DSE incorrectly removes store in function that only triggers UB in one branch #47865

Closed
nunoplopes opened this issue Dec 15, 2020 · 1 comment
Labels: bugzilla (Issues migrated from bugzilla), duplicate (Resolved as duplicate), miscompilation

Comments

@nunoplopes
Member

| | |
| --- | --- |
| Bugzilla Link | 48521 |
| Resolution | DUPLICATE |
| Resolved on | Dec 15, 2020 15:22 |
| Version | trunk |
| OS | All |
| CC | @fhahn, @aqjune |

Extended Description

Test: Transforms/DeadStoreElimination/MSSA/out-of-bounds-stores.ll
Summary: Once DSE finds a store that is OOB, and therefore the function triggers UB, it removes all stores. However, in the program below OOB only happens if %c = true.
When %c=false there's no UB and therefore the store cannot be removed.

```
define i32 @test_out_of_bounds_store_nonlocal(i1 %c) {
%0:
%d = alloca i64 4, align 4
br label %for.body

%for.body:
%arrayidx = gep inbounds * %d, 4 x i64 0, 4 x i64 0
store i32 10, * %arrayidx, align 4
br label %for.inc

%for.inc:
br i1 %c, label %for.body.1, label %for.end

%for.body.1:
%arrayidx.1 = gep inbounds * %d, 4 x i64 0, 4 x i64 1
store i32 20, * %arrayidx.1, align 4
ret i32 1

%for.end:
%arrayidx1 = gep inbounds * %d, 4 x i64 0, 4 x i64 0
%lv1 = load i32, * %arrayidx1, align 4
call void @use(i32 %lv1)
ret i32 0
}
=>
define i32 @test_out_of_bounds_store_nonlocal(i1 %c) {
%0:
%d = alloca i64 4, align 4
br label %for.body

%for.body:
br label %for.inc

%for.inc:
br i1 %c, label %for.body.1, label %for.end

%for.body.1:
ret i32 1

%for.end:
%arrayidx1 = gep inbounds * %d, 4 x i64 0, 4 x i64 0
%lv1 = load i32, * %arrayidx1, align 4
call void @use(i32 %lv1)
ret i32 0
}
Transformation doesn't verify!
ERROR: Source is more defined than target

Example:
i1 %c = #x0 (0)

Source:
* %d = pointer(local, block_id=2, offset=0)
* %arrayidx = pointer(local, block_id=2, offset=0)
* %arrayidx.1 = pointer(local, block_id=2, offset=4)
* %arrayidx1 = pointer(local, block_id=2, offset=0)
i32 %lv1 = #x0000000a (10)

Target:
* %d = pointer(local, block_id=2, offset=0)
* %arrayidx1 = pointer(local, block_id=2, offset=0)
i32 %lv1 = poison
```

https://web.ist.utl.pt/nuno.lopes/alive2/index.php?hash=4b7777d913fed80c&test=Transforms%2FDeadStoreElimination%2FMSSA%2Fout-of-bounds-stores.ll
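The refinement failure reported above can be reproduced with a small model. This is an added example, not part of the original report and not Alive2's or LLVM's code: `Block`, `source`, `target`, `run`, `refines` and `check` are hypothetical names, and the model assumes a 4-byte block whose uninitialized bytes read back as poison, following the counterexample output.

```python
UB, POISON = "UB", "poison"
ALLOCA_SIZE = 4  # %d = alloca i64 4: a 4-byte local block (assumed model)

class Block:
    # Stack block; cells never written read back as poison.
    def __init__(self):
        self.cells = {}

    def store_i32(self, offset, value):
        if offset < 0 or offset + 4 > ALLOCA_SIZE:
            raise MemoryError("out-of-bounds store")  # UB in the IR
        self.cells[offset] = value

    def load_i32(self, offset):
        if offset < 0 or offset + 4 > ALLOCA_SIZE:
            raise MemoryError("out-of-bounds load")
        return self.cells.get(offset, POISON)

def source(c):
    d, seen = Block(), []
    d.store_i32(0, 10)          # %for.body
    if c:                       # %for.inc
        d.store_i32(4, 20)      # %for.body.1: offset 4 is past the block
        return 1, seen
    seen.append(d.load_i32(0))  # %for.end: value passed to @use
    return 0, seen

def target(c):
    d, seen = Block(), []       # both stores removed by DSE
    if c:
        return 1, seen
    seen.append(d.load_i32(0))
    return 0, seen

def run(fn, c):
    try:
        return fn(c)
    except MemoryError:
        return UB

def refines(src, tgt):
    if src == UB:               # source UB: any target behaviour is allowed
        return True
    if tgt == UB:
        return False
    (sret, sseen), (tret, tseen) = src, tgt
    return (sret == tret and len(sseen) == len(tseen)
            and all(s == POISON or s == t for s, t in zip(sseen, tseen)))

def check():
    # One verdict per value of %c; False marks an invalid transformation.
    return {c: refines(run(source, c), run(target, c)) for c in (False, True)}
```

`check()` returns `True` for `%c = true`, where the source is already UB, and `False` for `%c = false`, where the source passes 10 to `@use` but the target passes poison.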

@fhahn
Contributor

fhahn commented Dec 15, 2020

The test was added for #47623. Marking as duplicate.

*** This bug has been marked as a duplicate of bug #47623 ***

@llvmbot llvmbot transferred this issue from llvm/llvm-bugzilla-archive Dec 11, 2021
This issue was closed.