This is an archive of the discontinued LLVM Phabricator instance.

[BasicAA] Fix for missing must alias information
ClosedPublic

Authored by Gerolf on Jan 19 2016, 7:18 PM.

Download Raw Diff

Details

Reviewers

reames
hfinkel

Summary

BasicAA performs offset computations in 64b mode independent of the
target. For 32b mode this can result in missing must alias information when
the array offsets wrap-around. The fix checks for the target pointersize and
ensures offsets are computed as 32b offsets for 32b targets.

Diff Detail

Event Timeline

Gerolf updated this revision to Diff 45336.Jan 19 2016, 7:18 PM

Gerolf retitled this revision from to [BasicAA] Fix for missing must alias information.

Gerolf updated this object.

Gerolf added a reviewer: hfinkel.

Gerolf added a subscriber: llvm-commits.

mcrosier added a subscriber: mcrosier.Jan 20 2016, 5:59 AM

This looks like it should be two separate patches. The mustalias logic should be expressible on 64 bit pointers independent of the wrap around. The 32 bit wrap around logic I'm a bit unclear on. I think that it's correct per the lang ref. At minimum, should be using uint32_t types. Preferably, you'd rephrase this in a generic way which worked for other pointer sizes (i.e. 48 bit?).

This revision now requires changes to proceed.Jan 25 2016, 1:26 PM

Philip, thank you for your initial review. This is the general and simplified
version you hinted at. Please take a look.

Better, but.. why mask on only some updates vs every one or once at end?

lib/Analysis/BasicAliasAnalysis.cpp
328	Isn't shifting into the sign bit undefined behaviour? I think what you really want to express is Offset % 0xFF..PointerSize..FF. Why not just write it that way?
458	This line is highly likely wrong. It looks like you're converting to a signed type, doing wrapping there, then converting back. That's suspicious at best. I suspect you may need to change the signage of the existing code, but that should definitely be separate.

Regarding: "Better, but.. why mask on only some updates vs every one or once at end?"

I took the wrap-around out of inner loop and made sure it is done once for each PointerSize. If we can hoist that out of the loop then the BaseOffs wrap can be pushed out of the outer loop also. That requires at least additional checks on the assumption of a constant PointerSize. That needs a separate commit - if any.

lib/Analysis/BasicAliasAnalysis.cpp
328	In C++ (Section 5.8.2) it actually is well defined: The value of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are zero-filled. In older C standards I think at one point it was undefined and later implementation defined when the result did not fit. And no, for we offset we actually need the sign extension. % doesn't do that. So I think that code is fine. Agreed?
458	It is "correct" since the bits don't change in that cast: "correct" in the sense of being equivalent to the old code. But I agree with you that this should be an independent commit and take it out.

Philip, I removed the wrap for Scale as you suggested.
Please check if you agree with my comments. Thank you!

Aside from the suspected UB (which I think Philip was right about,
see my comments inline below), this seems pretty obviously correct.

A have a couple of other nitpicks below, but after that LGTM.
Philip, did you have anything else on your side?

I'm happy to defer to Duncan here.

lib/Analysis/BasicAliasAnalysis.cpp
324	correct -> precise. Very different in this context.

Diffusion mentioned this in rL259299: [BasicAA] Fix for missing must alias (D16343).Jan 29 2016, 9:56 PM

Thank you Duncan + Philip! Committed NFC is r259290+r259298, the actual fix is 259299. And you convinced me to finally get rid of my outdated C/C++ standards ... :-)

lib/Analysis/BasicAliasAnalysis.cpp
324	Done: r259300

per previous comment from author patches have landed.

This revision is now accepted and ready to land.Mar 9 2016, 12:12 PM

reames closed this revision.Mar 9 2016, 12:12 PM

Revision Contents

Path

Size

lib/

Analysis/

BasicAliasAnalysis.cpp

18 lines

test/

Analysis/

BasicAA/

noalias-wraparound-bug.ll

24 lines

Diff 45336

lib/Analysis/BasicAliasAnalysis.cpp

Show All 36 Lines
#include "llvm/Pass.h"		#include "llvm/Pass.h"
#include "llvm/Support/ErrorHandling.h"		#include "llvm/Support/ErrorHandling.h"
#include <algorithm>		#include <algorithm>
using namespace llvm;		using namespace llvm;

/// Enable analysis of recursive PHI nodes.		/// Enable analysis of recursive PHI nodes.
static cl::opt<bool> EnableRecPhiAnalysis("basicaa-recphi", cl::Hidden,		static cl::opt<bool> EnableRecPhiAnalysis("basicaa-recphi", cl::Hidden,
cl::init(false));		cl::init(false));
		#define DEBUG_TYPE "basicaa"
/// SearchLimitReached / SearchTimes shows how often the limit of		/// SearchLimitReached / SearchTimes shows how often the limit of
/// to decompose GEPs is reached. It will affect the precision		/// to decompose GEPs is reached. It will affect the precision
/// of basic alias analysis.		/// of basic alias analysis.
#define DEBUG_TYPE "basicaa"
STATISTIC(SearchLimitReached, "Number of times the limit to "		STATISTIC(SearchLimitReached, "Number of times the limit to "
"decompose GEPs is reached");		"decompose GEPs is reached");
STATISTIC(SearchTimes, "Number of times a GEP is decomposed");		STATISTIC(SearchTimes, "Number of times a GEP is decomposed");

/// Cutoff after which to stop analysing a set of phi nodes potentially involved		/// Cutoff after which to stop analysing a set of phi nodes potentially involved
/// in a cycle. Because we are analysing 'through' phi nodes we need to be		/// in a cycle. Because we are analysing 'through' phi nodes we need to be
/// careful with value equivalence. We use reachability to make sure a value		/// careful with value equivalence. We use reachability to make sure a value
/// cannot be involved in a cycle.		/// cannot be involved in a cycle.
▲ Show 20 Lines • Show All 259 Lines • ▼ Show 20 Lines	/static/ const Value *BasicAAResult::GetLinearExpression(
Scale = 1;		Scale = 1;
Offset = 0;		Offset = 0;
return V;		return V;
}		}

/// If V is a symbolic pointer expression, decompose it into a base pointer		/// If V is a symbolic pointer expression, decompose it into a base pointer
/// with a constant offset and a number of scaled symbolic offsets.		/// with a constant offset and a number of scaled symbolic offsets.
///		///
/// The scaled symbolic offsets (represented by pairs of a Value* and a scale		/// The scaled symbolic offsets (represented by pairs of a Value* and a scale
		reamesUnsubmitted Not Done Reply Inline Actions correct -> precise. Very different in this context. reames: correct -> precise. Very different in this context.
		GerolfAuthorUnsubmitted Not Done Reply Inline Actions Done: r259300 Gerolf: Done: r259300
/// in the VarIndices vector) are Value*'s that are known to be scaled by the		/// in the VarIndices vector) are Value*'s that are known to be scaled by the
/// specified amount, but which may have other unrepresented high bits. As		/// specified amount, but which may have other unrepresented high bits. As
/// such, the gep cannot necessarily be reconstructed from its decomposed form.		/// such, the gep cannot necessarily be reconstructed from its decomposed form.
///		///
		reamesUnsubmitted Not Done Reply Inline Actions Isn't shifting into the sign bit undefined behaviour? I think what you really want to express is Offset % 0xFF..PointerSize..FF. Why not just write it that way? reames: Isn't shifting into the sign bit undefined behaviour? I think what you really want to express…
		GerolfAuthorUnsubmitted Not Done Reply Inline Actions In C++ (Section 5.8.2) it actually is well defined: The value of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are zero-filled. In older C standards I think at one point it was undefined and later implementation defined when the result did not fit. And no, for we offset we actually need the sign extension. % doesn't do that. So I think that code is fine. Agreed? Gerolf: In C++ (Section 5.8.2) it actually is well defined: The value of E1 << E2 is E1 left-shifted E2…
/// When DataLayout is around, this function is capable of analyzing everything		/// When DataLayout is around, this function is capable of analyzing everything
/// that GetUnderlyingObject can look through. To be able to do that		/// that GetUnderlyingObject can look through. To be able to do that
/// GetUnderlyingObject and DecomposeGEPExpression must use the same search		/// GetUnderlyingObject and DecomposeGEPExpression must use the same search
/// depth (MaxLookupSearchDepth). When DataLayout not is around, it just looks		/// depth (MaxLookupSearchDepth). When DataLayout not is around, it just looks
/// through pointer casts.		/// through pointer casts.
/static/ const Value *BasicAAResult::DecomposeGEPExpression(		/static/ const Value *BasicAAResult::DecomposeGEPExpression(
const Value *V, int64_t &BaseOffs,		const Value *V, int64_t &BaseOffs,
SmallVectorImpl<VariableGEPIndex> &VarIndices, bool &MaxLookupReached,		SmallVectorImpl<VariableGEPIndex> &VarIndices, bool &MaxLookupReached,
▲ Show 20 Lines • Show All 44 Lines • ▼ Show 20 Lines	do {

// Don't attempt to analyze GEPs over unsized objects.		// Don't attempt to analyze GEPs over unsized objects.
if (!GEPOp->getOperand(0)->getType()->getPointerElementType()->isSized())		if (!GEPOp->getOperand(0)->getType()->getPointerElementType()->isSized())
return V;		return V;

unsigned AS = GEPOp->getPointerAddressSpace();		unsigned AS = GEPOp->getPointerAddressSpace();
// Walk the indices of the GEP, accumulating them into BaseOff/VarIndices.		// Walk the indices of the GEP, accumulating them into BaseOff/VarIndices.
gep_type_iterator GTI = gep_type_begin(GEPOp);		gep_type_iterator GTI = gep_type_begin(GEPOp);
		unsigned PointerSize = DL.getPointerSizeInBits(AS);
for (User::const_op_iterator I = GEPOp->op_begin() + 1, E = GEPOp->op_end();		for (User::const_op_iterator I = GEPOp->op_begin() + 1, E = GEPOp->op_end();
I != E; ++I) {		I != E; ++I) {
const Value Index = I;		const Value Index = I;
// Compute the (potentially symbolic) offset in bytes for this index.		// Compute the (potentially symbolic) offset in bytes for this index.
if (StructType STy = dyn_cast<StructType>(GTI++)) {		if (StructType STy = dyn_cast<StructType>(GTI++)) {
// For a struct, add the member offset.		// For a struct, add the member offset.
unsigned FieldNo = cast<ConstantInt>(Index)->getZExtValue();		unsigned FieldNo = cast<ConstantInt>(Index)->getZExtValue();
if (FieldNo == 0)		if (FieldNo == 0)
continue;		continue;

BaseOffs += DL.getStructLayout(STy)->getElementOffset(FieldNo);		BaseOffs += DL.getStructLayout(STy)->getElementOffset(FieldNo);
		if (PointerSize == 32) {
		int Cast = (int)BaseOffs;
		BaseOffs = Cast;
		}
continue;		continue;
}		}

// For an array/pointer, add the element offset, explicitly scaled.		// For an array/pointer, add the element offset, explicitly scaled.
if (const ConstantInt *CIdx = dyn_cast<ConstantInt>(Index)) {		if (const ConstantInt *CIdx = dyn_cast<ConstantInt>(Index)) {
if (CIdx->isZero())		if (CIdx->isZero())
continue;		continue;
BaseOffs += DL.getTypeAllocSize(GTI) CIdx->getSExtValue();		BaseOffs += DL.getTypeAllocSize(GTI) CIdx->getSExtValue();
		if (PointerSize == 32) {
		int Cast = (int)BaseOffs;
		BaseOffs = Cast;
		}
continue;		continue;
}		}

uint64_t Scale = DL.getTypeAllocSize(*GTI);		uint64_t Scale = DL.getTypeAllocSize(*GTI);
unsigned ZExtBits = 0, SExtBits = 0;		unsigned ZExtBits = 0, SExtBits = 0;

// If the integer type is smaller than the pointer size, it is implicitly		// If the integer type is smaller than the pointer size, it is implicitly
// sign extended to pointer size.		// sign extended to pointer size.
unsigned Width = Index->getType()->getIntegerBitWidth();		unsigned Width = Index->getType()->getIntegerBitWidth();
unsigned PointerSize = DL.getPointerSizeInBits(AS);
if (PointerSize > Width)		if (PointerSize > Width)
SExtBits += PointerSize - Width;		SExtBits += PointerSize - Width;

// Use GetLinearExpression to decompose the index into a C1*V+C2 form.		// Use GetLinearExpression to decompose the index into a C1*V+C2 form.
APInt IndexScale(Width, 0), IndexOffset(Width, 0);		APInt IndexScale(Width, 0), IndexOffset(Width, 0);
bool NSW = true, NUW = true;		bool NSW = true, NUW = true;
Index = GetLinearExpression(Index, IndexScale, IndexOffset, ZExtBits,		Index = GetLinearExpression(Index, IndexScale, IndexOffset, ZExtBits,
SExtBits, DL, 0, AC, DT, NSW, NUW);		SExtBits, DL, 0, AC, DT, NSW, NUW);
Show All 16 Lines	for (User::const_op_iterator I = GEPOp->op_begin() + 1, E = GEPOp->op_end();
}		}
}		}

// Make sure that we have a scale that makes sense for this target's		// Make sure that we have a scale that makes sense for this target's
// pointer size.		// pointer size.
if (unsigned ShiftBits = 64 - PointerSize) {		if (unsigned ShiftBits = 64 - PointerSize) {
Scale <<= ShiftBits;		Scale <<= ShiftBits;
Scale = (int64_t)Scale >> ShiftBits;		Scale = (int64_t)Scale >> ShiftBits;
}		}
		reamesUnsubmitted Not Done Reply Inline Actions This line is highly likely wrong. It looks like you're converting to a signed type, doing wrapping there, then converting back. That's suspicious at best. I suspect you may need to change the signage of the existing code, but that should definitely be separate. reames: This line is highly likely wrong. It looks like you're converting to a signed type, doing…
		GerolfAuthorUnsubmitted Not Done Reply Inline Actions It is "correct" since the bits don't change in that cast: "correct" in the sense of being equivalent to the old code. But I agree with you that this should be an independent commit and take it out. Gerolf: It is "correct" since the bits don't change in that cast: "correct" in the sense of being…

if (Scale) {		if (Scale) {
VariableGEPIndex Entry = {Index, ZExtBits, SExtBits,		VariableGEPIndex Entry = {Index, ZExtBits, SExtBits,
static_cast<int64_t>(Scale)};		static_cast<int64_t>(Scale)};
VarIndices.push_back(Entry);		VarIndices.push_back(Entry);
}		}
}		}

▲ Show 20 Lines • Show All 531 Lines • ▼ Show 20 Lines	if (GEP1->getPointerOperand() == GEP2->getPointerOperand()) {
if (R != MayAlias)		if (R != MayAlias)
return R;		return R;
}		}

// If the max search depth is reached the result is undefined		// If the max search depth is reached the result is undefined
if (GEP2MaxLookupReached \|\| GEP1MaxLookupReached)		if (GEP2MaxLookupReached \|\| GEP1MaxLookupReached)
return MayAlias;		return MayAlias;

		if (GEP1BaseOffset == GEP2BaseOffset && GEP1VariableIndices.empty() &&
		GEP2VariableIndices.empty()) {
		return MustAlias;
		}

// Subtract the GEP2 pointer from the GEP1 pointer to find out their		// Subtract the GEP2 pointer from the GEP1 pointer to find out their
// symbolic difference.		// symbolic difference.
GEP1BaseOffset -= GEP2BaseOffset;		GEP1BaseOffset -= GEP2BaseOffset;
GetIndexDifference(GEP1VariableIndices, GEP2VariableIndices);		GetIndexDifference(GEP1VariableIndices, GEP2VariableIndices);

} else {		} else {
// Check to see if these two pointers are related by the getelementptr		// Check to see if these two pointers are related by the getelementptr
// instruction. If one pointer is a GEP with a non-zero index of the other		// instruction. If one pointer is a GEP with a non-zero index of the other
▲ Show 20 Lines • Show All 625 Lines • Show Last 20 Lines

test/Analysis/BasicAA/noalias-wraparound-bug.ll

This file was added.

				; RUN: opt -S -basicaa -gvn < %s \| FileCheck %s

				target datalayout = "e-m:o-p:32:32-f64:32:64-f80:128-n8:16:32-S128"
				target triple = "i386-apple-macosx10.6.0"

				; We incorrectly returned noalias in the example below for "tmp5" and
				; "tmp12" returning i32 32, since basicaa converted the offsets to 64b
				; and missed the wrap-around

				define i32 @foo(i8* %buffer) {
				entry:
				%tmp2 = getelementptr i8, i8* %buffer, i32 -2071408432
				%tmp3 = bitcast i8* %tmp2 to i32*
				%tmp4 = getelementptr i8, i8* %buffer, i32 128
				%tmp5 = bitcast i8* %tmp4 to i32*
				store i32 32, i32* %tmp5, align 4
				%tmp12 = getelementptr i32, i32* %tmp3, i32 -1629631508
				store i32 28, i32* %tmp12, align 4
				%tmp13 = getelementptr i8, i8* %buffer, i32 128
				%tmp14 = bitcast i8* %tmp13 to i32*
				%tmp2083 = load i32, i32* %tmp14, align 4
				; CHECK: ret i32 28
				ret i32 %tmp2083
				}