This is an archive of the discontinued LLVM Phabricator instance.

[DAGCombiner] guard against an oversized shift crash
ClosedPublic

Authored by spatel on Nov 27 2018, 8:29 AM.

Download Raw Diff

Details

Reviewers

efriedma
craig.topper

Commits

rG2daceedf9279: [DAGCombiner] guard against an oversized shift crash
rL348089: [DAGCombiner] guard against an oversized shift crash

Summary

This change prevents the crash noted in the post-commit comments for rL347478 :
http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20181119/605166.html

We can't guarantee that an oversized shift amount is folded away, so we have to check for it.

Note that I committed an incomplete fix for that crash with:
rL347502

But as discussed here:
http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20181126/605679.html
...we have to try harder.

So I'm not sure how to expose the bug now (and apparently no fuzzers have found a way yet either).

On the plus side, we have discovered that we're missing real optimizations by not simplifying nodes sooner, so the earlier fix still has value, and there's likely more value in extending that so we can simplify more opcodes and simplify when doing RAUW and/or putting nodes on the combiner worklist.

Diff Detail

Event Timeline

spatel created this revision.Nov 27 2018, 8:29 AM

Herald added a subscriber: mcrosier. · View Herald TranscriptNov 27 2018, 8:29 AM

uabelho added a subscriber: uabelho.Nov 28 2018, 6:18 AM

bjope added a subscriber: bjope.Nov 28 2018, 11:01 AM

efriedma added inline comments.Nov 29 2018, 3:46 PM

lib/CodeGen/SelectionDAG/DAGCombiner.cpp
6105	I think you need to use getLimitedValue() here?

Patch updated:
Fixed to use "getLimitedValue" (make sure that really big values don't escape the check).

LGTM

This revision is now accepted and ready to land.Nov 30 2018, 9:38 AM

Closed by commit rL348089: [DAGCombiner] guard against an oversized shift crash (authored by spatel). · Explain WhyDec 2 2018, 5:36 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

CodeGen/

SelectionDAG/

DAGCombiner.cpp

23 lines

Diff 175489

lib/CodeGen/SelectionDAG/DAGCombiner.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 6,092 Lines • ▼ Show 20 Lines	if (N0Opcode == ISD::AND && N0.hasOneUse() && N0->getOperand(1) == N1) {
SDValue NotX = DAG.getNOT(SDLoc(X), X, VT);		SDValue NotX = DAG.getNOT(SDLoc(X), X, VT);
AddToWorklist(NotX.getNode());		AddToWorklist(NotX.getNode());
return DAG.getNode(ISD::AND, DL, VT, NotX, N1);		return DAG.getNode(ISD::AND, DL, VT, NotX, N1);
}		}

if ((N0Opcode == ISD::SRL \|\| N0Opcode == ISD::SHL) && N0.hasOneUse()) {		if ((N0Opcode == ISD::SRL \|\| N0Opcode == ISD::SHL) && N0.hasOneUse()) {
ConstantSDNode *XorC = isConstOrConstSplat(N1);		ConstantSDNode *XorC = isConstOrConstSplat(N1);
ConstantSDNode *ShiftC = isConstOrConstSplat(N0.getOperand(1));		ConstantSDNode *ShiftC = isConstOrConstSplat(N0.getOperand(1));
		unsigned BitWidth = VT.getScalarSizeInBits();
if (XorC && ShiftC) {		if (XorC && ShiftC) {
APInt Ones = APInt::getAllOnesValue(VT.getScalarSizeInBits());		// Don't crash on an oversized shift. We can not guarantee that a bogus
Ones = N0Opcode == ISD::SHL ? Ones.shl(ShiftC->getZExtValue())		// shift has been simplified to undef.
: Ones.lshr(ShiftC->getZExtValue());		unsigned ShiftAmt = ShiftC->getZExtValue();
		efriedmaUnsubmitted Done Reply Inline Actions I think you need to use getLimitedValue() here? efriedma: I think you need to use getLimitedValue() here?
		if (ShiftAmt < BitWidth) {
		APInt Ones = APInt::getAllOnesValue(BitWidth);
		Ones = N0Opcode == ISD::SHL ? Ones.shl(ShiftAmt) : Ones.lshr(ShiftAmt);
if (XorC->getAPIntValue() == Ones) {		if (XorC->getAPIntValue() == Ones) {
// If the xor constant is a shifted -1, do a 'not' before the shift:		// If the xor constant is a shifted -1, do a 'not' before the shift:
// xor (X << ShiftC), XorC --> (not X) << ShiftC		// xor (X << ShiftC), XorC --> (not X) << ShiftC
// xor (X >> ShiftC), XorC --> (not X) >> ShiftC		// xor (X >> ShiftC), XorC --> (not X) >> ShiftC
SDValue Not = DAG.getNOT(DL, N0.getOperand(0), VT);		SDValue Not = DAG.getNOT(DL, N0.getOperand(0), VT);
return DAG.getNode(N0Opcode, DL, VT, Not, N0.getOperand(1));		return DAG.getNode(N0Opcode, DL, VT, Not, N0.getOperand(1));
}		}
}		}
}		}
		}

// fold Y = sra (X, size(X)-1); xor (add (X, Y), Y) -> (abs X)		// fold Y = sra (X, size(X)-1); xor (add (X, Y), Y) -> (abs X)
if (TLI.isOperationLegalOrCustom(ISD::ABS, VT)) {		if (TLI.isOperationLegalOrCustom(ISD::ABS, VT)) {
SDValue A = N0Opcode == ISD::ADD ? N0 : N1;		SDValue A = N0Opcode == ISD::ADD ? N0 : N1;
SDValue S = N0Opcode == ISD::SRA ? N0 : N1;		SDValue S = N0Opcode == ISD::SRA ? N0 : N1;
if (A.getOpcode() == ISD::ADD && S.getOpcode() == ISD::SRA) {		if (A.getOpcode() == ISD::ADD && S.getOpcode() == ISD::SRA) {
SDValue A0 = A.getOperand(0), A1 = A.getOperand(1);		SDValue A0 = A.getOperand(0), A1 = A.getOperand(1);
SDValue S0 = S.getOperand(0);		SDValue S0 = S.getOperand(0);
▲ Show 20 Lines • Show All 12,915 Lines • Show Last 20 Lines