<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - MergeICmps reorders comparisons and introduces UB"
href="https://bugs.llvm.org/show_bug.cgi?id=51845">51845</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>MergeICmps reorders comparisons and introduces UB
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Keywords</th>
<td>miscompilation
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Scalar Optimizations
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>nunoplopes@sapo.pt
</td>
</tr>
<tr>
<th>CC</th>
<td>clement.courbet@gmail.com, llvm-bugs@lists.llvm.org, nikita.ppv@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>test: Transforms/MergeICmps/X86/entry-block-shuffled.ll
src: compares 12/8, br, 0/0, br, 4/4, br, 12/12
tgt: compares 0/0, 4/4, br, 12/8, br, 12/12
The issue is that tgt branches on 0-8 values, which can be poison, while src
wouldn't branch on those if e.g. 12/8 offsets are different.
Needs a freeze.
define i1 @opeq1(* nocapture nowrite dereferenceable(16) %a, * nocapture
nowrite dereferenceable(16) %b) nofree {
%entry:
%first.i = gep inbounds * nocapture nowrite dereferenceable(16) %a, 16 x i64
0, 1 x i64 12
%0 = load i32, * %first.i, align 4
%first1.i = gep inbounds * nocapture nowrite dereferenceable(16) %b, 16 x i64
0, 1 x i64 8
%1 = load i32, * %first1.i, align 4
%cmp.i = icmp eq i32 %0, %1
br i1 %cmp.i, label %land.rhs.i, label %opeq1.exit
%land.rhs.i:
%second.i = gep inbounds * nocapture nowrite dereferenceable(16) %a, 16 x i64
0, 1 x i64 0
%2 = load i32, * %second.i, align 4
%second2.i = gep inbounds * nocapture nowrite dereferenceable(16) %b, 16 x
i64 0, 1 x i64 0
%3 = load i32, * %second2.i, align 4
%cmp3.i = icmp eq i32 %2, %3
br i1 %cmp3.i, label %land.rhs.i.2, label %opeq1.exit
%land.rhs.i.2:
%third.i = gep inbounds * nocapture nowrite dereferenceable(16) %a, 16 x i64
0, 1 x i64 4
%4 = load i32, * %third.i, align 4
%third2.i = gep inbounds * nocapture nowrite dereferenceable(16) %b, 16 x i64
0, 1 x i64 4
%5 = load i32, * %third2.i, align 4
%cmp4.i = icmp eq i32 %4, %5
br i1 %cmp4.i, label %land.rhs.i.3, label %opeq1.exit
%land.rhs.i.3:
%fourth.i = gep inbounds * nocapture nowrite dereferenceable(16) %a, 16 x i64
0, 1 x i64 12
%6 = load i32, * %fourth.i, align 4
%fourth2.i = gep inbounds * nocapture nowrite dereferenceable(16) %b, 16 x
i64 0, 1 x i64 12
%7 = load i32, * %fourth2.i, align 4
%cmp5.i = icmp eq i32 %6, %7
br label %opeq1.exit
%opeq1.exit:
%8 = phi i1 [ 0, %entry ], [ 0, %land.rhs.i ], [ 0, %land.rhs.i.2 ], [
%cmp5.i, %land.rhs.i.3 ]
ret i1 %8
}
=>
define i1 @opeq1(* nocapture nowrite dereferenceable(16) %a, * nocapture
nowrite dereferenceable(16) %b) nofree {
%land.rhs.i+land.rhs.i.2:
%0 = gep inbounds * nocapture nowrite dereferenceable(16) %a, 16 x i64 0, 1 x
i64 0
%1 = gep inbounds * nocapture nowrite dereferenceable(16) %b, 16 x i64 0, 1 x
i64 0
%cstr = bitcast * %0 to *
%cstr3 = bitcast * %1 to *
%memcmp = memcmp * %cstr, * %cstr3, i64 8
%2 = icmp eq i32 %memcmp, 0
br i1 %2, label %entry2, label %opeq1.exit
%entry2:
%3 = gep inbounds * nocapture nowrite dereferenceable(16) %a, 16 x i64 0, 1 x
i64 12
%4 = gep inbounds * nocapture nowrite dereferenceable(16) %b, 16 x i64 0, 1 x
i64 8
%5 = load i32, * %3, align 4
%6 = load i32, * %4, align 4
%7 = icmp eq i32 %5, %6
br i1 %7, label %land.rhs.i.31, label %opeq1.exit
%land.rhs.i.31:
%8 = gep inbounds * nocapture nowrite dereferenceable(16) %a, 16 x i64 0, 1 x
i64 12
%9 = gep inbounds * nocapture nowrite dereferenceable(16) %b, 16 x i64 0, 1 x
i64 12
%10 = load i32, * %8, align 4
%11 = load i32, * %9, align 4
%12 = icmp eq i32 %10, %11
br label %opeq1.exit
%opeq1.exit:
%13 = phi i1 [ %12, %land.rhs.i.31 ], [ 0, %entry2 ], [ 0,
%land.rhs.i+land.rhs.i.2 ]
ret i1 %13
}
Transformation doesn't verify!
ERROR: Source is more defined than target
Example:
* nocapture nowrite dereferenceable(16) %a = pointer(non-local, block_id=1,
offset=10, attrs=3)
* nocapture nowrite dereferenceable(16) %b = pointer(non-local, block_id=2,
offset=88, attrs=3)
Source:
* %first.i = pointer(non-local, block_id=1, offset=22, attrs=3)
i32 %0 = #x80000002 (2147483650, -2147483646)
* %first1.i = pointer(non-local, block_id=2, offset=96, attrs=3)
i32 %1 = #x00010100 (65792)
i1 %cmp.i = #x0 (0)
>> Jump to %opeq1.exit
i1 %8 = #x0 (0)
SOURCE MEMORY STATE
===================
NON-LOCAL BLOCKS:
Block 0 > size: 0 align: 1 alloc type: 0 address: 0
Block 1 > size: 129 align: 2 alloc type: 0 address: 122
Block 2 > size: 105 align: 2 alloc type: 0 address: 16
Target:
* %0 = pointer(non-local, block_id=1, offset=10, attrs=3)
* %1 = pointer(non-local, block_id=2, offset=88, attrs=3)
* %cstr = pointer(non-local, block_id=1, offset=10, attrs=3)
* %cstr3 = pointer(non-local, block_id=2, offset=88, attrs=3)
i32 %memcmp = poison
i1 %2 = poison
UB triggered on br</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>