This is an archive of the discontinued LLVM Phabricator instance.

Differential D85332

[SCCP] Do not replace deref'able ptr with un-deref'able one.
ClosedPublic

Authored by fhahn on Aug 5 2020, 11:04 AM.

Details

Reviewers
nlopes
efriedma
hfinkel
aqjune
Commits
rG3542feeb2077: [SCCP] Do not replace deref'able ptr with un-deref'able one.
Summary

Currently IPSCCP (and others like CVP/GVN) blindly propagate pointer
equalities. In certain cases, that leads to dereferenceable pointers
being replaced, as in the example test case.

I think this is not allowed, as it introduces an access of an
un-dereferenceable pointer. Note that the pointer is inbounds, but one
past the last element, so it is valid, but not dereferenceable.

This patch is mostly to highlight the issue and start a discussion.
Currently it only checks for specifically looking
one-past-the-last-element pointers with array typed bases.

This causes the mis-compile outlined in
https://stackoverflow.com/questions/55754313/is-this-gcc-clang-past-one-pointer-comparison-behavior-conforming-or-non-standar

In the test case, if we replace %p with the GEP for the store, we
subsequently determine that the store and the load cannot alias, because
they are to different underlying objects.

Note that Alive2 seems to think that the replacement is valid:
https://alive2.llvm.org/ce/z/2rorhk

Diff Detail

Event Timeline

fhahn created this revision.Aug 5 2020, 11:04 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 5 2020, 11:04 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
fhahn requested review of this revision.Aug 5 2020, 11:04 AM
Harbormaster completed remote builds in B67140: Diff 283304.Aug 5 2020, 11:07 AM
aqjune added a comment.Aug 5 2020, 12:39 PM

Note that Alive2 seems to think that the replacement is valid:
https://alive2.llvm.org/ce/z/2rorhk

This is because Alive2's pointer comparison is approximating its behavior yet; it is right that we cannot replace a pointer with another pointer in general.

efriedma added a comment.Aug 5 2020, 1:28 PM

LLVM's memory model isn't completely settled with respect to how to determine the "base" of a pointer; see https://bugs.llvm.org/show_bug.cgi?id=34548 etc. But consensus is that the general transform you're describing isn't legal without proving more about the pointer. (e.g. that the two pointers have the same base, or the replaced value isn't used for any memory operations).

llvm/lib/Transforms/Scalar/SCCP.cpp
1352

I'm not sure I completely follow what this code is doing, but using getPointerElementType() like this is probably wrong.

fhahn added a comment.Aug 5 2020, 2:13 PM
In D85332#2197623, @efriedma wrote:

LLVM's memory model isn't completely settled with respect to how to determine the "base" of a pointer; see https://bugs.llvm.org/show_bug.cgi?id=34548 etc. But consensus is that the general transform you're describing isn't legal without proving more about the pointer. (e.g. that the two pointers have the same base, or the replaced value isn't used for any memory operations).

Great, thanks for the reference.

This patch is aimed as a first step towards incrementally improving the current situation by avoiding replacements for which there is agreement that they are problematic. The narrow initial case would be replacing a dereferenceable pointer with a clearly un-dereferenceable one.

If there is consensus on the approach, I think it would make sense to adjust the patch roughly as follows:

  1. Add a canReplaceDueToPointerEqualilty(Ptr1, Ptr2) which returns true if we can replace Ptr1 with Ptr2 if they are considered equal or false if not.
  2. The initial implementation will be incomplete and only reject certain cases (rather than only allowing cases we know are fine (e.g. both pointers dereferenceable and from the same underlying object)
  3. Update GVN/SCCP/CPV to use canReplaceDueToPointerEqualilty.

Does that make sense?

llvm/lib/Transforms/Scalar/SCCP.cpp
1352

My intention here is to catch the case where we create a pointer to the 'one-past-the-last-element', which clearly is not dereferenceable.

As implemented above, it probably only works for GEPs with pointers to array types as bases. So this would need further refinement to make sure we actually use the right base when dealing with nested data types. Is that what you were referring to or is there something else I am missing? Do you know if there are any helpful utilities for doing such a thing?

nikic added a subscriber: nikic.Aug 5 2020, 2:28 PM
efriedma added inline comments.Aug 5 2020, 2:43 PM
llvm/lib/Transforms/Scalar/SCCP.cpp
1352

The simplest correct check I can think of is that you could DecomposeGEPExpression both sides of the equality, and check if the "Base" is equal. That should cover everything, barring any weirdness with noalias/argmemonly/etc.

The problem here isn't really restricted to one-past-the-end. Consider, for example, if you call malloc, then free the memory, then call malloc again. The two pointers can be equal, but don't point to the same object.

fhahn updated this revision to Diff 283906.Aug 7 2020, 7:26 AM

Updated to use canReplacePointersIfEqual, only guard the actual replacement, which still allows for simplification of conditionals based on equality.

Harbormaster completed remote builds in B67464: Diff 283906.Aug 7 2020, 7:26 AM
fhahn added a parent revision: D85524: [Loads] Add canReplacePointersIfEqual helper..Aug 26 2020, 1:10 AM
fhahn added a comment.Sep 1 2020, 12:59 PM

ping

efriedma accepted this revision.Sep 2 2020, 5:56 PM

LGTM

This revision is now accepted and ready to land.Sep 2 2020, 5:56 PM
This revision was landed with ongoing or failed builds.Sep 3 2020, 2:22 AM
Closed by commit rG3542feeb2077: [SCCP] Do not replace deref'able ptr with un-deref'able one. (authored by fhahn). · Explain Why
This revision was automatically updated to reflect the committed changes.
fhahn added a commit: rG3542feeb2077: [SCCP] Do not replace deref'able ptr with un-deref'able one..
fhahn added a reverting change: rG4c5e4aa89b11: Revert "[SCCP] Do not replace deref'able ptr with un-deref'able one.".Sep 3 2020, 2:29 AM

Revision Contents

PathSize
llvm/
lib/
Transforms/
Scalar/
11 lines
test/
Transforms/
SCCP/
6 lines
4 lines
4 lines

Diff 289666

llvm/lib/Transforms/Scalar/SCCP.cpp

Show All 25 Lines
#include "llvm/ADT/SetVector.h" #include "llvm/ADT/SetVector.h"
#include "llvm/ADT/SmallPtrSet.h" #include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/Analysis/ConstantFolding.h" #include "llvm/Analysis/ConstantFolding.h"
#include "llvm/Analysis/DomTreeUpdater.h" #include "llvm/Analysis/DomTreeUpdater.h"
#include "llvm/Analysis/GlobalsModRef.h" #include "llvm/Analysis/GlobalsModRef.h"
#include "llvm/Analysis/InstructionSimplify.h" #include "llvm/Analysis/InstructionSimplify.h"
#include "llvm/Analysis/Loads.h"
#include "llvm/Analysis/TargetLibraryInfo.h" #include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/Analysis/ValueLattice.h" #include "llvm/Analysis/ValueLattice.h"
#include "llvm/Analysis/ValueLatticeUtils.h" #include "llvm/Analysis/ValueLatticeUtils.h"
#include "llvm/Analysis/ValueTracking.h" #include "llvm/Analysis/ValueTracking.h"
#include "llvm/IR/BasicBlock.h" #include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Constant.h" #include "llvm/IR/Constant.h"
#include "llvm/IR/Constants.h" #include "llvm/IR/Constants.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
▲ Show 20 LinesShow All 130 Lines▼ Show 20 Linesclass SCCPSolver : public InstVisitor<SCCPSolver> {
DenseSet<Edge> KnownFeasibleEdges; DenseSet<Edge> KnownFeasibleEdges;
DenseMap<Function *, AnalysisResultsForFn> AnalysisResults; DenseMap<Function *, AnalysisResultsForFn> AnalysisResults;
DenseMap<Value *, SmallPtrSet<User *, 2>> AdditionalUsers; DenseMap<Value *, SmallPtrSet<User *, 2>> AdditionalUsers;
LLVMContext &Ctx; LLVMContext &Ctx;
public: public:
const DataLayout &getDataLayout() const { return DL; }
void addAnalysis(Function &F, AnalysisResultsForFn A) { void addAnalysis(Function &F, AnalysisResultsForFn A) {
AnalysisResults.insert({&F, std::move(A)}); AnalysisResults.insert({&F, std::move(A)});
} }
const PredicateBase *getPredicateInfoFor(Instruction *I) { const PredicateBase *getPredicateInfoFor(Instruction *I) {
auto A = AnalysisResults.find(I->getParent()->getParent()); auto A = AnalysisResults.find(I->getParent()->getParent());
if (A == AnalysisResults.end()) if (A == AnalysisResults.end())
return nullptr; return nullptr;
▲ Show 20 LinesShow All 1,153 Lines▼ Show 20 Lines if (II->getIntrinsicID() == Intrinsic::ssa_copy) {
return; return;
} else if (Pred == CmpInst::ICMP_NE && CondVal.isConstant() && } else if (Pred == CmpInst::ICMP_NE && CondVal.isConstant() &&
!MayIncludeUndef) { !MayIncludeUndef) {
// Propagate inequalities. // Propagate inequalities.
addAdditionalUser(OtherOp, &CB); addAdditionalUser(OtherOp, &CB);
mergeInValue(IV, &CB, mergeInValue(IV, &CB,
ValueLatticeElement::getNot(CondVal.getConstant())); ValueLatticeElement::getNot(CondVal.getConstant()));
return; return;
} }
efriedmaUnsubmitted
Not Done
ReplyInline Actions

I'm not sure I completely follow what this code is doing, but using getPointerElementType() like this is probably wrong.

efriedma: I'm not sure I completely follow what this code is doing, but using getPointerElementType()…
fhahnAuthorUnsubmitted
Done
ReplyInline Actions

My intention here is to catch the case where we create a pointer to the 'one-past-the-last-element', which clearly is not dereferenceable.

As implemented above, it probably only works for GEPs with pointers to array types as bases. So this would need further refinement to make sure we actually use the right base when dealing with nested data types. Is that what you were referring to or is there something else I am missing? Do you know if there are any helpful utilities for doing such a thing?

fhahn: My intention here is to catch the case where we create a pointer to the 'one-past-the-last…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

The simplest correct check I can think of is that you could DecomposeGEPExpression both sides of the equality, and check if the "Base" is equal. That should cover everything, barring any weirdness with noalias/argmemonly/etc.

The problem here isn't really restricted to one-past-the-end. Consider, for example, if you call malloc, then free the memory, then call malloc again. The two pointers can be equal, but don't point to the same object.

efriedma: The simplest correct check I can think of is that you could DecomposeGEPExpression both sides…
return (void)mergeInValue(IV, &CB, CopyOfVal); return (void)mergeInValue(IV, &CB, CopyOfVal);
} }
} }
// The common case is that we aren't tracking the callee, either because we // The common case is that we aren't tracking the callee, either because we
// are not doing interprocedural analysis or the callee is indirect, or is // are not doing interprocedural analysis or the callee is indirect, or is
// external. Handle these cases first. // external. Handle these cases first.
▲ Show 20 LinesShow All 267 Lines▼ Show 20 Lines if (CI && CI->isMustTailCall() && !CI->isSafeToRemove()) {
if (F) if (F)
Solver.AddMustTailCallee(F); Solver.AddMustTailCallee(F);
LLVM_DEBUG(dbgs() << " Can\'t treat the result of musttail call : " << *CI LLVM_DEBUG(dbgs() << " Can\'t treat the result of musttail call : " << *CI
<< " as a constant\n"); << " as a constant\n");
return false; return false;
} }
// Do not propagate equality of a un-dereferenceable pointer.
// FIXME: Currently this only treats pointers one past the last element
// for array types. Should probably be much stricter.
if (Const->getType()->isPointerTy() &&
!canReplacePointersIfEqual(V, Const, Solver.getDataLayout(),
dyn_cast<Instruction>(V)))
return false;
LLVM_DEBUG(dbgs() << " Constant: " << *Const << " = " << *V << '\n'); LLVM_DEBUG(dbgs() << " Constant: " << *Const << " = " << *V << '\n');
// Replaces all of the uses of a variable with uses of the constant. // Replaces all of the uses of a variable with uses of the constant.
V->replaceAllUsesWith(Const); V->replaceAllUsesWith(Const);
return true; return true;
} }
static bool simplifyInstsInBlock(SCCPSolver &Solver, BasicBlock &BB, static bool simplifyInstsInBlock(SCCPSolver &Solver, BasicBlock &BB,
▲ Show 20 LinesShow All 517 LinesShow Last 20 Lines

llvm/test/Transforms/SCCP/apint-bigint2.ll

Show First 20 LinesShow All 45 Lines▼ Show 20 Linesdefine i101 @large_aggregate_2() {
%DD = or i101 %D, 1 %DD = or i101 %D, 1
%F = getelementptr [6 x i101], [6 x i101]* @Y, i32 0, i32 5 %F = getelementptr [6 x i101], [6 x i101]* @Y, i32 0, i32 5
%G = getelementptr i101, i101* %F, i101 %DD %G = getelementptr i101, i101* %F, i101 %DD
%L3 = load i101, i101* %G %L3 = load i101, i101* %G
ret i101 %L3 ret i101 %L3
} }
; CHECK-LABEL: @index_too_large ; CHECK-LABEL: @index_too_large
; CHECK-NEXT: store i101* getelementptr (i101, i101* getelementptr ([6 x i101], [6 x i101]* @Y, i32 0, i32 -1), i101 9224497936761618431), i101** undef ; CHECK-NEXT: %ptr1 = getelementptr [6 x i101], [6 x i101]* @Y, i32 0, i32 -1
; CHECK-NEXT: %ptr2 = getelementptr i101, i101* %ptr1, i101 9224497936761618431
; CHECK-NEXT: store i101* %ptr2, i101** undef
; CHECK-NEXT: ret void ; CHECK-NEXT: ret void
define void @index_too_large() { define void @index_too_large() {
%ptr1 = getelementptr [6 x i101], [6 x i101]* @Y, i32 0, i32 -1 %ptr1 = getelementptr [6 x i101], [6 x i101]* @Y, i32 0, i32 -1
%ptr2 = getelementptr i101, i101* %ptr1, i101 9224497936761618431 %ptr2 = getelementptr i101, i101* %ptr1, i101 9224497936761618431
store i101* %ptr2, i101** undef store i101* %ptr2, i101** undef
ret void ret void
} }

llvm/test/Transforms/SCCP/indirectbr.ll

Show All 25 Lines
; Make sure we can eliminate what is in BB0 as we know that the indirectbr is going to BB1 ; Make sure we can eliminate what is in BB0 as we know that the indirectbr is going to BB1
; by looking through the casts. The casts should be folded away when they are visited ; by looking through the casts. The casts should be folded away when they are visited
; before the indirectbr instruction. ; before the indirectbr instruction.
; ;
define void @indbrtest2() { define void @indbrtest2() {
; CHECK-LABEL: @indbrtest2( ; CHECK-LABEL: @indbrtest2(
; CHECK-NEXT: entry: ; CHECK-NEXT: entry:
; CHECK-NEXT: br label [[BB1:%.*]] ; CHECK-NEXT: [[B:%.*]] = inttoptr i64 ptrtoint (i8* blockaddress(@indbrtest2, [[BB1:%.*]]) to i64) to i8*
; CHECK-NEXT: [[C:%.*]] = bitcast i8* [[B]] to i8*
; CHECK-NEXT: br label [[BB1]]
; CHECK: BB1: ; CHECK: BB1:
; CHECK-NEXT: call void @BB1_f() ; CHECK-NEXT: call void @BB1_f()
; CHECK-NEXT: ret void ; CHECK-NEXT: ret void
; ;
entry: entry:
%a = ptrtoint i8* blockaddress(@indbrtest2, %BB1) to i64 %a = ptrtoint i8* blockaddress(@indbrtest2, %BB1) to i64
%b = inttoptr i64 %a to i8* %b = inttoptr i64 %a to i8*
%c = bitcast i8* %b to i8* %c = bitcast i8* %b to i8*
▲ Show 20 LinesShow All 124 LinesShow Last 20 Lines

llvm/test/Transforms/SCCP/replace-dereferenceable-ptr-with-undereferenceable.ll

; NOTE: Assertions have been autogenerated by utils/update_test_checks.py ; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
; RUN: opt -ipsccp -S %s | FileCheck %s ; RUN: opt -ipsccp -S %s | FileCheck %s
@y = common global [1 x i32] zeroinitializer, align 4 @y = common global [1 x i32] zeroinitializer, align 4
@x = common global [1 x i32] zeroinitializer, align 4 @x = common global [1 x i32] zeroinitializer, align 4
define i32 @eq_undereferenceable(i32* %p) { define i32 @eq_undereferenceable(i32* %p) {
; CHECK-LABEL: @eq_undereferenceable( ; CHECK-LABEL: @eq_undereferenceable(
; CHECK-NEXT: entry: ; CHECK-NEXT: entry:
; CHECK-NEXT: store i32 1, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @y, i64 0, i64 0), align 4 ; CHECK-NEXT: store i32 1, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @y, i64 0, i64 0), align 4
; CHECK-NEXT: [[CMP:%.*]] = icmp eq i32* [[P:%.*]], getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1) ; CHECK-NEXT: [[CMP:%.*]] = icmp eq i32* [[P:%.*]], getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1)
; CHECK-NEXT: br i1 [[CMP]], label [[IF_THEN:%.*]], label [[IF_END:%.*]] ; CHECK-NEXT: br i1 [[CMP]], label [[IF_THEN:%.*]], label [[IF_END:%.*]]
; CHECK: if.then: ; CHECK: if.then:
; CHECK-NEXT: store i32 2, i32* getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1), align 4 ; CHECK-NEXT: store i32 2, i32* [[P]], align 4
; CHECK-NEXT: br label [[IF_END]] ; CHECK-NEXT: br label [[IF_END]]
; CHECK: if.end: ; CHECK: if.end:
; CHECK-NEXT: [[TMP0:%.*]] = load i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @y, i64 0, i64 0), align 4 ; CHECK-NEXT: [[TMP0:%.*]] = load i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @y, i64 0, i64 0), align 4
; CHECK-NEXT: ret i32 [[TMP0]] ; CHECK-NEXT: ret i32 [[TMP0]]
; ;
entry: entry:
store i32 1, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @y, i64 0, i64 0), align 4 store i32 1, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @y, i64 0, i64 0), align 4
%cmp = icmp eq i32* %p, getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1) %cmp = icmp eq i32* %p, getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1)
Show All 37 Lines
} }
define i1 @eq_undereferenceable_cmp_simp(i32* %p) { define i1 @eq_undereferenceable_cmp_simp(i32* %p) {
; CHECK-LABEL: @eq_undereferenceable_cmp_simp( ; CHECK-LABEL: @eq_undereferenceable_cmp_simp(
; CHECK-NEXT: entry: ; CHECK-NEXT: entry:
; CHECK-NEXT: [[CMP_0:%.*]] = icmp eq i32* [[P:%.*]], getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1) ; CHECK-NEXT: [[CMP_0:%.*]] = icmp eq i32* [[P:%.*]], getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1)
; CHECK-NEXT: br i1 [[CMP_0]], label [[IF_THEN:%.*]], label [[IF_END:%.*]] ; CHECK-NEXT: br i1 [[CMP_0]], label [[IF_THEN:%.*]], label [[IF_END:%.*]]
; CHECK: if.then: ; CHECK: if.then:
; CHECK-NEXT: store i32 2, i32* getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1), align 4 ; CHECK-NEXT: store i32 2, i32* [[P]], align 4
; CHECK-NEXT: ret i1 true ; CHECK-NEXT: ret i1 true
; CHECK: if.end: ; CHECK: if.end:
; CHECK-NEXT: [[CMP_2:%.*]] = icmp eq i32* [[P]], getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1) ; CHECK-NEXT: [[CMP_2:%.*]] = icmp eq i32* [[P]], getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1)
; CHECK-NEXT: ret i1 [[CMP_2]] ; CHECK-NEXT: ret i1 [[CMP_2]]
; ;
entry: entry:
%cmp.0 = icmp eq i32* %p, getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1) %cmp.0 = icmp eq i32* %p, getelementptr inbounds (i32, i32* getelementptr inbounds ([1 x i32], [1 x i32]* @x, i64 0, i64 0), i64 1)
br i1 %cmp.0, label %if.then, label %if.end br i1 %cmp.0, label %if.then, label %if.end
Show All 10 Lines