This is an archive of the discontinued LLVM Phabricator instance.

Differential D66778

[Loads/SROA] Remove blatantly incorrect code and fix a bug revealed in the process
ClosedPublic

Authored by reames on Aug 26 2019, 5:38 PM.

Details

Reviewers
chandlerc
jdoerfert
Commits
rG2694522f1345: [Loads/SROA] Remove blatantly incorrect code and fix a bug revealed in the…
rL370102: [Loads/SROA] Remove blatantly incorrect code and fix a bug revealed in the…
Summary

The code we had isSafeToLoadUnconditionally was blatantly wrong. This function takes a "Size" argument which is supposed to describe the span loaded from. Instead, the code use the size of the pointer passed (which may be unrelated!) and only checks that span. For any Size > LoadSize, this can and does lead to miscompiles.

Worse, the generic code just a few lines above correctly handles the cases which *are* valid. So, let's delete said code.

(Note: There's another occurrence of the same bug in the same function in the scan code. I'll get that next.)

Removing this exposes a bits vs bytes confusion in SROA + one other test change where the semantics of the test aren't clear to me. I propose to simply change the test output (as in the diff) and move on.

Diff Detail

Repository
rL LLVM

Event Timeline

reames created this revision.Aug 26 2019, 5:38 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 26 2019, 5:38 PM
Herald added subscribers: bollu, mcrosier. · View Herald Transcript
jdoerfert accepted this revision.Aug 26 2019, 6:50 PM

I think ByteOffset is used *but* the logic you remove is just a copy of what isDereferenceableAndAlignedPointer is doing already only worse and also wrong (see my comment below).

LGTM.

test/Transforms/SROA/addrspacecast.ll
287 ↗(On Diff #217284)

Maybe add something like ; Note that the external linkage of @gv doesn't guarantee dereferenceable memory to make sure people will not fall into the same trap again and understand easily what is happening.

This revision is now accepted and ready to land.Aug 26 2019, 6:50 PM
reames updated this revision to Diff 217437.Aug 27 2019, 11:06 AM
reames edited the summary of this revision. (Show Details)

Updating patch, and requesting re-review.

I screwed up in posting the original patch. I managed to leave out part of the diff, and my patch description was unclear.

reames requested review of this revision.Aug 27 2019, 11:06 AM
reames updated this revision to Diff 217443.Aug 27 2019, 11:17 AM

Fix the other occurrence of the Size vs LoadSize bug.

reames updated this revision to Diff 217450.Aug 27 2019, 11:31 AM

Improve test coverage to make bugs being fixed clear.

jdoerfert accepted this revision.Aug 27 2019, 12:06 PM

Removing the duplicated (wrong) logic is still fine. Using Size is also the right thing. The bits/bytes size mixup seems unrelated but given that bytes is the right thing I'm OK with it.

The one thing I would like to add is a test for the Size vs PtrSize issue, see my comment below. Otherwise, LGTM.

lib/Analysis/Loads.cpp
268 ↗(On Diff #217450)

Can we have a test for this? I would hope something where we want to pre-loads a 64 bit pointer but only have a 32 bit access?

This revision is now accepted and ready to land.Aug 27 2019, 12:06 PM
reames marked an inline comment as done.Aug 27 2019, 12:15 PM
reames added inline comments.
lib/Analysis/Loads.cpp
268 ↗(On Diff #217450)

I've been sitting here trying to write that test for most of the morning. :)

Most existing callers pass a size which is the pointer size. The sole exception is the phi-speculation code in SROA, and I haven't figured out how to trigger it there just yet. My previously added select tests demonstrate the *spirit* of the problem, but don't actually expose the current bug.

Closed by commit rL370102: [Loads/SROA] Remove blatantly incorrect code and fix a bug revealed in the… (authored by reames). · Explain WhyAug 27 2019, 12:40 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Analysis/
47 lines
Transforms/
Scalar/
2 lines
test/
Transforms/
SROA/
11 lines

Diff 217475

llvm/trunk/lib/Analysis/Loads.cpp

Show First 20 LinesShow All 204 Lines▼ Show 20 Lines if (Align == 0)
Align = DL.getABITypeAlignment(V->getType()->getPointerElementType()); Align = DL.getABITypeAlignment(V->getType()->getPointerElementType());
assert(isPowerOf2_32(Align)); assert(isPowerOf2_32(Align));
// If DT is not specified we can't make context-sensitive query // If DT is not specified we can't make context-sensitive query
const Instruction* CtxI = DT ? ScanFrom : nullptr; const Instruction* CtxI = DT ? ScanFrom : nullptr;
if (isDereferenceableAndAlignedPointer(V, Align, Size, DL, CtxI, DT)) if (isDereferenceableAndAlignedPointer(V, Align, Size, DL, CtxI, DT))
return true; return true;
int64_t ByteOffset = 0; if (!ScanFrom)
Value *Base = V;
Base = GetPointerBaseWithConstantOffset(V, ByteOffset, DL);
if (ByteOffset < 0) // out of bounds
return false; return false;
Type *BaseType = nullptr; if (Size.getBitWidth() > 64)
unsigned BaseAlign = 0;
if (const AllocaInst *AI = dyn_cast<AllocaInst>(Base)) {
// An alloca is safe to load from as load as it is suitably aligned.
BaseType = AI->getAllocatedType();
BaseAlign = AI->getAlignment();
} else if (const GlobalVariable *GV = dyn_cast<GlobalVariable>(Base)) {
// Global variables are not necessarily safe to load from if they are
// interposed arbitrarily. Their size may change or they may be weak and
// require a test to determine if they were in fact provided.
if (!GV->isInterposable()) {
BaseType = GV->getType()->getElementType();
BaseAlign = GV->getAlignment();
}
}
PointerType *AddrTy = cast<PointerType>(V->getType());
uint64_t LoadSize = DL.getTypeStoreSize(AddrTy->getElementType());
// If we found a base allocated type from either an alloca or global variable,
// try to see if we are definitively within the allocated region. We need to
// know the size of the base type and the loaded type to do anything in this
// case.
if (BaseType && BaseType->isSized()) {
if (BaseAlign == 0)
BaseAlign = DL.getPrefTypeAlignment(BaseType);
if (Align <= BaseAlign) {
// Check if the load is within the bounds of the underlying object.
if (ByteOffset + LoadSize <= DL.getTypeAllocSize(BaseType) &&
((ByteOffset % Align) == 0))
return true;
}
}
if (!ScanFrom)
return false; return false;
const uint64_t LoadSize = Size.getZExtValue();
// Otherwise, be a little bit aggressive by scanning the local block where we // Otherwise, be a little bit aggressive by scanning the local block where we
// want to check to see if the pointer is already being loaded or stored // want to check to see if the pointer is already being loaded or stored
// from/to. If so, the previous load or store would have already trapped, // from/to. If so, the previous load or store would have already trapped,
// so there is no harm doing an extra load (also, CSE will later eliminate // so there is no harm doing an extra load (also, CSE will later eliminate
// the load entirely). // the load entirely).
BasicBlock::iterator BBI = ScanFrom->getIterator(), BasicBlock::iterator BBI = ScanFrom->getIterator(),
E = ScanFrom->getParent()->begin(); E = ScanFrom->getParent()->begin();
Show All 32 Lines while (BBI != E) {
Type *AccessedTy = AccessedPtr->getType()->getPointerElementType(); Type *AccessedTy = AccessedPtr->getType()->getPointerElementType();
if (AccessedAlign == 0) if (AccessedAlign == 0)
AccessedAlign = DL.getABITypeAlignment(AccessedTy); AccessedAlign = DL.getABITypeAlignment(AccessedTy);
if (AccessedAlign < Align) if (AccessedAlign < Align)
continue; continue;
// Handle trivial cases. // Handle trivial cases.
if (AccessedPtr == V) if (AccessedPtr == V &&
LoadSize <= DL.getTypeStoreSize(AccessedTy))
return true; return true;
if (AreEquivalentAddressValues(AccessedPtr->stripPointerCasts(), V) && if (AreEquivalentAddressValues(AccessedPtr->stripPointerCasts(), V) &&
LoadSize <= DL.getTypeStoreSize(AccessedTy)) LoadSize <= DL.getTypeStoreSize(AccessedTy))
return true; return true;
} }
return false; return false;
} }
▲ Show 20 LinesShow All 142 LinesShow Last 20 Lines

llvm/trunk/lib/Transforms/Scalar/SROA.cpp

Show First 20 LinesShow All 1,212 Lines▼ Show 20 Lines if (LI->getParent() != BB)
return false; return false;
// Ensure that there are no instructions between the PHI and the load that // Ensure that there are no instructions between the PHI and the load that
// could store. // could store.
for (BasicBlock::iterator BBI(PN); &*BBI != LI; ++BBI) for (BasicBlock::iterator BBI(PN); &*BBI != LI; ++BBI)
if (BBI->mayWriteToMemory()) if (BBI->mayWriteToMemory())
return false; return false;
uint64_t Size = DL.getTypeStoreSizeInBits(LI->getType()); uint64_t Size = DL.getTypeStoreSize(LI->getType());
MaxAlign = std::max(MaxAlign, LI->getAlignment()); MaxAlign = std::max(MaxAlign, LI->getAlignment());
MaxSize = MaxSize.ult(Size) ? APInt(APWidth, Size) : MaxSize; MaxSize = MaxSize.ult(Size) ? APInt(APWidth, Size) : MaxSize;
HaveLoad = true; HaveLoad = true;
} }
if (!HaveLoad) if (!HaveLoad)
return false; return false;
▲ Show 20 LinesShow All 3,419 LinesShow Last 20 Lines

llvm/trunk/test/Transforms/SROA/addrspacecast.ll

Show First 20 LinesShow All 276 Lines▼ Show 20 Lines;
%p.0.c = select i1 undef, i64* %c, i64* %c %p.0.c = select i1 undef, i64* %c, i64* %c
%asc = addrspacecast i64* %p.0.c to i64 addrspace(1)* %asc = addrspacecast i64* %p.0.c to i64 addrspace(1)*
%cond.in = select i1 undef, i64 addrspace(1)* %asc, i64 addrspace(1)* null %cond.in = select i1 undef, i64 addrspace(1)* %asc, i64 addrspace(1)* null
%cond = load i64, i64 addrspace(1)* %cond.in, align 8 %cond = load i64, i64 addrspace(1)* %cond.in, align 8
ret void ret void
} }
@gv = external addrspace(1) global i64 ;; If this was external, we wouldn't be able to prove dereferenceability
;; of the location.
@gv = addrspace(1) global i64 zeroinitializer
define void @select_addrspacecast_gv(i1 %a, i1 %b) { define void @select_addrspacecast_gv(i1 %a, i1 %b) {
; CHECK-LABEL: @select_addrspacecast_gv( ; CHECK-LABEL: @select_addrspacecast_gv(
; CHECK-NEXT: [[COND_SROA_SPECULATE_LOAD_FALSE:%.*]] = load i64, i64 addrspace(1)* @gv, align 8 ; CHECK-NEXT: [[COND_SROA_SPECULATE_LOAD_FALSE:%.*]] = load i64, i64 addrspace(1)* @gv, align 8
; CHECK-NEXT: [[COND_SROA_SPECULATED:%.*]] = select i1 undef, i64 undef, i64 [[COND_SROA_SPECULATE_LOAD_FALSE]] ; CHECK-NEXT: [[COND_SROA_SPECULATED:%.*]] = select i1 undef, i64 undef, i64 [[COND_SROA_SPECULATE_LOAD_FALSE]]
; CHECK-NEXT: ret void ; CHECK-NEXT: ret void
; ;
%c = alloca i64, align 8 %c = alloca i64, align 8
%p.0.c = select i1 undef, i64* %c, i64* %c %p.0.c = select i1 undef, i64* %c, i64* %c
%asc = addrspacecast i64* %p.0.c to i64 addrspace(1)* %asc = addrspacecast i64* %p.0.c to i64 addrspace(1)*
%cond.in = select i1 undef, i64 addrspace(1)* %asc, i64 addrspace(1)* @gv %cond.in = select i1 undef, i64 addrspace(1)* %asc, i64 addrspace(1)* @gv
%cond = load i64, i64 addrspace(1)* %cond.in, align 8 %cond = load i64, i64 addrspace(1)* %cond.in, align 8
ret void ret void
} }
; CHECK-LABEL: @select_addrspacecast_i8(
; CHECK: [[SEL:%.*]] = select i1 undef, i8 undef, i8 undef
; CHECK-NEXT: ret i8 [[SEL]]
define i8 @select_addrspacecast_i8() { define i8 @select_addrspacecast_i8() {
; CHECK-LABEL: @select_addrspacecast_i8(
; CHECK-NEXT: [[RET_SROA_SPECULATED:%.*]] = select i1 undef, i8 undef, i8 undef
; CHECK-NEXT: ret i8 [[RET_SROA_SPECULATED]]
;
%a = alloca i8 %a = alloca i8
%b = alloca i8 %b = alloca i8
%a.ptr = addrspacecast i8* %a to i8 addrspace(1)* %a.ptr = addrspacecast i8* %a to i8 addrspace(1)*
%b.ptr = addrspacecast i8* %b to i8 addrspace(1)* %b.ptr = addrspacecast i8* %b to i8 addrspace(1)*
%ptr = select i1 undef, i8 addrspace(1)* %a.ptr, i8 addrspace(1)* %b.ptr %ptr = select i1 undef, i8 addrspace(1)* %a.ptr, i8 addrspace(1)* %b.ptr
%ret = load i8, i8 addrspace(1)* %ptr %ret = load i8, i8 addrspace(1)* %ptr
ret i8 %ret ret i8 %ret
} }
!0 = !{!1, !1, i64 0, i64 1} !0 = !{!1, !1, i64 0, i64 1}
!1 = !{!2, i64 1, !"type_0"} !1 = !{!2, i64 1, !"type_0"}
!2 = !{!"root"} !2 = !{!"root"}
!3 = !{!4, !4, i64 0, i64 1} !3 = !{!4, !4, i64 0, i64 1}
!4 = !{!2, i64 1, !"type_3"} !4 = !{!2, i64 1, !"type_3"}