This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/Transforms/InstCombine/
-
Transforms/
-
InstCombine/
2/2
InstCombineCompares.cpp
-
test/Transforms/InstCombine/
-
Transforms/
-
InstCombine/
2/3
gep-inbounds-null.ll

Differential D67233

InstCombine: Fix crash on icmp of gep with addrspacecasted null
ClosedPublic

Authored by arsenm on Sep 5 2019, 10:37 AM.

Download Raw Diff

Details

Reviewers

reames
jdoerfert
spatel

Diff Detail

Event Timeline

arsenm created this revision.Sep 5 2019, 10:37 AM

Herald added a subscriber: wdng. · View Herald TranscriptSep 5 2019, 10:37 AM

jdoerfert added inline comments.Sep 5 2019, 11:33 AM

lib/Transforms/InstCombine/InstCombineCompares.cpp
908	Why doesn't the `NullPointerIsDefined` check catch this and prevent the transformation in the first place?

arsenm marked an inline comment as done.Sep 5 2019, 11:37 AM

arsenm added inline comments.

lib/Transforms/InstCombine/InstCombineCompares.cpp
908	Because this is valid. This stripped off the addrspacecast and sees this is a cast from the invalid null in addrspace 0.

jdoerfert added inline comments.Sep 5 2019, 11:54 AM

test/Transforms/InstCombine/gep-inbounds-null.ll

223

I somehow feel we should transform this into ret i1 false instead of something we cannot lower into a constant anymore.

However, I see the problem and the fix seems fine. Could you add the following test as well and a fixme above to denote this should be ret i1 false?

define i1 @invalid_bitcast_icmp_addrspacecast_as0_null_var(i32 addrspace(5)* %ptr, i32 %idx) {
; CHECK-LABEL: @invalid_bitcast_icmp_addrspacecast_as0_null(
; CHECK-NEXT:  bb:
; CHECK-NEXT:    [[TMP2:%.*]] = icmp eq i32 addrspace(5)* [[PTR:%.*]], addrspacecast (i32* null to i32 addrspace(5)*)
; CHECK-NEXT:    ret i1 [[TMP2]]
;
bb:
  %tmp1 = getelementptr inbounds i32, i32 addrspace(5)* %ptr, i32 %idx
  %tmp2 = icmp eq i32 addrspace(5)* %tmp1, addrspacecast (i32* null to i32 addrspace(5)*)
  ret i1 %tmp2
}

arsenm marked an inline comment as done.Sep 5 2019, 12:01 PM

arsenm added inline comments.

test/Transforms/InstCombine/gep-inbounds-null.ll
223	Actually, this did fold to false in my original test. I might have broken something when I copied it into the preexisting test

Add test and fixme

test/Transforms/InstCombine/gep-inbounds-null.ll
223	My original test was comparing to an alloca derived pointer, so I believe it was deleted for other reasons

Thx. LGTM.

This revision is now accepted and ready to land.Sep 5 2019, 4:20 PM

r371146

Revision Contents

Path

Size

lib/

Transforms/

InstCombine/

InstCombineCompares.cpp

4 lines

test/

Transforms/

InstCombine/

gep-inbounds-null.ll

28 lines

Diff 218993

lib/Transforms/InstCombine/InstCombineCompares.cpp

Show First 20 Lines • Show All 899 Lines • ▼ Show 20 Lines	if (!Offset)
Offset = EmitGEPOffset(GEPLHS);		Offset = EmitGEPOffset(GEPLHS);
return new ICmpInst(ICmpInst::getSignedPredicate(Cond), Offset,		return new ICmpInst(ICmpInst::getSignedPredicate(Cond), Offset,
Constant::getNullValue(Offset->getType()));		Constant::getNullValue(Offset->getType()));
}		}

if (GEPLHS->isInBounds() && ICmpInst::isEquality(Cond) &&		if (GEPLHS->isInBounds() && ICmpInst::isEquality(Cond) &&
isa<Constant>(RHS) && cast<Constant>(RHS)->isNullValue() &&		isa<Constant>(RHS) && cast<Constant>(RHS)->isNullValue() &&
!NullPointerIsDefined(I.getFunction(),		!NullPointerIsDefined(I.getFunction(),
RHS->getType()->getPointerAddressSpace())) {		RHS->getType()->getPointerAddressSpace())) {
		jdoerfertUnsubmitted Done Reply Inline Actions Why doesn't the `NullPointerIsDefined` check catch this and prevent the transformation in the first place? jdoerfert: Why doesn't the `NullPointerIsDefined` check catch this and prevent the transformation in the…
		arsenmAuthorUnsubmitted Done Reply Inline Actions Because this is valid. This stripped off the addrspacecast and sees this is a cast from the invalid null in addrspace 0. arsenm: Because this is valid. This stripped off the addrspacecast and sees this is a cast from the…
// For most address spaces, an allocation can't be placed at null, but null		// For most address spaces, an allocation can't be placed at null, but null
// itself is treated as a 0 size allocation in the in bounds rules. Thus,		// itself is treated as a 0 size allocation in the in bounds rules. Thus,
// the only valid inbounds address derived from null, is null itself.		// the only valid inbounds address derived from null, is null itself.
// Thus, we have four cases to consider:		// Thus, we have four cases to consider:
// 1) Base == nullptr, Offset == 0 -> inbounds, null		// 1) Base == nullptr, Offset == 0 -> inbounds, null
// 2) Base == nullptr, Offset != 0 -> poison as the result is out of bounds		// 2) Base == nullptr, Offset != 0 -> poison as the result is out of bounds
// 3) Base != nullptr, Offset == (-base) -> poison (crossing allocations)		// 3) Base != nullptr, Offset == (-base) -> poison (crossing allocations)
// 4) Base != nullptr, Offset != (-base) -> nonnull (and possibly poison)		// 4) Base != nullptr, Offset != (-base) -> nonnull (and possibly poison)
//		//
// (Note if we're indexing a type of size 0, that simply collapses into one		// (Note if we're indexing a type of size 0, that simply collapses into one
// of the buckets above.)		// of the buckets above.)
//		//
// In general, we're allowed to make values less poison (i.e. remove		// In general, we're allowed to make values less poison (i.e. remove
// sources of full UB), so in this case, we just select between the two		// sources of full UB), so in this case, we just select between the two
// non-poison cases (1 and 4 above).		// non-poison cases (1 and 4 above).
//		//
// For vectors, we apply the same reasoning on a per-lane basis.		// For vectors, we apply the same reasoning on a per-lane basis.
auto *Base = GEPLHS->getPointerOperand();		auto *Base = GEPLHS->getPointerOperand();
if (GEPLHS->getType()->isVectorTy() && Base->getType()->isPointerTy()) {		if (GEPLHS->getType()->isVectorTy() && Base->getType()->isPointerTy()) {
int NumElts = GEPLHS->getType()->getVectorNumElements();		int NumElts = GEPLHS->getType()->getVectorNumElements();
Base = Builder.CreateVectorSplat(NumElts, Base);		Base = Builder.CreateVectorSplat(NumElts, Base);
}		}
return new ICmpInst(Cond, Base,		return new ICmpInst(Cond, Base,
ConstantExpr::getBitCast(cast<Constant>(RHS),		ConstantExpr::getPointerBitCastOrAddrSpaceCast(
Base->getType()));		cast<Constant>(RHS), Base->getType()));
} else if (GEPOperator *GEPRHS = dyn_cast<GEPOperator>(RHS)) {		} else if (GEPOperator *GEPRHS = dyn_cast<GEPOperator>(RHS)) {
// If the base pointers are different, but the indices are the same, just		// If the base pointers are different, but the indices are the same, just
// compare the base pointer.		// compare the base pointer.
if (PtrBase != GEPRHS->getOperand(0)) {		if (PtrBase != GEPRHS->getOperand(0)) {
bool IndicesTheSame = GEPLHS->getNumOperands()==GEPRHS->getNumOperands();		bool IndicesTheSame = GEPLHS->getNumOperands()==GEPRHS->getNumOperands();
IndicesTheSame &= GEPLHS->getOperand(0)->getType() ==		IndicesTheSame &= GEPLHS->getOperand(0)->getType() ==
GEPRHS->getOperand(0)->getType();		GEPRHS->getOperand(0)->getType();
if (IndicesTheSame)		if (IndicesTheSame)
▲ Show 20 Lines • Show All 5,097 Lines • Show Last 20 Lines

test/Transforms/InstCombine/gep-inbounds-null.ll

	Show First 20 Lines • Show All 200 Lines • ▼ Show 20 Lines
	; CHECK-NEXT: [[CND:%.]] = icmp eq i8 addrspace(2) [[GEP]], null			; CHECK-NEXT: [[CND:%.]] = icmp eq i8 addrspace(2) [[GEP]], null
	; CHECK-NEXT: ret i1 [[CND]]			; CHECK-NEXT: ret i1 [[CND]]
	;			;
	entry:			entry:
	%gep = getelementptr inbounds i8, i8 addrspace(2)* %base, i64 %idx			%gep = getelementptr inbounds i8, i8 addrspace(2)* %base, i64 %idx
	%cnd = icmp eq i8 addrspace(2)* %gep, null			%cnd = icmp eq i8 addrspace(2)* %gep, null
	ret i1 %cnd			ret i1 %cnd
	}			}

				; Test for an assert from trying to create an invalid constantexpr
				; bitcast between different address spaces. The addrspacecast is
				; stripped off and the addrspace(0) null can be treated as invalid.
				; FIXME: This should be able to fold to ret i1 false
				define i1 @invalid_bitcast_icmp_addrspacecast_as0_null(i32 addrspace(5)* %ptr) {
				; CHECK-LABEL: @invalid_bitcast_icmp_addrspacecast_as0_null(
				; CHECK-NEXT: bb:
				; CHECK-NEXT: [[TMP2:%.]] = icmp eq i32 addrspace(5) [[PTR:%.]], addrspacecast (i32 null to i32 addrspace(5)*)
				; CHECK-NEXT: ret i1 [[TMP2]]
				;
				bb:
				%tmp1 = getelementptr inbounds i32, i32 addrspace(5)* %ptr, i32 1
				%tmp2 = icmp eq i32 addrspace(5)* %tmp1, addrspacecast (i32* null to i32 addrspace(5)*)
				ret i1 %tmp2
				jdoerfertUnsubmitted Not Done Reply Inline Actions I somehow feel we should transform this into `ret i1 false` instead of something we cannot lower into a constant anymore. However, I see the problem and the fix seems fine. Could you add the following test as well and a fixme above to denote this should be `ret i1 false`? define i1 @invalid_bitcast_icmp_addrspacecast_as0_null_var(i32 addrspace(5)* %ptr, i32 %idx) { ; CHECK-LABEL: @invalid_bitcast_icmp_addrspacecast_as0_null( ; CHECK-NEXT: bb: ; CHECK-NEXT: [[TMP2:%.]] = icmp eq i32 addrspace(5) [[PTR:%.]], addrspacecast (i32 null to i32 addrspace(5)) ; CHECK-NEXT: ret i1 [[TMP2]] ; bb: %tmp1 = getelementptr inbounds i32, i32 addrspace(5) %ptr, i32 %idx %tmp2 = icmp eq i32 addrspace(5)* %tmp1, addrspacecast (i32* null to i32 addrspace(5)) ret i1 %tmp2 } jdoerfert:* I somehow feel we should transform this into `ret i1 false` instead of something we cannot…
				arsenmAuthorUnsubmitted Done Reply Inline Actions Actually, this did fold to false in my original test. I might have broken something when I copied it into the preexisting test arsenm: Actually, this did fold to false in my original test. I might have broken something when I…
				arsenmAuthorUnsubmitted Done Reply Inline Actions My original test was comparing to an alloca derived pointer, so I believe it was deleted for other reasons arsenm: My original test was comparing to an alloca derived pointer, so I believe it was deleted for…
				}

				define i1 @invalid_bitcast_icmp_addrspacecast_as0_null_var(i32 addrspace(5)* %ptr, i32 %idx) {
				; CHECK-LABEL: @invalid_bitcast_icmp_addrspacecast_as0_null_var(
				; CHECK-NEXT: bb:
				; CHECK-NEXT: [[TMP2:%.]] = icmp eq i32 addrspace(5) [[PTR:%.]], addrspacecast (i32 null to i32 addrspace(5)*)
				; CHECK-NEXT: ret i1 [[TMP2]]
				;
				bb:
				%tmp1 = getelementptr inbounds i32, i32 addrspace(5)* %ptr, i32 %idx
				%tmp2 = icmp eq i32 addrspace(5)* %tmp1, addrspacecast (i32* null to i32 addrspace(5)*)
				ret i1 %tmp2
				}

This is an archive of the discontinued LLVM Phabricator instance.

InstCombine: Fix crash on icmp of gep with addrspacecasted nullClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 218993

lib/Transforms/InstCombine/InstCombineCompares.cpp

test/Transforms/InstCombine/gep-inbounds-null.ll

InstCombine: Fix crash on icmp of gep with addrspacecasted null
ClosedPublic