This is an archive of the discontinued LLVM Phabricator instance.

Differential D144671

[InstCombine] prevent miscompiles from select-of-div/rem transform
ClosedPublic

Authored by spatel on Feb 23 2023, 12:55 PM.

Details

Reviewers
regehr
nlopes
aqjune
nikic
Commits
rG452279efe21a: [InstCombine] prevent miscompiles from select-of-div/rem transform
Summary

This avoids the danger shown in issue #60906. There were no regression tests for these patterns, so these potential failures have been around for a long time.

We freeze the condition and preserve the optimization because getting rid of a div/rem is always a big win.

Here are a couple of examples that can be corrected by freezing the condition:
https://alive2.llvm.org/ce/z/sXHTTC

Diff Detail

Event Timeline

spatel created this revision.Feb 23 2023, 12:55 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 23 2023, 12:55 PM
Herald added subscribers: StephenFan, hiraditya, mcrosier. · View Herald Transcript
spatel requested review of this revision.Feb 23 2023, 12:55 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 23 2023, 12:55 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B215592: Diff 499956.Feb 23 2023, 2:43 PM
aqjune added a comment.Feb 26 2023, 3:28 PM

We could carve out some exceptions to this bailout. For example, the transform is actually ok with udiv/urem and a common divisor because poison in the dividend would not cause immediate UB - the divisor has to be zero, and that would be UB in the original code too. That doesn't work with signed div/rem because we can choose the poison dividend to be MinSignedValue, and that overflows when divided by -1 causing UB that doesn't exist in the original code.

This makes a lot of sense to me. Should we make this patch support this case as well?

efriedma added a subscriber: efriedma.Feb 26 2023, 3:46 PM

Alternatively, if you freeze the condition of the select, the transform is legal in all cases.

spatel added a comment.Feb 27 2023, 6:08 AM
In D144671#4154013, @efriedma wrote:

Alternatively, if you freeze the condition of the select, the transform is legal in all cases.

Thanks! Yes, that's the likely better fix. This transform does get rid of a div/rem, so that's a potentially big win vs. adding a freeze.

spatel updated this revision to Diff 500754.Feb 27 2023, 6:11 AM
spatel edited the summary of this revision. (Show Details)

Patch updated:
When necessary, freeze the select condition value to preserve the optimization.

Harbormaster completed remote builds in B216197: Diff 500754.Feb 27 2023, 7:20 AM
aqjune added inline comments.Feb 28 2023, 4:30 AM
llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp
440

Should we avoid introducing freeze if MatchIsOpZero is false and the op is udiv/urem?

spatel marked an inline comment as done.Feb 28 2023, 9:11 AM
spatel added inline comments.
llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp
440

Sure, we can refine the check.

spatel updated this revision to Diff 501175.Feb 28 2023, 9:18 AM
spatel marked an inline comment as done.

Patch updated:
Add restriction to freeze creation for unsigned ops because they are easier to determine as safe.

Harbormaster completed remote builds in B216497: Diff 501175.Feb 28 2023, 10:45 AM
aqjune accepted this revision.Feb 28 2023, 11:57 AM

LGTM, thanks..!

This revision is now accepted and ready to land.Feb 28 2023, 11:57 AM
Closed by commit rG452279efe21a: [InstCombine] prevent miscompiles from select-of-div/rem transform (authored by spatel). · Explain WhyMar 1 2023, 5:56 AM
This revision was automatically updated to reflect the committed changes.
spatel added a commit: rG452279efe21a: [InstCombine] prevent miscompiles from select-of-div/rem transform.

Revision Contents

PathSize
llvm/
lib/
Transforms/
InstCombine/
10 lines
test/
Transforms/
InstCombine/
33 lines

Diff 500754

llvm/lib/Transforms/InstCombine/InstCombineSelect.cpp

Show First 20 LinesShow All 423 Lines▼ Show 20 LinesInstruction *InstCombinerImpl::foldSelectOpOp(SelectInst &SI, Instruction *TI,
// If the select condition is a vector, the operands of the original select's // If the select condition is a vector, the operands of the original select's
// operands also must be vectors. This may not be the case for getelementptr // operands also must be vectors. This may not be the case for getelementptr
// for example. // for example.
if (CondTy->isVectorTy() && (!OtherOpT->getType()->isVectorTy() || if (CondTy->isVectorTy() && (!OtherOpT->getType()->isVectorTy() ||
!OtherOpF->getType()->isVectorTy())) !OtherOpF->getType()->isVectorTy()))
return nullptr; return nullptr;
// If we are sinking div/rem after a select, freeze the condition because
// div/rem may induce immediate UB with a poison operand.
// For example, the following transform is not safe if Cond can ever be poison
// because we can replace poison with zero and then we have div-by-zero that
// didn't exist in the original code:
// Cond ? x/y : x/z --> x / (Cond ? y : z)
auto *BO = dyn_cast<BinaryOperator>(TI);
if (BO && BO->isIntDivRem() && !isGuaranteedNotToBePoison(Cond))
Cond = Builder.CreateFreeze(Cond);
aqjuneUnsubmitted
Done
ReplyInline Actions

Should we avoid introducing freeze if MatchIsOpZero is false and the op is udiv/urem?

aqjune: Should we avoid introducing freeze if `MatchIsOpZero` is false and the op is `udiv`/`urem`?
spatelAuthorUnsubmitted
Done
ReplyInline Actions

Sure, we can refine the check.

spatel: Sure, we can refine the check.
// If we reach here, they do have operations in common. // If we reach here, they do have operations in common.
Value *NewSI = Builder.CreateSelect(Cond, OtherOpT, OtherOpF, Value *NewSI = Builder.CreateSelect(Cond, OtherOpT, OtherOpF,
SI.getName() + ".v", &SI); SI.getName() + ".v", &SI);
Value *Op0 = MatchIsOpZero ? MatchOp : NewSI; Value *Op0 = MatchIsOpZero ? MatchOp : NewSI;
Value *Op1 = MatchIsOpZero ? NewSI : MatchOp; Value *Op1 = MatchIsOpZero ? NewSI : MatchOp;
if (auto *BO = dyn_cast<BinaryOperator>(TI)) { if (auto *BO = dyn_cast<BinaryOperator>(TI)) {
BinaryOperator *NewBO = BinaryOperator::Create(BO->getOpcode(), Op0, Op1); BinaryOperator *NewBO = BinaryOperator::Create(BO->getOpcode(), Op0, Op1);
NewBO->copyIRFlags(TI); NewBO->copyIRFlags(TI);
▲ Show 20 LinesShow All 3,100 LinesShow Last 20 Lines

llvm/test/Transforms/InstCombine/select-divrem.ll

; NOTE: Assertions have been autogenerated by utils/update_test_checks.py ; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
; RUN: opt < %s -passes=instcombine -S | FileCheck %s ; RUN: opt < %s -passes=instcombine -S | FileCheck %s
; It is a miscompile in most of these tests if we
; execute div/rem without freezing the potentially
; poison condition value.
define i5 @sdiv_common_divisor(i1 %b, i5 %x, i5 %y, i5 %z) { define i5 @sdiv_common_divisor(i1 %b, i5 %x, i5 %y, i5 %z) {
; CHECK-LABEL: @sdiv_common_divisor( ; CHECK-LABEL: @sdiv_common_divisor(
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]] ; CHECK-NEXT: [[TMP1:%.*]] = freeze i1 [[B:%.*]]
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[TMP1]], i5 [[Z:%.*]], i5 [[Y:%.*]]
; CHECK-NEXT: [[SEL:%.*]] = sdiv i5 [[SEL_V]], [[X:%.*]] ; CHECK-NEXT: [[SEL:%.*]] = sdiv i5 [[SEL_V]], [[X:%.*]]
; CHECK-NEXT: ret i5 [[SEL]] ; CHECK-NEXT: ret i5 [[SEL]]
; ;
%r1 = sdiv i5 %y, %x %r1 = sdiv i5 %y, %x
%r2 = sdiv i5 %z, %x %r2 = sdiv i5 %z, %x
%sel = select i1 %b, i5 %r2, i5 %r1 %sel = select i1 %b, i5 %r2, i5 %r1
ret i5 %sel ret i5 %sel
} }
define i5 @srem_common_divisor(i1 %b, i5 %x, i5 %y, i5 %z) { define i5 @srem_common_divisor(i1 %b, i5 %x, i5 %y, i5 %z) {
; CHECK-LABEL: @srem_common_divisor( ; CHECK-LABEL: @srem_common_divisor(
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]] ; CHECK-NEXT: [[TMP1:%.*]] = freeze i1 [[B:%.*]]
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[TMP1]], i5 [[Z:%.*]], i5 [[Y:%.*]]
; CHECK-NEXT: [[SEL:%.*]] = srem i5 [[SEL_V]], [[X:%.*]] ; CHECK-NEXT: [[SEL:%.*]] = srem i5 [[SEL_V]], [[X:%.*]]
; CHECK-NEXT: ret i5 [[SEL]] ; CHECK-NEXT: ret i5 [[SEL]]
; ;
%r1 = srem i5 %y, %x %r1 = srem i5 %y, %x
%r2 = srem i5 %z, %x %r2 = srem i5 %z, %x
%sel = select i1 %b, i5 %r2, i5 %r1 %sel = select i1 %b, i5 %r2, i5 %r1
ret i5 %sel ret i5 %sel
} }
define i5 @udiv_common_divisor(i1 %b, i5 %x, i5 %y, i5 %z) { define i5 @udiv_common_divisor(i1 %b, i5 %x, i5 %y, i5 %z) {
; CHECK-LABEL: @udiv_common_divisor( ; CHECK-LABEL: @udiv_common_divisor(
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]] ; CHECK-NEXT: [[TMP1:%.*]] = freeze i1 [[B:%.*]]
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[TMP1]], i5 [[Z:%.*]], i5 [[Y:%.*]]
; CHECK-NEXT: [[SEL:%.*]] = udiv i5 [[SEL_V]], [[X:%.*]] ; CHECK-NEXT: [[SEL:%.*]] = udiv i5 [[SEL_V]], [[X:%.*]]
; CHECK-NEXT: ret i5 [[SEL]] ; CHECK-NEXT: ret i5 [[SEL]]
; ;
%r1 = udiv i5 %y, %x %r1 = udiv i5 %y, %x
%r2 = udiv i5 %z, %x %r2 = udiv i5 %z, %x
%sel = select i1 %b, i5 %r2, i5 %r1 %sel = select i1 %b, i5 %r2, i5 %r1
ret i5 %sel ret i5 %sel
} }
define i5 @urem_common_divisor(i1 %b, i5 %x, i5 %y, i5 %z) { define i5 @urem_common_divisor(i1 %b, i5 %x, i5 %y, i5 %z) {
; CHECK-LABEL: @urem_common_divisor( ; CHECK-LABEL: @urem_common_divisor(
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]] ; CHECK-NEXT: [[TMP1:%.*]] = freeze i1 [[B:%.*]]
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[TMP1]], i5 [[Z:%.*]], i5 [[Y:%.*]]
; CHECK-NEXT: [[SEL:%.*]] = urem i5 [[SEL_V]], [[X:%.*]] ; CHECK-NEXT: [[SEL:%.*]] = urem i5 [[SEL_V]], [[X:%.*]]
; CHECK-NEXT: ret i5 [[SEL]] ; CHECK-NEXT: ret i5 [[SEL]]
; ;
%r1 = urem i5 %y, %x %r1 = urem i5 %y, %x
%r2 = urem i5 %z, %x %r2 = urem i5 %z, %x
%sel = select i1 %b, i5 %r2, i5 %r1 %sel = select i1 %b, i5 %r2, i5 %r1
ret i5 %sel ret i5 %sel
} }
define i5 @sdiv_common_dividend(i1 %b, i5 %x, i5 %y, i5 %z) { define i5 @sdiv_common_dividend(i1 %b, i5 %x, i5 %y, i5 %z) {
; CHECK-LABEL: @sdiv_common_dividend( ; CHECK-LABEL: @sdiv_common_dividend(
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]] ; CHECK-NEXT: [[TMP1:%.*]] = freeze i1 [[B:%.*]]
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[TMP1]], i5 [[Z:%.*]], i5 [[Y:%.*]]
; CHECK-NEXT: [[SEL:%.*]] = sdiv i5 [[X:%.*]], [[SEL_V]] ; CHECK-NEXT: [[SEL:%.*]] = sdiv i5 [[X:%.*]], [[SEL_V]]
; CHECK-NEXT: ret i5 [[SEL]] ; CHECK-NEXT: ret i5 [[SEL]]
; ;
%r1 = sdiv i5 %x, %y %r1 = sdiv i5 %x, %y
%r2 = sdiv i5 %x, %z %r2 = sdiv i5 %x, %z
%sel = select i1 %b, i5 %r2, i5 %r1 %sel = select i1 %b, i5 %r2, i5 %r1
ret i5 %sel ret i5 %sel
} }
define i5 @srem_common_dividend(i1 %b, i5 %x, i5 %y, i5 %z) { define i5 @srem_common_dividend(i1 %b, i5 %x, i5 %y, i5 %z) {
; CHECK-LABEL: @srem_common_dividend( ; CHECK-LABEL: @srem_common_dividend(
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]] ; CHECK-NEXT: [[TMP1:%.*]] = freeze i1 [[B:%.*]]
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[TMP1]], i5 [[Z:%.*]], i5 [[Y:%.*]]
; CHECK-NEXT: [[SEL:%.*]] = srem i5 [[X:%.*]], [[SEL_V]] ; CHECK-NEXT: [[SEL:%.*]] = srem i5 [[X:%.*]], [[SEL_V]]
; CHECK-NEXT: ret i5 [[SEL]] ; CHECK-NEXT: ret i5 [[SEL]]
; ;
%r1 = srem i5 %x, %y %r1 = srem i5 %x, %y
%r2 = srem i5 %x, %z %r2 = srem i5 %x, %z
%sel = select i1 %b, i5 %r2, i5 %r1 %sel = select i1 %b, i5 %r2, i5 %r1
ret i5 %sel ret i5 %sel
} }
define i5 @udiv_common_dividend(i1 %b, i5 %x, i5 %y, i5 %z) { define i5 @udiv_common_dividend(i1 %b, i5 %x, i5 %y, i5 %z) {
; CHECK-LABEL: @udiv_common_dividend( ; CHECK-LABEL: @udiv_common_dividend(
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]] ; CHECK-NEXT: [[TMP1:%.*]] = freeze i1 [[B:%.*]]
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[TMP1]], i5 [[Z:%.*]], i5 [[Y:%.*]]
; CHECK-NEXT: [[SEL:%.*]] = udiv i5 [[X:%.*]], [[SEL_V]] ; CHECK-NEXT: [[SEL:%.*]] = udiv i5 [[X:%.*]], [[SEL_V]]
; CHECK-NEXT: ret i5 [[SEL]] ; CHECK-NEXT: ret i5 [[SEL]]
; ;
%r1 = udiv i5 %x, %y %r1 = udiv i5 %x, %y
%r2 = udiv i5 %x, %z %r2 = udiv i5 %x, %z
%sel = select i1 %b, i5 %r2, i5 %r1 %sel = select i1 %b, i5 %r2, i5 %r1
ret i5 %sel ret i5 %sel
} }
define i5 @urem_common_dividend(i1 %b, i5 %x, i5 %y, i5 %z) { define i5 @urem_common_dividend(i1 %b, i5 %x, i5 %y, i5 %z) {
; CHECK-LABEL: @urem_common_dividend( ; CHECK-LABEL: @urem_common_dividend(
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]] ; CHECK-NEXT: [[TMP1:%.*]] = freeze i1 [[B:%.*]]
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[TMP1]], i5 [[Z:%.*]], i5 [[Y:%.*]]
; CHECK-NEXT: [[SEL:%.*]] = urem i5 [[X:%.*]], [[SEL_V]] ; CHECK-NEXT: [[SEL:%.*]] = urem i5 [[X:%.*]], [[SEL_V]]
; CHECK-NEXT: ret i5 [[SEL]] ; CHECK-NEXT: ret i5 [[SEL]]
; ;
%r1 = urem i5 %x, %y %r1 = urem i5 %x, %y
%r2 = urem i5 %x, %z %r2 = urem i5 %x, %z
%sel = select i1 %b, i5 %r2, i5 %r1 %sel = select i1 %b, i5 %r2, i5 %r1
ret i5 %sel ret i5 %sel
} }
; Repeat the above tests, but guarantee that the select
; condition is not poison via argument attribute. That
; makes it safe to execute the select before div/rem
; without needing to freeze the condition.
define i5 @sdiv_common_divisor_defined_cond(i1 noundef %b, i5 %x, i5 %y, i5 %z) { define i5 @sdiv_common_divisor_defined_cond(i1 noundef %b, i5 %x, i5 %y, i5 %z) {
; CHECK-LABEL: @sdiv_common_divisor_defined_cond( ; CHECK-LABEL: @sdiv_common_divisor_defined_cond(
; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]] ; CHECK-NEXT: [[SEL_V:%.*]] = select i1 [[B:%.*]], i5 [[Z:%.*]], i5 [[Y:%.*]]
; CHECK-NEXT: [[SEL:%.*]] = sdiv i5 [[SEL_V]], [[X:%.*]] ; CHECK-NEXT: [[SEL:%.*]] = sdiv i5 [[SEL_V]], [[X:%.*]]
; CHECK-NEXT: ret i5 [[SEL]] ; CHECK-NEXT: ret i5 [[SEL]]
; ;
%r1 = sdiv i5 %y, %x %r1 = sdiv i5 %y, %x
%r2 = sdiv i5 %z, %x %r2 = sdiv i5 %z, %x
▲ Show 20 LinesShow All 87 LinesShow Last 20 Lines