This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/Analysis/
-
Analysis/
1
ValueTracking.cpp
-
test/Transforms/SimplifyCFG/
-
Transforms/
-
SimplifyCFG/
-
speculate-vector-ops.ll

Differential D24542

Make vector operation with variable index unsafe to speculate
AbandonedPublic

Authored by arsenm on Sep 13 2016, 8:18 PM.

Download Raw Diff

Details

Reviewers: None

Summary

A branch condition could be guarding an out of bounds access of the vector.

Diff Detail

Event Timeline

arsenm updated this revision to Diff 71288.Sep 13 2016, 8:18 PM

arsenm retitled this revision from to Make vector operation with variable index unsafe to speculate.

arsenm updated this object.

arsenm added a subscriber: llvm-commits.

Herald added a subscriber: wdng. · View Herald TranscriptSep 13 2016, 8:18 PM

It's not clear this is the right model for this. I agree we have to consider out of bounds indices (as specified by the LangRef), but perhaps we'd be better off treating the result as undef/poison as we do for other bits of undefined behaviour? I'm not really the right person to help debate this; you might want to get Sanjoy or David Majnemer involved. They tend to be really good with this family of issues.

LangRef says "If idx exceeds the length of val, the results are undefined." That implies that the operation itself isn't undefined behavior, and therefore it's safe to speculate.

That said, the current implementation of DAGTypeLegalizer::GetVectorElementPointer can lead to undefined behavior... so we need to either fix that to mask the index, or change LangRef. I would lean towards fixing GetVectorElementPointer.

lib/Analysis/ValueTracking.cpp
3239	`isa<Constant>` doesn't prove anything useful.

arsenm mentioned this in D24544: SpeculativeExecution: Stop using whitelist for costs.Sep 22 2016, 8:02 AM

D26174 makes sure the index is in bounds when legalizing

The legalization of variable indexes doesn't introduce undefined behavior now

Revision Contents

Path

Size

lib/

Analysis/

ValueTracking.cpp

4 lines

test/

Transforms/

SimplifyCFG/

speculate-vector-ops.ll

36 lines

Diff 71288

lib/Analysis/ValueTracking.cpp

Show First 20 Lines • Show All 3,229 Lines • ▼ Show 20 Lines	if (const IntrinsicInst *II = dyn_cast<IntrinsicInst>(Inst)) {
// TODO: are convert_{from,to}_fp16 safe?		// TODO: are convert_{from,to}_fp16 safe?
// TODO: can we list target-specific intrinsics here?		// TODO: can we list target-specific intrinsics here?
default: break;		default: break;
}		}
}		}
return false; // The called function could have undefined behavior or		return false; // The called function could have undefined behavior or
// side-effects, even if marked readnone nounwind.		// side-effects, even if marked readnone nounwind.
}		}
		case Instruction::ExtractElement:
		return isa<Constant>(Inst->getOperand(1));
		efriedmaUnsubmitted Not Done Reply Inline Actions `isa<Constant>` doesn't prove anything useful. efriedma: `isa<Constant>` doesn't prove anything useful.
		case Instruction::InsertElement:
		return isa<Constant>(Inst->getOperand(2));
case Instruction::VAArg:		case Instruction::VAArg:
case Instruction::Alloca:		case Instruction::Alloca:
case Instruction::Invoke:		case Instruction::Invoke:
case Instruction::PHI:		case Instruction::PHI:
case Instruction::Store:		case Instruction::Store:
case Instruction::Ret:		case Instruction::Ret:
case Instruction::Br:		case Instruction::Br:
case Instruction::IndirectBr:		case Instruction::IndirectBr:
▲ Show 20 Lines • Show All 994 Lines • Show Last 20 Lines

test/Transforms/SimplifyCFG/speculate-vector-ops.ll

	Show First 20 Lines • Show All 51 Lines • ▼ Show 20 Lines
	cond.else27: ; preds = %cond.end18			cond.else27: ; preds = %cond.end18
	br label %cond.end28			br label %cond.end28

	cond.end28: ; preds = %cond.else27, %cond.then26			cond.end28: ; preds = %cond.else27, %cond.then26
	%cond32 = phi i32 [ %tmp30, %cond.then26 ], [ %cond22, %cond.else27 ]			%cond32 = phi i32 [ %tmp30, %cond.then26 ], [ %cond22, %cond.else27 ]
	br label %return			br label %return
	}			}

				; CHECK-LABEL: @no_speculate_extractelement_varindex(
				; CHECK: br i1 %cmp
				; CHECK: extractelement
				; CHECK: phi
				define i32 @no_speculate_extractelement_varindex(i32 %c, i32 %idx) #0 {
				entry:
				%cmp = icmp eq i32 %c, 0
				br i1 %cmp, label %a, label %b

				a:
				%x = extractelement <4 x i32> undef, i32 %idx
				br label %b

				b:
				%phi = phi i32 [ 0, %entry], [ %x, %a ]
				ret i32 %phi
				}

				; CHECK-LABEL: @no_speculate_insertelement_varindex(
				; CHECK: br i1 %cmp
				; CHECK: insertelement
				; CHECK: phi
				define <4 x i32> @no_speculate_insertelement_varindex(i32 %c, i32 %idx) #0 {
				entry:
				%cmp = icmp eq i32 %c, 0
				br i1 %cmp, label %a, label %b

				a:
				%x = insertelement <4 x i32> undef, i32 8, i32 %idx
				br label %b

				b:
				%phi = phi <4 x i32> [ zeroinitializer, %entry], [ %x, %a ]
				ret <4 x i32> %phi
				}

	attributes #0 = { nounwind }			attributes #0 = { nounwind }