[llvm-bugs] [Bug 31632] New: SimplifyCFG and InstCombine interact badly and produce wrong code

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Jan 13 08:40:58 PST 2017 

https://llvm.org/bugs/show_bug.cgi?id=31632

            Bug ID: 31632
           Summary: SimplifyCFG and InstCombine interact badly and produce
                    wrong code
           Product: libraries
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Keywords: miscompilation
          Severity: normal
          Priority: P
         Component: Scalar Optimizations
          Assignee: unassignedbugs at nondot.org
          Reporter: nunoplopes at sapo.pt
                CC: gil.hur at sf.snu.ac.kr, juneyoung.lee at sf.snu.ac.kr,
                    llvm-bugs at lists.llvm.org, regehr at cs.utah.edu,
                    sanjoy at playingwithpointers.com,
                    spatel+llvm at rotateright.com
    Classification: Unclassified

The following test case is miscompiled if both SimplifyCFG and InstCombine are
run together:

$ cat select.ll
define i1 @g(i8 %x) {
  %add_is_nsw = icmp ne i8 %x, 127
  br i1 %add_is_nsw, label %is_nsw, label %may_wrap

is_nsw:
  %add = add nsw i8 %x, 1
  br label %merge

may_wrap:
  br label %merge

merge:
  %never_poison = phi i8 [ undef, %may_wrap ],  [ %add, %is_nsw ]
  %result = icmp sgt i8 %never_poison, %x
  ret i1 %result
}


$ opt -S -simplifycfg select.ll
define i1 @g(i8 %x) {
  %add_is_nsw = icmp ne i8 %x, 127
  %add = add nsw i8 %x, 1
  %never_poison = select i1 %add_is_nsw, i8 %add, i8 undef
  %result = icmp sgt i8 %never_poison, %x
  ret i1 %result
}

and with InstCombine:
$ opt -S -simplifycfg -instcombine select.ll
define i1 @g(i8 %x) {
  ret i1 true
}


The original, unoptimized, test case returns 0 for %x==127, while the optimized
version returns 1.

This bug happens because SimplifyCFG and InstCombine assume different semantics
for select with a poison value.  SimplifyCFG assumes a select is only poison if
its dynamically chosen value is poison, while InstCombine is assuming that
select is poison if any of its operands is poison.
We have proposed in the mailing list that select should follow SimplifyCFG's
version (search for "Discussion on select" here:
http://lists.llvm.org/pipermail/llvm-dev/2016-October/106182.html).
Therefore, Alive says that InstCombine is wrong: http://rise4fun.com/Alive/AI0

(test case from Sanjoy)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20170113/9cfcbbe1/attachment.html>

More information about the llvm-bugs mailing list