<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [DebugInfo][Dexter] Unreachable line stepped onto after speculating 2 insns"
   href="https://bugs.llvm.org/show_bug.cgi?id=38762">38762</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[DebugInfo][Dexter] Unreachable line stepped onto after speculating 2 insns
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>new-bugs
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>new bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>jeremy.morse.llvm@gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>chackz0x12@gmail.com, greg.bedwell@sony.com, international.phantom@gmail.com, llvm-bugs@lists.llvm.org, paul_robinson@playstation.sony.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>If SimplifyCFG speculates more than one insn when flattening phis to selects,
unreached lines and illegal values can be seen. Giving a non-broken case for
context, if you take this test:

-------->8--------
int
main()
{
  volatile int foo = 0;
  int read1 = foo;
  int brains = foo;

  if (read1 > 3) {
    //brains *= 2;
    brains += 1;
  }

  return brains;
}
--------8<--------

When compiled -O2 -g on trunk, the increment of brains is speculated into a
"select" IR insn, and becomes a conditional mov (on x86_64). If one steps
through under gdb/lldb then the DebugInfo carefully ensures the speculated
increment isn't visible to the user: we step from the if-condition straight to
the return.

However, if you uncomment the multiplication line, the if-block is still
speculated by SimplifyCFG to a select (probably because
constant-mul-and-addition can be done in one lea insn on x86), and we start
observing unreached lines in the debugger. Specifically, we step from the 'if'
condition, onto the addition, then back to the 'if' again, which is misleading
because that addition doesn't really "happen" because it's speculated.
Additionally, the result of the speculation is visible in the "brains" variable
when we step onto the "if" a second time, when it's technically never
calculated by the program.

Found using DExTer ( <a href="https://github.com/SNSystems/dexter">https://github.com/SNSystems/dexter</a> ).</pre>
        </div>
      </p>


    </body>
</html>