[llvm-bugs] [Bug 45210] New: Incorrect optimization of gep without inbounds + load -> icmp eq

via llvm-bugs llvm-bugs at lists.llvm.org
Sun Mar 15 04:31:29 PDT 2020 

https://bugs.llvm.org/show_bug.cgi?id=45210

            Bug ID: 45210
           Summary: Incorrect optimization of gep without inbounds + load
                    -> icmp eq
           Product: libraries
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Keywords: miscompilation
          Severity: normal
          Priority: P
         Component: Scalar Optimizations
          Assignee: unassignedbugs at nondot.org
          Reporter: nunoplopes at sapo.pt
                CC: juneyoung.lee at sf.snu.ac.kr, lebedev.ri at gmail.com,
                    llvm-bugs at lists.llvm.org, regehr at cs.utah.edu,
                    spatel+llvm at rotateright.com

The following unit test in "Transforms/InstCombine/load-cmp.ll" exposes an
incorrect optimization:

define i1 @test1_noinbounds(i32 %X) {
; CHECK-LABEL: @test1_noinbounds(
; CHECK-NEXT:    [[R:%.*]] = icmp eq i32 [[X:%.*]], 9
; CHECK-NEXT:    ret i1 [[R]]
;
  %P = getelementptr [10 x i16], [10 x i16]* @G16, i32 0, i32 %X
  %Q = load i16, i16* %P
  %R = icmp eq i16 %Q, 0
  ret i1 %R
}


Output of Alive2. TL;DR: the optimization is only correct with gep inbounds,
otherwise the transformation to "icmp eq" misses the overflow case.

@G16 = constant 20 bytes, align 16

define i1 @test1_noinbounds(i32 %X) {
#init:
  store [10 x i16] { 35, 82, 69, 81, 85, 73, 82, 69, 68, 0 }, * @G16, align 16
  br label %0

%0:
  %P = gep * @G16, 20 x i32 0, 2 x i32 %X
  %Q = load i16, * %P, align 2
  %R = icmp eq i16 %Q, 0
  ret i1 %R
}
=>
@G16 = constant 20 bytes, align 16

define i1 @test1_noinbounds(i32 %X) {
#init:
  store [10 x i16] { 35, 82, 69, 81, 85, 73, 82, 69, 68, 0 }, * @G16, align 16
  br label %0

%0:
  %R = icmp eq i32 %X, 9
  ret i1 %R
}


Transformation doesn't verify!
ERROR: Value mismatch

Example:
i32 %X = #x80000009 (2147483657, -2147483639)

Source:
* %P = pointer(non-local, block_id=1, offset=18)
i16 %Q = #x0000 (0)
i1 %R = #x1 (1)

Target:
i1 %R = #x0 (0)
Source value: #x1 (1)
Target value: #x0 (0)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20200315/c98f58f0/attachment.html>

More information about the llvm-bugs mailing list