This is an archive of the discontinued LLVM Phabricator instance.

Differential D139238

[ARM] IselLowering unsigned overflow to crash using APInt in PerformSHLSimplify
ClosedPublic

Authored by Peter on Dec 2 2022, 5:06 PM.

Details

Reviewers
samparker
fhahn
dmgreen
Commits
rGee31a4a7029f: [ARM] IselLowering unsigned overflow to crash using APInt in PerformSHLSimplify
Summary

This diff fixes issue https://github.com/llvm/llvm-project/issues/59317

We should check if bitwidth is lower than the shift amount before we subtract them to avoid unsigned overflow.

Diff Detail

Event Timeline

Peter created this revision.Dec 2 2022, 5:06 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 2 2022, 5:06 PM
Herald added subscribers: hiraditya, kristof.beyls. · View Herald Transcript
Peter requested review of this revision.Dec 2 2022, 5:06 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 2 2022, 5:06 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Peter added reviewers: samparker, fhahn.Dec 2 2022, 5:10 PM
Harbormaster completed remote builds in B200873: Diff 479783.Dec 2 2022, 6:57 PM
Peter updated this revision to Diff 479797.Dec 2 2022, 7:23 PM

format

Harbormaster completed remote builds in B200883: Diff 479797.Dec 2 2022, 8:13 PM
RKSimon added a subscriber: RKSimon.Dec 3 2022, 3:15 AM
RKSimon added inline comments.
llvm/lib/Target/ARM/ARMISelLowering.cpp
13778

I'm not sure if you can encounter types > 64 bits here - but you might be better doing the test as

if (C2Int.uge(C2Width))
  return SDValue();
uint64_t C2Value = C2Int.getZExtValue();
Peter updated this revision to Diff 480167.Dec 5 2022, 11:05 AM
Peter marked an inline comment as done.

Update and remove getZExtValue()

llvm/lib/Target/ARM/ARMISelLowering.cpp
13778

I 100% agree with you. I meant to change that in another patch as it could be some other issue, but I'll just do it here.
However, I couldn't find a file that can crash it, probably legalizer has already split i128 into smaller types prior to this, so I'll just update the code without new tests.

getZExtValue and getSExtValue in APInt can be particularly problematic, I see people use it without checking if it is allowed and crash the compiler.
I have found another bug with it that actually fits your concern. (https://github.com/llvm/llvm-project/issues/59316)
Probably we should move this discussion to there.

Harbormaster completed remote builds in B201162: Diff 480167.Dec 5 2022, 4:32 PM
dmgreen accepted this revision.Dec 6 2022, 12:22 AM
dmgreen added a subscriber: dmgreen.

The change sounds good to me, LGTM.

This revision is now accepted and ready to land.Dec 6 2022, 12:22 AM
Closed by commit rGee31a4a7029f: [ARM] IselLowering unsigned overflow to crash using APInt in PerformSHLSimplify (authored by Peter). · Explain WhyDec 6 2022, 9:58 AM
This revision was automatically updated to reflect the committed changes.
Peter added a commit: rGee31a4a7029f: [ARM] IselLowering unsigned overflow to crash using APInt in PerformSHLSimplify.

Revision Contents

PathSize
llvm/
lib/
Target/
ARM/
7 lines
test/
CodeGen/
ARM/
25 lines

Diff 480534

llvm/lib/Target/ARM/ARMISelLowering.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 13,767 Lines▼ Show 20 Linesstatic SDValue PerformSHLSimplify(SDNode *N,
auto *C1ShlC2 = dyn_cast<ConstantSDNode>(N->getOperand(1)); auto *C1ShlC2 = dyn_cast<ConstantSDNode>(N->getOperand(1));
auto *C2 = dyn_cast<ConstantSDNode>(SHL.getOperand(1)); auto *C2 = dyn_cast<ConstantSDNode>(SHL.getOperand(1));
if (!C1ShlC2 || !C2) if (!C1ShlC2 || !C2)
return SDValue(); return SDValue();
APInt C2Int = C2->getAPIntValue(); APInt C2Int = C2->getAPIntValue();
APInt C1Int = C1ShlC2->getAPIntValue(); APInt C1Int = C1ShlC2->getAPIntValue();
unsigned C2Width = C2Int.getBitWidth();
if (C2Int.uge(C2Width))
return SDValue();
RKSimonUnsubmitted
Done
ReplyInline Actions

I'm not sure if you can encounter types > 64 bits here - but you might be better doing the test as

if (C2Int.uge(C2Width))
  return SDValue();
uint64_t C2Value = C2Int.getZExtValue();
RKSimon: I'm not sure if you can encounter types > 64 bits here - but you might be better doing the test…
PeterAuthorUnsubmitted
Done
ReplyInline Actions

I 100% agree with you. I meant to change that in another patch as it could be some other issue, but I'll just do it here.
However, I couldn't find a file that can crash it, probably legalizer has already split i128 into smaller types prior to this, so I'll just update the code without new tests.

getZExtValue and getSExtValue in APInt can be particularly problematic, I see people use it without checking if it is allowed and crash the compiler.
I have found another bug with it that actually fits your concern. (https://github.com/llvm/llvm-project/issues/59316)
Probably we should move this discussion to there.

Peter: I 100% agree with you. I meant to change that in another patch as it could be some other issue…
uint64_t C2Value = C2Int.getZExtValue();
// Check that performing a lshr will not lose any information. // Check that performing a lshr will not lose any information.
APInt Mask = APInt::getHighBitsSet(C2Int.getBitWidth(), APInt Mask = APInt::getHighBitsSet(C2Width, C2Width - C2Value);
C2Int.getBitWidth() - C2->getZExtValue());
if ((C1Int & Mask) != C1Int) if ((C1Int & Mask) != C1Int)
return SDValue(); return SDValue();
// Shift the first constant. // Shift the first constant.
C1Int.lshrInPlace(C2Int); C1Int.lshrInPlace(C2Int);
// The immediates are encoded as an 8-bit value that can be rotated. // The immediates are encoded as an 8-bit value that can be rotated.
auto LargeImm = [](const APInt &Imm) { auto LargeImm = [](const APInt &Imm) {
▲ Show 20 LinesShow All 8,143 LinesShow Last 20 Lines

llvm/test/CodeGen/ARM/pr59317.ll

  • This file was added.
; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py
; RUN: llc -mtriple=arm %s -o - | FileCheck --check-prefix=arm %s
; RUN: llc -mtriple=armeb %s -o - | FileCheck --check-prefix=armeb %s
define i1 @pr59317(i16 %F) {
; arm-LABEL: pr59317:
; arm: @ %bb.0: @ %BB
; arm-NEXT: sub sp, sp, #8
; arm-NEXT: mov r0, #0
; arm-NEXT: add sp, sp, #8
; arm-NEXT: mov pc, lr
;
; armeb-LABEL: pr59317:
; armeb: @ %bb.0: @ %BB
; armeb-NEXT: sub sp, sp, #8
; armeb-NEXT: mov r0, #0
; armeb-NEXT: add sp, sp, #8
; armeb-NEXT: mov pc, lr
BB:
%E = extractelement <1 x i16> <i16 -1>, i16 %F
%RP = alloca i64, align 8
%B = shl i16 %E, %E
%C1 = icmp ugt i16 %B, %F
ret i1 %C1
}