This is an archive of the discontinued LLVM Phabricator instance.

Differential D41981

[SROA] fix assetion failure
ClosedPublic

Authored by inouehrs on Jan 11 2018, 10:30 PM.

Download Raw Diff

Details

Reviewers

davide
rnk
efriedma
chandlerc
sanjoy
kbarton
nemanjai

Commits

rG99a8faa6153a: [SROA] fix assetion failure
rL322533: [SROA] fix assetion failure

Summary

This patch fixes the assertion failure in SROA reported in PR35657.
PR35657 reports the assertion failure due to r319522 (splitting for non-whole-alloca slices), but this problem can happen even without r319522.

The problem exists in a check for reusing an existing alloca when rewriting partitions. As the original comment said, we can reuse the existing alloca if the new alloca has the same type and offset with the existing one. But the code checks only type of the alloca and then check the offset using an assert.
In a corner case with out-of-bounds access (e.g. @PR35657 function added in unit test), it is possible that the two allocas have the same type but different offsets.

This patch makes the check of the offset in the if condition, and re-enables the splitting for non-whole-alloca slices.

Diff Detail

Repository: rL LLVM

Event Timeline

inouehrs created this revision.Jan 11 2018, 10:30 PM

rnk added inline comments.Jan 12 2018, 10:49 AM

lib/Transforms/Scalar/SROA.cpp
130 ↗	(On Diff #129580)	Can you delete this flag instead and simplify the logic that checks it?
test/Transforms/SROA/basictest.ll
1712 ↗	(On Diff #129580)	WOW, I guess this isn't UB because the storage size of i48 is 8 bytes, right? Crazy.

eliminated SROASplitNonWholeAllocaSlices flag

inouehrs marked an inline comment as done.Jan 12 2018, 11:21 AM

efriedma added inline comments.Jan 12 2018, 2:01 PM

test/Transforms/SROA/basictest.ll
1712 ↗	(On Diff #129580)	No, this is UB; an i48 has a storage size of 6 bytes. Granted, we still shouldn't crash.

It looks like this doesn't properly fix PR35657; it fixes the crash, yes, but it looks like the optimizer is introducing undefined behavior.

fixed an unit test to avoid emitting undef values.

In D41981#975406, @efriedma wrote:

It looks like this doesn't properly fix PR35657; it fixes the crash, yes, but it looks like the optimizer is introducing undefined behavior.

I updated the test case to avoid undef in the generated code due to loads from uninitialized alloca.
Do you expect other behavior (such as not applying SROA for out-of-bounds accesses)?

LGTM, but don't close PR35657 until you track down the miscompile. (csmith should not be generating code with out-of-bounds accesses, so there's probably another bug somewhere.)

lib/Transforms/Scalar/SROA.cpp
3933 ↗	(On Diff #129752)	Please add a comment explaining that beginOffset() != 0 can happen for out-of-bounds accesses. (We want to transform anyway because we don't want undefined behavior in unreachable code to block optimizations in other code.)

This revision is now accepted and ready to land.Jan 15 2018, 4:20 PM

Closed by commit rL322533: [SROA] fix assetion failure (authored by inouehrs). · Explain WhyJan 15 2018, 10:25 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

llvm/

trunk/

lib/

Transforms/

Scalar/

SROA.cpp

13 lines

test/

DebugInfo/

X86/

sroasplit-2.ll

3 lines

Transforms/

SROA/

basictest.ll

57 lines

big-endian.ll

40 lines

Diff 129918

llvm/trunk/lib/Transforms/Scalar/SROA.cpp

Show First 20 Lines • Show All 118 Lines • ▼ Show 20 Lines
static cl::opt<bool> SROARandomShuffleSlices("sroa-random-shuffle-slices",		static cl::opt<bool> SROARandomShuffleSlices("sroa-random-shuffle-slices",
cl::init(false), cl::Hidden);		cl::init(false), cl::Hidden);

/// Hidden option to experiment with completely strict handling of inbounds		/// Hidden option to experiment with completely strict handling of inbounds
/// GEPs.		/// GEPs.
static cl::opt<bool> SROAStrictInbounds("sroa-strict-inbounds", cl::init(false),		static cl::opt<bool> SROAStrictInbounds("sroa-strict-inbounds", cl::init(false),
cl::Hidden);		cl::Hidden);

/// Hidden option to allow more aggressive splitting.
static cl::opt<bool>
SROASplitNonWholeAllocaSlices("sroa-split-nonwhole-alloca-slices",
cl::init(false), cl::Hidden);

namespace {		namespace {

/// \brief A custom IRBuilder inserter which prefixes all names, but only in		/// \brief A custom IRBuilder inserter which prefixes all names, but only in
/// Assert builds.		/// Assert builds.
class IRBuilderPrefixedInserter : public IRBuilderDefaultInserter {		class IRBuilderPrefixedInserter : public IRBuilderDefaultInserter {
std::string Prefix;		std::string Prefix;

const Twine getNameWithPrefix(const Twine &Name) const {		const Twine getNameWithPrefix(const Twine &Name) const {
▲ Show 20 Lines • Show All 3,786 Lines • ▼ Show 20 Lines	VectorType *VecTy =
IsIntegerPromotable ? nullptr : isVectorPromotionViable(P, DL);		IsIntegerPromotable ? nullptr : isVectorPromotionViable(P, DL);
if (VecTy)		if (VecTy)
SliceTy = VecTy;		SliceTy = VecTy;

// Check for the case where we're going to rewrite to a new alloca of the		// Check for the case where we're going to rewrite to a new alloca of the
// exact same type as the original, and with the same access offsets. In that		// exact same type as the original, and with the same access offsets. In that
// case, re-use the existing alloca, but still run through the rewriter to		// case, re-use the existing alloca, but still run through the rewriter to
// perform phi and select speculation.		// perform phi and select speculation.
		// P.beginOffset() can be non-zero even with the same type in a case with
		// out-of-bounds access (e.g. @PR35657 function in SROA/basictest.ll).
AllocaInst *NewAI;		AllocaInst *NewAI;
if (SliceTy == AI.getAllocatedType()) {		if (SliceTy == AI.getAllocatedType() && P.beginOffset() == 0) {
assert(P.beginOffset() == 0 &&
"Non-zero begin offset but same alloca type");
NewAI = &AI;		NewAI = &AI;
// FIXME: We should be able to bail at this point with "nothing changed".		// FIXME: We should be able to bail at this point with "nothing changed".
// FIXME: We might want to defer PHI speculation until after here.		// FIXME: We might want to defer PHI speculation until after here.
// FIXME: return nullptr;		// FIXME: return nullptr;
} else {		} else {
unsigned Alignment = AI.getAlignment();		unsigned Alignment = AI.getAlignment();
if (!Alignment) {		if (!Alignment) {
// The minimum alignment which users can rely on when the explicit		// The minimum alignment which users can rely on when the explicit
▲ Show 20 Lines • Show All 109 Lines • ▼ Show 20 Lines	bool SROA::splitAlloca(AllocaInst &AI, AllocaSlices &AS) {
// We leave a slice splittable if all other slices are disjoint or fully		// We leave a slice splittable if all other slices are disjoint or fully
// included in the slice, such as whole-alloca loads and stores.		// included in the slice, such as whole-alloca loads and stores.
// If we fail to split these during pre-splitting, we want to force them		// If we fail to split these during pre-splitting, we want to force them
// to be rewritten into a partition.		// to be rewritten into a partition.
bool IsSorted = true;		bool IsSorted = true;

uint64_t AllocaSize = DL.getTypeAllocSize(AI.getAllocatedType());		uint64_t AllocaSize = DL.getTypeAllocSize(AI.getAllocatedType());
const uint64_t MaxBitVectorSize = 1024;		const uint64_t MaxBitVectorSize = 1024;
if (SROASplitNonWholeAllocaSlices && AllocaSize <= MaxBitVectorSize) {		if (AllocaSize <= MaxBitVectorSize) {
// If a byte boundary is included in any load or store, a slice starting or		// If a byte boundary is included in any load or store, a slice starting or
// ending at the boundary is not splittable.		// ending at the boundary is not splittable.
SmallBitVector SplittableOffset(AllocaSize + 1, true);		SmallBitVector SplittableOffset(AllocaSize + 1, true);
for (Slice &S : AS)		for (Slice &S : AS)
for (unsigned O = S.beginOffset() + 1;		for (unsigned O = S.beginOffset() + 1;
O < S.endOffset() && O < AllocaSize; O++)		O < S.endOffset() && O < AllocaSize; O++)
SplittableOffset.reset(O);		SplittableOffset.reset(O);

▲ Show 20 Lines • Show All 373 Lines • Show Last 20 Lines

llvm/trunk/test/DebugInfo/X86/sroasplit-2.ll

	Show All 15 Lines
	; int foo(Outer outer) {			; int foo(Outer outer) {
	; Inner i1 = outer.inner[1];			; Inner i1 = outer.inner[1];
	; return i1.a;			; return i1.a;
	; }			; }
	;			;

	; Verify that SROA creates a variable piece when splitting i1.			; Verify that SROA creates a variable piece when splitting i1.
	; CHECK: call void @llvm.dbg.value(metadata i64 %outer.coerce0, metadata ![[O:[0-9]+]], metadata !DIExpression(DW_OP_LLVM_fragment, 0, 64)),			; CHECK: call void @llvm.dbg.value(metadata i64 %outer.coerce0, metadata ![[O:[0-9]+]], metadata !DIExpression(DW_OP_LLVM_fragment, 0, 64)),
	; CHECK: call void @llvm.dbg.value(metadata i64 %outer.coerce1, metadata ![[O]], metadata !DIExpression(DW_OP_LLVM_fragment, 64, 64)),			; CHECK: call void @llvm.dbg.value(metadata i32 {{.*}}, metadata ![[O]], metadata !DIExpression(DW_OP_LLVM_fragment, 64, 32)),
				; CHECK: call void @llvm.dbg.value(metadata i32 {{.*}}, metadata ![[O]], metadata !DIExpression(DW_OP_LLVM_fragment, 96, 32)),
	; CHECK: call void @llvm.dbg.value({{.*}}, metadata ![[I1:[0-9]+]], metadata !DIExpression(DW_OP_LLVM_fragment, 0, 32)),			; CHECK: call void @llvm.dbg.value({{.*}}, metadata ![[I1:[0-9]+]], metadata !DIExpression(DW_OP_LLVM_fragment, 0, 32)),
	; CHECK-DAG: ![[O]] = !DILocalVariable(name: "outer",{{.*}} line: 10			; CHECK-DAG: ![[O]] = !DILocalVariable(name: "outer",{{.*}} line: 10
	; CHECK-DAG: ![[I1]] = !DILocalVariable(name: "i1",{{.*}} line: 11			; CHECK-DAG: ![[I1]] = !DILocalVariable(name: "i1",{{.*}} line: 11

	; ModuleID = 'sroasplit-2.c'			; ModuleID = 'sroasplit-2.c'
	target datalayout = "e-m:o-i64:64-f80:128-n8:16:32:64-S128"			target datalayout = "e-m:o-i64:64-f80:128-n8:16:32:64-S128"
	target triple = "x86_64-apple-macosx10.9.0"			target triple = "x86_64-apple-macosx10.9.0"

	▲ Show 20 Lines • Show All 66 Lines • Show Last 20 Lines

llvm/trunk/test/Transforms/SROA/basictest.ll

Show First 20 Lines • Show All 1,609 Lines • ▼ Show 20 Lines	entry:
%load = load atomic volatile i64, i64* %ptr seq_cst, align 8		%load = load atomic volatile i64, i64* %ptr seq_cst, align 8
ret void		ret void
}		}

define i16 @PR24463() {		define i16 @PR24463() {
; Ensure we can handle a very interesting case where there is an integer-based		; Ensure we can handle a very interesting case where there is an integer-based
; rewrite of the uses of the alloca, but where one of the integers in that is		; rewrite of the uses of the alloca, but where one of the integers in that is
; a sub-integer that requires extraction and extends past the end of the		; a sub-integer that requires extraction and extends past the end of the
; alloca. In this case, we should extract the i8 and then zext it to i16.		; alloca. SROA can split the alloca to avoid shift or trunc.
;		;
; CHECK-LABEL: @PR24463(		; CHECK-LABEL: @PR24463(
; CHECK-NOT: alloca		; CHECK-NOT: alloca
; CHECK: %[[SHIFT:.*]] = lshr i16 0, 8		; CHECK-NOT: trunc
; CHECK: %[[TRUNC:.*]] = trunc i16 %[[SHIFT]] to i8		; CHECK-NOT: lshr
; CHECK: %[[ZEXT:.*]] = zext i8 %[[TRUNC]] to i16		; CHECK: %[[ZEXT:.]] = zext i8 {{.}} to i16
; CHECK: ret i16 %[[ZEXT]]		; CHECK: ret i16 %[[ZEXT]]
entry:		entry:
%alloca = alloca [3 x i8]		%alloca = alloca [3 x i8]
%gep1 = getelementptr inbounds [3 x i8], [3 x i8]* %alloca, i64 0, i64 1		%gep1 = getelementptr inbounds [3 x i8], [3 x i8]* %alloca, i64 0, i64 1
%bc1 = bitcast i8* %gep1 to i16*		%bc1 = bitcast i8* %gep1 to i16*
store i16 0, i16* %bc1		store i16 0, i16* %bc1
%gep2 = getelementptr inbounds [3 x i8], [3 x i8]* %alloca, i64 0, i64 2		%gep2 = getelementptr inbounds [3 x i8], [3 x i8]* %alloca, i64 0, i64 2
%bc2 = bitcast i8* %gep2 to i16*		%bc2 = bitcast i8* %gep2 to i16*
▲ Show 20 Lines • Show All 57 Lines • ▼ Show 20 Lines
; CHECK-NEXT: ret void		; CHECK-NEXT: ret void
bb1:		bb1:
%e.7.sroa.6.i = alloca i32, align 1		%e.7.sroa.6.i = alloca i32, align 1
%e.7.sroa.6.0.load81.i = load i32, i32* %e.7.sroa.6.i, align 1		%e.7.sroa.6.0.load81.i = load i32, i32* %e.7.sroa.6.i, align 1
%0 = bitcast i32* %e.7.sroa.6.i to i8*		%0 = bitcast i32* %e.7.sroa.6.i to i8*
call void @llvm.lifetime.end.p0i8(i64 2, i8* %0)		call void @llvm.lifetime.end.p0i8(i64 2, i8* %0)
ret void		ret void
}		}

		; PR35657 reports assertion failure with this code
		define void @PR35657(i64 %v) {
		; CHECK-LABEL: @PR35657
		; CHECK: call void @callee16(i16 %{{.*}})
		; CHECK: call void @callee48(i48 %{{.*}})
		; CHECK: ret void
		entry:
		%a48 = alloca i48
		%a48.cast64 = bitcast i48* %a48 to i64*
		store i64 %v, i64* %a48.cast64
		%a48.cast16 = bitcast i48* %a48 to i16*
		%b0_15 = load i16, i16* %a48.cast16
		%a48.cast8 = bitcast i48* %a48 to i8*
		%a48_offset2 = getelementptr inbounds i8, i8* %a48.cast8, i64 2
		%a48_offset2.cast48 = bitcast i8* %a48_offset2 to i48*
		%b16_63 = load i48, i48* %a48_offset2.cast48, align 2
		call void @callee16(i16 %b0_15)
		call void @callee48(i48 %b16_63)
		ret void
		}

		declare void @callee16(i16 %a)
		declare void @callee48(i48 %a)

		define void @test28(i64 %v) #0 {
		; SROA should split the first i64 store to avoid additional and/or instructions
		; when storing into i32 fields

		; CHECK-LABEL: @test28(
		; CHECK-NOT: alloca
		; CHECK-NOT: and
		; CHECK-NOT: or
		; CHECK: %[[shift:.*]] = lshr i64 %v, 32
		; CHECK-NEXT: %{{.*}} = trunc i64 %[[shift]] to i32
		; CHECK-NEXT: ret void

		entry:
		%t = alloca { i64, i32, i32 }

		%b = getelementptr { i64, i32, i32 }, { i64, i32, i32 }* %t, i32 0, i32 1
		%0 = bitcast i32* %b to i64*
		store i64 %v, i64* %0

		%1 = load i32, i32* %b
		%c = getelementptr { i64, i32, i32 }, { i64, i32, i32 }* %t, i32 0, i32 2
		store i32 %1, i32* %c
		ret void
		}

llvm/trunk/test/Transforms/SROA/big-endian.ll

	Show First 20 Lines • Show All 77 Lines • ▼ Show 20 Lines

	; CHECK-NOT: store			; CHECK-NOT: store
	; CHECK-NOT: load			; CHECK-NOT: load

	%a0i16ptr = bitcast i8* %a0ptr to i16*			%a0i16ptr = bitcast i8* %a0ptr to i16*
	store i16 1, i16* %a0i16ptr			store i16 1, i16* %a0i16ptr

	store i8 1, i8* %a2ptr			store i8 1, i8* %a2ptr
	; CHECK: %[[mask1:.*]] = and i40 undef, 4294967295
	; CHECK-NEXT: %[[insert1:.*]] = or i40 %[[mask1]], 4294967296

	%a3i24ptr = bitcast i8* %a3ptr to i24*			%a3i24ptr = bitcast i8* %a3ptr to i24*
	store i24 1, i24* %a3i24ptr			store i24 1, i24* %a3i24ptr
	; CHECK-NEXT: %[[mask2:.*]] = and i40 %[[insert1]], -4294967041
	; CHECK-NEXT: %[[insert2:.*]] = or i40 %[[mask2]], 256

	%a2i40ptr = bitcast i8* %a2ptr to i40*			%a2i40ptr = bitcast i8* %a2ptr to i40*
	store i40 1, i40* %a2i40ptr			store i40 1, i40* %a2i40ptr
	; CHECK-NEXT: %[[ext3:.*]] = zext i40 1 to i56
	; CHECK-NEXT: %[[mask3:.*]] = and i56 undef, -1099511627776			; the alloca is splitted into multiple slices
	; CHECK-NEXT: %[[insert3:.*]] = or i56 %[[mask3]], %[[ext3]]			; Here, i8 1 is for %a[6]
				; CHECK: %[[ext1:.*]] = zext i8 1 to i40
				; CHECK-NEXT: %[[mask1:.*]] = and i40 undef, -256
				; CHECK-NEXT: %[[insert1:.*]] = or i40 %[[mask1]], %[[ext1]]

				; Here, i24 0 is for %a[3] to %a[5]
				; CHECK-NEXT: %[[ext2:.*]] = zext i24 0 to i40
				; CHECK-NEXT: %[[shift2:.*]] = shl i40 %[[ext2]], 8
				; CHECK-NEXT: %[[mask2:.*]] = and i40 %[[insert1]], -4294967041
				; CHECK-NEXT: %[[insert2:.*]] = or i40 %[[mask2]], %[[shift2]]

				; Here, i8 0 is for %a[2]
				; CHECK-NEXT: %[[ext3:.*]] = zext i8 0 to i40
				; CHECK-NEXT: %[[shift3:.*]] = shl i40 %[[ext3]], 32
				; CHECK-NEXT: %[[mask3:.*]] = and i40 %[[insert2]], 4294967295
				; CHECK-NEXT: %[[insert3:.*]] = or i40 %[[mask3]], %[[shift3]]

				; CHECK-NEXT: %[[ext4:.*]] = zext i40 %[[insert3]] to i56
				; CHECK-NEXT: %[[mask4:.*]] = and i56 undef, -1099511627776
				; CHECK-NEXT: %[[insert4:.*]] = or i56 %[[mask4]], %[[ext4]]

	; CHECK-NOT: store			; CHECK-NOT: store
	; CHECK-NOT: load			; CHECK-NOT: load

	%aiptr = bitcast [7 x i8]* %a to i56*			%aiptr = bitcast [7 x i8]* %a to i56*
	%ai = load i56, i56* %aiptr			%ai = load i56, i56* %aiptr
	%ret = zext i56 %ai to i64			%ret = zext i56 %ai to i64
	ret i64 %ret			ret i64 %ret
	; CHECK-NEXT: %[[ext4:.*]] = zext i16 1 to i56			; Here, i16 1 is for %a[0] to %a[1]
	; CHECK-NEXT: %[[shift4:.*]] = shl i56 %[[ext4]], 40			; CHECK-NEXT: %[[ext5:.*]] = zext i16 1 to i56
	; CHECK-NEXT: %[[mask4:.*]] = and i56 %[[insert3]], 1099511627775			; CHECK-NEXT: %[[shift5:.*]] = shl i56 %[[ext5]], 40
	; CHECK-NEXT: %[[insert4:.*]] = or i56 %[[mask4]], %[[shift4]]			; CHECK-NEXT: %[[mask5:.*]] = and i56 %[[insert4]], 1099511627775
	; CHECK-NEXT: %[[ret:.*]] = zext i56 %[[insert4]] to i64			; CHECK-NEXT: %[[insert5:.*]] = or i56 %[[mask5]], %[[shift5]]
				; CHECK-NEXT: %[[ret:.*]] = zext i56 %[[insert5]] to i64
	; CHECK-NEXT: ret i64 %[[ret]]			; CHECK-NEXT: ret i64 %[[ret]]
	}			}

	define i64 @PR14132(i1 %flag) {			define i64 @PR14132(i1 %flag) {
	; CHECK-LABEL: @PR14132(			; CHECK-LABEL: @PR14132(
	; Here we form a PHI-node by promoting the pointer alloca first, and then in			; Here we form a PHI-node by promoting the pointer alloca first, and then in
	; order to promote the other two allocas, we speculate the load of the			; order to promote the other two allocas, we speculate the load of the
	; now-phi-node-pointer. In doing so we end up loading a 64-bit value from an i8			; now-phi-node-pointer. In doing so we end up loading a 64-bit value from an i8
	▲ Show 20 Lines • Show All 117 Lines • Show Last 20 Lines