<html>
<head>
<base href="http://llvm.org/bugs/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:hans@chromium.org" title="Hans Wennborg <hans@chromium.org>"> <span class="fn">Hans Wennborg</span></a>
</span> changed
<a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - Right-hand side of logical expression gets speculated, causing jump on uninitialized value"
href="http://llvm.org/bugs/show_bug.cgi?id=21084">bug 21084</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Status</td>
<td>NEW
</td>
<td>RESOLVED
</td>
</tr>
<tr>
<td style="text-align:right;">Resolution</td>
<td>---
</td>
<td>INVALID
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - Right-hand side of logical expression gets speculated, causing jump on uninitialized value"
href="http://llvm.org/bugs/show_bug.cgi?id=21084#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - Right-hand side of logical expression gets speculated, causing jump on uninitialized value"
href="http://llvm.org/bugs/show_bug.cgi?id=21084">bug 21084</a>
from <span class="vcard"><a class="email" href="mailto:hans@chromium.org" title="Hans Wennborg <hans@chromium.org>"> <span class="fn">Hans Wennborg</span></a>
</span></b>
<pre>Bisection points to r216814: InstCombine: Try harder to combine icmp instructions

But it's SimplifyCFG that speculates the load and ands all the conditions together:

*** IR Dump After Module Verifier ***
; Function Attrs: uwtable
define void @_Z4testv() #0 {
entry:
  %local = alloca i32, align 4
  %call = call zeroext i1 @_Z7ReadIntPi(i32* %local)
  br i1 %call, label %land.lhs.true, label %if.end

land.lhs.true:                                    ; preds = %entry
  %0 = load i32* %local, align 4
  %cmp = icmp slt i32 %0, 8
  br i1 %cmp, label %land.lhs.true1, label %if.end

land.lhs.true1:                                   ; preds = %land.lhs.true
  %1 = load i32* %local, align 4
  %cmp2 = icmp sge i32 %1, 0
  br i1 %cmp2, label %if.then, label %if.end

if.then:                                          ; preds = %land.lhs.true1
  call void @_Z1fv()
  br label %if.end

if.end:                                           ; preds = %if.then, %land.lhs.true1, %land.lhs.true, %entry
  ret void
}

*** IR Dump After Simplify the CFG ***
; Function Attrs: uwtable
define void @_Z4testv() #0 {
entry:
  %local = alloca i32, align 4
  %call = call zeroext i1 @_Z7ReadIntPi(i32* %local)
  %0 = load i32* %local, align 4
  %cmp = icmp slt i32 %0, 8
  %or.cond = and i1 %call, %cmp
  %1 = load i32* %local, align 4
  %cmp2 = icmp sge i32 %1, 0
  %or.cond1 = and i1 %or.cond, %cmp2
  br i1 %or.cond1, label %if.then, label %if.end

if.then:                                          ; preds = %entry
  call void @_Z1fv()
  br label %if.end

if.end:                                           ; preds = %if.then, %entry
  ret void
}

We're speculating the load from the stack and doing arithmetic with an undef
value, which is fine. The surprise comes when this turns into jumping on an
undef value after lowering to X86.

After discussing this, the current view is that the generated code is correct,
it will not be a problem for MSan as it works on the IR level, and should be
added to the list of optimizations that Valgrind has trouble with.</pre>
</div>
</p>
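<p>The C++ that produces the IR in the comment above, reconstructed from the mangled names <code>_Z4testv</code>, <code>_Z7ReadIntPi</code> and <code>_Z1fv</code> as an added example (not code from the bug report); the <code>ReadInt</code> body, the counters and the <code>run</code> harness are assumptions.</p>

```cpp
#include <cstdio>

// Constructed stand-ins for the functions the IR calls; the bug report
// does not show their bodies.
static int  g_f_calls = 0;      // how many times f() ran
static int  g_next_value = 0;   // value ReadInt() stores on success
static bool g_read_ok = true;   // whether ReadInt() succeeds

void f() { ++g_f_calls; }

// Writes *out only on success, so on failure the caller's `local`
// stays uninitialized, which is the case the comment discusses.
bool ReadInt(int* out) {
  if (!g_read_ok) return false;
  *out = g_next_value;
  return true;
}

// The function from the bug. SimplifyCFG may hoist the loads of `local`
// and both comparisons above the branch and AND the three i1 values
// together; when ReadInt() returned false the branch still depends only
// on that result, because false AND undef is false.
void test() {
  int local;
  if (ReadInt(&local) && local < 8 && local >= 0) f();
}

// Harness: run test() with a given ReadInt() behaviour and report
// whether f() was reached.
bool run(bool read_ok, int value) {
  g_read_ok = read_ok;
  g_next_value = value;
  g_f_calls = 0;
  test();
  return g_f_calls == 1;
}

int main() {
  std::printf("read fails -> f called: %d\n", run(false, 5));
  std::printf("read 5     -> f called: %d\n", run(true, 5));
  std::printf("read 8     -> f called: %d\n", run(true, 8));
  std::printf("read -1    -> f called: %d\n", run(true, -1));
  return 0;
}
```

<p>Built with optimization, this is the shape the comment says Valgrind may report as a conditional jump on an uninitialized value while MSan, working on the IR, stays quiet.</p>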
</body>
</html>