[PATCH] D44232: [SimplifyCFG] Create attribute to disable select formation.

Matt Morehouse via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Thu Mar 8 11:03:27 PST 2018


morehouse added a comment.

In https://reviews.llvm.org/D44232#1031682, @hfinkel wrote:

> Shouldn't be too much work. Just turn the logic in CodeGenPrepare::optimizeSelectInst into a utility function, add an aggressive mode, and call it.


Well that's easier than I thought.  Thanks for the insight.

> I took a quick look at the bug report, but I'm still not exactly sure what's going on. Can you explain? Is the problem that the coverage instrumentation looks at the arguments to a comparison, somehow, but doesn't look through boolean operations?

The coverage instrumentation passes both arguments of every comparison to a `__sanitizer_cov_trace[_const]_cmp` callback.  The callbacks are implemented in libFuzzer.  libFuzzer uses a simple (but effective) heuristic that searches the program input for either argument to the comparison and then mutates matches to be close (-1, ==, or +1) to the other argument.

In the bug report, if `x > 16 && x < 32` had been translated into a comparison with 16 and a comparison with 32, and if `x` were found in the program input, libFuzzer would be able to quickly find `x==17` or `x==31` to take the true branch.  But instead, `x > 16 && x < 32` is translated to a single unsigned comparison between `x - 17` and 15, thereby defeating our heuristic.


https://reviews.llvm.org/D44232
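As an added illustration (not part of this review thread, and not LLVM or libFuzzer code), the C program below models the two translations of `x > 16 && x < 32` that the reply describes and a simplified version of the libFuzzer heuristic: a recording stand-in for the `__sanitizer_cov_trace_const_cmp` callback, a one-byte input, and the rule "if a traced operand value occurs in the input, replace it with constant-1, constant, constant+1". The names `trace_cmp`, `count_heuristic_hits`, `forms_agree`, the single-byte input and the exact mutation rule are assumptions of the model; libFuzzer's real strategy is more elaborate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the __sanitizer_cov_trace_const_cmp callback: records
   (operand, constant) pairs so a mutator can inspect them afterwards.
   Constructed model only; the real callback is implemented in libFuzzer. */
typedef struct { unsigned arg; unsigned konst; } cmp_record;
static cmp_record trace[8];
static size_t ntrace;

static void trace_cmp(unsigned arg, unsigned konst) {
    if (ntrace < sizeof trace / sizeof trace[0])
        trace[ntrace++] = (cmp_record){ arg, konst };
}

/* Form 1: `x > 16 && x < 32` kept as two comparisons against the constants
   16 and 32. Both constants and the operand `x` reach the callback. */
static int in_range_two_cmps(unsigned x) {
    trace_cmp(x, 16);
    if (!(x > 16)) return 0;     /* short-circuit: second compare not executed */
    trace_cmp(x, 32);
    return x < 32;
}

/* Form 2: the same check after range merging: one unsigned comparison of
   `x - 17` against 15. Neither 16 nor 32 reaches the callback, and the
   traced operand is no longer `x` itself. */
static int in_range_fused(unsigned x) {
    unsigned t = x - 17u;        /* wraps around for x < 17 */
    trace_cmp(t, 15);
    return t < 15;
}

/* Returns 1 if both forms agree on every x in [0, limit). */
static int forms_agree(unsigned limit) {
    for (unsigned x = 0; x < limit; x++)
        if (in_range_two_cmps(x) != in_range_fused(x)) return 0;
    return 1;
}

/* Simplified heuristic (assumption): run the predicate on a one-byte input,
   then for every traced comparison whose operand value occurs in the input,
   try replacing that byte with konst-1, konst and konst+1. Returns how many
   of those candidates take the true branch. */
static int count_heuristic_hits(uint8_t seed, int (*pred)(unsigned)) {
    cmp_record seen[8];
    size_t nseen;
    int hits = 0;

    ntrace = 0;
    pred(seed);
    nseen = ntrace;                               /* snapshot before probing */
    for (size_t i = 0; i < nseen; i++) seen[i] = trace[i];

    for (size_t r = 0; r < nseen; r++) {
        if (seen[r].arg != seed) continue;        /* operand not found in input */
        for (int d = -1; d <= 1; d++) {
            unsigned candidate = seen[r].konst + (unsigned)d;
            ntrace = 0;                           /* discard traces from probes */
            if (pred(candidate)) hits++;
        }
    }
    return hits;
}

int main(void) {
    uint8_t seed = 5;                             /* constructed input byte */
    printf("two comparisons: %d candidate(s) take the true branch\n",
           count_heuristic_hits(seed, in_range_two_cmps));
    printf("fused comparison: %d candidate(s) take the true branch\n",
           count_heuristic_hits(seed, in_range_fused));
    return 0;
}
```

With the seed byte 5, the two-comparison form records the pair (5, 16); 5 is found in the input, and the candidate 17 takes the true branch. The fused form records (5 - 17 wrapped, 15): the traced operand never appears in the input, so the heuristic has nothing to mutate, even though both functions compute the same predicate.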
