exit.dim.0:
ret i32 0
}
)";
LLVMContext C;
SMDiagnostic Err;
std::unique_ptr<Module> M = parseAssemblyString(ModuleCode, Err, C);
ASSERT_EQ(Err.getMessage(), "");
struct rlimit rl;
ASSERT_EQ(getrlimit(RLIMIT_STACK, &rl), 0);
rl.rlim_cur = 1;
ASSERT_EQ(setrlimit(RLIMIT_STACK, &rl), 0);
ASSERT_TRUE(M && "Could not parse module?");
ASSERT_TRUE(!verifyModule(*M, &llvm::errs()) &&
"Must have been well formed!");
runWithSE(*M, "foo", [&](Function &F, LoopInfo &LI, ScalarEvolution &SE) {
auto *ScevIV = SE.getSCEV(getInstructionByName(F, "i63"));
ASSERT_NE(ScevIV, nullptr);
});
}But it's not very reliable, you may have to run it a few times and/or fiddle with MAX. For me it fails about 30% of the time. Comment Actions Thanks, I'll give that a try!
This seems very surprising. I'd expect the stack overflow to reproduce consistently as each run should produce the same call stack with the same size (at least if the depth is deep enough). There's probably some non-determinism somewhere that should also be fixed. Comment Actions Ah sorry, my wording here was really ambiguous: By "optimization" I was referring to the compile-time optimization of combining operands from multiple add/muls, rather than just creating pairwise expressions. The preservation of nowrap flags via UB reasoning is important, and not something that can be dropped. Comment Actions I also meant just trying to drop the special-casing of add and mul in getOperandsToCreate. I didn't run the tests myself, but bkramer mentioned that doing this (i.e. always enqueueing LHS and RHS here) broke some tests. I agree, it's somewhat weird. However, I was running this on our internal test infrastructure, so the tests may have been running on different architectures/CPUs. Maybe that plays a role. Comment Actions Compile-time impact on CTMark for removing the special handling: http://llvm-compile-time-tracker.com/compare.php?from=2659e1bf4b54cf9c2fadac0813e5e0ab4d2c49d5&to=38c11e7340b66928403db9eceb302bb216ca060b&stat=instructions Comment Actions Can we land this? The deep recursion is actively causing trouble for LLVM users by crashing the compiler. Even if it's not a perfect fix it's still better than overflowing the stack. Comment Actions Yeah, let me try to reproduce this locally tomorrow and land it over wise. @jreiffers could you share the interesting bit of the stack-trace causing the overflow? Comment Actions @fhahn The recursion loop is createSCEV -> isSCEVExprNeverPoison -> createSCEVIter -> createSCEV (see also the summary of this change). Comment Actions LGTM thanks! I managed to reproduce this locally with much larger value for MAX & co. It looks like avoiding the optimization is the only option here, as createSCEV itself will create SCEVs for all intermediate binary expressions in those cases...... It might be good to adjust the commit message to be a bit more precise about the actual fix.
Comment Actions
It would have been good to improve the commit title.... Comment Actions Sorry, missed that. Also, I don't know what improvement you had in mind. I find it pretty clear.
Comment Actions It's too generic, it should ideally be more clear about which stack overflow was fixed for example. Comment Actions There's a description of what causes the stack overflow in the summary. I don't really have anything to add to that. | ||||||||||||||||||||||||