This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/
-
include/llvm/Analysis/
-
llvm/
-
Analysis/
3/5
TargetTransformInfoImpl.h
-
test/Analysis/CostModel/X86/
-
Analysis/
-
CostModel/
-
X86/
-
gep.ll

Differential D38337

Check for overflows when calculating the offset in GetGEPCost.
ClosedPublic

Authored by jlebar on Sep 27 2017, 3:19 PM.

Download Raw Diff

Details

Reviewers

sanjoy
efriedma

Commits

rG8ea84426c9ec: Check for overflows when calculating the offset in GetGEPCost.
rL314362: Check for overflows when calculating the offset in GetGEPCost.

Summary

This avoids C++ UB if the GEP is weird and the calculation overflows
int64_t, and it's also observable in the cost model's results.

Such GEPs are almost surely not valid pointers, but LLVM nonetheless
generates them sometimes.

Diff Detail

Build Status

Buildable 10636
Build 10636: arc lint + arc unit

Event Timeline

jlebar created this revision.Sep 27 2017, 3:19 PM

Harbormaster completed remote builds in B10635: Diff 116893.Sep 27 2017, 3:19 PM

efriedma added a subscriber: efriedma.Sep 27 2017, 3:28 PM

efriedma added inline comments.

llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
681	Should we use the pointer width here, rather than the constant "64"?
705	Might as well use wrapping math, rather than bailing out on overflow; that's how the actual lowering works.

Wrap the GEP indices instead of bailing on overflow.

Thank you for the review, Eli.

llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
681	Looking at the langref, I think you're right, here and below. I've updated the patch, wdyt?

Harbormaster completed remote builds in B10636: Diff 116898.Sep 27 2017, 3:54 PM

efriedma added inline comments.Sep 27 2017, 4:04 PM

llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
707	`ConstIdx->getValue().sextOrTrunc(PtrSizeBits)`? getSExtValue() can fail if ConstIdx is, for example, an i128.

Call sextOrTrunc instead of assuming the offset constant has the same width as the pointer.

llvm/include/llvm/Analysis/TargetTransformInfoImpl.h
707	Indeed. Fixed, and added a testcase.

LGTM

This revision is now accepted and ready to land.Sep 27 2017, 4:17 PM

Closed by commit rL314362: Check for overflows when calculating the offset in GetGEPCost. (authored by jlebar). · Explain WhySep 27 2017, 4:18 PM

This revision was automatically updated to reflect the committed changes.

Hi Justin,

This patch has an problem with negative offsets and 32-bit pointers.
Here is a test case:

target datalayout = "e-m:e-p:32:32-i64:64-v128:64:128-a:0:32-n32-S64"
target triple = "thumbv7em-arm-none-eabi"

define internal void @test(i16* %pOut, i16* %pIn) {
entry:
  br label %for.body

for.body:                                         ; preds = %entry, %for.body
  %pIn.pn45 = phi i16* [ %pIn, %entry ], [ %add.ptr9, %for.body ]
  %i.046 = phi i32 [ 0, %entry ], [ %inc, %for.body ]
  %pIn.addr.0 = getelementptr inbounds i16, i16* %pIn.pn45, i32 -32
  %0 = load i16, i16* %pIn.pn45, align 2
  store volatile i16 %0, i16* %pOut, align 2
  %add.ptr9 = getelementptr inbounds i16, i16* %pIn.pn45, i32 -64
  %inc = add nsw i32 %i.046, 1
  %cmp = icmp slt i32 %inc, 21
  br i1 %cmp, label %for.body, label %for.end

for.end:                                          ; preds = %for.body
  ret void
}

In armv7m the pointer size is 32-bit. "ConstIdx->getValue().sextOrTrunc(PtrSizeBits) " sets the width to 32. "BaseOffset.getLimitedValue()" calls "APInt::getZExtValue()" which returns a zero extended value. So a negative value is truncated to 32-bit and then zero extended to uint64_t. As a result a wrong value is created.

Run the following in a debugger to reproduce:

opt -loop-unswitch -S test.ll

Thanks,
Evgeny Astigeevich

This revision is now accepted and ready to land.Oct 4 2017, 6:05 AM

Thank you for the detailed bug report, Evgeny, and I'm sorry for the breakage.

I'm able to reproduce, and I've made a failing testcase for Analysis/CostModel/ARM. I'm working on the fix now.

Fix is out for review in D38557.

Thank you, Justin.

Revision Contents

Path

Size

llvm/

include/

llvm/

Analysis/

TargetTransformInfoImpl.h

16 lines

test/

Analysis/

CostModel/

X86/

gep.ll

5 lines

Diff 116898

llvm/include/llvm/Analysis/TargetTransformInfoImpl.h

Show First 20 Lines • Show All 668 Lines • ▼ Show 20 Lines	int getGEPCost(Type PointeeType, const Value Ptr,
if (Ptr != nullptr) {		if (Ptr != nullptr) {
// TODO: will remove this when pointers have an opaque type.		// TODO: will remove this when pointers have an opaque type.
assert(Ptr->getType()->getScalarType()->getPointerElementType() ==		assert(Ptr->getType()->getScalarType()->getPointerElementType() ==
PointeeType &&		PointeeType &&
"explicit pointee type doesn't match operand's pointee type");		"explicit pointee type doesn't match operand's pointee type");
BaseGV = dyn_cast<GlobalValue>(Ptr->stripPointerCasts());		BaseGV = dyn_cast<GlobalValue>(Ptr->stripPointerCasts());
}		}
bool HasBaseReg = (BaseGV == nullptr);		bool HasBaseReg = (BaseGV == nullptr);
int64_t BaseOffset = 0;
		auto PtrSizeBits = DL.getPointerTypeSizeInBits(Ptr->getType());
		APInt BaseOffset(PtrSizeBits, 0);
int64_t Scale = 0;		int64_t Scale = 0;

		efriedmaUnsubmitted Done Reply Inline Actions Should we use the pointer width here, rather than the constant "64"? efriedma: Should we use the pointer width here, rather than the constant "64"?
		jlebarAuthorUnsubmitted Not Done Reply Inline Actions Looking at the langref, I think you're right, here and below. I've updated the patch, wdyt? jlebar: Looking at the langref, I think you're right, here and below. I've updated the patch, wdyt?
auto GTI = gep_type_begin(PointeeType, Operands);		auto GTI = gep_type_begin(PointeeType, Operands);
Type *TargetType = nullptr;		Type *TargetType = nullptr;

// Handle the case where the GEP instruction has a single operand,		// Handle the case where the GEP instruction has a single operand,
// the basis, therefore TargetType is a nullptr.		// the basis, therefore TargetType is a nullptr.
if (Operands.empty())		if (Operands.empty())
return !BaseGV ? TTI::TCC_Free : TTI::TCC_Basic;		return !BaseGV ? TTI::TCC_Free : TTI::TCC_Basic;

for (auto I = Operands.begin(); I != Operands.end(); ++I, ++GTI) {		for (auto I = Operands.begin(); I != Operands.end(); ++I, ++GTI) {
TargetType = GTI.getIndexedType();		TargetType = GTI.getIndexedType();
// We assume that the cost of Scalar GEP with constant index and the		// We assume that the cost of Scalar GEP with constant index and the
// cost of Vector GEP with splat constant index are the same.		// cost of Vector GEP with splat constant index are the same.
const ConstantInt ConstIdx = dyn_cast<ConstantInt>(I);		const ConstantInt ConstIdx = dyn_cast<ConstantInt>(I);
if (!ConstIdx)		if (!ConstIdx)
if (auto Splat = getSplatValue(*I))		if (auto Splat = getSplatValue(*I))
ConstIdx = dyn_cast<ConstantInt>(Splat);		ConstIdx = dyn_cast<ConstantInt>(Splat);
if (StructType *STy = GTI.getStructTypeOrNull()) {		if (StructType *STy = GTI.getStructTypeOrNull()) {
// For structures the index is always splat or scalar constant		// For structures the index is always splat or scalar constant
assert(ConstIdx && "Unexpected GEP index");		assert(ConstIdx && "Unexpected GEP index");
uint64_t Field = ConstIdx->getZExtValue();		uint64_t Field = ConstIdx->getZExtValue();
BaseOffset += DL.getStructLayout(STy)->getElementOffset(Field);		BaseOffset += DL.getStructLayout(STy)->getElementOffset(Field);
} else {		} else {
int64_t ElementSize = DL.getTypeAllocSize(GTI.getIndexedType());		int64_t ElementSize = DL.getTypeAllocSize(GTI.getIndexedType());
if (ConstIdx)		if (ConstIdx) {
		efriedmaUnsubmitted Done Reply Inline Actions Might as well use wrapping math, rather than bailing out on overflow; that's how the actual lowering works. efriedma: Might as well use wrapping math, rather than bailing out on overflow; that's how the actual…
BaseOffset += ConstIdx->getSExtValue() * ElementSize;		BaseOffset +=
else {		APInt(PtrSizeBits, ConstIdx->getSExtValue()) * ElementSize;
		efriedmaUnsubmitted Done Reply Inline Actions `ConstIdx->getValue().sextOrTrunc(PtrSizeBits)`? getSExtValue() can fail if ConstIdx is, for example, an i128. efriedma: `ConstIdx->getValue().sextOrTrunc(PtrSizeBits)`? getSExtValue() can fail if ConstIdx is, for…
		jlebarAuthorUnsubmitted Not Done Reply Inline Actions Indeed. Fixed, and added a testcase. jlebar: Indeed. Fixed, and added a testcase.
		} else {
// Needs scale register.		// Needs scale register.
if (Scale != 0)		if (Scale != 0)
// No addressing mode takes two scale registers.		// No addressing mode takes two scale registers.
return TTI::TCC_Basic;		return TTI::TCC_Basic;
Scale = ElementSize;		Scale = ElementSize;
}		}
}		}
}		}

// Assumes the address space is 0 when Ptr is nullptr.		// Assumes the address space is 0 when Ptr is nullptr.
unsigned AS =		unsigned AS =
(Ptr == nullptr ? 0 : Ptr->getType()->getPointerAddressSpace());		(Ptr == nullptr ? 0 : Ptr->getType()->getPointerAddressSpace());
if (static_cast<T *>(this)->isLegalAddressingMode(		if (static_cast<T *>(this)->isLegalAddressingMode(
TargetType, const_cast<GlobalValue *>(BaseGV), BaseOffset,		TargetType, const_cast<GlobalValue *>(BaseGV),
HasBaseReg, Scale, AS))		static_cast<int64_t>(BaseOffset.getLimitedValue()), HasBaseReg,
		Scale, AS))
return TTI::TCC_Free;		return TTI::TCC_Free;
return TTI::TCC_Basic;		return TTI::TCC_Basic;
}		}

using BaseT::getIntrinsicCost;		using BaseT::getIntrinsicCost;

unsigned getIntrinsicCost(Intrinsic::ID IID, Type *RetTy,		unsigned getIntrinsicCost(Intrinsic::ID IID, Type *RetTy,
ArrayRef<const Value *> Arguments) {		ArrayRef<const Value *> Arguments) {
▲ Show 20 Lines • Show All 88 Lines • Show Last 20 Lines

llvm/test/Analysis/CostModel/X86/gep.ll

Show All 29 Lines	;CHECK: cost of 0 for instruction: {{.}} getelementptr inbounds <4 x i32>, <4 x i32>
%a9 = getelementptr inbounds <4 x i32>, <4 x i32>* undef, i32 0		%a9 = getelementptr inbounds <4 x i32>, <4 x i32>* undef, i32 0
;CHECK: cost of 0 for instruction: {{.}} getelementptr inbounds <4 x i64>, <4 x i64>		;CHECK: cost of 0 for instruction: {{.}} getelementptr inbounds <4 x i64>, <4 x i64>
%a10 = getelementptr inbounds <4 x i64>, <4 x i64>* undef, i32 0		%a10 = getelementptr inbounds <4 x i64>, <4 x i64>* undef, i32 0
;CHECK: cost of 0 for instruction: {{.}} getelementptr inbounds <4 x float>, <4 x float>		;CHECK: cost of 0 for instruction: {{.}} getelementptr inbounds <4 x float>, <4 x float>
%a11 = getelementptr inbounds <4 x float>, <4 x float>* undef, i32 0		%a11 = getelementptr inbounds <4 x float>, <4 x float>* undef, i32 0
;CHECK: cost of 0 for instruction: {{.}} getelementptr inbounds <4 x double>, <4 x double>		;CHECK: cost of 0 for instruction: {{.}} getelementptr inbounds <4 x double>, <4 x double>
%a12 = getelementptr inbounds <4 x double>, <4 x double>* undef, i32 0		%a12 = getelementptr inbounds <4 x double>, <4 x double>* undef, i32 0

		; Check that we handle outlandishly large GEPs properly. This is unlikely to
		; be a valid pointer, but LLVM still generates GEPs like this sometimes in
		; dead code.
		;CHECK: cost of 1 for instruction: {{.}} getelementptr inbounds i8, i8
		%giant_gep_idx = getelementptr inbounds i8, i8* undef, i64 9223372036854775807

ret void		ret void
}		}