This is an archive of the discontinued LLVM Phabricator instance.

[X86] Fix a KNL miscompile caused by combineSetCC swapping LHS/RHS variables before a later use.
ClosedPublic

Authored by craig.topper on Dec 19 2019, 5:09 PM.

Details

Summary

The setcc operands are copied into LHS and RHS variables at the top of the function. We also capture the condition code.

A later piece of code swaps the operands and changing the CC variable as part of a canonicalization to make some other checks simpler. But we might not make the transform we canonicalized for. So we continue on through the function where we can use the swapped LHS/RHS variables and access the original condition code operand instead of the modified CC variable. This leads to a setcc being created with the original condition code, but with swapped operands.

To mitigate this, this patch does a couple things. The LHS/RHS/CC variables are made const to keep them from being modified like this again. The transform that needs the swap now uses temporary copies of the variables. And the transform that used the original condition code operand has been altered to use the CC variable we cached originally. Either of these changes are enough to fix the issue, but doing both to make this code very safe.

I also considered rewriting the swap code in some way to check both permutations without explicitly swapping or needing temporary variables, but held off on that.

Diff Detail

Event Timeline

craig.topper created this revision.Dec 19 2019, 5:09 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 19 2019, 5:09 PM
Herald added a subscriber: hiraditya. · View Herald Transcript
spatel accepted this revision.Dec 20 2019, 8:22 AM

LGTM. Breaking the function up with helpers/lambdas could be another option for not leaking modified state to other folds.

llvm/lib/Target/X86/X86ISelLowering.cpp
43341–43342

Add a comment here to explain. Something like:

// Make temporary copies of the operands because we may swap
// them to ease pattern matching, but then fall through without
// doing the transform.
This revision is now accepted and ready to land.Dec 20 2019, 8:22 AM
This revision was automatically updated to reflect the committed changes.