[llvm-bugs] [Bug 51906] New: LIVM introduces load in writeonly function (UB)

Sun Sep 19 03:53:43 PDT 2021

https://bugs.llvm.org/show_bug.cgi?id=51906

            Bug ID: 51906
           Summary: LIVM introduces load in writeonly function (UB)
           Product: libraries
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Keywords: miscompilation
          Severity: normal
          Priority: P
         Component: Loop Optimizer
          Assignee: unassignedbugs at nondot.org
          Reporter: nunoplopes at sapo.pt
                CC: aeubanks at google.com, alina.sbirlea at gmail.com,
                    llvm-bugs at lists.llvm.org, nikita.ppv at gmail.com,
                    regehr at cs.utah.edu, Vsevolod.Livinskij at frtk.ru,
                    whitneyt at ca.ibm.com

LICM transforms this:
for (i=0; i < 4; i += 4)
  store @glb, some-expr
=>
tmp = load @lgb
compute some-expr
for (i=0; i < 4; i += 4)
  tmp = expr
store @glb, tmp

For functions that are writeonly this introduces UB as the original function
had no load and the optimized now has a load from global memory.
The second issue is the store introduction. I didn't check if the store is
introduced for loops that are not guaranteed to execute, but if that's the case
that may violate C++'s memory model (where I believe you cannot introduce
stores).

@glb = external global i8, align 1

define void @test(i8 %var) writeonly {
entry:
  br label %for.cond

for.cond:
  %i = phi i64 [ 0, %entry ], [ %add, %cond.end ]
  %cmp = icmp ult i64 %i, 4
  br i1 %cmp, label %for.body39, label %for.end

for.body39:
  %div = sdiv i8 %var, 3
  %cmp2 = icmp slt i8 %div, 0
  br i1 %cmp2, label %cond.true, label %cond.false

cond.true:
  br label %cond.end

cond.false:
  br label %cond.end

cond.end:
  %merge = phi i8 [ %div, %cond.true ], [ 0, %cond.false ]
  store i8 %merge, i8* @glb, align 1
  %add = add i64 %i, 4
  br label %for.cond

for.end:
  ret void
}

After LICM:
define void @test(i8 %var) #0 {
entry:
  %div = sdiv i8 %var, 3
  %cmp2 = icmp slt i8 %div, 0
  %glb.promoted = load i8, i8* @glb, align 1
  br label %for.cond

for.cond:                                         ; preds = %cond.end, %entry
  %merge1 = phi i8 [ %glb.promoted, %entry ], [ %merge, %cond.end ]
  %i = phi i64 [ 0, %entry ], [ %add, %cond.end ]
  %cmp = icmp ult i64 %i, 4
  br i1 %cmp, label %for.body39, label %for.end

for.body39:                                       ; preds = %for.cond
  br i1 %cmp2, label %cond.true, label %cond.false

cond.true:                                        ; preds = %for.body39
  br label %cond.end

cond.false:                                       ; preds = %for.body39
  br label %cond.end

cond.end:                                         ; preds = %cond.false,
%cond.true
  %merge = phi i8 [ %div, %cond.true ], [ 0, %cond.false ]
  %add = add i64 %i, 4
  br label %for.cond

for.end:                                          ; preds = %for.cond
  %merge1.lcssa = phi i8 [ %merge1, %for.cond ]
  store i8 %merge1.lcssa, i8* @glb, align 1
  ret void
}

Reduced test case from John Regehr & Vsevolod Livinskii.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20210919/855bb606/attachment.html>