[llvm-bugs] [Bug 43817] New: LLVM conditional jump in PeepholeOptimizer.cpp:460 using uninitialized value
via llvm-bugs
llvm-bugs at lists.llvm.org
Sat Oct 26 06:13:17 PDT 2019
https://bugs.llvm.org/show_bug.cgi?id=43817
Bug ID: 43817
Summary: LLVM conditional jump in PeepholeOptimizer.cpp:460 using uninitialized value
Product: libraries
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: Backend: AMDGPU
Assignee: unassignedbugs at nondot.org
Reporter: witold.baryluk+llvm at gmail.com
CC: llvm-bugs at lists.llvm.org
Using libllvm10 1:10~svn375339-1~exp1 from Debian experimental.
Mesa git master at c580f134ae5d7e9f24e8b1bfc405825b5d413414
Arch: amd64
GPU: AMD Radeon Fury X
Compiler: gcc version 9.2.1 20191022 (Debian 9.2.1-12)
Compiler flags used when compiling mesa:
`COMMON_OPTS_OPT=("-Dc_args=-pipe -march=native -O3 -flto -ggdb"
"-Dcpp_args=-pipe -std=c++17 -march=native -O3 -flto -ggdb" "-Db_ndebug=true")`
glxgears under valgrind:
```
$ valgrind glxgears
==1012== Memcheck, a memory error detector
==1012== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1012== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1012== Command: glxgears
==1012==
Running synchronized to the vertical refresh. The framerate should be
approximately the same as the monitor refresh rate.
==1012== Conditional jump or move depends on uninitialised value(s)
==1012== at 0x8293EE3: optimizeExtInstr
(lib/CodeGen/PeepholeOptimizer.cpp:460)
==1012== by 0x8293EE3: (anonymous
namespace)::PeepholeOptimizer::runOnMachineFunction(llvm::MachineFunction&)
(lib/CodeGen/PeepholeOptimizer.cpp:1734)
==1012== by 0x81DA007:
llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(lib/CodeGen/MachineFunctionPass.cpp:73)
==1012== by 0x8048345: llvm::FPPassManager::runOnFunction(llvm::Function&)
(lib/IR/LegacyPassManager.cpp:1648)
==1012== by 0x8C4A3A9: RunPassOnSCC (lib/Analysis/CallGraphSCCPass.cpp:176)
==1012== by 0x8C4A3A9: RunAllPassesOnSCC
(lib/Analysis/CallGraphSCCPass.cpp:441)
==1012== by 0x8C4A3A9: (anonymous
namespace)::CGPassManager::runOnModule(llvm::Module&)
(lib/Analysis/CallGraphSCCPass.cpp:497)
==1012== by 0x8048A6F: runOnModule (lib/IR/LegacyPassManager.cpp:1749)
==1012== by 0x8048A6F: llvm::legacy::PassManagerImpl::run(llvm::Module&)
(lib/IR/LegacyPassManager.cpp:1862)
==1012== by 0x6A115C2: UnknownInlinedFun (ac_llvm_helper.cpp:212)
==1012== by 0x6A115C2: UnknownInlinedFun (si_shader_tgsi_setup.c:107)
==1012== by 0x6A115C2: si_compile_llvm (si_shader.c:5658)
==1012== by 0x6A182DC: si_get_shader_part.lto_priv.0 (si_shader.c:7303)
==1012== by 0x6A0EDC8: UnknownInlinedFun (si_shader.c:8133)
==1012== by 0x6A0EDC8: si_shader_create (si_shader.c:8312)
==1012== by 0x62B2E12: UnknownInlinedFun (si_state_shaders.c:2108)
==1012== by 0x62B2E12: si_shader_select_with_key.constprop.0
(si_state_shaders.c:2400)
==1012== by 0x6A6D2F0: si_shader_select (si_state_shaders.c:2419)
==1012== by 0x6A6F4E2: si_update_shaders (si_state_shaders.c:4021)
==1012== by 0x6A7E034: si_draw_vbo.lto_priv.0 (si_state_draw.c:2039)
==1012==
77 frames in 5.0 seconds = 15.377 FPS
==1012==
==1012== HEAP SUMMARY:
==1012== in use at exit: 557,673 bytes in 3,951 blocks
==1012== total heap usage: 115,963 allocs, 112,012 frees, 36,544,548 bytes
allocated
==1012==
==1012== LEAK SUMMARY:
==1012== definitely lost: 640 bytes in 3 blocks
==1012== indirectly lost: 374,464 bytes in 1,612 blocks
==1012== possibly lost: 0 bytes in 0 blocks
==1012== still reachable: 182,569 bytes in 2,336 blocks
==1012== suppressed: 0 bytes in 0 blocks
==1012== Rerun with --leak-check=full to see details of leaked memory
==1012==
==1012== Use --track-origins=yes to see where uninitialised values come from
==1012== For lists of detected and suppressed errors, rerun with: -s
==1012== ERROR SUMMARY: 333 errors from 1 contexts (suppressed: 0 from 0)
```
More complex title, Factorio:
```
$ valgrind ./bin/x64/factorio
==539== Memcheck, a memory error detector
==539== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==539== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==539== Command: ./bin/x64/factorio
==539==
0.021 2019-10-25 13:32:37; Factorio 0.17.73 (build 47508, linux64, demo)
0.158 Operating system: Linux (Debian unstable)
0.165 Program arguments: "./bin/x64/factorio"
0.166 Read data path: /home/user/Downloads/factorio/data
0.167 Write data path: /home/user/Downloads/factorio [16289/122425MB]
0.167 Binaries path: /home/user/Downloads/factorio/bin
1.093 System info: [CPU: Intel(R) Core(TM) i7-4910MQ CPU @ 2.90GHz, 32
cores, RAM: 128868 MB]
1.101 Environment: DISPLAY=:0 WAYLAND_DISPLAY=<unset>
DESKTOP_SESSION=lightdm-xsession XDG_SESSION_DESKTOP=lightdm-xsession
XDG_CURRENT_DESKTOP=MATE __GL_FSAA_MODE=<unset> __GL_LOG_MAX_ANISO=<unset>
__GL_SYNC_TO_VBLANK=<unset> __GL_SORT_FBCONFIGS=<unset> __GL_YIELD=<unset>
1.115 Display options: [FullScreen: 1] [VSync: 1] [UIScale: automatic
(100.0%)] [Native DPI: 1] [Screen: 255] [Special: lmw] [Lang: en]
10.684 Available displays: 2
10.687 [0]: EV2730Q 27" - {[0,0], 1920x1920, SDL_PIXELFORMAT_RGB888, 60Hz}
10.687 [1]: WQX DP 30" - {[1920,0], 2560x1600, SDL_PIXELFORMAT_RGB888, 60Hz}
11.035 Initialised OpenGL:[0] AMD Radeon (TM) R9 Fury Series (FIJI, DRM
3.32.0, 5.2.0-3-amd64, LLVM 10.0.0); driver: 4.5 (Core Profile) Mesa
19.3.0-devel (git-c580f134ae)
11.036 [Extensions] s3tc:yes; KHR_debug:yes; ARB_clear_texture:yes,
ARB_copy_image:yes
11.037 [Version] 4.5
11.048 Graphics settings preset: very-high
11.049 Dedicated video memory size 4096 MB
12.521 Graphics options: [Graphics quality: high] [Video memory usage: all]
[Light scale: 25%] [DXT: high-quality] [Color: 32bit]
12.523 [Max threads (load/render): 32/32] [Max texture
size: 0] [Tex.Stream.: 0] [Rotation quality: normal] [Other: STDC]
==539== Conditional jump or move depends on uninitialised value(s)
==539== at 0x1A518EE3: optimizeExtInstr
(lib/CodeGen/PeepholeOptimizer.cpp:460)
==539== by 0x1A518EE3: (anonymous
namespace)::PeepholeOptimizer::runOnMachineFunction(llvm::MachineFunction&)
(lib/CodeGen/PeepholeOptimizer.cpp:1734)
==539== by 0x1A45F007:
llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(lib/CodeGen/MachineFunctionPass.cpp:73)
==539== by 0x1A2CD345: llvm::FPPassManager::runOnFunction(llvm::Function&)
(lib/IR/LegacyPassManager.cpp:1648)
==539== by 0x1AECF3A9: RunPassOnSCC (lib/Analysis/CallGraphSCCPass.cpp:176)
==539== by 0x1AECF3A9: RunAllPassesOnSCC
(lib/Analysis/CallGraphSCCPass.cpp:441)
==539== by 0x1AECF3A9: (anonymous
namespace)::CGPassManager::runOnModule(llvm::Module&)
(lib/Analysis/CallGraphSCCPass.cpp:497)
==539== by 0x1A2CDA6F: runOnModule (lib/IR/LegacyPassManager.cpp:1749)
==539== by 0x1A2CDA6F: llvm::legacy::PassManagerImpl::run(llvm::Module&)
(lib/IR/LegacyPassManager.cpp:1862)
==539== by 0x18C965C2: UnknownInlinedFun (ac_llvm_helper.cpp:212)
==539== by 0x18C965C2: UnknownInlinedFun (si_shader_tgsi_setup.c:107)
==539== by 0x18C965C2: si_compile_llvm (si_shader.c:5658)
==539== by 0x18C9D2DC: si_get_shader_part.lto_priv.0 (si_shader.c:7303)
==539== by 0x18C93DC8: UnknownInlinedFun (si_shader.c:8133)
==539== by 0x18C93DC8: si_shader_create (si_shader.c:8312)
==539== by 0x18537E12: UnknownInlinedFun (si_state_shaders.c:2108)
==539== by 0x18537E12: si_shader_select_with_key.constprop.0
(si_state_shaders.c:2400)
==539== by 0x18CF22F0: si_shader_select (si_state_shaders.c:2419)
==539== by 0x18CF44E2: si_update_shaders (si_state_shaders.c:4021)
==539== by 0x18D03034: si_draw_vbo.lto_priv.0 (si_state_draw.c:2039)
==539==
17.630 Loading mod core 0.0.0 (data.lua)
20.686 Loading mod base 0.17.73 (data.lua)
24.722 Loading mod base 0.17.73 (data-updates.lua)
27.317 Checksum for core: 3106065888
...
```
The programs don't crash.
Obviously the issue might be in LLVM, but it is likely that some structures are
not properly initialized by Mesa.
glxgears with valgrind tracking enabled:
```
$ valgrind --track-origins=yes glxgears
==1136== Memcheck, a memory error detector
==1136== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1136== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1136== Command: glxgears
==1136==
Running synchronized to the vertical refresh. The framerate should be
approximately the same as the monitor refresh rate.
==1136== Conditional jump or move depends on uninitialised value(s)
==1136== at 0x8293EE3: optimizeExtInstr
(lib/CodeGen/PeepholeOptimizer.cpp:460)
==1136== by 0x8293EE3: (anonymous
namespace)::PeepholeOptimizer::runOnMachineFunction(llvm::MachineFunction&)
(lib/CodeGen/PeepholeOptimizer.cpp:1734)
==1136== by 0x81DA007:
llvm::MachineFunctionPass::runOnFunction(llvm::Function&)
(lib/CodeGen/MachineFunctionPass.cpp:73)
==1136== by 0x8048345: llvm::FPPassManager::runOnFunction(llvm::Function&)
(lib/IR/LegacyPassManager.cpp:1648)
==1136== by 0x8C4A3A9: RunPassOnSCC (lib/Analysis/CallGraphSCCPass.cpp:176)
==1136== by 0x8C4A3A9: RunAllPassesOnSCC
(lib/Analysis/CallGraphSCCPass.cpp:441)
==1136== by 0x8C4A3A9: (anonymous
namespace)::CGPassManager::runOnModule(llvm::Module&)
(lib/Analysis/CallGraphSCCPass.cpp:497)
==1136== by 0x8048A6F: runOnModule (lib/IR/LegacyPassManager.cpp:1749)
==1136== by 0x8048A6F: llvm::legacy::PassManagerImpl::run(llvm::Module&)
(lib/IR/LegacyPassManager.cpp:1862)
==1136== by 0x6A115C2: UnknownInlinedFun (ac_llvm_helper.cpp:212)
==1136== by 0x6A115C2: UnknownInlinedFun (si_shader_tgsi_setup.c:107)
==1136== by 0x6A115C2: si_compile_llvm (si_shader.c:5658)
==1136== by 0x6A182DC: si_get_shader_part.lto_priv.0 (si_shader.c:7303)
==1136== by 0x6A0EDC8: UnknownInlinedFun (si_shader.c:8133)
==1136== by 0x6A0EDC8: si_shader_create (si_shader.c:8312)
==1136== by 0x62B2E12: UnknownInlinedFun (si_state_shaders.c:2108)
==1136== by 0x62B2E12: si_shader_select_with_key.constprop.0
(si_state_shaders.c:2400)
==1136== by 0x6A6D2F0: si_shader_select (si_state_shaders.c:2419)
==1136== by 0x6A6F4E2: si_update_shaders (si_state_shaders.c:4021)
==1136== by 0x6A7E034: si_draw_vbo.lto_priv.0 (si_state_draw.c:2039)
==1136== Uninitialised value was created by a stack allocation
==1136== at 0x82928BA: (anonymous
namespace)::PeepholeOptimizer::runOnMachineFunction(llvm::MachineFunction&)
(lib/CodeGen/PeepholeOptimizer.cpp:1593)
==1136==
2 frames in 5.1 seconds = 0.396 FPS
XIO: fatal IO error 110 (Connection timed out) on X server ":0"
after 303 requests (34 known processed) with 0 events remaining.
==1136==
==1136== HEAP SUMMARY:
==1136== in use at exit: 14,540,979 bytes in 48,924 blocks
==1136== total heap usage: 115,813 allocs, 66,889 frees, 36,537,027 bytes
allocated
==1136==
==1136== LEAK SUMMARY:
==1136== definitely lost: 0 bytes in 0 blocks
==1136== indirectly lost: 0 bytes in 0 blocks
==1136== possibly lost: 163,934 bytes in 626 blocks
==1136== still reachable: 14,377,045 bytes in 48,298 blocks
==1136== of which reachable via heuristic:
==1136== newarray : 786,528 bytes in 24
blocks
==1136== multipleinheritance: 176,544 bytes in 252
blocks
==1136== suppressed: 0 bytes in 0 blocks
==1136== Rerun with --leak-check=full to see details of leaked memory
==1136==
==1136== For lists of detected and suppressed errors, rerun with: -s
==1136== ERROR SUMMARY: 333 errors from 1 contexts (suppressed: 0 from 0)
```
A quick check in the LLVM source tree indicates it is probably this if statement:
line 460:
```c++
bool PeepholeOptimizer::
optimizeExtInstr(MachineInstr &MI, MachineBasicBlock &MBB,
                 SmallPtrSetImpl<MachineInstr*> &LocalMIs) {
  unsigned SrcReg, DstReg, SubIdx;
  if (!TII->isCoalescableExtInstr(MI, SrcReg, DstReg, SubIdx))
    return false;
```
but TII is some subclass of `llvm::TargetInstrInfo`, so I am not sure which
implementation of `isCoalescableExtInstr` I should be looking at exactly.
This function is called from runOnMachineFunction
line 1593:
```
bool PeepholeOptimizer::runOnMachineFunction(MachineFunction &MF) {
```
Around caller:
```
if (isMoveImmediate(*MI, ImmDefRegs, ImmDefMIs)) {
  SeenMoveImm = true;
} else {
  Changed |= optimizeExtInstr(*MI, MBB, LocalMIs);
  // CALL into optimizeExtInstr
  // optimizeExtInstr might have created new instructions after MI
  // and before the already incremented MII. Adjust MII so that the
  // next iteration sees the new instructions.
  MII = MI;
  ++MII;
  if (SeenMoveImm)
    Changed |= foldImmediate(*MI, ImmDefRegs, ImmDefMIs);
}
```
Maybe related to `MBB`, `LocalMIs`.
I have trouble navigating LLVM source code to look further, as it appears that
`createAMDGPUMCSubtargetInfoImpl` is a generated function.
PS. I filed this against Mesa initially, but it does look like an LLVM issue -
https://gitlab.freedesktop.org/mesa/mesa/issues/2000
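A triage helper for the Memcheck output in this report, as an added example that is not part of the original message or of LLVM or Mesa: it re-joins the mail-wrapped stack frames, extracts the use site and the origin, and identifies the function whose physical frame holds the value. Frames that share an address (here `optimizeExtInstr` and its caller at `0x8293EE3`) were inlined into one frame, which is why the stack-allocation origin is reported at the entry of `runOnMachineFunction` (line 1593) rather than at a variable declaration. The names `unwrap`, `parse_uninit` and `physical_frame` are hypothetical, and `SAMPLE` is an excerpt trimmed from the log above.

```python
import re
# Constructed sample: the report above trimmed to two frames, mail-wrapped as archived.
SAMPLE = """\
==1136== Conditional jump or move depends on uninitialised value(s)
==1136== at 0x8293EE3: optimizeExtInstr
(lib/CodeGen/PeepholeOptimizer.cpp:460)
==1136== by 0x8293EE3: (anonymous
namespace)::PeepholeOptimizer::runOnMachineFunction(llvm::MachineFunction&)
(lib/CodeGen/PeepholeOptimizer.cpp:1734)
==1136== Uninitialised value was created by a stack allocation
==1136== at 0x82928BA: (anonymous
namespace)::PeepholeOptimizer::runOnMachineFunction(llvm::MachineFunction&)
(lib/CodeGen/PeepholeOptimizer.cpp:1593)
==1136==
"""
START = re.compile(r"^==\d+==\s+(?:at|by) (0x[0-9A-Fa-f]+):\s*(.*)$")
SITE = re.compile(r"^(.*?)\s*\(([^()\s]+):(\d+)\)$")    # "func (file:line)"
DONE = re.compile(r"\((?:[^()\s]+:\d+|in [^()]+)\)$")    # frame text is complete

def unwrap(text):  # re-join hard-wrapped frames into one logical line each
    out = []
    for line in (l.strip() for l in text.splitlines()):
        open_frame = out and START.match(out[-1]) and not DONE.search(out[-1])
        if line and not line.startswith("==") and open_frame:
            out[-1] += " " + line       # continuation lines lack the "==PID==" prefix
        else:
            out.append(line)
    return out

def parse_uninit(text):  # one dict per error: use stack and origin stack
    errors, cur, key = [], None, "stack"
    for line in unwrap(text):
        m = START.match(line)
        if m:  # a frame; kept only when it carries file:line debug info
            site = SITE.match(m.group(2))
            if cur is not None and site:
                cur[key].append({"addr": m.group(1), "func": site.group(1),
                                 "file": site.group(2), "line": int(site.group(3))})
        elif "depends on uninitialised value" in line:
            cur, key = {"stack": [], "origin": []}, "stack"
            errors.append(cur)
        elif cur is not None and "Uninitialised value was created by" in line:
            key = "origin"
        else:  # bare "==PID==" separator or program output ends the record
            cur = None
    return errors

def physical_frame(err):  # inlined calls share an address with their caller
    addr = err["stack"][0]["addr"]
    return [f for f in err["stack"] if f["addr"] == addr][-1]["func"]
```

When `physical_frame` equals the origin function, the uninitialised local may be declared in any callee inlined into it, so the declarations to inspect include those in `optimizeExtInstr`.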