This is an archive of the discontinued LLVM Phabricator instance.

Differential D134892

[X86] Avoid miscompile in combineOr (X86ISelLowering.cpp)
ClosedPublic

Authored by bjope on Sep 29 2022, 9:32 AM.

Details

Reviewers
craig.topper
RKSimon
deadalnix
Commits
rG0513b0305acd: [X86] Avoid miscompile in combineOr (X86ISelLowering.cpp)
Summary

In combineOr (X86ISelLowering.cpp) there is a DAG combine that rewrite
a "(0 - SetCC) | C" pattern into something simpler given that a LEA
can be used. Another requirement is that C has some specific value,
for example 1 or 7. When checking those requirements the code used a
32-bit unsigned variable to store the value of C. So for a 64-bit OR
this could miscompile in case any of the 32 most significant bits in
C were non zero.

This patch adds fixes the bug by using a large enough type for the
C value.

The faulty code seem to have been introduced by commit 9bceb8981d32fe
(D131358).

Diff Detail

Event Timeline

bjope created this revision.Sep 29 2022, 9:32 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 29 2022, 9:32 AM
Herald added subscribers: StephenFan, pengfei, hiraditya. · View Herald Transcript
bjope requested review of this revision.Sep 29 2022, 9:32 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 29 2022, 9:32 AM
Harbormaster completed remote builds in B189446: Diff 463936.Sep 29 2022, 9:33 AM
RKSimon accepted this revision.Sep 29 2022, 10:23 AM

Nice catch!

This revision is now accepted and ready to land.Sep 29 2022, 10:23 AM
This revision was landed with ongoing or failed builds.Sep 29 2022, 12:26 PM
Closed by commit rG0513b0305acd: [X86] Avoid miscompile in combineOr (X86ISelLowering.cpp) (authored by bjope). · Explain Why
This revision was automatically updated to reflect the committed changes.
bjope added a commit: rG0513b0305acd: [X86] Avoid miscompile in combineOr (X86ISelLowering.cpp).
bjope added a comment.Sep 29 2022, 2:04 PM

For the record, we found this problem after having merged

commit d1baed7c9c8341c43c696cce1b7ec846c21b0b45
Author: Amaury Séchet <deadalnix@gmail.com>
Date:   Fri Aug 5 13:33:07 2022 +0000

    [DAG] select Cond, -1, C --> or (sext Cond), C if Cond is MVT::i1
    
    This seems to be beneficial overall, except for midpoint-int.ll .
    
    The X86 backend seems to generate zeroing that are not necesary.
    
    Reviewed By: shchenz
    
    Differential Revision: https://reviews.llvm.org/D131260

even though the bug seems to have been around since Aug 7 (commit 9bceb8981d32fe).

Revision Contents

PathSize
llvm/
lib/
Target/
X86/
2 lines
test/
CodeGen/
X86/
8 lines

Diff 463997

llvm/lib/Target/X86/X86ISelLowering.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 48,586 Lines▼ Show 20 Lines if ((VT == MVT::i32 || VT == MVT::i64) &&
N0.getOpcode() == ISD::SUB && N0.hasOneUse() && N0.getOpcode() == ISD::SUB && N0.hasOneUse() &&
isNullConstant(N0.getOperand(0))) { isNullConstant(N0.getOperand(0))) {
SDValue Cond = N0.getOperand(1); SDValue Cond = N0.getOperand(1);
if (Cond.getOpcode() == ISD::ZERO_EXTEND && Cond.hasOneUse()) if (Cond.getOpcode() == ISD::ZERO_EXTEND && Cond.hasOneUse())
Cond = Cond.getOperand(0); Cond = Cond.getOperand(0);
if (Cond.getOpcode() == X86ISD::SETCC && Cond.hasOneUse()) { if (Cond.getOpcode() == X86ISD::SETCC && Cond.hasOneUse()) {
if (auto *CN = dyn_cast<ConstantSDNode>(N1)) { if (auto *CN = dyn_cast<ConstantSDNode>(N1)) {
unsigned Val = CN->getZExtValue(); uint64_t Val = CN->getZExtValue();
if (Val == 1 || Val == 2 || Val == 3 || Val == 4 || Val == 7 || Val == 8) { if (Val == 1 || Val == 2 || Val == 3 || Val == 4 || Val == 7 || Val == 8) {
X86::CondCode CCode = (X86::CondCode)Cond.getConstantOperandVal(0); X86::CondCode CCode = (X86::CondCode)Cond.getConstantOperandVal(0);
CCode = X86::GetOppositeBranchCondition(CCode); CCode = X86::GetOppositeBranchCondition(CCode);
SDValue NotCond = getSETCC(CCode, Cond.getOperand(1), SDLoc(Cond), DAG); SDValue NotCond = getSETCC(CCode, Cond.getOperand(1), SDLoc(Cond), DAG);
SDValue R = DAG.getZExtOrTrunc(NotCond, dl, VT); SDValue R = DAG.getZExtOrTrunc(NotCond, dl, VT);
R = DAG.getNode(ISD::MUL, dl, VT, R, DAG.getConstant(Val + 1, dl, VT)); R = DAG.getNode(ISD::MUL, dl, VT, R, DAG.getConstant(Val + 1, dl, VT));
R = DAG.getNode(ISD::SUB, dl, VT, R, DAG.getConstant(1, dl, VT)); R = DAG.getNode(ISD::SUB, dl, VT, R, DAG.getConstant(1, dl, VT));
▲ Show 20 LinesShow All 8,057 LinesShow Last 20 Lines

llvm/test/CodeGen/X86/or-lea.ll

Show First 20 LinesShow All 805 Lines▼ Show 20 Lines
; X86-NEXT: negl %eax ; X86-NEXT: negl %eax
; X86-NEXT: sbbl %edx, %edx ; X86-NEXT: sbbl %edx, %edx
; X86-NEXT: orl $1, %eax ; X86-NEXT: orl $1, %eax
; X86-NEXT: orl $128, %edx ; X86-NEXT: orl $128, %edx
; X86-NEXT: retl ; X86-NEXT: retl
; ;
; X64-LABEL: or_large_constant: ; X64-LABEL: or_large_constant:
; X64: # %bb.0: # %entry ; X64: # %bb.0: # %entry
; X64-NEXT: xorl %eax, %eax ; X64-NEXT: xorl %ecx, %ecx
; X64-NEXT: cmpq $2, %rdi ; X64-NEXT: cmpq $2, %rdi
; X64-NEXT: setl %al ; X64-NEXT: setge %cl
; X64-NEXT: leaq -1(%rax,%rax), %rax ; X64-NEXT: negq %rcx
; X64-NEXT: movabsq $549755813889, %rax # imm = 0x8000000001
; X64-NEXT: orq %rcx, %rax
; X64-NEXT: retq ; X64-NEXT: retq
entry: entry:
%cmp = icmp sgt i64 %x, 1 %cmp = icmp sgt i64 %x, 1
%zext = zext i1 %cmp to i64 %zext = zext i1 %cmp to i64
%sub = sub i64 0, %zext %sub = sub i64 0, %zext
%or = or i64 %sub, 549755813889 ; 0x8000000001 %or = or i64 %sub, 549755813889 ; 0x8000000001
ret i64 %or ret i64 %or
} }