<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - DSE incorrectly removes store in function that only triggers UB in one branch"
href="https://bugs.llvm.org/show_bug.cgi?id=48521">48521</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>DSE incorrectly removes store in function that only triggers UB in one branch
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Keywords</th>
<td>miscompilation
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Scalar Optimizations
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>nunoplopes@sapo.pt
</td>
</tr>
<tr>
<th>CC</th>
<td>evgueni.brevnov@gmail.com, florian_hahn@apple.com, juneyoung.lee@sf.snu.ac.kr, llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>Test: Transforms/DeadStoreElimination/MSSA/out-of-bounds-stores.ll

Summary: Once DSE finds a store that is OOB, and therefore the function
triggers UB, it removes all stores. However, in the program below OOB only
happens if %c = true.
When %c=false there's no UB and therefore the store cannot be removed.

define i32 @test_out_of_bounds_store_nonlocal(i1 %c) {
%0:
%d = alloca i64 4, align 4
br label %for.body
%for.body:
%arrayidx = gep inbounds * %d, 4 x i64 0, 4 x i64 0
store i32 10, * %arrayidx, align 4
br label %for.inc
%for.inc:
br i1 %c, label %for.body.1, label %for.end
%for.body.1:
%arrayidx.1 = gep inbounds * %d, 4 x i64 0, 4 x i64 1
store i32 20, * %arrayidx.1, align 4
ret i32 1
%for.end:
%arrayidx1 = gep inbounds * %d, 4 x i64 0, 4 x i64 0
%lv1 = load i32, * %arrayidx1, align 4
call void @use(i32 %lv1)
ret i32 0
}
=>
define i32 @test_out_of_bounds_store_nonlocal(i1 %c) {
%0:
%d = alloca i64 4, align 4
br label %for.body
%for.body:
br label %for.inc
%for.inc:
br i1 %c, label %for.body.1, label %for.end
%for.body.1:
ret i32 1
%for.end:
%arrayidx1 = gep inbounds * %d, 4 x i64 0, 4 x i64 0
%lv1 = load i32, * %arrayidx1, align 4
call void @use(i32 %lv1)
ret i32 0
}
Transformation doesn't verify!
ERROR: Source is more defined than target
Example:
i1 %c = #x0 (0)
Source:
* %d = pointer(local, block_id=2, offset=0)
* %arrayidx = pointer(local, block_id=2, offset=0)
* %arrayidx.1 = pointer(local, block_id=2, offset=4)
* %arrayidx1 = pointer(local, block_id=2, offset=0)
i32 %lv1 = #x0000000a (10)
Target:
* %d = pointer(local, block_id=2, offset=0)
* %arrayidx1 = pointer(local, block_id=2, offset=0)
i32 %lv1 = poison
<a href="https://web.ist.utl.pt/nuno.lopes/alive2/index.php?hash=4b7777d913fed80c&test=Transforms%2FDeadStoreElimination%2FMSSA%2Fout-of-bounds-stores.ll">https://web.ist.utl.pt/nuno.lopes/alive2/index.php?hash=4b7777d913fed80c&test=Transforms%2FDeadStoreElimination%2FMSSA%2Fout-of-bounds-stores.ll</a></pre>
</div>
</p>
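<p>An added illustration, not part of the original report and not LLVM or Alive2 code: a small Python model of the two functions above that checks, for each value of %c, whether the target matches the source wherever the source is defined. The block encoding and the names <code>run</code>, <code>counterexamples</code> and <code>TGT_OOB_ONLY</code> are hypothetical; out-of-bounds accesses are modeled as UB and loads of never-written memory as poison, following the counterexample in the report.</p>

```python
# Added example (not LLVM or Alive2 code): toy refinement check for the report's IR.
SIZE = 4  # %d is a 4-byte alloca; accesses are i32 (4 bytes)
UB, POISON = ("UB",), "poison"

# Source function from the report, reduced to memory ops and control flow.
SRC = {
    "for.body":   [("store", 10, 0), ("br", "for.inc")],
    "for.inc":    [("condbr", "for.body.1", "for.end")],
    "for.body.1": [("store", 20, 4), ("ret", 1)],   # offset 4 is out of bounds
    "for.end":    [("load", 0), ("use",), ("ret", 0)],
}
# Target from the report: DSE deleted both stores.
TGT = {b: [i for i in ins if i[0] != "store"] for b, ins in SRC.items()}
# Assumed alternative for comparison: only the out-of-bounds store is deleted.
TGT_OOB_ONLY = {b: [i for i in ins if i != ("store", 20, 4)] for b, ins in SRC.items()}

def run(prog, c):
    """Execute prog with %c = c. Returns UB or (return value, values passed to @use)."""
    mem, used, reg, block = {}, [], None, "for.body"
    while True:
        for ins in prog[block]:
            op = ins[0]
            if op in ("store", "load") and not 0 <= ins[-1] <= SIZE - 4:
                return UB                        # out-of-bounds access
            if op == "store":
                mem[ins[2]] = ins[1]
            elif op == "load":
                reg = mem.get(ins[1], POISON)    # never-written memory
            elif op == "use":
                used.append(reg)
            elif op == "ret":
                return (ins[1], tuple(used))
            else:                                # br / condbr end the block
                block = ins[1] if op == "br" or c else ins[2]
                break

def counterexamples(src, tgt):
    """Values of %c where src is defined but tgt behaves differently."""
    return [c for c in (False, True)
            if run(src, c) != UB and run(tgt, c) != run(src, c)]

if __name__ == "__main__":
    print("source, c=false:", run(SRC, False))
    print("target, c=false:", run(TGT, False))
    print("both stores removed, failing %c:", counterexamples(SRC, TGT))
    print("OOB store only, failing %c:", counterexamples(SRC, TGT_OOB_ONLY))
```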
</body>
</html>