[llvm] r283528 - AMDGPU: Fix use-after-free in SIOptimizeExecMasking

Nicolai Haehnle via llvm-commits llvm-commits at lists.llvm.org
Fri Oct 7 01:40:14 PDT 2016


Author: nha
Date: Fri Oct  7 03:40:14 2016
New Revision: 283528

URL: http://llvm.org/viewvc/llvm-project?rev=283528&view=rev
Log:
AMDGPU: Fix use-after-free in SIOptimizeExecMasking

Summary:
There was a bug with sequences like

   s_mov_b64 s[0:1], exec
   s_and_b64 s[2:3]<def>, s[0:1], s[2:3]<kill>
   ...
   s_mov_b64_term exec, s[2:3]

because s[2:3] was defined and used in the same instruction, ending up with
SaveExecInst inside OtherUseInsts.

Note that the test case also exposes an unrelated bug.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98028

Reviewers: tstellarAMD, arsenm

Subscribers: kzhuravl, wdng, yaxunl, llvm-commits, tony-tye

Differential Revision: https://reviews.llvm.org/D25306

Added:
    llvm/trunk/test/CodeGen/AMDGPU/branch-condition-and.ll
Modified:
    llvm/trunk/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp

Modified: llvm/trunk/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp?rev=283528&r1=283527&r2=283528&view=diff
==============================================================================
--- llvm/trunk/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp (original)
+++ llvm/trunk/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp Fri Oct  7 03:40:14 2016
@@ -248,14 +248,17 @@ bool SIOptimizeExecMasking::runOnMachine
         if (J->readsRegister(CopyFromExec, TRI)) {
           SaveExecInst = &*J;
           DEBUG(dbgs() << "Found save exec op: " << *SaveExecInst << '\n');
+          continue;
         } else {
           DEBUG(dbgs() << "Instruction does not read exec copy: " << *J << '\n');
           break;
         }
       }
 
-      if (SaveExecInst && J->readsRegister(CopyToExec, TRI))
+      if (SaveExecInst && J->readsRegister(CopyToExec, TRI)) {
+        assert(SaveExecInst != &*J);
         OtherUseInsts.push_back(&*J);
+      }
     }
 
     if (!SaveExecInst)
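
Review bot: the "continue;" added after "SaveExecInst = &*J;" carries the whole fix, yet nothing in the code says why the save-exec instruction has to skip the "J->readsRegister(CopyToExec, TRI)" check further down. A short comment there, noting that the instruction may both define and read the same register (the s_and_b64 s[2:3]<def>, s[0:1], s[2:3]<kill> case from the log), would keep a later cleanup from dropping it. The new "assert(SaveExecInst != &*J);" has no message string and is compiled out in builds with assertions disabled, so it documents the invariant rather than enforcing it; consider the form assert(SaveExecInst != &*J && "...") with a short explanation. With "continue" now ending the if-branch, the "} else {" that follows is redundant, and its body could be un-nested.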

Added: llvm/trunk/test/CodeGen/AMDGPU/branch-condition-and.ll
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/CodeGen/AMDGPU/branch-condition-and.ll?rev=283528&view=auto
==============================================================================
--- llvm/trunk/test/CodeGen/AMDGPU/branch-condition-and.ll (added)
+++ llvm/trunk/test/CodeGen/AMDGPU/branch-condition-and.ll Fri Oct  7 03:40:14 2016
@@ -0,0 +1,39 @@
+; RUN: llc -march=amdgcn -verify-machineinstrs < %s | FileCheck -check-prefix=GCN %s
+; RUN: llc -march=amdgcn -mcpu=tonga -verify-machineinstrs < %s | FileCheck -check-prefix=GCN %s
+
+; This used to crash because during intermediate control flow lowering, there
+; was a sequence
+;       s_mov_b64 s[0:1], exec
+;       s_and_b64 s[2:3], s[0:1], s[2:3] ; def & use of the same register pair
+;       ...
+;       s_mov_b64_term exec, s[2:3]
+; that was not treated correctly.
+;
+; GCN-LABEL: {{^}}ham:
+; GCN-DAG: v_cmp_lt_f32_e64 [[OTHERCC:s\[[0-9]+:[0-9]+\]]],
+; GCN-DAG: v_cmp_lt_f32_e32 vcc,
+; GCN: s_and_b64 [[AND:s\[[0-9]+:[0-9]+\]]], vcc, [[OTHERCC]]
+; GCN: s_and_saveexec_b64 [[SAVED:s\[[0-9]+:[0-9]+\]]], [[AND]]
+; GCN: s_xor_b64 [[SAVED]], exec, [[SAVED]]
+;
+; TODO: The following sequence is a bug (missing s_endpgm)!
+;
+; GCN: s_branch [[BB:BB[0-9]+_[0-9]+]]
+; GCN: [[BB]]:
+; GCN-NEXT: .Lfunc_end0:
+define amdgpu_ps void @ham(float %arg, float %arg1) #0 {
+bb:
+  %tmp = fcmp ogt float %arg, 0.000000e+00
+  %tmp2 = fcmp ogt float %arg1, 0.000000e+00
+  %tmp3 = and i1 %tmp, %tmp2
+  br i1 %tmp3, label %bb4, label %bb5
+
+bb4:                                              ; preds = %bb
+  unreachable
+
+bb5:                                              ; preds = %bb
+  ret void
+}
+
+attributes #0 = { nounwind readonly "InitialPSInputAddr"="36983" }
+attributes #1 = { nounwind readnone }
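
Review bot: the CHECK lines after the "TODO: The following sequence is a bug (missing s_endpgm)!" comment (GCN: s_branch, GCN: [[BB]]:, GCN-NEXT: .Lfunc_end0:) pin output the test itself calls wrong, so this test will start failing once that unrelated bug is fixed. Either drop those three checks and keep the test focused on the s_and_b64 / s_and_saveexec_b64 / s_xor_b64 sequence, or extend the TODO to say the checks are expected to change and point at a tracking bug. Separately, "attributes #1 = { nounwind readnone }" is not referenced by anything in the file and can be removed.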



