StraightLineStrengthReduce can introduce UB when optimizing 2-dim array gep #43878

Open
aqjune opened this issue Jan 13, 2020 · 2 comments
Labels
bugzilla Issues migrated from bugzilla miscompilation

aqjune commented Jan 13, 2020

Bugzilla Link 44533
Version trunk
OS All
Attachments Input
CC @hfinkel,@nunoplopes,@rotateright

Extended Description

$ cat slsr-gep.ll 
target datalayout = "e-i64:64-v16:16-v32:32-n16:32:64-p:64:64:64-p1:32:32:32"

define void @f([10 x [5 x i32]]* %input, i64 %s, i64 %t) {
  %p0 = getelementptr inbounds [10 x [5 x i32]], [10 x [5 x i32]]* %input, i64 0, i64 %s, i64 %t
  call void @foo(i32* %p0)

  %s2 = shl nsw i64 %s, 1
  %p1 = getelementptr inbounds [10 x [5 x i32]], [10 x [5 x i32]]* %input, i64 0, i64 %s2, i64 %t
  call void @foo(i32* %p1)

  ret void
}

declare void @foo(i32*)

$ opt -slsr -S -o - slsr-gep.ll
; ModuleID = 'slsr-gep.ll'
target datalayout = "e-i64:64-v16:16-v32:32-n16:32:64-p:64:64:64-p1:32:32:32"
define void @f([10 x [5 x i32]]* %input, i64 %s, i64 %t) {
  %p0 = getelementptr inbounds [10 x [5 x i32]], [10 x [5 x i32]]* %input, i64 0, i64 %s, i64 %t
  call void @foo(i32* %p0)
  %1 = mul i64 %s, 5
  %p1 = getelementptr inbounds i32, i32* %p0, i64 %1
  call void @foo(i32* %p1)
  ret void
}
declare void @foo(i32*)

(the test excerpted from Transforms/StraightLineStrengthReduce/slsr-gep.ll)

This is incorrect when input[s][t] is not inbounds but input[s2][t] is inbounds.
For example, if s = 1, s2 = 2, and t = -6, it can happen.
After optimization, %p1 becomes poison.

One possible solution for this is to allow the transformation when %s and %t have the same sign bit. Will this solution be effective enough?
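
The report's counterexample can be checked with a small model of `inbounds` poison; this is an added example, not code from the issue or from LLVM. It assumes `%input` points at the start of an allocation of exactly `[10 x [5 x i32]]` (200 bytes), and every function name in it is hypothetical.

```cpp
// Added model, not LLVM code. Assumption: %input is the start of an
// allocation of exactly [10 x [5 x i32]] (200 bytes); larger objects differ.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <utility>
#include <vector>

constexpr int64_t kObjBytes = 10 * 5 * 4;  // size of the modelled object
using Ptr = std::optional<int64_t>;        // byte offset; nullopt = poison

// One "inbounds" step: poison if the base or the result leaves [0, size].
// The one-past-the-end offset counts as in bounds.
Ptr step(Ptr base, int64_t delta) {
    if (!base || *base < 0 || *base > kObjBytes) return std::nullopt;
    int64_t r = *base + delta;
    if (r < 0 || r > kObjBytes) return std::nullopt;
    return r;
}

// gep inbounds [10 x [5 x i32]], %input, 0, row, col: offsets are added one
// index at a time and every intermediate address must stay in bounds.
Ptr gep2d(int64_t row, int64_t col) { return step(step(Ptr(0), row * 20), col * 4); }

// %p1 as written in the input: indexed from %input with %s2 = 2 * %s.
Ptr p1_source(int64_t s, int64_t t) { return gep2d(2 * s, t); }

// %p1 after -slsr: gep inbounds i32, %p0, 5 * %s, so it inherits %p0's poison.
Ptr p1_target(int64_t s, int64_t t) { return step(gep2d(s, t), 5 * s * 4); }

// The guard proposed in the report: %s and %t have the same sign bit.
bool same_sign(int64_t s, int64_t t) { return (s < 0) == (t < 0); }

// (s, t) pairs where the source %p1 is defined but the rewritten one is poison.
std::vector<std::pair<int64_t, int64_t>> miscompiles(bool guarded) {
    std::vector<std::pair<int64_t, int64_t>> out;
    for (int64_t s = -12; s <= 12; ++s)
        for (int64_t t = -60; t <= 60; ++t)
            if ((!guarded || same_sign(s, t)) &&
                p1_source(s, t) && !p1_target(s, t))
                out.emplace_back(s, t);
    return out;
}

int main() {
    std::printf("unguarded: %zu, guarded: %zu\n",
                miscompiles(false).size(), miscompiles(true).size());
}
```

Within this model the unguarded list contains s = 1, t = -6 from the report, and the same-sign guard leaves no pair where the rewritten `%p1` is more poisonous than the original.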

@nunoplopes
Member

An alternative fix would be to remove inbounds from the base pointer, thus allowing it to overflow.

@llvmbot llvmbot transferred this issue from llvm/llvm-bugzilla-archive Dec 10, 2021
@nunoplopes
Member

still repros: https://alive2.llvm.org/ce/z/LBv42y
