Hi,

I'm seeing a miscompile with this patch. I'm not very good at the semantic differences between undef and poison so I don't know really where it goes wrong.

Before Early CSE I see this in the input:

entry:
  %cmp1 = icmp uge i16 1015, 16, !dbg !9
  %shr = lshr i16 -1, 1015
  %cmp2 = icmp ugt i16 2, %shr
  %or.cond = or i1 %cmp1, %cmp2, !dbg !10
  br i1 %or.cond, label %if.then3, label %if.else4, !dbg !10

This corresponds to the following C-code:

int16_t y1 = 1022;
uint16_t res1 = 0;
if (y1 < 0)
  res1 = 0;
else
  res1 = 1015;

if ((res1 >= 16) || (2 > (65535u >> res1)))
  res2 = 42;
else
  res2 = 1;

So in the C input, the right shift is guarded and won't be carried out if res1 is too large to avoid UB, but in the ll file the lshr is executed unconditionally.

Then after Early CSE I instead get

entry:
  br i1 poison, label %if.then3, label %if.else4, !dbg !9

So I suppose, with this patch the lshr will result in poison, and that poison will then make both %cmp2 and %or.cond be poison. And then we don't know where to jump so res2 gets the wrong value.

I'm not very good at poison semantics, but it seems to me that either the input to ewarly cse is invalid, or the patch has broken the semantics of "or"?

Hi,

It seems it is related to two optimizations:
(1) select i1 x, true, y -> or i1 x, y
(2) or i1 x, poison -> poison

Semantically, the first one is broken. It needs to freeze y. But, it will introduce a lot of freeze instructions. The clang patches that introduce noundef to function arguments is still ongoing.
Another workaround is to weaken (2) to or i1 x, poison -> x. This fixes the miscompilation; I'll push a commit that does this.

--- a/llvm/lib/IR/ConstantFold.cpp
+++ b/llvm/lib/IR/ConstantFold.cpp
@@ -1105,7 +1105,10 @@ Constant *llvm::ConstantFoldBinaryInstruction(unsigned Opcode, Constant *C1,
   }
 
   // Binary operations propagate poison.
-  if (isa<PoisonValue>(C1) || isa<PoisonValue>(C2))
+  bool PoisonFold = !C1->getType()->isIntegerTy(1) || 
+      (Opcode != Instruction::Or && Opcode != Instruction::And &&
+       Opcode != Instruction::Xor);
+  if (PoisonFold && (isa<PoisonValue>(C1) || isa<PoisonValue>(C2)))
     return PoisonValue::get(C1->getType());
 
   // Handle scalar UndefValue and scalable vector UndefValue. Fixed-length

In D92270#2422625, @aqjune wrote:

Hi,

It seems it is related to two optimizations:
(1) select i1 x, true, y -> or i1 x, y
(2) or i1 x, poison -> poison

Semantically, the first one is broken. It needs to freeze y. But, it will introduce a lot of freeze instructions. The clang patches that introduce noundef to function arguments is still ongoing.
Another workaround is to weaken (2) to or i1 x, poison -> x. This fixes the miscompilation; I'll push a commit that does this.

Should langref also be updated to describe this? Or does it already?
I just found this
"An instruction that depends on a poison value, produces a poison value itself."
here
http://llvm.org/docs/LangRef.html#poison-values

In D92270#2422661, @uabelho wrote:

Should langref also be updated to describe this? Or does it already?
I just found this
"An instruction that depends on a poison value, produces a poison value itself."
here
http://llvm.org/docs/LangRef.html#poison-values

I think "Values other than phi nodes and select instructions depend on their operands." was supposed to say that. :)

In D92270#2422741, @aqjune wrote:

In D92270#2422661, @uabelho wrote:

Should langref also be updated to describe this? Or does it already?
I just found this
"An instruction that depends on a poison value, produces a poison value itself."
here
http://llvm.org/docs/LangRef.html#poison-values

I think "Values other than phi nodes and select instructions depend on their operands." was supposed to say that. :)

I see. Ok, thanks!

We bisected a test failure to this (https://bugs.chromium.org/p/angleproject/issues/detail?id=5500#c17). Can you expand a bit on what this patch means in practice? I'm guessing it makes UB in C++ code have bad effects more often? If so, what type of UB?

In D92270#2482741, @thakis wrote:

We bisected a test failure to this (https://bugs.chromium.org/p/angleproject/issues/detail?id=5500#c17). Can you expand a bit on what this patch means in practice? I'm guessing it makes UB in C++ code have bad effects more often? If so, what type of UB?

This patch makes the result of erroneous operations in source to participate in constant folding in more eager manner.
BTW, I am aware that this patch interacts with existing old (but hard to fix) bug in LLVM and miscompiles codes in certain code that has conditional branch + shifts. https://bugs.llvm.org/show_bug.cgi?id=48353 has more context.
Do you think your bug is related to this bug report?

To fix the old bug quite a few patches in LLVM have landed so far and it is still ongoing.

It turned out to be UB in our code as far as I can tell, see https://bugs.chromium.org/p/angleproject/issues/detail?id=5500#c36 and the follow-on.

(If this is known to trigger an existing bug more often, it might still be a good idea to undo it until that existing bug is fixed? But we're not affected by this existing bug as far as I can tell, so this is just a suggestion.)

In D92270#2483557, @thakis wrote:

It turned out to be UB in our code as far as I can tell, see https://bugs.chromium.org/p/angleproject/issues/detail?id=5500#c36 and the follow-on.

(If this is known to trigger an existing bug more often, it might still be a good idea to undo it until that existing bug is fixed? But we're not affected by this existing bug as far as I can tell, so this is just a suggestion.)

I don't know the policy of LLVM in this case, but it sounds legit. LLVM branching date is also near. @nikic May I ask your opinion?
BTW, shift operation is continually causing this problem interestingly - I guess shift operation with large shift amount hasn't been treated as 'that bad' for some reason.

https://bugs.llvm.org/show_bug.cgi?id=49005 seems to be due to this (either directly or it has unearthed an existing problem)

In D92270#2538713, @RKSimon wrote:

https://bugs.llvm.org/show_bug.cgi?id=49005 seems to be due to this (either directly or it has unearthed an existing problem)

I reverted this commit; I'll reland this after the underlying problem is resolved.
I'll push the revert commit to 12.x branch as well.

I bisected an arm 32 bit issue with WebKit Javascript's infinity value (https://github.com/llvm/llvm-project/issues/52669) down to this commit.

Just to make people aware there is another failing case. No reproducer yet I'm still working on a way to reduce it, but it'll probably turn out to be covered by the points others have made.