<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Vectorizer is querying SCEV on partially constructed IR"
href="https://bugs.llvm.org/show_bug.cgi?id=49900">49900</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Vectorizer is querying SCEV on partially constructed IR
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Loop Optimizer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>listmail@philipreames.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>This bug is a reduced form of
<a href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33029">https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33029</a> which was reported
as a regression against 4ffcd4fe9ac2ee948948f732baa16663eb63f1c7. I've further
reduced the test case and confirmed that this is not actually related to
multiple exit vectorization. The test case below involves no multiple or early
exit loops, and disabling the multiple exit support entirely does not change
the outcome.
$ ./opt -S test.ll -loop-vectorize # crashes
$ cat test.ll
; ModuleID =
'/home/preames/Downloads/clusterfuzz-testcase-minimized-llvm-opt-fuzzer--x86_64-loop_vectorize-5093295945547776'
source_filename =
"llvm-project/llvm/test/Transforms/LoopVectorize/X86/pr39160.ll"
target datalayout =
"e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128-ni:1"
target triple = "x86_64-unknown-linux-gnu"
define void @barney() {
bb:
br label %bb2
bb2: ; preds = %bb2, %bb
%tmp4 = icmp slt i32 undef, 0
br i1 %tmp4, label %bb2, label %bb5
bb5: ; preds = %bb2
br label %bb19
bb18: ; preds = %bb33
ret void
bb19: ; preds = %bb36, %bb5
%tmp22 = phi i32 [ %tmp65, %bb36 ], [ undef, %bb5 ]
br label %bb50
bb33: ; preds = %bb62
br i1 undef, label %bb18, label %bb36
bb36: ; preds = %bb33
br label %bb19
bb46: ; preds = %bb50
%C = icmp uge i8 16, 0
%B4 = and i1 %C, true
%B5 = xor i1 %C, undef
br i1 %B5, label %bb48, label %bb59
bb48: ; preds = %bb46
ret void
bb50: ; preds = %bb50, %bb19
%tmp52 = phi i32 [ %tmp55, %bb50 ], [ %tmp22, %bb19 ]
%tmp53 = phi i64 [ %tmp56, %bb50 ], [ 1, %bb19 ]
%tmp54 = add i32 %tmp52, 12
%tmp55 = add i32 %tmp52, 13
%tmp56 = add nuw nsw i64 %tmp53, 1
%C6 = icmp sle i32 %tmp54, 65536
br i1 %C6, label %bb50, label %bb46
bb59: ; preds = %bb46
br label %bb62
bb62: ; preds = %bb68, %bb59
%tmp63 = phi i32 [ %tmp65, %bb62 ], [ %tmp55, %bb59 ]
%tmp64 = phi i64 [ %tmp66, %bb62 ], [ %tmp56, %bb59 ]
%tmp65 = add i32 %tmp63, 13
%tmp66 = add nuw nsw i64 %tmp64, 1
%C1 = icmp ult i32 %tmp65, 65536
br i1 %C1, label %bb62, label %bb33
}
We're crashing way down in SCEV when the predecessor lists of a phi and the
basic block itself don't match. This can be seen in the basic block below:
bb46: ; preds = %middle.block,
%bb50
%tmp55.lcssa = phi i32 [ %tmp55, %bb50 ]
%tmp56.lcssa = phi i64 [ %tmp56, %bb50 ]
%C = icmp uge i8 16, 0
%B4 = and i1 %C, true
%B5 = xor i1 %C, undef
br i1 %B5, label %bb48, label %bb59
This is illegal usage of SCEV by LoopVectorize. It appears to be a long
standing issue related to how we set up the phis for newly added edges.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>