[llvm-bugs] [Bug 37523] New: MemorySanitizer false positive in divide-by-undef

via llvm-bugs llvm-bugs at lists.llvm.org
Fri May 18 11:04:25 PDT 2018


https://bugs.llvm.org/show_bug.cgi?id=37523

            Bug ID: 37523
           Summary: MemorySanitizer false positive in divide-by-undef
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: Miscellaneous Instrumentation passes
          Assignee: unassignedbugs at nondot.org
          Reporter: eugeni.stepanov at gmail.com
                CC: llvm-bugs at lists.llvm.org

#include <xmmintrin.h>
#include <sanitizer/msan_interface.h>

int main() {
  volatile int scale = 5;  // runtime value, so the broadcast is not constant-folded
  auto zz = _mm_div_ps(_mm_set1_ps(255), _mm_set1_ps(scale));
  __msan_print_shadow(&zz, sizeof(zz));  // dump the shadow bytes of the result vector
}

Until recently, it was represented like this in the IR:
  %vecinit.i = insertelement <4 x float> undef, float %conv, i32 0
  %vecinit3.i = shufflevector <4 x float> %vecinit.i, <4 x float> undef, <4 x i32> zeroinitializer
  %div.i = fdiv <4 x float> <float 2.550000e+02, float 2.550000e+02, float 2.550000e+02, float 2.550000e+02>, %vecinit3.i

Then something changed, and now we fill the first lane only, divide, and then
broadcast:

  %vecinit.i = insertelement <4 x float> undef, float %conv, i32 0
  %0 = fdiv <4 x float> <float 2.550000e+02, float undef, float undef, float undef>, %vecinit.i
  %1 = shufflevector <4 x float> %0, <4 x float> undef, <4 x i32> zeroinitializer

This in effect divides undef by undef and throws away the result.

MSan instruments division with a strict check for the divisor's shadow,
assuming that division by an uninitialized value may trap. This is not aligned
with IR semantics: LangRef describes fdiv as side effect free.

MSan should delay the check until the value is actually used (or not, like in
this case) by combining and propagating shadow.
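As an added illustration, not part of the bug report or of MSan's actual implementation, the following C model tracks one hypothetical shadow bit per vector lane through both IR shapes: the strict divisor check fires on the new shape even though the only quotient lane that is ever used is fully initialized, while per-lane shadow propagation through the fdiv and the broadcast leaves the result clean.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model, not MSan's real shadow representation: a 4-lane float
 * vector with one shadow bit per lane (1 = uninitialized / undef). */
typedef struct { float v[4]; uint8_t sh[4]; } vec4;

static vec4 undef4(void) { vec4 r = {{0, 0, 0, 0}, {1, 1, 1, 1}}; return r; }

/* insertelement: lane i becomes an initialized scalar. */
static vec4 insertelement(vec4 a, float x, int i) { a.v[i] = x; a.sh[i] = 0; return a; }

/* shufflevector with a zeroinitializer mask: broadcast lane 0, shadow included. */
static vec4 broadcast0(vec4 a) {
    vec4 r;
    for (int i = 0; i < 4; i++) { r.v[i] = a.v[0]; r.sh[i] = a.sh[0]; }
    return r;
}

/* Current behaviour described in the report: a strict check on the divisor's
 * shadow before the fdiv; true means MSan would report at this point. */
static bool strict_divisor_check(vec4 divisor) {
    for (int i = 0; i < 4; i++) if (divisor.sh[i]) return true;
    return false;
}

/* Proposed behaviour: no check at the fdiv. fdiv is side-effect free, so the
 * per-lane result shadow is the OR of the operand shadows, and a poisoned lane
 * is only reported if something later actually uses it. */
static vec4 fdiv_propagate(vec4 a, vec4 b) {
    vec4 r;
    for (int i = 0; i < 4; i++) { r.v[i] = a.v[i] / b.v[i]; r.sh[i] = a.sh[i] | b.sh[i]; }
    return r;
}

/* Old IR shape: broadcast the divisor first, then divide by it. */
static vec4 old_ir_divisor(float scale) { return broadcast0(insertelement(undef4(), scale, 0)); }

/* New IR shape: fill lane 0 only, divide <255, undef, undef, undef> by it,
 * then broadcast lane 0 of the quotient. */
static vec4 new_ir_divisor(float scale) { return insertelement(undef4(), scale, 0); }

static vec4 new_ir_result(float scale) {
    vec4 dividend = insertelement(undef4(), 255.0f, 0);
    return broadcast0(fdiv_propagate(dividend, new_ir_divisor(scale)));
}
```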
