Ping.

Are there tests to ensure that the appropriate stack protector level is added to the function after inlining?

Move % eater to MatchRegisterName.

In D91735#2403921, @nickdesaulniers wrote:

I was thinking "would it be better to move this logic down into PPCAsmParser::MatchRegisterName? Well, I would suppose that would depend on if the % prefix on registers is valid in other contexts, for instance maybe other places that directly call PPCAsmParser::MatchRegisterName rather than `PPCAsmParser::tryParseRegister which you've modified here.

In D87956#2348433, @nickdesaulniers wrote:

In phab here, it looks like my newly added clang/test/Frontend/optimization-remark-missed-inline-stack-protectors.c fails on windows because I redirect stdout to /dev/null. How does that work for other tests? I see other tests in that dir write to /dev/null. Oh, I guess -o /dev/null will just create a file called "/dev/null" on Windows? So I should do that rather than 1> /dev/null?

Only a couple of nits, but I think this looks good.

Rerun with the correct llc.

Update comment and testcase.

In D88823#2314595, @jyknight wrote:

Okay. Abandoning this change.

Sorry, maybe I buried the lede too far into the message? "I think the fix you have here is OK" was at the end. :)

One thing, I believe we're trying to turn "asm goto" into something it was never meant to be. If you look at gcc's output for this code.

Okay. I'll reclaim this revision.

One thing, I believe we're trying to turn "asm goto" into something it was never meant to be. If you look at gcc's output for this code:

Okay. Abandoning this change.

Here are the relevant parts of the original issue in get_partial_node. Blocks bb.16.bb100 and bb.17.bb106 are the sources of the values in the PHI node in bb.18.bb110. The bb.19.bb17.i.i.i block is the indirect destination and bb.20.bb113 the default destination.

In D88823#2313337, @jyknight wrote:

When we go to resolve this PHI node, there's no place to put the put the values that works in all situations; we can't split the critical edges and it's not valid to place the resolved instructions at the ends of the predecessor blocks.

We can (at least: should be able to) handle a PHI node in the indirect targets of an INLINEASM_BR, for any value which is not the output of the INLINEASM_BR itself. We place the required register copies prior to the INLINEASM_BR, rather than after it. This is handled by findPHICopyInsertPoint -- where we did have a bug already, fixed in f7a53d82c0902147909f28a9295a9d00b4b27d38.

In D88823#2313262, @nickdesaulniers wrote:

%9:gr32 = PHI %0:gr32, %bb.1, %5:gr32, %bb.2

The problem is this PHI here. We don't have a way to resolve PHI nodes in the entry block to an indirect destination. (This is the reason we don't allow "asm goto" outputs on the indirect paths.) When we go to resolve this PHI node, there's no place to put the put the values that works in all situations; we can't split the critical edges and it's not valid to place the resolved instructions at the ends of the predecessor blocks.

We're also not using "asm goto" outputs in this test case, so I still don't understand why this PHI is problematic.

That doesn't matter. It's problematic because of the PHI in the block with the INLINEASM_BR. As I mentioned, the result of the tail duplication is that that PHI is more-or-less moved *down* into the indirect and default destinations. Look at those PHIs and you'll see that they have the same values coming into them.

In D88823#2312933, @nickdesaulniers wrote:

I confirmed that this patch does fix the kernel panic observed in https://github.com/ClangBuiltLinux/linux/issues/1125#issuecomment-703890483.

I don't understand the bug though. Looking at the output of:

llc -mtriple=i686-- -stop-after=early-tailduplication -print-after-all llvm/test/CodeGen/X86/tail-dup-asm-goto.ll -o - 2>&1 | less

Before/After IR Dump After Early Tail Duplication before rebuilding clang with this patch applied (so still in a bad state), but nothing looks wrong to me. So what precisely is the bug?

Before early tail dup:

bb.0.bb:
  successors: %bb.1(0x40000000), %bb.2(0x40000000); %bb.1(50.00%), %bb.2(50.00%)

  %2:gr32 = IMPLICIT_DEF
  %0:gr32 = MOV32rm killed %2:gr32, 1, $noreg, 0, $noreg :: (load 4 from `i8** undef`, align 8)
  %3:gr32_abcd = MOV32r0 implicit-def dead $eflags
  %4:gr8 = COPY %3.sub_8bit:gr32_abcd
  TEST8rr %4:gr8, %4:gr8, implicit-def $eflags
  JCC_1 %bb.2, 5, implicit $eflags
  JMP_1 %bb.1

bb.1.bb100:
; predecessors: %bb.0
  successors: %bb.3(0x80000000); %bb.3(100.00%)

  %6:gr32 = IMPLICIT_DEF
  MOV32mi killed %6:gr32, 1, $noreg, 0, $noreg, 0 :: (store 4 into `i8** undef`, align 8)
  JMP_1 %bb.3

bb.2.bb106:
; predecessors: %bb.0
  successors: %bb.3(0x80000000); %bb.3(100.00%)

  ADJCALLSTACKDOWN32 0, 0, 0, implicit-def dead $esp, implicit-def dead $eflags, implicit-def dead $ssp, implicit $esp, implicit $ssp
  CALLpcrel32 @foo, <regmask $bh $bl $bp $bph $bpl $bx $di $dih $dil $ebp $ebx $edi $esi $hbp $hbx $hdi $hsi $si $sih $sil>, implicit $esp, implicit $ssp, implicit-def $esp, implicit-def 
$ssp
  ADJCALLSTACKUP32 0, 0, implicit-def dead $esp, implicit-def dead $eflags, implicit-def dead $ssp, implicit $esp, implicit $ssp
  %5:gr32 = MOV32r0 implicit-def dead $eflags

bb.3.bb110:
; predecessors: %bb.2, %bb.1
  successors: %bb.5(0x80000000), %bb.4(0x00000000); %bb.5(100.00%), %bb.4(0.00%)

  %1:gr32 = PHI %5:gr32, %bb.2, %0:gr32, %bb.1

In D88813#2312627, @nickdesaulniers wrote:

test case looks reasonable (I haven't run it pre-patch to see what goes wrong yet). Just curious, is this CL related to D88823?

@jyknight This doesn't have the loop refactored like you asked for. I'll work on that today.

Update with missing elements so that it works.

In D88813#2312195, @nickdesaulniers wrote:

test?

Add testcase.

Add testcase.

Improve comment on why we're limiting tail duplication on INLINEASM_BR instruction.

In D88823#2312092, @jyknight wrote:

Hm, it doesn't seem like it should be a problem to duplicate an inlineasm_br instruction. I'm interested to see what's going wrong here.

In D88438#2304953, @nickdesaulniers wrote:

In D88438#2304941, @void wrote:

I believe that a critical edge may be split on the default path, but not the indirect path.

I don't think https://github.com/llvm/llvm-project/commit/2fe457690da0fc38bc7f9f1d0aee2ba6a6a16ada made a similar distinction?

Yeah. I made an error there...

In D88438#2305068, @efriedma wrote:

The concept of splitting a critical edge is still relatively new to me; any thoughts on *why* it would not be ok to split a critical branch of an indirect-like jump?

The problem has to do with blockaddress.

For normal branches, splitting an edge is usually straightforward: you just introduce a new block that branches to the original block, and then you rewrite the branch in the predecessor. But suppose you have a block with two indirectbr predecessors, and you want to split the edge. In that case, the "rewrite the branch" step doesn't work: you can't rewrite the address argument to the indirectbr. (Or at least, you can't without performing some invasive rewrite like indirectbr->switch lowering.)

I believe that a critical edge may be split on the default path, but not the indirect path.

Erm...Reverted...Sorry.

Clarify commit message.

In D88195#2293559, @nickdesaulniers wrote:

In D88195#2293533, @void wrote:

In D88195#2293165, @nickdesaulniers wrote:

I'm super confused between the commit message and initial hunk, that seem to make sense and probably should go in clang-11 if it's not too late, and the additional tests for modules which the commit message does not address. Were these meant to be separate commits, because otherwise it looks like you uploaded unrelated stuff. Are C++20 modules broken with asm goto, or are you just adding additional test coverage for that?

The assert only triggers for modules, so yeah modules are broken with "asm goto", but only if asserts are enabled.

The assert was removed from AST/Stmt.cpp; it doesn't look module related. Wouldn't it be triggered by ANY GCCAsmStmt? (I have patches that use ASM goto w/ outputs on the kernel, let me try an assertions enabled build). It's not obvious to me why the method modified would only trigger for modules.

Yes, but that particular function is only called during serialization reading. It would trigger for any serialization, this just happens to be for modules. I'll edit the commit message to be clearer.

In D88195#2293165, @nickdesaulniers wrote:

I'm super confused between the commit message and initial hunk, that seem to make sense and probably should go in clang-11 if it's not too late, and the additional tests for modules which the commit message does not address. Were these meant to be separate commits, because otherwise it looks like you uploaded unrelated stuff. Are C++20 modules broken with asm goto, or are you just adding additional test coverage for that?

Fix test.

Fix test case.

In D86260#2229449, @jyknight wrote:

In D86260#2229406, @void wrote:

In D86260#2229387, @jyknight wrote:

The commit message is confusing for this -- this isn't a correctness fix, but a minor optimization, right?

I'm not convinced it's just an optimization, but I could be swayed. It seems to me that the value coming into the PHI shouldn't rely upon the semantics of the asm block. So for instance would this be incorrect?

Inline assembly must declare what registers it clobbers, and the compiler can safely assume other registers are preserved across it.

bb1:
  %eax = MOV 0
  INLINEASM_BR "mov 37, %eax"
  JMP return

return:
  PHI bb1, 0 ...

So, in this example the input inline-asm is invalid, because it failed to declare that it clobbered eax.

In D86260#2229387, @jyknight wrote:

The commit message is confusing for this -- this isn't a correctness fix, but a minor optimization, right?

Remove extraneous thread_local from global variable.

In D75098#2170382, @arsenm wrote:

What's the status of this? I'm still interested in terminator copies

LGTM

Here are a few other places to contemplate similar changes:

I think this might be a better fix:

Without this change, the "ADD64ri8" instruction is before the INLINEASM_BR before machine sinking.

I'm confused by this change. The original code *should* be correct. That it's resulting in this issue is another thing.

In D79794#2121018, @nickdesaulniers wrote:

The only other concern I have is whether we have enough test coverage of the scheduling boundary changes? (Does removing the added checks there cause any existing or new test from the change to file? If not, seems like a lack of test coverage.) In the case of PostRASchedulerList, that implies a MIR test (writing MIR tests isn't something I'd wish on my worst enemy though).

Thanks! :-)

In D79794#2107203, @nickdesaulniers wrote:

In D79794#2105792, @nathanchance wrote:

@void that diff on top of this revision resolves the issue I was seeing, thanks!

That's great! @void is there a test case we can add for that post RA schedule, so that we don't regress that? @jyknight would you mind rolling @void 's changes up into this and rebasing, please? I'm curious if there's anything we can do to combine isSchedBoundary and isSchedulingBoundary?

@nathanchance & @nickdesaulniers: I forgot the post scheduler. Try the patch below.

In D81632#2094672, @linzj wrote:

Which platform did you run valgrind on? The x86 platform should set SubIdx on all paths through it...

ARM. armv8-linux-android.

In D81632#2092363, @linzj wrote:

I think SubIdx is supposed to be set by TII->isCoalescableExtInstr(). If it's not doing that, then the error's probably in that call and not in this function.

Then most target instr infos need to patch.

A test case that shows the problem would also be good.

valgrind shows me this bug. I don't think any testcase is able to reproduce an expected value in this circumstance.

I think you need the following patch. We shouldn't allow instructions to be rescheduled after an INLINEASM_BR, because all values who's definition dominate the INLINEASM_BR are assumed to be valid on the indirect branch.

In D81607#2091105, @efriedma wrote:

While it's not the case right now, I think it would be very desirable to allow this in the future for callbr. Some of the other envisioned use-cases for callbr would require the ability to pass the target block in as a value (in which case there may be no blockaddress arguments directly on the callbr.)

Being indecisive about this is creating a mess in both the LLVM IR and MachineInstrs. I've repeatedly asked about this, and gotten contradictory answers every time. We need to make a decision here and stick to it.

In D81607#2091010, @nickdesaulniers wrote:

In D81607#2090768, @efriedma wrote:

Disclaimer: I don't plan to rework callbr's operands before landing this. Was that a conditional LGTM?

Wasn't intended to be conditional on any code changes. Just that we don't plan to ever allow jumping to blockaddresses passed in as register operands.

I assume there's something important @fhahn was alluding to, but I'm not sure precisely what, and I would like to make sure everyone's happy with this.

The reason we can't split edges coming out of indirectbr instructions is that in general, there is no way to fix the related blockaddresses in functions that contain multiple indirectbrs. We can't rename the successor in one indirectbr without renaming it in all of them. And if we rename it in all of them, the edge is still critical after the transform.

We want to be sure the same issue doesn't apply to callbr instructions. If it does, then we would need to fix the callers of SplitCriticalEdge, not SplitCriticalEdge itself.

Wait, that sounds like a problem. Imagine we have 3 callbrs, two that share the same indirect destination, and we decide to split one their critical edges. Then we update the blockaddress of that callbr, but not the others where the others' indirect branch now doesn't preserve the previous operations. As if we added another callbr in the entry of this test case with an indirect destination of %CallSiteBB.

In D81607#2090671, @nickdesaulniers wrote:

In D81607#2090510, @efriedma wrote:

If the plan is to drop blockaddresses from callbr, then this LGTM.

Disclaimer: I don't plan to rework callbr's operands before landing this. Was that a conditional LGTM?

I would like to resolve @fhahn 's question. TBH, I understand what a critical edge is, but I don't understand why splitting them is necessary? I assume there's something important @fhahn was alluding to, but I'm not sure precisely what, and I would like to make sure everyone's happy with this.

I think SubIdx is supposed to be set by TII->isCoalescableExtInstr(). If it's not doing that, then the error's probably in that call and not in this function.

In D79605#2065825, @void wrote:

Is this and D79793 ready for submission? :-)

Is this and D79793 ready for submission? :-)

In D75098#2049787, @qcolombet wrote:

Regardless of what happens to INLINEASM_BR, I think we still need a terminator copy

What for?
The whole concept is bogus to me because if the previous instructions are really terminators (as in they branch to somewhere else), then this copy would never be executed.

Quick ping to ask about the status of this change. :-)

I think we should rename INLINEASM_BR to something that doesn't involve the _BR bit, since it's no longer a branch.

In D75098#2030777, @jyknight wrote:

I think the better fix here is to make INLINEASM_BR _not_ be a terminator -- just like the CALL involved in an invoke is not.

That change turned out to be a bit complicated, and while I had started taking a stab at that a couple months ago, I got distracted by many other things going on...However, I've now dusted off that experiment and got it into a useful state, and will send out a review for this tomorrow, so we can consider both the options.

In D75098#2026425, @void wrote:

In D75098#2021573, @qcolombet wrote:

Thanks Bill for the detailed explanations. A couple more questions.

CodeGen wants registers to be spilled at the end of a block.

That's fast reg alloc only. What is happening with the other allocators?

They don't appear to use the correct registers for the defined values.

I should probably explain a bit better. With a normal INLINEASM instruction, any defined registers are spilled directly afterwards. This is one reason why I want to do the same for INLINEASM_BR with the TCOPY. There could be other ways to achieve the same thing, but I think it would involve placing a larger burden on the code generation passes than needs be.

Revert bad formatting that sneaked (snuck?) in.

Fix formatting and clang-tidy warnings.