[llvm-bugs] [Bug 38434] New: [polly] miscompile due to missing overflow check for isl expressions

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Aug 2 13:10:12 PDT 2018


https://bugs.llvm.org/show_bug.cgi?id=38434

            Bug ID: 38434
           Summary: [polly] miscompile due to missing overflow check for
                    isl expressions
           Product: Polly
           Version: unspecified
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Optimizer
          Assignee: polly-dev at googlegroups.com
          Reporter: efriedma at codeaurora.org
                CC: llvm-bugs at lists.llvm.org

Consider the following loop:

/*
 * Synthetic reproducer: increment every x[i], and also increment x2[i] when
 * the test on g and g2 holds.
 *
 * x, x2 - restrict-qualified int arrays; the loop touches indices 0..n-1
 * g, g2 - inputs to the guard; neither is modified inside the loop
 * n     - iteration count; the body does not run when n <= 0
 */
void a(int* restrict x,int * restrict x2, long long g, long long g2, int n) {
  for (int i = 0; i < n; ++i) {
    x[i]++;
    /* 0x4000000000000000 is 2^62. This comparison is the only thing that
       decides whether x2 is written, so a wrongly evaluated guard turns into
       an unintended store to x2 (or a missing one). */
    if (g < 0x4000000000000000 - g2/8) x2[i]++;
  }
}

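Polly currently miscompiles this loop.  The generated code has no runtime check
because Polly correctly computes that "g < 0x4000000000000000 - g2/8" can't
overflow.  However, isl "simplifies" the condition to "if ((p_0 <= -1 && p_0 +
8 * p_1 <= 36893488147419103224) || (p_0 >= 0 && p_0 + 8 * p_1 <=
36893488147419103231))", and Polly blindly assumes the math will not overflow an
i64.  Both constants are larger than the maximum signed 64-bit value (they are
2^65 - 8 and 2^65 - 1), and "p_0 + 8 * p_1" can itself leave the i64 range, so
evaluating the simplified form in 64-bit arithmetic can wrap and give a
different answer from the original comparison.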

This is a synthetic testcase. (I ran into something sort of similar which
inspired this, but it overflowed in the runtime check instead of miscompiling.)

IR version follows; reproduce with "opt -polly-codegen
-polly-process-unprofitable".

; IR form of the C function a() above: x[i]++ on every iteration, x2[i]++ only
; when the guard %cmp1 is true. Reproduce the miscompile with
; "opt -polly-codegen -polly-process-unprofitable".
; Arguments: %x and %x2 are noalias i32 pointers, %g and %g2 feed the guard,
; %n is the trip count.
define void @a(i32* noalias nocapture %x, i32* noalias nocapture %x2, i64 %g,
i64 %g2, i32 %n) {
entry:
  ; Skip the loop entirely unless n > 0.
  %cmp10 = icmp sgt i32 %n, 0
  br i1 %cmp10, label %for.body.lr.ph, label %for.cond.cleanup

for.body.lr.ph:
  ; The guard is computed once here, before the loop, and reused on every
  ; iteration. 4611686018427387904 is 2^62 (0x4000000000000000 in the C source).
  %div = sdiv i64 %g2, 8
  ; nsw: the subtraction is marked as not wrapping in signed i64.
  %sub = sub nsw i64 4611686018427387904, %div
  ; %cmp1 is true when g < 2^62 - g2/8 (signed compare).
  %cmp1 = icmp sgt i64 %sub, %g
  ; Loop bound widened to i64 to match the induction variable.
  %wide.trip.count = zext i32 %n to i64
  br label %for.body

for.cond.cleanup:
  ret void

for.body:
  ; %indvars.iv is the loop index i, starting at 0.
  %indvars.iv = phi i64 [ 0, %for.body.lr.ph ], [ %indvars.iv.next, %for.inc ]
  ; Unconditional x[i]++.
  %arrayidx = getelementptr inbounds i32, i32* %x, i64 %indvars.iv
  %0 = load i32, i32* %arrayidx, align 4
  %inc = add nsw i32 %0, 1
  store i32 %inc, i32* %arrayidx, align 4
  ; Only this branch separates the loop from the store to x2 in if.then.
  br i1 %cmp1, label %if.then, label %for.inc

if.then:
  ; Guarded x2[i]++; reached only when %cmp1 is true.
  %arrayidx3 = getelementptr inbounds i32, i32* %x2, i64 %indvars.iv
  %1 = load i32, i32* %arrayidx3, align 4
  %inc4 = add nsw i32 %1, 1
  store i32 %inc4, i32* %arrayidx3, align 4
  br label %for.inc

for.inc:
  ; i++ and exit once i reaches the zero-extended trip count.
  %indvars.iv.next = add nuw nsw i64 %indvars.iv, 1
  %exitcond = icmp eq i64 %indvars.iv.next, %wide.trip.count
  br i1 %exitcond, label %for.cond.cleanup, label %for.body
}
