Internally, I can see that either (1) this causes the following code to miscompile, or (2) the code is UB:
https://github.com/grpc/grpc/blob/master/src/core/ext/transport/chttp2/transport/frame_settings.cc#L48
Note that in that code the two checks on lines 57 and 64 are related if that helps.

Working on providing a small reproducible test case.

In D72396#1810034, @krasimir wrote:

Internally, I can see that either (1) this causes the following code to miscompile, or (2) the code is UB:
https://github.com/grpc/grpc/blob/master/src/core/ext/transport/chttp2/transport/frame_settings.cc#L48
Note that in that code the two checks on lines 57 and 64 are related if that helps.

What is the maximal value of count there? Is it count u< 32? (Is that code UBSan-clean?)

Working on providing a small reproducible test case.

The original code seems ubsan-clean.

Reproducer:

Running under x86_64.

steps

$ clang -lsdc++ -O3 main.cpp
$ ./a.out < input.txt

main.cpp

// main.cpp
#include <cstdint>
#include <cstdio>

int f(uint32_t* olds, const uint32_t* news, uint32_t mask, size_t count) {
  size_t i;
  uint32_t n = 0;
  for (i = 0; i < count; i++) {
    n += (news[i] != olds[i] || (mask & (1u << i)) != 0);
  }
  return n;
}

int main() {
  size_t count;
  uint32_t mask;
  scanf("%zu %u", &count, &mask);
  printf("count: %zu\n", count);
  printf("mask: %u\n", mask);
  uint32_t* olds = new uint32_t[count];
  uint32_t* news = new uint32_t[count];
  for (int i = 0; i < count; ++i) {
    scanf("%u", olds + i);
  }
  for (int i = 0; i < count; ++i) {
    scanf("%u", news + i);
  }
  printf("olds: ");
  for (int i = 0; i < count; ++i) {
    printf("%u ", olds[i]);
  }
  printf("\n");
  printf("news: ");
  for (int i = 0; i < count; ++i) {
    printf("%u ", news[i]);
  }
  printf("\n");
  printf("\n\nn:%d\n", f(olds, news, mask, count));
}

input.txt

7 8
4096 1 4294967295 65535 16384 16777216 0
4096 0 0 4194304 4194304 8192 1

Expected output (without this patch):

count: 7
mask: 8
olds: 4096 1 4294967295 65535 16384 16777216 0 
news: 4096 0 0 4194304 4194304 8192 1 


n:6

Output with this patch:

(with clang built at revision 903e5c3028d)

count: 7
mask: 8
olds: 4096 1 4294967295 65535 16384 16777216 0 
news: 4096 0 0 4194304 4194304 8192 1 


n:1

Thanks all for the reductions!

From what I can see so far, this patch is exposing an existing bug. We do this in instcombine independently of this patch:

$ cat sel.ll 
define i1 @poison_sel(i1 %cmp1, i1 %t) {
  %s = select i1 %cmp1, i1 %t, i1 true
  ret i1 %s
}
$ opt -instcombine sel.ll -S
define i1 @poison_sel(i1 %cmp1, i1 %t) {
  %not.cmp1 = xor i1 %cmp1, true
  %s = or i1 %not.cmp1, %t
  ret i1 %s
}

https://rise4fun.com/Alive/0uez
ERROR: Target is more poisonous than Source for i1 %s

I'm very surprised we didn't hit this sooner, but we have this set of 'select' folds in InstCombiner::visitSelectInst() that have existed for at least 10 years, and they are all poison-unsafe:

Name: fval is true
  %s = select i1 %cmp1, i1 %x, i1 true
  =>
  %not = xor i1 %cmp1, true
  %s = or i1 %not, %x

Name: fval is false
  %s = select i1 %cmp1, i1 %x, i1 false
  =>
  %s = and i1 %cmp1, %x

Name: tval is true
  %s = select i1 %cmp1, i1 true, i1 %x
  =>
  %s = or i1 %cmp1, %x

Name: tval is false
  %s = select i1 %cmp1, i1 false, i1 %x
  =>
  %not = xor i1 %cmp1, true
  %s = and i1 %not, %x

Very nice! People have been talking about those select folds being unsound for a long time, but I think this is the first time they cause a real-life miscompile...

What is status of this patch?

In D72396#2213671, @xbolva00 wrote:

What is status of this patch?

We need to remove the unsafe select transforms and see if anything regresses. Then, add transforms to avoid those regressions. When there are no more known regressions after removing the select transforms, this patch should be good to go.

It should be ready to go?

In D72396#2696806, @xbolva00 wrote:

It should be ready to go?

I don't think we're there yet. cc @aqjune to see what is remaining.

The most basic test is still converted to bitwise logic:

define i1 @poison_sel(i1 %cmp1, i1 %t) {
  %s = select i1 %cmp1, i1 %t, i1 true
  ret i1 %s
}

The C++ reproducer from https://reviews.llvm.org/D72396#1810203 is also still miscompiled with this patch applied.

There were many plumbings done to existing transformations to recognize select instead of and/or, and then D99674 did conditional disabling of the select folding.
There hasn't been a performance regression reported, except instruction cost related issue which is immediately patched later.

This is a very hopeful news because the patch is virtually disabling the folding in most cases.
The patch blocks select a, b, false -> and a, b (and similarly for or) if b contains op that creates poison, e.g. icmp (add nsw), x.

In the patch I promised to fully remove the select folding if there is no performanace regression for 2 weeks, and now the duration has passed, so maybe it is time to remove it.
In a day or two I'll have a time to make a patch for its full removal.

In D72396#2697589, @aqjune wrote:

In a day or two I'll have a time to make a patch for its full removal.

Great - thank you for all of the patches!

The select fix landed last week (and hasn't been reverted yet -- yay), so it's probably possible to pick this back up now.

In D72396#2748629, @nikic wrote:

The select fix landed last week (and hasn't been reverted yet -- yay), so it's probably possible to pick this back up now.

Thanks for the reminder...right on cue, it looks like we just got a regression report. :)
So I'll hold off a bit to see if we can fix that up first.

I think it is safe to try this again. It's been about 2 weeks since D101191 landed, and the C++ repro program produces the expected output now.
The patch still applies cleanly, so no updates needed.
Can someone re-review / mark this as approved? Thanks!

Ping.