[llvm-bugs] [Bug 48521] New: DSE incorrectly removes store in function that only triggers UB in one branch

Tue Dec 15 11:33:03 PST 2020

https://bugs.llvm.org/show_bug.cgi?id=48521

            Bug ID: 48521
           Summary: DSE incorrectly removes store in function that only
                    triggers UB in one branch
           Product: libraries
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Keywords: miscompilation
          Severity: normal
          Priority: P
         Component: Scalar Optimizations
          Assignee: unassignedbugs at nondot.org
          Reporter: nunoplopes at sapo.pt
                CC: evgueni.brevnov at gmail.com, florian_hahn at apple.com,
                    juneyoung.lee at sf.snu.ac.kr, llvm-bugs at lists.llvm.org

Test: Transforms/DeadStoreElimination/MSSA/out-of-bounds-stores.ll
Summary: Once DSE finds a store that is OOB, and therefore the function
triggers UB, it removes all stores. However, in the program below OOB only
happens if %c = true.
When %c=false there's no UB and therefore the store cannot be removed.

define i32 @test_out_of_bounds_store_nonlocal(i1 %c) {
%0:
  %d = alloca i64 4, align 4
  br label %for.body

%for.body:
  %arrayidx = gep inbounds * %d, 4 x i64 0, 4 x i64 0
  store i32 10, * %arrayidx, align 4
  br label %for.inc

%for.inc:
  br i1 %c, label %for.body.1, label %for.end

%for.body.1:
  %arrayidx.1 = gep inbounds * %d, 4 x i64 0, 4 x i64 1
  store i32 20, * %arrayidx.1, align 4
  ret i32 1

%for.end:
  %arrayidx1 = gep inbounds * %d, 4 x i64 0, 4 x i64 0
  %lv1 = load i32, * %arrayidx1, align 4
  call void @use(i32 %lv1)
  ret i32 0
}
=>
define i32 @test_out_of_bounds_store_nonlocal(i1 %c) {
%0:
  %d = alloca i64 4, align 4
  br label %for.body

%for.body:
  br label %for.inc

%for.inc:
  br i1 %c, label %for.body.1, label %for.end

%for.body.1:
  ret i32 1

%for.end:
  %arrayidx1 = gep inbounds * %d, 4 x i64 0, 4 x i64 0
  %lv1 = load i32, * %arrayidx1, align 4
  call void @use(i32 %lv1)
  ret i32 0
}
Transformation doesn't verify!
ERROR: Source is more defined than target

Example:
i1 %c = #x0 (0)

Source:
* %d = pointer(local, block_id=2, offset=0)
* %arrayidx = pointer(local, block_id=2, offset=0)
* %arrayidx.1 = pointer(local, block_id=2, offset=4)
* %arrayidx1 = pointer(local, block_id=2, offset=0)
i32 %lv1 = #x0000000a (10)

Target:
* %d = pointer(local, block_id=2, offset=0)
* %arrayidx1 = pointer(local, block_id=2, offset=0)
i32 %lv1 = poison

https://web.ist.utl.pt/nuno.lopes/alive2/index.php?hash=4b7777d913fed80c&test=Transforms%2FDeadStoreElimination%2FMSSA%2Fout-of-bounds-stores.ll

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20201215/fe17a3cd/attachment.html>