[llvm-bugs] [Bug 47092] New: Wrong code: suspected bad NSW flag.

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Aug 10 07:09:57 PDT 2020 

https://bugs.llvm.org/show_bug.cgi?id=47092

            Bug ID: 47092
           Summary: Wrong code: suspected bad NSW flag.
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Scalar Optimizations
          Assignee: unassignedbugs at nondot.org
          Reporter: paulsson at linux.vnet.ibm.com
                CC: llvm-bugs at lists.llvm.org

Created attachment 23837
  --> https://bugs.llvm.org/attachment.cgi?id=23837&action=edit
reduced testcase: llc input after clang -O2

This csmith program:

long b = 8446744073709551615;
static int fn1(int p1, int p2) {
  return (((p1 ^ ((p1 ^ p2) & ~2147483647)) - p2) ^ p2) < 0 ? p1 : p1 - p2;
}
int main() {
  int a = fn1(b & 1303940520, -1628135358);
  printf("checksum = %X\n", a);
}

should print 44108DA8 (p1 in hex).

clang -target s390x-unknown-linux-gnu -march=z10 -O1 ./wrong1.i -o a.out -w ;
./a.out
checksum = 44108DA8
clang -target s390x-unknown-linux-gnu -march=z10 -O2 ./wrong1.i -o a.out -w ;
./a.out
checksum = A51BED66

I found out that there is one case where SystemZElimCompare removes a compare
w/0 after an AFI. The AFI (Add Fullword Immediate) has the nsw and nuw flags,
which makes this transformation safe at this point. However, removing that
compare is the difference between the two results, which indicates that the NSW
flag was present when there in fact will be an overflow.

llc -mtriple=s390x-linux-gnu -mcpu=z10 -O2 ./wrong1.ll -o wrong1.s

  renamable $r1l = nuw nsw AFI killed renamable $r1l(tied-def 0), 1628135358,
implicit-def dead $cc
  CHI renamable $r1l, 0, implicit-def $cc
  BRC 14, 4, %bb.2, implicit $cc

=>

  renamable $r1l = nuw nsw AFI killed renamable $r1l(tied-def 0), 1628135358,
implicit-def $cc
  BRC 15, 4, %bb.2, implicit $cc

  -> WRONG-CODE

I don't think that the constants in the source program will cause an overflow,
and -fsanitize=undefined does not indicate this either. 

I suspect that the multiple combinations of the logical/arithemtic operations
may have introduced an operation that causes an overflow, but I am not quite
sure...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20200810/935da866/attachment.html>

More information about the llvm-bugs mailing list